Updates from April 17

Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>

go.mod

@@ -39,9 +39,9 @@ require (
 	github.com/davecgh/go-spew v1.1.1
 	github.com/google/gofuzz v1.2.0
 	github.com/kedacore/keda/v2 v2.8.1
-	knative.dev/eventing v0.36.1-0.20230414134751-a5b4810a24b0
+	knative.dev/eventing v0.36.1-0.20230417052154-d7fe38f04b29
 	knative.dev/hack v0.0.0-20230412013450-4b3f2300c1ad
-	knative.dev/pkg v0.0.0-20230413131852-ce10b064f603
+	knative.dev/pkg v0.0.0-20230414154551-53f04b373cc9
 	knative.dev/reconciler-test v0.0.0-20230413132853-06956b6259d6
 	sigs.k8s.io/controller-runtime v0.12.3
 )

go.sum

@@ -1518,12 +1518,12 @@ k8s.io/utils v0.0.0-20200912215256-4140de9c8800/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.36.1-0.20230414134751-a5b4810a24b0 h1:fhVP6QyjYRyBVx7IUKEwWRcBOw6LYkuxJ7mgkt0fIRU=
-knative.dev/eventing v0.36.1-0.20230414134751-a5b4810a24b0/go.mod h1:vEQ32TrhYNoafRkuw4wxIyb5wSQ65yfejCfS611jmI8=
+knative.dev/eventing v0.36.1-0.20230417052154-d7fe38f04b29 h1:t4nmia2ac2DCplswiNdiEypptp430FDYpG/l0v3CEgs=
+knative.dev/eventing v0.36.1-0.20230417052154-d7fe38f04b29/go.mod h1:JSLxUv1myIkTh+TKRiwa8znODao1X+jndy12KfWYyqI=
 knative.dev/hack v0.0.0-20230412013450-4b3f2300c1ad h1:+5MpC265m9pjmJl+popG9XO9G1l+Rq1py9ldqBHwA68=
 knative.dev/hack v0.0.0-20230412013450-4b3f2300c1ad/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/pkg v0.0.0-20230413131852-ce10b064f603 h1:vBKLFZmoi5hniD9Fi5lVbxnrO8DLeIhBRDXgRB+cqAo=
-knative.dev/pkg v0.0.0-20230413131852-ce10b064f603/go.mod h1:Xa/jM3LpUnfQabS0kKR9sMTaDn4absCVvwkdNlwRwHc=
+knative.dev/pkg v0.0.0-20230414154551-53f04b373cc9 h1:ZozlfXh+jwr+KE/C60thPDOdAVQ3MNRfdsFHbajHIRk=
+knative.dev/pkg v0.0.0-20230414154551-53f04b373cc9/go.mod h1:Xa/jM3LpUnfQabS0kKR9sMTaDn4absCVvwkdNlwRwHc=
 knative.dev/reconciler-test v0.0.0-20230413132853-06956b6259d6 h1:zUBZkr9kTSzYBasHZw2WnMcBJy5COZS5Xau9ThmByFo=
 knative.dev/reconciler-test v0.0.0-20230413132853-06956b6259d6/go.mod h1:JwK7KUivj9TX7gJ6SAFfNxhmAfYc45kyASeRT8OG+pM=
 pgregory.net/rapid v0.3.3 h1:jCjBsY4ln4Atz78QoBWxUEvAHaFyNDQg9+WU62aCn1U=

vendor/knative.dev/pkg/metrics/opencensus_exporter.go

@@ -99,7 +99,7 @@ func getCredentials(component string, secret *corev1.Secret, logger *zap.Sugared
 		return nil
 	}
 	return credentials.NewTLS(&tls.Config{
-		MinVersion: tls.VersionTLS12,
+		MinVersion: tls.VersionTLS13,
 		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
 			cert, err := tls.X509KeyPair(secret.Data["client-cert.pem"], secret.Data["client-key.pem"])
 			if err != nil {

