upgrade to latest dependencies

bumping knative.dev/hack f2f9b6f...1588988:
  > 1588988 Update community files (# 327)
bumping knative.dev/pkg 833dd97...d0a82f9:
  > d0a82f9 Update community files (# 2850)
bumping knative.dev/networking c1cae21...53ba1f4:
  > 53ba1f4 Rename cluster.local to avoid issues with config validation webhook (# 872)
  > 97dab15 upgrade to latest dependencies (# 870)
  > 463dc38 Cleanup SAN constants and Secrets Keys for system-internal-tls certificates (# 861)
  > 05d0964 Align the encryption flags (# 858)
bumping knative.dev/eventing 402f6ac...18e17ac:
  > 18e17ac [main] Update community files (# 7337)
  > 7b3afa0 Optimized the exact filter performance (# 7311)
  > e40037b Prefix filter optimizations (# 7309)
  > 8d2330c Update Kubernetes min version in KinD e2e tests to 1.26.6 (# 7332)
bumping knative.dev/serving b66b185...c183543:
  > c183543 internal encryption e2e tests (# 14092)
  > 3eb979a Update overlay-config for tests (# 14478)
  > 3cafe59 Update certificates and SANs used in Serving (# 14472)

Signed-off-by: Knative Automation <[email protected]>

go.mod

@@ -13,10 +13,10 @@ require (
 	k8s.io/api v0.27.6
 	k8s.io/apimachinery v0.27.6
 	k8s.io/client-go v0.27.6
-	knative.dev/eventing v0.38.1-0.20231004152306-402f6acbe992
-	knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263
-	knative.dev/pkg v0.0.0-20231003141102-833dd976f13d
-	knative.dev/serving v0.38.1-0.20231004014018-b66b18545146
+	knative.dev/eventing v0.38.1-0.20231006131052-18e17ac3d531
+	knative.dev/hack v0.0.0-20231006131420-158898889ae8
+	knative.dev/pkg v0.0.0-20231006130804-d0a82f9cbb8f
+	knative.dev/serving v0.38.1-0.20231006062611-c183543ab17e
 )
 
 require (
@@ -101,7 +101,7 @@ require (
 	k8s.io/klog/v2 v2.90.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
 	k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect
-	knative.dev/networking v0.0.0-20230927121431-c1cae210daec // indirect
+	knative.dev/networking v0.0.0-20231004065302-53ba1f44ef7a // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect

go.sum

@@ -776,16 +776,16 @@ k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5F
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.38.1-0.20231004152306-402f6acbe992 h1:+ff0CSX6Y4rGHps9IQ7KiPDRhG43CzrQFcsnbJ/LiHA=
-knative.dev/eventing v0.38.1-0.20231004152306-402f6acbe992/go.mod h1:OaXBKpWXqAvn5U8i0Ey9zt9W22w0ddSlhqHlnpfYWK4=
-knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263 h1:e6r9J1YopzSh6tDCpyKhVBfRUlZ2r0KRo9wupRjdRF4=
-knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/networking v0.0.0-20230927121431-c1cae210daec h1:FuApkAE1QhvChCQDR3yziqdsZ+LiEM0ZxTdI0qKIMrA=
-knative.dev/networking v0.0.0-20230927121431-c1cae210daec/go.mod h1:U9yqeTf2NtTY5aexYLbE4LAoIt/FAsnoERbnejJKlgI=
-knative.dev/pkg v0.0.0-20231003141102-833dd976f13d h1:EcUwMwxqa1/4lhh0Hm5lc9h3ohUckHzKofG8ZAPZlbk=
-knative.dev/pkg v0.0.0-20231003141102-833dd976f13d/go.mod h1:PxnS8ZnVtC0S+An+NEhrpzWt6k9hedDNt659Gu5EtJk=
-knative.dev/serving v0.38.1-0.20231004014018-b66b18545146 h1:3F0daPkVr3UAdurm5ea412yugj8rKPi+mUGlT2kSPmI=
-knative.dev/serving v0.38.1-0.20231004014018-b66b18545146/go.mod h1:W8uFQIUiKeP7n9+t+BsfR2cedKLvQO75XlQiot3oiHE=
+knative.dev/eventing v0.38.1-0.20231006131052-18e17ac3d531 h1:KdqIaLth8iRwof3TUnJ7n4DFGMrejgpB/qZagcqJY6g=
+knative.dev/eventing v0.38.1-0.20231006131052-18e17ac3d531/go.mod h1:OaXBKpWXqAvn5U8i0Ey9zt9W22w0ddSlhqHlnpfYWK4=
+knative.dev/hack v0.0.0-20231006131420-158898889ae8 h1:wz+G++v1u11IuFHX0ip3a849zLnEoj2vDJYxoy37Fr8=
+knative.dev/hack v0.0.0-20231006131420-158898889ae8/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
+knative.dev/networking v0.0.0-20231004065302-53ba1f44ef7a h1:Q31AcykUUn/EcDFLt4citbeN8W7sxHenX1YG8l+urcE=
+knative.dev/networking v0.0.0-20231004065302-53ba1f44ef7a/go.mod h1:LAT8cu/PGOtik5ABZhhl6h45QrNRXj0uqlpIP0dmLnU=
+knative.dev/pkg v0.0.0-20231006130804-d0a82f9cbb8f h1:yAp7wEM3EAZ3hrQ/QgxS2OR9muX/Nywxnld9n/t7fkc=
+knative.dev/pkg v0.0.0-20231006130804-d0a82f9cbb8f/go.mod h1:PxnS8ZnVtC0S+An+NEhrpzWt6k9hedDNt659Gu5EtJk=
+knative.dev/serving v0.38.1-0.20231006062611-c183543ab17e h1:C8vXVTPbdEg01XwZxjajLLPBgcQcXEDST0vhsi2IFeA=
+knative.dev/serving v0.38.1-0.20231006062611-c183543ab17e/go.mod h1:UvbR1b2b9QKgOIA+4QxmjvHfQH5miQbfgwzzDbKAaoQ=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

