upgrade to latest dependencies (#1608)

bumping knative.dev/pkg d6ab729...29775d7: > 29775d7 [release-1.12] [CVE-2023-44487] Disable http2 for webhooks (# 2876) bumping knative.dev/serving cfd806f...2659cc3: > 2659cc3 upgrade to latest dependencies (# 14555) > 2a46d0d upgrade to latest dependencies (# 14546) > 268701d Update net-kourier nightly (# 14549) bumping knative.dev/networking c086340...2a7676e: > 2a7676e upgrade to latest dependencies (# 883) > b6cd712 upgrade to latest dependencies (# 882) > 64434a8 upgrade to latest dependencies (# 881) > fa72cb5 Update community files (# 880) bumping knative.dev/eventing 16a3986...b5fd264: > b5fd264 Shell executor logs through testing.T in upgrade tests (# 7367) > 5848584 [main] Upgrade to latest dependencies (# 7388) Signed-off-by: Knative Automation <automation@knative.team>
knative · Oct 24, 2023 · 25d0c33 · 25d0c33
1 parent fefbd3c
commit 25d0c33
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 16 deletions.
diff --git a/go.mod b/go.mod
@@ -22,10 +22,10 @@ require (
 	k8s.io/code-generator v0.27.6
 	k8s.io/utils v0.0.0-20230209194617-a36077c30491
 	knative.dev/caching v0.0.0-20231017130712-54d0758671ef
-	knative.dev/eventing v0.38.1-0.20231020133954-16a398695622
+	knative.dev/eventing v0.38.1-0.20231023152436-b5fd264775b0
 	knative.dev/hack v0.0.0-20231016131700-2c938d4918da
-	knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5
-	knative.dev/serving v0.38.1-0.20231023130708-cfd806f994ce
+	knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c
+	knative.dev/serving v0.38.1-0.20231023192719-2659cc3aed8e
 	sigs.k8s.io/yaml v1.3.0
 )
 
@@ -138,7 +138,7 @@ require (
 	k8s.io/gengo v0.0.0-20221011193443-fad74ee6edd9 // indirect
 	k8s.io/klog/v2 v2.90.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
-	knative.dev/networking v0.0.0-20231012062439-c0863403c83b // indirect
+	knative.dev/networking v0.0.0-20231017124814-2a7676e912b7 // indirect
 	sigs.k8s.io/controller-runtime v0.7.2 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect

diff --git a/go.sum b/go.sum
@@ -1391,16 +1391,16 @@ k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPB
 k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 knative.dev/caching v0.0.0-20231017130712-54d0758671ef h1:92Gn5HUcgMJ78mbSpkCfUxrCTHHZSnvjURk0YRCbUqo=
 knative.dev/caching v0.0.0-20231017130712-54d0758671ef/go.mod h1:plGN+mIBKRtVxZ0vQeZ3Gt02RIaj0niwIMnQNkQHycw=
-knative.dev/eventing v0.38.1-0.20231020133954-16a398695622 h1:0zVa3WIigc9Le/K1MVPNLjFo3lOs4ADj30EbNrRO820=
-knative.dev/eventing v0.38.1-0.20231020133954-16a398695622/go.mod h1:swWS48qpCQbBkj+2iS0rVa7PbQBWLD9YAy3CSHfevaU=
+knative.dev/eventing v0.38.1-0.20231023152436-b5fd264775b0 h1:dRCHnSKwsnqAeQ0TbUdgk12Q5GU/P2P+v/lQ0tyfSfg=
+knative.dev/eventing v0.38.1-0.20231023152436-b5fd264775b0/go.mod h1:a9uzuTLH4ur+Q1wLCqbxIQNcYxeJPRPYBgs3e8lo13Y=
 knative.dev/hack v0.0.0-20231016131700-2c938d4918da h1:xy+fvuz2LDOMsZ5UwXRaMF70NYUs9fsG+EF5/ierYBg=
 knative.dev/hack v0.0.0-20231016131700-2c938d4918da/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/networking v0.0.0-20231012062439-c0863403c83b h1:yGtVPNHek3rmKb50k7G9fG/NuuC4FRzESVrWmPFU9AM=
-knative.dev/networking v0.0.0-20231012062439-c0863403c83b/go.mod h1:uEvP4spV82HGB8loxo8nH/LGmwsd9jUGWvDVC+tH4O4=
-knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5 h1:9AvFZdEtuwKWDcTV1VSwmrgrRR9f38wbIAm+sNwLivQ=
-knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5/go.mod h1:HHRXEd7ZlFpthgE+rwAZ6MUVnuJOAeolnaFSthXloUQ=
-knative.dev/serving v0.38.1-0.20231023130708-cfd806f994ce h1:I8tVCCOOblApI7cJ73sA8TBVOY4TtQcnCHklzRmDJNc=
-knative.dev/serving v0.38.1-0.20231023130708-cfd806f994ce/go.mod h1:cuia3pUQNF4sa3g3KsPFgqpLnF1pf9iquDLgk71iLfo=
+knative.dev/networking v0.0.0-20231017124814-2a7676e912b7 h1:6+1icZuxiZO1paFZ4d/ysKWVG2M4WB7OxNJNyLG0P/E=
+knative.dev/networking v0.0.0-20231017124814-2a7676e912b7/go.mod h1:1gcHoIVG47ekQWjkddqRq+/7tWRh+CB9W4k/NAcdRbk=
+knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c h1:xyPoEToTWeBdn6tinhLxXfnhJhTNQt5WzHiTNiFphRw=
+knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c/go.mod h1:HHRXEd7ZlFpthgE+rwAZ6MUVnuJOAeolnaFSthXloUQ=
+knative.dev/serving v0.38.1-0.20231023192719-2659cc3aed8e h1:KLFfwnphfqhrbLYbVep/hUPS829FP+QfQ0jR3nzHZ0w=
+knative.dev/serving v0.38.1-0.20231023192719-2659cc3aed8e/go.mod h1:0QIp5mvgWa1oUC2MxMf+Q/JWgG8JhAsSdJKc6iTRlvE=
 nhooyr.io/websocket v1.8.6/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0=
 pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

diff --git a/vendor/knative.dev/pkg/webhook/webhook.go b/vendor/knative.dev/pkg/webhook/webhook.go
@@ -81,6 +81,17 @@ type Options struct {
 	// ControllerOptions encapsulates options for creating a new controller,
 	// including throttling and stats behavior.
 	ControllerOptions *controller.ControllerOptions
+
+	// EnableHTTP2 enables HTTP2 for webhooks.
+	// Mitigate CVE-2023-44487 by disabling HTTP2 by default until the Go
+	// standard library and golang.org/x/net are fully fixed.
+	// Right now, it is possible for authenticated and unauthenticated users to
+	// hold open HTTP2 connections and consume huge amounts of memory.
+	// See:
+	// * https://github.com/kubernetes/kubernetes/pull/121120
+	// * https://github.com/kubernetes/kubernetes/issues/121197
+	// * https://github.com/golang/go/issues/63417#issuecomment-1758858612
+	EnableHTTP2 bool
 }
 
 // Operation is the verb being operated on
@@ -245,12 +256,19 @@ func (wh *Webhook) Run(stop <-chan struct{}) error {
 		QuietPeriod: wh.Options.GracePeriod,
 	}
 
+	// If TLSNextProto is not nil, HTTP/2 support is not enabled automatically.
+	nextProto := map[string]func(*http.Server, *tls.Conn, http.Handler){}
+	if wh.Options.EnableHTTP2 {
+		nextProto = nil
+	}
+
 	server := &http.Server{
 		ErrorLog:          log.New(&zapWrapper{logger}, "", 0),
 		Handler:           drainer,
 		Addr:              fmt.Sprint(":", wh.Options.Port),
 		TLSConfig:         wh.tlsConfig,
 		ReadHeaderTimeout: time.Minute, //https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6
+		TLSNextProto:      nextProto,
 	}
 
 	var serve = server.ListenAndServe

diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -1271,7 +1271,7 @@ k8s.io/utils/trace
 ## explicit; go 1.18
 knative.dev/caching/pkg/apis/caching
 knative.dev/caching/pkg/apis/caching/v1alpha1
-# knative.dev/eventing v0.38.1-0.20231020133954-16a398695622
+# knative.dev/eventing v0.38.1-0.20231023152436-b5fd264775b0
 ## explicit; go 1.19
 knative.dev/eventing/pkg/apis/config
 knative.dev/eventing/pkg/apis/duck
@@ -1364,7 +1364,7 @@ knative.dev/eventing/test/upgrade/prober/wathola/sender
 ## explicit; go 1.18
 knative.dev/hack
 knative.dev/hack/shell
-# knative.dev/networking v0.0.0-20231012062439-c0863403c83b
+# knative.dev/networking v0.0.0-20231017124814-2a7676e912b7
 ## explicit; go 1.18
 knative.dev/networking/pkg
 knative.dev/networking/pkg/apis/networking
@@ -1379,7 +1379,7 @@ knative.dev/networking/pkg/http/probe
 knative.dev/networking/pkg/http/proxy
 knative.dev/networking/pkg/http/stats
 knative.dev/networking/pkg/k8s
-# knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5
+# knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c
 ## explicit; go 1.18
 knative.dev/pkg/apiextensions/storageversion
 knative.dev/pkg/apiextensions/storageversion/cmd/migrate
@@ -1459,7 +1459,7 @@ knative.dev/pkg/webhook
 knative.dev/pkg/webhook/certificates
 knative.dev/pkg/webhook/certificates/resources
 knative.dev/pkg/webhook/resourcesemantics/conversion
-# knative.dev/serving v0.38.1-0.20231023130708-cfd806f994ce
+# knative.dev/serving v0.38.1-0.20231023192719-2659cc3aed8e
 ## explicit; go 1.18
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1