upgrade to latest dependencies (#1264)

bumping knative.dev/pkg df28fea...0c39ce4:
  > 0c39ce4 Allow to disable http2 for the webhook (# 2877)
bumping knative.dev/reconciler-test 4ae7322...616ce2c:
  > 616ce2c Improve error message when deleting resources (# 619)
  > a27023d Copy pull secrets to SA for eventshub (# 614)
  > 6eb37a7 upgrade to latest dependencies (# 605)
bumping knative.dev/eventing 7de3ecc...37dc77d:
  > 37dc77d [release-1.10] bump x/net to v0.17 (# 7353)

Signed-off-by: Knative Automation <[email protected]>

go.mod

@@ -21,10 +21,10 @@ require (
 	k8s.io/client-go v0.25.4
 	k8s.io/code-generator v0.25.4
 	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1
-	knative.dev/eventing v0.37.3
+	knative.dev/eventing v0.37.4
 	knative.dev/hack v0.0.0-20230417170854-f591fea109b3
-	knative.dev/pkg v0.0.0-20231011201526-df28feae6d34
-	knative.dev/reconciler-test v0.0.0-20230928102338-4ae7322c84fa
+	knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f
+	knative.dev/reconciler-test v0.0.0-20231023114053-616ce2cecb19
 	sigs.k8s.io/controller-runtime v0.11.2
 )
 

go.sum

@@ -1028,14 +1028,14 @@ k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkI
 k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.37.3 h1:TFJS/bcWJbcY4YvGg+LNEm0qdmeaMAHdUGHKuOmnX9E=
-knative.dev/eventing v0.37.3/go.mod h1:DFZEmPkisDkr3jbTQd6mK+Dno3k9yacSgbkJGIDWg3c=
+knative.dev/eventing v0.37.4 h1:JPgz4VvYY0/YO9O+5Y4FNUhuZKNxE1Soo8zKs7JdTBU=
+knative.dev/eventing v0.37.4/go.mod h1:oGwuBilJ14D1AJyRnsVR3iujY8aw2mhhPSDFCfUaTis=
 knative.dev/hack v0.0.0-20230417170854-f591fea109b3 h1:+W4WBOq83tfGXKhtv8OB/uJeYqze3zh69GKiz1ucuqk=
 knative.dev/hack v0.0.0-20230417170854-f591fea109b3/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/pkg v0.0.0-20231011201526-df28feae6d34 h1:H+K37bEBZ2STSWMjCgrdilj38KKZGVxBbob22K99Y50=
-knative.dev/pkg v0.0.0-20231011201526-df28feae6d34/go.mod h1:ZRgzFBFmdBsARm6+Pkr9WRG8bXys8rYq64ELfLG6+9w=
-knative.dev/reconciler-test v0.0.0-20230928102338-4ae7322c84fa h1:e8YtAgy9ZXjpbyS47nF2AhMJ3NRB1vUDfXwI0EANEKg=
-knative.dev/reconciler-test v0.0.0-20230928102338-4ae7322c84fa/go.mod h1:By7fsbkjKWbTmxwAs9lL1itxZI1otbhiEsAZmprEtvI=
+knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f h1:XCH1qZqW1riR8cjhMGjewxQXlWPrfgxeUorBjpC6lE4=
+knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f/go.mod h1:ZRgzFBFmdBsARm6+Pkr9WRG8bXys8rYq64ELfLG6+9w=
+knative.dev/reconciler-test v0.0.0-20231023114053-616ce2cecb19 h1:E7gYUPhZs4yOlBD8taIy7OBmVCsegNlggQcIPYIIFbg=
+knative.dev/reconciler-test v0.0.0-20231023114053-616ce2cecb19/go.mod h1:5eaMf3A7YtrddJul/ddiv3zOC4wPx40Ndsq4jq0oM/c=
 pgregory.net/rapid v0.3.3 h1:jCjBsY4ln4Atz78QoBWxUEvAHaFyNDQg9+WU62aCn1U=
 pgregory.net/rapid v0.3.3/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

vendor/knative.dev/pkg/webhook/webhook.go

@@ -67,6 +67,17 @@ type Options struct {
 	// GracePeriod is how long to wait after failing readiness probes
 	// before shutting down.
 	GracePeriod time.Duration
+
+	// EnableHTTP2 enables HTTP2 for webhooks.
+	// Mitigate CVE-2023-44487 by disabling HTTP2 by default until the Go
+	// standard library and golang.org/x/net are fully fixed.
+	// Right now, it is possible for authenticated and unauthenticated users to
+	// hold open HTTP2 connections and consume huge amounts of memory.
+	// See:
+	// * https://github.com/kubernetes/kubernetes/pull/121120
+	// * https://github.com/kubernetes/kubernetes/issues/121197
+	// * https://github.com/golang/go/issues/63417#issuecomment-1758858612
+	EnableHTTP2 bool
 }
 
