upgrade to latest dependencies (#442)

bumping knative.dev/networking 0b998c1...e5d04e8:%0A  > e5d04e8 upgrade to latest dependencies (# 796)%0A  > 62fd5d0 Update actions (# 793)%0A  > b77b4a6 Bump Go version in github action (# 795)%0A  > 750a9e4 Update community files (# 792)%0A  > 62b7e26 Update actions (# 789)%0A  > 366f276 upgrade to latest dependencies (# 788)%0A  > fb58275 Update community files (# 790)%0Abumping knative.dev/eventing d35f808...034bec9:%0A  > 034bec9 [main] Upgrade to latest dependencies (# 6888)%0A  > 4c2a3aa Bump Go to 1.20 in GH workflows (# 6882)%0A  > 825a2b5 Create Cert-Manager resources (# 6849)%0A  > 193f2df Eventing TLS: support `K_CA_CERTS` in adapter/v2 (# 6848)%0A  > cc3d254 [main] Upgrade to latest dependencies (# 6863)%0A  > 81f8e67 Fix ChannelChain test lifecyle (# 6862)%0A  > d7fe38f [main] Upgrade to latest dependencies (# 6860)%0A  > a5b4810 [main] Update actions (# 6858)%0A  > 43a2554 [main] Upgrade to latest dependencies (# 6855)%0A  > cf7ee9c [main] Update actions (# 6853)%0A  > d2eaff5 [main] Update community files (# 6856)%0A  > c59bd1f Eventing TLS: Install Cert Manager as part of the test setup phase (# 6850)%0Abumping knative.dev/serving 96b84bd...2c1bb07:%0A  > 2c1bb07 Update net-kourier nightly (# 13919)%0A  > 0637cdf Update net-contour nightly (# 13918)%0A  > 08bedbe Update net-gateway-api nightly (# 13917)%0A  > e39c429 Update net-istio nightly (# 13916)%0A  > 10ed0f8 Update net-certmanager nightly (# 13915)%0A  > 84fa64c Update data-plane Secrets  (# 13859)%0A  > 22783d6 Deployment probe fixes (# 13885)%0A  > 113616b add support for downwardAPI in projected volumes (# 13896)%0A  > 55f8dd7 upgrade to latest dependencies (# 13912)%0A  > b2a416f Update net-gateway-api nightly (# 13907)%0A  > 91ac3b3 Update net-certmanager nightly (# 13904)%0A  > 787ac48 Update net-istio nightly (# 13902)%0A  > d315f71 Update net-contour nightly (# 13903)%0A  > b38ef3a Update net-istio nightly (# 13899)%0A  > b9b9d13 Update net-contour nightly (# 13900)%0A  > 9530fe9 Update net-certmanager nightly (# 13897)%0A  > 12bd205 Update net-kourier nightly (# 13898)%0A  > 4db179f upgrade to latest dependencies (# 13895)%0A  > 0c8f091 Update net-gateway-api nightly (# 13894)%0A  > f83732d Update net-kourier nightly (# 13893)%0A  > 87af840 upgrade to latest dependencies (# 13891)%0A  > 171cecd change mininum TLS version for tag to digest resolution (# 13886)%0A  > ef58d9b Update net-contour nightly (# 13881)%0A  > 842c516 Update net-istio nightly (# 13883)%0A  > cb946ff Update net-certmanager nightly (# 13882)%0A  > d0eea80 Update net-gateway-api nightly (# 13880)%0A  > c377269 Update actions (# 13879)%0A  > 018c7f8 Update net-kourier nightly (# 13871)%0A  > 235e7f1 Update net-contour nightly (# 13870)%0A  > 29089ce Update net-gateway-api nightly (# 13873)%0A  > f87c4d7 Update net-istio nightly (# 13872)%0A  > a96e2c5 upgrade to latest dependencies (# 13875)%0A  > e363b61 Update net-certmanager nightly (# 13874)%0A  > 9af99e5 Load certificate when they are updated when internal-encryption is enabled (# 13854)%0A  > 3efe96d Update community files (# 13868)%0A  > 944e8e0 Update net-kourier nightly (# 13864)%0A  > 4d85bc0 Update net-contour nightly (# 13865)%0Abumping knative.dev/hack 9153cc6...f591fea:%0A  > f591fea individual globbing is required (# 284)%0A  > 4b3f230 Update community files (# 283)%0Abumping knative.dev/pkg ef19121...dfad48e:%0A  > dfad48e upgrade to latest dependencies (# 2728)%0A  > 53f04b3 Make minimum TLS version configurable for webhooks (# 2721)%0A  > ce10b06 Update actions (# 2726)%0A  > d3d7625 Update community files (# 2724)%0A  > 166893c upgrade to latest dependencies (# 2719)

