upgrade to latest dependencies (#749)

bumping knative.dev/hack 9c0ea69...6ffd841:
  > 6ffd841 Update community files (# 168)
  > 02c525c Update community files (# 167)
  > 0e0784b Update community files (# 166)
  > a75ca49 Update community files (# 165)
bumping knative.dev/pkg 0a1ec2e...e325df6:
  > e325df6 upgrade to latest dependencies (# 2490)
  > 00c122e Add genreconcile for ConfigMap (# 2489)
  > 6bb6518 Update actions (# 2488)
  > 5b0e728 drop deprecated eventing repos (# 2463)
  > 75629c8 Update community files (# 2487)
  > ca82d2b Add `NewProxyAutoTLSTransport` and `DialTLSWithBackOff` to support TLS proxy (# 2479)
  > e2b4d74 Update community files (# 2486)
  > 4d62e1d bump our min k8s version to 1.22 (# 2485)
  > 9ae44fe Update community files (# 2484)
  > 29f716f Fix `InitialBuckets()` for statefulSetBuilder's electors (# 2483)
  > 8db11d0 Update community files (# 2482)
  > dcd5d7c bump go version of tekton downstream workflow (# 2481)
  > 0ce1e92 Update actions (# 2480)
  > 4f42bf4 Update actions (# 2478)
  > 7479994 Update actions (# 2477)
  > c2f1f3e Update community files (# 2476)
bumping knative.dev/networking 7e90d10...1145ec5:
  > 1145ec5 upgrade to latest dependencies (# 658)
  > 56c4a3e upgrade to latest dependencies (# 657)
  > c173eed Add certificates config keys in config-network (# 648)
  > f96f8e2 upgrade to latest dependencies (# 655)
  > 224a816 Update actions (# 656)
  > 57ad9cf Update community files (# 654)
  > 88881dd Update community files (# 653)
  > 0d114b7 upgrade to latest dependencies (# 652)
  > 7307ffd Update community files (# 651)
  > 7fa8012 Update community files (# 650)
  > a49d1a2 Update actions (# 649)
  > 5dd0002 Update actions (# 647)
  > dde40b0 drop knative.dev/release label (# 646)
  > 0aef61e Update community files (# 645)
  > 84f7ed6 Update actions (# 644)
  > a1261cd Update community files (# 643)

Signed-off-by: Knative Automation <automation@knative.team>

go.mod

@@ -10,9 +10,9 @@ require (
 	k8s.io/api v0.23.5
 	k8s.io/apimachinery v0.23.5
 	k8s.io/client-go v0.23.5
-	knative.dev/hack v0.0.0-20220331040044-9c0ea69d9b4d
-	knative.dev/networking v0.0.0-20220330230145-7e90d10acb64
-	knative.dev/pkg v0.0.0-20220329144915-0a1ec2e0d46c
+	knative.dev/hack v0.0.0-20220411131823-6ffd8417de7c
+	knative.dev/networking v0.0.0-20220412163509-1145ec58c8be
+	knative.dev/pkg v0.0.0-20220412134708-e325df66cb51
 	sigs.k8s.io/yaml v1.3.0
 )
 

