From aa44d3bf998e73eda2c61c5cc1879f6d0ce3e8f1 Mon Sep 17 00:00:00 2001
From: Knative Automation
Date: Mon, 9 Oct 2023 01:59:36 +0000
Subject: [PATCH] upgrade to latest dependencies

bumping knative.dev/eventing ce67d85...9de5275:
> 9de5275 Use expiring cache with the OIDC tokens (# 7335)
> 18e17ac [main] Update community files (# 7337)
> 7b3afa0 Optimized the exact filter performance (# 7311)
> e40037b Prefix filter optimizations (# 7309)
> 8d2330c Update Kubernetes min version in KinD e2e tests to 1.26.6 (# 7332)
> 402f6ac Add library for OIDC token management (# 7315)
bumping knative.dev/serving b66b185...0ee4c3a:
> 0ee4c3a Update community files (# 14485)
> c183543 internal encryption e2e tests (# 14092)
> 3eb979a Update overlay-config for tests (# 14478)
> 3cafe59 Update certificates and SANs used in Serving (# 14472)
bumping knative.dev/networking c1cae21...53ba1f4:
> 53ba1f4 Rename cluster.local to avoid issues with config validation webhook (# 872)
> 97dab15 upgrade to latest dependencies (# 870)
> 463dc38 Cleanup SAN constants and Secrets Keys for system-internal-tls certificates (# 861)
> 05d0964 Align the encryption flags (# 858)
bumping knative.dev/hack f2f9b6f...1588988:
> 1588988 Update community files (# 327)
bumping knative.dev/pkg 833dd97...d0a82f9:
> d0a82f9 Update community files (# 2850)

Signed-off-by: Knative Automation
---
 go.mod | 10 +-
 go.sum | 20 +--
 .../apis/networking/metadata_validation.go | 1 +
 .../pkg/apis/networking/register.go | 21 ++-
 .../networking/pkg/config/config.go | 143 +++++++++---------
 vendor/modules.txt | 10 +-
 6 files changed, 114 insertions(+), 91 deletions(-)

diff --git a/go.mod b/go.mod
index 85e5f53f2..62826255b 100644
--- a/go.mod
+++ b/go.mod
@@ -14,10 +14,10 @@ require (
 	k8s.io/api v0.27.6
 	k8s.io/apimachinery v0.27.6
 	k8s.io/client-go v0.27.6
-	knative.dev/eventing v0.38.1-0.20231004060457-ce67d85556b7
-	knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263
-	knative.dev/pkg v0.0.0-20231003141102-833dd976f13d
-	knative.dev/serving v0.38.1-0.20231004014018-b66b18545146
+	knative.dev/eventing v0.38.1-0.20231006142033-9de527599ed0
+	knative.dev/hack v0.0.0-20231006131420-158898889ae8
+	knative.dev/pkg v0.0.0-20231006130804-d0a82f9cbb8f
+	knative.dev/serving v0.38.1-0.20231006142030-0ee4c3ad64c2
 )
 
