diff --git a/go.mod b/go.mod
index bcc5fc0a2..cc483c73d 100644
--- a/go.mod
+++ b/go.mod
@@ -34,7 +34,7 @@ require (
 k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9
 knative.dev/eventing v0.30.1-0.20220407170245-58865afba92c
 knative.dev/pkg v0.0.0-20240116073220-b488e7be5902
- knative.dev/serving v0.38.6
+ knative.dev/serving v0.39.0
 sigs.k8s.io/yaml v1.4.0
 )
@@ -148,7 +148,7 @@ require (
 k8s.io/gengo v0.0.0-20221011193443-fad74ee6edd9 // indirect
 k8s.io/klog v1.0.0 // indirect
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
- knative.dev/networking v0.0.0-20231012062757-a5958051caf8 // indirect
+ knative.dev/networking v0.0.0-20231017124814-2a7676e912b7 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
diff --git a/go.sum b/go.sum
index 205e1626e..b87ac16e3 100644
--- a/go.sum
+++ b/go.sum
@@ -1927,15 +1927,15 @@ knative.dev/hack v0.0.0-20220224013837-e1785985d364/go.mod h1:PHt8x8yX5Z9pPquBEf knative.dev/hack v0.0.0-20220318020218-14f832e506f8/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI= knative.dev/hack v0.0.0-20220328133751-f06773764ce3/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI= knative.dev/hack/schema v0.0.0-20220328133751-f06773764ce3/go.mod h1:ffjwmdcrH5vN3mPhO8RrF2KfNnbHeCE2C60A+2cv3U0= -knative.dev/networking v0.0.0-20231012062757-a5958051caf8 h1:oZMbAAXyiDZUYoQ4qEjL6uxXrL1xBVfEyQJx8sP0XEg= -knative.dev/networking v0.0.0-20231012062757-a5958051caf8/go.mod h1:XwZwqJoLZR92N6F/sj8lHxttnry/Kiz+OgG8+uVuYn0= +knative.dev/networking v0.0.0-20231017124814-2a7676e912b7 h1:6+1icZuxiZO1paFZ4d/ysKWVG2M4WB7OxNJNyLG0P/E= +knative.dev/networking v0.0.0-20231017124814-2a7676e912b7/go.mod h1:1gcHoIVG47ekQWjkddqRq+/7tWRh+CB9W4k/NAcdRbk= knative.dev/pkg v0.0.0-20220318185521-e6e3cf03d765/go.mod h1:nKJ2L4o7or3j58eqMK843kbIM0SiYnAXXsisfEQECS8= knative.dev/pkg v0.0.0-20220325200448-1f7514acd0c2/go.mod h1:5xt0nzCwxvQ2N4w71smY7pYm5nVrQ8qnRsMinSLVpio= knative.dev/pkg v0.0.0-20240116073220-b488e7be5902 h1:H6+JJN23fhwYWCHY1339sY6uhIyoUwDy1a8dN233fdk= knative.dev/pkg v0.0.0-20240116073220-b488e7be5902/go.mod h1:NYk8mMYoLkO7CQWnNkti4YGGnvLxN6MIDbUvtgeo0C0= knative.dev/reconciler-test v0.0.0-20220328072550-7d32310c9b3a/go.mod h1:wlz1lGyn5fjJYL5PTSL/SOI4xgVpU+q6D4eaa19NsDA= -knative.dev/serving v0.38.6 h1:G4N2dYuMggJf4Cc4ycen/dYjEF1IlyX3zoRpkou/7zI= -knative.dev/serving v0.38.6/go.mod h1:5JIK94q75k2Y09CKpFRMe6Rs12bgCGv25wInPor/XCk= +knative.dev/serving v0.39.0 h1:NVt8WthHmFFMWZ3qpBblXt47del8qqrbCegqwGBVSwk= +knative.dev/serving v0.39.0/go.mod h1:0QIp5mvgWa1oUC2MxMf+Q/JWgG8JhAsSdJKc6iTRlvE= pgregory.net/rapid v0.3.3/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= 
diff --git a/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go b/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go
index 85f69717f..fbd6c155f 100644
--- a/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go
+++ b/vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go
@@ -29,6 +29,7 @@ var (
 IngressClassAnnotationKey,
 CertificateClassAnnotationKey,
 DisableAutoTLSAnnotationKey,
+ DisableExternalDomainTLSAnnotationKey,
 HTTPOptionAnnotationKey,
 IngressClassAnnotationAltKey,
diff --git a/vendor/knative.dev/networking/pkg/apis/networking/register.go b/vendor/knative.dev/networking/pkg/apis/networking/register.go
index f7bdd81d7..e88e9b5c0 100644
--- a/vendor/knative.dev/networking/pkg/apis/networking/register.go
+++ b/vendor/knative.dev/networking/pkg/apis/networking/register.go
@@ -70,11 +70,17 @@ const (
 // DisableAutoTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
 // to indicate that AutoTLS should not be enabled for it.