vendor/knative.dev/pkg/webhook/env.go

@@ -17,6 +17,7 @@ limitations under the License.
 package webhook
 
 import (
+	"crypto/tls"
 	"fmt"
 	"os"
 	"strconv"
@@ -29,6 +30,8 @@ const (
 	webhookNameEnvKey = "WEBHOOK_NAME"
 
 	secretNameEnvKey = "WEBHOOK_SECRET_NAME" //nolint:gosec // This is not a hardcoded credential
+
+	tlsMinVersionEnvKey = "WEBHOOK_TLS_MIN_VERSION"
 )
 
 // PortFromEnv returns the webhook port set by portEnvKey, or default port if env var is not set.
@@ -66,3 +69,16 @@ func SecretNameFromEnv(defaultSecretName string) string {
 	}
 	return secret
 }
+
+func TLSMinVersionFromEnv(defaultTLSMinVersion uint16) uint16 {
+	switch tlsMinVersion := os.Getenv(tlsMinVersionEnvKey); tlsMinVersion {
+	case "1.2":
+		return tls.VersionTLS12
+	case "1.3":
+		return tls.VersionTLS13
+	case "":
+		return defaultTLSMinVersion
+	default:
+		panic(fmt.Sprintf("the environment variable %q has to be either '1.2' or '1.3'", tlsMinVersionEnvKey))
+	}
+}

vendor/knative.dev/pkg/webhook/webhook.go

@@ -40,6 +40,10 @@ import (
 
 // Options contains the configuration for the webhook
 type Options struct {
+	// TLSMinVersion contains the minimum TLS version that is acceptable to communicate with the API server.
+	// TLS 1.3 is the minimum version if not specified otherwise.
+	TLSMinVersion uint16
+
 	// ServiceName is the service name of the webhook.
 	ServiceName string
 
@@ -119,6 +123,13 @@ func New(
 		opts.StatsReporter = reporter
 	}
 
+	defaultTLSMinVersion := uint16(tls.VersionTLS13)
+	if opts.TLSMinVersion == 0 {
+		opts.TLSMinVersion = TLSMinVersionFromEnv(defaultTLSMinVersion)
+	} else if opts.TLSMinVersion != tls.VersionTLS12 && opts.TLSMinVersion != tls.VersionTLS13 {
+		return nil, fmt.Errorf("unsupported TLS version: %d", opts.TLSMinVersion)
+	}
+
 	syncCtx, cancel := context.WithCancel(context.Background())
 
 	webhook = &Webhook{
@@ -136,7 +147,7 @@ func New(
 		secretInformer := kubeinformerfactory.Get(ctx).Core().V1().Secrets()
 
 		webhook.tlsConfig = &tls.Config{
-			MinVersion: tls.VersionTLS12,
+			MinVersion: opts.TLSMinVersion,
 
 			// If we return (nil, error) the client sees - 'tls: internal error"
 			// If we return (nil, nil) the client sees - 'tls: no certificates configured'

vendor/modules.txt

@@ -1221,7 +1221,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/eventing v0.36.1-0.20230414134751-a5b4810a24b0
+# knative.dev/eventing v0.36.1-0.20230417052154-d7fe38f04b29
 ## explicit; go 1.18
 knative.dev/eventing/cmd/event_display
 knative.dev/eventing/pkg/apis/config
@@ -1370,7 +1370,7 @@ knative.dev/eventing/test/upgrade/prober/wathola/sender
 ## explicit; go 1.18
 knative.dev/hack
 knative.dev/hack/shell
-# knative.dev/pkg v0.0.0-20230413131852-ce10b064f603
+# knative.dev/pkg v0.0.0-20230414154551-53f04b373cc9
 ## explicit; go 1.18
 knative.dev/pkg/apiextensions/storageversion
 knative.dev/pkg/apiextensions/storageversion/cmd/migrate