 require (
@@ -103,7 +103,7 @@ require (
 	k8s.io/klog/v2 v2.90.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
 	k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect
-	knative.dev/networking v0.0.0-20230927121431-c1cae210daec // indirect
+	knative.dev/networking v0.0.0-20231004065302-53ba1f44ef7a // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
diff --git a/go.sum b/go.sum
index cd68f2122..13d394928 100644
--- a/go.sum
+++ b/go.sum
@@ -715,16 +715,16 @@ k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5F k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY= k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -knative.dev/eventing v0.38.1-0.20231004060457-ce67d85556b7 h1:kS0FpNxOoeHfHoWK3dAMpLnRNbh268Tg04Po1/8ub0s= -knative.dev/eventing v0.38.1-0.20231004060457-ce67d85556b7/go.mod h1:RiywmLbqf6ZTG0h/fEyqTl0fdRv1DHFr/Tfsm5/noTA= -knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263 h1:e6r9J1YopzSh6tDCpyKhVBfRUlZ2r0KRo9wupRjdRF4= -knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= -knative.dev/networking v0.0.0-20230927121431-c1cae210daec h1:FuApkAE1QhvChCQDR3yziqdsZ+LiEM0ZxTdI0qKIMrA= -knative.dev/networking v0.0.0-20230927121431-c1cae210daec/go.mod h1:U9yqeTf2NtTY5aexYLbE4LAoIt/FAsnoERbnejJKlgI= -knative.dev/pkg v0.0.0-20231003141102-833dd976f13d h1:EcUwMwxqa1/4lhh0Hm5lc9h3ohUckHzKofG8ZAPZlbk= -knative.dev/pkg v0.0.0-20231003141102-833dd976f13d/go.mod h1:PxnS8ZnVtC0S+An+NEhrpzWt6k9hedDNt659Gu5EtJk= -knative.dev/serving v0.38.1-0.20231004014018-b66b18545146 h1:3F0daPkVr3UAdurm5ea412yugj8rKPi+mUGlT2kSPmI= -knative.dev/serving v0.38.1-0.20231004014018-b66b18545146/go.mod h1:W8uFQIUiKeP7n9+t+BsfR2cedKLvQO75XlQiot3oiHE= +knative.dev/eventing v0.38.1-0.20231006142033-9de527599ed0 h1:0K/jS3Pf5DC09ertJINFnAHoNQt1qRrFHIUklygqvOA= +knative.dev/eventing v0.38.1-0.20231006142033-9de527599ed0/go.mod h1:OaXBKpWXqAvn5U8i0Ey9zt9W22w0ddSlhqHlnpfYWK4= +knative.dev/hack v0.0.0-20231006131420-158898889ae8 h1:wz+G++v1u11IuFHX0ip3a849zLnEoj2vDJYxoy37Fr8= +knative.dev/hack v0.0.0-20231006131420-158898889ae8/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= +knative.dev/networking v0.0.0-20231004065302-53ba1f44ef7a 
h1:Q31AcykUUn/EcDFLt4citbeN8W7sxHenX1YG8l+urcE= +knative.dev/networking v0.0.0-20231004065302-53ba1f44ef7a/go.mod h1:LAT8cu/PGOtik5ABZhhl6h45QrNRXj0uqlpIP0dmLnU= +knative.dev/pkg v0.0.0-20231006130804-d0a82f9cbb8f h1:yAp7wEM3EAZ3hrQ/QgxS2OR9muX/Nywxnld9n/t7fkc= +knative.dev/pkg v0.0.0-20231006130804-d0a82f9cbb8f/go.mod h1:PxnS8ZnVtC0S+An+NEhrpzWt6k9hedDNt659Gu5EtJk= +knative.dev/serving v0.38.1-0.20231006142030-0ee4c3ad64c2 h1:xhE1ZG7sj0hgOSoLuo3hzAKU5x4yp5dMUhQKj1NDyhg= +knative.dev/serving v0.38.1-0.20231006142030-0ee4c3ad64c2/go.mod h1:UvbR1b2b9QKgOIA+4QxmjvHfQH5miQbfgwzzDbKAaoQ= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= diff --git a/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go b/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go index 85f69717f..fbd6c155f 100644 --- a/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go +++ b/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go @@ -29,6 +29,7 @@ var ( IngressClassAnnotationKey, CertificateClassAnnotationKey, DisableAutoTLSAnnotationKey, + DisableExternalDomainTLSAnnotationKey, HTTPOptionAnnotationKey, IngressClassAnnotationAltKey, diff --git a/vendor/knative.dev/networking/pkg/apis/networking/register.go b/vendor/knative.dev/networking/pkg/apis/networking/register.go index f7bdd81d7..e88e9b5c0 100644 --- a/vendor/knative.dev/networking/pkg/apis/networking/register.go +++ b/vendor/knative.dev/networking/pkg/apis/networking/register.go 
@@ -70,11 +70,17 @@ const (
 
 	// DisableAutoTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
 	// to indicate that AutoTLS should not be enabled for it.
+	// Deprecated: use DisableExternalDomainTLSAnnotationKey instead.
 	DisableAutoTLSAnnotationKey = PublicGroupName + "/disableAutoTLS"
 
 	// DisableAutoTLSAnnotationAltKey is an alternative casing to DisableAutoTLSAnnotationKey
+	// Deprecated: use DisableExternalDomainTLSAnnotationKey instead.
 	DisableAutoTLSAnnotationAltKey = PublicGroupName + "/disable-auto-tls"
 
+	// DisableExternalDomainTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
+	// to indicate that external-domain-tls should not be enabled for it.
+	DisableExternalDomainTLSAnnotationKey = PublicGroupName + "/disable-external-domain-tls"
+
 	// HTTPOptionAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
 	// to indicate the HTTP option of it.
 	HTTPOptionAnnotationKey = PublicGroupName + "/httpOption"
@@ -130,9 +136,15 @@ var (
 		CertificateClassAnnotationAltKey,
 	}
 
-	DisableAutoTLSAnnotation = kmap.KeyPriority{
+	// Deprecated: use DisableExternalDomainTLSAnnotation instead.
+	DisableAutoTLSAnnotation = DisableExternalDomainTLSAnnotation
+
+	DisableExternalDomainTLSAnnotation = kmap.KeyPriority{
+		// backward compatibility
 		DisableAutoTLSAnnotationKey,
 		DisableAutoTLSAnnotationAltKey,
+
+		DisableExternalDomainTLSAnnotationKey,
 	}
 
 	HTTPProtocolAnnotation = kmap.KeyPriority{
@@ -153,6 +165,9 @@ func GetHTTPProtocol(annotations map[string]string) (val string) {
 	return HTTPProtocolAnnotation.Value(annotations)
 }
 
-func GetDisableAutoTLS(annotations map[string]string) (val string) {
-	return DisableAutoTLSAnnotation.Value(annotations)
+// Deprecated: use GetDisableExternalDomainTLS instead.
+var GetDisableAutoTLS = GetDisableExternalDomainTLS
+
+func GetDisableExternalDomainTLS(annotations map[string]string) (val string) {
+	return DisableExternalDomainTLSAnnotation.Value(annotations)
 }
diff --git a/vendor/knative.dev/networking/pkg/config/config.go b/vendor/knative.dev/networking/pkg/config/config.go
index f27c7865e..028937067 100644
--- a/vendor/knative.dev/networking/pkg/config/config.go
+++ b/vendor/knative.dev/networking/pkg/config/config.go
@@ -70,17 +70,12 @@ const (
 	// ServingInternalCertName is the name of secret contains certificates in serving
 	// system namespace.
 	//
-	// Deprecated: ServingInternalCertName is deprecated.
-	// (use ServingControlCertName or ServingRoutingCertName instead)
+	// Deprecated: ServingInternalCertName is deprecated. Use ServingRoutingCertName instead.
 	ServingInternalCertName = "knative-serving-certs"
 
 	// ServingRoutingCertName is the name of secret contains certificates for Routing data in serving
 	// system namespace. (Used by Ingress GWs and Activator)
 	ServingRoutingCertName = "routing-serving-certs"
-
-	// ServingControlCertName is the name of secret contains certificates for Control data in serving
-	// system namespace. (Used by Autoscaler and Ingress control for example)
-	ServingControlCertName = "control-serving-certs"
 )
 
 // Config Keys
@@ -92,8 +87,17 @@ const (
 
 	// AutoTLSKey is the name of the configuration entry
 	// that specifies enabling auto-TLS or not.
+	// Deprecated: please use ExternalDomainTLSKey.
 	AutoTLSKey = "auto-tls"
 