Signed-off-by: Knative Automation <[email protected]>

go.mod

@@ -13,10 +13,10 @@ require (
 	k8s.io/api v0.25.4
 	k8s.io/apimachinery v0.25.4
 	k8s.io/client-go v0.25.4
-	knative.dev/eventing v0.36.1-0.20230411131148-d35f8086dda7
-	knative.dev/hack v0.0.0-20230411013550-9153cc618c1f
-	knative.dev/pkg v0.0.0-20230411013349-ef19121ff3df
-	knative.dev/serving v0.36.1-0.20230411130248-96b84bdbff7f
+	knative.dev/eventing v0.37.0
+	knative.dev/hack v0.0.0-20230417170854-f591fea109b3
+	knative.dev/pkg v0.0.0-20230418073056-dfad48eaa5d0
+	knative.dev/serving v0.37.0
 )
 
 require (
@@ -103,7 +103,7 @@ require (
 	k8s.io/klog/v2 v2.80.2-0.20221028030830-9ae4992afb54 // indirect
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
 	k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 // indirect
-	knative.dev/networking v0.0.0-20230404133438-0b998c1bdcef // indirect
+	knative.dev/networking v0.0.0-20230419144338-e5d04e805e50 // indirect
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect

go.sum

@@ -1020,16 +1020,16 @@ k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+O
 k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.36.1-0.20230411131148-d35f8086dda7 h1:fyfr8AQS5O/Eh1n6aMrKolO8rljFuiaWhXgzGUr+XsI=
-knative.dev/eventing v0.36.1-0.20230411131148-d35f8086dda7/go.mod h1:vEQ32TrhYNoafRkuw4wxIyb5wSQ65yfejCfS611jmI8=
-knative.dev/hack v0.0.0-20230411013550-9153cc618c1f h1:KPAIuFU5+u4CLS1B21QqqMYv4SScOipH7U2O8cbuAwE=
-knative.dev/hack v0.0.0-20230411013550-9153cc618c1f/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/networking v0.0.0-20230404133438-0b998c1bdcef h1:S8gCH6+4tvqF8Ond1U9rBbthoRci59eOBqY8HI46uq0=
-knative.dev/networking v0.0.0-20230404133438-0b998c1bdcef/go.mod h1:V2ZPhM1LH+4J/rqoI6Dlt1qX6ac15uFZXkaLBlILeHU=
-knative.dev/pkg v0.0.0-20230411013349-ef19121ff3df h1:G5kuFGA167KLF6W943zW2HpKhJJ3750x0ZUFNBfHkrM=
-knative.dev/pkg v0.0.0-20230411013349-ef19121ff3df/go.mod h1:EQk8+qkZ8fMtrDYOOb9e9xMQG29N+L54iXBCfNXRm90=
-knative.dev/serving v0.36.1-0.20230411130248-96b84bdbff7f h1:nCwEGq5bSpdB/C3IbBYjGWjT0tN3Faf4iLdqkESkE+w=
-knative.dev/serving v0.36.1-0.20230411130248-96b84bdbff7f/go.mod h1:mQAOTzNVLUUjWHMOFluHcYxFTFwgGZxJiMWLP2FZADw=
+knative.dev/eventing v0.37.0 h1:OtX8B9nvUSTNcbbpoNFDyeGaGU/5+aetj94i6oATpQU=
+knative.dev/eventing v0.37.0/go.mod h1:62baPXiw5GPpPyV3f0GF64X7tOjc5x9cg64RAh1gjs4=
+knative.dev/hack v0.0.0-20230417170854-f591fea109b3 h1:+W4WBOq83tfGXKhtv8OB/uJeYqze3zh69GKiz1ucuqk=
+knative.dev/hack v0.0.0-20230417170854-f591fea109b3/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
+knative.dev/networking v0.0.0-20230419144338-e5d04e805e50 h1:X9rPBYr7Vrm075q0iXTr7/0oklkYoyqvlnrUwNzcUhI=
+knative.dev/networking v0.0.0-20230419144338-e5d04e805e50/go.mod h1:o2MyGpGfU5DoSAWCE2f/jnSC9GjGOplCslbA99yDkGo=
+knative.dev/pkg v0.0.0-20230418073056-dfad48eaa5d0 h1:EFQcoUo8I4bc+U3y6tR1B3ONYZSHWUdAfI7Vh7dae8g=
+knative.dev/pkg v0.0.0-20230418073056-dfad48eaa5d0/go.mod h1:2qWPP9Gjh9Q7ETti+WRHnBnGCSCq+6q7m3p/nmUQviE=
+knative.dev/serving v0.37.0 h1:hp/HconGRzv0kh2az9I/af1K1DY3NG3zcyiVc2rHyOk=
+knative.dev/serving v0.37.0/go.mod h1:v0Xbfp7olb0Gljm5l4qNuLsIf8/2p1rIt/mphxvx1z0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

