feat: add new otel config (#8624 )

* feat: add new otel config Signed-off-by: Calum Murray <cmurray@redhat.com> * chore: run ./hack/update-deps.sh Signed-off-by: Calum Murray <cmurray@redhat.com> * chore: fix boilerplate comments to use tabs instead of spaces Signed-off-by: Calum Murray <cmurray@redhat.com> * fix(test): otel config tests work Signed-off-by: Calum Murray <cmurray@redhat.com> * fix: configmap comments reflect eventing resources, not serving Signed-off-by: Calum Murray <cmurray@redhat.com> * change example metrics url to more sensible value Signed-off-by: Calum Murray <cmurray@redhat.com> * chore: update codegen to correct configmap checksum Signed-off-by: Calum Murray <cmurray@redhat.com> * cleanup: drop request metrics as they are unused in eventing Signed-off-by: Calum Murray <cmurray@redhat.com> * chore: fix configmap checksum Signed-off-by: Calum Murray <cmurray@redhat.com> --------- Signed-off-by: Calum Murray <cmurray@redhat.com>
[main] Upgrade to latest dependencies (#8625 )
2025-07-11 18:10:06 +00:00 · 2025-07-09 06:50:03 +00:00 · 2025-07-08 15:51:02 +00:00 · 2025-07-08 12:05:03 +00:00 · 2025-07-08 01:37:51 +00:00 · 2025-06-30 14:16:11 +00:00
4343 changed files with 413088 additions and 130355 deletions
--- a/.github/workflows/kind-e2e.yaml
+++ b/.github/workflows/kind-e2e.yaml
@ -17,25 +17,15 @@ jobs:
      fail-fast: false # Keep running if one leg fails.
      matrix:
        k8s-version:
-        - v1.28.7
-        - v1.29.0
+          - v1.32.x
+          - v1.33.x

        test-suite:
        - ./test/e2e
        - ./test/conformance
        - ./test/experimental

-        # Map between K8s and KinD versions.
-        # This is attempting to make it a bit clearer what's being tested.
-        # See: https://github.com/kubernetes-sigs/kind/releases/tag/v0.20.0
        include:
-        - k8s-version: v1.28.7
-          kind-version: v0.21.0
-          kind-image-sha: sha256:9bc6c451a289cf96ad0bbaf33d416901de6fd632415b076ab05f5fa7e4f65c58
-        - k8s-version: v1.29.0
-          kind-version: v0.21.0
-          kind-image-sha: sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570
-
        # Add the flags we use for each of these test suites.
        - test-suite: ./test/e2e
          extra-test-flags: >
@ -55,7 +45,6 @@ jobs:
      ARTIFACTS: ${{ github.workspace }}/artifacts

      NODE_VERSION: ${{ matrix.k8s-version }}
-      NODE_SHA: ${{ matrix.kind-image-sha }}

    steps:
    - name: Set up Go
@ -63,26 +52,18 @@ jobs:

    # Install the latest release of ko
    - name: Install ko
-      uses: ko-build/setup-ko@v0.6
+      uses: ko-build/setup-ko@v0.9

    - name: Check out code onto GOPATH
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4

    - name: Install KinD
-      run: |
-        set -x
-
-        # Disable swap otherwise memory enforcement doesn't work
-        # See: https://kubernetes.slack.com/archives/CEKK1KTN2/p1600009955324200
-        sudo swapoff -a
-        sudo rm -f /swapfile
-
-        curl -Lo ./kind https://github.com/kubernetes-sigs/kind/releases/download/${{ matrix.kind-version }}/kind-$(uname)-amd64
-        chmod +x ./kind
-        sudo mv kind /usr/local/bin
-
-    - name: Create KinD Cluster
-      run: ./hack/create-kind-cluster.sh
+      # TODO: replace with chainguard-dev/actions/setup-kind
+      uses: chainguard-dev/actions/setup-kind@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # main
+      with:
+        k8s-version: ${{ matrix.k8s-version }}
+        kind-worker-count: 1
+        cluster-suffix: c${{ github.run_id }}.local

    - name: Install Knative Eventing
      run: |
--- a/.github/workflows/weekly-office-hours-slack-reminder.yaml
+++ b/.github/workflows/weekly-office-hours-slack-reminder.yaml
@ -0,0 +1,36 @@
+# Copyright 2024 The Knative Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'Weekly Eventing WG Office Hours Slack Reminder'
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: 0 14 * * 4 # 1 hour before the meeting time
+
+jobs:
+  remind:
+    name: weekly-eventing-office-hours-reminder
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: Post reminder to Slack
+        uses: rtCamp/action-slack-notify@v2.2.1
+        env:
+          SLACK_ICON: http://github.com/knative.png?size=48
+          SLACK_USERNAME: github-actions
+          SLACK_TITLE: Knative Eventing Office Hours Reminder
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+          MSG_MINIMAL: 'true'
+          SLACK_CHANNEL: 'knative-eventing'
+          SLACK_MESSAGE: "This is a friendly reminder that the Knative Eventing Office Hours start in 1 hour. We hope to see you there! Please join the zoom meeting: https://zoom.us/j/92717482035?pwd=SnBiWnl6MXRvcUNFWHZ4Wkt5Z0FYZz09"
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -1,16 +1,11 @@
+version: "2"
 run:
-  timeout: 10m
-
  build-tags:
    - e2e
    - probe
    - preupgrade
    - postupgrade
    - postdowngrade
-
-  skip-dirs:
-    - pkg/client
-
 linters:
  enable:
    - asciicheck
@ -20,10 +15,53 @@ linters:
    - unparam
  disable:
    - errcheck
-
-issues:
-  exclude-rules:
-    - path: test # Excludes /test, *_test.go etc.
-      linters:
-        - gosec
-        - unparam
+  settings:
+    staticcheck:
+      checks:
+      - all
+      - '-SA1019'  # Temporary ignore SA1019: use of deprecated types or methods
+      - '-ST1003'  # Temporary ignore ST1003: We have a lot of "Api" where it should be "API"
+      - '-ST1005'  # Temporary ignore ST1005: error strings should not be capitalized
+      - '-ST1016'  # Temporary ignore ST1016: methods on the same type should have the same receiver name
+      - '-ST1019'  # Temporary ignore ST1019: multiple imports of a module with different names
+      - '-QF1002'  # Temporary ignore QF1002: could use tagged switch
+      - '-QF1003'  # Temporary ignore QF1003: Convert if/else-if chain to tagged switch
+      - '-QF1007'  # Temporary ignore QF1007: merge conditional assignment into variable declaration
+      - '-QF1008'  # Temporary ignore QF1008: Omit embedded fields from selector expression
+      - '-QF1009'  # Temporary ignore QF1009: Merge conditional assignment into variable declaration
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - gosec
+          - unparam
+        path: test
+      - linters:
+          - staticcheck
+        text: "ST1003"  # A lot of "Api" instead of "API" names
+        path: pkg/reconciler/testing/v1/apiserversource.go
+      - linters:
+          - staticcheck
+        text: "ST1001"  # Prohibit dot imports
+        path: test/e2e/helpers/.*_helper.go
+      - linters:
+          - staticcheck
+        text: "ST1001"  # Prohibit dot imports
+        path: test/rekt/features/.*.go
+    paths:
+      - pkg/client
+      - third_party/
+      - builtin$
+      - examples$
+formatters:
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
--- a/46
+++ b/46
@ -6,19 +6,14 @@ aliases:
  - itsmurugappan
  client-wg-leads:
  - dsimansk
-  - rhuss
  client-writers:
  - dsimansk
-  - maximilien
-  - rhuss
  - vyasgun
  docs-reviewers:
  - nainaz
-  - retocode
  - skonto
  docs-writers:
  - csantanapr
-  - retocode
  - skonto
  eventing-reviewers:
  - Leo6Leo
@ -26,8 +21,10 @@ aliases:
  - cali0707
  - creydr
  eventing-wg-leads:
+  - creydr
  - pierDipi
  eventing-writers:
+  - Leo6Leo
  - aliok
  - cali0707
  - creydr
@ -49,30 +46,25 @@ aliases:
  - lkingland
  - salaboy
  knative-admin:
-  - Cali0707
-  - Leo6Leo
-  - ReToCode
  - aliok
  - cardil
-  - davidhadas
  - dprotaso
  - dsimansk
  - evankanderson
+  - gauron99
  - knative-automation
  - knative-prow-releaser-robot
  - knative-prow-robot
  - knative-prow-updater-robot
  - knative-test-reporter-robot
-  - nainaz
-  - psschwei
-  - salaboy
+  - matzew
+  - nrrso
  - skonto
  - upodroid
  knative-release-leads:
-  - Cali0707
-  - Leo6Leo
-  - ReToCode
+  - dprotaso
  - dsimansk
+  - gauron99
  - skonto
  knative-robots:
  - knative-automation
@ -84,14 +76,12 @@ aliases:
  - aliok
  - houshengbo
  - matzew
-  - maximilien
  operations-wg-leads:
  - houshengbo
  operations-writers:
  - aliok
  - houshengbo
  - matzew
-  - maximilien
  productivity-leads:
  - cardil
  - upodroid
@ -111,39 +101,31 @@ aliases:
  - davidhadas
  - evankanderson
  serving-approvers:
-  - ReToCode
+  - dsimansk
  - skonto
  serving-reviewers:
-  - izabelacg
-  - retocode
  - skonto
  serving-triage:
-  - izabelacg
-  - retocode
  - skonto
  serving-wg-leads:
  - dprotaso
  serving-writers:
-  - ReToCode
  - dprotaso
+  - dsimansk
  - skonto
  steering-committee:
  - aliok
-  - evankanderson
-  - nainaz
-  - salaboy
-  technical-oversight-committee:
-  - davidhadas
  - dprotaso
-  - dsimansk
-  - psschwei
+  - evankanderson
+  - matzew
+  - nrrso
  ux-wg-leads:
+  - Leo6Leo
  - cali0707
-  - leo6leo
  - mmejia02
  - zainabhusain227
  ux-writers:
+  - Leo6Leo
  - cali0707
-  - leo6leo
  - mmejia02
  - zainabhusain227
--- a/cmd/broker/filter/main.go
+++ b/cmd/broker/filter/main.go
@ -21,6 +21,8 @@ import (
 	"fmt"
 	"log"

+	eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy"
+
 	"github.com/google/uuid"
 	"github.com/kelseyhightower/envconfig"
 	"go.uber.org/zap"
@ -45,7 +47,8 @@ import (
 	eventingclient "knative.dev/eventing/pkg/client/injection/client"
 	brokerinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker"
 	triggerinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger"
-	eventtypeinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1beta2/eventtype"
+	eventtypeinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1beta3/eventtype"
+	subscriptioninformer "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription"
 	"knative.dev/eventing/pkg/eventingtls"
 	"knative.dev/eventing/pkg/eventtype"
 	"knative.dev/eventing/pkg/reconciler/names"
@ -117,6 +120,8 @@ func main() {
 	// Watch the observability config map and dynamically update request logs.
 	configMapWatcher.Watch(logging.ConfigMapName(), logging.UpdateLevelFromConfigMap(sl, atomicLevel, component))

+	trustBundleConfigMapLister := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
+
 	var featureStore *feature.Store
 	var handler *filter.Handler

@ -125,13 +130,12 @@ func main() {
 		if featureFlags.IsEnabled(feature.EvenTypeAutoCreate) && featureStore != nil && handler != nil {
 			autoCreate := &eventtype.EventTypeAutoHandler{
 				EventTypeLister: eventtypeinformer.Get(ctx).Lister(),
-				EventingClient:  eventingclient.Get(ctx).EventingV1beta2(),
+				EventingClient:  eventingclient.Get(ctx).EventingV1beta3(),
 				FeatureStore:    featureStore,
 				Logger:          logger,
 			}
 			handler.EventTypeCreator = autoCreate
 		}
-
 	})
 	featureStore.WatchConfigs(configMapWatcher)

@ -151,9 +155,8 @@ func main() {
 	oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
 	// We are running both the receiver (takes messages in from the Broker) and the dispatcher (send
 	// the messages to the triggers' subscribers) in this binary.
-	oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx)
-	trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
-	handler, err = filter.NewHandler(logger, oidcTokenVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), reporter, trustBundleConfigMapInformer, ctxFunc)
+	authVerifier := auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister(), trustBundleConfigMapLister, configMapWatcher)
+	handler, err = filter.NewHandler(logger, authVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), subscriptioninformer.Get(ctx), reporter, trustBundleConfigMapLister, ctxFunc)
 	if err != nil {
 		logger.Fatal("Error creating Handler", zap.Error(err))
 	}
--- a/cmd/broker/ingress/main.go
+++ b/cmd/broker/ingress/main.go
@ -49,7 +49,8 @@ import (
 	"knative.dev/eventing/pkg/broker/ingress"
 	eventingclient "knative.dev/eventing/pkg/client/injection/client"
 	brokerinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker"
-	eventtypeinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1beta2/eventtype"
+	eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy"
+	eventtypeinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1beta3/eventtype"
 	"knative.dev/eventing/pkg/eventingtls"
 	"knative.dev/eventing/pkg/eventtype"
 	"knative.dev/eventing/pkg/reconciler/names"
@ -74,7 +75,7 @@ type envConfig struct {
 	PodName       string `envconfig:"POD_NAME" required:"true"`
 	ContainerName string `envconfig:"CONTAINER_NAME" required:"true"`
 	Port          int    `envconfig:"INGRESS_PORT" default:"8080"`
-	MaxTTL        int    `envconfig:"MAX_TTL" default:"255"`
+	MaxTTL        int32  `envconfig:"MAX_TTL" default:"255"`
 	HTTPPort      int    `envconfig:"INGRESS_PORT" default:"8080"`
 	HTTPSPort     int    `envconfig:"INGRESS_PORT_HTTPS" default:"8443"`
 }
@ -142,6 +143,8 @@ func main() {
 		logger.Fatal("Error setting up trace publishing", zap.Error(err))
 	}

+	trustBundleConfigMapLister := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
+
 	var featureStore *feature.Store
 	var handler *ingress.Handler

@ -150,7 +153,7 @@ func main() {
 		if featureFlags.IsEnabled(feature.EvenTypeAutoCreate) && featureStore != nil && handler != nil {
 			autoCreate := &eventtype.EventTypeAutoHandler{
 				EventTypeLister: eventtypeinformer.Get(ctx).Lister(),
-				EventingClient:  eventingclient.Get(ctx).EventingV1beta2(),
+				EventingClient:  eventingclient.Get(ctx).EventingV1beta3(),
 				FeatureStore:    featureStore,
 				Logger:          logger,
 			}
@ -167,9 +170,8 @@ func main() {
 	reporter := ingress.NewStatsReporter(env.ContainerName, kmeta.ChildName(env.PodName, uuid.New().String()))

 	oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
-	oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx)
-	trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
-	handler, err = ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, int32(env.MaxTTL)), brokerInformer, oidcTokenVerifier, oidcTokenProvider, trustBundleConfigMapInformer, ctxFunc)
+	authVerifier := auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister(), trustBundleConfigMapLister, configMapWatcher)
+	handler, err = ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, env.MaxTTL), brokerInformer, authVerifier, oidcTokenProvider, trustBundleConfigMapLister, ctxFunc)
 	if err != nil {
 		logger.Fatal("Error creating Handler", zap.Error(err))
 	}
@ -188,7 +190,7 @@ func main() {
 	if featureStore.IsEnabled(feature.EvenTypeAutoCreate) {
 		autoCreate := &eventtype.EventTypeAutoHandler{
 			EventTypeLister: eventtypeinformer.Get(ctx).Lister(),
-			EventingClient:  eventingclient.Get(ctx).EventingV1beta2(),
+			EventingClient:  eventingclient.Get(ctx).EventingV1beta3(),
 			FeatureStore:    featureStore,
 			Logger:          logger,
 		}
--- a/cmd/controller/main.go
+++ b/cmd/controller/main.go
@ -20,27 +20,27 @@ import (
 	// Uncomment the following line to load the gcp plugin (only required to authenticate against GKE clusters).
 	// _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"

-	"errors"
-	"log"
-	"net/http"
-	"os"
-	"time"
-
+	"knative.dev/eventing/pkg/certificates"
 	"knative.dev/pkg/injection/sharedmain"

-	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
+	kubefilteredfactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	"knative.dev/pkg/signals"

+	eventingfilteredfactory "knative.dev/eventing/pkg/client/injection/informers/factory/filtered"
+
 	"knative.dev/eventing/pkg/apis/sinks"
 	"knative.dev/eventing/pkg/auth"
 	"knative.dev/eventing/pkg/eventingtls"
 	"knative.dev/eventing/pkg/reconciler/eventpolicy"
+	"knative.dev/eventing/pkg/reconciler/eventtransform"
 	"knative.dev/eventing/pkg/reconciler/jobsink"

 	"knative.dev/eventing/pkg/reconciler/apiserversource"
 	"knative.dev/eventing/pkg/reconciler/channel"
 	"knative.dev/eventing/pkg/reconciler/containersource"
 	"knative.dev/eventing/pkg/reconciler/eventtype"
+	integrationsink "knative.dev/eventing/pkg/reconciler/integration/sink"
+	integrationsource "knative.dev/eventing/pkg/reconciler/integration/source"
 	"knative.dev/eventing/pkg/reconciler/parallel"
 	"knative.dev/eventing/pkg/reconciler/pingsource"
 	"knative.dev/eventing/pkg/reconciler/sequence"
@ -51,40 +51,18 @@ import (
 )

 func main() {
-
 	ctx := signals.NewContext()

-	port := os.Getenv("PROBES_PORT")
-	if port == "" {
-		port = "8080"
-	}
-
-	// sets up liveness and readiness probes.
-	server := http.Server{
-		ReadTimeout: 5 * time.Second,
-		Handler:     http.HandlerFunc(handler),
-		Addr:        ":" + port,
-	}
-
-	go func() {
-
-		go func() {
-			<-ctx.Done()
-			_ = server.Shutdown(ctx)
-		}()
-
-		// start the web server on port and accept requests
-		log.Printf("Readiness and health check server listening on port %s", port)
-
-		if err := server.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
-			log.Fatal(err)
-		}
-	}()
-
-	ctx = filteredFactory.WithSelectors(ctx,
+	ctx = kubefilteredfactory.WithSelectors(ctx,
 		auth.OIDCLabelSelector,
 		eventingtls.TrustBundleLabelSelector,
 		sinks.JobSinkJobsLabelSelector,
+		eventtransform.JsonataResourcesSelector,
+		certificates.SecretLabelSelectorPair,
+	)
+
+	ctx = eventingfilteredfactory.WithSelectors(ctx,
+		eventtransform.JsonataResourcesSelector,
 	)

 	sharedmain.MainWithContext(ctx, "controller",
@ -104,18 +82,20 @@ func main() {
 		apiserversource.NewController,
 		pingsource.NewController,
 		containersource.NewController,
+		integrationsource.NewController,
+
 		// Sources CRD
 		sourcecrd.NewController,

 		// Sinks
 		jobsink.NewController,
+		integrationsink.NewController,

 		// Sugar
 		sugarnamespace.NewController,
 		sugartrigger.NewController,
+
+		// Transform
+		eventtransform.NewController,
 	)
 }
-
-func handler(w http.ResponseWriter, r *http.Request) {
-	w.WriteHeader(http.StatusOK)
-}
--- a/cmd/in_memory/channel_dispatcher/main.go
+++ b/cmd/in_memory/channel_dispatcher/main.go
@ -44,6 +44,8 @@ func main() {
 		eventingtls.TrustBundleLabelSelector,
 	)

+	ctx = sharedmain.WithHealthProbesDisabled(ctx)
+
 	sharedmain.MainWithContext(ctx, "inmemorychannel-dispatcher",
 		inmemorychannel.NewController,
 	)
--- a/cmd/jobsink/main.go
+++ b/cmd/jobsink/main.go
@ -20,11 +20,15 @@ import (
 	"context"
 	"crypto/md5" //nolint:gosec
 	"crypto/tls"
+	"encoding/hex"
 	"fmt"
 	"log"
 	"net/http"
 	"strings"

+	configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
+
 	"github.com/cloudevents/sdk-go/v2/binding"
 	cehttp "github.com/cloudevents/sdk-go/v2/protocol/http"
 	"go.uber.org/zap"
@ -54,6 +58,7 @@ import (
 	"knative.dev/eventing/pkg/apis/sinks"
 	sinksv "knative.dev/eventing/pkg/apis/sinks/v1alpha1"
 	"knative.dev/eventing/pkg/auth"
+	eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy"
 	"knative.dev/eventing/pkg/client/injection/informers/sinks/v1alpha1/jobsink"
 	sinkslister "knative.dev/eventing/pkg/client/listers/sinks/v1alpha1"
 	"knative.dev/eventing/pkg/eventingtls"
@ -61,7 +66,7 @@ import (
 	"knative.dev/eventing/pkg/utils"
 )

-const component = "job-sink"
+const component = "job_sink"

 func main() {

@ -69,9 +74,13 @@ func main() {

 	cfg := injection.ParseAndGetRESTConfigOrDie()
 	ctx = injection.WithConfig(ctx, cfg)
+	ctx = filteredFactory.WithSelectors(ctx,
+		eventingtls.TrustBundleLabelSelector,
+	)

 	ctx, informers := injection.Default.SetupInformers(ctx, cfg)
 	ctx = injection.WithConfig(ctx, cfg)
+
 	loggingConfig, err := cmdbroker.GetLoggingConfig(ctx, system.Namespace(), logging.ConfigMapName())
 	if err != nil {
 		log.Fatal("Error loading/parsing logging configuration:", err)
@ -103,9 +112,10 @@ func main() {

 	logger.Info("Starting the JobSink Ingress")

-	featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) {
-		logger.Info("Updated", zap.String("name", name), zap.Any("value", value))
-	})
+	trustBundleConfigMapLister := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
+	var h *Handler
+
+	featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"))
 	featureStore.WatchConfigs(configMapWatcher)

 	// Decorate contexts with the current state of the feature config.
@ -113,11 +123,11 @@ func main() {
 		return logging.WithLogger(featureStore.ToContext(ctx), sl)
 	}

-	h := &Handler{
-		k8s:               kubeclient.Get(ctx),
-		lister:            jobsink.Get(ctx).Lister(),
-		withContext:       ctxFunc,
-		oidcTokenVerifier: auth.NewOIDCTokenVerifier(ctx),
+	h = &Handler{
+		k8s:          kubeclient.Get(ctx),
+		lister:       jobsink.Get(ctx).Lister(),
+		withContext:  ctxFunc,
+		authVerifier: auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister(), trustBundleConfigMapLister, configMapWatcher),
 	}

 	tlsConfig, err := getServerTLSConfig(ctx)
@ -158,10 +168,10 @@ func main() {
 }

 type Handler struct {
-	k8s               kubernetes.Interface
-	lister            sinkslister.JobSinkLister
-	withContext       func(ctx context.Context) context.Context
-	oidcTokenVerifier *auth.OIDCTokenVerifier
+	k8s          kubernetes.Interface
+	lister       sinkslister.JobSinkLister
+	withContext  func(ctx context.Context) context.Context
+	authVerifier *auth.Verifier
 }

 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@ -191,22 +201,19 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		Name:      parts[2],
 	}

+	js, err := h.lister.JobSinks(ref.Namespace).Get(ref.Name)
+	if err != nil {
+		logger.Warn("Failed to retrieve jobsink", zap.String("ref", ref.String()), zap.Error(err))
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
 	logger.Debug("Handling POST request", zap.String("URI", r.RequestURI))

-	features := feature.FromContext(ctx)
-	logger.Debug("features", zap.Any("features", features))
-
-	if features.IsOIDCAuthentication() {
-		logger.Debug("OIDC authentication is enabled")
-
-		audience := auth.GetAudienceDirect(sinksv.SchemeGroupVersion.WithKind("JobSink"), ref.Namespace, ref.Name)
-
-		err := h.oidcTokenVerifier.VerifyJWTFromRequest(ctx, r, &audience, w)
-		if err != nil {
-			logger.Warn("Error when validating the JWT token in the request", zap.Error(err))
-			return
-		}
-		logger.Debug("Request contained a valid JWT. Continuing...")
+	err = h.authVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w)
+	if err != nil {
+		logger.Warn("Failed to verify AuthN and AuthZ.", zap.Error(err))
+		return
 	}

 	message := cehttp.NewMessageFromHttpRequest(r)
@ -225,18 +232,11 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	js, err := h.lister.JobSinks(ref.Namespace).Get(ref.Name)
-	if err != nil {
-		logger.Warn("Failed to retrieve jobsink", zap.String("ref", ref.String()), zap.Error(err))
-		w.WriteHeader(http.StatusBadRequest)
-		return
-	}
-
-	id := toIdHashLabelValue(event.Source(), event.ID())
-	logger.Debug("Getting job for event", zap.String("URI", r.RequestURI), zap.String("id", id))
+	jobName := toJobName(ref.Name, event.Source(), event.ID())
+	logger.Debug("Getting job for event", zap.String("URI", r.RequestURI), zap.String("jobName", jobName))

 	jobs, err := h.k8s.BatchV1().Jobs(js.GetNamespace()).List(r.Context(), metav1.ListOptions{
-		LabelSelector: jobLabelSelector(ref, id),
+		LabelSelector: jobLabelSelector(ref, jobName),
 		Limit:         1,
 	})
 	if err != nil {
@ -257,56 +257,24 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	jobName := kmeta.ChildName(ref.Name, id)
-
-	logger.Debug("Creating secret for event", zap.String("URI", r.RequestURI), zap.String("jobName", jobName))
-
-	jobSinkUID := js.GetUID()
-
-	or := metav1.OwnerReference{
-		APIVersion:         sinksv.SchemeGroupVersion.String(),
-		Kind:               sinks.JobSinkResource.Resource,
-		Name:               js.GetName(),
-		UID:                jobSinkUID,
-		Controller:         ptr.Bool(true),
-		BlockOwnerDeletion: ptr.Bool(false),
-	}
-
-	secret := &corev1.Secret{
-		TypeMeta: metav1.TypeMeta{},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      jobName,
-			Namespace: ref.Namespace,
-			Labels: map[string]string{
-				sinks.JobSinkIDLabel:   id,
-				sinks.JobSinkNameLabel: ref.Name,
-			},
-			OwnerReferences: []metav1.OwnerReference{or},
-		},
-		Immutable: ptr.Bool(true),
-		Data:      map[string][]byte{"event": eventBytes},
-		Type:      corev1.SecretTypeOpaque,
-	}
-
-	_, err = h.k8s.CoreV1().Secrets(ref.Namespace).Create(r.Context(), secret, metav1.CreateOptions{})
-	if err != nil && !apierrors.IsAlreadyExists(err) {
-		logger.Warn("Failed to create secret", zap.Error(err))
-
-		w.Header().Add("Reason", err.Error())
-		w.WriteHeader(http.StatusInternalServerError)
-		return
-	}
-
-	logger.Debug("Creating job for event", zap.String("URI", r.RequestURI), zap.String("jobName", jobName))
+	js = js.DeepCopy() // Do not modify informer copy.
+	js.SetDefaults(ctx)

 	job := js.Spec.Job.DeepCopy()
 	job.Name = jobName
 	if job.Labels == nil {
 		job.Labels = make(map[string]string, 4)
 	}
-	job.Labels[sinks.JobSinkIDLabel] = id
+	job.Labels[sinks.JobSinkIDLabel] = jobName
 	job.Labels[sinks.JobSinkNameLabel] = ref.Name
-	job.OwnerReferences = append(job.OwnerReferences, or)
+	job.OwnerReferences = append(job.OwnerReferences, metav1.OwnerReference{
+		APIVersion:         sinksv.SchemeGroupVersion.String(),
+		Kind:               sinks.JobSinkResource.Resource,
+		Name:               js.GetName(),
+		UID:                js.GetUID(),
+		Controller:         ptr.Bool(true),
+		BlockOwnerDeletion: ptr.Bool(false),
+	})
 	var mountPathName string
 	for i := range job.Spec.Template.Spec.Containers {
 		found := false
@ -347,14 +315,66 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		})
 	}

