upgrade to latest dependencies

bumping knative.dev/eventing 16d75a9...b5fd264:
  > b5fd264 Shell executor logs through testing.T in upgrade tests (# 7367)
  > 5848584 [main] Upgrade to latest dependencies (# 7388)
  > 16a3986 Don't override default values when applying partial features.yaml configmap  (# 7379)
  > 4d14c21 Added test for multiple sinks, multiple triggers (# 7350)
  > a261e06 OIDC - Support auto generation of PingSource identity service account and expose in AuthStatus (# 7344)
bumping knative.dev/pkg d6ab729...29775d7:
  > 29775d7 [release-1.12] [CVE-2023-44487] Disable http2 for webhooks (# 2876)
bumping knative.dev/reconciler-test 317033b...e3a9c2e:
  > e3a9c2e Improve error message when deleting resources (# 617)

Signed-off-by: Knative Automation <[email protected]>

go.mod

@@ -35,10 +35,10 @@ require (
 	k8s.io/apiserver v0.27.6
 	k8s.io/client-go v0.27.6
 	k8s.io/utils v0.0.0-20230209194617-a36077c30491
-	knative.dev/eventing v0.38.1-0.20231019094926-16d75a980703
+	knative.dev/eventing v0.38.1-0.20231023152436-b5fd264775b0
 	knative.dev/hack v0.0.0-20231016131700-2c938d4918da
-	knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5
-	knative.dev/reconciler-test v0.0.0-20231019092754-317033b0f02e
+	knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c
+	knative.dev/reconciler-test v0.0.0-20231023113936-e3a9c2e9b06b
 	sigs.k8s.io/controller-runtime v0.12.3
 	sigs.k8s.io/yaml v1.3.0
 )

go.sum

@@ -1251,14 +1251,14 @@ k8s.io/utils v0.0.0-20200912215256-4140de9c8800/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.38.1-0.20231019094926-16d75a980703 h1:JvAE5DCPfOD8Wa8IhrNNOQ0eaSWfQb5Rv+UZ6G8+MLg=
-knative.dev/eventing v0.38.1-0.20231019094926-16d75a980703/go.mod h1:swWS48qpCQbBkj+2iS0rVa7PbQBWLD9YAy3CSHfevaU=
+knative.dev/eventing v0.38.1-0.20231023152436-b5fd264775b0 h1:dRCHnSKwsnqAeQ0TbUdgk12Q5GU/P2P+v/lQ0tyfSfg=
+knative.dev/eventing v0.38.1-0.20231023152436-b5fd264775b0/go.mod h1:a9uzuTLH4ur+Q1wLCqbxIQNcYxeJPRPYBgs3e8lo13Y=
 knative.dev/hack v0.0.0-20231016131700-2c938d4918da h1:xy+fvuz2LDOMsZ5UwXRaMF70NYUs9fsG+EF5/ierYBg=
 knative.dev/hack v0.0.0-20231016131700-2c938d4918da/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5 h1:9AvFZdEtuwKWDcTV1VSwmrgrRR9f38wbIAm+sNwLivQ=
-knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5/go.mod h1:HHRXEd7ZlFpthgE+rwAZ6MUVnuJOAeolnaFSthXloUQ=
-knative.dev/reconciler-test v0.0.0-20231019092754-317033b0f02e h1:lNnU34Bh3xXekvIcpt7fb2GM9XZI1ihoxVHMv4YTuag=
-knative.dev/reconciler-test v0.0.0-20231019092754-317033b0f02e/go.mod h1:0jsKqMXLCIQNdceLuL2SL1LaAZSFtqUY7cLyHt0V2xY=
+knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c h1:xyPoEToTWeBdn6tinhLxXfnhJhTNQt5WzHiTNiFphRw=
+knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c/go.mod h1:HHRXEd7ZlFpthgE+rwAZ6MUVnuJOAeolnaFSthXloUQ=
+knative.dev/reconciler-test v0.0.0-20231023113936-e3a9c2e9b06b h1:L43rzmujsuHa2C1SdFdouBd5QBlibgiXIFyY/+luWnU=
+knative.dev/reconciler-test v0.0.0-20231023113936-e3a9c2e9b06b/go.mod h1:0jsKqMXLCIQNdceLuL2SL1LaAZSFtqUY7cLyHt0V2xY=
 pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=

vendor/knative.dev/eventing/pkg/apis/feature/features.go

@@ -51,11 +51,29 @@ const (
 // Missing entry in the map means feature is equal to feature not enabled.
 type Flags map[string]Flag
 