go.sum

@@ -1851,15 +1851,12 @@ k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 h1:HNSDgDCrr/6Ly3WEGKZftiE7IY19Vz2GdbOCyI4qqhc=
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-knative.dev/hack v0.0.0-20220224013837-e1785985d364/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
-knative.dev/hack v0.0.0-20220328133751-f06773764ce3/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
-knative.dev/hack v0.0.0-20220331040044-9c0ea69d9b4d h1:Hsn2lYYDDs1raRsYCJut4MGXRQpEDQ68YOni+sXwUsg=
-knative.dev/hack v0.0.0-20220331040044-9c0ea69d9b4d/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
-knative.dev/networking v0.0.0-20220330230145-7e90d10acb64 h1:g82Zft7qU5aqaTvsxGwZP656k+QN2GHe9Qkb0wAmGKs=
-knative.dev/networking v0.0.0-20220330230145-7e90d10acb64/go.mod h1:5mOmDZAOLZ4spdHWoiRpjIVCSWuA8V4NYIVtFycdSn8=
-knative.dev/pkg v0.0.0-20220325200448-1f7514acd0c2/go.mod h1:5xt0nzCwxvQ2N4w71smY7pYm5nVrQ8qnRsMinSLVpio=
-knative.dev/pkg v0.0.0-20220329144915-0a1ec2e0d46c h1:PLzCwnuPt+bjwiyYrRrsbmiBWR8a5cIwKtTd3LK1TqU=
-knative.dev/pkg v0.0.0-20220329144915-0a1ec2e0d46c/go.mod h1:0A5D5tOLettuVoi5x+0SLGRfrvVemXXtLH247WupPJk=
+knative.dev/hack v0.0.0-20220411131823-6ffd8417de7c h1:aXsFXeky/GccNQxwf72CS4NR3EoqTqsCVNKQnblfwr0=
+knative.dev/hack v0.0.0-20220411131823-6ffd8417de7c/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
+knative.dev/networking v0.0.0-20220412163509-1145ec58c8be h1:MmwR4SfwlXgt/jnjronkTTOKBrwN1mP/VNhHH08pIoc=
+knative.dev/networking v0.0.0-20220412163509-1145ec58c8be/go.mod h1:6OZIUimxPelIIudzHWRd+Lc7ippC5t+DC8CsZKCOjcI=
+knative.dev/pkg v0.0.0-20220412134708-e325df66cb51 h1:4AmaxeY7+r/PYYz3HS9pMY21Mw3ykO6STLFEk2FoJ2s=
+knative.dev/pkg v0.0.0-20220412134708-e325df66cb51/go.mod h1:j2MeD8s+JoCu1vegX80GbRXV/xd20Jm1NznxBYtVXiM=
 pgregory.net/rapid v0.3.3/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/letsencrypt v0.0.3/go.mod h1:buyQKZ6IXrRnB7TdkHP0RyEybLx18HHyOSoTyoOLqNY=

vendor/knative.dev/networking/config/certificate.yaml

@@ -18,8 +18,8 @@ metadata:
   name: certificates.networking.internal.knative.dev
   labels:
     app.kubernetes.io/name: knative-serving
+    app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:
   group: networking.internal.knative.dev

vendor/knative.dev/networking/config/config-network.yaml

@@ -21,9 +21,8 @@ metadata:
     app.kubernetes.io/name: knative-serving
     app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
   annotations:
-    knative.dev/example-checksum: "7c86cb6a"
+    knative.dev/example-checksum: "d0b91f80"
 data:
   _example: |
     ################################
@@ -189,3 +188,35 @@ data:
     # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
     #       for now. Use with caution.
     activator-san: ""
+
+    # The server certificates to serve the TLS traffic from ingress to activator.
+    # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
+    # Use an empty value to disable the feature (default).
+    #
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+    #       for now. Use with caution.
+    activator-cert-secret: ""
+
+    # The CA public certificate used to sign the queue-proxy TLS certificate.
+    # It is specified by the secret name, which has the "ca.crt" data field.
+    # Use an empty value to disable the feature (default).
+    #
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+    #       for now. Use with caution.
+    queue-proxy-ca: ""
+
+    # The SAN (Subject Alt Name) used to validate the activator TLS certificate.
+    # It must be set when "queue-proxy-ca" is specified.
+    # Use an empty value to disable the feature (default).
+    #
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+    #       for now. Use with caution.
+    queue-proxy-san: ""
+
+    # The server certificates to serve the TLS traffic from activator to queue-proxy.
+    # It is specified by the secret name, which has the "tls.crt" and "tls.key" data field.
+    # Use an empty value to disable the feature (default).
+    #
+    # NOTE: This flag is in an alpha state and is mostly here to enable internal testing
+    #       for now. Use with caution.
+    queue-proxy-cert-secret: ""

vendor/knative.dev/networking/config/domain-claim.yaml

@@ -18,8 +18,8 @@ metadata:
   name: clusterdomainclaims.networking.internal.knative.dev
   labels:
     app.kubernetes.io/name: knative-serving
+    app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:
   group: networking.internal.knative.dev

vendor/knative.dev/networking/config/domain.yaml

@@ -19,7 +19,7 @@ metadata:
   labels:
     app.kubernetes.io/name: knative-serving
     app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
+    app.kubernetes.io/component: networking
     knative.dev/crd-install: "true"
 spec:
   group: networking.internal.knative.dev