-	_, err = h.k8s.BatchV1().Jobs(ref.Namespace).Create(r.Context(), job, metav1.CreateOptions{})
-	if err != nil {
+	logger.Debug("Creating job for event",
+		zap.String("URI", r.RequestURI),
+		zap.String("jobName", jobName),
+		zap.Any("job", job),
+	)
+
+	createdJob, err := h.k8s.BatchV1().Jobs(ref.Namespace).Create(r.Context(), job, metav1.CreateOptions{})
+	if err != nil && !apierrors.IsAlreadyExists(err) {
 		logger.Warn("Failed to create job", zap.Error(err))

 		w.Header().Add("Reason", err.Error())
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
+	if apierrors.IsAlreadyExists(err) {
+		logger.Debug("Job already exists", zap.String("URI", r.RequestURI), zap.String("jobName", jobName))
+	}
+
+	secret := &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      jobName,
+			Namespace: ref.Namespace,
+			Labels: map[string]string{
+				sinks.JobSinkIDLabel:   jobName,
+				sinks.JobSinkNameLabel: ref.Name,
+			},
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					APIVersion:         "batch/v1",
+					Kind:               "Job",
+					Name:               createdJob.Name,
+					UID:                createdJob.UID,
+					Controller:         ptr.Bool(true),
+					BlockOwnerDeletion: ptr.Bool(false),
+				},
+			},
+		},
+		Immutable: ptr.Bool(true),
+		Data:      map[string][]byte{"event": eventBytes},
+		Type:      corev1.SecretTypeOpaque,
+	}
+
+	logger.Debug("Creating secret for event",
+		zap.String("URI", r.RequestURI),
+		zap.String("jobName", jobName),
+		zap.Any("secret.metadata", secret.ObjectMeta),
+	)
+
+	_, err = h.k8s.CoreV1().Secrets(ref.Namespace).Create(r.Context(), secret, metav1.CreateOptions{})
+	if err != nil && !apierrors.IsAlreadyExists(err) {
+		logger.Warn("Failed to create secret", zap.Error(err))
+
+		w.Header().Add("Reason", err.Error())
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+	if apierrors.IsAlreadyExists(err) {
+		logger.Debug("Secret already exists", zap.String("URI", r.RequestURI), zap.String("jobName", jobName))
+	}

 	w.Header().Add("Location", locationHeader(ref, event.Source(), event.ID()))
 	w.WriteHeader(http.StatusAccepted)
@ -374,27 +394,25 @@ func (h *Handler) handleGet(ctx context.Context, w http.ResponseWriter, r *http.
 		Name:      parts[4],
 	}

+	js, err := h.lister.JobSinks(ref.Namespace).Get(ref.Name)
+	if err != nil {
+		logger.Warn("Failed to retrieve jobsink", zap.String("ref", ref.String()), zap.Error(err))
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
 	logger.Debug("Handling GET request", zap.String("URI", r.RequestURI))

-	features := feature.FromContext(ctx)
-	if features.IsOIDCAuthentication() {
-		logger.Debug("OIDC authentication is enabled")
-
-		audience := auth.GetAudienceDirect(sinksv.SchemeGroupVersion.WithKind("JobSink"), ref.Namespace, ref.Name)
-
-		err := h.oidcTokenVerifier.VerifyJWTFromRequest(ctx, r, &audience, w)
-		if err != nil {
-			logger.Warn("Error when validating the JWT token in the request", zap.Error(err))
-			return
-		}
-		logger.Debug("Request contained a valid JWT. Continuing...")
+	err = h.authVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w)
+	if err != nil {
+		logger.Warn("Failed to verify AuthN and AuthZ.", zap.Error(err))
+		return
 	}

 	eventSource := parts[6]
 	eventID := parts[8]

-	id := toIdHashLabelValue(eventSource, eventID)
-	jobName := kmeta.ChildName(ref.Name, id)
+	jobName := toJobName(ref.Name, eventSource, eventID)

 	job, err := h.k8s.BatchV1().Jobs(ref.Namespace).Get(r.Context(), jobName, metav1.GetOptions{})
 	if err != nil {
@ -447,6 +465,7 @@ func jobLabelSelector(ref types.NamespacedName, id string) string {
 	return fmt.Sprintf("%s=%s,%s=%s", sinks.JobSinkIDLabel, id, sinks.JobSinkNameLabel, ref.Name)
 }

-func toIdHashLabelValue(source, id string) string {
-	return utils.ToDNS1123Subdomain(fmt.Sprintf("%s", md5.Sum([]byte(fmt.Sprintf("%s-%s", source, id))))) //nolint:gosec
+func toJobName(js string, source, id string) string {
+	h := md5.Sum([]byte(source + id)) //nolint:gosec
+	return kmeta.ChildName(js+"-", utils.ToDNS1123Subdomain(hex.EncodeToString(h[:])))
 }
--- a/cmd/jobsink/main_test.go
+++ b/cmd/jobsink/main_test.go
@ -0,0 +1,106 @@
+/*
+Copyright 2024 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/api/validation"
+
+	"knative.dev/eventing/pkg/utils"
+)
+
+type testCase struct {
+	JobSinkName string
+	Source      string
+	Id          string
+}
+
+func TestToJobName(t *testing.T) {
+	testcases := []testCase{
+		{
+			JobSinkName: "job-sink-success",
+			Source:      "mysource3/myservice",
+			Id:          "2234-5678",
+		},
+		{
+			JobSinkName: "a",
+			Source:      "0",
+			Id:          "0",
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.JobSinkName+"_"+tc.Source+"_"+tc.Id, func(t *testing.T) {
+			if errs := validation.NameIsDNS1035Label(tc.JobSinkName, false); len(errs) != 0 {
+				t.Errorf("Invalid JobSinkName: %v", errs)
+			}
+
+			name := toJobName(tc.JobSinkName, tc.Source, tc.Id)
+			doubleName := toJobName(tc.JobSinkName, tc.Source, tc.Id)
+			if name != doubleName {
+				t.Errorf("Before: %q, after: %q", name, doubleName)
+			}
+
+			if got := utils.ToDNS1123Subdomain(name); got != name {
+				t.Errorf("ToDNS1123Subdomain(Want) returns a different result, Want: %q, Got: %q", name, got)
+			}
+
+			if errs := validation.NameIsDNS1035Label(name, false); len(errs) != 0 {
+				t.Errorf("toJobName produced invalid name %q given %q, %q, %q: errors: %#v", name, tc.JobSinkName, tc.Source, tc.Id, errs)
+			}
+		})
+	}
+}
+
+func FuzzToJobName(f *testing.F) {
+	testcases := []testCase{
+		{
+			JobSinkName: "job-sink-success",
+			Source:      "mysource3/myservice",
+			Id:          "2234-5678",
+		},
+		{
+			JobSinkName: "a",
+			Source:      "0",
+			Id:          "0",
+		},
+	}
+
+	for _, tc := range testcases {
+		f.Add(tc.JobSinkName, tc.Source, tc.Id) // Use f.Add to provide a seed corpus
+	}
+	f.Fuzz(func(t *testing.T, js, source, id string) {
+		if errs := validation.NameIsDNSLabel(js, false); len(errs) != 0 {
+			t.Skip("Prerequisite: invalid jobsink name")
+		}
+
+		name := toJobName(js, source, id)
+		doubleName := toJobName(js, source, id)
+		if name != doubleName {
+			t.Errorf("Before: %q, after: %q", name, doubleName)
+		}
+
+		if got := utils.ToDNS1123Subdomain(name); got != name {
+			t.Errorf("ToDNS1123Subdomain(Want) returns a different result, Want: %q, Got: %q", name, got)
+		}
+
+		if errs := validation.NameIsDNSLabel(name, false); len(errs) != 0 {
+			t.Errorf("toJobName produced invalid name %q given %q, %q, %q: errors: %#v", name, js, source, id, errs)
+		}
+	})
+}
--- a/cmd/schema/main.go
+++ b/cmd/schema/main.go
@ -26,7 +26,9 @@ import (
 	eventingv1alpha1 "knative.dev/eventing/pkg/apis/eventing/v1alpha1"
 	flowsv1 "knative.dev/eventing/pkg/apis/flows/v1"
 	messagingv1 "knative.dev/eventing/pkg/apis/messaging/v1"
+	sinksv1alpha1 "knative.dev/eventing/pkg/apis/sinks/v1alpha1"
 	sourcesv1 "knative.dev/eventing/pkg/apis/sources/v1"
+	sourcesv1alpha1 "knative.dev/eventing/pkg/apis/sources/v1alpha1"
 )

 // schema is a tool to dump the schema for Eventing resources.
@ -40,15 +42,21 @@ func main() {
 	registry.Register(&messagingv1.Channel{})
 	registry.Register(&messagingv1.InMemoryChannel{})

+	// Sinks
+	registry.Register(&sinksv1alpha1.JobSink{})
+	registry.Register(&sinksv1alpha1.IntegrationSink{})
+
 	// Sources
 	registry.Register(&sourcesv1.ApiServerSource{})
 	registry.Register(&sourcesv1.SinkBinding{})
 	registry.Register(&sourcesv1.ContainerSource{}) // WARNING: THIS DOES NOT WORK OUT OF THE BOX: See https://github.com/knative/eventing/issues/5353.
+	registry.Register(&sourcesv1alpha1.IntegrationSource{})

 	// Flows
 	registry.Register(&flowsv1.Sequence{})
 	registry.Register(&flowsv1.Parallel{})
 	registry.Register(&eventingv1alpha1.EventPolicy{})
+	registry.Register(&eventingv1alpha1.EventTransform{})

 	if err := commands.New("knative.dev/eventing").Execute(); err != nil {
 		log.Fatal("Error during command execution: ", err)
--- a/cmd/webhook/main.go
+++ b/cmd/webhook/main.go
@ -20,6 +20,8 @@ import (
 	"context"
 	"os"

+	sourcesv1alpha1 "knative.dev/eventing/pkg/apis/sources/v1alpha1"
+
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes/scheme"
@ -77,7 +79,8 @@ func init() {
 var ourTypes = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
 	// For group eventing.knative.dev.
 	// v1alpha1
-	eventingv1alpha1.SchemeGroupVersion.WithKind("EventPolicy"): &eventingv1alpha1.EventPolicy{},
+	eventingv1alpha1.SchemeGroupVersion.WithKind("EventPolicy"):    &eventingv1alpha1.EventPolicy{},
+	eventingv1alpha1.SchemeGroupVersion.WithKind("EventTransform"): &eventingv1alpha1.EventTransform{},
 	// v1beta1
 	eventingv1beta1.SchemeGroupVersion.WithKind("EventType"): &eventingv1beta1.EventType{},
 	// v1beta2
@ -92,6 +95,8 @@ var ourTypes = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
 	messagingv1.SchemeGroupVersion.WithKind("Subscription"): &messagingv1.Subscription{},

 	// For group sources.knative.dev.
+	// v1alpha1
+	sourcesv1alpha1.SchemeGroupVersion.WithKind("IntegrationSource"): &sourcesv1alpha1.IntegrationSource{},
 	// v1beta2
 	sourcesv1beta2.SchemeGroupVersion.WithKind("PingSource"): &sourcesv1beta2.PingSource{},
 	// v1
@ -102,7 +107,8 @@ var ourTypes = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{

 	// For group sinks.knative.dev.
 	// v1alpha1
-	sinksv1alpha1.SchemeGroupVersion.WithKind("JobSink"): &sinksv1alpha1.JobSink{},
+	sinksv1alpha1.SchemeGroupVersion.WithKind("JobSink"):         &sinksv1alpha1.JobSink{},
+	sinksv1alpha1.SchemeGroupVersion.WithKind("IntegrationSink"): &sinksv1alpha1.IntegrationSink{},

 	// For group flows.knative.dev
 	// v1
--- a/cmd/websocketsource/main.go
+++ b/cmd/websocketsource/main.go
@ -45,6 +45,7 @@ func init() {
 func main() {
 	flag.Parse()

+	//nolint:staticcheck
 	k_sink := os.Getenv("K_SINK")
 	if k_sink != "" {
 		sink = k_sink
--- a/config/300-eventtransform.yaml
+++ b/config/300-eventtransform.yaml
@ -0,0 +1 @@
+./core/resources/eventtransform.yaml
--- a/config/300-integrationsink.yaml
+++ b/config/300-integrationsink.yaml
@ -0,0 +1 @@
+core/resources/integrationsink.yaml
--- a/config/300-integrationsource.yaml
+++ b/config/300-integrationsource.yaml
@ -0,0 +1 @@
+core/resources/integrationsource.yaml
--- a/config/400-config-eventing-integrations-images.yaml
+++ b/config/400-config-eventing-integrations-images.yaml
@ -0,0 +1 @@
+../third_party/eventing-integrations-latest/eventing-integrations-images.yaml
--- a/config/400-config-eventing-transformations-images.yaml
+++ b/config/400-config-eventing-transformations-images.yaml
@ -0,0 +1 @@
+../third_party/eventing-integrations-latest/eventing-transformations-images.yaml
--- a/config/brokers/mt-channel-broker/deployments/controller.yaml
+++ b/config/brokers/mt-channel-broker/deployments/controller.yaml
@ -83,8 +83,27 @@ spec:
          seccompProfile:
            type: RuntimeDefault

+        livenessProbe:
+          httpGet:
+            path: /health
+            port: probes
+            scheme: HTTP
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 5
+        readinessProbe:
+          httpGet:
+            path: /readiness
+            port: probes
+            scheme: HTTP
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 5
+
        ports:
        - name: metrics
          containerPort: 9090
        - name: profiling
          containerPort: 8008
+        - name: probes
+          containerPort: 8080
--- a/config/brokers/mt-channel-broker/roles/filter-clusterrole.yaml
+++ b/config/brokers/mt-channel-broker/roles/filter-clusterrole.yaml
@ -31,6 +31,15 @@ rules:
      - get
      - list
      - watch
+  # get subscription of trigger for AuthZ
+  - apiGroups:
+      - messaging.knative.dev
+    resources:
+      - subscriptions
+    verbs:
+      - get
+      - list
+      - watch
  - apiGroups:
      - ""
    resources:
--- a/config/core/configmaps/eventing-integrations-images.yaml
+++ b/config/core/configmaps/eventing-integrations-images.yaml
@ -0,0 +1 @@
+../../../third_party/eventing-integrations-latest/eventing-integrations-images.yaml
--- a/config/core/configmaps/eventing-transformations-images.yaml
+++ b/config/core/configmaps/eventing-transformations-images.yaml
@ -0,0 +1 @@
+../../../third_party/eventing-integrations-latest/eventing-transformations-images.yaml
--- a/config/core/configmaps/observability.yaml
+++ b/config/core/configmaps/observability.yaml
@ -23,7 +23,7 @@ metadata:
    app.kubernetes.io/version: devel
    app.kubernetes.io/name: knative-eventing
  annotations:
-    knative.dev/example-checksum: "f46cf09d"
+    knative.dev/example-checksum: "b7377954"
 data:
  _example: |
    ################################
@ -41,34 +41,45 @@ data:
    # this example block and unindented to be in the data block
    # to actually change the configuration.

-    # metrics.backend-destination field specifies the system metrics destination.
-    # It supports either prometheus (the default) or stackdriver.
-    # Note: Using stackdriver will incur additional charges
-    metrics.backend-destination: prometheus
+     # metrics-protocol field specifies the protocol used when exporting metrics
+    # It supports either 'none' (the default), 'prometheus', 'http/protobuf' (OTLP HTTP), 'grpc' (OTLP gRPC)
+    metrics-protocol: http/protobuf

-    # metrics.request-metrics-backend-destination specifies the request metrics
-    # destination. If non-empty, it enables queue proxy to send request metrics.
-    # Currently supported values: prometheus, stackdriver.
-    metrics.request-metrics-backend-destination: prometheus
+    # metrics-endpoint field specifies the destination metrics should be exported to.
+    #
+    # The endpoint MUST be set when the protocol is http/protobuf or grpc.
+    # The endpoint MUST NOT be set when the protocol is none.
+    #
+    # When the protocol is prometheus the endpoint can accept a 'host:port' string to customize the
+    # listening host interface and port.
+    metrics-endpoint: http://collector.otel.svc.cluster.local/

-    # metrics.stackdriver-project-id field specifies the stackdriver project ID. This
-    # field is optional. When running on GCE, application default credentials will be
-    # used if this field is not provided.
-    metrics.stackdriver-project-id: "<your stackdriver project id>"
-
-    # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to
-    # Stackdriver using "global" resource type and custom metric type if the
-    # metrics are not supported by "knative_broker", "knative_trigger", and "knative_source" resource types.
-    # Setting this flag to "true" could cause extra Stackdriver charge.
-    # If metrics.backend-destination is not Stackdriver, this is ignored.
-    metrics.allow-stackdriver-custom-metrics: "false"
-
-    # profiling.enable indicates whether it is allowed to retrieve runtime profiling data from
-    # the pods via an HTTP server in the format expected by the pprof visualization tool. When
-    # enabled, the Knative Eventing pods expose the profiling data on an alternate HTTP port 8008.
-    # The HTTP context root for profiling is then /debug/pprof/.
-    profiling.enable: "false"
+    # metrics-export-interval specifies the global metrics reporting period for control and data plane components.
+    # If a zero or negative value is passed the default reporting OTel period is used (60 secs).
+    metrics-export-interval: 60s

    # sink-event-error-reporting.enable whether the adapter reports a kube event to the CRD indicating
    # a failure to send a cloud event to the sink.
    sink-event-error-reporting.enable: "false"
+
+    # runtime-profiling indicates whether it is allowed to retrieve runtime profiling data from
+    # the pods via an HTTP server in the format expected by the pprof visualization tool. When
+    # enabled, the Knative Eventing pods expose the profiling data on an alternate HTTP port 8008.
+    # The HTTP context root for profiling is then /debug/pprof/.
+    runtime-profiling: enabled
+
+
+    # tracing-protocol field specifies the protocol used when exporting traces
+    # It supports either 'none' (the default), 'prometheus', 'http/protobuf' (OTLP HTTP), 'grpc' (OTLP gRPC)
+    # or `stdout` for debugging purposes
+    tracing-protocol: http/protobuf
+
+    # tracing-endpoint field specifies the destination traces should be exporter to.
+    #
+    # The endpoint MUST be set when the protocol is http/protobuf or grpc.
+    # The endpoint MUST NOT be set when the protocol is none.
+    tracing-endpoint: http://jaeger-collector.observability:4318/v1/traces
+
+    # tracing-sampling-rate allows the user to specify what percentage of all traces should be exported
+    # The value should be between 0 (never sample) to 1 (always sample)
+    tracing-sampling-rate: "1"
--- a/config/core/configmaps/tracing.yaml
+++ b/config/core/configmaps/tracing.yaml
@ -23,33 +23,11 @@ metadata:
    app.kubernetes.io/version: devel
    app.kubernetes.io/name: knative-eventing
  annotations:
-    knative.dev/example-checksum: "0492ceb0"
+    knative.dev/example-checksum: "04c7e9a3"
 data:
  _example: |
-    ################################
-    #                              #
-    #    EXAMPLE CONFIGURATION     #
-    #                              #
-    ################################
-    # This block is not actually functional configuration,
-    # but serves to illustrate the available configuration
-    # options and document them in a way that is accessible
-    # to users that `kubectl edit` this config map.
-    #
-    # These sample configuration options may be copied out of
-    # this example block and unindented to be in the data block
-    # to actually change the configuration.
-    #
-    # This may be "zipkin" or "none". the default is "none"
-    backend: "none"
-
-    # URL to zipkin collector where traces are sent.
-    # This must be specified when backend is "zipkin"
-    zipkin-endpoint: "http://zipkin.istio-system.svc.cluster.local:9411/api/v2/spans"
-
-    # Enable zipkin debug mode. This allows all spans to be sent to the server
-    # bypassing sampling.
-    debug: "false"
-
-    # Percentage (0-1) of requests to trace
-    sample-rate: "0.1"
+    ###########################################################
+    #                                                         #
+    #  This config is deprecated - use config-observability   #
+    #                                                         #
+    ###########################################################
--- a/config/core/deployments/controller.yaml
+++ b/config/core/deployments/controller.yaml
@ -77,6 +77,59 @@ spec:
              fieldRef:
                fieldPath: metadata.name

+          - name: EVENT_TRANSFORM_JSONATA_IMAGE
+            valueFrom:
+              configMapKeyRef:
+                key: transform-jsonata
+                name: eventing-transformations-images
+
+          - name: INTEGRATION_SOURCE_TIMER_IMAGE
+            valueFrom:
+              configMapKeyRef:
+                key: timer-source
+                name: eventing-integrations-images
+
+          - name: INTEGRATION_SOURCE_AWS_S3_IMAGE
+            valueFrom:
+              configMapKeyRef:
+                key: aws-s3-source
+                name: eventing-integrations-images
+
+          - name: INTEGRATION_SOURCE_AWS_SQS_IMAGE
+            valueFrom:
+              configMapKeyRef:
+                key: aws-sqs-source
+                name: eventing-integrations-images
+
+          - name: INTEGRATION_SOURCE_AWS_DDB_STREAMS_IMAGE
+            valueFrom:
+              configMapKeyRef:
+                key: aws-ddb-streams-source
+                name: eventing-integrations-images
+
+          - name: INTEGRATION_SINK_LOG_IMAGE
+            valueFrom:
+              configMapKeyRef:
+                key: log-sink
+                name: eventing-integrations-images
+
+          - name: INTEGRATION_SINK_AWS_S3_IMAGE
+            valueFrom:
+              configMapKeyRef:
+                key: aws-s3-sink
+                name: eventing-integrations-images
+
+          - name: INTEGRATION_SINK_AWS_SQS_IMAGE
+            valueFrom:
+              configMapKeyRef:
+                key: aws-sqs-sink
+                name: eventing-integrations-images
+
+          - name: INTEGRATION_SINK_AWS_SNS_IMAGE
+            valueFrom:
+              configMapKeyRef:
+                key: aws-sns-sink
+                name: eventing-integrations-images

 ##         Adapter settings
 #          - name: K_LOGGING_CONFIG
--- a/config/core/deployments/pingsource-mt-adapter.yaml
+++ b/config/core/deployments/pingsource-mt-adapter.yaml
@ -87,6 +87,8 @@ spec:
            - containerPort: 9090
              name: metrics
              protocol: TCP
+            - name: probes
+              containerPort: 8080
          resources:
            requests:
              cpu: 125m
@ -104,4 +106,21 @@ spec:
            seccompProfile:
              type: RuntimeDefault