vendor/knative.dev/eventing/pkg/adapter/v2/cloudevents.go

@@ -31,11 +31,11 @@ import (
 	"github.com/cloudevents/sdk-go/v2/protocol"
 	"github.com/cloudevents/sdk-go/v2/protocol/http"
 	"go.opencensus.io/plugin/ochttp"
-
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/tracing/propagation/tracecontextb3"
 
 	"knative.dev/eventing/pkg/adapter/v2/util/crstatusevent"
+	"knative.dev/eventing/pkg/eventingtls"
 	"knative.dev/eventing/pkg/metrics/source"
 	obsclient "knative.dev/eventing/pkg/observability/client"
 )
@@ -92,8 +92,25 @@ func newCloudEventsClientCRStatus(env EnvConfigAccessor, ceOverrides *duckv1.Clo
 		if sinkWait := env.GetSinktimeout(); sinkWait > 0 {
 			pOpts = append(pOpts, setTimeOut(time.Duration(sinkWait)*time.Second))
 		}
-		var err error
+		if caCerts := env.GetCACerts(); (caCerts != nil && *caCerts != "") && eventingtls.IsHttpsSink(env.GetSink()) {
+			var err error
+
+			clientConfig := eventingtls.NewDefaultClientConfig()
+			clientConfig.CACerts = caCerts
+
+			transport := nethttp.DefaultTransport.(*nethttp.Transport).Clone()
+			transport.TLSClientConfig, err = eventingtls.GetTLSClientConfig(clientConfig)
+			if err != nil {
+				return nil, err
+			}
+
+			pOpts = append(pOpts, http.WithRoundTripper(&ochttp.Transport{
+				Base:        transport,
+				Propagation: tracecontextb3.TraceContextEgress,
+			}))
+		}
 		if ceOverrides == nil {
+			var err error
 			ceOverrides, err = env.GetCloudEventOverrides()
 			if err != nil {
 				return nil, err

vendor/knative.dev/eventing/pkg/adapter/v2/config.go

@@ -65,6 +65,11 @@ type EnvConfig struct {
 	// Sink is the URI messages will be sent.
 	Sink string `envconfig:"K_SINK"`
 
+	// CACerts are the Certification Authority (CA) certificates in PEM format
+	// according to https://www.rfc-editor.org/rfc/rfc7468.
+	// +optional
+	CACerts *string `envconfig:"K_CA_CERTS"`
+
 	// CEOverrides are the CloudEvents overrides to be applied to the outbound event.
 	CEOverrides string `envconfig:"K_CE_OVERRIDES"`
 
@@ -104,6 +109,9 @@ type EnvConfigAccessor interface {
 	// Get the URI where messages will be forwarded to.
 	GetSink() string
 
+	// GetCACerts gets the CACerts of the Sink.
+	GetCACerts() *string
+
 	// Get the namespace of the adapter.
 	GetNamespace() string
 
@@ -163,6 +171,10 @@ func (e *EnvConfig) GetSink() string {
 	return e.Sink
 }
 
+func (e *EnvConfig) GetCACerts() *string {
+	return e.CACerts
+}
+
 func (e *EnvConfig) GetNamespace() string {
 	return e.Namespace
 }

