From 048684a401cee1bdb4f50785f6232677eb14a891 Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Sun, 30 Nov 2025 12:11:16 -0500 Subject: [PATCH 1/4] update deps to drop h2c lib --- go.mod | 2 + go.sum | 4 +- vendor/knative.dev/pkg/network/h2c.go | 69 ---------------- vendor/knative.dev/pkg/network/server.go | 37 +++++++++ vendor/knative.dev/pkg/network/transports.go | 87 ++++++++++++++++---- vendor/modules.txt | 3 +- 6 files changed, 116 insertions(+), 86 deletions(-) delete mode 100644 vendor/knative.dev/pkg/network/h2c.go create mode 100644 vendor/knative.dev/pkg/network/server.go diff --git a/go.mod b/go.mod index f4eef0571cdb..1e6597f18e1a 100644 --- a/go.mod +++ b/go.mod @@ -168,3 +168,5 @@ require ( sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect ) + +replace knative.dev/pkg => github.com/dprotaso/pkg v0.0.0-20251130181829-779b85906b73 diff --git a/go.sum b/go.sum index 4a9fa6845d71..b79662aacef4 100644 --- a/go.sum +++ b/go.sum @@ -111,6 +111,8 @@ github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBi github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= +github.com/dprotaso/pkg v0.0.0-20251130181829-779b85906b73 h1:jMvzA7UOksGYqUOS67I4Wka/apQr9MbpmHyvulzuwDs= +github.com/dprotaso/pkg v0.0.0-20251130181829-779b85906b73/go.mod h1:Eh9hwzqriXEfHiXcCuOYExUj7WH8prk57V6qSeO6m94= github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU= github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
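Review bot: The `replace knative.dev/pkg => github.com/dprotaso/pkg v0.0.0-20251130181829-779b85906b73` directive added at the end of go.mod points the build at a personal fork, and nothing next to it says it is temporary. I would add a comment above it such as `// TODO: drop this replace once the h2c removal lands in knative.dev/pkg` and keep the change unmerged until the directive is gone, so that released binaries are built from the canonical module. The vendored copy further down in this patch shows what the fork changes, and that code is best reviewed upstream. One point to raise there is that the h2 clone in NewProxyAutoTLSTransport calls `SetUnencryptedHTTP2(true)`, whereas the removed newH2Transport did not set AllowHTTP, so the TLS path may now permit cleartext HTTP/2 where it did not before.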
@@ -592,8 +594,6 @@ knative.dev/hack v0.0.0-20251126013634-1484a9e9b641 h1:N9Xqx3YLUNFN1WIc3UXTanK4j knative.dev/hack v0.0.0-20251126013634-1484a9e9b641/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0= knative.dev/networking v0.0.0-20251126213812-ebe48fd53262 h1:CEFraQgj5csZPv2NgCA4h8Bz09BEUo5nFBOE552KV/8= knative.dev/networking v0.0.0-20251126213812-ebe48fd53262/go.mod h1:nxN+sYiQCoT2FLgSMTShXYmYYcb7rALHSOz6l5RjCp4= -knative.dev/pkg v0.0.0-20251126013532-e853b1d1d6bb h1:JhpOj4b8wdTjbahkCyZUaFlkuHib/6uCVyjPI/W4MPg= -knative.dev/pkg v0.0.0-20251126013532-e853b1d1d6bb/go.mod h1:KFRQGFIcsdi9fDto0lGkcz/NwnNr/8hq9mmLyBuLkro= pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw= pgregory.net/rapid v1.1.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04= sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= diff --git a/vendor/knative.dev/pkg/network/h2c.go b/vendor/knative.dev/pkg/network/h2c.go deleted file mode 100644 index d0608be7221b..000000000000 --- a/vendor/knative.dev/pkg/network/h2c.go +++ /dev/null 
@@ -1,69 +0,0 @@ -/* -Copyright 2019 The Knative Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package network - -import ( - "context" - "crypto/tls" - "net" - "net/http" - "time" - - "golang.org/x/net/http2" - "golang.org/x/net/http2/h2c" -) - -// NewServer returns a new HTTP Server with HTTP2 handler. -func NewServer(addr string, h http.Handler) *http.Server { - h1s := &http.Server{ - Addr: addr, - Handler: h2c.NewHandler(h, &http2.Server{}), - ReadHeaderTimeout: time.Minute, // https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6 - } - - return h1s -} - -// NewH2CTransport constructs a new H2C transport. -// That transport will reroute all HTTPS traffic to HTTP. This is -// to explicitly allow h2c (http2 without TLS) transport. -// See https://github.com/golang/go/issues/14141 for more details. -func NewH2CTransport() http.RoundTripper { - return newH2CTransport(false) -} - -func newH2CTransport(disableCompression bool) http.RoundTripper { - return &http2.Transport{ - AllowHTTP: true, - DisableCompression: disableCompression, - DialTLS: func(netw, addr string, _ *tls.Config) (net.Conn, error) { - return DialWithBackOff(context.Background(), - netw, addr) - }, - } -} - -// newH2Transport constructs a neew H2 transport. That transport will handles HTTPS traffic -// with TLS config. 
-func newH2Transport(disableCompression bool, tlsContext DialTLSContextFunc) http.RoundTripper { - return &http2.Transport{ - DisableCompression: disableCompression, - DialTLSContext: func(ctx context.Context, network, addr string, cfg *tls.Config) (net.Conn, error) { - return tlsContext(ctx, network, addr) - }, - } -} diff --git a/vendor/knative.dev/pkg/network/server.go b/vendor/knative.dev/pkg/network/server.go new file mode 100644 index 000000000000..fbf68ced1e37 --- /dev/null +++ b/vendor/knative.dev/pkg/network/server.go @@ -0,0 +1,37 @@ +/* +Copyright 2025 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package network + +import ( + "net/http" + "time" +) + +func NewServer(addr string, h http.Handler) *http.Server { + var protocols http.Protocols + protocols.SetHTTP1(true) + protocols.SetUnencryptedHTTP2(true) + + return &http.Server{ + Addr: addr, + Handler: h, + Protocols: &protocols, + + // https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6 + ReadHeaderTimeout: time.Minute, + } +} diff --git a/vendor/knative.dev/pkg/network/transports.go b/vendor/knative.dev/pkg/network/transports.go index ce8a72b4ebc2..27ce287fd428 100644 --- a/vendor/knative.dev/pkg/network/transports.go +++ b/vendor/knative.dev/pkg/network/transports.go 
@@ -117,7 +117,15 @@ func dialBackOffHelper(ctx context.Context, network, address string, bo wait.Bac return nil, fmt.Errorf("%w %s after %.2fs", ErrTimeoutDialing, address, elapsed.Seconds()) } -func newHTTPTransport(disableKeepAlives, disableCompression bool, maxIdle, maxIdlePerHost int) http.RoundTripper { +func newHTTPTransport( + disableKeepAlives, + disableCompression bool, + maxIdle, + maxIdlePerHost int, +) *http.Transport { + var protocols http.Protocols + protocols.SetHTTP1(true) + transport := http.DefaultTransport.(*http.Transport).Clone() transport.DialContext = DialWithBackOff transport.DisableKeepAlives = disableKeepAlives @@ -125,12 +133,23 @@ func newHTTPTransport(disableKeepAlives, disableCompression bool, maxIdle, maxId transport.MaxIdleConnsPerHost = maxIdlePerHost transport.ForceAttemptHTTP2 = false transport.DisableCompression = disableCompression + transport.Protocols = &protocols + return transport } type DialTLSContextFunc func(ctx context.Context, network, addr string) (net.Conn, error) -func newHTTPSTransport(disableKeepAlives, disableCompression bool, maxIdle, maxIdlePerHost int, tlsContext DialTLSContextFunc) http.RoundTripper { +func newHTTPSTransport( + disableKeepAlives, + disableCompression bool, + maxIdle, + maxIdlePerHost int, + tlsContext DialTLSContextFunc, +) *http.Transport { + var protocols http.Protocols + protocols.SetHTTP1(true) + transport := http.DefaultTransport.(*http.Transport).Clone() transport.DisableKeepAlives = disableKeepAlives transport.MaxIdleConns = maxIdle @@ -138,6 +157,7 @@ func newHTTPSTransport(disableKeepAlives, disableCompression bool, maxIdle, maxI transport.ForceAttemptHTTP2 = false transport.DisableCompression = disableCompression transport.DialTLSContext = tlsContext + transport.Protocols = &protocols return transport } 
@@ -145,33 +165,72 @@ func newHTTPSTransport(disableKeepAlives, disableCompression bool, maxIdle, maxI // NewProberTransport creates a RoundTripper that is useful for probing, // since it will not cache connections. func NewProberTransport() http.RoundTripper { - return newAutoTransport( - newHTTPTransport(true /*disable keep-alives*/, false /*disable auto-compression*/, 0, 0 /*no caching*/), - NewH2CTransport()) + http := newHTTPTransport( + true, /*disable keep-alives*/ + false, /*disable auto-compression*/ + 0, /*max idle*/ + 0, /*no caching*/ + ) + + // h2 prior knowledge + h2 := http.Clone() + h2.Protocols.SetHTTP1(false) + h2.Protocols.SetUnencryptedHTTP2(true) + + return newAutoTransport(http, h2) } // NewProxyAutoTLSTransport is same with NewProxyAutoTransport but it has DialTLSContextFunc to create HTTPS request. func NewProxyAutoTLSTransport(maxIdle, maxIdlePerHost int, tlsContext DialTLSContextFunc) http.RoundTripper { - return newAutoTransport( - newHTTPSTransport(false /*disable keep-alives*/, true /*disable auto-compression*/, maxIdle, maxIdlePerHost, tlsContext), - newH2Transport(true /*disable auto-compression*/, tlsContext)) + https := newHTTPSTransport( + false, /*disable keep-alives*/ + true, /*disable auto-compression*/ + maxIdle, + maxIdlePerHost, + tlsContext, + ) + + h2 := https.Clone() + h2.Protocols.SetHTTP1(false) + h2.Protocols.SetHTTP2(true) + h2.Protocols.SetUnencryptedHTTP2(true) + + return newAutoTransport(https, h2) } // NewAutoTransport creates a RoundTripper that can use appropriate transport // based on the request's HTTP version. 
func NewAutoTransport(maxIdle, maxIdlePerHost int) http.RoundTripper { - return newAutoTransport( - newHTTPTransport(false /*disable keep-alives*/, false /*disable auto-compression*/, maxIdle, maxIdlePerHost), - newH2CTransport(false /*disable auto-compression*/)) + http := newHTTPTransport( + false, /*disable keep-alives*/ + false, /*disable auto-compression*/ + maxIdle, + maxIdlePerHost, + ) + + h2 := http.Clone() + h2.Protocols.SetHTTP1(false) + h2.Protocols.SetUnencryptedHTTP2(true) + + return newAutoTransport(http, h2) } // NewProxyAutoTransport creates a RoundTripper suitable for use by a reverse // proxy. The returned transport uses HTTP or H2C based on the request's HTTP // version. The transport has DisableCompression set to true. func NewProxyAutoTransport(maxIdle, maxIdlePerHost int) http.RoundTripper { - return newAutoTransport( - newHTTPTransport(false /*disable keep-alives*/, true /*disable auto-compression*/, maxIdle, maxIdlePerHost), - newH2CTransport(true /*disable auto-compression*/)) + http := newHTTPTransport( + false, /*disable keep-alives*/ + true, /*disable auto-compression*/ + maxIdle, + maxIdlePerHost, + ) + + h2 := http.Clone() + h2.Protocols.SetHTTP1(false) + h2.Protocols.SetUnencryptedHTTP2(true) + + return newAutoTransport(http, h2) } // AutoTransport uses h2c for HTTP2 requests and falls back to `http.DefaultTransport` for all others diff --git a/vendor/modules.txt b/vendor/modules.txt index 72fd6f820e25..422fa94d9d5f 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1522,7 +1522,7 @@ knative.dev/networking/pkg/http/proxy knative.dev/networking/pkg/http/stats knative.dev/networking/pkg/ingress knative.dev/networking/pkg/prober -# knative.dev/pkg v0.0.0-20251126013532-e853b1d1d6bb +# knative.dev/pkg v0.0.0-20251126013532-e853b1d1d6bb => github.com/dprotaso/pkg v0.0.0-20251130181829-779b85906b73 ## explicit; go 1.24.0 knative.dev/pkg/apiextensions/storageversion knative.dev/pkg/apiextensions/storageversion/cmd/migrate 
@@ -1669,3 +1669,4 @@ sigs.k8s.io/structured-merge-diff/v6/value # sigs.k8s.io/yaml v1.6.0 ## explicit; go 1.22 sigs.k8s.io/yaml +# knative.dev/pkg => github.com/dprotaso/pkg v0.0.0-20251130181829-779b85906b73 From 47f4d5f0ca8dbaad9422c9b9f15a44e8f606ac22 Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Sun, 30 Nov 2025 15:20:27 -0500 Subject: [PATCH 2/4] debug --- test/e2e_flags.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e_flags.go b/test/e2e_flags.go index c714dfa3e59a..4b27fcfec6d9 100644 --- a/test/e2e_flags.go +++ b/test/e2e_flags.go @@ -85,7 +85,7 @@ func initializeServingFlags() *ServingEnvironmentFlags { flag.BoolVar(&f.DisableOptionalAPI, "disable-optional-api", false, "Set this flag to skip conformance tests against optional API.") - flag.BoolVar(&f.SkipCleanupOnFail, "skip-cleanup-on-fail", false, "Set this flag to skip cleanup if test fails.") + flag.BoolVar(&f.SkipCleanupOnFail, "skip-cleanup-on-fail", true, "Set this flag to skip cleanup if test fails.") flag.StringVar(&f.TestNamespace, "test-namespace", "serving-tests", "Set this flag to change the default namespace for running tests.") From c8afa39dd489a0b307240b746f64972ed1ffe760 Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Sun, 30 Nov 2025 16:41:35 -0500 Subject: [PATCH 3/4] include change that enables http2 --- go.mod | 2 +- go.sum | 4 ++-- vendor/knative.dev/pkg/network/server.go | 1 + vendor/modules.txt | 4 ++-- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 1e6597f18e1a..9a0a80620efa 100644 --- a/go.mod +++ b/go.mod @@ -169,4 +169,4 @@ require ( sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect ) -replace knative.dev/pkg => github.com/dprotaso/pkg v0.0.0-20251130181829-779b85906b73 +replace knative.dev/pkg => github.com/dprotaso/pkg v0.0.0-20251130213149-b24adc693a81 diff --git a/go.sum b/go.sum index b79662aacef4..fa9c86b186e7 100644 --- a/go.sum +++ b/go.sum 
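Review bot: The default of `skip-cleanup-on-fail` in test/e2e_flags.go flips from false to true under a commit titled "debug", which looks like a local debugging aid rather than an intended change. With this default every failed run leaves its test resources behind unless the caller passes `-skip-cleanup-on-fail=false`, and the help text "Set this flag to skip cleanup if test fails." no longer matches how the flag has to be used. I would keep the default `false` in the `flag.BoolVar(&f.SkipCleanupOnFail, ...)` call and pass `-skip-cleanup-on-fail` only in the job that needs the leftovers for inspection. initializeServingFlags starts and ends outside this hunk.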
@@ -111,8 +111,8 @@ github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBi github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= -github.com/dprotaso/pkg v0.0.0-20251130181829-779b85906b73 h1:jMvzA7UOksGYqUOS67I4Wka/apQr9MbpmHyvulzuwDs= -github.com/dprotaso/pkg v0.0.0-20251130181829-779b85906b73/go.mod h1:Eh9hwzqriXEfHiXcCuOYExUj7WH8prk57V6qSeO6m94= +github.com/dprotaso/pkg v0.0.0-20251130213149-b24adc693a81 h1:7YeAKV/I+qI9cTjspBgyq2b9Weu2xiyBYXwqiIpy/Fc= +github.com/dprotaso/pkg v0.0.0-20251130213149-b24adc693a81/go.mod h1:Eh9hwzqriXEfHiXcCuOYExUj7WH8prk57V6qSeO6m94= github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU= github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= diff --git a/vendor/knative.dev/pkg/network/server.go b/vendor/knative.dev/pkg/network/server.go index fbf68ced1e37..9f57982a814d 100644 --- a/vendor/knative.dev/pkg/network/server.go +++ b/vendor/knative.dev/pkg/network/server.go @@ -24,6 +24,7 @@ import ( func NewServer(addr string, h http.Handler) *http.Server { var protocols http.Protocols protocols.SetHTTP1(true) + protocols.SetHTTP2(true) protocols.SetUnencryptedHTTP2(true) return &http.Server{ diff --git a/vendor/modules.txt b/vendor/modules.txt index 422fa94d9d5f..a58d3940a133 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -1522,7 +1522,7 @@ knative.dev/networking/pkg/http/proxy knative.dev/networking/pkg/http/stats knative.dev/networking/pkg/ingress knative.dev/networking/pkg/prober -# knative.dev/pkg v0.0.0-20251126013532-e853b1d1d6bb => github.com/dprotaso/pkg v0.0.0-20251130181829-779b85906b73 +# knative.dev/pkg v0.0.0-20251126013532-e853b1d1d6bb => github.com/dprotaso/pkg v0.0.0-20251130213149-b24adc693a81 ## explicit; go 1.24.0 knative.dev/pkg/apiextensions/storageversion knative.dev/pkg/apiextensions/storageversion/cmd/migrate @@ -1669,4 +1669,4 @@ sigs.k8s.io/structured-merge-diff/v6/value # sigs.k8s.io/yaml v1.6.0 ## explicit; go 1.22 sigs.k8s.io/yaml -# knative.dev/pkg => github.com/dprotaso/pkg v0.0.0-20251130181829-779b85906b73 +# knative.dev/pkg => github.com/dprotaso/pkg v0.0.0-20251130213149-b24adc693a81 From f2547c2c4e6f76315324d910799b64c86a7cdfe5 Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Mon, 1 Dec 2025 09:58:04 -0500 Subject: [PATCH 4/4] add contour tls testing in github actions --- .github/workflows/kind-e2e.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/kind-e2e.yaml b/.github/workflows/kind-e2e.yaml index 5ffb3ad2f52a..aa31f669755f 100644 --- a/.github/workflows/kind-e2e.yaml +++ b/.github/workflows/kind-e2e.yaml @@ -94,6 +94,7 @@ jobs: # Disabled due to flakiness: https://github.com/knative/serving/issues/14637 # - istio-ambient - contour + - contour-tls - gateway_istio - gateway_contour @@ -135,6 +136,10 @@ jobs: ingress-class: kourier enable-tls: 1 + - ingress: contour-tls + ingress-class: contour + enable-tls: 1 + - test-suite: runtime test-path: ./test/conformance/runtime/...