 // Operation is the verb being operated on
@@ -219,11 +230,18 @@ func (wh *Webhook) Run(stop <-chan struct{}) error {
 		QuietPeriod: wh.Options.GracePeriod,
 	}
 
+	// If TLSNextProto is not nil, HTTP/2 support is not enabled automatically.
+	nextProto := map[string]func(*http.Server, *tls.Conn, http.Handler){}
+	if wh.Options.EnableHTTP2 {
+		nextProto = nil
+	}
+
 	server := &http.Server{
 		Handler:           drainer,
 		Addr:              fmt.Sprint(":", wh.Options.Port),
 		TLSConfig:         wh.tlsConfig,
 		ReadHeaderTimeout: time.Minute, //https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6
+		TLSNextProto:      nextProto,
 	}
 
 	eg, ctx := errgroup.WithContext(ctx)

vendor/knative.dev/reconciler-test/pkg/environment/namespace.go

@@ -122,12 +122,26 @@ func (mr *MagicEnvironment) CreateNamespaceIfNeeded() error {
 			return fmt.Errorf("error copying the image pull Secret: %s", err)
 		}
 
-		_, err = c.CoreV1().ServiceAccounts(mr.namespace).Patch(context.Background(), sa.Name, types.StrategicMergePatchType,
-			[]byte(`{"imagePullSecrets":[{"name":"`+mr.imagePullSecretName+`"}]}`), metav1.PatchOptions{})
+		for _, secret := range sa.ImagePullSecrets {
+			if secret.Name == mr.imagePullSecretName {
+				return nil
+			}
+		}
+
+		// Prevent overwriting existing imagePullSecrets
+		patch := `[{"op":"add","path":"/imagePullSecrets/-","value":{"name":"` + mr.imagePullSecretName + `"}}]`
+		if len(sa.ImagePullSecrets) == 0 {
+			patch = `[{"op":"add","path":"/imagePullSecrets","value":[{"name":"` + mr.imagePullSecretName + `"}]}]`
+		}
+
+		_, err = c.CoreV1().ServiceAccounts(mr.namespace).Patch(context.Background(), sa.Name, types.JSONPatchType,
+			[]byte(patch), metav1.PatchOptions{})
 		if err != nil {
-			return fmt.Errorf("patch failed on NS/SA (%s/%s): %s", mr.namespace, sa.Name, err)
+			return fmt.Errorf("patch failed on NS/SA (%s/%s): %w",
+				mr.namespace, sa.Name, err)
 		}
 	}
+
 	return nil
 }
 

vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/100-sa.yaml

@@ -17,3 +17,9 @@ kind: ServiceAccount
 metadata:
   name: {{ .name }}
   namespace: {{ .namespace }}
+{{ if .withPullSecrets }}
+imagePullSecrets:
+  {{ range $_, $value := .withPullSecrets.secrets }}
+  - name: {{ $value }}
+  {{ end }}
+{{ end }}

vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/rbac.go

@@ -21,6 +21,9 @@ import (
 	"embed"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kubeclient "knative.dev/pkg/client/injection/kube/client"
+	"knative.dev/reconciler-test/pkg/environment"
 
 	"knative.dev/reconciler-test/pkg/feature"
 	"knative.dev/reconciler-test/pkg/manifest"
@@ -30,11 +33,33 @@ import (
 var templates embed.FS
 
 // Install creates the necessary ServiceAccount, Role, RoleBinding for the eventshub.
-// The resources are named according to the current namespace defined in the environment.
 func Install(cfg map[string]interface{}) feature.StepFn {
 	return func(ctx context.Context, t feature.T) {
+		WithPullSecrets(ctx, t)(cfg)
 		if _, err := manifest.InstallYamlFS(ctx, templates, cfg); err != nil && !apierrors.IsAlreadyExists(err) {
 			t.Fatal(err)
 		}
 	}
 }
+
+func WithPullSecrets(ctx context.Context, t feature.T) manifest.CfgFn {
+	namespace := environment.FromContext(ctx).Namespace()
+	serviceAccount, err := kubeclient.Get(ctx).CoreV1().ServiceAccounts(namespace).Get(ctx, "default", metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Failed to read default SA in %s namespace: %v", namespace, err)
+	}
+
+	return func(cfg map[string]interface{}) {
+		if len(serviceAccount.ImagePullSecrets) == 0 {
+			return
+		}
+		if _, set := cfg["withPullSecrets"]; !set {
+			cfg["withPullSecrets"] = map[string]interface{}{}
+		}
+		withPullSecrets := cfg["withPullSecrets"].(map[string]interface{})
+		withPullSecrets["secrets"] = []string{}
+		for _, secret := range serviceAccount.ImagePullSecrets {
+			withPullSecrets["secrets"] = append(withPullSecrets["secrets"].([]string), secret.Name)
+		}
+	}
+}