vendor/knative.dev/networking/config/ingress.yaml

@@ -18,8 +18,8 @@ metadata:
   name: ingresses.networking.internal.knative.dev
   labels:
     app.kubernetes.io/name: knative-serving
+    app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:
   group: networking.internal.knative.dev

vendor/knative.dev/networking/config/realm.yaml

@@ -18,8 +18,8 @@ metadata:
   name: realms.networking.internal.knative.dev
   labels:
     app.kubernetes.io/name: knative-serving
+    app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:
   group: networking.internal.knative.dev

vendor/knative.dev/networking/config/serverlessservice.yaml

@@ -18,8 +18,8 @@ metadata:
   name: serverlessservices.networking.internal.knative.dev
   labels:
     app.kubernetes.io/name: knative-serving
+    app.kubernetes.io/component: networking
     app.kubernetes.io/version: devel
-    serving.knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:
   group: networking.internal.knative.dev

vendor/knative.dev/networking/pkg/network.go

@@ -196,6 +196,21 @@ const (
 
 	// ActivatorSANKey is the config for the SAN used to validate the activator TLS certificate.
 	ActivatorSANKey = "activator-san"
+
+	// ActivatorCertKey is the config for the secret name, which stores certificates
+	// to serve the TLS traffic from ingress to activator.
+	ActivatorCertKey = "activator-cert-secret"
+
+	// QueueProxyCAKey is the config for the secret name, which stores CA public certificate used
+	// to sign the queue-proxy TLS certificate.
+	QueueProxyCAKey = "queue-proxy-ca"
+
+	// QueueProxySANKey is the config for the SAN used to validate the queue-proxy TLS certificate.
+	QueueProxySANKey = "queue-proxy-san"
+
+	// QueueProxyCertKey is the config for the secret name, which stores certificates
+	// to serve the TLS traffic from activator to queue-proxy.
+	QueueProxyCertKey = "queue-proxy-cert-secret"
 )
 
 // DomainTemplateValues are the available properties people can choose from
@@ -302,6 +317,20 @@ type Config struct {
 	// ActivatorSAN defines the SAN (Subject Alt Name) used to validate the activator TLS certificate.
 	// It is used only when ActivatorCA is specified.
 	ActivatorSAN string
+
+	// ActivatorCertSecret defines the secret name of the server certificates to serve the TLS traffic from ingress to activator.
+	ActivatorCertSecret string
+
+	// QueueProxyCA defines the secret name of the CA public certificate used to sign the queue-proxy TLS certificate.
+	// The traffic to queue-proxy is not encrypted if QueueProxyCA is empty.
+	QueueProxyCA string
+
+	// QueueProxySAN defines the SAN (Subject Alt Name) used to validate the queue-proxy TLS certificate.
+	// It is used only when QueueProxyCA is specified.
+	QueueProxySAN string
+
+	// QueueProxyCertSecret defines the secret name of the server certificates to serve the TLS traffic from activator to queue-proxy.
+	QueueProxyCertSecret string
 }
 
 // HTTPProtocol indicates a type of HTTP endpoint behavior
@@ -359,6 +388,10 @@ func defaultConfig() *Config {
 		MeshCompatibilityMode:         MeshCompatibilityModeAuto,
 		ActivatorCA:                   "",
 		ActivatorSAN:                  "",
+		ActivatorCertSecret:           "",
+		QueueProxyCA:                  "",
+		QueueProxySAN:                 "",
+		QueueProxyCertSecret:          "",
 	}
 }
 
@@ -392,6 +425,10 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 		cm.AsString(DefaultExternalSchemeKey, &nc.DefaultExternalScheme),
 		cm.AsString(ActivatorCAKey, &nc.ActivatorCA),
 		cm.AsString(ActivatorSANKey, &nc.ActivatorSAN),
+		cm.AsString(ActivatorCertKey, &nc.ActivatorCertSecret),
+		cm.AsString(QueueProxyCAKey, &nc.QueueProxyCA),
+		cm.AsString(QueueProxySANKey, &nc.QueueProxySAN),
+		cm.AsString(QueueProxyCertKey, &nc.QueueProxyCertSecret),
 		asMode(MeshCompatibilityModeKey, &nc.MeshCompatibilityMode),
 		asLabelSelector(NamespaceWildcardCertSelectorKey, &nc.NamespaceWildcardCertSelector),
 	); err != nil {
@@ -456,6 +493,14 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 		return nil, fmt.Errorf("%q must be set when %q was set", ActivatorCAKey, ActivatorSANKey)
 	}
 
