From e552ba7da5dc59559a98f0e002ea38c9081f6b3e Mon Sep 17 00:00:00 2001
From: Knative Automation
Date: Wed, 4 Mar 2026 13:50:25 +0000
Subject: [PATCH] upgrade to latest dependencies
bumping knative.dev/eventing ba8ac76...26b9071:
> 26b9071 make sinkbinding oidc-token volume mount readOnly (# 8894)
bumping knative.dev/serving 89f3fe7...f161c41:
> f161c41 Update net-istio nightly (# 16426)
bumping knative.dev/pkg 1f39e94...a902bbf:
> a902bbf Replace NewConfigFromEnv with DefaultConfigFromEnv (# 3328)
Signed-off-by: Knative Automation
---
 go.mod | 6 +-
 go.sum | 12 +--
 .../apis/sources/v1/sinkbinding_lifecycle.go | 2 +
 vendor/knative.dev/pkg/tls/config.go | 34 ++-----
 vendor/knative.dev/pkg/webhook/env.go | 2 +-
 vendor/knative.dev/pkg/webhook/webhook.go | 96 ++++++++-----
 vendor/modules.txt | 6 +-
 7 files changed, 63 insertions(+), 95 deletions(-)
diff --git a/go.mod b/go.mod
index 7675822b1..fd35d0ef4 100644
--- a/go.mod
+++ b/go.mod
@@ -15,10 +15,10 @@ require (
 k8s.io/apimachinery v0.35.2
 k8s.io/client-go v0.35.2
 k8s.io/code-generator v0.35.2
- knative.dev/eventing v0.48.1-0.20260303190100-ba8ac76433d4
+ knative.dev/eventing v0.48.1-0.20260304104053-26b9071e4ef3
 knative.dev/hack v0.0.0-20260212092700-0126b283bf20
- knative.dev/pkg v0.0.0-20260302190359-1f39e94ef003
- knative.dev/serving v0.48.1-0.20260303142400-89f3fe74309a
+ knative.dev/pkg v0.0.0-20260304131155-a902bbfa38de
+ knative.dev/serving v0.48.1-0.20260304122354-f161c41d3df3
 )
 
