[main] Upgrade to latest dependencies (#6955)

Sync reconciler-test -pierDipi

/cc knative/eventing-writers
/assign knative/eventing-writers

Produced by: knative-sandbox/knobots/actions/update-deps

Signed-off-by: Knative Automation <automation@knative.team>

go.mod

@@ -47,7 +47,7 @@ require (
 	knative.dev/hack v0.0.0-20230501013555-7d81248b4638
 	knative.dev/hack/schema v0.0.0-20230501013555-7d81248b4638
 	knative.dev/pkg v0.0.0-20230502134655-db8a35330281
-	knative.dev/reconciler-test v0.0.0-20230509130259-914f5d7a110b
+	knative.dev/reconciler-test v0.0.0-20230518074312-ecf02ac620e2
 	sigs.k8s.io/yaml v1.3.0
 )
 

go.sum

@@ -1049,8 +1049,8 @@ knative.dev/hack/schema v0.0.0-20230501013555-7d81248b4638 h1:h5jdbAWKVBaH4zEYrm
 knative.dev/hack/schema v0.0.0-20230501013555-7d81248b4638/go.mod h1:GeIb+PLd5mllawcpHEGF5J5fYTQrvgEO5liao8lUKUs=
 knative.dev/pkg v0.0.0-20230502134655-db8a35330281 h1:9mN8O5XO68DKlkzEhFAShUx+O/I+TQR71vmTvYt8oF4=
 knative.dev/pkg v0.0.0-20230502134655-db8a35330281/go.mod h1:2qWPP9Gjh9Q7ETti+WRHnBnGCSCq+6q7m3p/nmUQviE=
-knative.dev/reconciler-test v0.0.0-20230509130259-914f5d7a110b h1:r7UyxaDPVy/kDB/EK4LPJIemUcWj0Ae6BiDRPQ/vQ8s=
-knative.dev/reconciler-test v0.0.0-20230509130259-914f5d7a110b/go.mod h1:+NvhtpElJXXFaKQWSpN2kK42zHRmHsqZeU2SsCCSBeM=
+knative.dev/reconciler-test v0.0.0-20230518074312-ecf02ac620e2 h1:8nceX9tCWDPIJHPewMTuEStZ9ARHvCbWsf69wF7y/Q8=
+knative.dev/reconciler-test v0.0.0-20230518074312-ecf02ac620e2/go.mod h1:+NvhtpElJXXFaKQWSpN2kK42zHRmHsqZeU2SsCCSBeM=
 pgregory.net/rapid v0.3.3 h1:jCjBsY4ln4Atz78QoBWxUEvAHaFyNDQg9+WU62aCn1U=
 pgregory.net/rapid v0.3.3/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

vendor/knative.dev/reconciler-test/pkg/environment/magic.go

@@ -235,6 +235,13 @@ func (mr *MagicGlobalEnvironment) Environment(opts ...EnvOpts) (context.Context,
 		logging.FromContext(ctx).Fatal(err)
 	}
 
+	for _, in := range GetPostInit(ctx) {
+		ctx, err = in(ctx, env)
+		if err != nil {
+			logging.FromContext(ctx).Fatal(err)
+		}
+	}
+
 	env.milestones.Environment(map[string]string{
 		// TODO: we could add more detail here, don't send secrets.
 		"requirementLevel": env.RequirementLevel().String(),
@@ -245,6 +252,24 @@ func (mr *MagicGlobalEnvironment) Environment(opts ...EnvOpts) (context.Context,
 	return ctx, env
 }
 
+type postInitKey struct{}
+
+type InitFn = EnvOpts
+
+func WithPostInit(ctx context.Context, fn InitFn) context.Context {
+	fns := GetPostInit(ctx)
+	fns = append(fns, fn)
+	return context.WithValue(ctx, postInitKey{}, fns)
+}
+
+func GetPostInit(ctx context.Context) []InitFn {
+	fns := ctx.Value(postInitKey{})
+	if fns == nil {
+		return []InitFn{}
+	}
+	return fns.([]InitFn)
+}
+
 func inNamespace() EnvOpts {
 	return func(ctx context.Context, env Environment) (context.Context, error) {
 		ns := getNamespace(ctx)

vendor/knative.dev/reconciler-test/pkg/eventshub/102-service.yaml

@@ -22,5 +22,12 @@ spec:
     app: eventshub-{{ .name }}
   ports:
     - protocol: TCP
+      name: http
       port: 80
       targetPort: 8080
+    {{ if .withEnforceTLS }}
+    - protocol: TCP
+      name: https
+      port: 443
+      targetPort: 8443
+    {{ end }}