+	if nc.QueueProxyCA != "" && nc.QueueProxySAN == "" {
+		return nil, fmt.Errorf("%q must be set when %q was set", QueueProxySANKey, QueueProxyCAKey)
+	}
+
+	if nc.QueueProxyCA == "" && nc.QueueProxySAN != "" {
+		return nil, fmt.Errorf("%q must be set when %q was set", QueueProxyCAKey, QueueProxySANKey)
+	}
+
 	return nc, nil
 }
 

vendor/knative.dev/pkg/hack/update-codegen.sh

@@ -51,7 +51,7 @@ EXTERNAL_INFORMER_PKG="k8s.io/client-go/informers" \
     k8s.io/api \
     "${K8S_TYPES}" \
     --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt \
-    --force-genreconciler-kinds "Namespace,Deployment,Secret,Pod,CronJob,NetworkPolicy"
+    --force-genreconciler-kinds "Namespace,ConfigMap,Deployment,Secret,Pod,CronJob,NetworkPolicy"
 
 OUTPUT_PKG="knative.dev/pkg/client/injection/apiextensions" \
 VERSIONED_CLIENTSET_PKG="k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" \

vendor/knative.dev/pkg/leaderelection/context.go

@@ -273,7 +273,7 @@ func (ue *unopposedElector) Run(ctx context.Context) {
 
 func (ue *unopposedElector) InitialBuckets() []reconciler.Bucket {
 	return []reconciler.Bucket{
-		reconciler.UniversalBucket(),
+		ue.bkt,
 	}
 }
 

vendor/knative.dev/pkg/network/h2c.go

@@ -54,3 +54,16 @@ func newH2CTransport(disableCompression bool) http.RoundTripper {
 		},
 	}
 }
+
+// newH2Transport constructs a neew H2 transport. That transport will handles HTTPS traffic
+// with TLS config.
+func newH2Transport(disableCompression bool, tlsConf *tls.Config) http.RoundTripper {
+	return &http2.Transport{
+		DisableCompression: disableCompression,
+		DialTLS: func(netw, addr string, tlsConf *tls.Config) (net.Conn, error) {
+			return DialTLSWithBackOff(context.Background(),
+				netw, addr, tlsConf)
+		},
+		TLSClientConfig: tlsConf,
+	}
+}

vendor/knative.dev/pkg/network/transports.go

@@ -18,6 +18,7 @@ package network
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"net"
@@ -45,7 +46,7 @@ func newAutoTransport(v1, v2 http.RoundTripper) http.RoundTripper {
 	})
 }
 
-const sleepTO = 30 * time.Millisecond
+const sleep = 30 * time.Millisecond
 
 var backOffTemplate = wait.Backoff{
 	Duration: 50 * time.Millisecond,
@@ -63,19 +64,37 @@ var DialWithBackOff = NewBackoffDialer(backOffTemplate)
 // between tries.
 func NewBackoffDialer(backoffConfig wait.Backoff) func(context.Context, string, string) (net.Conn, error) {
 	return func(ctx context.Context, network, address string) (net.Conn, error) {
-		return dialBackOffHelper(ctx, network, address, backoffConfig, sleepTO)
+		return dialBackOffHelper(ctx, network, address, backoffConfig, nil)
 	}
 }
 
