upgrade to latest dependencies (#672)

bumping knative.dev/eventing ba8ac76...26b9071:
  > 26b9071 make sinkbinding oidc-token volume mount readOnly (# 8894)
bumping knative.dev/serving 89f3fe7...f161c41:
  > f161c41 Update net-istio nightly (# 16426)
bumping knative.dev/pkg 1f39e94...a902bbf:
  > a902bbf Replace NewConfigFromEnv with DefaultConfigFromEnv (# 3328)

Signed-off-by: Knative Automation <automation@knative.team>

Author: knative-automation

go.mod

@@ -15,10 +15,10 @@ require (
 	k8s.io/apimachinery v0.35.2
 	k8s.io/client-go v0.35.2
 	k8s.io/code-generator v0.35.2
-	knative.dev/eventing v0.48.1-0.20260303190100-ba8ac76433d4
+	knative.dev/eventing v0.48.1-0.20260304104053-26b9071e4ef3
 	knative.dev/hack v0.0.0-20260212092700-0126b283bf20
-	knative.dev/pkg v0.0.0-20260302190359-1f39e94ef003
-	knative.dev/serving v0.48.1-0.20260303142400-89f3fe74309a
+	knative.dev/pkg v0.0.0-20260304131155-a902bbfa38de
+	knative.dev/serving v0.48.1-0.20260304122354-f161c41d3df3
 )
 
 require (

go.sum

@@ -364,16 +364,16 @@ k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZ
 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.48.1-0.20260303190100-ba8ac76433d4 h1:KaJAdxxaV9IbtvFzoJuh1vFE47/+c9rlsCCsJUHwzms=
-knative.dev/eventing v0.48.1-0.20260303190100-ba8ac76433d4/go.mod h1:HseSdM0vR//gaW5g0+iU1ApPJZ1mInL+A7DD8kef1sU=
+knative.dev/eventing v0.48.1-0.20260304104053-26b9071e4ef3 h1:wujjcmDVnCMkpwZaG2ybXjSjOf57jBf2+x84ChvNY+c=
+knative.dev/eventing v0.48.1-0.20260304104053-26b9071e4ef3/go.mod h1:HseSdM0vR//gaW5g0+iU1ApPJZ1mInL+A7DD8kef1sU=
 knative.dev/hack v0.0.0-20260212092700-0126b283bf20 h1:Ocya6ILPQxGrozD5gPELC4J2ASnqvTLvYGJjddKr4Fs=
 knative.dev/hack v0.0.0-20260212092700-0126b283bf20/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0=
 knative.dev/networking v0.0.0-20260223015858-080d52fcffb4 h1:ZXE3pdtSPB0quCfAFUodFT+VsT2Xaoqdj4r//O+zk18=
 knative.dev/networking v0.0.0-20260223015858-080d52fcffb4/go.mod h1:ITVa/pZZpgmev4E64KDICg9ZC87YLulpF4J8iMgons4=
-knative.dev/pkg v0.0.0-20260302190359-1f39e94ef003 h1:VG+CUgVKm+mLEudP16wLj++xDM2PuVFeua9+MLLBUa8=
-knative.dev/pkg v0.0.0-20260302190359-1f39e94ef003/go.mod h1:mV8s7Uc92am8byZSJPIaVm1NBr0h8vsFL+sEEvMoBbk=
-knative.dev/serving v0.48.1-0.20260303142400-89f3fe74309a h1:UqpGzMDykdinOeGuWPtWKw1LgZyKoFcFxVEnYe2yt1I=
-knative.dev/serving v0.48.1-0.20260303142400-89f3fe74309a/go.mod h1:5EbHL9BqS4wVEXINAc7oSrQojcDh9i6tEiACyEApiLM=
+knative.dev/pkg v0.0.0-20260304131155-a902bbfa38de h1:cz1QT/L7SNC+dF47xYRPJt1WRP/HfTx8+KoZjmGA8V8=
+knative.dev/pkg v0.0.0-20260304131155-a902bbfa38de/go.mod h1:mV8s7Uc92am8byZSJPIaVm1NBr0h8vsFL+sEEvMoBbk=
+knative.dev/serving v0.48.1-0.20260304122354-f161c41d3df3 h1:bDZ+w8ULeTMotPmBvppuFYyXFLOkuMpP3yUPIKCMm70=
+knative.dev/serving v0.48.1-0.20260304122354-f161c41d3df3/go.mod h1:5EbHL9BqS4wVEXINAc7oSrQojcDh9i6tEiACyEApiLM=
 sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM=
 sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=