vendor/knative.dev/reconciler-test/pkg/eventshub/103-pod.yaml

@@ -36,6 +36,12 @@ spec:
   {{ end }}
   containers:
     - name: eventshub
+      {{ if .withEnforceTLS }}
+      volumeMounts:
+        - name: tls-certificates
+          mountPath: "/etc/tls/certificates"
+          readOnly: true
+      {{ end }}
       {{ if .containerSecurityContext }}
       securityContext:
         capabilities:
@@ -76,3 +82,10 @@ spec:
         - name: {{printf "%q" $key}}
           value: {{printf "%q" $value}}
         {{ end }}
+  {{ if .withEnforceTLS }}
+  volumes:
+    - name: tls-certificates
+      secret:
+        secretName: server-tls-{{ .name }}
+        optional: false
+  {{ end }}

vendor/knative.dev/reconciler-test/pkg/eventshub/105-certificate-ca.yaml

@@ -0,0 +1,33 @@
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: selfsigned-ca
+  namespace: {{ .namespace }}
+spec:
+  # Secret names are always required.
+  secretName: eventshub-ca
+
+  isCA: true
+  commonName: selfsigned-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io

vendor/knative.dev/reconciler-test/pkg/eventshub/105-certificate-service.yaml

@@ -0,0 +1,53 @@
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .name }}
+  namespace: {{ .namespace }}
+  {{ if .annotations }}
+  annotations:
+    {{ range $key, $value := .annotations }}
+      {{ $key }}: "{{ $value }}"
+      {{ end }}
+  {{ end }}
+spec:
+  # Secret names are always required.
+  secretName: server-tls-{{ .name }}
+
+  secretTemplate:
+    labels:
+      app: eventshub-{{ .name }}
+
+  duration: 1h
+  renewBefore: 30m
+  subject:
+    organizations:
+      - local
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+
+  dnsNames:
+    - {{ .serviceName }}.{{ .namespace }}.svc.cluster.local
+  ipAddresses: # used for testing and port-forwarding
+    - 127.0.0.1
+
+  issuerRef:
+    name: selfsigned-ca-issuer
+    kind: Issuer
+    group: cert-manager.io

vendor/knative.dev/reconciler-test/pkg/eventshub/105-issuer-ca.yaml

@@ -0,0 +1,22 @@
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-ca-issuer
+  namespace: {{ .namespace }}
+spec:
+  ca:
+    secretName: eventshub-ca

vendor/knative.dev/reconciler-test/pkg/eventshub/105-issuer-certificate.yaml

@@ -0,0 +1,21 @@
+# Copyright 2023 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: {{ .namespace }}
+spec:
+  selfSigned: {}

vendor/knative.dev/reconciler-test/pkg/eventshub/options.go

@@ -52,6 +52,13 @@ type EventsHubOption = func(context.Context, map[string]string) error
 // This can be used together with EchoEvent, ReplyWithTransformedEvent, ReplyWithAppendedData
 var StartReceiver EventsHubOption = envAdditive(EventGeneratorsEnv, "receiver")
 
+// StartReceiverTLS starts the receiver in the eventshub with TLS enforcement.
+// This can be used together with EchoEvent, ReplyWithTransformedEvent, ReplyWithAppendedData.
+//
+// It requires cert-manager operator to be able to create TLS Certificate.
+// To get the CA certificate used you can use GetCaCerts.
+var StartReceiverTLS EventsHubOption = compose(StartReceiver, envAdditive(EnforceTLS, "true"))
+
 // StartSender starts the sender in the eventshub
 // This can be used together with InputEvent, AddTracing, EnableIncrementalId, InputEncoding and InputHeader options
 func StartSender(sinkSvc string) EventsHubOption {

vendor/knative.dev/reconciler-test/pkg/eventshub/receiver/receiver.go

@@ -18,6 +18,7 @@ package receiver
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"strings"
@@ -50,12 +51,16 @@ type Receiver struct {
 	skipResponseCode    int
 	skipResponseHeaders map[string]string
 	skipResponseBody    string
+	EnforceTLS          bool
 }
 
 type envConfig struct {
 	// ReceiverName is used to identify this instance of the receiver.
 	ReceiverName string `envconfig:"POD_NAME" default:"receiver-default" required:"true"`
 