+          livenessProbe:
+            httpGet:
+              path: /health
+              port: probes
+              scheme: HTTP
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /readiness
+              port: probes
+              scheme: HTTP
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 5
+
      serviceAccountName: pingsource-mt-adapter
--- a/config/core/resources/eventpolicy.yaml
+++ b/config/core/resources/eventpolicy.yaml
@ -110,6 +110,44 @@ spec:
                          description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                          type: object
                          x-kubernetes-preserve-unknown-fields: true
+              filters:
+                description: 'Filters is an array of SubscriptionsAPIFilters that evaluate to true or false. If any filter expression in the array evaluates to false, the event will not continue pass the ingress of the target resources of the policy'
+                type: array
+                items:
+                  type: object
+                  properties:
+                    all:
+                      description: 'All evaluates to true if all the nested expressions evaluate to true. It must contain at least one filter expression'
+                      type: array
+                      items:
+                        type: object
+                        x-kubernetes-preserve-unknown-fields: true
+                    any:
+                      description: 'Any evaluates to true if any of the nested expressions evaluate to true. It must contain at least one filter expression'
+                      type: array
+                      items:
+                        type: object
+                        x-kubernetes-preserve-unknown-fields: true
+                    cesql:
+                      description: 'CESQL is a CloudEvents SQL v1 expression that will evaluate to true or false for each CloudEvent.'
+                      type: string
+                    exact:
+                      description: 'Exact evaluates to true if the values of the matching CloudEvents attributes all exactly match with the associated value string specified (case sensitive)'
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    not:
+                      description: 'Not evaluates to true if the nested expression evaluates to false.'
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    prefix:
+                      description: 'Prefix evaluates to true if the values of the matching CloudEvents attributes all start with the associated value string specified (case sensitive)'
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    suffix:
+                      description: 'Exact evaluates to true if the values of the matching CloudEvents attributes all end with the associated value string specified (case sensitive)'
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+
          status:
            description: Status represents the current state of the EventPolicy. This data may be out of date.
            type: object
@ -171,11 +209,3 @@ spec:
      - knative
      - eventing
  scope: Namespaced
-  conversion:
-    strategy: Webhook
-    webhook:
-      conversionReviewVersions: ["v1", "v1beta1"]
-      clientConfig:
-        service:
-          name: eventing-webhook
-          namespace: knative-eventing
--- a/config/core/resources/eventtransform.yaml
+++ b/config/core/resources/eventtransform.yaml
@ -0,0 +1,281 @@
+# Copyright 2025 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: eventtransforms.eventing.knative.dev
+  labels:
+    knative.dev/crd-install: "true"
+    duck.knative.dev/addressable: "true"
+    app.kubernetes.io/version: devel
+    app.kubernetes.io/name: knative-eventing
+spec:
+  group: eventing.knative.dev
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      subresources:
+        status: { }
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              description: Spec defines the desired state of the EventTransform.
+              type: object
+              properties:
+                jsonata:
+                  type: object
+                  properties:
+                    expression:
+                      description: Expression is the JSONata expression (https://jsonata.org/).
+                      type: string
+                reply:
+                  description: |
+                    Reply is the configuration on how to handle responses from Sink. It can only be set if Sink is set.
+                    Only one "type" can be used.
+                    The used type must match the top-level transformation, if you need to mix transformation types, use compositions and chain transformations together to achieve your desired outcome.
+                  type: object
+                  properties:
+                    jsonata:
+                      type: object
+                      properties:
+                        expression:
+                          description: Expression is the JSONata expression (https://jsonata.org/).
+                          type: string
+                    discard:
+                      description: |
+                        Discard discards responses from Sink and return empty response body.
+                        When set to false, it returns the exact sink response body.
+                        When set to true, Discard is mutually exclusive with EventTransformations in the reply
+                        section, it can either be discarded or transformed.
+                        Default: false.
+                      type: boolean
+                sink:
+                  description: 'Sink is a reference to an object that will resolve to a uri to use as the sink.  If not present, the transformation will send back the transformed event as response, this is useful to leverage the built-in Broker reply feature to re-publish a transformed event back to the broker. '
+                  type: object
+                  properties:
+                    CACerts:
+                      description: CACerts are Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. If set, these CAs are appended to the set of CAs provided by the Addressable target, if any.
+                      type: string
+                    audience:
+                      description: Audience is the OIDC audience. This need only be set, if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. In case the Addressable specifies an Audience too, the Destinations Audience takes preference.
+                      type: string
+                    ref:
+                      description: Ref points to an Addressable.
+                      type: object
+                      properties:
+                        address:
+                          description: Address points to a specific Address Name.
+                          type: string
+                        apiVersion:
+                          description: API version of the referent.
+                          type: string
+                        group:
+                          description: 'Group of the API, without the version of the group. This can be used as an alternative to the APIVersion, and then resolved using ResolveGroup. Note: This API is EXPERIMENTAL and might break anytime. For more details: https://github.com/knative/eventing/issues/5086'
+                          type: string
+                        kind:
+                          description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                          type: string
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                          type: string
+                        namespace:
+                          description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ This is optional field, it gets defaulted to the object holding it if left out.'
+                          type: string
+                    uri:
+                      description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref.
+                      type: string
+            status:
+              description: Status represents the current state of the EventTransform. This data may be out of date.
+              type: object
+              properties:
+                address:
+                  description: Address is a single Addressable address. If Addresses is present, Address will be ignored by clients.
+                  type: object
+                  required:
+                    - url
+                  properties:
+                    CACerts:
+                      description: CACerts is the Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468.
+                      type: string
+                    audience:
+                      description: Audience is the OIDC audience for this address.
+                      type: string
+                    name:
+                      description: Name is the name of the address.
+                      type: string
+                    url:
+                      type: string
+                addresses:
+                  description: Addresses is a list of addresses for different protocols (HTTP and HTTPS) If Addresses is present, Address must be ignored by clients.
+                  type: array
+                  items:
+                    type: object
+                    required:
+                      - url
+                    properties:
+                      CACerts:
+                        description: CACerts is the Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468.
+                        type: string
+                      audience:
+                        description: Audience is the OIDC audience for this address.
+                        type: string
+                      name:
+                        description: Name is the name of the address.
+                        type: string
+                      url:
+                        type: string
+                annotations:
+                  description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                auth:
+                  description: Auth defines the attributes that provide the generated service account name in the resource status.
+                  type: object
+                  required:
+                    - serviceAccountName
+                  properties:
+                    serviceAccountName:
+                      description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
+                      type: string
+                    serviceAccountNames:
+                      description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication. This list can have len() > 1, when the component uses multiple identities (e.g. in case of a Parallel).
+                      type: array
+                      items:
+                        type: string
+                conditions:
+                  description: Conditions the latest available observations of a resource's current state.
+                  type: array
+                  items:
+                    type: object
+                    required:
+                      - type
+                      - status
+                    properties:
+                      lastTransitionTime:
+                        description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).
+                        type: string
+                      message:
+                        description: A human readable message indicating details about the transition.
+                        type: string
+                      reason:
+                        description: The reason for the condition's last transition.
+                        type: string
+                      severity:
+                        description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.
+                        type: string
+                      status:
+                        description: Status of the condition, one of True, False, Unknown.
+                        type: string
+                      type:
+                        description: Type of condition.
+                        type: string
+                jsonata:
+                  description: JsonataTransformationStatus is the status associated with JsonataEventTransformationSpec.
+                  type: object
+                  properties:
+                    deployment:
+                      type: object
+                      properties:
+                        availableReplicas:
+                          description: Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+                          type: integer
+                          format: int32
+                        collisionCount:
+                          description: Count of hash collisions for the Deployment. The Deployment controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ReplicaSet.
+                          type: integer
+                          format: int32
+                        conditions:
+                          description: Represents the latest available observations of a deployment's current state.
+                          type: array
+                          items:
+                            type: object
+                            properties:
+                              lastTransitionTime:
+                                description: Last time the condition transitioned from one status to another.
+                                type: string
+                              lastUpdateTime:
+                                description: The last time this condition was updated.
+                                type: string
+                              message:
+                                description: A human readable message indicating details about the transition.
+                                type: string
+                              reason:
+                                description: The reason for the condition's last transition.
+                                type: string
+                              status:
+                                description: Status of the condition, one of True, False, Unknown.
+                                type: string
+                              type:
+                                description: Type of deployment condition.
+                                type: string
+                        observedGeneration:
+                          description: The generation observed by the deployment controller.
+                          type: integer
+                          format: int64
+                        readyReplicas:
+                          description: readyReplicas is the number of pods targeted by this Deployment with a Ready Condition.
+                          type: integer
+                          format: int32
+                        replicas:
+                          description: Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+                          type: integer
+                          format: int32
+                        unavailableReplicas:
+                          description: Total number of unavailable pods targeted by this deployment. This is the total number of pods that are still required for the deployment to have 100% available capacity. They may either be pods that are running but not yet available or pods that still have not been created.
+                          type: integer
+                          format: int32
+                        updatedReplicas:
+                          description: Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+                          type: integer
+                          format: int32
+                observedGeneration:
+                  description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
+                  type: integer
+                  format: int64
+                sinkAudience:
+                  description: SinkAudience is the OIDC audience of the sink.
+                  type: string
+                sinkCACerts:
+                  description: SinkCACerts are Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468.
+                  type: string
+                sinkUri:
+                  description: SinkURI is the current active sink URI that has been configured for the Source.
+                  type: string
+
+      additionalPrinterColumns:
+        - name: URL
+          type: string
+          jsonPath: ".status.address.url"
+        - name: Sink
+          type: string
+          jsonPath: ".status.sinkUri"
+        - name: Ready
+          type: string
+          jsonPath: ".status.conditions[?(@.type==\"Ready\")].status"
+        - name: Reason
+          type: string
+          jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason"
+  names:
+    kind: EventTransform
+    plural: eventtransforms
+    singular: eventtransform
+    categories:
+      - all
+      - knative
+      - eventing
+  scope: Namespaced
--- a/config/core/resources/integrationsink.yaml
+++ b/config/core/resources/integrationsink.yaml
@ -0,0 +1,425 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: integrationsinks.sinks.knative.dev
+  labels:
+    knative.dev/crd-install: "true"
+    duck.knative.dev/addressable: "true"
+    app.kubernetes.io/version: devel
+    app.kubernetes.io/name: knative-eventing
+spec:
+  group: sinks.knative.dev
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      subresources:
+        status: { }
+      schema:
+        openAPIV3Schema:
+          description: 'IntegrationSink sends events to generic event sink'
+          type: object
+          properties:
+            spec:
+              description: Spec defines the desired state of the IntegrationSink.
+              type: object
+              properties:
+                log:
+                  type: object
+                  properties:
+                    loggerName:
+                      type: string
+                      title: Logger Name
+                      description: Name of the logging category to use
+                      default: log-sink
+                    level:
+                      type: string
+                      title: Log Level
+                      description: Logging level to use
+                      default: INFO
+                    logMask:
+                      type: boolean
+                      title: Log Mask
+                      description: Mask sensitive information like password or passphrase in the
+                        log
+                      default: false
+                    marker:
+                      type: string
+                      title: Marker
+                      description: An optional Marker name to use
+                    multiline:
+                      type: boolean
+                      title: Multiline
+                      description: If enabled then each information is outputted on a newline
+                      default: false
+                    showAllProperties:
+                      type: boolean
+                      title: Show All Properties
+                      description: Show all of the exchange properties (both internal and custom)
+                      default: false
+                    showBody:
+                      type: boolean
+                      title: Show Body
+                      description: Show the message body
+                      default: true
+                    showBodyType:
+                      type: boolean
+                      title: Show Body Type
+                      description: Show the body Java type
+                      default: true
+                    showExchangePattern:
+                      type: boolean
+                      title: Show Exchange Pattern
+                      description: Shows the Message Exchange Pattern (or MEP for short)
+                      default: true
+                    showHeaders:
+                      type: boolean
+                      title: Show Headers
+                      description: Show the headers received
+                      default: false
+                    showProperties:
+                      type: boolean
+                      title: Show Properties
+                      description: Show the exchange properties (only custom). Use showAllProperties
+                        to show both internal and custom properties.
+                      default: false
+                    showStreams:
+                      type: boolean
+                      title: Show Streams
+                      description: Show the stream bodies (they may not be available in following
+                        steps)
+                      default: false
+                    showCachedStreams:
+                      type: boolean
+                      title: Show Cached Streams
+                      description: Whether Camel should show cached stream bodies or not.
+                      default: true
+                aws:
+                  type: object
+                  properties:
+                    s3:
+                      type: object
+                      properties:
+                        arn:
+                          type: string
+                          title: Bucket Name
+                          description: The S3 Bucket name or Amazon Resource Name (ARN).
+                        deleteAfterRead:
+                          type: boolean
+                          title: Auto-delete Objects
+                          description: Specifies to delete objects after consuming them.
+                          default: true
+                        moveAfterRead:
+                          type: boolean
+                          title: Move Objects After Delete
+                          description: Move objects from S3 bucket to a different bucket after
+                            they have been retrieved.
+                          default: false
+                        destinationBucket:
+                          type: string
+                          title: Destination Bucket
+                          description: Define the destination bucket where an object must be moved
+                            when moveAfterRead is set to true.
+                        destinationBucketPrefix:
+                          type: string
+                          title: Destination Bucket Prefix
+                          description: Define the destination bucket prefix to use when an object
+                            must be moved, and moveAfterRead is set to true.
+                        destinationBucketSuffix:
+                          type: string
+                          title: Destination Bucket Suffix
+                          description: Define the destination bucket suffix to use when an object
+                            must be moved, and moveAfterRead is set to true.
+                        region:
+                          type: string
+                          title: AWS Region
+                          description: The AWS region to access.
+                        autoCreateBucket:
+                          type: boolean
+                          title: Autocreate Bucket
+                          description: Specifies to automatically create the S3 bucket.
+                          default: false
+                        prefix:
+                          type: string
+                          title: Prefix
+                          description: The AWS S3 bucket prefix to consider while searching.
+                          example: folder/
+                        ignoreBody:
+                          type: boolean
+                          title: Ignore Body
+                          description: If true, the S3 Object body is ignored. Setting this to
+                            true overrides any behavior defined by the `includeBody` option. If
+                            false, the S3 object is put in the body.
+                          default: false
+                        uriEndpointOverride:
+                          type: string
+                          title: Overwrite Endpoint URI
+                          description: The overriding endpoint URI. To use this option, you must
+                            also select the `overrideEndpoint` option.
+                        overrideEndpoint:
+                          type: boolean
+                          title: Endpoint Overwrite
+                          description: Select this option to override the endpoint URI. To use
+                            this option, you must also provide a URI for the `uriEndpointOverride`
+                            option.
+                          default: false
+                        forcePathStyle:
+                          type: boolean
+                          title: Force Path Style
+                          description: Forces path style when accessing AWS S3 buckets.
+                          default: false
+                        delay:
+                          type: integer
+                          title: Delay
+                          description: The number of milliseconds before the next poll of the
+                            selected bucket.
+                          default: 500
+                        maxMessagesPerPoll:
+                          type: integer
+                          title: Max Messages Per Poll
+                          description: Gets the maximum number of messages as a limit to poll
+                            at each polling. Gets the maximum number of messages as a limit to
+                            poll at each polling. The default value is 10. Use 0 or a negative
+                            number to set it as unlimited.
+                          default: 10
+                    sqs:
+                      type: object
+                      properties:
+                        arn:
+                          type: string
+                          title: Queue Name
+                          description: The SQS Queue Name or ARN
+                        deleteAfterRead:
+                          type: boolean
+                          title: Auto-delete Messages
+                          description: Delete messages after consuming them
+                          default: true
+                        region:
+                          type: string
+                          title: AWS Region
+                          description: The AWS region to access.
+                        autoCreateQueue:
+                          type: boolean
+                          title: Autocreate Queue
+                          description: Setting the autocreation of the SQS queue.
+                          default: false
+                        host:
+                          type: string
+                          title: AWS Host
+                          description: The hostname of the Amazon AWS cloud.
+                          default: amazonaws.com
+                        protocol:
+                          type: string
+                          title: Protocol
+                          description: The underlying protocol used to communicate with SQS
+                          default: https
+                          example: http or https
+                        queueURL:
+                          type: string
+                          title: Queue URL
+                          description: The full SQS Queue URL (required if using KEDA)
+                        uriEndpointOverride:
+                          type: string
+                          title: Overwrite Endpoint URI
+                          description: The overriding endpoint URI. To use this option, you must
+                            also select the `overrideEndpoint` option.
+                        overrideEndpoint:
+                          type: boolean
+                          title: Endpoint Overwrite
+                          description: Select this option to override the endpoint URI. To use
+                            this option, you must also provide a URI for the `uriEndpointOverride`
+                            option.
+                          default: false
+                        delay:
+                          type: integer
+                          title: Delay
+                          description: The number of milliseconds before the next poll of the
+                            selected stream
+                          default: 500
+                        greedy:
+                          type: boolean
+                          title: Greedy Scheduler
+                          description: If greedy is enabled, then the polling will happen immediately
+                            again, if the previous run polled 1 or more messages.
+                          default: false
+                        maxMessagesPerPoll:
+                          type: integer
+                          title: Max Messages Per Poll
+                          description: The maximum number of messages to return. Amazon SQS never
+                            returns more messages than this value (however, fewer messages might
+                            be returned). Valid values 1 to 10. Default 1.
+                          default: 1
+                        waitTimeSeconds:
+                          type: integer
+                          title: Wait Time Seconds
+                          description: The duration (in seconds) for which the call waits for
+                            a message to arrive in the queue before returning. If a message is
+                            available, the call returns sooner than WaitTimeSeconds. If no messages
+                            are available and the wait time expires, the call does not return
+                            a message list.
+                        visibilityTimeout:
+                          type: integer
+                          title: Visibility Timeout
+                          description: The duration (in seconds) that the received messages are
+                            hidden from subsequent retrieve requests after being retrieved by
+                            a ReceiveMessage request.
+                    sns:
+                      type: object
+                      properties:
+                        arn:
+                          type: string
+                          title: Topic Name
+                          description: The SNS topic name name or Amazon Resource Name (ARN).
+                        region:
+                          type: string
+                          title: AWS Region
+                          description: The AWS region to access.
+                        autoCreateTopic:
+                          type: boolean
+                          title: Autocreate Topic
+                          description: Setting the autocreation of the SNS topic.
+                          default: false
+                        uriEndpointOverride:
+                          type: string
+                          title: Overwrite Endpoint URI
+                          description: The overriding endpoint URI. To use this option, you must
+                            also select the `overrideEndpoint` option.
+                        overrideEndpoint:
+                          type: boolean
+                          title: Endpoint Overwrite
+                          description: Select this option to override the endpoint URI. To use
+                            this option, you must also provide a URI for the `uriEndpointOverride`
+                            option.
+                          default: false
+                    auth:
+                      description: 'Auth configurations'
+                      type: object
+                      properties:
+                        secret:
+                          description: 'Auth secret'
+                          type: object
+                          properties:
+                            ref:
+                              description: |
+                                Secret reference.
+                              type: object
+                              required:
+                                - name
+                              properties:
+                                name:
+                                  description: 'Secret name'
+                                  type: string
+            status:
+              description: Status represents the current state of the IntegrationSink. This data may be out of date.
+              type: object
+              properties:
+                address:
+                  description: IntegrationSink is Addressable. It exposes the endpoints as URIs to get events delivered into the used Kamelet.
+                  type: object
+                  properties:
+                    name:
+                      type: string
+                    url:
+                      type: string
+                    CACerts:
+                      type: string
+                    audience:
+                      type: string
+                addresses:
+                  description: IntegrationSink is Addressable. It exposes the endpoints as URIs to get events delivered into the used Kamelet.
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      url:
+                        type: string
+                      CACerts:
+                        type: string
+                      audience:
+                        type: string
+                annotations:
+                  description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                policies:
+                  description: List of applied EventPolicies
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      apiVersion:
+                        description: The API version of the applied EventPolicy. This indicates, which version of EventPolicy is supported by the resource.
+                        type: string
+                      name:
+                        description: The name of the applied EventPolicy
+                        type: string
+                conditions:
+                  description: Conditions the latest available observations of a resource's current state.
+                  type: array
+                  items:
+                    type: object
+                    required:
+                      - type
+                      - status
+                    properties:
+                      lastTransitionTime:
+                        description: 'LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).'
+                        type: string
+                      message:
+                        description: 'A human readable message indicating details about the transition.'
+                        type: string
+                      reason:
+                        description: 'The reason for the condition''s last transition.'
+                        type: string
+                      severity:
+                        description: 'Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.'
+                        type: string
+                      status:
+                        description: 'Status of the condition, one of True, False, Unknown.'
+                        type: string
+                      type:
+                        description: 'Type of condition.'
+                        type: string
+                observedGeneration:
+                  description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
+                  type: integer
+                  format: int64
+      additionalPrinterColumns:
+        - name: URL
+          type: string
+          jsonPath: .status.address.url
+        - name: Age
+          type: date
+          jsonPath: .metadata.creationTimestamp
+        - name: Ready
+          type: string
+          jsonPath: ".status.conditions[?(@.type==\"Ready\")].status"
+        - name: Reason
+          type: string
+          jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason"
+  names:
+    kind: IntegrationSink
+    plural: integrationsinks
+    singular: integrationsink
+    categories:
+      - all
+      - knative
+      - eventing
+      - sink
+  scope: Namespaced
--- a/config/core/resources/integrationsource.yaml
+++ b/config/core/resources/integrationsource.yaml
@ -0,0 +1,421 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    eventing.knative.dev/source: "true"
+    duck.knative.dev/source: "true"
+    knative.dev/crd-install: "true"
+    app.kubernetes.io/version: devel
+    app.kubernetes.io/name: knative-eventing
+  name: integrationsources.sources.knative.dev
+spec:
+  group: sources.knative.dev
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      subresources:
+        status: {}
+      schema:
+        openAPIV3Schema:
+          description: 'IntegrationSource is an event source that starts a container image which generates events under certain situations and sends messages to a sink URI'
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                ceOverrides:
+                  description: CloudEventOverrides defines overrides to control the output format and modifications of the event sent to the sink.
+                  type: object
+                  properties:
+                    extensions:
+                      description: Extensions specify what attribute are added or overridden on the outbound event. Each `Extensions` key-value pair are set on the event as an attribute extension independently.
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                sink:
+                  description: Sink is a reference to an object that will resolve to a uri to use as the sink.
+                  type: object
+                  properties:
+                    ref:
+                      description: Ref points to an Addressable.
+                      type: object
+                      properties:
+                        apiVersion:
+                          description: API version of the referent.
+                          type: string
+                        kind:
+                          description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                          type: string
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                          type: string
+                        namespace:
+                          description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ This is optional field, it gets defaulted to the object holding it if left out.'
+                          type: string
+                    uri:
+                      description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref.
+                      type: string
+                    CACerts:
+                      description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink.
+                      type: string
+                    audience:
+                      description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the target itself. If specified, it takes precedence over the target's Audience.
+                      type: string
+                timer:
+                  type: object
+                  properties:
+                    period:
+                      type: integer
+                      title: Period
+                      description: The interval (in milliseconds) to wait between producing the
+                        next message.
+                      default: 1000
+                    message:
+                      type: string
+                      title: Message
+                      description: The message to generate.
+                      example: hello world
+                    contentType:
+                      type: string
+                      title: Content Type
+                      description: The content type of the generated message.
+                      default: text/plain
+                    repeatCount:
+                      type: integer
+                      title: Repeat Count
+                      description: Specifies a maximum limit of number of fires
+                aws:
+                  type: object
+                  properties:
+                    s3:
+                      type: object
+                      properties:
+                        arn:
+                          type: string
+                          title: Bucket Name
+                          description: The S3 Bucket name or Amazon Resource Name (ARN).
+                        deleteAfterRead:
+                          type: boolean
+                          title: Auto-delete Objects
+                          description: Specifies to delete objects after consuming them.
+                          default: true
+                        moveAfterRead:
+                          type: boolean
+                          title: Move Objects After Delete
+                          description: Move objects from S3 bucket to a different bucket after
+                            they have been retrieved.
+                          default: false
+                        destinationBucket:
+                          type: string
+                          title: Destination Bucket
+                          description: Define the destination bucket where an object must be moved
+                            when moveAfterRead is set to true.
+                        destinationBucketPrefix:
+                          type: string
+                          title: Destination Bucket Prefix
+                          description: Define the destination bucket prefix to use when an object
+                            must be moved, and moveAfterRead is set to true.
+                        destinationBucketSuffix:
+                          type: string
+                          title: Destination Bucket Suffix
+                          description: Define the destination bucket suffix to use when an object
+                            must be moved, and moveAfterRead is set to true.
+                        region:
+                          type: string
+                          title: AWS Region
+                          description: The AWS region to access.
+                        autoCreateBucket:
+                          type: boolean
+                          title: Autocreate Bucket
+                          description: Specifies to automatically create the S3 bucket.
+                          default: false
+                        prefix:
+                          type: string
+                          title: Prefix
+                          description: The AWS S3 bucket prefix to consider while searching.
+                          example: folder/
+                        ignoreBody:
+                          type: boolean
+                          title: Ignore Body
+                          description: If true, the S3 Object body is ignored. Setting this to
+                            true overrides any behavior defined by the `includeBody` option. If
+                            false, the S3 object is put in the body.
+                          default: false
+                        uriEndpointOverride:
+                          type: string
+                          title: Overwrite Endpoint URI
+                          description: The overriding endpoint URI. To use this option, you must
+                            also select the `overrideEndpoint` option.
+                        overrideEndpoint:
+                          type: boolean
+                          title: Endpoint Overwrite
+                          description: Select this option to override the endpoint URI. To use
+                            this option, you must also provide a URI for the `uriEndpointOverride`
+                            option.
+                          default: false
+                        forcePathStyle:
+                          type: boolean
+                          title: Force Path Style
+                          description: Forces path style when accessing AWS S3 buckets.
+                          default: false
+                        delay:
+                          type: integer
+                          title: Delay
+                          description: The number of milliseconds before the next poll of the
+                            selected bucket.
+                          default: 500
+                        maxMessagesPerPoll:
+                          type: integer
+                          title: Max Messages Per Poll
+                          description: Gets the maximum number of messages as a limit to poll
+                            at each polling. Gets the maximum number of messages as a limit to
+                            poll at each polling. The default value is 10. Use 0 or a negative
+                            number to set it as unlimited.
+                          default: 10
+                    sqs:
+                      type: object
+                      properties:
+                        arn:
+                          type: string
+                          title: Queue Name
+                          description: The SQS Queue Name or ARN
+                        deleteAfterRead:
+                          type: boolean
+                          title: Auto-delete Messages
+                          description: Delete messages after consuming them
+                          default: true
+                        region:
+                          type: string
+                          title: AWS Region
+                          description: The AWS region to access.
+                        autoCreateQueue:
+                          type: boolean
+                          title: Autocreate Queue
+                          description: Setting the autocreation of the SQS queue.
+                          default: false
+                        host:
+                          type: string
+                          title: AWS Host
+                          description: The hostname of the Amazon AWS cloud.
+                          default: amazonaws.com
+                        protocol:
+                          type: string
+                          title: Protocol
+                          description: The underlying protocol used to communicate with SQS
+                          default: https
+                          example: http or https
+                        queueURL:
+                          type: string
+                          title: Queue URL
+                          description: The full SQS Queue URL (required if using KEDA)
+                        uriEndpointOverride:
+                          type: string
+                          title: Overwrite Endpoint URI
+                          description: The overriding endpoint URI. To use this option, you must
+                            also select the `overrideEndpoint` option.
+                        overrideEndpoint:
+                          type: boolean
+                          title: Endpoint Overwrite
+                          description: Select this option to override the endpoint URI. To use
+                            this option, you must also provide a URI for the `uriEndpointOverride`
+                            option.
+                          default: false
+                        delay:
+                          type: integer
+                          title: Delay
+                          description: The number of milliseconds before the next poll of the
+                            selected stream
+                          default: 500
+                        greedy:
+                          type: boolean
+                          title: Greedy Scheduler
+                          description: If greedy is enabled, then the polling will happen immediately
+                            again, if the previous run polled 1 or more messages.
+                          default: false
+                        maxMessagesPerPoll:
+                          type: integer
+                          title: Max Messages Per Poll
+                          description: The maximum number of messages to return. Amazon SQS never
+                            returns more messages than this value (however, fewer messages might
+                            be returned). Valid values 1 to 10. Default 1.
+                          default: 1
+                        waitTimeSeconds:
+                          type: integer
+                          title: Wait Time Seconds
+                          description: The duration (in seconds) for which the call waits for
+                            a message to arrive in the queue before returning. If a message is
+                            available, the call returns sooner than WaitTimeSeconds. If no messages
+                            are available and the wait time expires, the call does not return
+                            a message list.
+                        visibilityTimeout:
+                          type: integer
+                          title: Visibility Timeout
+                          description: The duration (in seconds) that the received messages are
+                            hidden from subsequent retrieve requests after being retrieved by
+                            a ReceiveMessage request.
+                    ddbStreams:
+                      type: object
+                      properties:
+                        table:
+                          type: string
+                          title: Table
+                          description: The name of the DynamoDB table.
+                        region:
+                          type: string
+                          title: AWS Region
+                          description: The AWS region to access.
+                        streamIteratorType:
+                          type: string
+                          title: Stream Iterator Type
+                          description: Defines where in the DynamoDB stream to start getting records.
+                            There are two enums and the value can be one of FROM_LATEST and FROM_START.
+                            Note that using FROM_START can cause a significant delay before the stream
+                            has caught up to real-time.
+                          default: FROM_LATEST
+                        uriEndpointOverride:
+                          type: string
+                          title: Overwrite Endpoint URI
+                          description: The overriding endpoint URI. To use this option, you must
+                            also select the `overrideEndpoint` option.
+                        overrideEndpoint:
+                          type: boolean
+                          title: Endpoint Overwrite
+                          description: Select this option to override the endpoint URI. To use
+                            this option, you must also provide a URI for the `uriEndpointOverride`
+                            option.
+                          default: false
+                        delay:
+                          type: integer
+                          title: Delay
+                          description: The number of milliseconds before the next poll from the
+                            database.
+                          default: 500
+                    auth:
+                      description: 'Auth configurations'
+                      type: object
+                      properties:
+                        secret:
+                          description: 'Auth secret'
+                          type: object
+                          properties:
+                            ref:
+                              description: |
+                                Secret reference.
+                              type: object
+                              required:
+                                - name
+                              properties:
+                                name:
+                                  description: 'Secret name'
+                                  type: string
+                template:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                  description: 'A template in the shape of `Deployment.spec.template` to be used for this ContainerSource. More info: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/'
+            status:
+              type: object
+              properties:
+                annotations:
+                  description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                auth:
+                  description: Auth provides the relevant information for OIDC authentication.
+                  type: object
+                  properties:
+                    serviceAccountName:
+                      description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
+                      type: string
+                    serviceAccountNames:
+                      description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication.
+                      type: array
+                      items:
+                        type: string
+                ceAttributes:
+                  description: CloudEventAttributes are the specific attributes that the Source uses as part of its CloudEvents.
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      source:
+                        description: Source is the CloudEvents source attribute.
+                        type: string
+                      type:
+                        description: Type refers to the CloudEvent type attribute.
+                        type: string
+                conditions:
+                  description: Conditions the latest available observations of a resource's current state.
+                  type: array
+                  items:
+                    type: object
+                    required:
+                      - type
+                      - status
+                    properties:
+                      lastTransitionTime:
+                        description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).
+                        type: string
+                      message:
+                        description: A human readable message indicating details about the transition.
+                        type: string
+                      reason:
+                        description: The reason for the condition's last transition.
+                        type: string
+                      severity:
+                        description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.
+                        type: string
+                      status:
+                        description: Status of the condition, one of True, False, Unknown.
+                        type: string
+                      type:
+                        description: Type of condition.
+                        type: string
+                observedGeneration:
+                  description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
+                  type: integer
+                  format: int64
+                sinkUri:
+                  description: SinkURI is the current active sink URI that has been configured for the Source.
+                  type: string
+                sinkCACerts:
+                  description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink.
+                  type: string
+                sinkAudience:
+                  description: Audience is the OIDC audience of the sink.
+                  type: string
+      additionalPrinterColumns:
+        - name: Sink
+          type: string
+          jsonPath: ".status.sinkUri"
+        - name: Age
+          type: date
+          jsonPath: ".metadata.creationTimestamp"
+        - name: Ready
+          type: string
+          jsonPath: ".status.conditions[?(@.type=='Ready')].status"
+        - name: Reason
+          type: string
+          jsonPath: ".status.conditions[?(@.type=='Ready')].reason"
+  names:
+    categories:
+      - all
+      - knative
+      - sources
+    kind: IntegrationSource
+    plural: integrationsources
+    singular: integrationsource
+  scope: Namespaced
--- a/config/core/resources/jobsink.yaml
+++ b/config/core/resources/jobsink.yaml
@ -121,6 +121,10 @@ spec:
                      type:
                        description: 'Type of condition.'
                        type: string
+                observedGeneration:
+                  description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
+                  type: integer
+                  format: int64
      additionalPrinterColumns:
        - name: URL
          type: string
--- a/config/core/resources/requestreply.yaml
+++ b/config/core/resources/requestreply.yaml
@ -0,0 +1,213 @@
+# Copyright 2024 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: requestreplies.eventing.knative.dev
+  labels:
+    knative.dev/crd-install: "true"
+    app.kubernetes.io/version: devel
+    app.kubernetes.io/name: knative-eventing
+spec:
+  group: eventing.knative.dev
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            description: Spec defines the desired state of the RequestReply.
+            type: object
+            properties:
+              brokerRef:
+                description: A KReference referring to the broker this RequestReply forwards events to. CrossNamespace references are not allowed.
+                type: object
+                properties:
+                  apiVersion:
+                    description: API Version of the broker.
+                    type: string
+                  kind:
+                    description: 'Kind of the broker. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the broker. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+              correlationAttribute:
+                description: The name of the cloudevent attribute where the correlation id will be set on new events.
+                type: string
+              replyAttribute:
+                description: The name of the cloudevents attribute which will hold the correlation id for an event which will be treated as a reply.
+                type: string
+              secrets:
+                description: A list of the names of one or more secrets used to sign the correlation ids and reply ids. The secrets must be in the same namespace as the requestreply resource.
+                type: array
+                items:
+                  type: string
+              timeout:
+                description: A ISO8601 string representing how long RequestReply holds onto an incoming request before it times out without a reply.
+                type: string
+              delivery:
+                description: Delivery contains the delivery spec for each trigger to this Broker. Each trigger delivery spec, if any, overrides this global delivery spec.
+                type: object
+                properties:
+                  backoffDelay:
+                    description: 'BackoffDelay is the delay before retrying. More information on Duration format: - https://www.iso.org/iso-8601-date-and-time-format.html - https://en.wikipedia.org/wiki/ISO_8601  For linear policy, backoff delay is backoffDelay*<numberOfRetries>. For exponential policy, backoff delay is backoffDelay*2^<numberOfRetries>.'
+                    type: string
+                  backoffPolicy:
+                    description: BackoffPolicy is the retry backoff policy (linear, exponential).
+                    type: string
+                  deadLetterSink:
+                    description: DeadLetterSink is the sink receiving event that could not be sent to a destination.
+                    type: object
+                    properties:
+                      ref:
+                        description: Ref points to an Addressable.
+                        type: object
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          kind:
+                            description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                            type: string
+                          namespace:
+                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ This is optional field, it gets defaulted to the object holding it if left out.'
+                            type: string
+                      uri:
+                        description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref.
+                        type: string
+                      CACerts:
+                        description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink.
+                        type: string
+                      audience:
+                        description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the target itself. If specified, it takes precedence over the target's Audience.
+                        type: string
+                  retry:
+                    description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink.
+                    type: integer
+                    format: int32
+                x-kubernetes-preserve-unknown-fields: true # This is necessary to enable the experimental feature delivery-timeout
+          status:
+            description: Status represents the current state of the RequestReply. This data may be out of date.
+            type: object
+            properties:
+              annotations:
+                description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
+              conditions:
+                description: Conditions the latest available observations of a resource's current state.
+                type: array
+                items:
+                  type: object
+                  required:
+                    - type
+                    - status
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).
+                      type: string
+                    message:
+                      description: A human readable message indicating details about the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition.
+                      type: string
+                    severity:
+                      description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition.
+                      type: string
+              address:
+                description: RequestReply is Addressable. It exposes the endpoint as an URI to get events delivered.
+                type: object
+                properties:
+                  name:
+                    type: string
+                  url:
+                    type: string
+                  CACerts:
+                    type: string
+                  audience:
+                    type: string
+              addresses:
+                description: RequestReply is Addressable. It exposes the endpoints as URIs to get events delivered.
+                type: array
+                items:
+                  type: object
+                  properties:
+                    name:
+                      type: string
+                    url:
+                      type: string
+                    CACerts:
+                      type: string
+                    audience:
+                      type: string
+              policies:
+                description: List of applied EventPolicies
+                type: array
+                items:
+                  type: object
+                  properties:
+                    apiVersion:
+                      description: The API version of the applied EventPolicy. This indicates whichversion of EventPolicy is supported by the resource.
+                      type: string
+                    name:
+                      description: The name of the applied EventPolicy
+                      type: string
+              observedGeneration:
+                description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
+                type: integer
+                format: int64
+
+    additionalPrinterColumns:
+    - name: URL
+      type: string
+      jsonPath: ".status.address.url"
+    - name: Ready
+      type: string
+      jsonPath: ".status.conditions[?(@.type==\"Ready\")].status"
+    - name: Reason
+      type: string
+      jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason"
+  names:
+    kind: RequestReply
+    plural: requestreplies
+    singular: requestreply
+    categories:
+      - all
+      - knative
+      - eventing
+  scope: Namespaced
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions: ["v1", "v1beta1"]
+      clientConfig:
+        service:
+          name: eventing-webhook
+          namespace: knative-eventing
--- a/config/core/resources/trigger.yaml
+++ b/config/core/resources/trigger.yaml
@ -117,6 +117,9 @@ spec:
                    description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink.
                    type: integer
                    format: int32
+                  format:
+                    description: Format is the format used to serialize the event into a http request when delivering the event. It can be json (for structured events), binary (for binary events), or unset.
+                    type: string
              filter:
                description: 'Filter is the filter to apply against all events from the Broker. Only events that pass this filter will be sent to the Subscriber. If not specified, will default to allowing all events.'
                type: object
--- a/config/core/roles/addressable-resolvers-clusterrole.yaml
+++ b/config/core/roles/addressable-resolvers-clusterrole.yaml
@ -144,3 +144,69 @@ rules:
  - get
  - list
  - watch
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: jobsinks-addressable-resolver
+  labels:
+    duck.knative.dev/addressable: "true"
+    app.kubernetes.io/version: devel
+    app.kubernetes.io/name: knative-eventing
+# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
+rules:
+- apiGroups:
+    - sinks.knative.dev
+  resources:
+    - jobsinks
+    - jobsinks/status
+  verbs:
+    - get
+    - list
+    - watch
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: integrationsinks-addressable-resolver
+  labels:
+    duck.knative.dev/addressable: "true"
+    app.kubernetes.io/version: devel
+    app.kubernetes.io/name: knative-eventing
+# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
+rules:
+- apiGroups:
+    - sinks.knative.dev
+  resources:
+    - integrationsinks
+    - integrationsinks/status
+  verbs:
+    - get
+    - list
+    - watch
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: eventtransforms-addressable-resolver
+  labels:
+    duck.knative.dev/addressable: "true"
+    app.kubernetes.io/version: devel
+    app.kubernetes.io/name: knative-eventing
+# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
+rules:
+  - apiGroups:
+      - eventing.knative.dev
+    resources:
+      - eventtransforms
+      - eventtransforms/status
+    verbs:
+      - get
+      - list
+      - watch
--- a/config/core/roles/clusterrole-namespaced.yaml
+++ b/config/core/roles/clusterrole-namespaced.yaml
@ -79,6 +79,19 @@ rules:
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: knative-sinks-namespaced-admin
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    app.kubernetes.io/version: devel
+    app.kubernetes.io/name: knative-eventing
+rules:
+  - apiGroups: ["sinks.knative.dev"]
+    resources: ["*"]
+    verbs: ["*"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: knative-eventing-namespaced-edit
  labels:
@ -86,7 +99,7 @@ metadata:
    app.kubernetes.io/version: devel
    app.kubernetes.io/name: knative-eventing
 rules:
-  - apiGroups: ["eventing.knative.dev", "messaging.knative.dev", "sources.knative.dev", "flows.knative.dev", "bindings.knative.dev"]
+  - apiGroups: ["eventing.knative.dev", "messaging.knative.dev", "sources.knative.dev", "flows.knative.dev", "bindings.knative.dev", "sinks.knative.dev"]
    resources: ["*"]
    verbs: ["create", "update", "patch", "delete"]
 ---
@ -99,6 +112,6 @@ metadata:
    app.kubernetes.io/version: devel
    app.kubernetes.io/name: knative-eventing
 rules:
-  - apiGroups: ["eventing.knative.dev", "messaging.knative.dev", "sources.knative.dev", "flows.knative.dev", "bindings.knative.dev"]
+  - apiGroups: ["eventing.knative.dev", "messaging.knative.dev", "sources.knative.dev", "flows.knative.dev", "bindings.knative.dev", "sinks.knative.dev"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
--- a/config/core/roles/controller-clusterroles.yaml
+++ b/config/core/roles/controller-clusterroles.yaml
@ -64,11 +64,13 @@ rules:
      - "list"
      - "watch"