vendor/knative.dev/eventing/pkg/eventingtls/eventingtls.go

@@ -0,0 +1,197 @@
+/*
+Copyright 2023 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package eventingtls
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"strings"
+	"sync/atomic"
+
+	"go.uber.org/zap"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	coreinformersv1 "k8s.io/client-go/informers/core/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/cache"
+	"knative.dev/pkg/apis"
+	"knative.dev/pkg/controller"
+	"knative.dev/pkg/logging"
+)
+
+const (
+	// TLSKey is the key in the TLS secret for the private key of TLS servers
+	TLSKey = "tls.key"
+	// TLSCrt is the key in the TLS secret for the public key of TLS servers
+	TLSCrt = "tls.crt"
+	// DefaultMinTLSVersion is the default minimum TLS version for servers and clients.
+	DefaultMinTLSVersion = tls.VersionTLS12
+)
+
+type ClientConfig struct {
+	// CACerts are Certification Authority (CA) certificates in PEM format
+	// according to https://www.rfc-editor.org/rfc/rfc7468.
+	CACerts *string
+}
+
+type ServerConfig struct {
+	// GetCertificate returns a Certificate based on the given
+	// ClientHelloInfo. It will only be called if the client supplies SNI
+	// information or if Certificates is empty.
+	//
+	// If GetCertificate is nil or returns nil, then the certificate is
+	// retrieved from NameToCertificate. If NameToCertificate is nil, the
+	// best element of Certificates will be used.
+	GetCertificate func(*tls.ClientHelloInfo) (*tls.Certificate, error)
+}
+
+// GetCertificate returns a Certificate based on the given
+// ClientHelloInfo. It will only be called if the client supplies SNI
+// information or if Certificates is empty.
+//
+// If GetCertificate is nil or returns nil, then the certificate is
+// retrieved from NameToCertificate. If NameToCertificate is nil, the
+// best element of Certificates will be used.
+type GetCertificate func(*tls.ClientHelloInfo) (*tls.Certificate, error)
+
+// GetCertificateFromSecret returns a GetCertificate function that will automatically return
+// the latest certificate that is present in the provided secret.
+//
+// The secret is expected to have at least 2 keys in data: see TLSKey and TLSCrt constants for
+// knowing the key names.
+func GetCertificateFromSecret(ctx context.Context, informer coreinformersv1.SecretInformer, kube kubernetes.Interface, secret types.NamespacedName) GetCertificate {
+
+	certHolder := atomic.Value{}
+
+	logger := logging.FromContext(ctx).Desugar().
+		With(zap.String("tls.secret", secret.String()))
+
+	store := func(obj interface{}) {
+		s, ok := obj.(*corev1.Secret)
+		if !ok {
+			return
+		}
+		crt, crtOk := s.Data[TLSCrt]
+		key, keyOk := s.Data[TLSKey]
+		if !crtOk || !keyOk {
+			logger.Debug("Missing " + TLSCrt + " or " + TLSKey + " in the secret.data")
+			return
+		}
+
+		logger.Debug("Loading key pair")
+
+		certificate, err := tls.X509KeyPair(crt, key)
+		if err != nil {
+			logger.Error("Failed to create x.509 key pair", zap.Error(err))
+			return
+		}
+
+		logger.Debug("certificate stored")
+		certHolder.Store(&certificate)
+	}
+
+	informer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
+		FilterFunc: controller.FilterWithNameAndNamespace(secret.Namespace, secret.Name),
+		Handler: cache.ResourceEventHandlerFuncs{
+			AddFunc: store,
+			UpdateFunc: func(_, newObj interface{}) {
+				store(newObj)
+			},
+			DeleteFunc: nil,
+		},
+	})
+
+	// Store the current value so that we have certHolder initialized.
+	firstValue, err := informer.Lister().Secrets(secret.Namespace).Get(secret.Name)
+	if err != nil {
+		// Try to get the secret from the API Server when the lister failed.
+		firstValue, err = kube.CoreV1().Secrets(secret.Namespace).Get(ctx, secret.Name, metav1.GetOptions{})
+		if err != nil {
+			logger.Fatal(err.Error())
+		}
+	}
+	store(firstValue)
+
+	return func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		cert := certHolder.Load()
+		if cert == nil {
+			return nil, nil
+		}
+		return cert.(*tls.Certificate), nil
+	}
+}
+
+// NewDefaultClientConfig returns a default ClientConfig.
+func NewDefaultClientConfig() ClientConfig {
+	return ClientConfig{}
+}
+
+// GetTLSClientConfig returns tls.Config based on the given ClientConfig.
+func GetTLSClientConfig(config ClientConfig) (*tls.Config, error) {
+	pool, err := certPool(config.CACerts)
+	if err != nil {
+		return nil, err
+	}
+
+	return &tls.Config{
+		RootCAs:    pool,
+		MinVersion: DefaultMinTLSVersion,
+	}, nil
+}
+
+func NewDefaultServerConfig() ServerConfig {
+	return ServerConfig{}
+}
+
+func GetTLSServerConfig(config ServerConfig) (*tls.Config, error) {
+	return &tls.Config{
+		MinVersion:     DefaultMinTLSVersion,
+		GetCertificate: config.GetCertificate,
+	}, nil
+}
+
+// IsHttpsSink returns true if the sink has scheme equal to https.
+func IsHttpsSink(sink string) bool {
+	s, err := apis.ParseURL(sink)
+	if err != nil {
+		return false
+	}
+	return strings.EqualFold(s.Scheme, "https")
+}
+
+// certPool returns a x509.CertPool with the combined certs from:
+// - the system cert pool
+// - the given CA certificates
+func certPool(caCerts *string) (*x509.CertPool, error) {
+	p, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, err
+	}
+
+	if caCerts == nil || *caCerts == "" {
+		return p, nil
+	}
+
+	if ok := p.AppendCertsFromPEM([]byte(*caCerts)); !ok {
+		return p, fmt.Errorf("failed to append CA certs from PEM")
+	}
+
+	return p, nil
+}

