From 2a124bdc26fa6d1f4fee1731e9d3f9610bccf12e Mon Sep 17 00:00:00 2001
From: knative-automation
Date: Tue, 24 Jan 2023 00:17:38 -0500
Subject: [PATCH] upgrade to latest dependencies (#1769)

bumping knative.dev/eventing 9417125...7e899fd:
> 7e899fd Reduce log noise in upgrade tests (# 6693)
bumping knative.dev/networking e9d3a55...db2bcbe:
> db2bcbe Assert all the expected DNSNames are part of the HTTP01 challenge (# 757)
bumping knative.dev/serving 6b7e09a...897b61a:
> 897b61a Change HTTP01 test DNS entry to *.{custom-domain} (# 13636)
> 9004443 Allow challenges for hosts that don't match the route's host (# 13637)
> 188dc1a Update net-certmanager nightly (# 13631)
> 09bc85c Update net-kourier nightly (# 13634)
> 87f5b62 Update net-contour nightly (# 13635)
> 760b2f7 Update net-istio nightly (# 13632)
> 8b28d41 Update net-gateway-api nightly (# 13633)
> 550a6f5 Clean up `go_run` functions (# 13628)
> d2d5723 Don't explicitly require a service account key for autotls dns tests (# 13627)
> 6906c92 Refactor autoscaler TestContext (# 13618)
> 8722a63 Update net-contour nightly (# 13624)
> e05aa3a Add validation to warn about insecure SecurityContext defaults (# 13399)
> 4a339c6 Update net-kourier nightly (# 13626)
> b10db15 Update net-gateway-api nightly (# 13623)
> 5b59ae0 Update net-certmanager nightly (# 13625)
> 04df00a DomainMapping: Set Certificate.Spec.Domain (# 13620)
> 94d23ac Set 'Domain' in kcert (# 13569)
> a4fcb9d Update net-certmanager nightly (# 13619)

Signed-off-by: Knative Automation
Signed-off-by: Knative Automation
---
 go.mod | 6 +-
 go.sum | 12 ++--
 .../pkg/apis/serving/k8s_validation.go | 64 +++++++++++++++++++
 .../serving/test/e2e-auto-tls-tests.sh | 2 +-
 vendor/knative.dev/serving/test/e2e-common.sh | 4 +-
 vendor/modules.txt | 6 +-
 6 files changed, 79 insertions(+), 15 deletions(-)

diff --git a/go.mod b/go.mod
index 976547ef4..befe9e318 100644
--- a/go.mod
+++ b/go.mod
@@ -20,11 +20,11 @@ require (
 k8s.io/cli-runtime v0.25.2
 k8s.io/client-go v0.25.4
 k8s.io/code-generator v0.25.4
- knative.dev/eventing v0.35.1-0.20230118083600-9417125b1468
+ knative.dev/eventing v0.35.1-0.20230120082502-7e899fd166de
 knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9
- knative.dev/networking v0.0.0-20230118220600-e9d3a55facee
+ knative.dev/networking v0.0.0-20230123233838-db2bcbea2560
 knative.dev/pkg v0.0.0-20230117181655-247510c00e9d
- knative.dev/serving v0.35.1-0.20230119001800-6b7e09ac25e8
+ knative.dev/serving v0.35.1-0.20230123204038-897b61aaa91a
 sigs.k8s.io/yaml v1.3.0
 )
diff --git a/go.sum b/go.sum
index 7a8f36566..d3634bf6f 100644
--- a/go.sum
+++ b/go.sum
@@ -1086,16 +1086,16 @@ k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkI
 k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.35.1-0.20230118083600-9417125b1468 h1:N6Nh3b46f+iAOuu/14P488TMBieF6/tC9NA+83LAxqM=
-knative.dev/eventing v0.35.1-0.20230118083600-9417125b1468/go.mod h1:PqYrXKXhZU7rQaS5TQuZDSOd9jPX7AegF8uNNUY4kcU=
+knative.dev/eventing v0.35.1-0.20230120082502-7e899fd166de h1:mTwmkYvaPsDCxzQaSjT9BKcf4BQ1zcFSkTIFVGHww3Y=
+knative.dev/eventing v0.35.1-0.20230120082502-7e899fd166de/go.mod h1:PqYrXKXhZU7rQaS5TQuZDSOd9jPX7AegF8uNNUY4kcU=
 knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9 h1:CDa7s9KspEZqPhk7cN68ZypRLuAvSgr+knoOaXSsrHk=
 knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/networking v0.0.0-20230118220600-e9d3a55facee h1:8KYvxZFaP/LgOE+zVvcG5SpdEK1b03eETvaCauoeCUs=
-knative.dev/networking v0.0.0-20230118220600-e9d3a55facee/go.mod h1:rn1yRurhkxmSFkpqs/YdG7b9DiYj0VlmLFzBdOQjpOo=
+knative.dev/networking v0.0.0-20230123233838-db2bcbea2560 h1:iprdS5tKTXtgV9dGryuwJJJTTdl5LusCHOelKdezR3I=
+knative.dev/networking v0.0.0-20230123233838-db2bcbea2560/go.mod h1:rn1yRurhkxmSFkpqs/YdG7b9DiYj0VlmLFzBdOQjpOo=
 knative.dev/pkg v0.0.0-20230117181655-247510c00e9d h1:pjKDcvHoMib8nRp56eISRmMj/pFMzJljnzvMvGCIReI=
 knative.dev/pkg v0.0.0-20230117181655-247510c00e9d/go.mod h1:VO/fcEsq43seuONRQxZyftWHjpMabYzRHDtpSEQ/eoQ=
-knative.dev/serving v0.35.1-0.20230119001800-6b7e09ac25e8 h1:9id7E3O0KkMFvtO4TbjYXXIJT7kr1JNiN/t14iMofLc=
-knative.dev/serving v0.35.1-0.20230119001800-6b7e09ac25e8/go.mod h1:JSbgFN3qNLqEZhNtn6uZLIj7Aaut+hhYEcsyrkfEXTE=
+knative.dev/serving v0.35.1-0.20230123204038-897b61aaa91a h1:EFgNwvcbmiswVuE+TNYl+UiiVM4Q+5FHvsKfpiJNWkI=
+knative.dev/serving v0.35.1-0.20230123204038-897b61aaa91a/go.mod h1:WdVK1b42aahKc8WewW5YLPjp46QK4+D8R9lq3PNuRYg=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go b/vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go
index 4a9606770..55ae1173f 100644
--- a/vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go
+++ b/vendor/knative.dev/serving/pkg/apis/serving/k8s_validation.go
@@ -341,6 +341,17 @@ func ValidatePodSpec(ctx context.Context, ps corev1.PodSpec) *apis.FieldError {
 errs = errs.Also(ValidatePodSecurityContext(ctx, ps.SecurityContext).ViaField("securityContext"))
+ for i := range ps.Containers {
+ errs = errs.Also(
+ warnDefaultContainerSecurityContext(ctx, ps.SecurityContext, ps.Containers[i].SecurityContext).
+ ViaField("securityContext").ViaFieldIndex("containers", i))
+ }
+ for i := range ps.InitContainers {
+ errs = errs.Also(
+ warnDefaultContainerSecurityContext(ctx, ps.SecurityContext, ps.InitContainers[i].SecurityContext).
+ ViaField("securityContext").ViaFieldIndex("initContainers", i))
+ }
+
 volumes, err := ValidateVolumes(ctx, ps.Volumes, AllMountedVolumes(append(ps.InitContainers, ps.Containers...)))
 errs = errs.Also(err.ViaField("volumes"))
@@ -872,6 +883,59 @@ func ValidatePodSecurityContext(ctx context.Context, sc *corev1.PodSecurityConte
 return errs
 }
+// warnDefaultContainerSecurityContext warns about Kubernetes default
+// SecurityContext values which are unset and thus insecure (i.e. the
+// "restricted" profile forbids these values). Because securityContext values
+// may also be set at the Pod level, the container-level settings need to be
+// considered alongside the Pod-level settings.
+//
+// Note that this **explicitly** does not warn on dangerous SecurityContext
+// settings, the purpose is to avoid accidentally-insecure settings, not to
+// block deliberate use of dangerous settings.