-func dialBackOffHelper(ctx context.Context, network, address string, bo wait.Backoff, sleep time.Duration) (net.Conn, error) {
+// DialTLSWithBackOff is same with DialWithBackOff but takes tls config.
+var DialTLSWithBackOff = NewTLSBackoffDialer(backOffTemplate)
+
+// NewTLSBackoffDialer is same with NewBackoffDialer but takes tls config.
+func NewTLSBackoffDialer(backoffConfig wait.Backoff) func(context.Context, string, string, *tls.Config) (net.Conn, error) {
+	return func(ctx context.Context, network, address string, tlsConf *tls.Config) (net.Conn, error) {
+		return dialBackOffHelper(ctx, network, address, backoffConfig, tlsConf)
+	}
+}
+
+func dialBackOffHelper(ctx context.Context, network, address string, bo wait.Backoff, tlsConf *tls.Config) (net.Conn, error) {
 	dialer := &net.Dialer{
 		Timeout:   bo.Duration, // Initial duration.
 		KeepAlive: 5 * time.Second,
 		DualStack: true,
 	}
 	start := time.Now()
 	for {
-		c, err := dialer.DialContext(ctx, network, address)
+		var (
+			c   net.Conn
+			err error
+		)
+		if tlsConf == nil {
+			c, err = dialer.DialContext(ctx, network, address)
+		} else {
+			c, err = tls.DialWithDialer(dialer, network, address, tlsConf)
+		}
 		if err != nil {
 			var errNet net.Error
 			if errors.As(err, &errNet) && errNet.Timeout() {
@@ -105,6 +124,19 @@ func newHTTPTransport(disableKeepAlives, disableCompression bool, maxIdle, maxId
 	return transport
 }
 
+func newHTTPSTransport(disableKeepAlives, disableCompression bool, maxIdle, maxIdlePerHost int, tlsConf *tls.Config) http.RoundTripper {
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.DialContext = DialWithBackOff
+	transport.DisableKeepAlives = disableKeepAlives
+	transport.MaxIdleConns = maxIdle
+	transport.MaxIdleConnsPerHost = maxIdlePerHost
+	transport.ForceAttemptHTTP2 = false
+	transport.DisableCompression = disableCompression
+
+	transport.TLSClientConfig = tlsConf
+	return transport
+}
+
 // NewProberTransport creates a RoundTripper that is useful for probing,
 // since it will not cache connections.
 func NewProberTransport() http.RoundTripper {
@@ -113,6 +145,13 @@ func NewProberTransport() http.RoundTripper {
 		NewH2CTransport())
 }
 
+// NewProxyAutoTLSTransport is same with NewProxyAutoTransport but it has tls.Config to create HTTPS request.
+func NewProxyAutoTLSTransport(maxIdle, maxIdlePerHost int, tlsConf *tls.Config) http.RoundTripper {
+	return newAutoTransport(
+		newHTTPSTransport(false /*disable keep-alives*/, true /*disable auto-compression*/, maxIdle, maxIdlePerHost, tlsConf),
+		newH2Transport(true /*disable auto-compression*/, tlsConf))
+}
+
 // NewAutoTransport creates a RoundTripper that can use appropriate transport
 // based on the request's HTTP version.
 func NewAutoTransport(maxIdle, maxIdlePerHost int) http.RoundTripper {

vendor/knative.dev/pkg/version/version.go

@@ -33,7 +33,7 @@ const (
 	// NOTE: If you are changing this line, please also update the minimum kubernetes
 	// version listed here:
 	// https://github.com/knative/docs/blob/mkdocs/docs/snippets/prerequisites.md
-	defaultMinimumVersion = "v1.21.0"
+	defaultMinimumVersion = "v1.22.0"
 )
 
 func getMinimumVersion() string {

vendor/modules.txt

@@ -862,10 +862,10 @@ k8s.io/utils/internal/third_party/forked/golang/net
 k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/trace
-# knative.dev/hack v0.0.0-20220331040044-9c0ea69d9b4d
+# knative.dev/hack v0.0.0-20220411131823-6ffd8417de7c
 ## explicit; go 1.14
 knative.dev/hack
-# knative.dev/networking v0.0.0-20220330230145-7e90d10acb64
+# knative.dev/networking v0.0.0-20220412163509-1145ec58c8be
 ## explicit; go 1.16
 knative.dev/networking/config
 knative.dev/networking/pkg
@@ -903,7 +903,7 @@ knative.dev/networking/test/test_images/runtime/handlers
 knative.dev/networking/test/test_images/timeout
 knative.dev/networking/test/test_images/wsserver
 knative.dev/networking/test/types
-# knative.dev/pkg v0.0.0-20220329144915-0a1ec2e0d46c
+# knative.dev/pkg v0.0.0-20220412134708-e325df66cb51
 ## explicit; go 1.17
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck