diff --git a/go.mod b/go.mod
index bd34cd1bbf..54bc4d6fe8 100644
--- a/go.mod
+++ b/go.mod
@@ -24,10 +24,10 @@ require (
 	k8s.io/apimachinery v0.25.4
 	k8s.io/client-go v0.25.4
 	k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2
-	knative.dev/eventing v0.37.3
+	knative.dev/eventing v0.37.4
 	knative.dev/hack v0.0.0-20230417170854-f591fea109b3
-	knative.dev/pkg v0.0.0-20231011201526-df28feae6d34
-	knative.dev/reconciler-test v0.0.0-20230928102338-4ae7322c84fa
+	knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f
+	knative.dev/reconciler-test v0.0.0-20231023114053-616ce2cecb19
 	sigs.k8s.io/yaml v1.3.0
 )
 
diff --git a/go.sum b/go.sum
index 063514438e..e4008105b6 100644
--- a/go.sum
+++ b/go.sum
@@ -1081,14 +1081,14 @@ k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkI
 k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.37.3 h1:TFJS/bcWJbcY4YvGg+LNEm0qdmeaMAHdUGHKuOmnX9E=
-knative.dev/eventing v0.37.3/go.mod h1:DFZEmPkisDkr3jbTQd6mK+Dno3k9yacSgbkJGIDWg3c=
+knative.dev/eventing v0.37.4 h1:JPgz4VvYY0/YO9O+5Y4FNUhuZKNxE1Soo8zKs7JdTBU=
+knative.dev/eventing v0.37.4/go.mod h1:oGwuBilJ14D1AJyRnsVR3iujY8aw2mhhPSDFCfUaTis=
 knative.dev/hack v0.0.0-20230417170854-f591fea109b3 h1:+W4WBOq83tfGXKhtv8OB/uJeYqze3zh69GKiz1ucuqk=
 knative.dev/hack v0.0.0-20230417170854-f591fea109b3/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/pkg v0.0.0-20231011201526-df28feae6d34 h1:H+K37bEBZ2STSWMjCgrdilj38KKZGVxBbob22K99Y50=
-knative.dev/pkg v0.0.0-20231011201526-df28feae6d34/go.mod h1:ZRgzFBFmdBsARm6+Pkr9WRG8bXys8rYq64ELfLG6+9w=
-knative.dev/reconciler-test v0.0.0-20230928102338-4ae7322c84fa h1:e8YtAgy9ZXjpbyS47nF2AhMJ3NRB1vUDfXwI0EANEKg=
-knative.dev/reconciler-test v0.0.0-20230928102338-4ae7322c84fa/go.mod h1:By7fsbkjKWbTmxwAs9lL1itxZI1otbhiEsAZmprEtvI=
+knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f h1:XCH1qZqW1riR8cjhMGjewxQXlWPrfgxeUorBjpC6lE4=
+knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f/go.mod h1:ZRgzFBFmdBsARm6+Pkr9WRG8bXys8rYq64ELfLG6+9w=
+knative.dev/reconciler-test v0.0.0-20231023114053-616ce2cecb19 h1:E7gYUPhZs4yOlBD8taIy7OBmVCsegNlggQcIPYIIFbg=
+knative.dev/reconciler-test v0.0.0-20231023114053-616ce2cecb19/go.mod h1:5eaMf3A7YtrddJul/ddiv3zOC4wPx40Ndsq4jq0oM/c=
 pgregory.net/rapid v0.3.3 h1:jCjBsY4ln4Atz78QoBWxUEvAHaFyNDQg9+WU62aCn1U=
 pgregory.net/rapid v0.3.3/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
diff --git a/vendor/knative.dev/pkg/webhook/webhook.go b/vendor/knative.dev/pkg/webhook/webhook.go
index 779d388d22..dd6bc36e11 100644
--- a/vendor/knative.dev/pkg/webhook/webhook.go
+++ b/vendor/knative.dev/pkg/webhook/webhook.go
@@ -67,6 +67,17 @@ type Options struct {
 	// GracePeriod is how long to wait after failing readiness probes
 	// before shutting down.
 	GracePeriod time.Duration
+
+	// EnableHTTP2 enables HTTP2 for webhooks.
+	// Mitigate CVE-2023-44487 by disabling HTTP2 by default until the Go
+	// standard library and golang.org/x/net are fully fixed.
+	// Right now, it is possible for authenticated and unauthenticated users to
+	// hold open HTTP2 connections and consume huge amounts of memory.
+	// See:
+	// * https://github.com/kubernetes/kubernetes/pull/121120
+	// * https://github.com/kubernetes/kubernetes/issues/121197
+	// * https://github.com/golang/go/issues/63417#issuecomment-1758858612
+	EnableHTTP2 bool
 }
 
 // Operation is the verb being operated on
@@ -219,11 +230,18 @@ func (wh *Webhook) Run(stop <-chan struct{}) error {
 		QuietPeriod: wh.Options.GracePeriod,
 	}
 
+	// If TLSNextProto is not nil, HTTP/2 support is not enabled automatically.
+	nextProto := map[string]func(*http.Server, *tls.Conn, http.Handler){}
+	if wh.Options.EnableHTTP2 {
+		nextProto = nil
+	}
+
 	server := &http.Server{
 		Handler: drainer,
 		Addr: fmt.Sprint(":", wh.Options.Port),
 		TLSConfig: wh.tlsConfig,
 		ReadHeaderTimeout: time.Minute, //https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6
+		TLSNextProto: nextProto,
 	}
 
 	eg, ctx := errgroup.WithContext(ctx)
diff --git a/vendor/knative.dev/reconciler-test/pkg/environment/namespace.go b/vendor/knative.dev/reconciler-test/pkg/environment/namespace.go
index 18c73c8e10..939f382eec 100644
--- a/vendor/knative.dev/reconciler-test/pkg/environment/namespace.go
+++ b/vendor/knative.dev/reconciler-test/pkg/environment/namespace.go
@@ -122,12 +122,26 @@ func (mr *MagicEnvironment) CreateNamespaceIfNeeded() error {
 			return fmt.Errorf("error copying the image pull Secret: %s", err)
 		}
 
-		_, err = c.CoreV1().ServiceAccounts(mr.namespace).Patch(context.Background(), sa.Name, types.StrategicMergePatchType,
-			[]byte(`{"imagePullSecrets":[{"name":"`+mr.imagePullSecretName+`"}]}`), metav1.PatchOptions{})
+		for _, secret := range sa.ImagePullSecrets {
+			if secret.Name == mr.imagePullSecretName {
+				return nil
+			}
+		}
+
+		// Prevent overwriting existing imagePullSecrets
+		patch := `[{"op":"add","path":"/imagePullSecrets/-","value":{"name":"` + mr.imagePullSecretName + `"}}]`
+		if len(sa.ImagePullSecrets) == 0 {
+			patch = `[{"op":"add","path":"/imagePullSecrets","value":[{"name":"` + mr.imagePullSecretName + `"}]}]`
+		}
+
+		_, err = c.CoreV1().ServiceAccounts(mr.namespace).Patch(context.Background(), sa.Name, types.JSONPatchType,
+			[]byte(patch), metav1.PatchOptions{})
 		if err != nil {
-			return fmt.Errorf("patch failed on NS/SA (%s/%s): %s", mr.namespace, sa.Name, err)
+			return fmt.Errorf("patch failed on NS/SA (%s/%s): %w",
+				mr.namespace, sa.Name, err)
 		}
 	}
+
 	return nil
 }
 
diff --git a/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/100-sa.yaml b/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/100-sa.yaml
index f86b523942..2cafc9ab1b 100644
--- a/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/100-sa.yaml
+++ b/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/100-sa.yaml
@@ -17,3 +17,9 @@ kind: ServiceAccount
 metadata:
   name: {{ .name }}
   namespace: {{ .namespace }}
+{{ if .withPullSecrets }}
+imagePullSecrets:
+  {{ range $_, $value := .withPullSecrets.secrets }}
+  - name: {{ $value }}
+  {{ end }}
+{{ end }}
diff --git a/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/rbac.go b/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/rbac.go
index de8a2cfbde..5c7494231a 100644
--- a/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/rbac.go
+++ b/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/rbac.go
@@ -21,6 +21,9 @@ import (
 	"embed"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kubeclient "knative.dev/pkg/client/injection/kube/client"
+	"knative.dev/reconciler-test/pkg/environment"
 	"knative.dev/reconciler-test/pkg/feature"
 	"knative.dev/reconciler-test/pkg/manifest"
 )
@@ -30,11 +33,33 @@ import (
 var templates embed.FS
 
 // Install creates the necessary ServiceAccount, Role, RoleBinding for the eventshub.
-// The resources are named according to the current namespace defined in the environment.
 func Install(cfg map[string]interface{}) feature.StepFn {
 	return func(ctx context.Context, t feature.T) {
+		WithPullSecrets(ctx, t)(cfg)
 		if _, err := manifest.InstallYamlFS(ctx, templates, cfg); err != nil && !apierrors.IsAlreadyExists(err) {
 			t.Fatal(err)
 		}
 	}
 }
+
+func WithPullSecrets(ctx context.Context, t feature.T) manifest.CfgFn {
+	namespace := environment.FromContext(ctx).Namespace()
+	serviceAccount, err := kubeclient.Get(ctx).CoreV1().ServiceAccounts(namespace).Get(ctx, "default", metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Failed to read default SA in %s namespace: %v", namespace, err)
+	}
+
+	return func(cfg map[string]interface{}) {
+		if len(serviceAccount.ImagePullSecrets) == 0 {
+			return
+		}
+		if _, set := cfg["withPullSecrets"]; !set {
+			cfg["withPullSecrets"] = map[string]interface{}{}
+		}
+		withPullSecrets := cfg["withPullSecrets"].(map[string]interface{})
+		withPullSecrets["secrets"] = []string{}
+		for _, secret := range serviceAccount.ImagePullSecrets {
+			withPullSecrets["secrets"] = append(withPullSecrets["secrets"].([]string), secret.Name)
+		}
+	}
+}
diff --git a/vendor/knative.dev/reconciler-test/pkg/feature/feature.go b/vendor/knative.dev/reconciler-test/pkg/feature/feature.go
index db86f85af5..c245012ff2 100644
--- a/vendor/knative.dev/reconciler-test/pkg/feature/feature.go
+++ b/vendor/knative.dev/reconciler-test/pkg/feature/feature.go
@@ -227,6 +227,8 @@ func DeleteResources(ctx context.Context, t T, refs []corev1.ObjectReference) er
 		}
 	}
 
+	var lastResource corev1.ObjectReference // One still present resource
+
 	err := wait.Poll(time.Second, 4*time.Minute, func() (bool, error) {
 		for _, ref := range refs {
 			gv, err := schema.ParseGroupVersion(ref.APIVersion)
@@ -248,6 +250,7 @@ func DeleteResources(ctx context.Context, t T, refs []corev1.ObjectReference) er
 				return false, fmt.Errorf("failed to get resource %+v %s/%s: %w", resource, ref.Namespace, ref.Name, err)
 			}
 
+			lastResource = ref
 			t.Logf("Resource %+v %s/%s still present", resource, ref.Namespace, ref.Name)
 			return false, nil
 		}
@@ -255,6 +258,7 @@ func DeleteResources(ctx context.Context, t T, refs []corev1.ObjectReference) er
 		return true, nil
 	})
 	if err != nil {
+		LogReferences(lastResource)(ctx, t)
 		return fmt.Errorf("failed to wait for resources to be deleted: %v", err)
 	}
 
diff --git a/vendor/knative.dev/reconciler-test/pkg/feature/logging.go b/vendor/knative.dev/reconciler-test/pkg/feature/logging.go
index cbbc572e06..2261e30886 100644
--- a/vendor/knative.dev/reconciler-test/pkg/feature/logging.go
+++ b/vendor/knative.dev/reconciler-test/pkg/feature/logging.go
@@ -26,6 +26,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"knative.dev/pkg/apis"
+	kubeclient "knative.dev/pkg/client/injection/kube/client"
 	"knative.dev/pkg/injection/clients/dynamicclient"
 )
 
@@ -62,13 +63,26 @@ func logReference(ref corev1.ObjectReference) StepFn {
 			return
 		}
 
-		b, err := json.MarshalIndent(r, "", " ")
+		b, err := json.MarshalIndent(r, "", " ")
 		if err != nil {
 			t.Logf("Failed to marshal %s: %v\n", resourceStr, err)
 			return
 		}
 
-		t.Logf("%s\n%s", resourceStr, string(b))
+		// Get events for the given resource
+		events, _ := kubeclient.Get(ctx).EventsV1().
+			Events(ref.Namespace).
+			List(ctx, metav1.ListOptions{
+				TypeMeta: metav1.TypeMeta{
+					Kind: ref.Kind,
+					APIVersion: ref.APIVersion,
+				},
+				FieldSelector: fmt.Sprintf("involvedObject.name=%s", ref.Name),
+				Limit: 50,
+			})
+		eBytes, _ := json.MarshalIndent(events, "", " ")
+
+		t.Logf("%s\n%s\nEvents:\n%s\n", resourceStr, string(b), string(eBytes))
 
 		// Recursively log owners
 		for _, or := range r.GetOwnerReferences() {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index ac8ce87002..4614d91aee 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1302,7 +1302,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/eventing v0.37.3
+# knative.dev/eventing v0.37.4
 ## explicit; go 1.19
 knative.dev/eventing/cmd/heartbeats
 knative.dev/eventing/pkg/adapter/v2
@@ -1409,7 +1409,7 @@ knative.dev/eventing/test/upgrade/prober/wathola/sender
 ## explicit; go 1.18
 knative.dev/hack
 knative.dev/hack/shell
-# knative.dev/pkg v0.0.0-20231011201526-df28feae6d34
+# knative.dev/pkg v0.0.0-20231023160942-0c39ce4b3a7f
 ## explicit; go 1.18
 knative.dev/pkg/apiextensions/storageversion
 knative.dev/pkg/apiextensions/storageversion/cmd/migrate
@@ -1507,7 +1507,7 @@ knative.dev/pkg/webhook/resourcesemantics
 knative.dev/pkg/webhook/resourcesemantics/conversion
 knative.dev/pkg/webhook/resourcesemantics/defaulting
 knative.dev/pkg/webhook/resourcesemantics/validation
-# knative.dev/reconciler-test v0.0.0-20230928102338-4ae7322c84fa
+# knative.dev/reconciler-test v0.0.0-20231023114053-616ce2cecb19
 ## explicit; go 1.18
 knative.dev/reconciler-test/cmd/eventshub
 knative.dev/reconciler-test/pkg/environment