From 562735c96fcd6206449c77df15c937117e709d41 Mon Sep 17 00:00:00 2001 
From: knative-automation Date: Wed, 26 Apr 2023 03:09:46 -0400 Subject: [PATCH] upgrade to latest dependencies (#442) bumping knative.dev/networking 0b998c1...e5d04e8:%0A > e5d04e8 upgrade to latest dependencies (# 796)%0A > 62fd5d0 Update actions (# 793)%0A > b77b4a6 Bump Go version in github action (# 795)%0A > 750a9e4 Update community files (# 792)%0A > 62b7e26 Update actions (# 789)%0A > 366f276 upgrade to latest dependencies (# 788)%0A > fb58275 Update community files (# 790)%0Abumping knative.dev/eventing d35f808...034bec9:%0A > 034bec9 [main] Upgrade to latest dependencies (# 6888)%0A > 4c2a3aa Bump Go to 1.20 in GH workflows (# 6882)%0A > 825a2b5 Create Cert-Manager resources (# 6849)%0A > 193f2df Eventing TLS: support `K_CA_CERTS` in adapter/v2 (# 6848)%0A > cc3d254 [main] Upgrade to latest dependencies (# 6863)%0A > 81f8e67 Fix ChannelChain test lifecyle (# 6862)%0A > d7fe38f [main] Upgrade to latest dependencies (# 6860)%0A > a5b4810 [main] Update actions (# 6858)%0A > 43a2554 [main] Upgrade to latest dependencies (# 6855)%0A > cf7ee9c [main] Update actions (# 6853)%0A > d2eaff5 [main] Update community files (# 6856)%0A > c59bd1f Eventing TLS: Install Cert Manager as part of the test setup phase (# 6850)%0Abumping knative.dev/serving 96b84bd...2c1bb07:%0A > 2c1bb07 Update net-kourier nightly (# 13919)%0A > 0637cdf Update net-contour nightly (# 13918)%0A > 08bedbe Update net-gateway-api nightly (# 13917)%0A > e39c429 Update net-istio nightly (# 13916)%0A > 10ed0f8 Update net-certmanager nightly (# 13915)%0A > 84fa64c Update data-plane Secrets (# 13859)%0A > 22783d6 Deployment probe fixes (# 13885)%0A > 113616b add support for downwardAPI in projected volumes (# 13896)%0A > 55f8dd7 upgrade to latest dependencies (# 13912)%0A > b2a416f Update net-gateway-api nightly (# 13907)%0A > 91ac3b3 Update net-certmanager nightly (# 13904)%0A > 787ac48 Update net-istio nightly (# 13902)%0A > d315f71 Update net-contour nightly (# 13903)%0A > b38ef3a Update net-istio 
nightly (# 13899)%0A > b9b9d13 Update net-contour nightly (# 13900)%0A > 9530fe9 Update net-certmanager nightly (# 13897)%0A > 12bd205 Update net-kourier nightly (# 13898)%0A > 4db179f upgrade to latest dependencies (# 13895)%0A > 0c8f091 Update net-gateway-api nightly (# 13894)%0A > f83732d Update net-kourier nightly (# 13893)%0A > 87af840 upgrade to latest dependencies (# 13891)%0A > 171cecd change mininum TLS version for tag to digest resolution (# 13886)%0A > ef58d9b Update net-contour nightly (# 13881)%0A > 842c516 Update net-istio nightly (# 13883)%0A > cb946ff Update net-certmanager nightly (# 13882)%0A > d0eea80 Update net-gateway-api nightly (# 13880)%0A > c377269 Update actions (# 13879)%0A > 018c7f8 Update net-kourier nightly (# 13871)%0A > 235e7f1 Update net-contour nightly (# 13870)%0A > 29089ce Update net-gateway-api nightly (# 13873)%0A > f87c4d7 Update net-istio nightly (# 13872)%0A > a96e2c5 upgrade to latest dependencies (# 13875)%0A > e363b61 Update net-certmanager nightly (# 13874)%0A > 9af99e5 Load certificate when they are updated when internal-encryption is enabled (# 13854)%0A > 3efe96d Update community files (# 13868)%0A > 944e8e0 Update net-kourier nightly (# 13864)%0A > 4d85bc0 Update net-contour nightly (# 13865)%0Abumping knative.dev/hack 9153cc6...f591fea:%0A > f591fea individual globbing is required (# 284)%0A > 4b3f230 Update community files (# 283)%0Abumping knative.dev/pkg ef19121...dfad48e:%0A > dfad48e upgrade to latest dependencies (# 2728)%0A > 53f04b3 Make minimum TLS version configurable for webhooks (# 2721)%0A > ce10b06 Update actions (# 2726)%0A > d3d7625 Update community files (# 2724)%0A > 166893c upgrade to latest dependencies (# 2719) 
Signed-off-by: Knative Automation --- go.mod | 10 +- go.sum | 20 +- .../eventing/pkg/adapter/v2/cloudevents.go | 21 +- .../eventing/pkg/adapter/v2/config.go | 12 ++ .../eventing/pkg/eventingtls/eventingtls.go | 197 ++++++++++++++++++ .../pkg/kncloudevents/message_receiver.go | 18 +- vendor/knative.dev/hack/release.sh | 7 +- .../pkg/metrics/opencensus_exporter.go | 2 +- vendor/knative.dev/pkg/webhook/env.go | 16 ++ vendor/knative.dev/pkg/webhook/webhook.go | 13 +- .../serving/pkg/apis/serving/fieldmask.go | 39 +++- .../pkg/apis/serving/k8s_validation.go | 28 ++- .../serving/pkg/networking/constants.go | 4 +- vendor/modules.txt | 13 +- 14 files changed, 366 insertions(+), 34 deletions(-) create mode 100644 vendor/knative.dev/eventing/pkg/eventingtls/eventingtls.go diff --git a/go.mod b/go.mod index ca28be377..c6e1167f1 100644 --- a/go.mod +++ b/go.mod @@ -13,10 +13,10 @@ require ( k8s.io/api v0.25.4 k8s.io/apimachinery v0.25.4 k8s.io/client-go v0.25.4 - knative.dev/eventing v0.36.1-0.20230411131148-d35f8086dda7 - knative.dev/hack v0.0.0-20230411013550-9153cc618c1f - knative.dev/pkg v0.0.0-20230411013349-ef19121ff3df - knative.dev/serving v0.36.1-0.20230411130248-96b84bdbff7f + knative.dev/eventing v0.37.0 + knative.dev/hack v0.0.0-20230417170854-f591fea109b3 + knative.dev/pkg v0.0.0-20230418073056-dfad48eaa5d0 + knative.dev/serving v0.37.0 ) require ( @@ -103,7 +103,7 @@ require ( k8s.io/klog/v2 v2.80.2-0.20221028030830-9ae4992afb54 // indirect k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 // indirect - knative.dev/networking v0.0.0-20230404133438-0b998c1bdcef // indirect + knative.dev/networking v0.0.0-20230419144338-e5d04e805e50 // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect diff --git a/go.sum b/go.sum index 4bba1ce7b..a7b4e2b92 100644 --- a/go.sum +++ b/go.sum 
@@ -1020,16 +1020,16 @@ k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+O k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8= k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -knative.dev/eventing v0.36.1-0.20230411131148-d35f8086dda7 h1:fyfr8AQS5O/Eh1n6aMrKolO8rljFuiaWhXgzGUr+XsI= -knative.dev/eventing v0.36.1-0.20230411131148-d35f8086dda7/go.mod h1:vEQ32TrhYNoafRkuw4wxIyb5wSQ65yfejCfS611jmI8= -knative.dev/hack v0.0.0-20230411013550-9153cc618c1f h1:KPAIuFU5+u4CLS1B21QqqMYv4SScOipH7U2O8cbuAwE= -knative.dev/hack v0.0.0-20230411013550-9153cc618c1f/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= -knative.dev/networking v0.0.0-20230404133438-0b998c1bdcef h1:S8gCH6+4tvqF8Ond1U9rBbthoRci59eOBqY8HI46uq0= -knative.dev/networking v0.0.0-20230404133438-0b998c1bdcef/go.mod h1:V2ZPhM1LH+4J/rqoI6Dlt1qX6ac15uFZXkaLBlILeHU= -knative.dev/pkg v0.0.0-20230411013349-ef19121ff3df h1:G5kuFGA167KLF6W943zW2HpKhJJ3750x0ZUFNBfHkrM= -knative.dev/pkg v0.0.0-20230411013349-ef19121ff3df/go.mod h1:EQk8+qkZ8fMtrDYOOb9e9xMQG29N+L54iXBCfNXRm90= -knative.dev/serving v0.36.1-0.20230411130248-96b84bdbff7f h1:nCwEGq5bSpdB/C3IbBYjGWjT0tN3Faf4iLdqkESkE+w= -knative.dev/serving v0.36.1-0.20230411130248-96b84bdbff7f/go.mod h1:mQAOTzNVLUUjWHMOFluHcYxFTFwgGZxJiMWLP2FZADw= +knative.dev/eventing v0.37.0 h1:OtX8B9nvUSTNcbbpoNFDyeGaGU/5+aetj94i6oATpQU= +knative.dev/eventing v0.37.0/go.mod h1:62baPXiw5GPpPyV3f0GF64X7tOjc5x9cg64RAh1gjs4= +knative.dev/hack v0.0.0-20230417170854-f591fea109b3 h1:+W4WBOq83tfGXKhtv8OB/uJeYqze3zh69GKiz1ucuqk= +knative.dev/hack v0.0.0-20230417170854-f591fea109b3/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= +knative.dev/networking v0.0.0-20230419144338-e5d04e805e50 h1:X9rPBYr7Vrm075q0iXTr7/0oklkYoyqvlnrUwNzcUhI= +knative.dev/networking 
v0.0.0-20230419144338-e5d04e805e50/go.mod h1:o2MyGpGfU5DoSAWCE2f/jnSC9GjGOplCslbA99yDkGo= +knative.dev/pkg v0.0.0-20230418073056-dfad48eaa5d0 h1:EFQcoUo8I4bc+U3y6tR1B3ONYZSHWUdAfI7Vh7dae8g= +knative.dev/pkg v0.0.0-20230418073056-dfad48eaa5d0/go.mod h1:2qWPP9Gjh9Q7ETti+WRHnBnGCSCq+6q7m3p/nmUQviE= +knative.dev/serving v0.37.0 h1:hp/HconGRzv0kh2az9I/af1K1DY3NG3zcyiVc2rHyOk= +knative.dev/serving v0.37.0/go.mod h1:v0Xbfp7olb0Gljm5l4qNuLsIf8/2p1rIt/mphxvx1z0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= diff --git a/vendor/knative.dev/eventing/pkg/adapter/v2/cloudevents.go b/vendor/knative.dev/eventing/pkg/adapter/v2/cloudevents.go index 6ecc37f53..dae960b5e 100644 --- a/vendor/knative.dev/eventing/pkg/adapter/v2/cloudevents.go +++ b/vendor/knative.dev/eventing/pkg/adapter/v2/cloudevents.go @@ -31,11 +31,11 @@ import ( "github.com/cloudevents/sdk-go/v2/protocol" "github.com/cloudevents/sdk-go/v2/protocol/http" "go.opencensus.io/plugin/ochttp" - duckv1 "knative.dev/pkg/apis/duck/v1" "knative.dev/pkg/tracing/propagation/tracecontextb3" "knative.dev/eventing/pkg/adapter/v2/util/crstatusevent" + "knative.dev/eventing/pkg/eventingtls" "knative.dev/eventing/pkg/metrics/source" obsclient "knative.dev/eventing/pkg/observability/client" ) 
@@ -92,8 +92,25 @@ func newCloudEventsClientCRStatus(env EnvConfigAccessor, ceOverrides *duckv1.Clo if sinkWait := env.GetSinktimeout(); sinkWait > 0 { pOpts = append(pOpts, setTimeOut(time.Duration(sinkWait)*time.Second)) } - var err error + if caCerts := env.GetCACerts(); (caCerts != nil && *caCerts != "") && eventingtls.IsHttpsSink(env.GetSink()) { + var err error + + clientConfig := eventingtls.NewDefaultClientConfig() + clientConfig.CACerts = caCerts + + transport := nethttp.DefaultTransport.(*nethttp.Transport).Clone() + transport.TLSClientConfig, err = eventingtls.GetTLSClientConfig(clientConfig) + if err != nil { + return nil, err + } + + pOpts = append(pOpts, http.WithRoundTripper(&ochttp.Transport{ + Base: transport, + Propagation: tracecontextb3.TraceContextEgress, + })) + } if ceOverrides == nil { + var err error ceOverrides, err = env.GetCloudEventOverrides() if err != nil { return nil, err diff --git a/vendor/knative.dev/eventing/pkg/adapter/v2/config.go b/vendor/knative.dev/eventing/pkg/adapter/v2/config.go index ba499be49..9cfafcd79 100644 --- a/vendor/knative.dev/eventing/pkg/adapter/v2/config.go +++ b/vendor/knative.dev/eventing/pkg/adapter/v2/config.go @@ -65,6 +65,11 @@ type EnvConfig struct { // Sink is the URI messages will be sent. Sink string `envconfig:"K_SINK"` + // CACerts are the Certification Authority (CA) certificates in PEM format + // according to https://www.rfc-editor.org/rfc/rfc7468. + // +optional + CACerts *string `envconfig:"K_CA_CERTS"` + // CEOverrides are the CloudEvents overrides to be applied to the outbound event. CEOverrides string `envconfig:"K_CE_OVERRIDES"` @@ -104,6 +109,9 @@ type EnvConfigAccessor interface { // Get the URI where messages will be forwarded to. GetSink() string + // GetCACerts gets the CACerts of the Sink. + GetCACerts() *string + // Get the namespace of the adapter. GetNamespace() string 
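Review bot: `nethttp.DefaultTransport.(*nethttp.Transport).Clone()` in the new caCerts branch is an unchecked type assertion, so a process that has replaced `nethttp.DefaultTransport` with a wrapping RoundTripper (instrumentation libraries do this) panics here instead of returning an error; `transport, ok := nethttp.DefaultTransport.(*nethttp.Transport)` followed by `if !ok { return nil, fmt.Errorf("default transport is not *http.Transport") }` keeps the failure on the function's normal error path (nethttp is presumably the net/http alias imported above the visible import hunk, and fmt may need adding to that block). Also, when `K_CA_CERTS` is set but the sink is not https, the whole branch is skipped and the certificates are silently ignored while events leave in cleartext; a log line at that point would make the misconfiguration visible, assuming a logger is reachable from this function. newCloudEventsClientCRStatus begins and ends outside the hunk.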
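Review bot: The doc comment on the new `CACerts` field does not say when the value is used; the cloudevents.go hunk in this same patch only applies it when the sink URL has an https scheme, so a reader of config.go alone cannot tell that `K_CA_CERTS` is ignored for http sinks. I would extend the comment with `// Only used when Sink has an https scheme; ignored otherwise.` and mirror that on `GetCACerts` in the EnvConfigAccessor interface. The `GetCACerts` method added in the following hunk (@@ -163) has no doc comment at all; `// GetCACerts returns the CA certificates configured through K_CA_CERTS, or nil.` would do.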
@@ -163,6 +171,10 @@ func (e *EnvConfig) GetSink() string { return e.Sink } +func (e *EnvConfig) GetCACerts() *string { + return e.CACerts +} + func (e *EnvConfig) GetNamespace() string { return e.Namespace } diff --git a/vendor/knative.dev/eventing/pkg/eventingtls/eventingtls.go b/vendor/knative.dev/eventing/pkg/eventingtls/eventingtls.go new file mode 100644 index 000000000..4e394952a --- /dev/null +++ b/vendor/knative.dev/eventing/pkg/eventingtls/eventingtls.go 
@@ -0,0 +1,197 @@ +/* +Copyright 2023 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package eventingtls + +import ( + "context" + "crypto/tls" + "crypto/x509" + "fmt" + "strings" + "sync/atomic" + + "go.uber.org/zap" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + coreinformersv1 "k8s.io/client-go/informers/core/v1" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/tools/cache" + "knative.dev/pkg/apis" + "knative.dev/pkg/controller" + "knative.dev/pkg/logging" +) + +const ( + // TLSKey is the key in the TLS secret for the private key of TLS servers + TLSKey = "tls.key" + // TLSCrt is the key in the TLS secret for the public key of TLS servers + TLSCrt = "tls.crt" + // DefaultMinTLSVersion is the default minimum TLS version for servers and clients. + DefaultMinTLSVersion = tls.VersionTLS12 +) + +type ClientConfig struct { + // CACerts are Certification Authority (CA) certificates in PEM format + // according to https://www.rfc-editor.org/rfc/rfc7468. + CACerts *string +} + +type ServerConfig struct { + // GetCertificate returns a Certificate based on the given + // ClientHelloInfo. It will only be called if the client supplies SNI + // information or if Certificates is empty. + // + // If GetCertificate is nil or returns nil, then the certificate is + // retrieved from NameToCertificate. If NameToCertificate is nil, the + // best element of Certificates will be used. 
+ GetCertificate func(*tls.ClientHelloInfo) (*tls.Certificate, error) +} + +// GetCertificate returns a Certificate based on the given +// ClientHelloInfo. It will only be called if the client supplies SNI +// information or if Certificates is empty. +// +// If GetCertificate is nil or returns nil, then the certificate is +// retrieved from NameToCertificate. If NameToCertificate is nil, the +// best element of Certificates will be used. +type GetCertificate func(*tls.ClientHelloInfo) (*tls.Certificate, error) + +// GetCertificateFromSecret returns a GetCertificate function that will automatically return +// the latest certificate that is present in the provided secret. +// +// The secret is expected to have at least 2 keys in data: see TLSKey and TLSCrt constants for +// knowing the key names. +func GetCertificateFromSecret(ctx context.Context, informer coreinformersv1.SecretInformer, kube kubernetes.Interface, secret types.NamespacedName) GetCertificate { + + certHolder := atomic.Value{} + + logger := logging.FromContext(ctx).Desugar(). 
+ With(zap.String("tls.secret", secret.String())) + + store := func(obj interface{}) { + s, ok := obj.(*corev1.Secret) + if !ok { + return + } + crt, crtOk := s.Data[TLSCrt] + key, keyOk := s.Data[TLSKey] + if !crtOk || !keyOk { + logger.Debug("Missing " + TLSCrt + " or " + TLSKey + " in the secret.data") + return + } + + logger.Debug("Loading key pair") + + certificate, err := tls.X509KeyPair(crt, key) + if err != nil { + logger.Error("Failed to create x.509 key pair", zap.Error(err)) + return + } + + logger.Debug("certificate stored") + certHolder.Store(&certificate) + } + + informer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + FilterFunc: controller.FilterWithNameAndNamespace(secret.Namespace, secret.Name), + Handler: cache.ResourceEventHandlerFuncs{ + AddFunc: store, + UpdateFunc: func(_, newObj interface{}) { + store(newObj) + }, + DeleteFunc: nil, + }, + }) + + // Store the current value so that we have certHolder initialized. + firstValue, err := informer.Lister().Secrets(secret.Namespace).Get(secret.Name) + if err != nil { + // Try to get the secret from the API Server when the lister failed. + firstValue, err = kube.CoreV1().Secrets(secret.Namespace).Get(ctx, secret.Name, metav1.GetOptions{}) + if err != nil { + logger.Fatal(err.Error()) + } + } + store(firstValue) + + return func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { + cert := certHolder.Load() + if cert == nil { + return nil, nil + } + return cert.(*tls.Certificate), nil + } +} + +// NewDefaultClientConfig returns a default ClientConfig. +func NewDefaultClientConfig() ClientConfig { + return ClientConfig{} +} + +// GetTLSClientConfig returns tls.Config based on the given ClientConfig. 
+func GetTLSClientConfig(config ClientConfig) (*tls.Config, error) { + pool, err := certPool(config.CACerts) + if err != nil { + return nil, err + } + + return &tls.Config{ + RootCAs: pool, + MinVersion: DefaultMinTLSVersion, + }, nil +} + +func NewDefaultServerConfig() ServerConfig { + return ServerConfig{} +} + +func GetTLSServerConfig(config ServerConfig) (*tls.Config, error) { + return &tls.Config{ + MinVersion: DefaultMinTLSVersion, + GetCertificate: config.GetCertificate, + }, nil +} + +// IsHttpsSink returns true if the sink has scheme equal to https. +func IsHttpsSink(sink string) bool { + s, err := apis.ParseURL(sink) + if err != nil { + return false + } + return strings.EqualFold(s.Scheme, "https") +} + +// certPool returns a x509.CertPool with the combined certs from: +// - the system cert pool +// - the given CA certificates +func certPool(caCerts *string) (*x509.CertPool, error) { + p, err := x509.SystemCertPool() + if err != nil { + return nil, err + } + + if caCerts == nil || *caCerts == "" { + return p, nil + } + + if ok := p.AppendCertsFromPEM([]byte(*caCerts)); !ok { + return p, fmt.Errorf("failed to append CA certs from PEM") + } + + return p, nil +} diff --git a/vendor/knative.dev/eventing/pkg/kncloudevents/message_receiver.go b/vendor/knative.dev/eventing/pkg/kncloudevents/message_receiver.go index 9632d27bc..8916e4f2c 100644 --- a/vendor/knative.dev/eventing/pkg/kncloudevents/message_receiver.go +++ b/vendor/knative.dev/eventing/pkg/kncloudevents/message_receiver.go @@ -18,6 +18,7 @@ package kncloudevents import ( "context" + "crypto/tls" "fmt" "net" "net/http" 
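Review bot: `GetCertificateFromSecret` registers `DeleteFunc: nil`, so once the secret is deleted the last loaded key pair stays in `certHolder` and keeps being served until the process restarts; the doc comment should state this, e.g. `// Deleting the secret does not unload the certificate; the last successfully loaded key pair remains in use.` In `certPool`, `AppendCertsFromPEM` returns true as soon as one certificate parses, so a bundle in which some PEM blocks are malformed is accepted without any indication; if strictness matters, walk the blocks with `pem.Decode` and reject the input on the first one that fails `x509.ParseCertificate`. The same function merges the supplied CAs into the system pool rather than replacing it, which the `certPool` comment says but `GetTLSClientConfig`'s comment does not, and a caller setting `CACerts` may expect the connection to be trusted only by that CA. `ServerConfig`, `NewDefaultServerConfig` and `GetTLSServerConfig` are exported without doc comments, and `GetTLSServerConfig` returns an error value that is never non-nil.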
@@ -78,6 +79,17 @@ func WithDrainQuietPeriod(duration time.Duration) HTTPMessageReceiverOption { } } +// WithTLSConfig configures the TLS config for the receiver. +func WithTLSConfig(cfg *tls.Config) HTTPMessageReceiverOption { + return func(h *HTTPMessageReceiver) { + if h.server == nil { + h.server = newServer() + } + + h.server.TLSConfig = cfg + } +} + // WithWriteTimeout sets the HTTP server's WriteTimeout. It covers the time between end of reading // Request Header to end of writing response. func WithWriteTimeout(duration time.Duration) HTTPMessageReceiverOption { @@ -123,7 +135,11 @@ func (recv *HTTPMessageReceiver) StartListen(ctx context.Context, handler http.H errChan := make(chan error, 1) go func() { close(recv.Ready) - errChan <- recv.server.Serve(recv.listener) + if recv.server.TLSConfig == nil { + errChan <- recv.server.Serve(recv.listener) + } else { + errChan <- recv.server.ServeTLS(recv.listener, "", "") + } }() // wait for the server to return or ctx.Done(). diff --git a/vendor/knative.dev/hack/release.sh b/vendor/knative.dev/hack/release.sh index 135fa8b7c..5d4f09a89 100644 --- a/vendor/knative.dev/hack/release.sh +++ b/vendor/knative.dev/hack/release.sh @@ -51,6 +51,7 @@ function tag_images_in_yamls() { local DOCKER_BASE="${KO_DOCKER_REPO}/${REPO_ROOT_DIR/$SRC_DIR}" local GEO_REGIONS="${GEO_REPLICATION[@]} " echo "Tagging any images under '${DOCKER_BASE}' with ${TAG}" + # shellcheck disable=SC2068 for file in $@; do [[ "${file##*.}" != "yaml" ]] && continue echo "Inspecting ${file}" @@ -316,7 +317,8 @@ function build_from_source() { function get_images_in_yamls() { rm -rf "$IMAGES_REFS_FILE" echo "Assembling a list of image refences to sign" - for file in "$@"; do + # shellcheck disable=SC2068 + for file in $@; do [[ "${file##*.}" != "yaml" ]] && continue echo "Inspecting ${file}" while read -r image; do 
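Review bot: `WithTLSConfig` does not document that a nil `cfg` leaves the receiver on plain HTTP, which is what `StartListen` now does since it dispatches on `recv.server.TLSConfig == nil`; a caller that builds the config conditionally should know that. I would extend the comment to `// WithTLSConfig configures the TLS config for the receiver. A nil cfg keeps the receiver on plain HTTP; a non-nil cfg must carry Certificates or GetCertificate, because StartListen calls ServeTLS with empty cert and key file names.` The call `recv.server.ServeTLS(recv.listener, "", "")` relies on exactly that, and a config lacking both fails when the server starts rather than when the option is applied; validating inside `WithTLSConfig` would need a different signature, so the documentation is the practical fix. StartListen begins and ends outside the hunk.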
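Review bot: Both release.sh hunks replace `for file in "$@"` with the unquoted `for file in $@` and only silence shellcheck, without recording why word splitting and glob expansion are wanted; anyone who sees SC2068 disabled will read it as a bug, and file names containing whitespace are now split into several words. The bumped hack commit is listed as `individual globbing is required`, which suggests the arguments may be glob patterns that must expand per word, so the disable comment should say so: `# shellcheck disable=SC2068 -- arguments may be glob patterns that must be expanded here`. tag_images_in_yamls and get_images_in_yamls both continue outside the hunks.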
@@ -407,10 +409,11 @@ function sign_release() { if [[ -f "$IMAGES_REFS_FILE" ]]; then COSIGN_EXPERIMENTAL=1 cosign sign $(cat "$IMAGES_REFS_FILE") \ --recursive --identity-token="${ID_TOKEN}" + cp "${IMAGES_REFS_FILE}" "${ARTIFACTS}" if [ -n "${ATTEST_IMAGES:-}" ]; then # Temporary Feature Gate provenance-generator --clone-log=/logs/clone.json \ --image-refs="$IMAGES_REFS_FILE" --output=attestation.json - mkdir -p "${ARTIFACTS}"/attestation && cp attestation.json "${ARTIFACTS}"/attestation + mkdir -p "${ARTIFACTS}" && cp attestation.json "${ARTIFACTS}" COSIGN_EXPERIMENTAL=1 cosign attest $(cat "$IMAGES_REFS_FILE") \ --recursive --identity-token="${ID_TOKEN}" \ --predicate=attestation.json --type=slsaprovenance diff --git a/vendor/knative.dev/pkg/metrics/opencensus_exporter.go b/vendor/knative.dev/pkg/metrics/opencensus_exporter.go index eaeac4a56..59e33ab09 100644 --- a/vendor/knative.dev/pkg/metrics/opencensus_exporter.go +++ b/vendor/knative.dev/pkg/metrics/opencensus_exporter.go @@ -99,7 +99,7 @@ func getCredentials(component string, secret *corev1.Secret, logger *zap.Sugared return nil } return credentials.NewTLS(&tls.Config{ - MinVersion: tls.VersionTLS12, + MinVersion: tls.VersionTLS13, GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { cert, err := tls.X509KeyPair(secret.Data["client-cert.pem"], secret.Data["client-key.pem"]) if err != nil { diff --git a/vendor/knative.dev/pkg/webhook/env.go b/vendor/knative.dev/pkg/webhook/env.go index da8a1bd89..ffb757011 100644 --- a/vendor/knative.dev/pkg/webhook/env.go +++ b/vendor/knative.dev/pkg/webhook/env.go @@ -17,6 +17,7 @@ limitations under the License. package webhook import ( + "crypto/tls" "fmt" "os" "strconv" 
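Review bot: The new `cp "${IMAGES_REFS_FILE}" "${ARTIFACTS}"` runs before the `mkdir -p "${ARTIFACTS}"` that this hunk moves into the attestation block; if `ARTIFACTS` does not exist at that point the copy creates a regular file under that name and the later `mkdir -p` fails, and when `ATTEST_IMAGES` is unset the directory is never created at all. Move the directory creation in front of the copy, `mkdir -p "${ARTIFACTS}" && cp "${IMAGES_REFS_FILE}" "${ARTIFACTS}"`, and drop it from the attestation branch; this assumes nothing earlier in sign_release creates the directory, which the hunk does not show. sign_release continues outside the hunk.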
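Review bot: Raising `MinVersion` to `tls.VersionTLS13` for the OpenCensus exporter's gRPC credentials is a hard compatibility cut with no override, unlike webhook.go in this same patch, which adds `WEBHOOK_TLS_MIN_VERSION` for the same move; a collector endpoint that only negotiates TLS 1.2 now fails the handshake with no configuration way back. At least record the decision next to the field, `// TLS 1.3 only; collectors that cannot negotiate it are rejected on purpose.`, and consider routing the value through configuration as the webhook does. getCredentials begins and ends outside the hunk.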
@@ -29,6 +30,8 @@ const ( webhookNameEnvKey = "WEBHOOK_NAME" secretNameEnvKey = "WEBHOOK_SECRET_NAME" //nolint:gosec // This is not a hardcoded credential + + tlsMinVersionEnvKey = "WEBHOOK_TLS_MIN_VERSION" ) // PortFromEnv returns the webhook port set by portEnvKey, or default port if env var is not set. @@ -66,3 +69,16 @@ func SecretNameFromEnv(defaultSecretName string) string { } return secret } + +func TLSMinVersionFromEnv(defaultTLSMinVersion uint16) uint16 { + switch tlsMinVersion := os.Getenv(tlsMinVersionEnvKey); tlsMinVersion { + case "1.2": + return tls.VersionTLS12 + case "1.3": + return tls.VersionTLS13 + case "": + return defaultTLSMinVersion + default: + panic(fmt.Sprintf("the environment variable %q has to be either '1.2' or '1.3'", tlsMinVersionEnvKey)) + } +} diff --git a/vendor/knative.dev/pkg/webhook/webhook.go b/vendor/knative.dev/pkg/webhook/webhook.go index 6099e6ac5..779d388d2 100644 --- a/vendor/knative.dev/pkg/webhook/webhook.go +++ b/vendor/knative.dev/pkg/webhook/webhook.go @@ -40,6 +40,10 @@ import ( // Options contains the configuration for the webhook type Options struct { + // TLSMinVersion contains the minimum TLS version that is acceptable to communicate with the API server. + // TLS 1.3 is the minimum version if not specified otherwise. + TLSMinVersion uint16 + // ServiceName is the service name of the webhook. ServiceName string @@ -119,6 +123,13 @@ func New( opts.StatsReporter = reporter } + defaultTLSMinVersion := uint16(tls.VersionTLS13) + if opts.TLSMinVersion == 0 { + opts.TLSMinVersion = TLSMinVersionFromEnv(defaultTLSMinVersion) + } else if opts.TLSMinVersion != tls.VersionTLS12 && opts.TLSMinVersion != tls.VersionTLS13 { + return nil, fmt.Errorf("unsupported TLS version: %d", opts.TLSMinVersion) + } + syncCtx, cancel := context.WithCancel(context.Background()) webhook = &Webhook{ 
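Review bot: `TLSMinVersionFromEnv` panics on an unrecognised `WEBHOOK_TLS_MIN_VERSION` value, whereas `New` in webhook.go (same patch) returns an error for the equivalent bad value passed through `Options.TLSMinVersion`; since the env var is read from inside `New`, the two configuration paths fail differently for the same mistake. Returning `(uint16, error)` and letting `New` wrap it would keep one failure mode, at the cost of changing this new function's signature before it gains callers. The function is also exported without a doc comment; `// TLSMinVersionFromEnv returns the TLS version named by WEBHOOK_TLS_MIN_VERSION ("1.2" or "1.3"), or defaultTLSMinVersion when the variable is unset; any other value panics.` would do.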
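Review bot: The `TLSMinVersion` field comment does not mention that `WEBHOOK_TLS_MIN_VERSION` is consulted only when the field is left at zero, which the validation block in `New` establishes; an operator setting the variable while the embedding program sets the option will find the variable ignored. I would add `// When zero, WEBHOOK_TLS_MIN_VERSION is consulted; an explicit value takes precedence over the environment.` to the field comment. Note also that the server default moves from TLS 1.2 to 1.3 for every caller that does not set the option, which is a behaviour change for existing embedders. New begins and ends outside the hunk.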
@@ -136,7 +147,7 @@ func New( secretInformer := kubeinformerfactory.Get(ctx).Core().V1().Secrets() webhook.tlsConfig = &tls.Config{ - MinVersion: tls.VersionTLS12, + MinVersion: opts.TLSMinVersion, // If we return (nil, error) the client sees - 'tls: internal error" // If we return (nil, nil) the client sees - 'tls: no certificates configured' diff --git a/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go b/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go index cc59b95f3..1d4dd77eb 100644 --- a/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go +++ b/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go @@ -86,9 +86,8 @@ func VolumeProjectionMask(in *corev1.VolumeProjection) *corev1.VolumeProjection out.ConfigMap = in.ConfigMap out.ServiceAccountToken = in.ServiceAccountToken - // Disallowed fields - // This list is unnecessary, but added here for clarity - out.DownwardAPI = nil + // TODO(KauzClay): Should this be behind a feature flag like EmptyDir? + out.DownwardAPI = in.DownwardAPI return out } 
@@ -147,6 +146,40 @@ func ServiceAccountTokenProjectionMask(in *corev1.ServiceAccountTokenProjection) return out } +// DownwardAPIProjectionMask performs a _shallow_ copy of the Kubernetes DownwardAPIProjection +// object to a new Kubernetes DownwardAPIProjection object bringing over only the fields allowed +// in the Knative API. This does not validate the contents or the bounds of the provided fields. +func DownwardAPIProjectionMask(in *corev1.DownwardAPIProjection) *corev1.DownwardAPIProjection { + if in == nil { + return nil + } + + out := new(corev1.DownwardAPIProjection) + + out.Items = append(out.Items, in.Items...) + + return out +} + +// DownwardAPIVolumeFileMask performs a _shallow_ copy of the Kubernetes DownwardAPIVolumeFileMask +// object to a new Kubernetes DownwardAPIVolumeFileMask object bringing over only the fields allowed +// in the Knative API. This does not validate the contents or the bounds of the provided fields. +func DownwardAPIVolumeFileMask(in *corev1.DownwardAPIVolumeFile) *corev1.DownwardAPIVolumeFile { + if in == nil { + return nil + } + + out := new(corev1.DownwardAPIVolumeFile) + + // Allowed fields + out.FieldRef = in.FieldRef + out.ResourceFieldRef = in.ResourceFieldRef + out.Path = in.Path + out.Mode = in.Mode + + return out +} + // KeyToPathMask performs a _shallow_ copy of the Kubernetes KeyToPath // object to a new Kubernetes KeyToPath object bringing over only the fields allowed // in the Knative API. This does not validate the contents or the bounds of the provided fields. diff --git a/vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go b/vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go index 55ae1173f..efa65a05e 100644 --- a/vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go +++ b/vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go 
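Review bot: The doc comment on `DownwardAPIVolumeFileMask` names the copied type as `DownwardAPIVolumeFileMask`, which is the function, not the Kubernetes object; it should read `// DownwardAPIVolumeFileMask performs a _shallow_ copy of the Kubernetes DownwardAPIVolumeFile` and `// object to a new Kubernetes DownwardAPIVolumeFile object ...`, matching its siblings. The `_shallow_` wording is accurate here, since `FieldRef` and `ResourceFieldRef` are copied as pointers and a caller mutating the mask output would also mutate the input; a short remark in the comment would save the next reader from checking.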
@@ -196,8 +196,12 @@ func validateProjectedVolumeSource(vp corev1.VolumeProjection) *apis.FieldError specified = append(specified, "serviceAccountToken") errs = errs.Also(validateServiceAccountTokenProjection(vp.ServiceAccountToken).ViaField("serviceAccountToken")) } + if vp.DownwardAPI != nil { + specified = append(specified, "downwardAPI") + errs = errs.Also(validateDownwardAPIProjection(vp.DownwardAPI).ViaField("downwardAPI")) + } if len(specified) == 0 { - errs = errs.Also(apis.ErrMissingOneOf("secret", "configMap", "serviceAccountToken")) + errs = errs.Also(apis.ErrMissingOneOf("secret", "configMap", "serviceAccountToken", "downwardAPI")) } else if len(specified) > 1 { errs = errs.Also(apis.ErrMultipleOneOf(specified...)) } @@ -239,6 +243,28 @@ func validateServiceAccountTokenProjection(sp *corev1.ServiceAccountTokenProject return errs } +func validateDownwardAPIProjection(dapi *corev1.DownwardAPIProjection) *apis.FieldError { + errs := apis.CheckDisallowedFields(*dapi, *DownwardAPIProjectionMask(dapi)) + for i := range dapi.Items { + errs = errs.Also(validateDownwardAPIVolumeFile(&dapi.Items[i]).ViaFieldIndex("items", i)) + } + return errs +} + +func validateDownwardAPIVolumeFile(vf *corev1.DownwardAPIVolumeFile) *apis.FieldError { + errs := apis.CheckDisallowedFields(*vf, *DownwardAPIVolumeFileMask(vf)) + if vf.FieldRef == nil && vf.ResourceFieldRef == nil { + errs = errs.Also(apis.ErrMissingOneOf("fieldRef", "resourceFieldRef")) + } + if vf.FieldRef != nil && vf.ResourceFieldRef != nil { + errs = errs.Also(apis.ErrGeneric("Within a single item, cannot set both", "resourceFieldRef", "fieldRef")) + } + if vf.Path == "" { + errs = errs.Also(apis.ErrMissingField("path")) + } + return errs +} + func validateKeyToPath(k2p corev1.KeyToPath) *apis.FieldError { errs := apis.CheckDisallowedFields(k2p, *KeyToPathMask(&k2p)) if k2p.Key == "" { 
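Review bot: `validateDownwardAPIVolumeFile` only rejects an empty `Path` and the both/neither case for `FieldRef`/`ResourceFieldRef`; it does not constrain `Path` to a relative path without `..` segments, nor `FieldRef.FieldPath` to the metadata fields the downward API supports, so the first feedback on such values comes from the API server at pod creation instead of from admission of the Knative resource. If the neighbouring `validateKeyToPath` already applies a path check, reusing it here would keep the two projections consistent; that function continues outside the hunk, so I cannot tell. At minimum the `// Allowed fields` list in fieldmask.go and this function should agree on `Mode`, which is masked through but not validated.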
diff --git a/vendor/knative.dev/serving/pkg/networking/constants.go b/vendor/knative.dev/serving/pkg/networking/constants.go index a832d4654..642f59c0e 100644 --- a/vendor/knative.dev/serving/pkg/networking/constants.go +++ b/vendor/knative.dev/serving/pkg/networking/constants.go @@ -52,8 +52,8 @@ const ( // e.g. Public, Private. ServiceTypeKey = networking.GroupName + "/serviceType" - // ServingCertName is used by the secret name for internal TLS as "namespace-${ServingCertName}". - // Also the secret name has the label with "${ServingCertName}: data-plane" + // ServingCertName is the secret name for internal TLS. + // Also the secret name has the label with "${ServingCertName}: data-plane-user" ServingCertName = "serving-certs" ) diff --git a/vendor/modules.txt b/vendor/modules.txt index 5400a96e4..b8ef56173 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -947,8 +947,8 @@ k8s.io/utils/net k8s.io/utils/pointer k8s.io/utils/strings/slices k8s.io/utils/trace -# knative.dev/eventing v0.36.1-0.20230411131148-d35f8086dda7 -## explicit; go 1.18 +# knative.dev/eventing v0.37.0 +## explicit; go 1.19 knative.dev/eventing/pkg/adapter/v2 knative.dev/eventing/pkg/adapter/v2/util/crstatusevent knative.dev/eventing/pkg/apis/config @@ -982,6 +982,7 @@ knative.dev/eventing/pkg/client/clientset/versioned/typed/sources/v1 knative.dev/eventing/pkg/client/clientset/versioned/typed/sources/v1/fake knative.dev/eventing/pkg/client/clientset/versioned/typed/sources/v1beta2 knative.dev/eventing/pkg/client/clientset/versioned/typed/sources/v1beta2/fake +knative.dev/eventing/pkg/eventingtls knative.dev/eventing/pkg/kncloudevents knative.dev/eventing/pkg/metrics knative.dev/eventing/pkg/metrics/source 
@@ -989,15 +990,15 @@ knative.dev/eventing/pkg/observability knative.dev/eventing/pkg/observability/client knative.dev/eventing/pkg/reconciler/resources knative.dev/eventing/pkg/reconciler/source -# knative.dev/hack v0.0.0-20230411013550-9153cc618c1f +# knative.dev/hack v0.0.0-20230417170854-f591fea109b3 ## explicit; go 1.18 knative.dev/hack -# knative.dev/networking v0.0.0-20230404133438-0b998c1bdcef +# knative.dev/networking v0.0.0-20230419144338-e5d04e805e50 ## explicit; go 1.18 knative.dev/networking/pkg/apis/networking knative.dev/networking/pkg/apis/networking/v1alpha1 knative.dev/networking/pkg/config -# knative.dev/pkg v0.0.0-20230411013349-ef19121ff3df +# knative.dev/pkg v0.0.0-20230418073056-dfad48eaa5d0 ## explicit; go 1.18 knative.dev/pkg/apis knative.dev/pkg/apis/duck @@ -1050,7 +1051,7 @@ knative.dev/pkg/tracker knative.dev/pkg/version knative.dev/pkg/webhook knative.dev/pkg/webhook/certificates/resources -# knative.dev/serving v0.36.1-0.20230411130248-96b84bdbff7f +# knative.dev/serving v0.37.0 ## explicit; go 1.18 knative.dev/serving/pkg/apis/autoscaling knative.dev/serving/pkg/apis/autoscaling/v1alpha1