+func newDefaults() Flags {
+	return map[string]Flag{
+		KReferenceGroup:     Disabled,
+		DeliveryRetryAfter:  Disabled,
+		DeliveryTimeout:     Enabled,
+		KReferenceMapping:   Disabled,
+		NewTriggerFilters:   Enabled,
+		TransportEncryption: Disabled,
+		OIDCAuthentication:  Disabled,
+		EvenTypeAutoCreate:  Disabled,
+	}
+}
+
 // IsEnabled returns true if the feature is enabled
 func (e Flags) IsEnabled(featureName string) bool {
 	return e != nil && e[featureName] == Enabled
 }
 
+// IsDisabled returns true if the feature is disabled
+func (e Flags) IsDisabled(featureName string) bool {
+	return e != nil && e[featureName] == Disabled
+}
+
 // IsAllowed returns true if the feature is enabled or allowed
 func (e Flags) IsAllowed(featureName string) bool {
 	return e.IsEnabled(featureName) || (e != nil && e[featureName] == Allowed)
@@ -86,7 +104,7 @@ func (e Flags) String() string {
 
 // NewFlagsConfigFromMap creates a Flags from the supplied Map
 func NewFlagsConfigFromMap(data map[string]string) (Flags, error) {
-	flags := Flags{}
+	flags := newDefaults()
 
 	for k, v := range data {
 		if strings.HasPrefix(k, "_") {
@@ -100,12 +118,12 @@ func NewFlagsConfigFromMap(data map[string]string) (Flags, error) {
 			flags[sanitizedKey] = Disabled
 		} else if strings.EqualFold(v, string(Enabled)) {
 			flags[sanitizedKey] = Enabled
-		} else if strings.EqualFold(v, string(Permissive)) {
+		} else if k == TransportEncryption && strings.EqualFold(v, string(Permissive)) {
 			flags[sanitizedKey] = Permissive
-		} else if strings.EqualFold(v, string(Strict)) {
+		} else if k == TransportEncryption && strings.EqualFold(v, string(Strict)) {
 			flags[sanitizedKey] = Strict
 		} else {
-			return Flags{}, fmt.Errorf("cannot parse the boolean flag '%s' = '%s'. Allowed values: [true, false]", k, v)
+			return flags, fmt.Errorf("cannot parse the feature flag '%s' = '%s'", k, v)
 		}
 	}
 

vendor/knative.dev/eventing/pkg/apis/sources/v1/ping_lifecycle.go

@@ -35,11 +35,15 @@ const (
 
 	// PingSourceConditionDeployed has status True when the PingSource has had it's receive adapter deployment created.
 	PingSourceConditionDeployed apis.ConditionType = "Deployed"
+
+	// PingSourceConditionOIDCIdentityCreated has status True when the PingSource has had it's OIDC identity created.
+	PingSourceConditionOIDCIdentityCreated apis.ConditionType = "OIDCIdentityCreated"
 )
 
 var PingSourceCondSet = apis.NewLivingConditionSet(
 	PingSourceConditionSinkProvided,
-	PingSourceConditionDeployed)
+	PingSourceConditionDeployed,
+	PingSourceConditionOIDCIdentityCreated)
 
 const (
 	// PingSourceEventType is the default PingSource CloudEvent type.
@@ -122,3 +126,19 @@ func (s *PingSourceStatus) PropagateDeploymentAvailability(d *appsv1.Deployment)
 		PingSourceCondSet.Manage(s).MarkUnknown(PingSourceConditionDeployed, "DeploymentUnavailable", "The Deployment '%s' is unavailable.", d.Name)
 	}
 }
+
+func (s *PingSourceStatus) MarkOIDCIdentityCreatedSucceeded() {
+	PingSourceCondSet.Manage(s).MarkTrue(PingSourceConditionOIDCIdentityCreated)
+}
+
+func (s *PingSourceStatus) MarkOIDCIdentityCreatedSucceededWithReason(reason, messageFormat string, messageA ...interface{}) {
+	PingSourceCondSet.Manage(s).MarkTrueWithReason(PingSourceConditionOIDCIdentityCreated, reason, messageFormat, messageA...)
+}
+
+func (s *PingSourceStatus) MarkOIDCIdentityCreatedFailed(reason, messageFormat string, messageA ...interface{}) {
+	PingSourceCondSet.Manage(s).MarkFalse(PingSourceConditionOIDCIdentityCreated, reason, messageFormat, messageA...)
+}
+
+func (s *PingSourceStatus) MarkOIDCIdentityCreatedUnknown(reason, messageFormat string, messageA ...interface{}) {
+	PingSourceCondSet.Manage(s).MarkUnknown(PingSourceConditionOIDCIdentityCreated, reason, messageFormat, messageA...)
+}

vendor/knative.dev/eventing/pkg/reconciler/testing/v1/pingsource.go

@@ -18,8 +18,11 @@ package testing
 
 import (
 	"context"
+	"fmt"
 	"time"
 