+	// ExternalDomainTLSKey is the name of the configuration entry
+	// that specifies if external-domain-tls is enabled or not.
+	ExternalDomainTLSKey = "external-domain-tls"
+
+	// ClusterLocalDomainTLSKey is the name of the configuration entry
+	// that specifies if cluster-local-domain-tls is enabled or not.
+	ClusterLocalDomainTLSKey = "cluster-local-domain-tls"
+
 	// DefaultCertificateClassKey is the name of the configuration entry
 	// that specifies the default Certificate.
 	DefaultCertificateClassKey = "certificate-class"
@@ -134,39 +138,26 @@ const (
 	// hostname for a Route's tag.
 	TagTemplateKey = "tag-template"
 
-	// InternalEncryptionKey is deprecated and replaced by InternalDataplaneTrustKey and ControlplaneTrustKey.
 	// InternalEncryptionKey is the name of the configuration whether
 	// internal traffic is encrypted or not.
+	// Deprecated: please use SystemInternalTLSKey.
 	InternalEncryptionKey = "internal-encryption"
 
-	// DataplaneTrustKey is the name of the configuration entry
-	// defining the level of trust used for data plane traffic.
-	DataplaneTrustKey = "dataplane-trust"
-
-	// ControlplaneTrustKey is the name of the configuration entry
-	// defining the level of trust used for control plane traffic.
-	ControlplaneTrustKey = "controlplane-trust"
+	// SystemInternalTLSKey is the name of the configuration whether
+	// traffic between Knative system components is encrypted or not.
+	SystemInternalTLSKey = "system-internal-tls"
 )
 
-// HTTPProtocol indicates a type of HTTP endpoint behavior
-// that Knative ingress could take.
-type Trust string
+// EncryptionConfig indicates the encryption configuration
+// used for TLS connections.
+type EncryptionConfig string
 
 const (
-	// TrustDisabled - TLS not used
-	TrustDisabled Trust = "disabled"
-
-	// TrustMinimal - TLS used. We verify that the server is using Knative certificates
-	TrustMinimal Trust = "minimal"
+	// EncryptionDisabled - TLS not used.
+	EncryptionDisabled EncryptionConfig = "disabled"
 
-	// TrustEnabled - TLS used. We verify that the server is using Knative certificates of the right namespace
-	TrustEnabled Trust = "enabled"
-
-	// TrustMutual - same as TrustEnabled and we also verify the identity of the client.
-	TrustMutual Trust = "mutual"
-
-	// TrustIdentity - same as TrustMutual and we also add a trusted sender identity to the message.
-	TrustIdentity Trust = "identity"
+	// EncryptionEnabled - TLS used. The client verifies the servers certificate.
+	EncryptionEnabled EncryptionConfig = "enabled"
 )
 
 // HTTPProtocol indicates a type of HTTP endpoint behavior
@@ -244,8 +235,12 @@ type Config struct {
 	TagTemplate string
 
 	// AutoTLS specifies if auto-TLS is enabled or not.
+	// Deprecated: please use ExternalDomainTLS instead.
 	AutoTLS bool
 
+	// ExternalDomainTLS specifies if external-domain-tls is enabled or not.
+	ExternalDomainTLS bool
+
 	// HTTPProtocol specifics the behavior of HTTP endpoint of Knative
 	// ingress.
 	HTTPProtocol HTTPProtocol
@@ -293,15 +288,15 @@ type Config struct {
 	// not enabled. Defaults to "http".
 	DefaultExternalScheme string
 
-	// Deprecated - replaced with InternalDataplaneTrust and InternalControlplaneTrust
 	// InternalEncryption specifies whether internal traffic is encrypted or not.
+	// Deprecated: please use SystemInternalTLSKey instead.
 	InternalEncryption bool
 
-	// DataplaneTrust specifies the level of trust used for date plane.
-	DataplaneTrust Trust
+	// SystemInternalTLS specifies whether knative internal traffic is encrypted or not.
+	SystemInternalTLS EncryptionConfig
 