vendor/knative.dev/eventing/pkg/apis/sources/v1/sinkbinding_lifecycle.go

@@ -262,12 +262,14 @@ func (sb *SinkBinding) Do(ctx context.Context, ps *duckv1.WithPod) {
 			ps.Spec.Template.Spec.Containers[i].VolumeMounts = append(ps.Spec.Template.Spec.Containers[i].VolumeMounts, corev1.VolumeMount{
 				Name:      oidcTokenVolumeName,
 				MountPath: "/oidc",
+				ReadOnly:  true,
 			})
 		}
 		for i := range ps.Spec.Template.Spec.InitContainers {
 			ps.Spec.Template.Spec.InitContainers[i].VolumeMounts = append(ps.Spec.Template.Spec.InitContainers[i].VolumeMounts, corev1.VolumeMount{
 				Name:      oidcTokenVolumeName,
 				MountPath: "/oidc",
+				ReadOnly:  true,
 			})
 		}
 	}

vendor/knative.dev/pkg/tls/config.go

@@ -33,22 +33,14 @@ const (
 	CurvePreferencesEnvKey = "TLS_CURVE_PREFERENCES"
 )
 
-// Config holds parsed TLS configuration values that can be used
-// to build a *crypto/tls.Config.
-type Config struct {
-	MinVersion       uint16
-	MaxVersion       uint16
-	CipherSuites     []uint16
-	CurvePreferences []cryptotls.CurveID
-}
-
-// NewConfigFromEnv reads TLS configuration from environment variables and
-// returns a Config. The prefix is prepended to each standard env-var suffix;
+// DefaultConfigFromEnv returns a tls.Config with secure defaults.
+// The prefix is prepended to each standard env-var suffix;
 // for example with prefix "WEBHOOK_" the function reads
 // WEBHOOK_TLS_MIN_VERSION, WEBHOOK_TLS_MAX_VERSION, etc.
-// Fields whose corresponding env var is unset are left at their zero value.
-func NewConfigFromEnv(prefix string) (*Config, error) {
-	var cfg Config
+func DefaultConfigFromEnv(prefix string) (*cryptotls.Config, error) {
+	cfg := &cryptotls.Config{
+		MinVersion: cryptotls.VersionTLS13,
+	}
 
 	if v := os.Getenv(prefix + MinVersionEnvKey); v != "" {
 		ver, err := parseVersion(v)
@@ -82,19 +74,7 @@ func NewConfigFromEnv(prefix string) (*Config, error) {
 		cfg.CurvePreferences = curves
 	}
 
-	return &cfg, nil
-}
-
-// TLSConfig constructs a *crypto/tls.Config from the parsed configuration.
-// The caller typically adds additional fields such as GetCertificate.
-func (c *Config) TLSConfig() *cryptotls.Config {
-	//nolint:gosec // Min version is caller-configurable; default is TLS 1.3.
-	return &cryptotls.Config{
-		MinVersion:       c.MinVersion,
-		MaxVersion:       c.MaxVersion,
-		CipherSuites:     c.CipherSuites,
-		CurvePreferences: c.CurvePreferences,
-	}
+	return cfg, nil
 }
 
 // parseVersion converts a TLS version string to the corresponding

vendor/knative.dev/pkg/webhook/env.go

@@ -72,7 +72,7 @@ func SecretNameFromEnv(defaultSecretName string) string {
 	return secret
 }
 