 require (
diff --git a/go.sum b/go.sum
index d4b53b0cf..2538efbec 100644
--- a/go.sum
+++ b/go.sum
@@ -364,16 +364,16 @@ k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZ
 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.48.1-0.20260303190100-ba8ac76433d4 h1:KaJAdxxaV9IbtvFzoJuh1vFE47/+c9rlsCCsJUHwzms=
-knative.dev/eventing v0.48.1-0.20260303190100-ba8ac76433d4/go.mod h1:HseSdM0vR//gaW5g0+iU1ApPJZ1mInL+A7DD8kef1sU=
+knative.dev/eventing v0.48.1-0.20260304104053-26b9071e4ef3 h1:wujjcmDVnCMkpwZaG2ybXjSjOf57jBf2+x84ChvNY+c=
+knative.dev/eventing v0.48.1-0.20260304104053-26b9071e4ef3/go.mod h1:HseSdM0vR//gaW5g0+iU1ApPJZ1mInL+A7DD8kef1sU=
 knative.dev/hack v0.0.0-20260212092700-0126b283bf20 h1:Ocya6ILPQxGrozD5gPELC4J2ASnqvTLvYGJjddKr4Fs=
 knative.dev/hack v0.0.0-20260212092700-0126b283bf20/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0=
 knative.dev/networking v0.0.0-20260223015858-080d52fcffb4 h1:ZXE3pdtSPB0quCfAFUodFT+VsT2Xaoqdj4r//O+zk18=
 knative.dev/networking v0.0.0-20260223015858-080d52fcffb4/go.mod h1:ITVa/pZZpgmev4E64KDICg9ZC87YLulpF4J8iMgons4=
-knative.dev/pkg v0.0.0-20260302190359-1f39e94ef003 h1:VG+CUgVKm+mLEudP16wLj++xDM2PuVFeua9+MLLBUa8=
-knative.dev/pkg v0.0.0-20260302190359-1f39e94ef003/go.mod h1:mV8s7Uc92am8byZSJPIaVm1NBr0h8vsFL+sEEvMoBbk=
-knative.dev/serving v0.48.1-0.20260303142400-89f3fe74309a h1:UqpGzMDykdinOeGuWPtWKw1LgZyKoFcFxVEnYe2yt1I=
-knative.dev/serving v0.48.1-0.20260303142400-89f3fe74309a/go.mod h1:5EbHL9BqS4wVEXINAc7oSrQojcDh9i6tEiACyEApiLM=
+knative.dev/pkg v0.0.0-20260304131155-a902bbfa38de h1:cz1QT/L7SNC+dF47xYRPJt1WRP/HfTx8+KoZjmGA8V8=
+knative.dev/pkg v0.0.0-20260304131155-a902bbfa38de/go.mod h1:mV8s7Uc92am8byZSJPIaVm1NBr0h8vsFL+sEEvMoBbk=
+knative.dev/serving v0.48.1-0.20260304122354-f161c41d3df3 h1:bDZ+w8ULeTMotPmBvppuFYyXFLOkuMpP3yUPIKCMm70=
+knative.dev/serving v0.48.1-0.20260304122354-f161c41d3df3/go.mod h1:5EbHL9BqS4wVEXINAc7oSrQojcDh9i6tEiACyEApiLM=
 sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM=
 sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
diff --git a/vendor/knative.dev/eventing/pkg/apis/sources/v1/sinkbinding_lifecycle.go b/vendor/knative.dev/eventing/pkg/apis/sources/v1/sinkbinding_lifecycle.go
index 9b7101bbc..b369d91a8 100644
--- a/vendor/knative.dev/eventing/pkg/apis/sources/v1/sinkbinding_lifecycle.go
+++ b/vendor/knative.dev/eventing/pkg/apis/sources/v1/sinkbinding_lifecycle.go
@@ -262,12 +262,14 @@ func (sb *SinkBinding) Do(ctx context.Context, ps *duckv1.WithPod) {
 ps.Spec.Template.Spec.Containers[i].VolumeMounts = append(ps.Spec.Template.Spec.Containers[i].VolumeMounts, corev1.VolumeMount{
 Name: oidcTokenVolumeName,
 MountPath: "/oidc",
+ ReadOnly: true,
 })
 }
 for i := range ps.Spec.Template.Spec.InitContainers {
 ps.Spec.Template.Spec.InitContainers[i].VolumeMounts = append(ps.Spec.Template.Spec.InitContainers[i].VolumeMounts, corev1.VolumeMount{
 Name: oidcTokenVolumeName,
 MountPath: "/oidc",
+ ReadOnly: true,
 })
 }
 }
diff --git a/vendor/knative.dev/pkg/tls/config.go b/vendor/knative.dev/pkg/tls/config.go
index 4d07cbb5b..6cd205bae 100644
--- a/vendor/knative.dev/pkg/tls/config.go
+++ b/vendor/knative.dev/pkg/tls/config.go
@@ -33,22 +33,14 @@ const (
 CurvePreferencesEnvKey = "TLS_CURVE_PREFERENCES"
 )
 
-// Config holds parsed TLS configuration values that can be used
-// to build a *crypto/tls.Config.
-type Config struct {
- MinVersion uint16
- MaxVersion uint16
- CipherSuites []uint16
- CurvePreferences []cryptotls.CurveID
-}
-
-// NewConfigFromEnv reads TLS configuration from environment variables and
-// returns a Config. The prefix is prepended to each standard env-var suffix;
+// DefaultConfigFromEnv returns a tls.Config with secure defaults.
+// The prefix is prepended to each standard env-var suffix;
 // for example with prefix "WEBHOOK_" the function reads
 // WEBHOOK_TLS_MIN_VERSION, WEBHOOK_TLS_MAX_VERSION, etc.
-// Fields whose corresponding env var is unset are left at their zero value.
-func NewConfigFromEnv(prefix string) (*Config, error) {
- var cfg Config
+func DefaultConfigFromEnv(prefix string) (*cryptotls.Config, error) {
+ cfg := &cryptotls.Config{
+ MinVersion: cryptotls.VersionTLS13,
+ }
 
 if v := os.Getenv(prefix + MinVersionEnvKey); v != "" {
 ver, err := parseVersion(v)
@@ -82,19 +74,7 @@ func NewConfigFromEnv(prefix string) (*Config, error) {
 cfg.CurvePreferences = curves
 }
 