-	// ControlplaneTrust specifies the level of trust used for control plane.
-	ControlplaneTrust Trust
+	// ClusterLocalDomainTLS specifies whether cluster-local traffic is encrypted or not.
+	ClusterLocalDomainTLS EncryptionConfig
 }
 
 func defaultConfig() *Config {
@@ -311,14 +306,15 @@ func defaultConfig() *Config {
 		DomainTemplate: DefaultDomainTemplate,
 		TagTemplate: DefaultTagTemplate,
 		AutoTLS: false,
+		ExternalDomainTLS: false,
 		NamespaceWildcardCertSelector: nil,
 		HTTPProtocol: HTTPEnabled,
 		AutocreateClusterDomainClaims: false,
 		DefaultExternalScheme: "http",
 		MeshCompatibilityMode: MeshCompatibilityModeAuto,
 		InternalEncryption: false,
-		DataplaneTrust: TrustDisabled,
-		ControlplaneTrust: TrustDisabled,
+		SystemInternalTLS: EncryptionDisabled,
+		ClusterLocalDomainTLS: EncryptionDisabled,
 	}
 }
@@ -383,12 +379,23 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 	}
 	templateCache.Add(nc.TagTemplate, t)
 
+	// external-domain-tls and auto-tls
 	if val, ok := data["autoTLS"]; ok {
 		nc.AutoTLS = strings.EqualFold(val, "enabled")
 	}
 	if val, ok := data[AutoTLSKey]; ok {
 		nc.AutoTLS = strings.EqualFold(val, "enabled")
 	}
+	if val, ok := data[ExternalDomainTLSKey]; ok {
+		nc.ExternalDomainTLS = strings.EqualFold(val, "enabled")
+
+		// The new key takes precedence, but we support compatibility
+		// for code that has not updated to the new field yet.
+		nc.AutoTLS = nc.ExternalDomainTLS
+	} else {
+		// backward compatibility: if the new key is not set, use the value from the old key
+		nc.ExternalDomainTLS = nc.AutoTLS
+	}
 
 	var httpProtocol string
 	if val, ok := data["httpProtocol"]; ok {
@@ -410,52 +417,52 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 		return nil, fmt.Errorf("httpProtocol %s in config-network ConfigMap is not supported", data[HTTPProtocolKey])
 	}
 
-	switch strings.ToLower(data[DataplaneTrustKey]) {
-	case "", string(TrustDisabled):
-		// If DataplaneTrus is not set in the config-network, default is already
-		// set to TrustDisabled.
+	switch strings.ToLower(data[SystemInternalTLSKey]) {
+	case "", string(EncryptionDisabled):
+		// If SystemInternalTLSKey is not set in the config-network, default is already
+		// set to EncryptionDisabled.
 		if nc.InternalEncryption {
 			// Backward compatibility
-			nc.DataplaneTrust = TrustMinimal
+			nc.SystemInternalTLS = EncryptionEnabled
 		}
-	case string(TrustMinimal):
-		nc.DataplaneTrust = TrustMinimal
-	case string(TrustEnabled):
-		nc.DataplaneTrust = TrustEnabled
-	case string(TrustMutual):
-		nc.DataplaneTrust = TrustMutual
-	case string(TrustIdentity):
-		nc.DataplaneTrust = TrustIdentity
+	case string(EncryptionEnabled):
+		nc.SystemInternalTLS = EncryptionEnabled
+
+		// The new key takes precedence, but we support compatibility
+		// for code that has not updated to the new field yet.
+		nc.InternalEncryption = true
 	default:
-		return nil, fmt.Errorf("DataplaneTrust %q in config-network ConfigMap is not supported", data[DataplaneTrustKey])
+		return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
+			SystemInternalTLSKey, data[SystemInternalTLSKey])
 	}
 