-  # PingSource controller manipulates Deployment owner reference
+  # PingSource and EventTransform controllers manipulate Deployment and ConfigMap owner reference
  - apiGroups:
      - "apps"
+      - ""
    resources:
      - "deployments/finalizers"
+      - "configmaps/finalizers"
    verbs:
      - "update"

@ -99,6 +101,8 @@ rules:
      - "eventtypes/status"
      - "eventpolicies"
      - "eventpolicies/status"
+      - "eventtransforms"
+      - "eventtransforms/status"
    verbs:
      - "get"
      - "list"
@ -113,6 +117,8 @@ rules:
    resources:
      - "jobsinks"
      - "jobsinks/status"
+      - "integrationsinks"
+      - "integrationsinks/status"
    verbs:
      - "get"
      - "list"
@ -128,6 +134,23 @@ rules:
    resources:
      - "brokers/finalizers"
      - "triggers/finalizers"
+      - "eventtransforms/finalizers"
+    verbs:
+      - "update"
+
+  # EventTransform controller manipulates SinkBinding owner reference
+  - apiGroups:
+      - "sources.knative.dev"
+    resources:
+      - "sinkbindings/finalizers"
+    verbs:
+      - "update"
+
+  # EventTransform controller manipulates Service owner reference
+  - apiGroups:
+      - ""
+    resources:
+      - "services/finalizers"
    verbs:
      - "update"

@ -135,6 +158,7 @@ rules:
      - "sinks.knative.dev"
    resources:
      - "jobsinks/finalizers"
+      - "integrationsinks/finalizers"
    verbs:
      - "update"

@ -218,3 +242,37 @@ rules:
      - "delete"
      - "patch"
      - "watch"
+
+  - apiGroups:
+      - "cert-manager.io"
+    resources:
+      - "certificates"
+    verbs:
+      - "get"
+      - "list"
+      - "create"
+      - "update"
+      - "delete"
+      - "patch"
+      - "watch"
+
+  # EventTransform controller manipulates Certificate owner reference
+  - apiGroups:
+      - "cert-manager.io"
+    resources:
+      - "certificates/finalizers"
+    verbs:
+      - "update"
+
+  - apiGroups:
+      - "acme.cert-manager.io"
+    resources:
+      - "challenges"
+    verbs:
+      - "get"
+      - "list"
+      - "create"
+      - "update"
+      - "delete"
+      - "patch"
+      - "watch"
--- a/config/core/roles/source-observer-clusterrole.yaml
+++ b/config/core/roles/source-observer-clusterrole.yaml
@ -45,6 +45,7 @@ rules:
      - pingsources
      - sinkbindings
      - containersources
+      - integrationsources
    verbs:
      - get
      - list
--- a/config/core/roles/sources-controller-clusterroles.yaml
+++ b/config/core/roles/sources-controller-clusterroles.yaml
@ -66,6 +66,9 @@ rules:
      - "containersources"
      - "containersources/status"
      - "containersources/finalizers"
+      - "integrationsources"
+      - "integrationsources/status"
+      - "integrationsources/finalizers"
    verbs:
      - "get"
      - "list"
--- a/config/post-install/placeholder.go
+++ b/config/post-install/placeholder.go
@ -16,4 +16,6 @@ limitations under the License.

 // Package post_install is a placeholder that allows us to pull in config files
 // via go mod vendor.
+//
+//nolint:staticcheck
 package post_install
--- a/config/post-install/storage-version-migrator.yaml
+++ b/config/post-install/storage-version-migrator.yaml
@ -32,6 +32,7 @@ spec:
        app.kubernetes.io/name: knative-eventing
        app.kubernetes.io/component: storage-version-migration-job
        app.kubernetes.io/version: devel
+        sidecar.istio.io/inject: "false"
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
@ -40,6 +41,9 @@ spec:
      containers:
        - name: migrate
          image: ko://knative.dev/pkg/apiextensions/storageversion/cmd/migrate
+          env:
+            - name: IGNORE_NOT_FOUND
+              value: "true"
          args:
            - "apiserversources.sources.knative.dev"
            - "brokers.eventing.knative.dev"
@ -54,6 +58,9 @@ spec:
            - "subscriptions.messaging.knative.dev"
            - "triggers.eventing.knative.dev"
            - "jobsinks.sinks.knative.dev"
+            - "eventpolicies.eventing.knative.dev"
+            - "integrationsources.sources.knative.dev"
+            - "integrationsinks.sinks.knative.dev"
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
--- a/docs/eventing-api.md
+++ b/docs/eventing-api.md
--- a/docs/mt-channel-based-broker/README.md
+++ b/docs/mt-channel-based-broker/README.md
@ -14,7 +14,7 @@ In the following the control plane components and their responsibilities are des

 The `mt-broker-controller` is kind of the heart of the MTChannelBasedBroker control plane and has the following responsibilities:

-* Watches for new `Broker` resources with the `eventing.kantive.dev/broker.class: MTChannelBasedBroker` annotation (step 2 in the diagram) and creates a new _concrete_ channel resource (step 3 in the diagram) depending on the `channel-template-spec` from the configmap referenced in the `config-br-defaults` configmap (by default this points to `config-br-default-channel`).
+* Watches for new `Broker` resources with the `eventing.knative.dev/broker.class: MTChannelBasedBroker` annotation (step 2 in the diagram) and creates a new _concrete_ channel resource (step 3 in the diagram) depending on the `channel-template-spec` from the configmap referenced in the `config-br-defaults` configmap (by default this points to `config-br-default-channel`).

  Be aware that in case the default `brokerClass` in `config-br-defaults` is not set to `MTChannelBasedBroker`, the referenced configmap still must contain a `channel-template-spec`. Otherwise the user needs to define the corresponding config on the broker resource directly when using the `MTChannelBasedBroker` broker class, e.g.:

--- a/go.mod
+++ b/go.mod
@ -1,21 +1,21 @@
 module knative.dev/eventing

-go 1.22
+go 1.24.0

 require (
 	github.com/ahmetb/gen-crd-api-reference-docs v0.3.1-0.20210420163308-c1402a70e2f1
-	github.com/cloudevents/conformance v0.2.0
+	github.com/cert-manager/cert-manager v1.16.3
+	github.com/cloudevents/conformance v0.4.1
 	github.com/cloudevents/sdk-go/observability/opencensus/v2 v2.15.2
 	github.com/cloudevents/sdk-go/protocol/mqtt_paho/v2 v2.0.0-20240508060731-1ed9471c98bd
 	github.com/cloudevents/sdk-go/sql/v2 v2.0.0-20240712172937-3ce6b2f1f011
 	github.com/cloudevents/sdk-go/v2 v2.15.2
 	github.com/coreos/go-oidc/v3 v3.9.0
 	github.com/eclipse/paho.golang v0.12.0
-	github.com/go-jose/go-jose/v3 v3.0.3
-	github.com/google/go-cmp v0.6.0
-	github.com/google/gofuzz v1.2.0
+	github.com/go-jose/go-jose/v3 v3.0.4
+	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
-	github.com/gorilla/websocket v1.5.1
+	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-retryablehttp v0.7.7
 	github.com/hashicorp/golang-lru v1.0.2
@ -27,27 +27,32 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/rickb777/date v1.13.0
 	github.com/robfig/cron/v3 v3.0.1
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
 	github.com/wavesoftware/go-ensure v1.0.0
 	go.opencensus.io v0.24.0
-	go.opentelemetry.io/otel v1.24.0
-	go.opentelemetry.io/otel/trace v1.24.0
+	go.opentelemetry.io/contrib/instrumentation/runtime v0.62.0
+	go.opentelemetry.io/otel v1.37.0
+	go.opentelemetry.io/otel/sdk v1.37.0
+	go.opentelemetry.io/otel/sdk/metric v1.37.0
+	go.opentelemetry.io/otel/trace v1.37.0
 	go.uber.org/atomic v1.10.0
 	go.uber.org/multierr v1.11.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/net v0.27.0
-	golang.org/x/sync v0.7.0
-	k8s.io/api v0.29.2
-	k8s.io/apiextensions-apiserver v0.29.2
-	k8s.io/apimachinery v0.29.2
-	k8s.io/apiserver v0.29.2
-	k8s.io/client-go v0.29.2
-	k8s.io/utils v0.0.0-20240102154912-e7106e64919e
-	knative.dev/hack v0.0.0-20240704013904-b9799599afcf
-	knative.dev/hack/schema v0.0.0-20240704013904-b9799599afcf
-	knative.dev/pkg v0.0.0-20240716082220-4355f0c73608
-	knative.dev/reconciler-test v0.0.0-20240716134925-00d94f40c470
-	sigs.k8s.io/yaml v1.4.0
+	golang.org/x/net v0.41.0
+	golang.org/x/sync v0.15.0
+	k8s.io/api v0.33.1
+	k8s.io/apiextensions-apiserver v0.33.1
+	k8s.io/apimachinery v0.33.1
+	k8s.io/apiserver v0.33.1
+	k8s.io/client-go v0.33.1
+	k8s.io/code-generator v0.33.1
+	k8s.io/utils v0.0.0-20241210054802-24370beab758
+	knative.dev/hack v0.0.0-20250708013849-70d4b00da6ba
+	knative.dev/hack/schema v0.0.0-20250708013849-70d4b00da6ba
+	knative.dev/pkg v0.0.0-20250708013613-d3550d4350f9
+	knative.dev/reconciler-test v0.0.0-20250708152404-d97d9007b8d3
+	sigs.k8s.io/randfill v1.0.0
+	sigs.k8s.io/yaml v1.5.0
 )

 require (
@ -58,66 +63,84 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/blendle/zapdriver v1.3.1 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
 	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
-	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-kit/log v0.2.1 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/gobuffalo/flect v1.0.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/gobuffalo/flect v1.0.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
-	github.com/imdario/mergo v0.3.9 // indirect
+	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.19.1 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.54.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.22.0 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.65.0 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/prometheus/statsd_exporter v0.22.7 // indirect
 	github.com/rickb777/plural v1.2.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/spf13/cobra v1.7.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/cobra v1.8.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
-	go.uber.org/automaxprocs v1.5.3 // indirect
-	golang.org/x/crypto v0.25.0 // indirect
-	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/oauth2 v0.21.0 // indirect
-	golang.org/x/sys v0.22.0 // indirect
-	golang.org/x/term v0.22.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.23.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/api v0.183.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
-	google.golang.org/grpc v1.65.0 // indirect
-	google.golang.org/protobuf v1.34.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/prometheus v0.59.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.37.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.7.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	golang.org/x/crypto v0.39.0 // indirect
+	golang.org/x/mod v0.25.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/time v0.10.0 // indirect
+	golang.org/x/tools v0.34.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
+	google.golang.org/api v0.198.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
+	google.golang.org/grpc v1.73.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/code-generator v0.29.2 // indirect
-	k8s.io/gengo v0.0.0-20240129211411-f967bbeff4b4 // indirect
+	k8s.io/gengo v0.0.0-20240404160639-a0386bf69313 // indirect
+	k8s.io/gengo/v2 v2.0.0-20250207200755-1244d31929d7 // indirect
 	k8s.io/klog v1.0.0 // indirect
-	k8s.io/klog/v2 v2.120.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
+	sigs.k8s.io/gateway-api v1.1.0 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/hack/create-kind-cluster.sh
+++ b/hack/create-kind-cluster.sh
@ -20,8 +20,8 @@ set -o nounset
 set -o pipefail

 CLUSTER_SUFFIX=${CLUSTER_SUFFIX:-"cluster.local"}
-NODE_VERSION=${NODE_VERSION:-"v1.28.7"}
-NODE_SHA=${NODE_SHA:-"sha256:9bc6c451a289cf96ad0bbaf33d416901de6fd632415b076ab05f5fa7e4f65c58"}
+NODE_VERSION=${NODE_VERSION:-"v1.31.4"}
+NODE_SHA=${NODE_SHA:-"sha256:2cb39f7295fe7eafee0842b1052a599a4fb0f8bcf3f83d96c7f4864c357c6c30"}

 cat <<EOF | kind create cluster --config=-
 apiVersion: kind.x-k8s.io/v1alpha4
--- a/hack/e2e-debug.sh
+++ b/hack/e2e-debug.sh
@ -35,4 +35,4 @@ wait_until_pods_running knative-eventing || fail_test "Pods in knative-eventing

 header "Running tests"

-go test -tags=e2e -v -timeout=30m -run="${test_name}" "${test_dir}" || fail_test "Test(s) failed"
+go test -tags=e2e -v -timeout=30m -parallel=12 -run="${test_name}" "${test_dir}" || fail_test "Test(s) failed"
--- a/hack/release.sh
+++ b/hack/release.sh
@ -17,9 +17,50 @@
 # Documentation about this script and how to use it can be found
 # at https://github.com/knative/test-infra/tree/main/ci

-source $(dirname $0)/../vendor/knative.dev/hack/release.sh
+source "$(dirname "${BASH_SOURCE[0]}")/../vendor/knative.dev/hack/release.sh"
+
+KNATIVE_EVENTING_INTEGRATIONS_IMAGES_RELEASE="$(get_latest_knative_yaml_source "eventing-integrations" "eventing-integrations-images")"
+readonly KNATIVE_EVENTING_INTEGRATIONS_IMAGES_RELEASE
+KNATIVE_EVENTING_TRANSFORMATIONS_IMAGES_RELEASE="$(get_latest_knative_yaml_source "eventing-integrations" "eventing-transformations-images")"
+readonly KNATIVE_EVENTING_TRANSFORMATIONS_IMAGES_RELEASE
+
+readonly KNATIVE_EVENTING_INTEGRATIONS_IMAGES_CM="${REPO_ROOT_DIR}/third_party/eventing-integrations-latest/eventing-integrations-images.yaml"
+readonly KNATIVE_EVENTING_TRANSFORMATIONS_IMAGES_CM="${REPO_ROOT_DIR}/third_party/eventing-integrations-latest/eventing-transformations-images.yaml"
+
+function update_eventing_integrations_release_cms() {
+   curl "${KNATIVE_EVENTING_INTEGRATIONS_IMAGES_RELEASE}" --create-dirs -o "${KNATIVE_EVENTING_INTEGRATIONS_IMAGES_CM}" || return $?
+   curl "${KNATIVE_EVENTING_TRANSFORMATIONS_IMAGES_RELEASE}" --create-dirs -o "${KNATIVE_EVENTING_TRANSFORMATIONS_IMAGES_CM}" || return $?
+}
+
+function check_knative_nightly() {
+    local files=(
+       "${KNATIVE_EVENTING_INTEGRATIONS_IMAGES_CM}"
+       "${KNATIVE_EVENTING_TRANSFORMATIONS_IMAGES_CM}"
+       "${REPO_ROOT_DIR}/config/core/configmaps/eventing-integrations-images.yaml"
+       "${REPO_ROOT_DIR}/config/core/configmaps/eventing-transformations-images.yaml"
+       "${REPO_ROOT_DIR}/config/400-config-eventing-integrations-images.yaml"
+       "${REPO_ROOT_DIR}/config/400-config-eventing-transformations-images.yaml"
+    )
+
+    for file in "${files[@]}"; do
+        if grep -q "knative-nightly" "$file"; then
+            echo "Error: Found 'knative-nightly' in $file, is eventing-integrations for this major and minor '${TAG}' version already released? https://github.com/knative-extensions/eventing-integrations/releases"
+            cat "${file}"
+            return 1
+        fi
+    done
+
+    echo "No 'knative-nightly' occurrences found."
+}

 function build_release() {
+  if (( PUBLISH_TO_GITHUB )); then
+    # For official releases, update eventing-integrations ConfigMaps and stop the release if a nightly image is found
+    # in the ConfigMaps.
+    update_eventing_integrations_release_cms || return $?
+    check_knative_nightly || return $?
+  fi
+
  # Run `generate-yamls.sh`, which should be versioned with the
  # branch since the detail of building may change over time.
  local YAML_LIST="$(mktemp)"
--- a/hack/tools.go
+++ b/hack/tools.go
@ -36,4 +36,7 @@ import (
 	// API reference docs generation.
 	_ "github.com/ahmetb/gen-crd-api-reference-docs"
 	_ "github.com/ahmetb/gen-crd-api-reference-docs/template"
+
+	// K8s code generation tools
+	_ "k8s.io/code-generator/cmd/validation-gen"
 )
--- a/hack/update-cert-manager.sh
+++ b/hack/update-cert-manager.sh
@ -21,7 +21,7 @@ metadata:
 EOF

  helm template -n cert-manager cert-manager jetstack/cert-manager --create-namespace --version "${cert_manager_version}" --set installCRDs=true > third_party/cert-manager/01-cert-manager.yaml
-  helm template -n cert-manager cert-manager jetstack/trust-manager --create-namespace --version "${trust_manager_version}" --set installCRDs=true > third_party/cert-manager/02-trust-manager.yaml
+  helm template -n cert-manager cert-manager jetstack/trust-manager --create-namespace --version "${trust_manager_version}" --set crds.enabled=true > third_party/cert-manager/02-trust-manager.yaml
 }

-update_cert_manager "v1.13.3" "v0.7.1"
+update_cert_manager "v1.16.3" "v0.12.0"
--- a/hack/update-codegen.sh
+++ b/hack/update-codegen.sh
@ -19,6 +19,7 @@ set -o nounset
 set -o pipefail

 source $(dirname $0)/../vendor/knative.dev/hack/codegen-library.sh
+source "${CODEGEN_PKG}/kube_codegen.sh"

 # If we run with -mod=vendor here, then generate-groups.sh looks for vendor files in the wrong place.
 export GOFLAGS=-mod=
@ -32,34 +33,30 @@ ${REPO_ROOT_DIR}/hack/update-checksums.sh

 group "Kubernetes Codegen"

-# generate the code with:
-# --output-base    because this script should also be able to run inside the vendor dir of
-#                  k8s.io/kubernetes. The output-base is needed for the generators to output into the vendor dir
-#                  instead of the $GOPATH directly. For normal projects this can be dropped.
-${CODEGEN_PKG}/generate-groups.sh "deepcopy,client,informer,lister" \
-  knative.dev/eventing/pkg/client knative.dev/eventing/pkg/apis \
-  "sinks:v1alpha1 eventing:v1alpha1 eventing:v1beta1 eventing:v1beta2 eventing:v1beta3 eventing:v1 messaging:v1 flows:v1 sources:v1beta2 sources:v1" \
-  --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt
+kube::codegen::gen_helpers \
+  --boilerplate "${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt" \
+  "${REPO_ROOT_DIR}/pkg/apis"

-# Deep copy config
-${GOPATH}/bin/deepcopy-gen \
-  -O zz_generated.deepcopy \
-  --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt \
-  -i knative.dev/eventing/pkg/apis/config \
-  -i knative.dev/eventing/pkg/apis/messaging/config \
-
-# Only deepcopy the Duck types, as they are not real resources.
-${CODEGEN_PKG}/generate-groups.sh "deepcopy" \
-  knative.dev/eventing/pkg/client knative.dev/eventing/pkg/apis \
-  "duck:v1beta1 duck:v1alpha1 duck:v1" \
-  --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt
+kube::codegen::gen_client \
+  --boilerplate "${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt" \
+  --output-dir "${REPO_ROOT_DIR}/pkg/client" \
+  --output-pkg "knative.dev/eventing/pkg/client" \
+  --with-watch \
+  "${REPO_ROOT_DIR}/pkg/apis"

 group "Knative Codegen"

 # Knative Injection
 ${KNATIVE_CODEGEN_PKG}/hack/generate-knative.sh "injection" \
  knative.dev/eventing/pkg/client knative.dev/eventing/pkg/apis \
-  "sinks:v1alpha1 eventing:v1alpha1 eventing:v1beta1 eventing:v1beta2 eventing:v1beta3 eventing:v1 messaging:v1 flows:v1 sources:v1beta2 sources:v1 duck:v1beta1 duck:v1" \
+  "sinks:v1alpha1 eventing:v1alpha1 eventing:v1beta1 eventing:v1beta2 eventing:v1beta3 eventing:v1 messaging:v1 flows:v1 sources:v1alpha1 sources:v1beta2 sources:v1 duck:v1beta1 duck:v1" \
+  --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt
+
+# Knative Injection (for cert-manager)
+OUTPUT_PKG="knative.dev/eventing/pkg/client/certmanager/injection" \
+${KNATIVE_CODEGEN_PKG}/hack/generate-knative.sh "injection" \
+  github.com/cert-manager/cert-manager/pkg/client github.com/cert-manager/cert-manager/pkg/apis "certmanager:v1 acme:v1" \
+  --disable-informer-init \
  --go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt

 group "Generating API reference docs"
--- a/pkg/adapter/apiserver/adapter.go
+++ b/pkg/adapter/apiserver/adapter.go
@ -19,7 +19,6 @@ package apiserver
 import (
 	"context"
 	"fmt"
-	"net/http"
 	"time"

 	cloudevents "github.com/cloudevents/sdk-go/v2"
@ -34,7 +33,6 @@ import (

 	"knative.dev/eventing/pkg/adapter/v2"
 	v1 "knative.dev/eventing/pkg/apis/sources/v1"
-	brokerfilter "knative.dev/eventing/pkg/broker/filter"
 	"knative.dev/eventing/pkg/eventfilter/subscriptionsapi"
 )