+	"knative.dev/eventing/pkg/apis/feature"
+
 	"knative.dev/eventing/pkg/reconciler/testing"
 
 	duckv1 "knative.dev/pkg/apis/duck/v1"
@@ -107,3 +110,31 @@ func WithPingSourceDeleted(c *v1.PingSource) {
 	t := metav1.NewTime(time.Unix(1e9, 0))
 	c.SetDeletionTimestamp(&t)
 }
+
+func WithPingSourceOIDCIdentityCreatedSucceeded() PingSourceOption {
+	return func(c *v1.PingSource) {
+		c.Status.MarkOIDCIdentityCreatedSucceeded()
+	}
+}
+
+func WithPingSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled() PingSourceOption {
+	return func(c *v1.PingSource) {
+		c.Status.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "")
+	}
+}
+
+func WithPingSourceOIDCIdentityCreatedFailed(reason, message string) PingSourceOption {
+	return func(c *v1.PingSource) {
+		c.Status.MarkOIDCIdentityCreatedFailed(reason, message)
+	}
+}
+
+func WithPingSourceOIDCServiceAccountName(name string) PingSourceOption {
+	return func(c *v1.PingSource) {
+		if c.Status.Auth == nil {
+			c.Status.Auth = &duckv1.AuthStatus{}
+		}
+
+		c.Status.Auth.ServiceAccountName = &name
+	}
+}

vendor/knative.dev/eventing/test/rekt/features/new_trigger_filters/feature.go

@@ -258,3 +258,84 @@ func AllFilterFeature(brokerName string) *feature.Feature {
 
 	return f
 }
+
+func MultipleTriggersAndSinksFeature(brokerName string) *feature.Feature {
+	f := feature.NewFeature()
+
+	eventContextsFirstSink := []CloudEventsContext{
+		{
+			eventType:     "type1",
+			shouldDeliver: true,
+		},
+		{
+			eventType:     "both.should.match",
+			shouldDeliver: true,
+		},
+		{
+			eventType:     "type2",
+			shouldDeliver: false,
+		},
+		{
+			eventType:     "type3",
+			shouldDeliver: false,
+		},
+	}
+
+	filtersFirstTrigger := []eventingv1.SubscriptionsAPIFilter{
+		{
+			Any: []eventingv1.SubscriptionsAPIFilter{
+				{
+					Exact: map[string]string{
+						"type": "type1",
+					},
+				},
+				{
+					Prefix: map[string]string{
+						"type": "both",
+					},
+				},
+			},
+		},
+	}
+
+	eventContextsSecondSink := []CloudEventsContext{
+		{
+			eventType:     "type1",
+			shouldDeliver: false,
+		},
+		{
+			eventType:     "both.should.match",
+			shouldDeliver: true,
+		},
+		{
+			eventType:     "type2",
+			shouldDeliver: true,
+		},
+		{
+			eventType:     "type3",
+			shouldDeliver: false,
+		},
+	}
+
+	filtersSecondTrigger := []eventingv1.SubscriptionsAPIFilter{
+		{
+			Any: []eventingv1.SubscriptionsAPIFilter{
+				{
+					Exact: map[string]string{
+						"type": "type2",
+					},
+				},
+				{
+					Prefix: map[string]string{
+						"type": "both",
+					},
+				},
+			},
+		},
+	}
+
+	f = newEventFilterFeature(eventContextsFirstSink, filtersFirstTrigger, f, brokerName)
+	f = newEventFilterFeature(eventContextsSecondSink, filtersSecondTrigger, f, brokerName)
+
+	return f
+}

vendor/knative.dev/pkg/webhook/webhook.go

@@ -81,6 +81,17 @@ type Options struct {
 	// ControllerOptions encapsulates options for creating a new controller,
 	// including throttling and stats behavior.
 	ControllerOptions *controller.ControllerOptions
+
+	// EnableHTTP2 enables HTTP2 for webhooks.
+	// Mitigate CVE-2023-44487 by disabling HTTP2 by default until the Go
+	// standard library and golang.org/x/net are fully fixed.
+	// Right now, it is possible for authenticated and unauthenticated users to
+	// hold open HTTP2 connections and consume huge amounts of memory.
+	// See:
+	// * https://github.com/kubernetes/kubernetes/pull/121120
+	// * https://github.com/kubernetes/kubernetes/issues/121197
+	// * https://github.com/golang/go/issues/63417#issuecomment-1758858612
+	EnableHTTP2 bool
 }
 
