Bump k8s version in kind (#825)

* upgrade to latest dependencies

bumping knative.dev/hack f067737...6ffd841:
  > 6ffd841 Update community files (# 168)
  > 02c525c Update community files (# 167)
  > 0e0784b Update community files (# 166)
  > a75ca49 Update community files (# 165)
  > 9c0ea69 Update community files (# 164)
  > c7a1ce1 Update community files (# 163)
bumping knative.dev/networking 55757e9...1145ec5:
  > 1145ec5 upgrade to latest dependencies (# 658)
  > 56c4a3e upgrade to latest dependencies (# 657)
  > c173eed Add certificates config keys in config-network (# 648)
  > f96f8e2 upgrade to latest dependencies (# 655)
  > 224a816 Update actions (# 656)
  > 57ad9cf Update community files (# 654)
  > 88881dd Update community files (# 653)
  > 0d114b7 upgrade to latest dependencies (# 652)
  > 7307ffd Update community files (# 651)
  > 7fa8012 Update community files (# 650)
  > a49d1a2 Update actions (# 649)
  > 5dd0002 Update actions (# 647)
  > dde40b0 drop knative.dev/release label (# 646)
  > 0aef61e Update community files (# 645)
  > 84f7ed6 Update actions (# 644)
  > a1261cd Update community files (# 643)
  > 7e90d10 Update community files (# 642)
  > 09072d9 upgrade to latest dependencies (# 641)
bumping knative.dev/pkg 1f7514a...e325df6:
  > e325df6 upgrade to latest dependencies (# 2490)
  > 00c122e Add genreconcile for ConfigMap (# 2489)
  > 6bb6518 Update actions (# 2488)
  > 5b0e728 drop deprecated eventing repos (# 2463)
  > 75629c8 Update community files (# 2487)
  > ca82d2b Add `NewProxyAutoTLSTransport` and `DialTLSWithBackOff` to support TLS proxy (# 2479)
  > e2b4d74 Update community files (# 2486)
  > 4d62e1d bump our min k8s version to 1.22 (# 2485)
  > 9ae44fe Update community files (# 2484)
  > 29f716f Fix `InitialBuckets()` for statefulSetBuilder's electors (# 2483)
  > 8db11d0 Update community files (# 2482)
  > dcd5d7c bump go version of tekton downstream workflow (# 2481)
  > 0ce1e92 Update actions (# 2480)
  > 4f42bf4 Update actions (# 2478)
  > 7479994 Update actions (# 2477)
  > c2f1f3e Update community files (# 2476)
  > 0a1ec2e upgrade to latest dependencies (# 2474)

Signed-off-by: Knative Automation <[email protected]>

* Bump k8s version in kind

* Use kind 0.11.1

Co-authored-by: Knative Automation <[email protected]>

.github/workflows/kind-e2e-upgrade.yaml

@@ -20,9 +20,8 @@ jobs:
       fail-fast: false # Keep running if one leg fails.
       matrix:
         k8s-version:
-        - v1.21.1
-        - v1.22.0
-        - v1.23.0
+        - v1.22.7
+        - v1.23.5
 
         upstream-traffic:
         - plain
@@ -33,15 +32,13 @@ jobs:
         # This is attempting to make it a bit clearer what's being tested.
         # See: https://github.com/kubernetes-sigs/kind/releases
         include:
-        - k8s-version: v1.21.1
-          kind-version: v0.11.1
-          kind-image-sha: sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
-        - k8s-version: v1.22.0
-          kind-version: v0.11.1
-          kind-image-sha: sha256:f97edf7f7ed53c57762b24f90a34fad101386c5bd4d93baeb45449557148c717
-        - k8s-version: v1.23.0
+        - k8s-version: v1.22.7
+          kind-version: v0.12.0
+          kind-image-sha: sha256:1dfd72d193bf7da64765fd2f2898f78663b9ba366c2aa74be1fd7498a1873166
+
+        - k8s-version: v1.23.5
           kind-version: v0.11.1
-          kind-image-sha: sha256:49824ab1727c04e56a21a5d8372a402fcd32ea51ac96a2706a12af38934f81ac
+          kind-image-sha: sha256:a69c29d3d502635369a5fe92d8e503c09581fcd406ba6598acc5d80ff5ba81b1
 
     env:
       GOPATH: ${{ github.workspace }}

.github/workflows/kind-e2e.yaml

@@ -20,9 +20,8 @@ jobs:
       fail-fast: false # Keep running if one leg fails.
       matrix:
         k8s-version:
-        - v1.21.1
-        - v1.22.0
-        - v1.23.0
+        - v1.22.7
+        - v1.23.5
 