vendor/knative.dev/reconciler-test/pkg/feature/feature.go

@@ -227,6 +227,8 @@ func DeleteResources(ctx context.Context, t T, refs []corev1.ObjectReference) er
 		}
 	}
 
+	var lastResource corev1.ObjectReference // One still present resource
+
 	err := wait.Poll(time.Second, 4*time.Minute, func() (bool, error) {
 		for _, ref := range refs {
 			gv, err := schema.ParseGroupVersion(ref.APIVersion)
@@ -248,13 +250,15 @@ func DeleteResources(ctx context.Context, t T, refs []corev1.ObjectReference) er
 				return false, fmt.Errorf("failed to get resource %+v %s/%s: %w", resource, ref.Namespace, ref.Name, err)
 			}
 
+			lastResource = ref
 			t.Logf("Resource %+v %s/%s still present", resource, ref.Namespace, ref.Name)
 			return false, nil
 		}
 
 		return true, nil
 	})
 	if err != nil {
+		LogReferences(lastResource)(ctx, t)
 		return fmt.Errorf("failed to wait for resources to be deleted: %v", err)
 	}
 

vendor/knative.dev/reconciler-test/pkg/feature/logging.go

@@ -26,6 +26,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"knative.dev/pkg/apis"
+	kubeclient "knative.dev/pkg/client/injection/kube/client"
 	"knative.dev/pkg/injection/clients/dynamicclient"
 )
 
@@ -62,13 +63,26 @@ func logReference(ref corev1.ObjectReference) StepFn {
 			return
 		}
 
-		b, err := json.MarshalIndent(r, "", " ")
+		b, err := json.MarshalIndent(r, "", "  ")
 		if err != nil {
 			t.Logf("Failed to marshal %s: %v\n", resourceStr, err)
 			return
 		}
 
-		t.Logf("%s\n%s", resourceStr, string(b))
+		// Get events for the given resource
+		events, _ := kubeclient.Get(ctx).EventsV1().
+			Events(ref.Namespace).
+			List(ctx, metav1.ListOptions{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       ref.Kind,
+					APIVersion: ref.APIVersion,
+				},
+				FieldSelector: fmt.Sprintf("involvedObject.name=%s", ref.Name),
+				Limit:         50,
+			})
+		eBytes, _ := json.MarshalIndent(events, "", "  ")
+
+		t.Logf("%s\n%s\nEvents:\n%s\n", resourceStr, string(b), string(eBytes))
 
 		// Recursively log owners
 		for _, or := range r.GetOwnerReferences() {

vendor/modules.txt

@@ -1052,7 +1052,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/eventing v0.37.3
+# knative.dev/eventing v0.37.4
 ## explicit; go 1.19
 knative.dev/eventing/cmd/heartbeats
 knative.dev/eventing/pkg/adapter/v2
@@ -1156,7 +1156,7 @@ knative.dev/eventing/test/test_images/print
 # knative.dev/hack v0.0.0-20230417170854-f591fea109b3
 ## explicit; go 1.18
 knative.dev/hack
-# knative.dev/pkg v0.0.0-20231011201526-df28feae6d34
+# knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f
 ## explicit; go 1.18
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck
@@ -1261,7 +1261,7 @@ knative.dev/pkg/webhook/json
 knative.dev/pkg/webhook/resourcesemantics
 knative.dev/pkg/webhook/resourcesemantics/defaulting
 knative.dev/pkg/webhook/resourcesemantics/validation
-# knative.dev/reconciler-test v0.0.0-20230928102338-4ae7322c84fa
+# knative.dev/reconciler-test v0.0.0-20231023114053-616ce2cecb19
 ## explicit; go 1.18
 knative.dev/reconciler-test/cmd/eventshub
 knative.dev/reconciler-test/pkg/environment