+ // Deprecated: use DisableExternalDomainTLSAnnotationKey instead.
 DisableAutoTLSAnnotationKey = PublicGroupName + "/disableAutoTLS"
 // DisableAutoTLSAnnotationAltKey is an alternative casing to DisableAutoTLSAnnotationKey
+ // Deprecated: use DisableExternalDomainTLSAnnotationKey instead.
 DisableAutoTLSAnnotationAltKey = PublicGroupName + "/disable-auto-tls"
+ // DisableExternalDomainTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
+ // to indicate that external-domain-tls should not be enabled for it.
+ DisableExternalDomainTLSAnnotationKey = PublicGroupName + "/disable-external-domain-tls"
+
 // HTTPOptionAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
 // to indicate the HTTP option of it.
 HTTPOptionAnnotationKey = PublicGroupName + "/httpOption"
@@ -130,9 +136,15 @@ var (
 CertificateClassAnnotationAltKey,
 }
- DisableAutoTLSAnnotation = kmap.KeyPriority{
+ // Deprecated: use DisableExternalDomainTLSAnnotation instead.
+ DisableAutoTLSAnnotation = DisableExternalDomainTLSAnnotation
+
+ DisableExternalDomainTLSAnnotation = kmap.KeyPriority{
+ // backward compatibility
 DisableAutoTLSAnnotationKey,
 DisableAutoTLSAnnotationAltKey,
+
+ DisableExternalDomainTLSAnnotationKey,
 }
 HTTPProtocolAnnotation = kmap.KeyPriority{
@@ -153,6 +165,9 @@ func GetHTTPProtocol(annotations map[string]string) (val string) {
 return HTTPProtocolAnnotation.Value(annotations)
 }
-func GetDisableAutoTLS(annotations map[string]string) (val string) {
- return DisableAutoTLSAnnotation.Value(annotations)
+// Deprecated: use GetDisableExternalDomainTLS instead.
+var GetDisableAutoTLS = GetDisableExternalDomainTLS
+
+func GetDisableExternalDomainTLS(annotations map[string]string) (val string) {
+ return DisableExternalDomainTLSAnnotation.Value(annotations)
 }
diff --git a/vendor/knative.dev/networking/pkg/config/config.go b/vendor/knative.dev/networking/pkg/config/config.go
index 47cf440cd..028937067 100644
--- a/vendor/knative.dev/networking/pkg/config/config.go
+++ b/vendor/knative.dev/networking/pkg/config/config.go
@@ -25,6 +25,7 @@ import (
 "strings"
 "text/template"
+ corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/utils/lru"
 cm "knative.dev/pkg/configmap"
@@ -69,17 +70,12 @@ const (
 // ServingInternalCertName is the name of secret contains certificates in serving
 // system namespace.
 //
- // Deprecated: ServingInternalCertName is deprecated.
- // (use ServingControlCertName or ServingRoutingCertName instead)
+ // Deprecated: ServingInternalCertName is deprecated. Use ServingRoutingCertName instead.
 ServingInternalCertName = "knative-serving-certs"
 // ServingRoutingCertName is the name of secret contains certificates for Routing data in serving
 // system namespace. (Used by Ingress GWs and Activator)
 ServingRoutingCertName = "routing-serving-certs"
-
- // ServingControlCertName is the name of secret contains certificates for Control data in serving
- // system namespace. (Used by Autoscaler and Ingress control for example)
- ServingControlCertName = "control-serving-certs"
 )
 // Config Keys
@@ -91,8 +87,17 @@ const (
 // AutoTLSKey is the name of the configuration entry
 // that specifies enabling auto-TLS or not.
+ // Deprecated: please use ExternalDomainTLSKey.