-// Deprecated: Use knative.dev/pkg/tls.NewConfigFromEnv instead.
+// Deprecated: Use knative.dev/pkg/tls.DefaultConfigFromEnv instead.
 // TLS configuration is now read automatically inside webhook.New via the shared tls package.
 func TLSMinVersionFromEnv(defaultTLSMinVersion uint16) uint16 {
 	switch tlsMinVersion := os.Getenv(tlsMinVersionEnvKey); tlsMinVersion {

vendor/knative.dev/pkg/webhook/webhook.go

@@ -191,36 +191,29 @@ func New(
 
 	logger := logging.FromContext(ctx)
 
-	tlsCfg, err := knativetls.NewConfigFromEnv("WEBHOOK_")
+	tlsCfg, err := knativetls.DefaultConfigFromEnv("WEBHOOK_")
 	if err != nil {
 		return nil, fmt.Errorf("reading TLS configuration from environment: %w", err)
 	}
 
-	// Replace the TLS configuration with the one from the environment if not set.
-	// Default to TLS 1.3 as the minimum version when neither the caller nor the
-	// environment specifies one.
-	if opts.TLSMinVersion == 0 {
-		if tlsCfg.MinVersion != 0 {
-			opts.TLSMinVersion = tlsCfg.MinVersion
-		} else {
-			opts.TLSMinVersion = tls.VersionTLS13
-		}
+	if opts.TLSMinVersion != 0 {
+		tlsCfg.MinVersion = opts.TLSMinVersion
 	}
-	if opts.TLSMaxVersion == 0 && tlsCfg.MaxVersion != 0 {
-		opts.TLSMaxVersion = tlsCfg.MaxVersion
+	if opts.TLSMaxVersion != 0 {
+		tlsCfg.MaxVersion = opts.TLSMaxVersion
 	}
-	if opts.TLSCipherSuites == nil && len(tlsCfg.CipherSuites) > 0 {
-		opts.TLSCipherSuites = tlsCfg.CipherSuites
+	if opts.TLSCipherSuites != nil {
+		tlsCfg.CipherSuites = opts.TLSCipherSuites
 	}
-	if opts.TLSCurvePreferences == nil && len(tlsCfg.CurvePreferences) > 0 {
-		opts.TLSCurvePreferences = tlsCfg.CurvePreferences
+	if opts.TLSCurvePreferences != nil {
+		tlsCfg.CurvePreferences = opts.TLSCurvePreferences
 	}
 
-	if opts.TLSMinVersion != 0 && opts.TLSMinVersion != tls.VersionTLS12 && opts.TLSMinVersion != tls.VersionTLS13 {
-		return nil, fmt.Errorf("unsupported TLS minimum version %d: must be TLS 1.2 or TLS 1.3", opts.TLSMinVersion)
+	if tlsCfg.MinVersion != tls.VersionTLS12 && tlsCfg.MinVersion != tls.VersionTLS13 {
+		return nil, fmt.Errorf("unsupported TLS minimum version %d: must be TLS 1.2 or TLS 1.3", tlsCfg.MinVersion)
 	}
-	if opts.TLSMaxVersion != 0 && opts.TLSMinVersion > opts.TLSMaxVersion {
-		return nil, fmt.Errorf("TLS minimum version (%#x) is greater than maximum version (%#x)", opts.TLSMinVersion, opts.TLSMaxVersion)
+	if tlsCfg.MaxVersion != 0 && tlsCfg.MinVersion > tlsCfg.MaxVersion {
+		return nil, fmt.Errorf("TLS minimum version (%#x) is greater than maximum version (%#x)", tlsCfg.MinVersion, tlsCfg.MaxVersion)
 	}
 
 	syncCtx, cancel := context.WithCancel(context.Background())
@@ -240,42 +233,35 @@ func New(
 		// a new secret informer from it.
 		secretInformer := kubeinformerfactory.Get(ctx).Core().V1().Secrets()
 