         gateway:
         - quay.io/maistra/proxyv2-ubi8:2.1.0
@@ -37,15 +36,13 @@ jobs:
         # This is attempting to make it a bit clearer what's being tested.
         # See: https://github.com/kubernetes-sigs/kind/releases
         include:
-        - k8s-version: v1.21.1
-          kind-version: v0.11.1
-          kind-image-sha: sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
-        - k8s-version: v1.22.0
-          kind-version: v0.11.1
-          kind-image-sha: sha256:f97edf7f7ed53c57762b24f90a34fad101386c5bd4d93baeb45449557148c717
-        - k8s-version: v1.23.0
+        - k8s-version: v1.22.7
+          kind-version: v0.12.0
+          kind-image-sha: sha256:1dfd72d193bf7da64765fd2f2898f78663b9ba366c2aa74be1fd7498a1873166
+
+        - k8s-version: v1.23.5
           kind-version: v0.11.1
-          kind-image-sha: sha256:49824ab1727c04e56a21a5d8372a402fcd32ea51ac96a2706a12af38934f81ac
+          kind-image-sha: sha256:a69c29d3d502635369a5fe92d8e503c09581fcd406ba6598acc5d80ff5ba81b1
 
     env:
       GOPATH: ${{ github.workspace }}

go.mod

@@ -19,7 +19,7 @@ require (
 	k8s.io/apimachinery v0.23.5
 	k8s.io/client-go v0.23.5
 	k8s.io/code-generator v0.23.5
-	knative.dev/hack v0.0.0-20220328133751-f06773764ce3
-	knative.dev/networking v0.0.0-20220323170318-55757e9c20d6
-	knative.dev/pkg v0.0.0-20220325200448-1f7514acd0c2
+	knative.dev/hack v0.0.0-20220411131823-6ffd8417de7c
+	knative.dev/networking v0.0.0-20220412163509-1145ec58c8be
+	knative.dev/pkg v0.0.0-20220412134708-e325df66cb51
 )

go.sum

@@ -1158,7 +1158,6 @@ k8s.io/gengo v0.0.0-20220307231824-4627b89bbf1b/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAE
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/klog/v2 v2.40.2-0.20220227211518-7ea6d6adb645/go.mod h1:N3kgBtsFxMb4nQ0eBDgbHEt/dtxBuTkSFQ+7K5OUoz4=
 k8s.io/klog/v2 v2.60.1-0.20220317184644-43cc75f9ae89 h1:bUNlsw5yb353zbKMj8srOr6V2Ajhz1VkTKonP1L8r2o=
 k8s.io/klog/v2 v2.60.1-0.20220317184644-43cc75f9ae89/go.mod h1:N3kgBtsFxMb4nQ0eBDgbHEt/dtxBuTkSFQ+7K5OUoz4=
 k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 h1:E3J9oCLlaobFUqsjG9DfKbP2BmgwBL2p7pn0A3dG9W4=
@@ -1167,15 +1166,12 @@ k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 h1:HNSDgDCrr/6Ly3WEGKZftiE7IY19Vz2GdbOCyI4qqhc=
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-knative.dev/hack v0.0.0-20220224013837-e1785985d364/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
-knative.dev/hack v0.0.0-20220318020218-14f832e506f8/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
-knative.dev/hack v0.0.0-20220328133751-f06773764ce3 h1:kXLX7HS7gwQglz+p8ohdxDdO3akLAN+MTfz/B+eUeu4=
-knative.dev/hack v0.0.0-20220328133751-f06773764ce3/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
-knative.dev/networking v0.0.0-20220323170318-55757e9c20d6 h1:3dutSZL6nk/Rt30n0AAq5WfwRJBkHFBHRLdMosDnDh4=
-knative.dev/networking v0.0.0-20220323170318-55757e9c20d6/go.mod h1:tI+j9UGI4eHeinQktrQpHNS0pZ+XII1yF7ZtGyemkm0=
-knative.dev/pkg v0.0.0-20220318133418-7f16595277b2/go.mod h1:nKJ2L4o7or3j58eqMK843kbIM0SiYnAXXsisfEQECS8=
-knative.dev/pkg v0.0.0-20220325200448-1f7514acd0c2 h1:dJ1YKQ1IvCfxtYqS1dHm18VT153ntHi5uJsFVv7oxfc=
-knative.dev/pkg v0.0.0-20220325200448-1f7514acd0c2/go.mod h1:5xt0nzCwxvQ2N4w71smY7pYm5nVrQ8qnRsMinSLVpio=
+knative.dev/hack v0.0.0-20220411131823-6ffd8417de7c h1:aXsFXeky/GccNQxwf72CS4NR3EoqTqsCVNKQnblfwr0=
+knative.dev/hack v0.0.0-20220411131823-6ffd8417de7c/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
+knative.dev/networking v0.0.0-20220412163509-1145ec58c8be h1:MmwR4SfwlXgt/jnjronkTTOKBrwN1mP/VNhHH08pIoc=
+knative.dev/networking v0.0.0-20220412163509-1145ec58c8be/go.mod h1:6OZIUimxPelIIudzHWRd+Lc7ippC5t+DC8CsZKCOjcI=
+knative.dev/pkg v0.0.0-20220412134708-e325df66cb51 h1:4AmaxeY7+r/PYYz3HS9pMY21Mw3ykO6STLFEk2FoJ2s=
+knative.dev/pkg v0.0.0-20220412134708-e325df66cb51/go.mod h1:j2MeD8s+JoCu1vegX80GbRXV/xd20Jm1NznxBYtVXiM=
 pgregory.net/rapid v0.3.3/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=