@ -73,7 +71,7 @@ func (a *apiServerAdapter) start(ctx context.Context, stopCh <-chan struct{}) er
 		logger:              a.logger,
 		ref:                 a.config.EventMode == v1.ReferenceMode,
 		apiServerSourceName: a.name,
-		filter:              subscriptionsapi.NewAllFilter(brokerfilter.MaterializeFiltersList(a.logger.Desugar(), a.config.Filters)...),
+		filter:              subscriptionsapi.NewAllFilter(subscriptionsapi.MaterializeFiltersList(a.logger.Desugar(), a.config.Filters)...),
 	}
 	if a.config.ResourceOwner != nil {
 		a.logger.Infow("will be filtered",
@ -127,20 +125,8 @@ func (a *apiServerAdapter) start(ctx context.Context, stopCh <-chan struct{}) er
 		}
 	}

-	srv := &http.Server{
-		Addr: ":8080",
-		// Configure read header timeout to overcome potential Slowloris Attack because ReadHeaderTimeout is not
-		// configured in the http.Server.
-		ReadHeaderTimeout: 10 * time.Second,
-		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.WriteHeader(http.StatusOK)
-		}),
-	}
-	go srv.ListenAndServe()
-
 	<-stopCh
-	stop <- struct{}{}
-	srv.Shutdown(ctx)
+	close(stop)
 	return nil
 }

--- a/pkg/adapter/apiserver/adapter_test.go
+++ b/pkg/adapter/apiserver/adapter_test.go
@ -35,7 +35,6 @@ import (
 	kubetesting "k8s.io/client-go/testing"
 	adaptertest "knative.dev/eventing/pkg/adapter/v2/test"
 	eventingv1 "knative.dev/eventing/pkg/apis/eventing/v1"
-	brokerfilter "knative.dev/eventing/pkg/broker/filter"
 	"knative.dev/eventing/pkg/eventfilter/subscriptionsapi"
 	rectesting "knative.dev/eventing/pkg/reconciler/testing"
 	"knative.dev/pkg/logging"
@ -299,7 +298,7 @@ func makeResourceAndTestingClient() (*resourceDelegate, *adaptertest.TestCloudEv
 		source:              "unit-test",
 		apiServerSourceName: apiServerSourceNameTest,
 		logger:              logger,
-		filter:              subscriptionsapi.NewAllFilter(brokerfilter.MaterializeFiltersList(logger.Desugar(), []eventingv1.SubscriptionsAPIFilter{})...),
+		filter:              subscriptionsapi.NewAllFilter(subscriptionsapi.MaterializeFiltersList(logger.Desugar(), []eventingv1.SubscriptionsAPIFilter{})...),
 	}, ce
 }

@ -313,6 +312,6 @@ func makeRefAndTestingClient() (*resourceDelegate, *adaptertest.TestCloudEventsC
 		apiServerSourceName: apiServerSourceNameTest,
 		logger:              zap.NewExample().Sugar(),
 		ref:                 true,
-		filter:              subscriptionsapi.NewAllFilter(brokerfilter.MaterializeFiltersList(logger.Desugar(), []eventingv1.SubscriptionsAPIFilter{})...),
+		filter:              subscriptionsapi.NewAllFilter(subscriptionsapi.MaterializeFiltersList(logger.Desugar(), []eventingv1.SubscriptionsAPIFilter{})...),
 	}, ce
 }
--- a/pkg/adapter/apiserver/delegate_test.go
+++ b/pkg/adapter/apiserver/delegate_test.go
@ -22,7 +22,6 @@ import (
 	adaptertest "knative.dev/eventing/pkg/adapter/v2/test"
 	eventingv1 "knative.dev/eventing/pkg/apis/eventing/v1"
 	"knative.dev/eventing/pkg/apis/sources"
-	brokerfilter "knative.dev/eventing/pkg/broker/filter"
 	"knative.dev/eventing/pkg/eventfilter/subscriptionsapi"
 )

@ -87,7 +86,7 @@ func TestFilterFails(t *testing.T) {
 		source:              "unit-test",
 		apiServerSourceName: apiServerSourceNameTest,
 		logger:              logger,
-		filter:              subscriptionsapi.NewAllFilter(brokerfilter.MaterializeFiltersList(logger.Desugar(), filters)...),
+		filter:              subscriptionsapi.NewAllFilter(subscriptionsapi.MaterializeFiltersList(logger.Desugar(), filters)...),
 	}

 	delegate.Update(simplePod("unit", "test"))
@ -104,7 +103,7 @@ func TestEmptyFiltersList(t *testing.T) {
 		source:              "unit-test",
 		apiServerSourceName: apiServerSourceNameTest,
 		logger:              logger,
-		filter:              subscriptionsapi.NewAllFilter(brokerfilter.MaterializeFiltersList(logger.Desugar(), filters)...),
+		filter:              subscriptionsapi.NewAllFilter(subscriptionsapi.MaterializeFiltersList(logger.Desugar(), filters)...),
 	}

 	delegate.Update(simplePod("unit", "test"))
--- a/pkg/adapter/mtping/runner_test.go
+++ b/pkg/adapter/mtping/runner_test.go
@ -20,6 +20,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/base64"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
@ -213,8 +214,8 @@ func TestSendEventsTLS(t *testing.T) {
 	eventsChan := make(chan cloudevents.Event, 10)
 	handler := eventingtlstesting.EventChannelHandler(eventsChan)
 	events := make([]cloudevents.Event, 0, 8)
-	ca := eventingtlstesting.StartServer(ctx, t, 8500, handler)
-	hostString := "localhost:8500"
+	ca, port := eventingtlstesting.StartServer(ctx, t, 0, handler)
+	hostString := fmt.Sprintf("localhost:%d", port)

 	var wg sync.WaitGroup
 	wg.Add(1)
--- a/pkg/adapter/v2/cloudevents_test.go
+++ b/pkg/adapter/v2/cloudevents_test.go
@ -18,6 +18,7 @@ package adapter

 import (
 	"context"
+	"fmt"
 	nethttp "net/http"
 	"os"
 	"strconv"
@ -309,7 +310,7 @@ func TestTLS(t *testing.T) {
 	ctx, cancel := context.WithCancel(ctx)
 	t.Cleanup(cancel)

-	ca := eventingtlstesting.StartServer(ctx, t, 8333, nethttp.HandlerFunc(func(writer nethttp.ResponseWriter, request *nethttp.Request) {
+	ca, port := eventingtlstesting.StartServer(ctx, t, 0, nethttp.HandlerFunc(func(writer nethttp.ResponseWriter, request *nethttp.Request) {
 		if request.TLS == nil {
 			// It's not on TLS, fail request
 			writer.WriteHeader(nethttp.StatusInternalServerError)
@ -328,17 +329,17 @@ func TestTLS(t *testing.T) {
 	}{
 		{
 			name:    "https sink URL, no CA certs fail",
-			sink:    "https://localhost:8333",
+			sink:    fmt.Sprintf("https://localhost:%d", port),
 			wantErr: true,
 		},
 		{
 			name:    "https sink URL with ca certs",
-			sink:    "https://localhost:8333",
+			sink:    fmt.Sprintf("https://localhost:%d", port),
 			caCerts: pointer.String(ca),
 		},
 		{
 			name:    "http sink URL with ca certs",
-			sink:    "http://localhost:8333",
+			sink:    fmt.Sprintf("http://localhost:%d", port),
 			caCerts: pointer.String(ca),
 			wantErr: true,
 		},
--- a/pkg/adapter/v2/context.go
+++ b/pkg/adapter/v2/context.go
@ -124,3 +124,14 @@ func ConfiguratorOptionsFromContext(ctx context.Context) []ConfiguratorOption {
 	}
 	return value.([]ConfiguratorOption)
 }
+
+type healthProbesDisabledKey struct{}
+
+// WithHealthProbesDisabled signals to MainWithContext that it should disable default probes (readiness and liveness).
+func WithHealthProbesDisabled(ctx context.Context) context.Context {
+	return context.WithValue(ctx, healthProbesDisabledKey{}, struct{}{})
+}
+
+func HealthProbesDisabled(ctx context.Context) bool {
+	return ctx.Value(healthProbesDisabledKey{}) != nil
+}
--- a/pkg/adapter/v2/main.go
+++ b/pkg/adapter/v2/main.go
@ -306,6 +306,14 @@ func MainWithInformers(ctx context.Context, component string, env EnvConfigAcces
 		}()
 	}

+	if !HealthProbesDisabled(ctx) {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			injection.ServeHealthProbes(ctx, injection.HealthCheckDefaultPort)
+		}()
+	}
+
 	// Finally start the adapter (blocking)
 	if err := adapter.Start(ctx); err != nil {
 		logger.Fatalw("Start returned an error", zap.Error(err))
--- a/pkg/adapter/v2/main_test.go
+++ b/pkg/adapter/v2/main_test.go
@ -67,6 +67,7 @@ func TestMainWithContext(t *testing.T) {
 	}()

 	ctx := context.TODO()
+	ctx = WithHealthProbesDisabled(ctx)
 	ctx, _ = fakekubeclient.With(ctx)

 	MainWithContext(ctx, "mycomponent",
--- a/pkg/adapter/v2/test/test_client.go
+++ b/pkg/adapter/v2/test/test_client.go
@ -13,6 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package test

 import (
--- a/pkg/adapter/v2/util/crstatusevent/eventsstatus.go
+++ b/pkg/adapter/v2/util/crstatusevent/eventsstatus.go
@ -74,7 +74,9 @@ func UpdateFromConfigMap(client *CRStatusEventClient) func(configMap *corev1.Con
 	}
 }

-var contextkey struct{}
+type contextkeytype struct{}
+
+var contextkey contextkeytype

 func ContextWithCRStatus(ctx context.Context, kubeEventSink *record.EventSink, component string, source runtime.Object, logf func(format string, args ...interface{})) context.Context {

@ -144,7 +146,7 @@ func (a *crStatusEvent) createEvent(ctx context.Context, result protocol.Result)
 		reason = strconv.Itoa(res.StatusCode)
 		if res.Format != "" && res.Format != "%w" { // returns '"%w" but this does not format
 			msg += " " + fmt.Sprintf(res.Format, res.Args...)
-		} else if res.Args != nil && len(res.Args) > 0 {
+		} else if len(res.Args) > 0 {
 			if m, ok := res.Args[0].(*protocol.Receipt); ok {
 				if m.Err != nil {
 					msg += " " + m.Err.Error() // add any error message if it's there.
--- a/pkg/apis/common/integration/v1alpha1/auth.go
+++ b/pkg/apis/common/integration/v1alpha1/auth.go
@ -0,0 +1,43 @@
+/*
+Copyright 2024 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+type Auth struct {
+	// Auth Secret
+	Secret *Secret `json:"secret,omitempty"`
+
+	// AccessKey is the AWS access key ID.
+	AccessKey string `json:"accessKey,omitempty"`
+
+	// SecretKey is the AWS secret access key.
+	SecretKey string `json:"secretKey,omitempty"`
+}
+
+func (a *Auth) HasAuth() bool {
+	return a != nil && a.Secret != nil &&
+		a.Secret.Ref != nil && a.Secret.Ref.Name != ""
+}
+
+type Secret struct {
+	// Secret reference for SASL and SSL configurations.
+	Ref *SecretReference `json:"ref,omitempty"`
+}
+
+type SecretReference struct {
+	// Secret name.
+	Name string `json:"name"`
+}
--- a/pkg/apis/common/integration/v1alpha1/aws.go
+++ b/pkg/apis/common/integration/v1alpha1/aws.go
@ -0,0 +1,76 @@
+/*
+Copyright 2024 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+const (
+
+	// AwsAccessKey is the name of the expected key on the secret for accessing the actual AWS access key value.
+	AwsAccessKey = "aws.accessKey"
+	// AwsSecretKey is the name of the expected key on the secret for accessing the actual AWS secret key value.
+	AwsSecretKey = "aws.secretKey"
+)
+
+type AWSCommon struct {
+	// Auth is the S3 authentication (accessKey/secretKey) configuration.
+	Region              string `json:"region,omitempty"`                 // AWS region
+	URIEndpointOverride string `json:"uriEndpointOverride,omitempty"`    // Override endpoint URI
+	OverrideEndpoint    bool   `json:"overrideEndpoint" default:"false"` // Override endpoint flag
+}
+
+type AWSS3 struct {
+	AWSCommon               `json:",inline"` // Embeds AWSCommon to inherit its fields in JSON
+	Arn                     string           `json:"arn,omitempty" camel:"BUCKET_NAME_OR_ARN"` // S3 ARN
+	DeleteAfterRead         bool             `json:"deleteAfterRead" default:"true"`           // Auto-delete objects after reading
+	MoveAfterRead           bool             `json:"moveAfterRead" default:"false"`            // Move objects after reading
+	DestinationBucket       string           `json:"destinationBucket,omitempty"`              // Destination bucket for moved objects
+	DestinationBucketPrefix string           `json:"destinationBucketPrefix,omitempty"`        // Prefix for moved objects
+	DestinationBucketSuffix string           `json:"destinationBucketSuffix,omitempty"`        // Suffix for moved objects
+	AutoCreateBucket        bool             `json:"autoCreateBucket" default:"false"`         // Auto-create S3 bucket
+	Prefix                  string           `json:"prefix,omitempty"`                         // S3 bucket prefix for search
+	IgnoreBody              bool             `json:"ignoreBody" default:"false"`               // Ignore object body
+	ForcePathStyle          bool             `json:"forcePathStyle" default:"false"`           // Force path style for bucket access
+	Delay                   int              `json:"delay" default:"500"`                      // Delay between polls in milliseconds
+	MaxMessagesPerPoll      int              `json:"maxMessagesPerPoll" default:"10"`          // Max messages to poll per request
+}
+
+type AWSSQS struct {
+	AWSCommon          `json:",inline"` // Embeds AWSCommon to inherit its fields in JSON
+	Arn                string           `json:"arn,omitempty" camel:"QUEUE_NAME_OR_ARN"`            // SQS ARN
+	DeleteAfterRead    bool             `json:"deleteAfterRead" default:"true"`                     // Auto-delete messages after reading
+	AutoCreateQueue    bool             `json:"autoCreateQueue" default:"false"`                    // Auto-create SQS queue
+	Host               string           `json:"host" camel:"AMAZONAWSHOST" default:"amazonaws.com"` // AWS host
+	Protocol           string           `json:"protocol" default:"https"`                           // Communication protocol (http/https)
+	QueueURL           string           `json:"queueURL,omitempty"`                                 // Full SQS queue URL
+	Greedy             bool             `json:"greedy" default:"false"`                             // Greedy scheduler
+	Delay              int              `json:"delay" default:"500"`                                // Delay between polls in milliseconds
+	MaxMessagesPerPoll int              `json:"maxMessagesPerPoll" default:"1"`                     // Max messages to return (1-10)
+	WaitTimeSeconds    int              `json:"waitTimeSeconds,omitempty"`                          // Wait time for messages
+	VisibilityTimeout  int              `json:"visibilityTimeout,omitempty"`                        // Visibility timeout in seconds
+}
+
+type AWSDDBStreams struct {
+	AWSCommon          `json:",inline"` // Embeds AWSCommon to inherit its fields in JSON
+	Table              string           `json:"table,omitempty"`                                    // The name of the DynamoDB table
+	StreamIteratorType string           `json:"streamIteratorType,omitempty" default:"FROM_LATEST"` // Defines where in the DynamoDB stream to start getting records
+	Delay              int              `json:"delay,omitempty" default:"500"`                      // Delay in milliseconds before the next poll from the database
+}
+
+type AWSSNS struct {
+	AWSCommon       `json:",inline"` // Embeds AWSCommon to inherit its fields in JSON
+	Arn             string           `json:"arn,omitempty" camel:"TOPIC_NAME_OR_ARN"` // SNS ARN
+	AutoCreateTopic bool             `json:"autoCreateTopic" default:"false"`         // Auto-create SNS topic
+}
--- a/pkg/apis/common/integration/v1alpha1/doc.go
+++ b/pkg/apis/common/integration/v1alpha1/doc.go
@ -0,0 +1,19 @@
+/*
+Copyright 2024 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+
+package v1alpha1
--- a/pkg/apis/common/integration/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/common/integration/v1alpha1/zz_generated.deepcopy.go
@ -0,0 +1,164 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright 2021 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSCommon) DeepCopyInto(out *AWSCommon) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSCommon.
+func (in *AWSCommon) DeepCopy() *AWSCommon {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSCommon)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSDDBStreams) DeepCopyInto(out *AWSDDBStreams) {
+	*out = *in
+	out.AWSCommon = in.AWSCommon
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSDDBStreams.
+func (in *AWSDDBStreams) DeepCopy() *AWSDDBStreams {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSDDBStreams)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSS3) DeepCopyInto(out *AWSS3) {
+	*out = *in
+	out.AWSCommon = in.AWSCommon
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSS3.
+func (in *AWSS3) DeepCopy() *AWSS3 {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSS3)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSSNS) DeepCopyInto(out *AWSSNS) {
+	*out = *in
+	out.AWSCommon = in.AWSCommon
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSSNS.
+func (in *AWSSNS) DeepCopy() *AWSSNS {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSSNS)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSSQS) DeepCopyInto(out *AWSSQS) {
+	*out = *in
+	out.AWSCommon = in.AWSCommon
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSSQS.
+func (in *AWSSQS) DeepCopy() *AWSSQS {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSSQS)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Auth) DeepCopyInto(out *Auth) {
+	*out = *in
+	if in.Secret != nil {
+		in, out := &in.Secret, &out.Secret
+		*out = new(Secret)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Auth.
+func (in *Auth) DeepCopy() *Auth {
+	if in == nil {
+		return nil
+	}
+	out := new(Auth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Secret) DeepCopyInto(out *Secret) {
+	*out = *in
+	if in.Ref != nil {
+		in, out := &in.Ref, &out.Ref
+		*out = new(SecretReference)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Secret.
+func (in *Secret) DeepCopy() *Secret {
+	if in == nil {
+		return nil
+	}
+	out := new(Secret)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretReference) DeepCopyInto(out *SecretReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretReference.
+func (in *SecretReference) DeepCopy() *SecretReference {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretReference)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/pkg/apis/config/defaults.go
+++ b/pkg/apis/config/defaults.go
@ -68,28 +68,88 @@ func NewDefaultsConfigFromConfigMap(config *corev1.ConfigMap) (*Defaults, error)
 	return NewDefaultsConfigFromMap(config.Data)
 }

+/*
+The priority precedence for determining the broker class and configuration is as follows:
+
+1. If a specific broker class is provided:
+   a. Check namespace-specific configuration for the given broker class
+   b. If not found, check cluster-wide configuration for the given broker class
+   c. If still not found, use the cluster-wide default configuration
+
+2. If no specific broker class is provided:
+   a. Check namespace-specific default broker class
+   b. If found, use its configuration (following step 1)
+   c. If not found, use cluster-wide default broker class and configuration
+
+3. If no default cluster configuration is set, return an error
+
+4. If no default namespace configuration is set, will use the cluster-wide default configuration.
+
+This can be represented as a flow chart:
+
+                    Start
+                      |
+                      v
+          Is broker class provided?
+                 /            \
+               Yes            No
+               /                \
+   Check namespace config    Check namespace
+   for provided class        default class
+         |                        |
+         v                        v
+    Found?                    Found?
+     /    \                    /    \
+   Yes    No                 Yes    No
+   |       |                 |       |
+   |       |                 |       |
+   |       v                 |       v
+   |   Check cluster         |   Use cluster
+   |   config for class      |   default class
+   |       |                 |   and config
+   |       v                 |
+   |    Found?               |
+   |    /    \               |
+   |  Yes    No              |
+   |   |      |              |
+   |   |      v              |
+   |   |   Use cluster       |
+   |   |   default config    |
+   v   v                     v
+ Use found configuration
+
+The system prioritizes namespace-specific configurations over cluster-wide defaults,
+and explicitly provided broker classes over default classes.
+*/
+
 // Defaults includes the default values to be populated by the webhook.
 type Defaults struct {
 	// NamespaceDefaultsConfig are the default Broker Configs for each namespace.
-	// Namespace is the key, the value is the KReference to the config.
-	NamespaceDefaultsConfig map[string]*ClassAndBrokerConfig `json:"namespaceDefaults,omitempty"`
+	// Namespace is the key, the value is the NamespaceDefaultConfig
+	NamespaceDefaultsConfig map[string]*DefaultConfig `json:"namespaceDefaults,omitempty"`

-	// ClusterDefaultBrokerConfig is the default broker config for all the namespaces that
-	// are not in NamespaceDefaultBrokerConfigs.
-	ClusterDefault *ClassAndBrokerConfig `json:"clusterDefault,omitempty"`
+	// ClusterDefaultConfig is the default broker config for all the namespaces that
+	// are not in NamespaceDefaultBrokerConfigs. Different broker class could have
+	// different default config.
+	ClusterDefaultConfig *DefaultConfig `json:"clusterDefault,omitempty"`
 }

-// ClassAndBrokerConfig contains configuration for a given namespace for broker. Allows
-// configuring the Class of the Broker, the reference to the
-// config it should use and it's delivery.
-type ClassAndBrokerConfig struct {
-	BrokerClass   string `json:"brokerClass,omitempty"`
+// DefaultConfig struct contains the default configuration for the cluster and namespace.
+type DefaultConfig struct {
+	// DefaultBrokerClass and DefaultBrokerClassConfig are the default broker class for the whole cluster/namespace.
+	// Users have to specify both of them
+	DefaultBrokerClass string `json:"brokerClass,omitempty"`
+
+	//Deprecated: Use the config in BrokerClasses instead
 	*BrokerConfig `json:",inline"`

+	// Optional: BrokerClasses are the default broker classes' config. The key is the broker class name, and the value is the config for that broker class.
+	BrokerClasses map[string]*BrokerConfig `json:"brokerClasses,omitempty"`
+
 	DisallowDifferentNamespaceConfig *bool `json:"disallowDifferentNamespaceConfig,omitempty"`
 }

-// BrokerConfig contains configuration for a given namespace for broker. Allows
+// BrokerConfig contains configuration for a given broker. Allows
 // configuring the reference to the
 // config it should use and it's delivery.
 type BrokerConfig struct {
@ -97,36 +157,115 @@ type BrokerConfig struct {
 	Delivery           *eventingduckv1.DeliverySpec `json:"delivery,omitempty"`
 }

-// GetBrokerConfig returns a namespace specific Broker Configuration, and if
-// that doesn't exist, return a Cluster Default and if that doesn't exist
-// return an error.
-func (d *Defaults) GetBrokerConfig(ns string) (*BrokerConfig, error) {
+// GetBrokerConfig returns a namespace specific Broker Config, and if
+// that doesn't exist, return a Cluster Default and if that doesn't exist return an error.
+func (d *Defaults) GetBrokerConfig(ns string, brokerClassName *string) (*BrokerConfig, error) {
 	if d == nil {
-		return nil, errors.New("Defaults are nil")
+		return nil, errors.New("Defaults for Broker Configurations for cluster have not been set up. You can set them via ConfigMap config-br-defaults.")
 	}
-	value, present := d.NamespaceDefaultsConfig[ns]
-	if present && value.BrokerConfig != nil {
-		return value.BrokerConfig, nil
+
+	// Early return if brokerClassName is provided and valid
+	if brokerClassName != nil && *brokerClassName != "" {
+		return d.getBrokerConfigByClassName(ns, *brokerClassName)
 	}
-	if d.ClusterDefault != nil && d.ClusterDefault.BrokerConfig != nil {
-		return d.ClusterDefault.BrokerConfig, nil
+
+	// Handling empty brokerClassName
+	return d.getBrokerConfigForEmptyClassName(ns)
+}
+
+// getBrokerConfigByClassName returns the BrokerConfig for the given brokerClassName.
+// It first checks the namespace specific configuration, then the cluster default configuration.
+func (d *Defaults) getBrokerConfigByClassName(ns string, brokerClassName string) (*BrokerConfig, error) {
+	// Check namespace specific configuration
+	if nsConfig, ok := d.NamespaceDefaultsConfig[ns]; ok && nsConfig != nil {
+		// check if the brokerClassName is the default broker class for this namespace
+		if nsConfig.DefaultBrokerClass == brokerClassName {
+			if nsConfig.BrokerConfig == nil {
+				// as no default broker class config is set for this namespace, check whether nsconfig's brokerClasses map has the config for this broker class
+				if config, ok := nsConfig.BrokerClasses[brokerClassName]; ok && config != nil {
+					return config, nil
+				}
+				// if not found, return the cluster default config
+				return d.getClusterDefaultBrokerConfig(brokerClassName)
+			} else {
+				// If the brokerClassName exists in the BrokerClasses, return the config in the BrokerClasses
+				if config, ok := nsConfig.BrokerClasses[brokerClassName]; ok && config != nil {
+					return config, nil
+				} else {
+					// If the brokerClassName is the default broker class for the namespace, return the BrokerConfig
+					return nsConfig.BrokerConfig, nil
+				}
+			}
+		} else {
+			// if the brokerClassName is not the default broker class for the namespace, check whether nsconfig's brokerClasses map has the config for this broker class
+			if config, ok := nsConfig.BrokerClasses[brokerClassName]; ok && config != nil {
+				return config, nil
+			}
+		}
 	}
-	return nil, errors.New("Defaults for Broker Configurations have not been set up.")
+
+	// Check cluster default configuration
+	return d.getClusterDefaultBrokerConfig(brokerClassName)
+}
+
+// getBrokerConfigForEmptyClassName returns the BrokerConfig for the given namespace when brokerClassName is empty.
+// It first checks the namespace specific configuration, then the cluster default configuration.
+func (d *Defaults) getBrokerConfigForEmptyClassName(ns string) (*BrokerConfig, error) {
+	// Check if namespace has a default broker class
+	if nsConfig, ok := d.NamespaceDefaultsConfig[ns]; ok && nsConfig != nil {
+		if nsConfig.DefaultBrokerClass != "" {
+			return d.getBrokerConfigByClassName(ns, nsConfig.DefaultBrokerClass)
+		}
+	}
+
+	// Fallback to cluster default configuration
+	return d.getClusterDefaultBrokerConfig("")
+}
+
+// getClusterDefaultBrokerConfig returns the BrokerConfig for the given brokerClassName.
+func (d *Defaults) getClusterDefaultBrokerConfig(brokerClassName string) (*BrokerConfig, error) {
+	if d.ClusterDefaultConfig == nil || d.ClusterDefaultConfig.BrokerConfig == nil {
+		return nil, errors.New("Defaults for Broker Configurations for cluster have not been set up. You can set them via ConfigMap config-br-defaults.")
+	}
+
+	// Check if the brokerClassName is the default broker class for the whole cluster
+	if brokerClassName == "" || d.ClusterDefaultConfig.DefaultBrokerClass == brokerClassName {
+		// If the brokerClassName exists in the BrokerClasses, return the config in the BrokerClasses
+		if config, ok := d.ClusterDefaultConfig.BrokerClasses[brokerClassName]; ok && config != nil {
+			return config, nil
+		} else {
+			// If the brokerClassName is the default broker class for the cluster, return the BrokerConfig
+			return d.ClusterDefaultConfig.BrokerConfig, nil
+		}
+	}
+
+	if config, ok := d.ClusterDefaultConfig.BrokerClasses[brokerClassName]; ok && config != nil {
+		return config, nil
+	}
+
+	return d.ClusterDefaultConfig.BrokerConfig, nil
 }