- return &cfg, nil
-}
-
-// TLSConfig constructs a *crypto/tls.Config from the parsed configuration.
-// The caller typically adds additional fields such as GetCertificate.
-func (c *Config) TLSConfig() *cryptotls.Config {
-//nolint:gosec // Min version is caller-configurable; default is TLS 1.3.
-return &cryptotls.Config{
-MinVersion: c.MinVersion,
-MaxVersion: c.MaxVersion,
-CipherSuites: c.CipherSuites,
-CurvePreferences: c.CurvePreferences,
-}
+ return cfg, nil
 }
 
 // parseVersion converts a TLS version string to the corresponding
diff --git a/vendor/knative.dev/pkg/webhook/env.go b/vendor/knative.dev/pkg/webhook/env.go
index 1dd38585b..0a9f0b8dd 100644
--- a/vendor/knative.dev/pkg/webhook/env.go
+++ b/vendor/knative.dev/pkg/webhook/env.go
@@ -72,7 +72,7 @@ func SecretNameFromEnv(defaultSecretName string) string {
 return secret
 }
 
-// Deprecated: Use knative.dev/pkg/tls.NewConfigFromEnv instead.
+// Deprecated: Use knative.dev/pkg/tls.DefaultConfigFromEnv instead.
 // TLS configuration is now read automatically inside webhook.New via the shared tls package.
 func TLSMinVersionFromEnv(defaultTLSMinVersion uint16) uint16 {
 switch tlsMinVersion := os.Getenv(tlsMinVersionEnvKey); tlsMinVersion {
diff --git a/vendor/knative.dev/pkg/webhook/webhook.go b/vendor/knative.dev/pkg/webhook/webhook.go
index 8f3a3701c..ae25d777f 100644
--- a/vendor/knative.dev/pkg/webhook/webhook.go
+++ b/vendor/knative.dev/pkg/webhook/webhook.go
@@ -191,36 +191,29 @@ func New(
 
 logger := logging.FromContext(ctx)
 
- tlsCfg, err := knativetls.NewConfigFromEnv("WEBHOOK_")
+ tlsCfg, err := knativetls.DefaultConfigFromEnv("WEBHOOK_")
 if err != nil {
 return nil, fmt.Errorf("reading TLS configuration from environment: %w", err)
 }
 
- // Replace the TLS configuration with the one from the environment if not set.
- // Default to TLS 1.3 as the minimum version when neither the caller nor the
- // environment specifies one.
- if opts.TLSMinVersion == 0 {
- if tlsCfg.MinVersion != 0 {
- opts.TLSMinVersion = tlsCfg.MinVersion
- } else {
- opts.TLSMinVersion = tls.VersionTLS13
- }
+ if opts.TLSMinVersion != 0 {
+ tlsCfg.MinVersion = opts.TLSMinVersion
 }
- if opts.TLSMaxVersion == 0 && tlsCfg.MaxVersion != 0 {
- opts.TLSMaxVersion = tlsCfg.MaxVersion
+ if opts.TLSMaxVersion != 0 {
+ tlsCfg.MaxVersion = opts.TLSMaxVersion
 }
- if opts.TLSCipherSuites == nil && len(tlsCfg.CipherSuites) > 0 {
- opts.TLSCipherSuites = tlsCfg.CipherSuites
+ if opts.TLSCipherSuites != nil {
+ tlsCfg.CipherSuites = opts.TLSCipherSuites
 }
- if opts.TLSCurvePreferences == nil && len(tlsCfg.CurvePreferences) > 0 {
- opts.TLSCurvePreferences = tlsCfg.CurvePreferences
+ if opts.TLSCurvePreferences != nil {
+ tlsCfg.CurvePreferences = opts.TLSCurvePreferences
 }
 
- if opts.TLSMinVersion != 0 && opts.TLSMinVersion != tls.VersionTLS12 && opts.TLSMinVersion != tls.VersionTLS13 {
- return nil, fmt.Errorf("unsupported TLS minimum version %d: must be TLS 1.2 or TLS 1.3", opts.TLSMinVersion)
+ if tlsCfg.MinVersion != tls.VersionTLS12 && tlsCfg.MinVersion != tls.VersionTLS13 {
+ return nil, fmt.Errorf("unsupported TLS minimum version %d: must be TLS 1.2 or TLS 1.3", tlsCfg.MinVersion)
 }
- if opts.TLSMaxVersion != 0 && opts.TLSMinVersion > opts.TLSMaxVersion {
- return nil, fmt.Errorf("TLS minimum version (%#x) is greater than maximum version (%#x)", opts.TLSMinVersion, opts.TLSMaxVersion)
+ if tlsCfg.MaxVersion != 0 && tlsCfg.MinVersion > tlsCfg.MaxVersion {
+ return nil, fmt.Errorf("TLS minimum version (%#x) is greater than maximum version (%#x)", tlsCfg.MinVersion, tlsCfg.MaxVersion)
 }
 
 syncCtx, cancel := context.WithCancel(context.Background())
@@ -240,42 +233,35 @@ func New(
 // a new secret informer from it.
 secretInformer := kubeinformerfactory.Get(ctx).Core().V1().Secrets()
 
