Bump knative.dev/serving from 0.38.6 to 0.39.0

Bumps [knative.dev/serving](https://github.com/knative/serving) from 0.38.6 to 0.39.0. - [Release notes](https://github.com/knative/serving/releases) - [Commits](knative/serving@v0.38.6...v0.39.0) --- updated-dependencies: - dependency-name: knative.dev/serving dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
tektoncd · Jul 3, 2024 · 9bc3dd0 · 9bc3dd0
1 parent dce8c74
commit 9bc3dd0
Show file tree

Hide file tree

Showing 13 changed files with 164 additions and 97 deletions.
diff --git a/go.mod b/go.mod
@@ -34,7 +34,7 @@ require (
 	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9
 	knative.dev/eventing v0.30.1-0.20220407170245-58865afba92c
 	knative.dev/pkg v0.0.0-20240116073220-b488e7be5902
-	knative.dev/serving v0.38.6
+	knative.dev/serving v0.39.0
 	sigs.k8s.io/yaml v1.4.0
 )
 
@@ -148,7 +148,7 @@ require (
 	k8s.io/gengo v0.0.0-20221011193443-fad74ee6edd9 // indirect
 	k8s.io/klog v1.0.0 // indirect
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
-	knative.dev/networking v0.0.0-20231012062757-a5958051caf8 // indirect
+	knative.dev/networking v0.0.0-20231017124814-2a7676e912b7 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -1927,15 +1927,15 @@ knative.dev/hack v0.0.0-20220224013837-e1785985d364/go.mod h1:PHt8x8yX5Z9pPquBEf
 knative.dev/hack v0.0.0-20220318020218-14f832e506f8/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
 knative.dev/hack v0.0.0-20220328133751-f06773764ce3/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
 knative.dev/hack/schema v0.0.0-20220328133751-f06773764ce3/go.mod h1:ffjwmdcrH5vN3mPhO8RrF2KfNnbHeCE2C60A+2cv3U0=
-knative.dev/networking v0.0.0-20231012062757-a5958051caf8 h1:oZMbAAXyiDZUYoQ4qEjL6uxXrL1xBVfEyQJx8sP0XEg=
-knative.dev/networking v0.0.0-20231012062757-a5958051caf8/go.mod h1:XwZwqJoLZR92N6F/sj8lHxttnry/Kiz+OgG8+uVuYn0=
+knative.dev/networking v0.0.0-20231017124814-2a7676e912b7 h1:6+1icZuxiZO1paFZ4d/ysKWVG2M4WB7OxNJNyLG0P/E=
+knative.dev/networking v0.0.0-20231017124814-2a7676e912b7/go.mod h1:1gcHoIVG47ekQWjkddqRq+/7tWRh+CB9W4k/NAcdRbk=
 knative.dev/pkg v0.0.0-20220318185521-e6e3cf03d765/go.mod h1:nKJ2L4o7or3j58eqMK843kbIM0SiYnAXXsisfEQECS8=
 knative.dev/pkg v0.0.0-20220325200448-1f7514acd0c2/go.mod h1:5xt0nzCwxvQ2N4w71smY7pYm5nVrQ8qnRsMinSLVpio=
 knative.dev/pkg v0.0.0-20240116073220-b488e7be5902 h1:H6+JJN23fhwYWCHY1339sY6uhIyoUwDy1a8dN233fdk=
 knative.dev/pkg v0.0.0-20240116073220-b488e7be5902/go.mod h1:NYk8mMYoLkO7CQWnNkti4YGGnvLxN6MIDbUvtgeo0C0=
 knative.dev/reconciler-test v0.0.0-20220328072550-7d32310c9b3a/go.mod h1:wlz1lGyn5fjJYL5PTSL/SOI4xgVpU+q6D4eaa19NsDA=
-knative.dev/serving v0.38.6 h1:G4N2dYuMggJf4Cc4ycen/dYjEF1IlyX3zoRpkou/7zI=
-knative.dev/serving v0.38.6/go.mod h1:5JIK94q75k2Y09CKpFRMe6Rs12bgCGv25wInPor/XCk=
+knative.dev/serving v0.39.0 h1:NVt8WthHmFFMWZ3qpBblXt47del8qqrbCegqwGBVSwk=
+knative.dev/serving v0.39.0/go.mod h1:0QIp5mvgWa1oUC2MxMf+Q/JWgG8JhAsSdJKc6iTRlvE=
 pgregory.net/rapid v0.3.3/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=

diff --git a/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go b/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go
@@ -29,6 +29,7 @@ var (
 		IngressClassAnnotationKey,
 		CertificateClassAnnotationKey,
 		DisableAutoTLSAnnotationKey,
+		DisableExternalDomainTLSAnnotationKey,
 		HTTPOptionAnnotationKey,
 