 // GetBrokerClass returns a namespace specific Broker Class, and if
-// that doesn't exist, return a Cluster Default and if that doesn't exist
+// that doesn't exist, return a Cluster Default and if the defaults doesn't exist
 // return an error.
 func (d *Defaults) GetBrokerClass(ns string) (string, error) {
 	if d == nil {
-		return "", errors.New("Defaults are nil")
+		return "", errors.New("Defaults for Broker Configurations for cluster have not been set up. You can set them via ConfigMap config-br-defaults.")
 	}
-	value, present := d.NamespaceDefaultsConfig[ns]
-	if present && value.BrokerClass != "" {
-		return value.BrokerClass, nil
+
+	// Check if the namespace has a specific configuration
+	if nsConfig, ok := d.NamespaceDefaultsConfig[ns]; ok && nsConfig != nil {
+		if nsConfig.DefaultBrokerClass != "" {
+			return nsConfig.DefaultBrokerClass, nil
+		}
 	}
-	if d.ClusterDefault != nil && d.ClusterDefault.BrokerClass != "" {
-		return d.ClusterDefault.BrokerClass, nil
+
+	// Fallback to cluster default configuration if namespace specific configuration is not set
+	if d.ClusterDefaultConfig != nil && d.ClusterDefaultConfig.DefaultBrokerClass != "" {
+		return d.ClusterDefaultConfig.DefaultBrokerClass, nil
 	}
-	return "", errors.New("Defaults for Broker Configurations have not been set up.")
+
+	// If neither namespace specific nor cluster default broker class is found
+	return "", fmt.Errorf("Neither namespace specific nor cluster default broker class is found for namespace %q, please set them via ConfigMap config-br-defaults", ns)
 }
--- a/pkg/apis/config/defaults_test.go
+++ b/pkg/apis/config/defaults_test.go
--- a/pkg/apis/config/testdata/config-br-defaults.yaml
+++ b/pkg/apis/config/testdata/config-br-defaults.yaml
@ -28,10 +28,10 @@ data:
    ################################
    default-br-config: |
      clusterDefault:
-        brokerClass: MTChannelBasedBroker
+        brokerClass: default-cluster-class
        apiVersion: v1
        kind: ConfigMap
-        name: somename
+        name: config-default-cluster-class
        namespace: knative-eventing
        delivery:
          retry: 3
@ -39,18 +39,53 @@ data:
            ref:
              apiVersion: serving.knative.dev/v1
              kind: Service
-              name: handle-error
+              name: mt-handle-error
              namespace: knative-eventing
          backoffPolicy: exponential
          backoffDelay: 3s
+        brokerClasses:
+          cluster-class-2:
+            delivery:
+              retry: 3
+              deadLetterSink:
+                ref:
+                  apiVersion: serving.knative.dev/v1
+                  kind: Service
+                  name: mt-handle-error
+                  namespace: knative-eventing
+              backoffPolicy: exponential
+              backoffDelay: 3s
+
+            apiVersion: v1
+            kind: ConfigMap
+            name: config-cluster-class-2
+            namespace: knative-eventing
+
+          shared-class:
+            delivery:
+              retry: 3
+              deadLetterSink:
+                ref:
+                  apiVersion: serving.knative.dev/v1
+                  kind: Service
+                  name: kafka-handle-error
+                  namespace: knative-eventing
+              backoffPolicy: exponential
+              backoffDelay: 3s
+
+            apiVersion: v1
+            kind: ConfigMap
+            name: config-shared-class
+            namespace: knative-eventing
+

      namespaceDefaults:
-        some-namespace:
-          brokerClass: someotherbrokerclass
+        namespace-1:
+          brokerClass: namespace-1-class
          apiVersion: v1
          kind: ConfigMap
-          name: someothername
-          namespace: someothernamespace
+          name: config-namespace-1-class
+          namespace: namespace-1
          delivery:
            retry: 5
            deadLetterSink:
@ -58,6 +93,46 @@ data:
                apiVersion: serving.knative.dev/v1
                kind: Service
                name: someother-handle-error
-                namespace: someothernamespace
+                namespace: knative-eventing
            backoffPolicy: linear
            backoffDelay: 5s
+          brokerClasses:
+            namespace-1-class-2:
+              delivery:
+                retry: 3
+                deadLetterSink:
+                  ref:
+                    apiVersion: serving.knative.dev/v1
+                    kind: Service
+                    name: mt-handle-error
+                    namespace: knative-eventing
+                backoffPolicy: exponential
+                backoffDelay: 3s
+
+              apiVersion: v1
+              kind: ConfigMap
+              name: config-namespace-1-class-2
+              namespace: knative-eventing
+
+            shared-class:
+              delivery:
+                retry: 3
+                deadLetterSink:
+                  ref:
+                    apiVersion: serving.knative.dev/v1
+                    kind: Service
+                    name: kafka-handle-error
+                    namespace: knative-eventing
+                backoffPolicy: exponential
+                backoffDelay: 3s
+
+              apiVersion: v1
+              kind: ConfigMap
+              name: config-shared-class-in-namespace-1
+              namespace: knative-eventing
+
+        namespace-2:
+          brokerClass: default-namespace-2-class
+
+
+        namespace-3:
--- a/pkg/apis/config/zz_generated.deepcopy.go
+++ b/pkg/apis/config/zz_generated.deepcopy.go
@ -53,13 +53,28 @@ func (in *BrokerConfig) DeepCopy() *BrokerConfig {
 }

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClassAndBrokerConfig) DeepCopyInto(out *ClassAndBrokerConfig) {
+func (in *DefaultConfig) DeepCopyInto(out *DefaultConfig) {
 	*out = *in
 	if in.BrokerConfig != nil {
 		in, out := &in.BrokerConfig, &out.BrokerConfig
 		*out = new(BrokerConfig)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.BrokerClasses != nil {
+		in, out := &in.BrokerClasses, &out.BrokerClasses
+		*out = make(map[string]*BrokerConfig, len(*in))
+		for key, val := range *in {
+			var outVal *BrokerConfig
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(BrokerConfig)
+				(*in).DeepCopyInto(*out)
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.DisallowDifferentNamespaceConfig != nil {
 		in, out := &in.DisallowDifferentNamespaceConfig, &out.DisallowDifferentNamespaceConfig
 		*out = new(bool)
@ -68,12 +83,12 @@ func (in *ClassAndBrokerConfig) DeepCopyInto(out *ClassAndBrokerConfig) {
 	return
 }

-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClassAndBrokerConfig.
-func (in *ClassAndBrokerConfig) DeepCopy() *ClassAndBrokerConfig {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultConfig.
+func (in *DefaultConfig) DeepCopy() *DefaultConfig {
 	if in == nil {
 		return nil
 	}
-	out := new(ClassAndBrokerConfig)
+	out := new(DefaultConfig)
 	in.DeepCopyInto(out)
 	return out
 }
@ -83,22 +98,22 @@ func (in *Defaults) DeepCopyInto(out *Defaults) {
 	*out = *in
 	if in.NamespaceDefaultsConfig != nil {
 		in, out := &in.NamespaceDefaultsConfig, &out.NamespaceDefaultsConfig
-		*out = make(map[string]*ClassAndBrokerConfig, len(*in))
+		*out = make(map[string]*DefaultConfig, len(*in))
 		for key, val := range *in {
-			var outVal *ClassAndBrokerConfig
+			var outVal *DefaultConfig
 			if val == nil {
 				(*out)[key] = nil
 			} else {
 				in, out := &val, &outVal
-				*out = new(ClassAndBrokerConfig)
+				*out = new(DefaultConfig)
 				(*in).DeepCopyInto(*out)
 			}
 			(*out)[key] = outVal
 		}
 	}
-	if in.ClusterDefault != nil {
-		in, out := &in.ClusterDefault, &out.ClusterDefault
-		*out = new(ClassAndBrokerConfig)
+	if in.ClusterDefaultConfig != nil {
+		in, out := &in.ClusterDefaultConfig, &out.ClusterDefaultConfig
+		*out = new(DefaultConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	return
--- a/pkg/apis/duck/v1/channelable_types.go
+++ b/pkg/apis/duck/v1/channelable_types.go
@ -138,7 +138,7 @@ func (c *Channelable) Populate() {
 }

 // GetFullType implements duck.Implementable
-func (s *Channelable) GetFullType() duck.Populatable {
+func (c *Channelable) GetFullType() duck.Populatable {
 	return &Channelable{}
 }

--- a/pkg/apis/duck/v1beta1/delivery_conversion_test.go
+++ b/pkg/apis/duck/v1beta1/delivery_conversion_test.go
@ -41,8 +41,11 @@ func TestDeliverySpecConversionBadType(t *testing.T) {
 // Test v1beta1 -> v1 -> v1beta1
 func TestDeliverySpecConversion(t *testing.T) {
 	var retryCount int32 = 10
+	//nolint:staticcheck  // ST1023 types can be inferred
 	var backoffPolicy BackoffPolicyType = BackoffPolicyLinear
+	//nolint:staticcheck  // ST1023 types can be inferred
 	var backoffPolicyExp BackoffPolicyType = BackoffPolicyExponential
+	//nolint:staticcheck  // ST1023 types can be inferred
 	var backoffPolicyBad BackoffPolicyType = "garbage"
 	badPolicyString := `unknown BackoffPolicy, got: "garbage"`

@ -118,8 +121,11 @@ func TestDeliverySpecConversion(t *testing.T) {
 // Test v1 -> v1beta1 -> v1
 func TestDeliverySpecConversionV1(t *testing.T) {
 	var retryCount int32 = 10
+	//nolint:staticcheck  // ST1023 types can be inferred
 	var backoffPolicy v1.BackoffPolicyType = v1.BackoffPolicyLinear
+	//nolint:staticcheck  // ST1023 types can be inferred
 	var backoffPolicyExp v1.BackoffPolicyType = v1.BackoffPolicyExponential
+	//nolint:staticcheck  // ST1023 types can be inferred
 	var backoffPolicyBad v1.BackoffPolicyType = "garbage"
 	badPolicyString := `unknown BackoffPolicy, got: "garbage"`

--- a/pkg/apis/eventing/v1/broker_defaults.go
+++ b/pkg/apis/eventing/v1/broker_defaults.go
@ -30,13 +30,18 @@ import (
 func (b *Broker) SetDefaults(ctx context.Context) {
 	// Default Spec fields.
 	withNS := apis.WithinParent(ctx, b.ObjectMeta)
-	b.Spec.SetDefaults(withNS)
+	b.Spec.SetDefaults(withNS, b.Annotations["eventing.knative.dev/broker.class"])
 	eventing.DefaultBrokerClassIfUnset(withNS, &b.ObjectMeta)
 }

-func (bs *BrokerSpec) SetDefaults(ctx context.Context) {
+func (bs *BrokerSpec) SetDefaults(ctx context.Context, brokerClass string) {
 	cfg := config.FromContextOrDefaults(ctx)
-	c, err := cfg.Defaults.GetBrokerConfig(apis.ParentMeta(ctx).Namespace)
+	c, err := cfg.Defaults.GetBrokerConfig(apis.ParentMeta(ctx).Namespace, &brokerClass)
+
+	if bs.Config != nil {
+		c, err = cfg.Defaults.GetBrokerConfig(apis.ParentMeta(ctx).Namespace, &bs.Config.Kind)
+	}
+
 	if err == nil {
 		if bs.Config == nil {
 			bs.Config = c.KReference
@ -49,10 +54,14 @@ func (bs *BrokerSpec) SetDefaults(ctx context.Context) {
 				BackoffDelay:   c.Delivery.BackoffDelay,
 			}
 		}
+
 	}
+
 	// Default the namespace if not given
 	if bs.Config != nil {
 		bs.Config.SetDefaults(ctx)
 	}
+
 	bs.Delivery.SetDefaults(ctx)
+
 }
--- a/pkg/apis/eventing/v1/broker_defaults_test.go
+++ b/pkg/apis/eventing/v1/broker_defaults_test.go
@ -38,8 +38,9 @@ var (
 		Defaults: &config.Defaults{
 			// NamespaceDefaultsConfig are the default Broker Configs for each namespace.
 			// Namespace is the key, the value is the KReference to the config.
-			NamespaceDefaultsConfig: map[string]*config.ClassAndBrokerConfig{
+			NamespaceDefaultsConfig: map[string]*config.DefaultConfig{
 				"mynamespace": {
+					DefaultBrokerClass: "MTChannelBasedBroker",
 					BrokerConfig: &config.BrokerConfig{
 						KReference: &duckv1.KReference{
 							APIVersion: "v1",
@ -61,9 +62,27 @@ var (
 							BackoffDelay:  pointer.String("5s"),
 						},
 					},
+					BrokerClasses: map[string]*config.BrokerConfig{
+						"mynamespaceclass": {
+							KReference: &duckv1.KReference{
+								APIVersion: "v1",
+								Kind:       "ConfigMap",
+								Namespace:  "knative-eventing",
+								Name:       "kafka-channel",
+							},
+						},
+						"mynamespaceclass2": {
+							KReference: &duckv1.KReference{
+								APIVersion: "v1",
+								Kind:       "ConfigMap",
+								Namespace:  "knative-eventing",
+								Name:       "kafka-channel",
+							},
+						},
+					},
 				},
 				"mynamespace2": {
-					BrokerClass: "mynamespace2class",
+					DefaultBrokerClass: "mynamespace2class",
 					BrokerConfig: &config.BrokerConfig{
 						KReference: &duckv1.KReference{
 							APIVersion: "v1",
@ -85,9 +104,19 @@ var (
 							BackoffDelay:  pointer.String("3s"),
 						},
 					},
+					BrokerClasses: map[string]*config.BrokerConfig{
+						"mynamespaceclass": {
+							KReference: &duckv1.KReference{
+								APIVersion: "v1",
+								Kind:       "ConfigMap",
+								Namespace:  "knative-eventing",
+								Name:       "natss-channel",
+							},
+						},
+					},
 				},
 				"mynamespace3": {
-					BrokerClass: "mynamespace3class",
+					DefaultBrokerClass: "mynamespace3class",
 					BrokerConfig: &config.BrokerConfig{
 						KReference: &duckv1.KReference{
 							APIVersion: "v1",
@ -109,9 +138,67 @@ var (
 						},
 					},
 				},
+				"customns": {
+					DefaultBrokerClass: "MTChannelBasedBroker",
+					BrokerConfig: &config.BrokerConfig{
+						KReference: &duckv1.KReference{
+							APIVersion: "v1",
+							Kind:       "ConfigMap",
+							Namespace:  "test-ns",
+							Name:       "test-config",
+						},
+					},
+					BrokerClasses: map[string]*config.BrokerConfig{
+						"mynamespaceclass": {
+							KReference: &duckv1.KReference{
+								APIVersion: "v1",
+								Kind:       "ConfigMap",
+								Namespace:  "knative-eventing",
+								Name:       "kafka-channel",
+							},
+						},
+						"mynamespaceclass2": {
+							KReference: &duckv1.KReference{
+								APIVersion: "v1",
+								Kind:       "ConfigMap",
+								Namespace:  "knative-eventing",
+								Name:       "kafka-channel",
+							},
+						},
+					},
+				},
+				"custom": {
+					DefaultBrokerClass: "test-broker",
+					BrokerConfig: &config.BrokerConfig{
+						KReference: &duckv1.KReference{
+							APIVersion: "v1",
+							Kind:       "ConfigMap",
+							Namespace:  "test-ns",
+							Name:       "test-config",
+						},
+					},
+					BrokerClasses: map[string]*config.BrokerConfig{
+						"mynamespaceclass": {
+							KReference: &duckv1.KReference{
+								APIVersion: "v1",
+								Kind:       "ConfigMap",
+								Namespace:  "knative-eventing",
+								Name:       "kafka-channel",
+							},
+						},
+						"mynamespaceclass2": {
+							KReference: &duckv1.KReference{
+								APIVersion: "v1",
+								Kind:       "ConfigMap",
+								Namespace:  "knative-eventing",
+								Name:       "kafka-channel",
+							},
+						},
+					},
+				},
 			},
-			ClusterDefault: &config.ClassAndBrokerConfig{
-				BrokerClass: eventing.MTChannelBrokerClassValue,
+			ClusterDefaultConfig: &config.DefaultConfig{
+				DefaultBrokerClass: eventing.MTChannelBrokerClassValue,
 				BrokerConfig: &config.BrokerConfig{
 					KReference: &duckv1.KReference{
 						APIVersion: "v1",
@ -133,6 +220,24 @@ var (
 						BackoffDelay:  pointer.String("5s"),
 					},
 				},
+				BrokerClasses: map[string]*config.BrokerConfig{
+					"clusterBrokerClass1": {
+						KReference: &duckv1.KReference{
+							APIVersion: "v1",
+							Kind:       "ConfigMap",
+							Namespace:  "knative-eventing",
+							Name:       "imc-channel-test",
+						},
+					},
+					"MTChannelBasedBroker": {
+						KReference: &duckv1.KReference{
+							APIVersion: "v1",
+							Kind:       "ConfigMap",
+							Namespace:  "knative-eventing",
+							Name:       "imc-channel-in-broker-classes",
+						},
+					},
+				},
 			},
 		},
 	}
@ -408,7 +513,7 @@ func TestBrokerSetDefaults(t *testing.T) {
 		},
 		"missing deadLetterSink.ref.namespace, defaulted": {
 			initial: Broker{
-				ObjectMeta: metav1.ObjectMeta{Name: "broker", Namespace: "custom"},
+				ObjectMeta: metav1.ObjectMeta{Name: "broker", Namespace: "customns"},
 				Spec: BrokerSpec{
 					Config: &duckv1.KReference{
 						Kind:       "ConfigMap",
@ -433,7 +538,7 @@ func TestBrokerSetDefaults(t *testing.T) {
 			expected: Broker{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "broker",
-					Namespace: "custom",
+					Namespace: "customns",
 					Annotations: map[string]string{
 						eventing.BrokerClassKey: "MTChannelBasedBroker",
 					},
@ -449,7 +554,7 @@ func TestBrokerSetDefaults(t *testing.T) {
 						DeadLetterSink: &duckv1.Destination{
 							Ref: &duckv1.KReference{
 								Kind:       "Service",
-								Namespace:  "custom",
+								Namespace:  "customns",
 								Name:       "handle-error",
 								APIVersion: "serving.knative.dev/v1",
 							},
@ -461,6 +566,78 @@ func TestBrokerSetDefaults(t *testing.T) {
 				},
 			},
 		},
+		"try to use the config from the brokerclasses": {
+			initial: Broker{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						eventing.BrokerClassKey: "clusterBrokerClass1",
+					},
+				},
+			},
+			expected: Broker{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "",
+					Annotations: map[string]string{
+						eventing.BrokerClassKey: "clusterBrokerClass1",
+					},
+				},
+				Spec: BrokerSpec{
+					Config: &duckv1.KReference{
+						Kind:       "ConfigMap",
+						Namespace:  "knative-eventing",
+						Name:       "imc-channel-test",
+						APIVersion: "v1",
+					},
+				},
+			},
+		},
+		"if targeted broker class has config exist in both default config and broker classes ": {
+			initial: Broker{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						eventing.BrokerClassKey: "MTChannelBasedBroker",
+					},
+				},
+			},
+			expected: Broker{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "",
+					Annotations: map[string]string{
+						eventing.BrokerClassKey: "MTChannelBasedBroker",
+					},
+				},
+				Spec: BrokerSpec{
+					Config: &duckv1.KReference{
+						Kind:       "ConfigMap",
+						Namespace:  "knative-eventing",
+						Name:       "imc-channel-in-broker-classes",
+						APIVersion: "v1",
+					},
+				},
+			},
+		},
+		"test and validate namespace broker config": {
+			initial: Broker{
+				ObjectMeta: metav1.ObjectMeta{Name: "broker", Namespace: "custom"},
+			},
+			expected: Broker{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "broker",
+					Namespace: "custom",
+					Annotations: map[string]string{
+						eventing.BrokerClassKey: "test-broker",
+					},
+				},
+				Spec: BrokerSpec{
+					Config: &duckv1.KReference{
+						Kind:       "ConfigMap",
+						Namespace:  "test-ns",
+						Name:       "test-config",
+						APIVersion: "v1",
+					},
+				},
+			},
+		},
 	}
 	for n, tc := range testCases {
 		t.Run(n, func(t *testing.T) {
--- a/pkg/apis/eventing/v1/broker_validation.go
+++ b/pkg/apis/eventing/v1/broker_validation.go
@ -33,36 +33,48 @@ const (

 func (b *Broker) Validate(ctx context.Context) *apis.FieldError {
 	ctx = apis.WithinParent(ctx, b.ObjectMeta)
-
 	cfg := config.FromContextOrDefaults(ctx)
-	var brConfig *config.ClassAndBrokerConfig
-	if cfg.Defaults != nil {
-		if c, ok := cfg.Defaults.NamespaceDefaultsConfig[b.GetNamespace()]; ok {
-			brConfig = c
-		} else {
-			brConfig = cfg.Defaults.ClusterDefault
-		}
-	}

-	withNS := ctx
-	if brConfig == nil || brConfig.DisallowDifferentNamespaceConfig == nil || !*brConfig.DisallowDifferentNamespaceConfig {
-		withNS = apis.AllowDifferentNamespace(ctx)
-	}
+	var errs *apis.FieldError
+	withNS := determineNamespaceAllowance(ctx, cfg.Defaults)

 	// Make sure a BrokerClassAnnotation exists
-	var errs *apis.FieldError
 	if bc, ok := b.GetAnnotations()[BrokerClassAnnotationKey]; !ok || bc == "" {
 		errs = errs.Also(apis.ErrMissingField(BrokerClassAnnotationKey))
 	}

+	// Further validation logic
 	errs = errs.Also(b.Spec.Validate(withNS).ViaField("spec"))
 	if apis.IsInUpdate(ctx) {
 		original := apis.GetBaseline(ctx).(*Broker)
 		errs = errs.Also(b.CheckImmutableFields(ctx, original))
 	}
+
 	return errs
 }

+// Determine if the namespace allowance based on the given configuration
+func determineNamespaceAllowance(ctx context.Context, brConfig *config.Defaults) context.Context {
+
+	// If there is no configurations set, allow different namespace by default
+	if brConfig == nil || (brConfig.NamespaceDefaultsConfig == nil && brConfig.ClusterDefaultConfig == nil) {
+		return apis.AllowDifferentNamespace(ctx)
+	}
+	namespace := apis.ParentMeta(ctx).Namespace
+	nsConfig := brConfig.NamespaceDefaultsConfig[namespace]
+
+	// Check if the namespace disallows different namespace first
+	if nsConfig == nil || nsConfig.DisallowDifferentNamespaceConfig == nil || !*nsConfig.DisallowDifferentNamespaceConfig {
+		// If there is no namespace specific configuration or DisallowDifferentNamespaceConfig is false, check the cluster level configuration
+		if brConfig.ClusterDefaultConfig == nil || brConfig.ClusterDefaultConfig.DisallowDifferentNamespaceConfig == nil || !*brConfig.ClusterDefaultConfig.DisallowDifferentNamespaceConfig {
+			// If there is no cluster level configuration or DisallowDifferentNamespaceConfig in cluster level is false, allow different namespace
+			return apis.AllowDifferentNamespace(ctx)
+		}
+	}
+	// If we reach here, it means DisallowDifferentNamespaceConfig is true at either level, no need to explicitly disallow, just return the original context
+	return ctx
+}
+
 func (bs *BrokerSpec) Validate(ctx context.Context) *apis.FieldError {
 	var errs *apis.FieldError

--- a/pkg/apis/eventing/v1/broker_validation_test.go
+++ b/pkg/apis/eventing/v1/broker_validation_test.go
@ -197,7 +197,7 @@ func TestValidate(t *testing.T) {
 		cfg: &config.Config{
 			Defaults: &config.Defaults{
 				NamespaceDefaultsConfig: nil,
-				ClusterDefault: &config.ClassAndBrokerConfig{
+				ClusterDefaultConfig: &config.DefaultConfig{
 					DisallowDifferentNamespaceConfig: pointer.Bool(true),
 				},
 			},
@ -225,7 +225,7 @@ func TestValidate(t *testing.T) {
 		name: "invalid config, cross namespace disallowed, namespace wide",
 		cfg: &config.Config{
 			Defaults: &config.Defaults{
-				NamespaceDefaultsConfig: map[string]*config.ClassAndBrokerConfig{
+				NamespaceDefaultsConfig: map[string]*config.DefaultConfig{
 					"ns1": {DisallowDifferentNamespaceConfig: pointer.Bool(true)},
 				},
 			},
@ -253,7 +253,7 @@ func TestValidate(t *testing.T) {
 		name: "valid config, cross namespace allowed, namespace wide",
 		cfg: &config.Config{
 			Defaults: &config.Defaults{
-				NamespaceDefaultsConfig: map[string]*config.ClassAndBrokerConfig{
+				NamespaceDefaultsConfig: map[string]*config.DefaultConfig{
 					"ns1": {DisallowDifferentNamespaceConfig: pointer.Bool(true)},
 				},
 			},
--- a/pkg/apis/eventing/v1/roundtrip_test.go
+++ b/pkg/apis/eventing/v1/roundtrip_test.go
@ -19,8 +19,8 @@ package v1
 import (
 	"testing"

-	fuzz "github.com/google/gofuzz"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"sigs.k8s.io/randfill"

 	"k8s.io/apimachinery/pkg/api/apitesting/fuzzer"
 	"k8s.io/apimachinery/pkg/runtime"
@ -36,8 +36,8 @@ import (
 var FuzzerFuncs = fuzzer.MergeFuzzerFuncs(
 	func(codecs serializer.CodecFactory) []interface{} {
 		return []interface{}{
-			func(s *TriggerStatus, c fuzz.Continue) {
-				c.FuzzNoCustom(s) // fuzz the status object
+			func(s *TriggerStatus, c randfill.Continue) {
+				c.FillNoCustom(s) // fuzz the status object

 				// Clear the random fuzzed condition
 				s.Status.SetConditions(nil)
@ -46,8 +46,8 @@ var FuzzerFuncs = fuzzer.MergeFuzzerFuncs(
 				s.InitializeConditions()
 				pkgfuzzer.FuzzConditions(&s.Status, c)
 			},
-			func(s *BrokerStatus, c fuzz.Continue) {
-				c.FuzzNoCustom(s) // fuzz the status object
+			func(s *BrokerStatus, c randfill.Continue) {
+				c.FillNoCustom(s) // fuzz the status object

 				// Clear the random fuzzed condition
 				s.Status.SetConditions(nil)
--- a/pkg/apis/eventing/v1alpha1/eventpolicy_defaults.go
+++ b/pkg/apis/eventing/v1alpha1/eventpolicy_defaults.go
@ -28,4 +28,14 @@ func (ep *EventPolicy) SetDefaults(ctx context.Context) {
 }

 func (ets *EventPolicySpec) SetDefaults(ctx context.Context) {
+	for i := range ets.From {
+		ets.From[i].SetDefaults(ctx)
+	}
+}
+
+func (from *EventPolicySpecFrom) SetDefaults(ctx context.Context) {
+	if from.Ref != nil && from.Ref.Namespace == "" {
+		// default to event policies namespace
+		from.Ref.Namespace = apis.ParentMeta(ctx).Namespace
+	}
 }
--- a/pkg/apis/eventing/v1alpha1/eventpolicy_defaults_test.go
+++ b/pkg/apis/eventing/v1alpha1/eventpolicy_defaults_test.go
@ -20,6 +20,8 @@ import (
 	"context"
 	"testing"

+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	"github.com/google/go-cmp/cmp"
 )

@ -32,6 +34,36 @@ func TestEventPolicyDefaults(t *testing.T) {
 			initial:  EventPolicy{},
 			expected: EventPolicy{},
 		},
+		"default .spec.from[].namespace": {
+			initial: EventPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "my-ns",
+				},
+				Spec: EventPolicySpec{
+					From: []EventPolicySpecFrom{
+						{
+							Ref: &EventPolicyFromReference{
+								Namespace: "",
+							},
+						},
+					},
+				},
+			},
+			expected: EventPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "my-ns",
+				},
+				Spec: EventPolicySpec{
+					From: []EventPolicySpecFrom{
+						{
+							Ref: &EventPolicyFromReference{
+								Namespace: "my-ns",
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 	for n, tc := range testCases {
 		t.Run(n, func(t *testing.T) {
--- a/pkg/apis/eventing/v1alpha1/eventpolicy_types.go
+++ b/pkg/apis/eventing/v1alpha1/eventpolicy_types.go
@ -20,9 +20,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+
 	"knative.dev/pkg/apis"
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/kmeta"
+
+	eventingv1 "knative.dev/eventing/pkg/apis/eventing/v1"
 )

 // +genclient
@ -71,6 +74,14 @@ type EventPolicySpec struct {

 	// From is the list of sources or oidc identities, which are allowed to send events to the targets (.spec.to).
 	From []EventPolicySpecFrom `json:"from,omitempty"`
+
+	// Filters is the list of SubscriptoinsApi filters which determine whether or not the event is accepted.
+	// It is an array of filter expressions that evaluate to true or false.
+	// If any filter expression in the array evaluates to false, the event will not
+	// pass the target resource's ingress. Absence of any filters implies that the filters
+	// always evaluate to true.
+	// +optional
+	Filters []eventingv1.SubscriptionsAPIFilter `json:"filters,omitempty"`
 }

 type EventPolicySpecTo struct {
--- a/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go
+++ b/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go
@ -20,6 +20,7 @@ import (
 	"context"
 	"strings"