+func warnDefaultContainerSecurityContext(_ context.Context, psc *corev1.PodSecurityContext, sc *corev1.SecurityContext) *apis.FieldError {
+ if sc == nil {
+ sc = &corev1.SecurityContext{}
+ }
+ if psc == nil {
+ psc = &corev1.PodSecurityContext{}
+ }
+
+ insecureDefault := func(fieldPath string) *apis.FieldError {
+ return apis.ErrGeneric("Kubernetes default value is insecure, Knative may default this to secure in a future release", fieldPath).At(apis.WarningLevel)
+ }
+
+ var errs *apis.FieldError
+ if psc.RunAsNonRoot == nil && sc.RunAsNonRoot == nil {
+ errs = errs.Also(insecureDefault("runAsNonRoot"))
+ }
+
+ if sc.AllowPrivilegeEscalation == nil {
+ errs = errs.Also(insecureDefault("allowPrivilegeEscalation"))
+ }
+
+ if sc.SeccompProfile == nil && psc.SeccompProfile == nil {
+ errs = errs.Also(insecureDefault("seccompProfile"))
+ } else {
+ pscIsDefault := psc.SeccompProfile == nil || psc.SeccompProfile.Type == ""
+ scIsDefault := sc.SeccompProfile == nil || sc.SeccompProfile.Type == ""
+ if pscIsDefault && scIsDefault {
+ errs = errs.Also(insecureDefault("seccompProfile.type"))
+ }
+ }
+
+ if sc.Capabilities == nil {
+ errs = errs.Also(insecureDefault("capabilities"))
+ } else {
+ if sc.Capabilities.Drop == nil {
+ errs = errs.Also(insecureDefault("capabilities.drop"))
+ } else if len(sc.Capabilities.Drop) > 0 && sc.Capabilities.Drop[0] == "all" {
+ // Sometimes, people mis-spell "ALL" as "all", which does nothing.
+ errs = errs.Also(apis.ErrInvalidValue("all", "capabilities.drop", "Must be spelled as 'ALL'").At(apis.WarningLevel))
+ }
+ }
+ return errs
+}
+
 // This is attached to contexts as they are passed down through a user container
 // being validated.
 type userContainer struct{}
diff --git a/vendor/knative.dev/serving/test/e2e-auto-tls-tests.sh b/vendor/knative.dev/serving/test/e2e-auto-tls-tests.sh
index 861921069..a0a1583cb 100644
--- a/vendor/knative.dev/serving/test/e2e-auto-tls-tests.sh
+++ b/vendor/knative.dev/serving/test/e2e-auto-tls-tests.sh
@@ -86,7 +86,7 @@ function setup_http01_auto_tls() {
 # Rely on the built-in naming (for logstream)
 unset TLS_SERVICE_NAME
 # The full host name of the Knative Service. This is used to configure the DNS record.
- export AUTO_TLS_TEST_FULL_HOST_NAME="*.${TLS_TEST_NAMESPACE}.${CUSTOM_DOMAIN_SUFFIX}"
+ export AUTO_TLS_TEST_FULL_HOST_NAME="*.${CUSTOM_DOMAIN_SUFFIX}"
 kubectl delete kcert --all -n "${TLS_TEST_NAMESPACE}"
diff --git a/vendor/knative.dev/serving/test/e2e-common.sh b/vendor/knative.dev/serving/test/e2e-common.sh
index 90acb1915..7d8097e1e 100644
--- a/vendor/knative.dev/serving/test/e2e-common.sh
+++ b/vendor/knative.dev/serving/test/e2e-common.sh
@@ -592,10 +592,10 @@ function overlay_system_namespace() {
 }
 function run_ytt() {
- run_go_tool github.com/vmware-tanzu/carvel-ytt/cmd/ytt ytt "$@"
+ go_run github.com/vmware-tanzu/carvel-ytt/cmd/ytt@v0.44.1 "$@"
 }
 function run_kapp() {
- run_go_tool github.com/vmware-tanzu/carvel-kapp/cmd/kapp kapp "$@"
+ go_run github.com/vmware-tanzu/carvel-kapp/cmd/kapp@v0.54.1 "$@"
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 2906314fc..3e42120d6 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -917,7 +917,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/eventing v0.35.1-0.20230118083600-9417125b1468
+# knative.dev/eventing v0.35.1-0.20230120082502-7e899fd166de
 ## explicit; go 1.18
 knative.dev/eventing/pkg/apis/config
 knative.dev/eventing/pkg/apis/duck
@@ -948,7 +948,7 @@ knative.dev/eventing/pkg/client/clientset/versioned/typed/sources/v1beta2/fake
 # knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9
 ## explicit; go 1.18
 knative.dev/hack
-# knative.dev/networking v0.0.0-20230118220600-e9d3a55facee
+# knative.dev/networking v0.0.0-20230123233838-db2bcbea2560
 ## explicit; go 1.18
 knative.dev/networking/pkg
 knative.dev/networking/pkg/apis/networking
@@ -1013,7 +1013,7 @@ knative.dev/pkg/tracing/config
 knative.dev/pkg/tracing/propagation
 knative.dev/pkg/tracing/propagation/tracecontextb3
 knative.dev/pkg/tracker
-# knative.dev/serving v0.35.1-0.20230119001800-6b7e09ac25e8
+# knative.dev/serving v0.35.1-0.20230123204038-897b61aaa91a
 ## explicit; go 1.18
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1