 		IngressClassAnnotationAltKey,

diff --git a/vendor/knative.dev/networking/pkg/apis/networking/register.go b/vendor/knative.dev/networking/pkg/apis/networking/register.go
@@ -70,11 +70,17 @@ const (
 
 	// DisableAutoTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
 	// to indicate that AutoTLS should not be enabled for it.
+	// Deprecated: use DisableExternalDomainTLSAnnotationKey instead.
 	DisableAutoTLSAnnotationKey = PublicGroupName + "/disableAutoTLS"
 
 	// DisableAutoTLSAnnotationAltKey is an alternative casing to DisableAutoTLSAnnotationKey
+	// Deprecated: use DisableExternalDomainTLSAnnotationKey instead.
 	DisableAutoTLSAnnotationAltKey = PublicGroupName + "/disable-auto-tls"
 
+	// DisableExternalDomainTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
+	// to indicate that external-domain-tls should not be enabled for it.
+	DisableExternalDomainTLSAnnotationKey = PublicGroupName + "/disable-external-domain-tls"
+
 	// HTTPOptionAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
 	// to indicate the HTTP option of it.
 	HTTPOptionAnnotationKey = PublicGroupName + "/httpOption"
@@ -130,9 +136,15 @@ var (
 		CertificateClassAnnotationAltKey,
 	}
 
-	DisableAutoTLSAnnotation = kmap.KeyPriority{
+	// Deprecated: use DisableExternalDomainTLSAnnotation instead.
+	DisableAutoTLSAnnotation = DisableExternalDomainTLSAnnotation
+
+	DisableExternalDomainTLSAnnotation = kmap.KeyPriority{
+		// backward compatibility
 		DisableAutoTLSAnnotationKey,
 		DisableAutoTLSAnnotationAltKey,
+
+		DisableExternalDomainTLSAnnotationKey,
 	}
 
 	HTTPProtocolAnnotation = kmap.KeyPriority{
@@ -153,6 +165,9 @@ func GetHTTPProtocol(annotations map[string]string) (val string) {
 	return HTTPProtocolAnnotation.Value(annotations)
 }
 
-func GetDisableAutoTLS(annotations map[string]string) (val string) {
-	return DisableAutoTLSAnnotation.Value(annotations)
+// Deprecated: use GetDisableExternalDomainTLS instead.
+var GetDisableAutoTLS = GetDisableExternalDomainTLS
+
+func GetDisableExternalDomainTLS(annotations map[string]string) (val string) {
+	return DisableExternalDomainTLSAnnotation.Value(annotations)
 }
diff --git a/vendor/knative.dev/networking/pkg/config/config.go b/vendor/knative.dev/networking/pkg/config/config.go
@@ -25,6 +25,7 @@ import (
 	"strings"
 	"text/template"
 
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/lru"
 	cm "knative.dev/pkg/configmap"
@@ -69,17 +70,12 @@ const (
 	// ServingInternalCertName is the name of secret contains certificates in serving
 	// system namespace.
 	//
-	// Deprecated: ServingInternalCertName is deprecated.
-	// (use ServingControlCertName or ServingRoutingCertName instead)
+	// Deprecated: ServingInternalCertName is deprecated. Use ServingRoutingCertName instead.
 	ServingInternalCertName = "knative-serving-certs"
 
 	// ServingRoutingCertName is the name of secret contains certificates for Routing data in serving
 	// system namespace. (Used by Ingress GWs and Activator)
 	ServingRoutingCertName = "routing-serving-certs"
-
-	// ServingControlCertName is the name of secret contains certificates for Control data in serving
-	// system namespace. (Used by Autoscaler and Ingress control for example)
-	ServingControlCertName = "control-serving-certs"
 )
 