+	eventingv1 "knative.dev/eventing/pkg/apis/eventing/v1"
 	"knative.dev/eventing/pkg/apis/feature"
 	"knative.dev/pkg/apis"
 )
@ -60,6 +61,8 @@ func (ets *EventPolicySpec) Validate(ctx context.Context) *apis.FieldError {
 		}
 	}

+	err = err.Also(eventingv1.ValidateSubscriptionAPIFiltersList(ctx, ets.Filters).ViaField("filters"))
+
 	return err
 }

--- a/pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go
+++ b/pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go
@ -21,6 +21,7 @@ import (
 	"testing"

 	"github.com/google/go-cmp/cmp"
+	eventingv1 "knative.dev/eventing/pkg/apis/eventing/v1"
 	"knative.dev/eventing/pkg/apis/feature"
 	"knative.dev/pkg/apis"
 	"knative.dev/pkg/ptr"
@ -294,6 +295,45 @@ func TestEventPolicySpecValidationWithOIDCAuthenticationFeatureFlagEnabled(t *te
 				return nil
 			}(),
 		},
+		{
+			name: "valid, from.sub exactly '*', valid filters",
+			ep: &EventPolicy{
+				Spec: EventPolicySpec{
+					From: []EventPolicySpecFrom{{
+						Sub: ptr.String("*"),
+					}},
+					Filters: []eventingv1.SubscriptionsAPIFilter{
+						{
+							Prefix: map[string]string{"type": "example"},
+						},
+					},
+				},
+			},
+			want: func() *apis.FieldError {
+				return nil
+			}(),
+		},
+		{
+			name: "invalid, from.sub exactly '*', invalid cesql filter",
+			ep: &EventPolicy{
+				Spec: EventPolicySpec{
+					From: []EventPolicySpecFrom{{
+						Sub: ptr.String("*"),
+					}},
+					Filters: []eventingv1.SubscriptionsAPIFilter{
+						{
+							CESQL: "type LIKE id",
+						},
+					},
+				},
+			},
+			want: func() *apis.FieldError {
+
+				return apis.ErrInvalidValue("type LIKE id", "cesql", "parse error: syntax error: |failed to parse LIKE expression: the pattern was not a string literal").
+					ViaFieldIndex("filters", 0).
+					ViaField("spec")
+			}(),
+		},
 	}

 	for _, test := range tests {
--- a/pkg/apis/eventing/v1alpha1/eventtransform_defaults.go
+++ b/pkg/apis/eventing/v1alpha1/eventtransform_defaults.go
@ -0,0 +1,24 @@
+/*
+Copyright 2025 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"context"
+)
+
+func (t *EventTransform) SetDefaults(_ context.Context) {
+}
--- a/pkg/apis/eventing/v1alpha1/eventtransform_lifecycle.go
+++ b/pkg/apis/eventing/v1alpha1/eventtransform_lifecycle.go
@ -0,0 +1,213 @@
+/*
+Copyright 2025 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+	appsv1 "k8s.io/api/apps/v1"
+	"knative.dev/pkg/apis"
+	duckv1 "knative.dev/pkg/apis/duck/v1"
+
+	sourcesv1 "knative.dev/eventing/pkg/apis/sources/v1"
+)
+
+const (
+	TransformConditionAddressable apis.ConditionType = "Addressable"
+	TransformationConditionReady  apis.ConditionType = "TransformationReady"
+
+	TransformationAddressableEmptyURL                   string = "NoURL"
+	TransformationAddressableWaitingForServiceEndpoints string = "WaitingForServiceEndpoints"
+
+	// Specific transformations conditions
+
+	// TransformationJsonataDeploymentReady is the condition to indicate that the Jsonata deployment
+	// is ready.
+	TransformationJsonataDeploymentReady       apis.ConditionType = "JsonataDeploymentReady"
+	TransformationJsonataDeploymentUnavailable string             = "JsonataDeploymentUnavailable"
+	TransformationJsonataCertificateNotReady   string             = "JsonataCertificateNotReady"
+	// TransformationJsonataSinkBindingReady is the condition to indicate that the Jsonata sink
+	// binding is ready.
+	TransformationJsonataSinkBindingReady apis.ConditionType = "JsonataSinkBindingReady"
+)
+
+var TransformCondSet = apis.NewLivingConditionSet(
+	TransformationConditionReady,
+	TransformConditionAddressable,
+)
+
+// transformJsonataConditionSet is the subset of conditions for the Jsonata transformation
+// The overall readiness of those conditions will be propagated to the top-level
+// TransformationConditionReady condition.
+var transformJsonataConditionSet = apis.NewLivingConditionSet(
+	TransformationJsonataDeploymentReady,
+	TransformationJsonataSinkBindingReady,
+)
+
+// GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.
+func (et *EventTransform) GetConditionSet() apis.ConditionSet {
+	if et == nil {
+		return TransformCondSet
+	}
+	return et.Status.GetConditionSet()
+}
+
+func (*EventTransformStatus) GetConditionSet() apis.ConditionSet {
+	return TransformCondSet
+}
+
+// GetCondition returns the condition cutsently associated with the given type, or nil.
+func (ts *EventTransformStatus) GetCondition(t apis.ConditionType) *apis.Condition {
+	return ts.GetConditionSet().Manage(ts).GetCondition(t)
+}
+
+// IsReady returns true if the resource is ready overall.
+func (ts *EventTransformStatus) IsReady() bool {
+	return ts.GetTopLevelCondition().IsTrue()
+}
+
+// GetTopLevelCondition returns the top level Condition.
+func (ts *EventTransformStatus) GetTopLevelCondition() *apis.Condition {
+	return ts.GetConditionSet().Manage(ts).GetTopLevelCondition()
+}
+
+// InitializeConditions sets relevant unset conditions to Unknown state.
+func (ts *EventTransformStatus) InitializeConditions() {
+	ts.GetConditionSet().Manage(ts).InitializeConditions()
+}
+
+func (ts *EventTransformStatus) PropagateJsonataDeploymentStatus(ds appsv1.DeploymentStatus) bool {
+	defer ts.propagateTransformJsonataReadiness()
+	if ts.JsonataTransformationStatus == nil {
+		ts.JsonataTransformationStatus = &JsonataEventTransformationStatus{}
+	}
+	ts.JsonataTransformationStatus.Deployment = ds
+	if ds.Replicas > 0 && ds.Replicas == ds.AvailableReplicas {
+		transformJsonataConditionSet.Manage(ts).MarkTrue(TransformationJsonataDeploymentReady)
+		return true
+	}
+	transformJsonataConditionSet.Manage(ts).MarkFalse(TransformationJsonataDeploymentReady, TransformationJsonataDeploymentUnavailable, "Expected replicas: %d, available: %d", ds.Replicas, ds.AvailableReplicas)
+	return false
+}
+
+func (ts *EventTransformStatus) PropagateJsonataCertificateStatus(cs cmv1.CertificateStatus) bool {
+	defer ts.propagateTransformJsonataReadiness()
+	var topLevel *cmv1.CertificateCondition
+	for _, cond := range cs.Conditions {
+		if cond.Type == cmv1.CertificateConditionReady {
+			topLevel = &cond
+			break
+		}
+	}
+	if topLevel == nil {
+		transformJsonataConditionSet.Manage(ts).MarkUnknown(TransformationJsonataDeploymentReady, TransformationJsonataCertificateNotReady, "Certificate is progressing")
+		return false
+	}
+	if topLevel.Status == cmmeta.ConditionUnknown {
+		transformJsonataConditionSet.Manage(ts).MarkUnknown(TransformationJsonataDeploymentReady, TransformationJsonataCertificateNotReady, "Certificate is progressing, "+topLevel.Reason+" Message: "+topLevel.Message)
+		return false
+	}
+	if topLevel.Status == cmmeta.ConditionFalse {
+		transformJsonataConditionSet.Manage(ts).MarkFalse(TransformationJsonataDeploymentReady, TransformationJsonataCertificateNotReady, "Certificate is not ready, "+topLevel.Reason+" Message: "+topLevel.Message)
+		return false
+	}
+	return true
+}
+
+func (ts *EventTransformStatus) PropagateJsonataSinkBindingUnset() {
+	defer ts.propagateTransformJsonataReadiness()
+	transformJsonataConditionSet.Manage(ts).MarkTrue(TransformationJsonataSinkBindingReady)
+}
+
+func (ts *EventTransformStatus) PropagateJsonataSinkBindingStatus(sbs sourcesv1.SinkBindingStatus) bool {
+	defer ts.propagateTransformJsonataReadiness()
+	if ts.JsonataTransformationStatus == nil {
+		ts.JsonataTransformationStatus = &JsonataEventTransformationStatus{}
+	}
+	ts.SourceStatus.SinkURI = sbs.SinkURI
+	ts.SourceStatus.SinkAudience = sbs.SinkAudience
+	ts.SourceStatus.SinkCACerts = sbs.SinkCACerts
+	ts.SourceStatus.Auth = sbs.Auth
+
+	topLevel := sbs.GetCondition(apis.ConditionReady)
+	if topLevel == nil {
+		transformJsonataConditionSet.Manage(ts).MarkUnknown(TransformationJsonataSinkBindingReady, "", "")
+		return false
+	}
+	if topLevel.IsTrue() {
+		transformJsonataConditionSet.Manage(ts).MarkTrue(TransformationJsonataSinkBindingReady)
+		return true
+	}
+	if topLevel.IsFalse() {
+		transformJsonataConditionSet.Manage(ts).MarkFalse(TransformationJsonataSinkBindingReady, topLevel.Reason, topLevel.Message)
+		return false
+	}
+	transformJsonataConditionSet.Manage(ts).MarkUnknown(TransformationJsonataSinkBindingReady, topLevel.Reason, topLevel.Message)
+	return false
+}
+
+func (ts *EventTransformStatus) propagateTransformJsonataReadiness() {
+	ts.markTransformReady(transformJsonataConditionSet)
+}
+
+func (ts *EventTransformStatus) markTransformReady(set apis.ConditionSet) {
+	dCond := set.Manage(ts).GetCondition(TransformationJsonataDeploymentReady)
+	sbCond := set.Manage(ts).GetCondition(TransformationJsonataSinkBindingReady)
+	if !dCond.IsTrue() {
+		ts.propagateTransformationConditionStatus(dCond)
+		return
+	}
+	if !sbCond.IsTrue() {
+		ts.propagateTransformationConditionStatus(sbCond)
+		return
+	}
+	ts.propagateTransformationConditionStatus(sbCond)
+	ts.propagateTransformationConditionStatus(dCond)
+}
+
+func (ts *EventTransformStatus) propagateTransformationConditionStatus(cond *apis.Condition) {
+	if cond == nil {
+		ts.GetConditionSet().Manage(ts).MarkUnknown(TransformationConditionReady, "", "")
+	} else if cond.IsTrue() {
+		ts.GetConditionSet().Manage(ts).MarkTrue(TransformationConditionReady)
+	} else if cond.IsFalse() {
+		ts.GetConditionSet().Manage(ts).MarkFalse(TransformationConditionReady, cond.Reason, cond.Message)
+	} else {
+		ts.GetConditionSet().Manage(ts).MarkUnknown(TransformationConditionReady, cond.Reason, cond.Message)
+	}
+}
+
+func (ts *EventTransformStatus) MarkWaitingForServiceEndpoints() {
+	ts.GetConditionSet().Manage(ts).MarkFalse(TransformConditionAddressable, TransformationAddressableWaitingForServiceEndpoints, "URL is empty")
+}
+
+func (ts *EventTransformStatus) IsTransformationReady() bool {
+	return ts.GetConditionSet().Manage(ts).GetCondition(TransformationConditionReady).IsTrue()
+}
+
+func (ts *EventTransformStatus) SetAddresses(addresses ...duckv1.Addressable) {
+	if len(addresses) == 0 || addresses[0].URL.IsEmpty() {
+		ts.GetConditionSet().Manage(ts).MarkFalse(TransformConditionAddressable, TransformationAddressableEmptyURL, "URL is empty")
+		return
+	}
+
+	ts.AddressStatus = duckv1.AddressStatus{
+		Address:   &addresses[0],
+		Addresses: addresses,
+	}
+	ts.GetConditionSet().Manage(ts).MarkTrue(TransformConditionAddressable)
+}
--- a/pkg/apis/eventing/v1alpha1/eventtransform_lifecycle_test.go
+++ b/pkg/apis/eventing/v1alpha1/eventtransform_lifecycle_test.go
@ -0,0 +1,104 @@
+/*
+Copyright 2025 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"knative.dev/pkg/apis"
+	duckv1 "knative.dev/pkg/apis/duck/v1"
+)
+
+func TestFullLifecycle(t *testing.T) {
+
+	et := &EventTransform{
+		TypeMeta:   metav1.TypeMeta{},
+		ObjectMeta: metav1.ObjectMeta{},
+		Spec: EventTransformSpec{
+			Sink: nil,
+			EventTransformations: EventTransformations{
+				Jsonata: &JsonataEventTransformationSpec{
+					Expression: `
+    {
+        "specversion": "1.0",
+        "id": id,
+        "type": "transformed-event",
+        "source": source,
+        "reason": data.reason,
+        "message": data.message,
+        "data": $
+    }
+`,
+				},
+			},
+		},
+	}
+	et.Status.InitializeConditions()
+
+	topLevel := et.Status.GetCondition(apis.ConditionReady)
+	transformation := et.Status.GetCondition(TransformationConditionReady)
+	addressable := et.Status.GetCondition(TransformConditionAddressable)
+
+	assert.Equal(t, corev1.ConditionUnknown, topLevel.Status)
+	assert.Equal(t, corev1.ConditionUnknown, transformation.Status)
+	assert.Equal(t, corev1.ConditionUnknown, addressable.Status)
+	assert.Len(t, et.Status.Conditions, 3)
+	assert.Equal(t, false, et.Status.IsReady())
+
+	ds := appsv1.DeploymentStatus{
+		ObservedGeneration:  202,
+		Replicas:            1,
+		UpdatedReplicas:     1,
+		ReadyReplicas:       1,
+		AvailableReplicas:   1,
+		UnavailableReplicas: 0,
+	}
+	et.Status.PropagateJsonataDeploymentStatus(ds)
+
+	deploymentCondition := et.Status.GetCondition(TransformationJsonataDeploymentReady)
+	assert.Equal(t, corev1.ConditionTrue, deploymentCondition.Status)
+	assert.Len(t, et.Status.Conditions, 4)
+	assert.Equal(t, false, et.Status.IsReady())
+
+	transformationCondition := et.Status.GetCondition(TransformationConditionReady)
+	assert.Equal(t, corev1.ConditionUnknown, transformationCondition.Status, et)
+	assert.Len(t, et.Status.Conditions, 4)
+	assert.Equal(t, false, et.Status.IsReady())
+
+	et.Status.PropagateJsonataSinkBindingUnset()
+
+	transformationCondition = et.Status.GetCondition(TransformationConditionReady)
+	assert.Equal(t, corev1.ConditionTrue, transformationCondition.Status, et)
+	assert.Len(t, et.Status.Conditions, 5)
+	assert.Equal(t, false, et.Status.IsReady())
+
+	et.Status.SetAddresses(duckv1.Addressable{URL: apis.HTTPS("example.com")})
+	addrCondition := et.Status.GetCondition(TransformConditionAddressable)
+	assert.Equal(t, corev1.ConditionTrue, addrCondition.Status, et)
+	assert.Len(t, et.Status.Conditions, 5)
+
+	assert.Equal(t, true, et.Status.IsReady())
+
+	// All conditions are ready
+	for _, c := range et.Status.Conditions {
+		assert.Equal(t, true, c.IsTrue(), "Unexpected condition status %#v, expected True", c)
+	}
+}
--- a/pkg/apis/eventing/v1alpha1/eventtransform_types.go
+++ b/pkg/apis/eventing/v1alpha1/eventtransform_types.go
@ -0,0 +1,165 @@
+/*
+Copyright 2025 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	appsv1 "k8s.io/api/apps/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"knative.dev/pkg/apis"
+	duckv1 "knative.dev/pkg/apis/duck/v1"
+	"knative.dev/pkg/kmeta"
+)
+
+// +genclient
+// +genreconciler
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// EventTransform represents an even transformation.
+type EventTransform struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec defines the desired state of the EventTransform.
+	Spec EventTransformSpec `json:"spec,omitempty"`
+
+	// Status represents the current state of the EventTransform.
+	// This data may be out of date.
+	// +optional
+	Status EventTransformStatus `json:"status,omitempty"`
+}
+
+var (
+	// Check that EventTransform can be validated, can be defaulted, and has immutable fields.
+	_ apis.Validatable = (*EventTransform)(nil)
+	_ apis.Defaultable = (*EventTransform)(nil)
+
+	// Check that EventTransform can return its spec untyped.
+	_ apis.HasSpec = (*EventTransform)(nil)
+
+	_ runtime.Object = (*EventTransform)(nil)
+
+	// Check that we can create OwnerReferences to an EventTransform.
+	_ kmeta.OwnerRefable = (*EventTransform)(nil)
+
+	// Check that the type conforms to the duck Knative Resource shape.
+	_ duckv1.KRShaped = (*EventTransform)(nil)
+)
+
+type EventTransformSpec struct {
+
+	// Sink is a reference to an object that will resolve to a uri to use as the sink.
+	//
+	// If not present, the transformation will send back the transformed event as response, this
+	// is useful to leverage the built-in Broker reply feature to re-publish a transformed event
+	// back to the broker.
+	//
+	// +optional
+	Sink *duckv1.Destination `json:"sink,omitempty"`
+
+	// Reply is the configuration on how to handle responses from Sink.
+	// It can only be set if Sink is set.
+	//
+	// +optional
+	Reply *ReplySpec `json:"reply,omitempty"`
+
+	// EventTransformations contain all possible transformations, only one "type" can be used.
+	EventTransformations `json:",inline"`
+}
+
+// ReplySpec is the configurations on how to handle responses from Sink.
+type ReplySpec struct {
+	// EventTransformations for replies from the Sink, contain all possible transformations,
+	// only one "type" can be used.
+	//
+	// The used type must match the top-level transformation, if you need to mix transformation types,
+	// use compositions and chain transformations together to achieve your desired outcome.
+	EventTransformations `json:",inline"`
+
+	// Discard discards responses from Sink and return empty response body.
+	//
+	// When set to false, it returns the exact sink response body.
+	// When set to true, Discard is mutually exclusive with EventTransformations in the reply
+	// section, it can either be discarded or transformed.
+	//
+	// Default: false.
+	//
+	// +optional
+	Discard *bool `json:"discard,omitempty"`
+}
+
+type EventTransformations struct {
+	Jsonata *JsonataEventTransformationSpec `json:"jsonata,omitempty"`
+}
+
+type JsonataEventTransformationSpec struct {
+	// Expression is the JSONata expression.
+	Expression string `json:"expression,omitempty"`
+}
+
+// EventTransformStatus represents the current state of a EventTransform.
+type EventTransformStatus struct {
+	// SourceStatus inherits duck/v1 SourceStatus, which currently provides:
+	// * ObservedGeneration - the 'Generation' of the Service that was last
+	//   processed by the controller.
+	// * Conditions - the latest available observations of a resource's current
+	//   state.
+	// * SinkURI - the current active sink URI that has been configured for the
+	//   Source.
+	duckv1.SourceStatus `json:",inline"`
+
+	// AddressStatus is the part where the EventTransform fulfills the Addressable contract.
+	// It exposes the endpoint as an URI to get events delivered.
+	// +optional
+	duckv1.AddressStatus `json:",inline"`
+
+	// JsonataTransformationStatus is the status associated with JsonataEventTransformationSpec.
+	// +optional
+	JsonataTransformationStatus *JsonataEventTransformationStatus `json:"jsonata,omitempty"`
+}
+
+type JsonataEventTransformationStatus struct {
+	Deployment appsv1.DeploymentStatus `json:"deployment,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// EventTransformList is a collection of EventTransform.
+type EventTransformList struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []EventTransform `json:"items"`
+}
+
+// GetGroupVersionKind returns GroupVersionKind for EventTransform
+func (ep *EventTransform) GetGroupVersionKind() schema.GroupVersionKind {
+	return SchemeGroupVersion.WithKind("EventTransform")
+}
+
+// GetUntypedSpec returns the spec of the EventTransform.
+func (ep *EventTransform) GetUntypedSpec() interface{} {
+	return ep.Spec
+}
+
+// GetStatus retrieves the status of the EventTransform. Implements the KRShaped interface.
+func (ep *EventTransform) GetStatus() *duckv1.Status {
+	return &ep.Status.Status
+}
--- a/pkg/apis/eventing/v1alpha1/eventtransform_validation.go
+++ b/pkg/apis/eventing/v1alpha1/eventtransform_validation.go
@ -0,0 +1,164 @@
+/*
+Copyright 2025 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	"knative.dev/pkg/apis"
+)
+
+func (t *EventTransform) Validate(ctx context.Context) *apis.FieldError {
+	ctx = apis.WithinParent(ctx, t.ObjectMeta)
+	return t.Spec.Validate(ctx).ViaField("spec")
+}
+
+var possibleTransformations = []string{"jsonata"}
+
+func (ts *EventTransformSpec) Validate(ctx context.Context) *apis.FieldError {
+	errs := ts.EventTransformations.Validate(ctx /* allowEmpty */, false)
+	errs = errs.Also(ts.Sink.Validate(ctx).ViaField("sink"))
+	errs = errs.Also(disallowSinkCaCerts(ts).ViaField("sink"))
+	errs = errs.Also(ts.Reply.Validate(ctx, ts).ViaField("reply"))
+
+	if apis.IsInUpdate(ctx) {
+		original := apis.GetBaseline(ctx).(*EventTransform)
+		errs = errs.Also(ts.CheckImmutableFields(ctx, original))
+	}
+
+	return errs
+}
+
+func (ets EventTransformations) Validate(ctx context.Context, allowEmpty bool) *apis.FieldError {
+	var errs *apis.FieldError
+
+	// Only one type of transformation is allowed.
+	// These are transformations field paths.
+	transformations := ets.transformations()
+
+	if len(transformations) == 0 && !allowEmpty {
+		errs = apis.ErrMissingOneOf(possibleTransformations...)
+	} else if len(transformations) > 1 {
+		errs = apis.ErrMultipleOneOf(transformations...)
+	}
+
+	errs = errs.Also(ets.Jsonata.Validate(ctx).ViaField("jsonata"))
+
+	return errs
+}
+
+func (ets EventTransformations) transformations() []string {
+	// Only one type of transformation is allowed.
+	// These are transformations field paths.
+	transformations := make([]string, 0, 2)
+
+	if ets.Jsonata != nil {
+		transformations = append(transformations, "jsonata")
+	}
+	return transformations
+}
+
+func (rs *ReplySpec) Validate(ctx context.Context, ts *EventTransformSpec) *apis.FieldError {
+	if rs == nil {
+		return nil
+	}
+	if ts.Sink == nil {
+		return apis.ErrGeneric(
+			"reply is set without spec.sink",
+			"",
+		)
+	}
+
+	errs := rs.EventTransformations.Validate(ctx /* allowEmpty */, true)
+
+	baseTransformationsSet := sets.New(ts.EventTransformations.transformations()...)
+	replyTransformationsSet := sets.New(rs.EventTransformations.transformations()...)
+	transformationsIntersection := baseTransformationsSet.Intersection(replyTransformationsSet)
+
+	replyTransformations := rs.EventTransformations.transformations()
+
+	if rs.Discard != nil && *rs.Discard {
+		replyTransformations = append(replyTransformations, "discard")
+	}
+	if len(replyTransformations) > 1 {
+		errs = apis.ErrMultipleOneOf(replyTransformations...)
+	} else if replyTransformationsSet.Len() > 0 &&
+		baseTransformationsSet.Len() > 0 &&
+		transformationsIntersection.Len() != 1 {
+		errs = apis.ErrGeneric(
+			fmt.Sprintf(
+				"Reply transformation type must match the transformation type in the top-level spec. Top-level transformations: %#v, reply transformations: %#v",
+				strings.Join(baseTransformationsSet.UnsortedList(), ", "),
+				strings.Join(replyTransformationsSet.UnsortedList(), ", "),
+			),
+			replyTransformationsSet.UnsortedList()...,
+		)
+	}
+
+	return errs
+}
+
+func (js *JsonataEventTransformationSpec) Validate(context.Context) *apis.FieldError {
+	// Jsonata parsers for Go are not maintained, therefore, we will not parse the expression here.
+	// The downside is that the errors will only be present in the status of the EventTransform resource.
+	// We can reconsider this in the future and improve.
+	return nil
+}
+
+func disallowSinkCaCerts(ts *EventTransformSpec) *apis.FieldError {
+	sink := ts.Sink
+	if sink == nil || sink.CACerts == nil || ts.Jsonata == nil {
+		return nil
+	}
+	return &apis.FieldError{
+		Message: "CACerts for the sink is not supported for JSONata transformations, to propagate CA trust bundles use labeled ConfigMaps: " +
+			"https://knative.dev/docs/eventing/features/transport-encryption/#configure-additional-ca-trust-bundles",
+		Paths: []string{"CACerts"},
+	}
+}
+
+func (in *EventTransformSpec) CheckImmutableFields(ctx context.Context, original *EventTransform) *apis.FieldError {
+	if original == nil {
+		return nil
+	}
+
+	errs := in.EventTransformations.CheckImmutableFields(ctx, original.Spec.EventTransformations)
+	errs = errs.Also(in.Reply.CheckImmutableFields(ctx, original.Spec.Reply).ViaField("reply"))
+	return errs
+}
+
+func (ets EventTransformations) CheckImmutableFields(ctx context.Context, original EventTransformations) *apis.FieldError {
+	var errs *apis.FieldError
+
+	const suggestion = "Suggestion: create a new transformation, migrate services to the new one, and delete this transformation."
+
+	if ets.Jsonata != nil && original.Jsonata == nil {
+		errs = apis.ErrGeneric("Transformations types are immutable, jsonata transformation cannot be changed to a different transformation type. " + suggestion).ViaField("jsonata")
+	} else if original.Jsonata != nil && ets.Jsonata == nil {
+		errs = apis.ErrGeneric("Transformations types are immutable, transformation type cannot be changed to a jsonata transformation. " + suggestion).ViaField("jsonata")
+	}
+
+	return errs
+}
+
+func (rs *ReplySpec) CheckImmutableFields(_ context.Context, _ *ReplySpec) *apis.FieldError {
+	// ReplySpec is fully mutable.
+	return nil
+}
--- a/pkg/apis/eventing/v1alpha1/eventtransform_validation_test.go
+++ b/pkg/apis/eventing/v1alpha1/eventtransform_validation_test.go
@ -0,0 +1,394 @@
+/*
+Copyright 2025 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	eventing "knative.dev/eventing/pkg/apis/eventing/v1alpha1"
+	"knative.dev/eventing/pkg/eventingtls/eventingtlstesting"
+	"knative.dev/pkg/apis"
+	duckv1 "knative.dev/pkg/apis/duck/v1"
+	"knative.dev/pkg/ptr"
+	"knative.dev/pkg/webhook/json"
+)
+
+func TestJSONDecode(t *testing.T) {
+
+	et := &eventing.EventTransform{}
+
+	err := json.Decode([]byte(`
+{
+  "apiVersion": "eventing.knative.dev/v1alpha1",
+  "kind": "EventTransform",
+  "metadata": {
+    "name": "identity"
+  },
+  "spec": {
+    "jsonata": {
+      "expression": "{\n  \"specversion\": \"1.0\",\n  \"id\": id,\n  \"type\": \"transformation.jsonata\",\n  \"source\": \"transformation.json.identity\",\n  \"data\": $\n}\n"
+    }
+  }
+}
+`), et, true)
+
+	assert.Nil(t, err)
+}
+
+var sink = &duckv1.Destination{
+	URI: apis.HTTP("example.com"),
+}
+
+func TestEventTransform_Validate(t *testing.T) {
+	tests := []struct {
+		name string
+		in   eventing.EventTransform
+		ctx  context.Context
+		want *apis.FieldError
+	}{
+		{
+			name: "empty",
+			in: eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec:   eventing.EventTransformSpec{},
+				Status: eventing.EventTransformStatus{},
+			},
+			ctx:  context.Background(),
+			want: apis.ErrMissingOneOf("jsonata").ViaField("spec"),
+		},
+		{
+			name: "jsonata valid",
+			in: eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec: eventing.EventTransformSpec{
+					EventTransformations: eventing.EventTransformations{
+						Jsonata: &eventing.JsonataEventTransformationSpec{
+							Expression: `{ "specversion": "1.0" }`,
+						},
+					},
+				},
+			},
+			ctx:  context.Background(),
+			want: nil,
+		},
+		{
+			name: "jsonata with reply valid",
+			in: eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec: eventing.EventTransformSpec{
+					Sink: sink,
+					EventTransformations: eventing.EventTransformations{
+						Jsonata: &eventing.JsonataEventTransformationSpec{
+							Expression: `{ "specversion": "1.0" }`,
+						},
+					},
+					Reply: &eventing.ReplySpec{
+						EventTransformations: eventing.EventTransformations{
+							Jsonata: &eventing.JsonataEventTransformationSpec{
+								Expression: `{ "specversion": "1.0" }`,
+							},
+						},
+					},
+				},
+				Status: eventing.EventTransformStatus{},
+			},
+			ctx:  context.Background(),
+			want: nil,
+		},
+		{
+			name: "jsonata with reply discard valid",
+			in: eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec: eventing.EventTransformSpec{
+					Sink: sink,
+					EventTransformations: eventing.EventTransformations{
+						Jsonata: &eventing.JsonataEventTransformationSpec{
+							Expression: `{ "specversion": "1.0" }`,
+						},
+					},
+					Reply: &eventing.ReplySpec{
+						Discard: ptr.Bool(true),
+					},
+				},
+				Status: eventing.EventTransformStatus{},
+			},
+			ctx:  context.Background(),
+			want: nil,
+		},
+		{
+			name: "jsonata with reply, jsonata reply transformations and discard = true, invalid",
+			in: eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec: eventing.EventTransformSpec{
+					Sink: sink,
+					EventTransformations: eventing.EventTransformations{
+						Jsonata: &eventing.JsonataEventTransformationSpec{
+							Expression: `{ "specversion": "1.0" }`,
+						},
+					},
+					Reply: &eventing.ReplySpec{
+						EventTransformations: eventing.EventTransformations{
+							Jsonata: &eventing.JsonataEventTransformationSpec{
+								Expression: `{ "specversion": "1.0" }`,
+							},
+						},
+						Discard: ptr.Bool(true),
+					},
+				},
+			},
+			ctx:  context.Background(),
+			want: (&apis.FieldError{}).Also(apis.ErrMultipleOneOf("jsonata", "discard").ViaField("reply").ViaField("spec")),
+		},
+		{
+			name: "jsonata update change expression",
+			in: eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec: eventing.EventTransformSpec{
+					Sink: sink,
+					EventTransformations: eventing.EventTransformations{
+						Jsonata: &eventing.JsonataEventTransformationSpec{
+							Expression: `{ "specversion": "2.0" }`,
+						},
+					},
+					Reply: &eventing.ReplySpec{
+						EventTransformations: eventing.EventTransformations{
+							Jsonata: &eventing.JsonataEventTransformationSpec{
+								Expression: `{ "specversion": "2.0" }`,
+							},
+						},
+					},
+				},
+			},
+			ctx: apis.WithinUpdate(context.Background(), &eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec: eventing.EventTransformSpec{
+					EventTransformations: eventing.EventTransformations{
+						Jsonata: &eventing.JsonataEventTransformationSpec{
+							Expression: `{ "specversion": "1.0" }`,
+						},
+					},
+					Reply: &eventing.ReplySpec{
+						EventTransformations: eventing.EventTransformations{
+							Jsonata: &eventing.JsonataEventTransformationSpec{
+								Expression: `{ "specversion": "1.0" }`,
+							},
+						},
+					},
+				},
+			}),
+			want: nil,
+		},
+		{
+			name: "transform jsonata change transformation type, have -> not have",
+			in: eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec: eventing.EventTransformSpec{
+					EventTransformations: eventing.EventTransformations{
+						Jsonata: &eventing.JsonataEventTransformationSpec{
+							Expression: `{ "specversion": "2.0" }`,
+						},
+					},
+				},
+			},
+			ctx: apis.WithinUpdate(context.Background(), &eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec: eventing.EventTransformSpec{
+					EventTransformations: eventing.EventTransformations{},
+				},
+			}),
+			want: (&apis.FieldError{}).
+				Also(
+					apis.ErrGeneric("Transformations types are immutable, jsonata transformation cannot be changed to a different transformation type. Suggestion: create a new transformation, migrate services to the new one, and delete this transformation.").
+						ViaField("jsonata"),
+				).
+				ViaField("spec"),
+		},
+		{
+			name: "transform jsonata change reply transformation type, have -> not have",
+			in: eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec: eventing.EventTransformSpec{
+					Sink: sink,
+					EventTransformations: eventing.EventTransformations{
+						Jsonata: &eventing.JsonataEventTransformationSpec{
+							Expression: `{ "specversion": "2.0" }`,
+						},
+					},
+					Reply: &eventing.ReplySpec{
+						EventTransformations: eventing.EventTransformations{
+							Jsonata: &eventing.JsonataEventTransformationSpec{
+								Expression: `{ "specversion": "2.0" }`,
+							},
+						},
+					},
+				},
+			},
+			ctx: apis.WithinUpdate(context.Background(), &eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec: eventing.EventTransformSpec{
+					EventTransformations: eventing.EventTransformations{
+						Jsonata: &eventing.JsonataEventTransformationSpec{
+							Expression: `{ "specversion": "2.0" }`,
+						},
+					},
+				},
+			}),
+			want: nil,
+		},
+		{
+			name: "transform jsonata change reply transformation type, jsonata expression -> discard",
+			in: eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec: eventing.EventTransformSpec{
+					Sink: sink,
+					EventTransformations: eventing.EventTransformations{
+						Jsonata: &eventing.JsonataEventTransformationSpec{
+							Expression: `{ "specversion": "2.0" }`,
+						},
+					},
+					Reply: &eventing.ReplySpec{
+						EventTransformations: eventing.EventTransformations{
+							Jsonata: &eventing.JsonataEventTransformationSpec{
+								Expression: `{ "specversion": "2.0" }`,
+							},
+						},
+					},
+				},
+			},
+			ctx: apis.WithinUpdate(context.Background(), &eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec: eventing.EventTransformSpec{
+					EventTransformations: eventing.EventTransformations{
+						Jsonata: &eventing.JsonataEventTransformationSpec{
+							Expression: `{ "specversion": "2.0" }`,
+						},
+					},
+					Reply: &eventing.ReplySpec{
+						Discard: ptr.Bool(true),
+					},
+				},
+			}),
+			want: nil,
+		},
+		{
+			name: "reply without sink",
+			in: eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec: eventing.EventTransformSpec{
+					EventTransformations: eventing.EventTransformations{
+						Jsonata: &eventing.JsonataEventTransformationSpec{
+							Expression: `{ "specversion": "2.0" }`,
+						},
+					},
+					Reply: &eventing.ReplySpec{
+						EventTransformations: eventing.EventTransformations{
+							Jsonata: &eventing.JsonataEventTransformationSpec{
+								Expression: `{ "specversion": "2.0" }`,
+							},
+						},
+					},
+				},
+				Status: eventing.EventTransformStatus{},
+			},
+			ctx: context.Background(),
+			want: (&apis.FieldError{}).Also(
+				apis.ErrGeneric("reply is set without spec.sink", "").
+					ViaField("reply").
+					ViaField("spec"),
+			),
+		},
+		{
+			name: "jsonata with sink unsupported CACerts",
+			in: eventing.EventTransform{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "name",
+				},
+				Spec: eventing.EventTransformSpec{
+					Sink: &duckv1.Destination{
+						URI:     sink.URI,
+						CACerts: ptr.String(string(eventingtlstesting.CA)),
+					},
+					EventTransformations: eventing.EventTransformations{
+						Jsonata: &eventing.JsonataEventTransformationSpec{
+							Expression: `{ "specversion": "1.0" }`,
+						},
+					},
+				},
+			},
+			ctx: context.Background(),
+			want: (&apis.FieldError{}).Also(&apis.FieldError{
+				Message: "CACerts for the sink is not supported for JSONata transformations, to propagate CA trust bundles use labeled ConfigMaps: " +
+					"https://knative.dev/docs/eventing/features/transport-encryption/#configure-additional-ca-trust-bundles",
+				Paths: []string{"spec.sink.CACerts"},
+			}),
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got := tt.in.Validate(tt.ctx)
+			assert.Equalf(t, tt.want, tt.in.Validate(tt.ctx), "Validate(%v) = %v", tt.ctx, got)
+		})
+	}
+}
--- a/pkg/apis/eventing/v1alpha1/register.go
+++ b/pkg/apis/eventing/v1alpha1/register.go
@ -47,6 +47,10 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&EventPolicy{},
 		&EventPolicyList{},
+		&RequestReply{},
+		&RequestReplyList{},
+		&EventTransform{},
+		&EventTransformList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
--- a/pkg/apis/eventing/v1alpha1/requestreply_conversion.go
+++ b/pkg/apis/eventing/v1alpha1/requestreply_conversion.go
@ -0,0 +1,34 @@
+/*
+Copyright 2020 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+
+	"knative.dev/pkg/apis"
+)
+
+// ConvertTo implements apis.Convertible
+func (ep *RequestReply) ConvertTo(ctx context.Context, obj apis.Convertible) error {
+	return fmt.Errorf("v1alpha1 is the highest known version, got: %T", obj)
+}
+
+// ConvertFrom implements apis.Convertible
+func (ep *RequestReply) ConvertFrom(ctx context.Context, obj apis.Convertible) error {
+	return fmt.Errorf("v1alpha1 is the highest known version, got: %T", obj)
+}
--- a/pkg/apis/eventing/v1alpha1/requestreply_conversion_test.go
+++ b/pkg/apis/eventing/v1alpha1/requestreply_conversion_test.go
@ -14,26 +14,21 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package upgrade
+package v1alpha1