vendor/knative.dev/networking/config/certificate.yaml

@@ -18,8 +18,8 @@ metadata:
   name: certificates.networking.internal.knative.dev
   labels:
     app.kubernetes.io/name: knative-serving
+    app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:
   group: networking.internal.knative.dev

vendor/knative.dev/networking/config/config-network.yaml

@@ -21,9 +21,8 @@ metadata:
     app.kubernetes.io/name: knative-serving
     app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
   annotations:
-    knative.dev/example-checksum: "7c86cb6a"
+    knative.dev/example-checksum: "d0b91f80"
 data:
   _example: |
     ################################
@@ -189,3 +188,35 @@ data:
     # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
     #       for now. Use with caution.
     activator-san: ""
+
+    # The server certificates to serve the TLS traffic from ingress to activator.
+    # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
+    # Use an empty value to disable the feature (default).
+    #
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+    #       for now. Use with caution.
+    activator-cert-secret: ""
+
+    # The CA public certificate used to sign the queue-proxy TLS certificate.
+    # It is specified by the secret name, which has the "ca.crt" data field.
+    # Use an empty value to disable the feature (default).
+    #
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+    #       for now. Use with caution.
+    queue-proxy-ca: ""
+
+    # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
+    # It must be set when "queue-proxy-ca" is specified.
+    # Use an empty value to disable the feature (default).
+    #
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+    #       for now. Use with caution.
+    queue-proxy-san: ""
+
+    # The server certificates to serve the TLS traffic from activator to queue-proxy.
+    # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
+    # Use an empty value to disable the feature (default).
+    #
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+    #       for now. Use with caution.
+    queue-proxy-cert-secret: ""

vendor/knative.dev/networking/config/domain-claim.yaml

@@ -18,8 +18,8 @@ metadata:
   name: clusterdomainclaims.networking.internal.knative.dev
   labels:
     app.kubernetes.io/name: knative-serving
+    app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:
   group: networking.internal.knative.dev

vendor/knative.dev/networking/config/domain.yaml

@@ -19,7 +19,7 @@ metadata:
   labels:
     app.kubernetes.io/name: knative-serving
     app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
+    app.kubernetes.io/component: networking
     knative.dev/crd-install: "true"
 spec:
   group: networking.internal.knative.dev

vendor/knative.dev/networking/config/ingress.yaml

@@ -18,8 +18,8 @@ metadata:
   name: ingresses.networking.internal.knative.dev
   labels:
     app.kubernetes.io/name: knative-serving
+    app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:
   group: networking.internal.knative.dev

vendor/knative.dev/networking/config/realm.yaml

@@ -18,8 +18,8 @@ metadata:
   name: realms.networking.internal.knative.dev
   labels:
     app.kubernetes.io/name: knative-serving
+    app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:
   group: networking.internal.knative.dev

vendor/knative.dev/networking/config/serverlessservice.yaml

@@ -18,8 +18,8 @@ metadata:
   name: serverlessservices.networking.internal.knative.dev
   labels:
     app.kubernetes.io/name: knative-serving
+    app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:
   group: networking.internal.knative.dev

vendor/knative.dev/networking/pkg/network.go

@@ -196,6 +196,21 @@ const (
 
 	// ActivatorSANKey is the config for the SAN used to validate the activator TLS certificate.
 	ActivatorSANKey = "activator-san"
+
+	// ActivatorCertKey is the config for the secret name, which stores certificates
+	// to serve the TLS traffic from ingress to activator.
+	ActivatorCertKey = "activator-cert-secret"
+
+	// QueueProxyCAKey is the config for the secret name, which stores CA public certificate used
+	// to sign the queue-proxy TLS certificate.
+	QueueProxyCAKey = "queue-proxy-ca"
+
+	// QueueProxySANKey is the config for the SAN used to validate the queue-proxy TLS certificate.
+	QueueProxySANKey = "queue-proxy-san"
+
+	// QueueProxyCertKey is the config for the secret name, which stores certificates
+	// to serve the TLS traffic from activator to queue-proxy.
+	QueueProxyCertKey = "queue-proxy-cert-secret"
 )
 