+	// EnforceTLS is used to enforce TLS.
+	EnforceTLS bool `envconfig:"ENFORCE_TLS" default:"false"`
+
 	// ResponseWaitTime is the seconds to wait for the eventshub to write any response
 	ResponseWaitTime int `envconfig:"RESPONSE_WAIT_TIME" default:"0" required:"false"`
 
@@ -128,6 +133,7 @@ func NewFromEnv(ctx context.Context, eventLogs *eventshub.EventLogs) *Receiver {
 
 	return &Receiver{
 		Name:                env.ReceiverName,
+		EnforceTLS:          env.EnforceTLS,
 		EventLogs:           eventLogs,
 		ctx:                 ctx,
 		replyFunc:           replyFunc,
@@ -149,16 +155,33 @@ func (o *Receiver) Start(ctx context.Context, handlerFuncs ...func(handler http.
 	}
 
 	server := &http.Server{Addr: ":8080", Handler: handler}
+	serverTLS := &http.Server{
+		Addr: ":8443",
+		TLSConfig: &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		},
+		Handler: handler,
+	}
 
-	var err error
+	var httpErr error
 	go func() {
-		err = server.ListenAndServe()
+		httpErr = server.ListenAndServe()
 	}()
+	var httpsErr error
+	if o.EnforceTLS {
+		go func() {
+			httpsErr = serverTLS.ListenAndServeTLS("/etc/tls/certificates/tls.crt", "/etc/tls/certificates/tls.key")
+		}()
+		defer serverTLS.Close()
+	}
 
 	<-ctx.Done()
 
-	if err != nil {
-		return fmt.Errorf("error while starting the HTTP server: %w", err)
+	if httpErr != nil {
+		return fmt.Errorf("error while starting the HTTP server: %w", httpErr)
+	}
+	if httpsErr != nil {
+		return fmt.Errorf("error while starting the HTTPS server: %w", httpsErr)
 	}
 
 	logging.FromContext(ctx).Info("Closing the HTTP server")
@@ -175,6 +198,11 @@ func (o *Receiver) ServeHTTP(writer http.ResponseWriter, request *http.Request)
 		return
 	}
 
+	var rejectErr error
+	if o.EnforceTLS && !isTLS(request) {
+		rejectErr = fmt.Errorf("failed to enforce TLS connection for request %s", request.RequestURI)
+	}
+
 	m := cloudeventshttp.NewMessageFromHttpRequest(request)
 	defer m.Finish(nil)
 
@@ -190,15 +218,17 @@ func (o *Receiver) ServeHTTP(writer http.ResponseWriter, request *http.Request)
 		headers.Set("Host", request.Host)
 	}
 
-	eventErrStr := ""
-	if eventErr != nil {
-		eventErrStr = eventErr.Error()
+	errString := ""
+	if rejectErr != nil {
+		errString = rejectErr.Error()
+	} else if eventErr != nil {
+		errString = eventErr.Error()
 	}
 
 	shouldSkip := o.counter.Skip()
 	var s uint64
 	var kind eventshub.EventKind
-	if shouldSkip {
+	if shouldSkip || rejectErr != nil {
 		kind = eventshub.EventRejected
 		s = atomic.AddUint64(&o.dropSeq, 1)
 	} else {
@@ -207,7 +237,7 @@ func (o *Receiver) ServeHTTP(writer http.ResponseWriter, request *http.Request)
 	}
 
 	eventInfo := eventshub.EventInfo{
-		Error:       eventErrStr,
+		Error:       errString,
 		Event:       event,
 		HTTPHeaders: headers,
 		Origin:      request.RemoteAddr,
@@ -226,7 +256,12 @@ func (o *Receiver) ServeHTTP(writer http.ResponseWriter, request *http.Request)
 		time.Sleep(o.responseWaitTime)
 	}
 
-	if shouldSkip {
+	if rejectErr != nil {
+		for headerKey, headerValue := range o.skipResponseHeaders {
+			writer.Header().Set(headerKey, headerValue)
+		}
+		writer.WriteHeader(http.StatusBadRequest)
+	} else if shouldSkip {
 		// Trigger a redelivery
 		for headerKey, headerValue := range o.skipResponseHeaders {
 			writer.Header().Set(headerKey, headerValue)
@@ -237,3 +272,8 @@ func (o *Receiver) ServeHTTP(writer http.ResponseWriter, request *http.Request)
 		o.replyFunc(o.ctx, writer, eventInfo)
 	}
 }
+
+func isTLS(request *http.Request) bool {
+	return strings.EqualFold(request.URL.Scheme, "https") &&
+		request.TLS != nil && request.TLS.HandshakeComplete
+}