- //nolint:gosec // operator configures TLS min version (default is 1.3)
- webhook.tlsConfig = &tls.Config{
- MinVersion: opts.TLSMinVersion,
- MaxVersion: opts.TLSMaxVersion,
- CipherSuites: opts.TLSCipherSuites,
- CurvePreferences: opts.TLSCurvePreferences,
-
- // If we return (nil, error) the client sees - 'tls: internal error"
- // If we return (nil, nil) the client sees - 'tls: no certificates configured'
- //
- // We'll return (nil, nil) when we don't find a certificate
- GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
- secret, err := secretInformer.Lister().Secrets(system.Namespace()).Get(opts.SecretName)
- if err != nil {
- logger.Errorw("failed to fetch secret", zap.Error(err))
- return nil, nil
- }
- webOpts := GetOptions(ctx)
- sKey, sCert := getSecretDataKeyNamesOrDefault(webOpts.ServerPrivateKeyName, webOpts.ServerCertificateName)
- serverKey, ok := secret.Data[sKey]
- if !ok {
- logger.Warn("server key missing")
- return nil, nil
- }
- serverCert, ok := secret.Data[sCert]
- if !ok {
- logger.Warn("server cert missing")
- return nil, nil
- }
- cert, err := tls.X509KeyPair(serverCert, serverKey)
- if err != nil {
- return nil, err
- }
- return &cert, nil
- },
+ // If we return (nil, error) the client sees - 'tls: internal error'
+ // If we return (nil, nil) the client sees - 'tls: no certificates configured'
+ //
+ // We'll return (nil, nil) when we don't find a certificate
+ tlsCfg.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+ secret, err := secretInformer.Lister().Secrets(system.Namespace()).Get(opts.SecretName)
+ if err != nil {
+ logger.Errorw("failed to fetch secret", zap.Error(err))
+ return nil, nil
+ }
+ webOpts := GetOptions(ctx)
+ sKey, sCert := getSecretDataKeyNamesOrDefault(webOpts.ServerPrivateKeyName, webOpts.ServerCertificateName)
+ serverKey, ok := secret.Data[sKey]
+ if !ok {
+ logger.Warn("server key missing")
+ return nil, nil
+ }
+ serverCert, ok := secret.Data[sCert]
+ if !ok {
+ logger.Warn("server cert missing")
+ return nil, nil
+ }
+ cert, err := tls.X509KeyPair(serverCert, serverKey)
+ if err != nil {
+ return nil, err
+ }
+ return &cert, nil
 }
+ webhook.tlsConfig = tlsCfg
 }
 
 webhook.mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b0b7f7c84..2a31120e6 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1124,7 +1124,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/trace
-# knative.dev/eventing v0.48.1-0.20260303190100-ba8ac76433d4
+# knative.dev/eventing v0.48.1-0.20260304104053-26b9071e4ef3
 ## explicit; go 1.24.0
 knative.dev/eventing/pkg/adapter/v2
 knative.dev/eventing/pkg/adapter/v2/test
@@ -1200,7 +1200,7 @@ knative.dev/hack
 knative.dev/networking/pkg/apis/networking
 knative.dev/networking/pkg/apis/networking/v1alpha1
 knative.dev/networking/pkg/config
-# knative.dev/pkg v0.0.0-20260302190359-1f39e94ef003
+# knative.dev/pkg v0.0.0-20260304131155-a902bbfa38de
 ## explicit; go 1.25.0
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck
@@ -1279,7 +1279,7 @@ knative.dev/pkg/webhook/psbinding
 knative.dev/pkg/webhook/resourcesemantics
 knative.dev/pkg/webhook/resourcesemantics/defaulting
 knative.dev/pkg/webhook/resourcesemantics/validation
-# knative.dev/serving v0.48.1-0.20260303142400-89f3fe74309a
+# knative.dev/serving v0.48.1-0.20260304122354-f161c41d3df3
 ## explicit; go 1.25.0
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1