 // Config Keys
@@ -91,8 +87,17 @@ const (
 
 	// AutoTLSKey is the name of the configuration entry
 	// that specifies enabling auto-TLS or not.
+	// Deprecated: please use ExternalDomainTLSKey.
 	AutoTLSKey = "auto-tls"
 
+	// ExternalDomainTLSKey is the name of the configuration entry
+	// that specifies if external-domain-tls is enabled or not.
+	ExternalDomainTLSKey = "external-domain-tls"
+
+	// ClusterLocalDomainTLSKey is the name of the configuration entry
+	// that specifies if cluster-local-domain-tls is enabled or not.
+	ClusterLocalDomainTLSKey = "cluster-local-domain-tls"
+
 	// DefaultCertificateClassKey is the name of the configuration entry
 	// that specifies the default Certificate.
 	DefaultCertificateClassKey = "certificate-class"
@@ -133,39 +138,26 @@ const (
 	// hostname for a Route's tag.
 	TagTemplateKey = "tag-template"
 
-	// InternalEncryptionKey is deprecated and replaced by InternalDataplaneTrustKey and internal-controlplane-trust
 	// InternalEncryptionKey is the name of the configuration whether
 	// internal traffic is encrypted or not.
+	// Deprecated: please use SystemInternalTLSKey.
 	InternalEncryptionKey = "internal-encryption"
 
-	// DataplaneTrustKey is the name of the configuration entry
-	// defining the level of trust used for data plane traffic.
-	DataplaneTrustKey = "dataplane-trust"
-
-	// ControlplaneTrustKey is the name of the configuration entry
-	// defining the level of trust used for control plane traffic.
-	ControlplaneTrustKey = "controlplane-trust"
+	// SystemInternalTLSKey is the name of the configuration whether
+	// traffic between Knative system components is encrypted or not.
+	SystemInternalTLSKey = "system-internal-tls"
 )
 
-// HTTPProtocol indicates a type of HTTP endpoint behavior
-// that Knative ingress could take.
-type Trust string
+// EncryptionConfig indicates the encryption configuration
+// used for TLS connections.
+type EncryptionConfig string
 
 const (
-	// TrustDisabled - TLS not used
-	TrustDisabled Trust = "disabled"
+	// EncryptionDisabled - TLS not used.
+	EncryptionDisabled EncryptionConfig = "disabled"
 
-	// TrustMinimal - TLS used. We verify that the server is using Knative certificates
-	TrustMinimal Trust = "minimal"
-
-	// TrustEnabled - TLS used. We verify that the server is using Knative certificates of the right namespace
-	TrustEnabled Trust = "enabled"
-
-	// TrustMutual - same as TrustEnabled and we also verify the identity of the client.
-	TrustMutual Trust = "mutual"
-
-	// TrustIdentity - same as TrustMutual and we also add a trusted sender identity to the message.
-	TrustIdentity Trust = "identity"
+	// EncryptionEnabled - TLS used. The client verifies the servers certificate.
+	EncryptionEnabled EncryptionConfig = "enabled"
 )
 
 // HTTPProtocol indicates a type of HTTP endpoint behavior
@@ -243,8 +235,12 @@ type Config struct {
 	TagTemplate string
 
 	// AutoTLS specifies if auto-TLS is enabled or not.
+	// Deprecated: please use ExternalDomainTLS instead.
 	AutoTLS bool
 
+	// ExternalDomainTLS specifies if external-domain-tls is enabled or not.
+	ExternalDomainTLS bool
+
 	// HTTPProtocol specifics the behavior of HTTP endpoint of Knative
 	// ingress.
 	HTTPProtocol HTTPProtocol
@@ -292,15 +288,15 @@ type Config struct {
 	// not enabled. Defaults to "http".
 	DefaultExternalScheme string
 
-	// Deprecated - replaced with InternalDataplaneTrust and InternalControlplaneTrust
 	// InternalEncryption specifies whether internal traffic is encrypted or not.
+	// Deprecated: please use SystemInternalTLSKey instead.
 	InternalEncryption bool
 