 // DomainTemplateValues are the available properties people can choose from
@@ -302,6 +317,20 @@ type Config struct {
 	// ActivatorSAN defines the SAN (Subject Alt Name) used to validate the activator TLS certificate.
 	// It is used only when ActivatorCA is specified.
 	ActivatorSAN string
+
+	// ActivatorCertSecret defines the secret name of the server certificates to serve the TLS traffic from ingress to activator.
+	ActivatorCertSecret string
+
+	// QueueProxyCA defines the secret name of the CA public certificate used to sign the queue-proxy TLS certificate.
+	// The traffic to queue-proxy is not encrypted if QueueProxyCA is empty.
+	QueueProxyCA string
+
+	// QueueProxySAN defines the SAN (Subject Alt Name) used to validate the queue-proxy TLS certificate.
+	// It is used only when QueueProxyCA is specified.
+	QueueProxySAN string
+
+	// QueueProxyCertSecret defines the secret name of the server certificates to serve the TLS traffic from activator to queue-proxy.
+	QueueProxyCertSecret string
 }
 
 // HTTPProtocol indicates a type of HTTP endpoint behavior
@@ -359,6 +388,10 @@ func defaultConfig() *Config {
 		MeshCompatibilityMode:         MeshCompatibilityModeAuto,
 		ActivatorCA:                   "",
 		ActivatorSAN:                  "",
+		ActivatorCertSecret:           "",
+		QueueProxyCA:                  "",
+		QueueProxySAN:                 "",
+		QueueProxyCertSecret:          "",
 	}
 }
 
@@ -392,6 +425,10 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 		cm.AsString(DefaultExternalSchemeKey, &nc.DefaultExternalScheme),
 		cm.AsString(ActivatorCAKey, &nc.ActivatorCA),
 		cm.AsString(ActivatorSANKey, &nc.ActivatorSAN),
+		cm.AsString(ActivatorCertKey, &nc.ActivatorCertSecret),
+		cm.AsString(QueueProxyCAKey, &nc.QueueProxyCA),
+		cm.AsString(QueueProxySANKey, &nc.QueueProxySAN),
+		cm.AsString(QueueProxyCertKey, &nc.QueueProxyCertSecret),
 		asMode(MeshCompatibilityModeKey, &nc.MeshCompatibilityMode),
 		asLabelSelector(NamespaceWildcardCertSelectorKey, &nc.NamespaceWildcardCertSelector),
 	); err != nil {
@@ -456,6 +493,14 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 		return nil, fmt.Errorf("%q must be set when %q was set", ActivatorCAKey, ActivatorSANKey)
 	}
 
+	if nc.QueueProxyCA != "" && nc.QueueProxySAN == "" {
+		return nil, fmt.Errorf("%q must be set when %q was set", QueueProxySANKey, QueueProxyCAKey)
+	}
+
+	if nc.QueueProxyCA == "" && nc.QueueProxySAN != "" {
+		return nil, fmt.Errorf("%q must be set when %q was set", QueueProxyCAKey, QueueProxySANKey)
+	}
+
 	return nc, nil
 }
 

vendor/knative.dev/pkg/hack/update-codegen.sh

@@ -51,7 +51,7 @@ EXTERNAL_INFORMER_PKG="k8s.io/client-go/informers" \
     k8s.io/api \
     "${K8S_TYPES}" \
     --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt \
-    --force-genreconciler-kinds "Namespace,Deployment,Secret,Pod,CronJob,NetworkPolicy"
+    --force-genreconciler-kinds "Namespace,ConfigMap,Deployment,Secret,Pod,CronJob,NetworkPolicy"
 
 OUTPUT_PKG="knative.dev/pkg/client/injection/apiextensions" \
 VERSIONED_CLIENTSET_PKG="k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" \

vendor/knative.dev/pkg/leaderelection/context.go

@@ -273,7 +273,7 @@ func (ue *unopposedElector) Run(ctx context.Context) {
 
 func (ue *unopposedElector) InitialBuckets() []reconciler.Bucket {
 	return []reconciler.Bucket{
-		reconciler.UniversalBucket(),
+		ue.bkt,
 	}
 }
 

vendor/knative.dev/pkg/network/h2c.go

@@ -54,3 +54,16 @@ func newH2CTransport(disableCompression bool) http.RoundTripper {
 		},
 	}
 }
+
+// newH2Transport constructs a neew H2 transport. That transport will handles HTTPS traffic
+// with TLS config.
+func newH2Transport(disableCompression bool, tlsConf *tls.Config) http.RoundTripper {
+	return &http2.Transport{
+		DisableCompression: disableCompression,
+		DialTLS: func(netw, addr string, tlsConf *tls.Config) (net.Conn, error) {
+			return DialTLSWithBackOff(context.Background(),
+				netw, addr, tlsConf)
+		},
+		TLSClientConfig: tlsConf,
+	}
+}