-	switch strings.ToLower(data[ControlplaneTrustKey]) {
-	case "", string(TrustDisabled):
-		// If ControlplaneTrust is not set in the config-network, default is already
-		// set to TrustDisabled.
-	case string(TrustEnabled):
-		nc.ControlplaneTrust = TrustEnabled
-	case string(TrustMutual):
-		nc.ControlplaneTrust = TrustMutual
+	switch strings.ToLower(data[ClusterLocalDomainTLSKey]) {
+	case "", string(EncryptionDisabled):
+		// If ClusterLocalDomainTLSKey is not set in the config-network, default is already
+		// set to EncryptionDisabled.
+	case string(EncryptionEnabled):
+		nc.ClusterLocalDomainTLS = EncryptionEnabled
 	default:
-		return nil, fmt.Errorf("ControlplaneTrust %q in config-network ConfigMap is not supported", data[ControlplaneTrustKey])
+		return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
+			ClusterLocalDomainTLSKey, data[ClusterLocalDomainTLSKey])
 	}
 
 	return nc, nil
 }
 
-// InternalTLSEnabled returns whether or not InternalEncyrption is enabled.
-// Currently only DataplaneTrust is considered.
+// InternalTLSEnabled returns whether InternalEncryption is enabled or not.
+// Deprecated: please use SystemInternalTLSEnabled()
 func (c *Config) InternalTLSEnabled() bool {
-	return tlsEnabled(c.DataplaneTrust)
+	return tlsEnabled(c.SystemInternalTLS)
+}
+
+// SystemInternalTLSEnabled returns whether SystemInternalTLS is enabled or not.
+func (c *Config) SystemInternalTLSEnabled() bool {
+	return tlsEnabled(c.SystemInternalTLS)
 }
 
-func tlsEnabled(trust Trust) bool {
-	return trust == TrustMinimal ||
-		trust == TrustEnabled ||
-		trust == TrustMutual ||
-		trust == TrustIdentity
+func tlsEnabled(encryptionConfig EncryptionConfig) bool {
+	return encryptionConfig == EncryptionEnabled
 }
 
 // GetDomainTemplate returns the golang Template from the config map
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b16ac7767..7210681e2 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -968,7 +968,7 @@ k8s.io/utils/net k8s.io/utils/pointer k8s.io/utils/strings/slices k8s.io/utils/trace -# knative.dev/eventing v0.38.1-0.20231004060457-ce67d85556b7 +# knative.dev/eventing v0.38.1-0.20231006142033-9de527599ed0 ## explicit; go 1.19 knative.dev/eventing/pkg/adapter/v2 knative.dev/eventing/pkg/adapter/v2/test @@ -1015,15 +1015,15 @@ knative.dev/eventing/pkg/metrics knative.dev/eventing/pkg/metrics/source knative.dev/eventing/pkg/observability knative.dev/eventing/pkg/observability/client -# knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263 +# knative.dev/hack v0.0.0-20231006131420-158898889ae8 ## explicit; go 1.18 knative.dev/hack -# knative.dev/networking v0.0.0-20230927121431-c1cae210daec +# knative.dev/networking v0.0.0-20231004065302-53ba1f44ef7a ## explicit; go 1.18 knative.dev/networking/pkg/apis/networking knative.dev/networking/pkg/apis/networking/v1alpha1 knative.dev/networking/pkg/config -# knative.dev/pkg v0.0.0-20231003141102-833dd976f13d +# knative.dev/pkg v0.0.0-20231006130804-d0a82f9cbb8f ## explicit; go 1.18 knative.dev/pkg/apis knative.dev/pkg/apis/duck @@ -1087,7 +1087,7 @@ knative.dev/pkg/webhook/psbinding knative.dev/pkg/webhook/resourcesemantics knative.dev/pkg/webhook/resourcesemantics/defaulting knative.dev/pkg/webhook/resourcesemantics/validation -# knative.dev/serving v0.38.1-0.20231004014018-b66b18545146 +# knative.dev/serving v0.38.1-0.20231006142030-0ee4c3ad64c2 ## explicit; go 1.18 knative.dev/serving/pkg/apis/autoscaling knative.dev/serving/pkg/apis/autoscaling/v1alpha1