vendor/knative.dev/networking/pkg/apis/networking/metadata_validation.go

@@ -29,6 +29,7 @@ var (
 		IngressClassAnnotationKey,
 		CertificateClassAnnotationKey,
 		DisableAutoTLSAnnotationKey,
+		DisableExternalDomainTLSAnnotationKey,
 		HTTPOptionAnnotationKey,
 
 		IngressClassAnnotationAltKey,

vendor/knative.dev/networking/pkg/apis/networking/register.go

@@ -70,11 +70,17 @@ const (
 
 	// DisableAutoTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
 	// to indicate that AutoTLS should not be enabled for it.
+	// Deprecated: use DisableExternalDomainTLSAnnotationKey instead.
 	DisableAutoTLSAnnotationKey = PublicGroupName + "/disableAutoTLS"
 
 	// DisableAutoTLSAnnotationAltKey is an alternative casing to DisableAutoTLSAnnotationKey
+	// Deprecated: use DisableExternalDomainTLSAnnotationKey instead.
 	DisableAutoTLSAnnotationAltKey = PublicGroupName + "/disable-auto-tls"
 
+	// DisableExternalDomainTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
+	// to indicate that external-domain-tls should not be enabled for it.
+	DisableExternalDomainTLSAnnotationKey = PublicGroupName + "/disable-external-domain-tls"
+
 	// HTTPOptionAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
 	// to indicate the HTTP option of it.
 	HTTPOptionAnnotationKey = PublicGroupName + "/httpOption"
@@ -130,9 +136,15 @@ var (
 		CertificateClassAnnotationAltKey,
 	}
 
-	DisableAutoTLSAnnotation = kmap.KeyPriority{
+	// Deprecated: use DisableExternalDomainTLSAnnotation instead.
+	DisableAutoTLSAnnotation = DisableExternalDomainTLSAnnotation
+
+	DisableExternalDomainTLSAnnotation = kmap.KeyPriority{
+		// backward compatibility
 		DisableAutoTLSAnnotationKey,
 		DisableAutoTLSAnnotationAltKey,
+
+		DisableExternalDomainTLSAnnotationKey,
 	}
 
 	HTTPProtocolAnnotation = kmap.KeyPriority{
@@ -153,6 +165,9 @@ func GetHTTPProtocol(annotations map[string]string) (val string) {
 	return HTTPProtocolAnnotation.Value(annotations)
 }
 
-func GetDisableAutoTLS(annotations map[string]string) (val string) {
-	return DisableAutoTLSAnnotation.Value(annotations)
+// Deprecated: use GetDisableExternalDomainTLS instead.
+var GetDisableAutoTLS = GetDisableExternalDomainTLS
+
+func GetDisableExternalDomainTLS(annotations map[string]string) (val string) {
+	return DisableExternalDomainTLSAnnotation.Value(annotations)
 }

vendor/knative.dev/networking/pkg/config/config.go

@@ -70,17 +70,12 @@ const (
 	// ServingInternalCertName is the name of secret contains certificates in serving
 	// system namespace.
 	//
-	// Deprecated: ServingInternalCertName is deprecated.
-	// (use ServingControlCertName or ServingRoutingCertName instead)
+	// Deprecated: ServingInternalCertName is deprecated. Use ServingRoutingCertName instead.
 	ServingInternalCertName = "knative-serving-certs"
 
 	// ServingRoutingCertName is the name of secret contains certificates for Routing data in serving
 	// system namespace. (Used by Ingress GWs and Activator)
 	ServingRoutingCertName = "routing-serving-certs"
-
-	// ServingControlCertName is the name of secret contains certificates for Control data in serving
-	// system namespace. (Used by Autoscaler and Ingress control for example)
-	ServingControlCertName = "control-serving-certs"
 )
 
 // Config Keys
@@ -92,8 +87,17 @@ const (
 
 	// AutoTLSKey is the name of the configuration entry
 	// that specifies enabling auto-TLS or not.
+	// Deprecated: please use ExternalDomainTLSKey.
 	AutoTLSKey = "auto-tls"
 
+	// ExternalDomainTLSKey is the name of the configuration entry
+	// that specifies if external-domain-tls is enabled or not.
+	ExternalDomainTLSKey = "external-domain-tls"
+
+	// ClusterLocalDomainTLSKey is the name of the configuration entry
+	// that specifies if cluster-local-domain-tls is enabled or not.
+	ClusterLocalDomainTLSKey = "cluster-local-domain-tls"
+
 	// DefaultCertificateClassKey is the name of the configuration entry
 	// that specifies the default Certificate.
 	DefaultCertificateClassKey = "certificate-class"
@@ -134,39 +138,26 @@ const (
 	// hostname for a Route's tag.
 	TagTemplateKey = "tag-template"
 
-	// InternalEncryptionKey is deprecated and replaced by InternalDataplaneTrustKey and ControlplaneTrustKey.
 	// InternalEncryptionKey is the name of the configuration whether
 	// internal traffic is encrypted or not.
+	// Deprecated: please use SystemInternalTLSKey.
 	InternalEncryptionKey = "internal-encryption"
 
-	// DataplaneTrustKey is the name of the configuration entry
-	// defining the level of trust used for data plane traffic.
-	DataplaneTrustKey = "dataplane-trust"
-
-	// ControlplaneTrustKey is the name of the configuration entry
-	// defining the level of trust used for control plane traffic.
-	ControlplaneTrustKey = "controlplane-trust"
+	// SystemInternalTLSKey is the name of the configuration whether
+	// traffic between Knative system components is encrypted or not.
+	SystemInternalTLSKey = "system-internal-tls"
 )
 
-// HTTPProtocol indicates a type of HTTP endpoint behavior
-// that Knative ingress could take.
-type Trust string
+// EncryptionConfig indicates the encryption configuration
+// used for TLS connections.
+type EncryptionConfig string
 
 const (
-	// TrustDisabled - TLS not used
-	TrustDisabled Trust = "disabled"
-
-	// TrustMinimal - TLS used. We verify that the server is using Knative certificates
-	TrustMinimal Trust = "minimal"
+	// EncryptionDisabled - TLS not used.
+	EncryptionDisabled EncryptionConfig = "disabled"
 
-	// TrustEnabled - TLS used. We verify that the server is using Knative certificates of the right namespace
-	TrustEnabled Trust = "enabled"
-
-	// TrustMutual - same as TrustEnabled and we also verify the identity of the client.
-	TrustMutual Trust = "mutual"
-
-	// TrustIdentity - same as TrustMutual and we also add a trusted sender identity to the message.
-	TrustIdentity Trust = "identity"
+	// EncryptionEnabled - TLS used. The client verifies the servers certificate.
+	EncryptionEnabled EncryptionConfig = "enabled"
 )
 
 // HTTPProtocol indicates a type of HTTP endpoint behavior
@@ -244,8 +235,12 @@ type Config struct {
 	TagTemplate string
 
 	// AutoTLS specifies if auto-TLS is enabled or not.
+	// Deprecated: please use ExternalDomainTLS instead.
 	AutoTLS bool
 
+	// ExternalDomainTLS specifies if external-domain-tls is enabled or not.
+	ExternalDomainTLS bool
+
 	// HTTPProtocol specifics the behavior of HTTP endpoint of Knative
 	// ingress.
 	HTTPProtocol HTTPProtocol
@@ -293,15 +288,15 @@ type Config struct {
 	// not enabled. Defaults to "http".
 	DefaultExternalScheme string
 
-	// Deprecated - replaced with InternalDataplaneTrust and InternalControlplaneTrust
 	// InternalEncryption specifies whether internal traffic is encrypted or not.
+	// Deprecated: please use SystemInternalTLSKey instead.
 	InternalEncryption bool
 
-	// DataplaneTrust specifies the level of trust used for date plane.
-	DataplaneTrust Trust
+	// SystemInternalTLS specifies whether knative internal traffic is encrypted or not.
+	SystemInternalTLS EncryptionConfig
 
-	// ControlplaneTrust specifies the level of trust used for control plane.
-	ControlplaneTrust Trust
+	// ClusterLocalDomainTLS specifies whether cluster-local traffic is encrypted or not.
+	ClusterLocalDomainTLS EncryptionConfig
 }
 
 func defaultConfig() *Config {
@@ -311,14 +306,15 @@ func defaultConfig() *Config {
 		DomainTemplate:                DefaultDomainTemplate,
 		TagTemplate:                   DefaultTagTemplate,
 		AutoTLS:                       false,
+		ExternalDomainTLS:             false,
 		NamespaceWildcardCertSelector: nil,
 		HTTPProtocol:                  HTTPEnabled,
 		AutocreateClusterDomainClaims: false,
 		DefaultExternalScheme:         "http",
 		MeshCompatibilityMode:         MeshCompatibilityModeAuto,
 		InternalEncryption:            false,
-		DataplaneTrust:                TrustDisabled,
-		ControlplaneTrust:             TrustDisabled,
+		SystemInternalTLS:             EncryptionDisabled,
+		ClusterLocalDomainTLS:         EncryptionDisabled,
 	}
 }
 
@@ -383,12 +379,23 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 	}
 	templateCache.Add(nc.TagTemplate, t)
 
+	// external-domain-tls and auto-tls
 	if val, ok := data["autoTLS"]; ok {
 		nc.AutoTLS = strings.EqualFold(val, "enabled")
 	}
 	if val, ok := data[AutoTLSKey]; ok {
 		nc.AutoTLS = strings.EqualFold(val, "enabled")
 	}
+	if val, ok := data[ExternalDomainTLSKey]; ok {
+		nc.ExternalDomainTLS = strings.EqualFold(val, "enabled")
+
+		// The new key takes precedence, but we support compatibility
+		// for code that has not updated to the new field yet.
+		nc.AutoTLS = nc.ExternalDomainTLS
+	} else {
+		// backward compatibility: if the new key is not set, use the value from the old key
+		nc.ExternalDomainTLS = nc.AutoTLS
+	}
 
 	var httpProtocol string
 	if val, ok := data["httpProtocol"]; ok {
@@ -410,52 +417,52 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 		return nil, fmt.Errorf("httpProtocol %s in config-network ConfigMap is not supported", data[HTTPProtocolKey])
 	}
 
-	switch strings.ToLower(data[DataplaneTrustKey]) {
-	case "", string(TrustDisabled):
-		// If DataplaneTrus is not set in the config-network, default is already
-		// set to TrustDisabled.
+	switch strings.ToLower(data[SystemInternalTLSKey]) {
+	case "", string(EncryptionDisabled):
+		// If SystemInternalTLSKey is not set in the config-network, default is already
+		// set to EncryptionDisabled.
 		if nc.InternalEncryption {
 			// Backward compatibility
-			nc.DataplaneTrust = TrustMinimal
+			nc.SystemInternalTLS = EncryptionEnabled
 		}
-	case string(TrustMinimal):
-		nc.DataplaneTrust = TrustMinimal
-	case string(TrustEnabled):
-		nc.DataplaneTrust = TrustEnabled
-	case string(TrustMutual):
-		nc.DataplaneTrust = TrustMutual
-	case string(TrustIdentity):
-		nc.DataplaneTrust = TrustIdentity
+	case string(EncryptionEnabled):
+		nc.SystemInternalTLS = EncryptionEnabled
+
+		// The new key takes precedence, but we support compatibility
+		// for code that has not updated to the new field yet.
+		nc.InternalEncryption = true
 	default:
-		return nil, fmt.Errorf("DataplaneTrust %q in config-network ConfigMap is not supported", data[DataplaneTrustKey])
+		return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
+			SystemInternalTLSKey, data[SystemInternalTLSKey])
 	}
 
-	switch strings.ToLower(data[ControlplaneTrustKey]) {
-	case "", string(TrustDisabled):
-		// If ControlplaneTrust is not set in the config-network, default is already
-		// set to TrustDisabled.
-	case string(TrustEnabled):
-		nc.ControlplaneTrust = TrustEnabled
-	case string(TrustMutual):
-		nc.ControlplaneTrust = TrustMutual
+	switch strings.ToLower(data[ClusterLocalDomainTLSKey]) {
+	case "", string(EncryptionDisabled):
+		// If ClusterLocalDomainTLSKey is not set in the config-network, default is already
+		// set to EncryptionDisabled.
+	case string(EncryptionEnabled):
+		nc.ClusterLocalDomainTLS = EncryptionEnabled
 	default:
-		return nil, fmt.Errorf("ControlplaneTrust %q in config-network ConfigMap is not supported", data[ControlplaneTrustKey])
+		return nil, fmt.Errorf("%s with value: %q in config-network ConfigMap is not supported",
+			ClusterLocalDomainTLSKey, data[ClusterLocalDomainTLSKey])
 	}
 
 	return nc, nil
 }
 
-// InternalTLSEnabled returns whether or not InternalEncyrption is enabled.
-// Currently only DataplaneTrust is considered.
+// InternalTLSEnabled returns whether InternalEncryption is enabled or not.
+// Deprecated: please use SystemInternalTLSEnabled()
 func (c *Config) InternalTLSEnabled() bool {
-	return tlsEnabled(c.DataplaneTrust)
+	return tlsEnabled(c.SystemInternalTLS)
+}
+
+// SystemInternalTLSEnabled returns whether SystemInternalTLS is enabled or not.
+func (c *Config) SystemInternalTLSEnabled() bool {
+	return tlsEnabled(c.SystemInternalTLS)
 }
 
-func tlsEnabled(trust Trust) bool {
-	return trust == TrustMinimal ||
-		trust == TrustEnabled ||
-		trust == TrustMutual ||
-		trust == TrustIdentity
+func tlsEnabled(encryptionConfig EncryptionConfig) bool {
+	return encryptionConfig == EncryptionEnabled
 }
 
 // GetDomainTemplate returns the golang Template from the config map

vendor/modules.txt

@@ -964,7 +964,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/eventing v0.38.1-0.20231004152306-402f6acbe992
+# knative.dev/eventing v0.38.1-0.20231006131052-18e17ac3d531
 ## explicit; go 1.19
 knative.dev/eventing/pkg/adapter/v2
 knative.dev/eventing/pkg/adapter/v2/util/crstatusevent
@@ -1010,15 +1010,15 @@ knative.dev/eventing/pkg/observability
 knative.dev/eventing/pkg/observability/client
 knative.dev/eventing/pkg/reconciler/resources
 knative.dev/eventing/pkg/reconciler/source
-# knative.dev/hack v0.0.0-20230926181829-f2f9b6f91263
+# knative.dev/hack v0.0.0-20231006131420-158898889ae8
 ## explicit; go 1.18
 knative.dev/hack
-# knative.dev/networking v0.0.0-20230927121431-c1cae210daec
+# knative.dev/networking v0.0.0-20231004065302-53ba1f44ef7a
 ## explicit; go 1.18
 knative.dev/networking/pkg/apis/networking
 knative.dev/networking/pkg/apis/networking/v1alpha1
 knative.dev/networking/pkg/config
-# knative.dev/pkg v0.0.0-20231003141102-833dd976f13d
+# knative.dev/pkg v0.0.0-20231006130804-d0a82f9cbb8f
 ## explicit; go 1.18
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck
@@ -1071,7 +1071,7 @@ knative.dev/pkg/tracker
 knative.dev/pkg/version
 knative.dev/pkg/webhook
 knative.dev/pkg/webhook/certificates/resources
-# knative.dev/serving v0.38.1-0.20231004014018-b66b18545146
+# knative.dev/serving v0.38.1-0.20231006062611-c183543ab17e
 ## explicit; go 1.18
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1