 AutoTLSKey = "auto-tls"
+ // ExternalDomainTLSKey is the name of the configuration entry
+ // that specifies if external-domain-tls is enabled or not.
+ ExternalDomainTLSKey = "external-domain-tls"
+
+ // ClusterLocalDomainTLSKey is the name of the configuration entry
+ // that specifies if cluster-local-domain-tls is enabled or not.
+ ClusterLocalDomainTLSKey = "cluster-local-domain-tls"
+
 // DefaultCertificateClassKey is the name of the configuration entry
 // that specifies the default Certificate.
 DefaultCertificateClassKey = "certificate-class"
@@ -133,39 +138,26 @@ const (
 // hostname for a Route's tag.
 TagTemplateKey = "tag-template"
- // InternalEncryptionKey is deprecated and replaced by InternalDataplaneTrustKey and internal-controlplane-trust
 // InternalEncryptionKey is the name of the configuration whether
 // internal traffic is encrypted or not.
+ // Deprecated: please use SystemInternalTLSKey.
 InternalEncryptionKey = "internal-encryption"
- // DataplaneTrustKey is the name of the configuration entry
- // defining the level of trust used for data plane traffic.
- DataplaneTrustKey = "dataplane-trust"
-
- // ControlplaneTrustKey is the name of the configuration entry
- // defining the level of trust used for control plane traffic.
- ControlplaneTrustKey = "controlplane-trust"
+ // SystemInternalTLSKey is the name of the configuration whether
+ // traffic between Knative system components is encrypted or not.
+ SystemInternalTLSKey = "system-internal-tls"
 )
-// HTTPProtocol indicates a type of HTTP endpoint behavior
-// that Knative ingress could take.
-type Trust string
+// EncryptionConfig indicates the encryption configuration
+// used for TLS connections.
+type EncryptionConfig string
 const (
- // TrustDisabled - TLS not used
- TrustDisabled Trust = "disabled"
+ // EncryptionDisabled - TLS not used.
+ EncryptionDisabled EncryptionConfig = "disabled"
- // TrustMinimal - TLS used. We verify that the server is using Knative certificates
- TrustMinimal Trust = "minimal"
-
- // TrustEnabled - TLS used. We verify that the server is using Knative certificates of the right namespace
- TrustEnabled Trust = "enabled"
-
- // TrustMutual - same as TrustEnabled and we also verify the identity of the client.
- TrustMutual Trust = "mutual"
-
- // TrustIdentity - same as TrustMutual and we also add a trusted sender identity to the message.
- TrustIdentity Trust = "identity"
+ // EncryptionEnabled - TLS used. The client verifies the servers certificate.
+ EncryptionEnabled EncryptionConfig = "enabled"
 )
 // HTTPProtocol indicates a type of HTTP endpoint behavior
@@ -243,8 +235,12 @@ type Config struct {
 TagTemplate string
 // AutoTLS specifies if auto-TLS is enabled or not.
+ // Deprecated: please use ExternalDomainTLS instead.
 AutoTLS bool
+ // ExternalDomainTLS specifies if external-domain-tls is enabled or not.
+ ExternalDomainTLS bool
+
 // HTTPProtocol specifics the behavior of HTTP endpoint of Knative
 // ingress.
 HTTPProtocol HTTPProtocol
@@ -292,15 +288,15 @@ type Config struct {
 // not enabled. Defaults to "http".
 DefaultExternalScheme string
- // Deprecated - replaced with InternalDataplaneTrust and InternalControlplaneTrust
 // InternalEncryption specifies whether internal traffic is encrypted or not.
+ // Deprecated: please use SystemInternalTLSKey instead.
 InternalEncryption bool
- // DataplaneTrust specifies the level of trust used for date plane.
- DataplaneTrust Trust
+ // SystemInternalTLS specifies whether knative internal traffic is encrypted or not.
+ SystemInternalTLS EncryptionConfig
- // ControlplaneTrust specifies the level of trust used for control plane.
- ControlplaneTrust Trust
+ // ClusterLocalDomainTLS specifies whether cluster-local traffic is encrypted or not.