-		//nolint:gosec // operator configures TLS min version (default is 1.3)
-		webhook.tlsConfig = &tls.Config{
-			MinVersion:       opts.TLSMinVersion,
-			MaxVersion:       opts.TLSMaxVersion,
-			CipherSuites:     opts.TLSCipherSuites,
-			CurvePreferences: opts.TLSCurvePreferences,
-
-			// If we return (nil, error) the client sees - 'tls: internal error"
-			// If we return (nil, nil) the client sees - 'tls: no certificates configured'
-			//
-			// We'll return (nil, nil) when we don't find a certificate
-			GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
-				secret, err := secretInformer.Lister().Secrets(system.Namespace()).Get(opts.SecretName)
-				if err != nil {
-					logger.Errorw("failed to fetch secret", zap.Error(err))
-					return nil, nil
-				}
-				webOpts := GetOptions(ctx)
-				sKey, sCert := getSecretDataKeyNamesOrDefault(webOpts.ServerPrivateKeyName, webOpts.ServerCertificateName)
-				serverKey, ok := secret.Data[sKey]
-				if !ok {
-					logger.Warn("server key missing")
-					return nil, nil
-				}
-				serverCert, ok := secret.Data[sCert]
-				if !ok {
-					logger.Warn("server cert missing")
-					return nil, nil
-				}
-				cert, err := tls.X509KeyPair(serverCert, serverKey)
-				if err != nil {
-					return nil, err
-				}
-				return &cert, nil
-			},
+		// If we return (nil, error) the client sees - 'tls: internal error'
+		// If we return (nil, nil) the client sees - 'tls: no certificates configured'
+		//
+		// We'll return (nil, nil) when we don't find a certificate
+		tlsCfg.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+			secret, err := secretInformer.Lister().Secrets(system.Namespace()).Get(opts.SecretName)
+			if err != nil {
+				logger.Errorw("failed to fetch secret", zap.Error(err))
+				return nil, nil
+			}
+			webOpts := GetOptions(ctx)
+			sKey, sCert := getSecretDataKeyNamesOrDefault(webOpts.ServerPrivateKeyName, webOpts.ServerCertificateName)
+			serverKey, ok := secret.Data[sKey]
+			if !ok {
+				logger.Warn("server key missing")
+				return nil, nil
+			}
+			serverCert, ok := secret.Data[sCert]
+			if !ok {
+				logger.Warn("server cert missing")
+				return nil, nil
+			}
+			cert, err := tls.X509KeyPair(serverCert, serverKey)
+			if err != nil {
+				return nil, err
+			}
+			return &cert, nil
 		}
+		webhook.tlsConfig = tlsCfg
 	}
 
 	webhook.mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {

vendor/modules.txt

@@ -1124,7 +1124,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/trace
-# knative.dev/eventing v0.48.1-0.20260303190100-ba8ac76433d4
+# knative.dev/eventing v0.48.1-0.20260304104053-26b9071e4ef3
 ## explicit; go 1.24.0
 knative.dev/eventing/pkg/adapter/v2
 knative.dev/eventing/pkg/adapter/v2/test
@@ -1200,7 +1200,7 @@ knative.dev/hack
 knative.dev/networking/pkg/apis/networking
 knative.dev/networking/pkg/apis/networking/v1alpha1
 knative.dev/networking/pkg/config
-# knative.dev/pkg v0.0.0-20260302190359-1f39e94ef003
+# knative.dev/pkg v0.0.0-20260304131155-a902bbfa38de
 ## explicit; go 1.25.0
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck
@@ -1279,7 +1279,7 @@ knative.dev/pkg/webhook/psbinding
 knative.dev/pkg/webhook/resourcesemantics
 knative.dev/pkg/webhook/resourcesemantics/defaulting
 knative.dev/pkg/webhook/resourcesemantics/validation
-# knative.dev/serving v0.48.1-0.20260303142400-89f3fe74309a
+# knative.dev/serving v0.48.1-0.20260304122354-f161c41d3df3
 ## explicit; go 1.25.0
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1