-	// DataplaneTrust specifies the level of trust used for date plane.
-	DataplaneTrust Trust
+	// SystemInternalTLS specifies whether knative internal traffic is encrypted or not.
+	SystemInternalTLS EncryptionConfig
 
-	// ControlplaneTrust specifies the level of trust used for control plane.
-	ControlplaneTrust Trust
+	// ClusterLocalDomainTLS specifies whether cluster-local traffic is encrypted or not.
+	ClusterLocalDomainTLS EncryptionConfig
 }
 
 func defaultConfig() *Config {
@@ -310,17 +306,26 @@ func defaultConfig() *Config {
 		DomainTemplate:                DefaultDomainTemplate,
 		TagTemplate:                   DefaultTagTemplate,
 		AutoTLS:                       false,
+		ExternalDomainTLS:             false,
 		NamespaceWildcardCertSelector: nil,
 		HTTPProtocol:                  HTTPEnabled,
 		AutocreateClusterDomainClaims: false,
 		DefaultExternalScheme:         "http",
 		MeshCompatibilityMode:         MeshCompatibilityModeAuto,
 		InternalEncryption:            false,
-		DataplaneTrust:                TrustDisabled,
-		ControlplaneTrust:             TrustDisabled,
+		SystemInternalTLS:             EncryptionDisabled,
+		ClusterLocalDomainTLS:         EncryptionDisabled,
 	}
 }
 
+// NewConfigFromConfigMap returns a Config for the given configmap
+func NewConfigFromConfigMap(config *corev1.ConfigMap) (*Config, error) {
+	if config == nil {
+		return NewConfigFromMap(nil)
+	}
+	return NewConfigFromMap(config.Data)
+}
+
 // NewConfigFromMap creates a Config from the supplied data.
 func NewConfigFromMap(data map[string]string) (*Config, error) {
 	nc := defaultConfig()
@@ -374,12 +379,23 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 	}
 	templateCache.Add(nc.TagTemplate, t)
 
+	// external-domain-tls and auto-tls
 	if val, ok := data["autoTLS"]; ok {
 		nc.AutoTLS = strings.EqualFold(val, "enabled")
 	}
 	if val, ok := data[AutoTLSKey]; ok {
 		nc.AutoTLS = strings.EqualFold(val, "enabled")
 	}
+	if val, ok := data[ExternalDomainTLSKey]; ok {
+		nc.ExternalDomainTLS = strings.EqualFold(val, "enabled")
+
+		// The new key takes precedence, but we support compatibility
+		// for code that has not updated to the new field yet.
+		nc.AutoTLS = nc.ExternalDomainTLS
+	} else {
+		// backward compatibility: if the new key is not set, use the value from the old key
+		nc.ExternalDomainTLS = nc.AutoTLS
+	}
 
 	var httpProtocol string
 	if val, ok := data["httpProtocol"]; ok {
@@ -401,41 +417,54 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 		return nil, fmt.Errorf("httpProtocol %s in config-network ConfigMap is not supported", data[HTTPProtocolKey])
 	}
 
-	switch strings.ToLower(data[DataplaneTrustKey]) {
-	case "", string(TrustDisabled):
-		// If DataplaneTrus is not set in the config-network, default is already
-		// set to TrustDisabled.
+	switch strings.ToLower(data[SystemInternalTLSKey]) {
+	case "", string(EncryptionDisabled):
+		// If SystemInternalTLSKey is not set in the config-network, default is already
+		// set to EncryptionDisabled.
 		if nc.InternalEncryption {
 			// Backward compatibility
-			nc.DataplaneTrust = TrustMinimal
+			nc.SystemInternalTLS = EncryptionEnabled
 		}
-	case string(TrustMinimal):
-		nc.DataplaneTrust = TrustMinimal
-	case string(TrustEnabled):
-		nc.DataplaneTrust = TrustEnabled
-	case string(TrustMutual):
-		nc.DataplaneTrust = TrustMutual
-	case string(TrustIdentity):
-		nc.DataplaneTrust = TrustIdentity
+	case string(EncryptionEnabled):
+		nc.SystemInternalTLS = EncryptionEnabled
+
+		// The new key takes precedence, but we support compatibility
+		// for code that has not updated to the new field yet.
+		nc.InternalEncryption = true
 	default:
-		return nil, fmt.Errorf("DataplaneTrust %q in config-network ConfigMap is not supported", data[DataplaneTrustKey])
+		return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
+			SystemInternalTLSKey, data[SystemInternalTLSKey])
 	}
 