+ ClusterLocalDomainTLS EncryptionConfig
 }
 func defaultConfig() *Config {
@@ -310,17 +306,26 @@ func defaultConfig() *Config {
 DomainTemplate: DefaultDomainTemplate,
 TagTemplate: DefaultTagTemplate,
 AutoTLS: false,
+ ExternalDomainTLS: false,
 NamespaceWildcardCertSelector: nil,
 HTTPProtocol: HTTPEnabled,
 AutocreateClusterDomainClaims: false,
 DefaultExternalScheme: "http",
 MeshCompatibilityMode: MeshCompatibilityModeAuto,
 InternalEncryption: false,
- DataplaneTrust: TrustDisabled,
- ControlplaneTrust: TrustDisabled,
+ SystemInternalTLS: EncryptionDisabled,
+ ClusterLocalDomainTLS: EncryptionDisabled,
 }
 }
+// NewConfigFromConfigMap returns a Config for the given configmap
+func NewConfigFromConfigMap(config *corev1.ConfigMap) (*Config, error) {
+ if config == nil {
+ return NewConfigFromMap(nil)
+ }
+ return NewConfigFromMap(config.Data)
+}
+
 // NewConfigFromMap creates a Config from the supplied data.
 func NewConfigFromMap(data map[string]string) (*Config, error) {
 nc := defaultConfig()
@@ -374,12 +379,23 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 }
 templateCache.Add(nc.TagTemplate, t)
+ // external-domain-tls and auto-tls
 if val, ok := data["autoTLS"]; ok {
 nc.AutoTLS = strings.EqualFold(val, "enabled")
 }
 if val, ok := data[AutoTLSKey]; ok {
 nc.AutoTLS = strings.EqualFold(val, "enabled")
 }
+ if val, ok := data[ExternalDomainTLSKey]; ok {
+ nc.ExternalDomainTLS = strings.EqualFold(val, "enabled")
+
+ // The new key takes precedence, but we support compatibility
+ // for code that has not updated to the new field yet.
+ nc.AutoTLS = nc.ExternalDomainTLS
+ } else {
+ // backward compatibility: if the new key is not set, use the value from the old key
+ nc.ExternalDomainTLS = nc.AutoTLS
+ }
 var httpProtocol string
 if val, ok := data["httpProtocol"]; ok {
@@ -401,41 +417,54 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 return nil, fmt.Errorf("httpProtocol %s in config-network ConfigMap is not supported", data[HTTPProtocolKey])
 }
- switch strings.ToLower(data[DataplaneTrustKey]) {
- case "", string(TrustDisabled):
- // If DataplaneTrus is not set in the config-network, default is already
- // set to TrustDisabled.
+ switch strings.ToLower(data[SystemInternalTLSKey]) {
+ case "", string(EncryptionDisabled):
+ // If SystemInternalTLSKey is not set in the config-network, default is already
+ // set to EncryptionDisabled.
 if nc.InternalEncryption {
 // Backward compatibility
- nc.DataplaneTrust = TrustMinimal
+ nc.SystemInternalTLS = EncryptionEnabled
 }
- case string(TrustMinimal):
- nc.DataplaneTrust = TrustMinimal
- case string(TrustEnabled):
- nc.DataplaneTrust = TrustEnabled
- case string(TrustMutual):
- nc.DataplaneTrust = TrustMutual
- case string(TrustIdentity):
- nc.DataplaneTrust = TrustIdentity
+ case string(EncryptionEnabled):
+ nc.SystemInternalTLS = EncryptionEnabled
+
+ // The new key takes precedence, but we support compatibility
+ // for code that has not updated to the new field yet.
+ nc.InternalEncryption = true
 default:
- return nil, fmt.Errorf("DataplaneTrust %q in config-network ConfigMap is not supported", data[DataplaneTrustKey])
+ return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
+ SystemInternalTLSKey, data[SystemInternalTLSKey])
 }
- switch strings.ToLower(data[ControlplaneTrustKey]) {
- case "", string(TrustDisabled):
- // If ControlplaneTrust is not set in the config-network, default is already
- // set to TrustDisabled.
- case string(TrustEnabled):
- nc.ControlplaneTrust = TrustEnabled
- case string(TrustMutual):
- nc.ControlplaneTrust = TrustMutual
+ switch strings.ToLower(data[ClusterLocalDomainTLSKey]) {
+ case "", string(EncryptionDisabled):
+ // If ClusterLocalDomainTLSKey is not set in the config-network, default is already
+ // set to EncryptionDisabled.
+ case string(EncryptionEnabled):
+ nc.ClusterLocalDomainTLS = EncryptionEnabled
 default:
- return nil, fmt.Errorf("ControlplaneTrust %q in config-network ConfigMap is not supported", data[ControlplaneTrustKey])
+ return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
+ ClusterLocalDomainTLSKey, data[ClusterLocalDomainTLSKey])
 }
 return nc, nil
 }
+// InternalTLSEnabled returns whether InternalEncryption is enabled or not.
+// Deprecated: please use SystemInternalTLSEnabled()
+func (c *Config) InternalTLSEnabled() bool {
+ return tlsEnabled(c.SystemInternalTLS)
+}
+
+// SystemInternalTLSEnabled returns whether SystemInternalTLS is enabled or not.
+func (c *Config) SystemInternalTLSEnabled() bool {
+ return tlsEnabled(c.SystemInternalTLS)
+}
+
+func tlsEnabled(encryptionConfig EncryptionConfig) bool {
+ return encryptionConfig == EncryptionEnabled
+}
+
 // GetDomainTemplate returns the golang Template from the config map
 // or panics (the value is validated during CM validation and at
 // this point guaranteed to be parseable).
diff --git a/vendor/knative.dev/serving/AUTHORS b/vendor/knative.dev/serving/AUTHORS
deleted file mode 100644
index f42714c4e..000000000
--- a/vendor/knative.dev/serving/AUTHORS
+++ /dev/null
@@ -1,11 +0,0 @@
-# This is the list of Knative authors for copyright purposes.
-#
-# This does not necessarily list everyone who has contributed code, since in
-# some cases, their employer may be the copyright holder. To see the full list
-# of contributors, see the revision history in source control.
-Google LLC
-Pivotal Software, Inc.
-IBM Corp
-Red Hat, Inc.
-Cisco Systems, Inc.
-VMware, Inc.
diff --git a/vendor/knative.dev/serving/pkg/apis/config/features.go b/vendor/knative.dev/serving/pkg/apis/config/features.go
index 32b7345a8..4e9d0aefd 100644
--- a/vendor/knative.dev/serving/pkg/apis/config/features.go
+++ b/vendor/knative.dev/serving/pkg/apis/config/features.go
@@ -59,6 +59,7 @@ func defaultFeaturesConfig() *Features {
 PodSpecNodeSelector: Disabled,
 PodSpecRuntimeClassName: Disabled,
 PodSpecSecurityContext: Disabled,
+ PodSpecShareProcessNamespace: Disabled,
 PodSpecPriorityClassName: Disabled,
 PodSpecSchedulerName: Disabled,
 ContainerSpecAddCapabilities: Disabled,
@@ -91,6 +92,7 @@ func NewFeaturesConfigFromMap(data map[string]string) (*Features, error) {
 asFlag("kubernetes.podspec-nodeselector", &nc.PodSpecNodeSelector),
 asFlag("kubernetes.podspec-runtimeclassname", &nc.PodSpecRuntimeClassName),
 asFlag("kubernetes.podspec-securitycontext", &nc.PodSpecSecurityContext),
+ asFlag("kubernetes.podspec-shareprocessnamespace", &nc.PodSpecShareProcessNamespace),
 asFlag("kubernetes.podspec-priorityclassname", &nc.PodSpecPriorityClassName),
 asFlag("kubernetes.podspec-schedulername", &nc.PodSpecSchedulerName),
 asFlag("kubernetes.containerspec-addcapabilities", &nc.ContainerSpecAddCapabilities),
@@ -127,6 +129,7 @@ type Features struct {
 PodSpecNodeSelector Flag
 PodSpecRuntimeClassName Flag
 PodSpecSecurityContext Flag
+ PodSpecShareProcessNamespace Flag
 PodSpecPriorityClassName Flag
 PodSpecSchedulerName Flag
 ContainerSpecAddCapabilities Flag
diff --git a/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go b/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go
index 1d4dd77eb..769370d76 100644
--- a/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go
+++ b/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go
@@ -245,6 +245,9 @@ func PodSpecMask(ctx context.Context, in *corev1.PodSpec) *corev1.PodSpec {
 // This is further validated in ValidatePodSecurityContext.
 out.SecurityContext = in.SecurityContext
 }
+ if cfg.Features.PodSpecShareProcessNamespace != config.Disabled {
+ out.ShareProcessNamespace = in.ShareProcessNamespace
+ }
 if cfg.Features.PodSpecPriorityClassName != config.Disabled {
 out.PriorityClassName = in.PriorityClassName
 }
@@ -270,7 +273,6 @@ func PodSpecMask(ctx context.Context, in *corev1.PodSpec) *corev1.PodSpec {
 out.HostNetwork = false
 out.HostPID = false
 out.HostIPC = false
- out.ShareProcessNamespace = nil
 out.Hostname = ""
 out.Subdomain = ""
 out.Priority = nil
@@ -374,6 +376,7 @@ func HandlerMask(in *corev1.ProbeHandler) *corev1.ProbeHandler {
 out.Exec = in.Exec
 out.HTTPGet = in.HTTPGet
 out.TCPSocket = in.TCPSocket
+ out.GRPC = in.GRPC
 return out
@@ -429,6 +432,22 @@ func TCPSocketActionMask(in *corev1.TCPSocketAction) *corev1.TCPSocketAction {
 return out
 }
+// GRPCActionMask performs a _shallow_ copy of the Kubernetes GRPCAction object to a new
+// Kubernetes GRPCAction object bringing over only the fields allowed in the Knative API. This
+// does not validate the contents or the bounds of the provided fields.
+func GRPCActionMask(in *corev1.GRPCAction) *corev1.GRPCAction {
+ if in == nil {
+ return nil
+ }
+ out := new(corev1.GRPCAction)
+
+ // Allowed fields
+ out.Port = in.Port
+ out.Service = in.Service
+
+ return out
+}
+
 // ContainerPortMask performs a _shallow_ copy of the Kubernetes ContainerPort object to a new
 // Kubernetes ContainerPort object bringing over only the fields allowed in the Knative API. This
 // does not validate the contents or the bounds of the provided fields.
@@ -708,8 +727,14 @@ func CapabilitiesMask(ctx context.Context, in *corev1.Capabilities) *corev1.Capa
 // Allowed fields
 out.Drop = in.Drop
- if config.FromContextOrDefaults(ctx).Features.ContainerSpecAddCapabilities != config.Disabled {
+ if config.FromContextOrDefaults(ctx).Features.ContainerSpecAddCapabilities == config.Enabled {
 out.Add = in.Add
+ } else if config.FromContextOrDefaults(ctx).Features.SecurePodDefaults == config.Enabled {
+ if len(in.Add) == 1 && in.Add[0] == "NET_BIND_SERVICE" {
+ out.Add = in.Add
+ } else {
+ out.Add = nil
+ }
 }
 return out
diff --git a/vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go b/vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go
index efa65a05e..797dfb38a 100644
--- a/vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go
+++ b/vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go
@@ -832,9 +832,13 @@ func validateProbe(p *corev1.Probe, port corev1.ContainerPort) *apis.FieldError
 handlers = append(handlers, "exec")
 errs = errs.Also(apis.CheckDisallowedFields(*h.Exec, *ExecActionMask(h.Exec))).ViaField("exec")
 }
+ if h.GRPC != nil {
+ handlers = append(handlers, "gRPC")
+ errs = errs.Also(apis.CheckDisallowedFields(*h.GRPC, *GRPCActionMask(h.GRPC))).ViaField("grpc")
+ }
 if len(handlers) == 0 {
- errs = errs.Also(apis.ErrMissingOneOf("httpGet", "tcpSocket", "exec"))
+ errs = errs.Also(apis.ErrMissingOneOf("httpGet", "tcpSocket", "exec", "grpc"))
 } else if len(handlers) > 1 {
 errs = errs.Also(apis.ErrMultipleOneOf(handlers...))
 }
diff --git a/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_defaults.go b/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_defaults.go
index 4805f5b1f..2b3f5f2f2 100644
--- a/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_defaults.go
+++ b/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_defaults.go
@@ -143,10 +143,15 @@ func (*RevisionSpec) applyProbes(container *corev1.Container) {
 }
 if container.ReadinessProbe.TCPSocket == nil &&
 container.ReadinessProbe.HTTPGet == nil &&
- container.ReadinessProbe.Exec == nil {
+ container.ReadinessProbe.Exec == nil &&
+ container.ReadinessProbe.GRPC == nil {
 container.ReadinessProbe.TCPSocket = &corev1.TCPSocketAction{}
 }
+ if container.ReadinessProbe.GRPC != nil && container.ReadinessProbe.GRPC.Service == nil {
+ container.ReadinessProbe.GRPC.Service = ptr.String("")
+ }
+
 if container.ReadinessProbe.SuccessThreshold == 0 {
 container.ReadinessProbe.SuccessThreshold = 1
 }
diff --git a/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_helpers.go b/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_helpers.go
index effc22445..e561c7ae6 100644
--- a/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_helpers.go
+++ b/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_helpers.go
@@ -128,11 +128,6 @@ func (r *Revision) GetRoutingStateModified() time.Time {
 return parsed
 }
-// IsReachable returns whether or not the revision can be reached by a route.