vendor/knative.dev/eventing/pkg/kncloudevents/message_receiver.go

@@ -18,6 +18,7 @@ package kncloudevents
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net"
 	"net/http"
@@ -78,6 +79,17 @@ func WithDrainQuietPeriod(duration time.Duration) HTTPMessageReceiverOption {
 	}
 }
 
+// WithTLSConfig configures the TLS config for the receiver.
+func WithTLSConfig(cfg *tls.Config) HTTPMessageReceiverOption {
+	return func(h *HTTPMessageReceiver) {
+		if h.server == nil {
+			h.server = newServer()
+		}
+
+		h.server.TLSConfig = cfg
+	}
+}
+
 // WithWriteTimeout sets the HTTP server's WriteTimeout. It covers the time between end of reading
 // Request Header to end of writing response.
 func WithWriteTimeout(duration time.Duration) HTTPMessageReceiverOption {
@@ -123,7 +135,11 @@ func (recv *HTTPMessageReceiver) StartListen(ctx context.Context, handler http.H
 	errChan := make(chan error, 1)
 	go func() {
 		close(recv.Ready)
-		errChan <- recv.server.Serve(recv.listener)
+		if recv.server.TLSConfig == nil {
+			errChan <- recv.server.Serve(recv.listener)
+		} else {
+			errChan <- recv.server.ServeTLS(recv.listener, "", "")
+		}
 	}()
 
 	// wait for the server to return or ctx.Done().

vendor/knative.dev/hack/release.sh

@@ -51,6 +51,7 @@ function tag_images_in_yamls() {
   local DOCKER_BASE="${KO_DOCKER_REPO}/${REPO_ROOT_DIR/$SRC_DIR}"
   local GEO_REGIONS="${GEO_REPLICATION[@]} "
   echo "Tagging any images under '${DOCKER_BASE}' with ${TAG}"
+  # shellcheck disable=SC2068
   for file in $@; do
     [[ "${file##*.}" != "yaml" ]] && continue
     echo "Inspecting ${file}"
@@ -316,7 +317,8 @@ function build_from_source() {
 function get_images_in_yamls() {
   rm -rf "$IMAGES_REFS_FILE"
   echo "Assembling a list of image refences to sign"
-  for file in "$@"; do
+  # shellcheck disable=SC2068
+  for file in $@; do
     [[ "${file##*.}" != "yaml" ]] && continue
     echo "Inspecting ${file}"
     while read -r image; do
@@ -407,10 +409,11 @@ function sign_release() {
   if [[ -f "$IMAGES_REFS_FILE" ]]; then
     COSIGN_EXPERIMENTAL=1 cosign sign $(cat "$IMAGES_REFS_FILE") \
       --recursive --identity-token="${ID_TOKEN}"
+    cp "${IMAGES_REFS_FILE}" "${ARTIFACTS}"
     if  [ -n "${ATTEST_IMAGES:-}" ]; then # Temporary Feature Gate
       provenance-generator --clone-log=/logs/clone.json \
         --image-refs="$IMAGES_REFS_FILE" --output=attestation.json
-      mkdir -p "${ARTIFACTS}"/attestation && cp attestation.json "${ARTIFACTS}"/attestation
+      mkdir -p "${ARTIFACTS}" && cp attestation.json "${ARTIFACTS}"
       COSIGN_EXPERIMENTAL=1 cosign attest $(cat "$IMAGES_REFS_FILE") \
         --recursive --identity-token="${ID_TOKEN}" \
         --predicate=attestation.json --type=slsaprovenance