-	switch strings.ToLower(data[ControlplaneTrustKey]) {
-	case "", string(TrustDisabled):
-		// If ControlplaneTrust is not set in the config-network, default is already
-		// set to TrustDisabled.
-	case string(TrustEnabled):
-		nc.ControlplaneTrust = TrustEnabled
-	case string(TrustMutual):
-		nc.ControlplaneTrust = TrustMutual
+	switch strings.ToLower(data[ClusterLocalDomainTLSKey]) {
+	case "", string(EncryptionDisabled):
+		// If ClusterLocalDomainTLSKey is not set in the config-network, default is already
+		// set to EncryptionDisabled.
+	case string(EncryptionEnabled):
+		nc.ClusterLocalDomainTLS = EncryptionEnabled
 	default:
-		return nil, fmt.Errorf("ControlplaneTrust %q in config-network ConfigMap is not supported", data[ControlplaneTrustKey])
+		return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
+			ClusterLocalDomainTLSKey, data[ClusterLocalDomainTLSKey])
 	}
 
 	return nc, nil
 }
 
+// InternalTLSEnabled returns whether InternalEncryption is enabled or not.
+// Deprecated: please use SystemInternalTLSEnabled()
+func (c *Config) InternalTLSEnabled() bool {
+	return tlsEnabled(c.SystemInternalTLS)
+}
+
+// SystemInternalTLSEnabled returns whether SystemInternalTLS is enabled or not.
+func (c *Config) SystemInternalTLSEnabled() bool {
+	return tlsEnabled(c.SystemInternalTLS)
+}
+
+func tlsEnabled(encryptionConfig EncryptionConfig) bool {
+	return encryptionConfig == EncryptionEnabled
+}
+
 // GetDomainTemplate returns the golang Template from the config map
 // or panics (the value is validated during CM validation and at
 // this point guaranteed to be parseable).

diff --git a/vendor/knative.dev/serving/AUTHORS b/vendor/knative.dev/serving/AUTHORS
diff --git a/vendor/knative.dev/serving/pkg/apis/config/features.go b/vendor/knative.dev/serving/pkg/apis/config/features.go
@@ -59,6 +59,7 @@ func defaultFeaturesConfig() *Features {
 		PodSpecNodeSelector:              Disabled,
 		PodSpecRuntimeClassName:          Disabled,
 		PodSpecSecurityContext:           Disabled,
+		PodSpecShareProcessNamespace:     Disabled,
 		PodSpecPriorityClassName:         Disabled,
 		PodSpecSchedulerName:             Disabled,
 		ContainerSpecAddCapabilities:     Disabled,
@@ -91,6 +92,7 @@ func NewFeaturesConfigFromMap(data map[string]string) (*Features, error) {
 		asFlag("kubernetes.podspec-nodeselector", &nc.PodSpecNodeSelector),
 		asFlag("kubernetes.podspec-runtimeclassname", &nc.PodSpecRuntimeClassName),
 		asFlag("kubernetes.podspec-securitycontext", &nc.PodSpecSecurityContext),
+		asFlag("kubernetes.podspec-shareprocessnamespace", &nc.PodSpecShareProcessNamespace),
 		asFlag("kubernetes.podspec-priorityclassname", &nc.PodSpecPriorityClassName),
 		asFlag("kubernetes.podspec-schedulername", &nc.PodSpecSchedulerName),
 		asFlag("kubernetes.containerspec-addcapabilities", &nc.ContainerSpecAddCapabilities),
@@ -127,6 +129,7 @@ type Features struct {
 	PodSpecNodeSelector              Flag
 	PodSpecRuntimeClassName          Flag
 	PodSpecSecurityContext           Flag
+	PodSpecShareProcessNamespace     Flag
 	PodSpecPriorityClassName         Flag
 	PodSpecSchedulerName             Flag
 	ContainerSpecAddCapabilities     Flag