 // Operation is the verb being operated on
@@ -245,12 +256,19 @@ func (wh *Webhook) Run(stop <-chan struct{}) error {
 		QuietPeriod: wh.Options.GracePeriod,
 	}
 
+	// If TLSNextProto is not nil, HTTP/2 support is not enabled automatically.
+	nextProto := map[string]func(*http.Server, *tls.Conn, http.Handler){}
+	if wh.Options.EnableHTTP2 {
+		nextProto = nil
+	}
+
 	server := &http.Server{
 		ErrorLog:          log.New(&zapWrapper{logger}, "", 0),
 		Handler:           drainer,
 		Addr:              fmt.Sprint(":", wh.Options.Port),
 		TLSConfig:         wh.tlsConfig,
 		ReadHeaderTimeout: time.Minute, //https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6
+		TLSNextProto:      nextProto,
 	}
 
 	var serve = server.ListenAndServe

vendor/knative.dev/reconciler-test/pkg/environment/namespace.go

@@ -122,26 +122,12 @@ func (mr *MagicEnvironment) CreateNamespaceIfNeeded() error {
 			return fmt.Errorf("error copying the image pull Secret: %s", err)
 		}
 
-		for _, secret := range sa.ImagePullSecrets {
-			if secret.Name == mr.imagePullSecretName {
-				return nil
-			}
-		}
-
-		// Prevent overwriting existing imagePullSecrets
-		patch := `[{"op":"add","path":"/imagePullSecrets/-","value":{"name":"` + mr.imagePullSecretName + `"}}]`
-		if len(sa.ImagePullSecrets) == 0 {
-			patch = `[{"op":"add","path":"/imagePullSecrets","value":[{"name":"` + mr.imagePullSecretName + `"}]}]`
-		}
-
-		_, err = c.CoreV1().ServiceAccounts(mr.namespace).Patch(context.Background(), sa.Name, types.JSONPatchType,
-			[]byte(patch), metav1.PatchOptions{})
+		_, err = c.CoreV1().ServiceAccounts(mr.namespace).Patch(context.Background(), sa.Name, types.StrategicMergePatchType,
+			[]byte(`{"imagePullSecrets":[{"name":"`+mr.imagePullSecretName+`"}]}`), metav1.PatchOptions{})
 		if err != nil {
-			return fmt.Errorf("patch failed on NS/SA (%s/%s): %w",
-				mr.namespace, sa.Name, err)
+			return fmt.Errorf("patch failed on NS/SA (%s/%s): %s", mr.namespace, sa.Name, err)
 		}
 	}
-
 	return nil
 }
 

vendor/knative.dev/reconciler-test/pkg/eventshub/options.go

@@ -202,11 +202,6 @@ func DropEventsResponseHeaders(headers map[string]string) EventsHubOption {
 	)
 }
 
-// OIDCReceiverAudience sets the expected audience for received OIDC tokens on the receiver side
-func OIDCReceiverAudience(aud string) EventsHubOption {
-	return compose(envOption(OIDCReceiverAudienceEnv, aud), envOIDCEnabled())
-}
-
 // --- Sender options
 
 // InitialSenderDelay defines how much the sender has to wait (in millisecond), when started, before start sending events.
@@ -288,11 +283,6 @@ func OIDCInvalidAudience() EventsHubOption {
 	return compose(envOption(OIDCGenerateInvalidAudienceTokenEnv, "true"), envOIDCEnabled())
 }
 
-// OIDCSinkAudience sets the Audience of the Sink
-func OIDCSinkAudience(aud string) EventsHubOption {
-	return oidcSinkAudience(&aud)
-}
-
 func oidcSinkAudience(aud *string) EventsHubOption {
 	if aud != nil && *aud != "" {
 		// if the sink has an audience set, we enable OIDC to get a token added

vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/100-sa.yaml

@@ -17,9 +17,3 @@ kind: ServiceAccount
 metadata:
   name: {{ .name }}
   namespace: {{ .namespace }}
-{{ if .withPullSecrets }}
-imagePullSecrets:
-  {{ range $_, $value := .withPullSecrets.secrets }}
-  - name: {{ $value }}
-  {{ end }}
-{{ end }}

vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/101-rbac.yaml

@@ -45,20 +45,3 @@ subjects:
   - kind: ServiceAccount
     name: {{ .name }}
     namespace: {{ .namespace }}
-
-{{ if and .withOIDCAuth .isReceiver }}
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ .name }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator # e.g. to do a token review
-subjects:
-  - kind: ServiceAccount
-    name: {{ .name }}
-    namespace: {{ .namespace }}
-{{ end }}