-func (r *Revision) IsReachable() bool {
- return RoutingState(r.Labels[serving.RoutingStateLabelKey]) == RoutingStateActive
-}
-
 // GetProtocol returns the app level network protocol.
 func (r *Revision) GetProtocol() net.ProtocolType {
 ports := r.Spec.GetContainer().Ports
diff --git a/vendor/knative.dev/serving/pkg/apis/serving/v1/route_lifecycle.go b/vendor/knative.dev/serving/pkg/apis/serving/v1/route_lifecycle.go
index ba2908cd1..5a75031eb 100644
--- a/vendor/knative.dev/serving/pkg/apis/serving/v1/route_lifecycle.go
+++ b/vendor/knative.dev/serving/pkg/apis/serving/v1/route_lifecycle.go
@@ -174,10 +174,11 @@ func (rs *RouteStatus) MarkCertificateReady(name string) {
 // MarkCertificateNotReady marks the RouteConditionCertificateProvisioned
 // condition to indicate that the Certificate is not ready.
-func (rs *RouteStatus) MarkCertificateNotReady(name string) {
+func (rs *RouteStatus) MarkCertificateNotReady(c *v1alpha1.Certificate) {
+ certificateCondition := c.Status.GetCondition("Ready")
 routeCondSet.Manage(rs).MarkUnknown(RouteConditionCertificateProvisioned,
 "CertificateNotReady",
- "Certificate %s is not ready.", name)
+ "Certificate %s is not ready: %s", c.Name, certificateCondition.GetReason())
 }
 // MarkCertificateNotOwned changes the RouteConditionCertificateProvisioned
@@ -190,10 +191,10 @@ func (rs *RouteStatus) MarkCertificateNotOwned(name string) {
 }
 const (
- // AutoTLSNotEnabledMessage is the message which is set on the
+ // ExternalDomainTLSNotEnabledMessage is the message which is set on the
 // RouteConditionCertificateProvisioned condition when it is set to True
- // because AutoTLS was not enabled.
- AutoTLSNotEnabledMessage = "autoTLS is not enabled"
+ // because external-domain-tls was not enabled.
+ ExternalDomainTLSNotEnabledMessage = "external-domain-tls is not enabled"
 // TLSNotEnabledForClusterLocalMessage is the message which is set on the
 // RouteConditionCertificateProvisioned condition when it is set to True
@@ -202,7 +203,7 @@ const (
 )
 // MarkTLSNotEnabled sets RouteConditionCertificateProvisioned to true when
-// certificate config such as autoTLS is not enabled or private cluster-local service.
+// certificate config such as external-domain-tls is not enabled or private cluster-local service.
 func (rs *RouteStatus) MarkTLSNotEnabled(msg string) {
 routeCondSet.Manage(rs).MarkTrueWithReason(RouteConditionCertificateProvisioned,
 "TLSNotEnabled", msg)
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 44a063063..3a4d5524c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1266,7 +1266,7 @@ knative.dev/eventing/pkg/metrics/source knative.dev/eventing/pkg/observability knative.dev/eventing/pkg/observability/client knative.dev/eventing/pkg/reconciler/source -# knative.dev/networking v0.0.0-20231012062757-a5958051caf8 +# knative.dev/networking v0.0.0-20231017124814-2a7676e912b7 ## explicit; go 1.18 knative.dev/networking/pkg/apis/networking knative.dev/networking/pkg/apis/networking/v1alpha1
@@ -1355,7 +1355,7 @@ knative.dev/pkg/webhook/json knative.dev/pkg/webhook/resourcesemantics knative.dev/pkg/webhook/resourcesemantics/defaulting knative.dev/pkg/webhook/resourcesemantics/validation -# knative.dev/serving v0.38.6 +# knative.dev/serving v0.39.0 ## explicit; go 1.18 knative.dev/serving/pkg/apis/autoscaling knative.dev/serving/pkg/apis/autoscaling/v1alpha1