 import (
 	"context"
 	"testing"
-
-	cloudevents "github.com/cloudevents/sdk-go/v2"
-	"knative.dev/eventing/test/e2e/helpers"
-	"knative.dev/eventing/test/lib"
 )

-var channelTestRunner lib.ComponentsTestRunner
+func TestRequestReplyConversionHighestVersion(t *testing.T) {
+	good, bad := &RequestReply{}, &RequestReply{}

-func runSmokeTest(t *testing.T) {
-	helpers.SingleEventForChannelTestHelper(
-		context.Background(),
-		t,
-		cloudevents.EncodingBinary,
-		helpers.SubscriptionV1,
-		"",
-		channelTestRunner,
-	)
+	if err := good.ConvertTo(context.Background(), bad); err == nil {
+		t.Errorf("ConvertTo() = %#v, wanted error", bad)
+	}
+
+	if err := good.ConvertFrom(context.Background(), bad); err == nil {
+		t.Errorf("ConvertFrom() = %#v, wanted error", good)
+	}
 }
--- a/pkg/apis/eventing/v1alpha1/requestreply_defaults.go
+++ b/pkg/apis/eventing/v1alpha1/requestreply_defaults.go
@ -0,0 +1,44 @@
+/*
+Copyright 2020 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"context"
+
+	"k8s.io/utils/ptr"
+	"knative.dev/eventing/pkg/apis/feature"
+	"knative.dev/pkg/apis"
+)
+
+func (rr *RequestReply) SetDefaults(ctx context.Context) {
+	ctx = apis.WithinParent(ctx, rr.ObjectMeta)
+	rr.Spec.SetDefaults(ctx)
+}
+
+func (rrs *RequestReplySpec) SetDefaults(ctx context.Context) {
+	if rrs.Timeout == nil || *rrs.Timeout == "" {
+		rrs.Timeout = ptr.To(feature.FromContextOrDefaults(ctx).RequestReplyDefaultTimeout())
+	}
+
+	if rrs.CorrelationAttribute == "" {
+		rrs.CorrelationAttribute = "correlationid"
+	}
+
+	if rrs.ReplyAttribute == "" {
+		rrs.ReplyAttribute = "replyid"
+	}
+}
--- a/pkg/apis/eventing/v1alpha1/requestreply_defaults_test.go
+++ b/pkg/apis/eventing/v1alpha1/requestreply_defaults_test.go
@ -0,0 +1,68 @@
+/*
+Copyright 2020 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"context"
+	"testing"
+
+	"k8s.io/utils/ptr"
+
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestRequestReplyDefaults(t *testing.T) {
+	testCases := map[string]struct {
+		initial  RequestReply
+		expected RequestReply
+	}{
+		"nil spec": {
+			initial: RequestReply{},
+			expected: RequestReply{
+				Spec: RequestReplySpec{
+					Timeout:              ptr.To("30s"),
+					CorrelationAttribute: "correlationid",
+					ReplyAttribute:       "replyid",
+				},
+			},
+		},
+		"does not override existing values": {
+			initial: RequestReply{
+				Spec: RequestReplySpec{
+					Timeout:              ptr.To("40s"),
+					CorrelationAttribute: "othercorrelationid",
+					ReplyAttribute:       "otherreplyid",
+				},
+			},
+			expected: RequestReply{
+				Spec: RequestReplySpec{
+					Timeout:              ptr.To("40s"),
+					CorrelationAttribute: "othercorrelationid",
+					ReplyAttribute:       "otherreplyid",
+				},
+			},
+		},
+	}
+	for n, tc := range testCases {
+		t.Run(n, func(t *testing.T) {
+			tc.initial.SetDefaults(context.TODO())
+			if diff := cmp.Diff(tc.expected, tc.initial); diff != "" {
+				t.Fatal("Unexpected defaults (-want, +got):", diff)
+			}
+		})
+	}
+}
--- a/pkg/apis/eventing/v1alpha1/requestreply_lifecycle.go
+++ b/pkg/apis/eventing/v1alpha1/requestreply_lifecycle.go
@ -0,0 +1,106 @@
+/*
+Copyright 2024 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"knative.dev/pkg/apis"
+	v1 "knative.dev/pkg/apis/duck/v1"
+)
+
+var requestReplyCondSet = apis.NewLivingConditionSet(RequestReplyConditionIngress, RequestReplyConditionTriggers, RequestReplyConditionAddressable, RequestReplyConditionEventPoliciesReady)
+
+const (
+	RequestReplyConditionReady                                 = apis.ConditionReady
+	RequestReplyConditionIngress            apis.ConditionType = "IngressReady"
+	RequestReplyConditionTriggers           apis.ConditionType = "TriggersReady"
+	RequestReplyConditionAddressable        apis.ConditionType = "Addressable"
+	RequestReplyConditionEventPoliciesReady apis.ConditionType = "EventPoliciesReady"
+)
+
+// GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.
+func (*RequestReply) GetConditionSet() apis.ConditionSet {
+	return requestReplyCondSet
+}
+
+func (*RequestReplyStatus) GetConditionSet() apis.ConditionSet {
+	return requestReplyCondSet
+}
+
+// GetCondition returns the condition currently associated with the given type, or nil.
+func (rr *RequestReplyStatus) GetCondition(t apis.ConditionType) *apis.Condition {
+	return requestReplyCondSet.Manage(rr).GetCondition(t)
+}
+
+// IsReady returns true if the resource is ready overall.
+func (rr *RequestReplyStatus) IsReady() bool {
+	return rr.GetTopLevelCondition().IsTrue()
+}
+
+// GetTopLevelCondition returns the top level Condition.
+func (rr *RequestReplyStatus) GetTopLevelCondition() *apis.Condition {
+	return requestReplyCondSet.Manage(rr).GetTopLevelCondition()
+}
+
+// InitializeConditions sets relevant unset conditions to Unknown state.
+func (rr *RequestReplyStatus) InitializeConditions() {
+	requestReplyCondSet.Manage(rr).InitializeConditions()
+}
+
+func (rr *RequestReplyStatus) SetAddress(address *v1.Addressable) {
+	rr.AddressStatus = v1.AddressStatus{
+		Address: address,
+	}
+
+	if address != nil && address.URL != nil {
+		rr.GetConditionSet().Manage(rr).MarkTrue(RequestReplyConditionAddressable)
+		rr.AddressStatus.Address.Name = &address.URL.Scheme
+	} else {
+		rr.GetConditionSet().Manage(rr).MarkFalse(RequestReplyConditionAddressable, "nil URL", "URL is nil")
+	}
+}
+
+func (rr *RequestReplyStatus) MarkTriggersReady() {
+	rr.GetConditionSet().Manage(rr).MarkTrue(RequestReplyConditionTriggers)
+}
+
+func (rr *RequestReplyStatus) MarkTriggersNotReadyWithReason(reason, messageFormat string, messageA ...interface{}) {
+	rr.GetConditionSet().Manage(rr).MarkUnknown(RequestReplyConditionTriggers, reason, messageFormat, messageA...)
+}
+
+func (rr *RequestReplyStatus) MarkIngressReady() {
+	rr.GetConditionSet().Manage(rr).MarkTrue(RequestReplyConditionIngress)
+}
+
+func (rr *RequestReplyStatus) MarkIngressNotReadyWithReason(reason, messageFormat string, messageA ...interface{}) {
+	rr.GetConditionSet().Manage(rr).MarkUnknown(RequestReplyConditionIngress, reason, messageFormat, messageA...)
+}
+
+func (rr *RequestReplyStatus) MarkEventPoliciesTrue() {
+	rr.GetConditionSet().Manage(rr).MarkTrue(RequestReplyConditionEventPoliciesReady)
+}
+
+func (rr *RequestReplyStatus) MarkEventPoliciesTrueWithReason(reason, messageFormat string, messageA ...interface{}) {
+	rr.GetConditionSet().Manage(rr).MarkTrueWithReason(RequestReplyConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}
+
+func (rr *RequestReplyStatus) MarkEventPoliciesFailed(reason, messageFormat string, messageA ...interface{}) {
+	rr.GetConditionSet().Manage(rr).MarkFalse(RequestReplyConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}
+
+func (rr *RequestReplyStatus) MarkEventPoliciesUnknown(reason, messageFormat string, messageA ...interface{}) {
+	rr.GetConditionSet().Manage(rr).MarkUnknown(RequestReplyConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}
--- a/pkg/apis/eventing/v1alpha1/requestreply_lifecycle_test.go
+++ b/pkg/apis/eventing/v1alpha1/requestreply_lifecycle_test.go
@ -0,0 +1,267 @@
+/*
+Copyright 2020 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
+	"knative.dev/pkg/apis"
+	duckv1 "knative.dev/pkg/apis/duck/v1"
+)
+
+var (
+	requestReplyConditionReady = apis.Condition{
+		Type:   RequestReplyConditionReady,
+		Status: corev1.ConditionTrue,
+	}
+)
+
+func TestRequestReplyGetConditionSet(t *testing.T) {
+	r := &RequestReply{}
+
+	if got, want := r.GetConditionSet().GetTopLevelConditionType(), apis.ConditionReady; got != want {
+		t.Errorf("GetTopLevelCondition=%v, want=%v", got, want)
+	}
+}
+
+func TestRequestReplyGetCondition(t *testing.T) {
+	tests := []struct {
+		name      string
+		rrs       *RequestReplyStatus
+		condQuery apis.ConditionType
+		want      *apis.Condition
+	}{{
+		name: "single condition",
+		rrs: &RequestReplyStatus{
+			Status: duckv1.Status{
+				Conditions: []apis.Condition{
+					requestReplyConditionReady,
+				},
+			},
+		},
+		condQuery: apis.ConditionReady,
+		want:      &eventPolicyConditionReady,
+	}}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			got := test.rrs.GetCondition(test.condQuery)
+			if diff := cmp.Diff(test.want, got); diff != "" {
+				t.Error("unexpected condition (-want, +got) =", diff)
+			}
+		})
+	}
+}
+
+func TestRequestReplyInitializeConditions(t *testing.T) {
+	tests := []struct {
+		name string
+		rrs  *RequestReplyStatus
+		want *RequestReplyStatus
+	}{
+		{
+			name: "empty status",
+			rrs:  &RequestReplyStatus{},
+			want: &RequestReplyStatus{
+				Status: duckv1.Status{
+					Conditions: []apis.Condition{
+						{
+							Type:   RequestReplyConditionAddressable,
+							Status: corev1.ConditionUnknown,
+						},
+						{
+							Type:   RequestReplyConditionEventPoliciesReady,
+							Status: corev1.ConditionUnknown,
+						},
+						{
+							Type:   RequestReplyConditionIngress,
+							Status: corev1.ConditionUnknown,
+						},
+						{
+							Type:   RequestReplyConditionReady,
+							Status: corev1.ConditionUnknown,
+						},
+						{
+							Type:   RequestReplyConditionTriggers,
+							Status: corev1.ConditionUnknown,
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			test.rrs.InitializeConditions()
+			if diff := cmp.Diff(test.want, test.rrs, ignoreAllButTypeAndStatus); diff != "" {
+				t.Error("unexpected conditions (-want, +got) =", diff)
+			}
+		})
+	}
+}
+
+func TestRequestReplyReadyCondition(t *testing.T) {
+	tests := []struct {
+		name                            string
+		rrs                             *RequestReplyStatus
+		markAddresableSucceeded         *bool
+		markIngressReadySucceeded       *bool
+		markTriggersReadySucceeded      *bool
+		markEventPoliciesReadySucceeded *bool
+		wantReady                       bool
+	}{
+		{
+			name: "Initially everything is Unknown, Auth&SubjectsResolved marked as true, EP should become Ready",
+			rrs: &RequestReplyStatus{
+				Status: duckv1.Status{
+					Conditions: []apis.Condition{
+						{Type: RequestReplyConditionReady, Status: corev1.ConditionUnknown},
+						{Type: RequestReplyConditionAddressable, Status: corev1.ConditionUnknown},
+						{Type: RequestReplyConditionIngress, Status: corev1.ConditionUnknown},
+						{Type: RequestReplyConditionTriggers, Status: corev1.ConditionUnknown},
+						{Type: RequestReplyConditionEventPoliciesReady, Status: corev1.ConditionUnknown},
+					},
+				},
+			},
+			markAddresableSucceeded:         ptr.To(true),
+			markIngressReadySucceeded:       ptr.To(true),
+			markTriggersReadySucceeded:      ptr.To(true),
+			markEventPoliciesReadySucceeded: ptr.To(true),
+			wantReady:                       true,
+		},
+		{
+			name: "Initially everything is Ready, Addressable set to false, RR should become False",
+			rrs: &RequestReplyStatus{
+				Status: duckv1.Status{
+					Conditions: []apis.Condition{
+						{Type: RequestReplyConditionReady, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionAddressable, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionIngress, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionTriggers, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionEventPoliciesReady, Status: corev1.ConditionTrue},
+					},
+				},
+			},
+			markAddresableSucceeded:         ptr.To(false),
+			markIngressReadySucceeded:       ptr.To(true),
+			markTriggersReadySucceeded:      ptr.To(true),
+			markEventPoliciesReadySucceeded: ptr.To(true),
+			wantReady:                       false,
+		},
+		{
+			name: "Initially everything is Ready, Ingress set to false, RR should become False",
+			rrs: &RequestReplyStatus{
+				Status: duckv1.Status{
+					Conditions: []apis.Condition{
+						{Type: RequestReplyConditionReady, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionAddressable, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionIngress, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionTriggers, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionEventPoliciesReady, Status: corev1.ConditionTrue},
+					},
+				},
+			},
+			markAddresableSucceeded:         ptr.To(true),
+			markIngressReadySucceeded:       ptr.To(false),
+			markTriggersReadySucceeded:      ptr.To(true),
+			markEventPoliciesReadySucceeded: ptr.To(true),
+			wantReady:                       false,
+		},
+		{
+			name: "Initially everything is Ready, Trigger set to false, RR should become False",
+			rrs: &RequestReplyStatus{
+				Status: duckv1.Status{
+					Conditions: []apis.Condition{
+						{Type: RequestReplyConditionReady, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionAddressable, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionIngress, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionTriggers, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionEventPoliciesReady, Status: corev1.ConditionTrue},
+					},
+				},
+			},
+			markAddresableSucceeded:         ptr.To(true),
+			markIngressReadySucceeded:       ptr.To(true),
+			markTriggersReadySucceeded:      ptr.To(false),
+			markEventPoliciesReadySucceeded: ptr.To(true),
+			wantReady:                       false,
+		},
+		{
+			name: "Initially everything is Ready, EPs set to false, RR should become False",
+			rrs: &RequestReplyStatus{
+				Status: duckv1.Status{
+					Conditions: []apis.Condition{
+						{Type: RequestReplyConditionReady, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionAddressable, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionIngress, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionTriggers, Status: corev1.ConditionTrue},
+						{Type: RequestReplyConditionEventPoliciesReady, Status: corev1.ConditionTrue},
+					},
+				},
+			},
+			markAddresableSucceeded:         ptr.To(true),
+			markIngressReadySucceeded:       ptr.To(true),
+			markTriggersReadySucceeded:      ptr.To(true),
+			markEventPoliciesReadySucceeded: ptr.To(false),
+			wantReady:                       false,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			if test.markAddresableSucceeded != nil {
+				if *test.markAddresableSucceeded {
+					url, _ := apis.ParseURL("http://localhost:8080")
+					test.rrs.SetAddress(&duckv1.Addressable{URL: url})
+				} else {
+					test.rrs.SetAddress(nil)
+
+				}
+			}
+			if test.markIngressReadySucceeded != nil {
+				if *test.markIngressReadySucceeded {
+					test.rrs.MarkIngressReady()
+				} else {
+					test.rrs.MarkIngressNotReadyWithReason("", "")
+				}
+			}
+			if test.markTriggersReadySucceeded != nil {
+				if *test.markTriggersReadySucceeded {
+					test.rrs.MarkTriggersReady()
+				} else {
+					test.rrs.MarkTriggersNotReadyWithReason("", "")
+				}
+			}
+			if test.markEventPoliciesReadySucceeded != nil {
+				if *test.markEventPoliciesReadySucceeded {
+					test.rrs.MarkEventPoliciesTrue()
+				} else {
+					test.rrs.MarkEventPoliciesFailed("", "")
+				}
+			}
+			rr := RequestReply{Status: *test.rrs}
+			got := rr.GetConditionSet().Manage(test.rrs).IsHappy()
+			if test.wantReady != got {
+				t.Errorf("unexpected readiness: want %v, got %v", test.wantReady, got)
+			}
+		})
+	}
+}
--- a/pkg/apis/eventing/v1alpha1/requestreply_types.go
+++ b/pkg/apis/eventing/v1alpha1/requestreply_types.go
@ -0,0 +1,122 @@
+/*
+Copyright 2020 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"knative.dev/pkg/apis"
+	duckv1 "knative.dev/pkg/apis/duck/v1"
+	"knative.dev/pkg/kmeta"
+
+	eventingduckv1 "knative.dev/eventing/pkg/apis/duck/v1"
+)
+
+// +genclient
+// +genreconciler
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RequestRepluy represents synchronous interface to sending and receiving events from a Broker.
+type RequestReply struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec defines the desired state of the EventPolicy.
+	Spec RequestReplySpec `json:"spec,omitempty"`
+
+	// Status represents the current state of the EventPolicy.
+	// This data may be out of date.
+	// +optional
+	Status RequestReplyStatus `json:"status,omitempty"`
+}
+
+var (
+	// Check that EventPolicy can be validated, can be defaulted, and has immutable fields.
+	_ apis.Validatable = (*RequestReply)(nil)
+	_ apis.Defaultable = (*RequestReply)(nil)
+
+	// Check that EventPolicy can return its spec untyped.
+	_ apis.HasSpec = (*RequestReply)(nil)
+
+	_ runtime.Object = (*RequestReply)(nil)
+
+	// Check that we can create OwnerReferences to an EventPolicy.
+	_ kmeta.OwnerRefable = (*RequestReply)(nil)
+
+	// Check that the type conforms to the duck Knative Resource shape.
+	_ duckv1.KRShaped = (*RequestReply)(nil)
+)
+
+type RequestReplySpec struct {
+	// BrokerRef contains the reference to the broker the RequestReply sends events to.
+	BrokerRef duckv1.KReference `json:"brokerRef"`
+
+	CorrelationAttribute string `json:"correlationAttribute"`
+
+	ReplyAttribute string `json:"replyAttribute"`
+
+	Timeout *string `json:"timeout,omitempty"`
+
+	Delivery *eventingduckv1.DeliverySpec `json:"delivery,omitempty"`
+
+	Secrets []string `json:"secrets"`
+}
+
+// RequestReplyStatus represents the current state of a RequestReply.
+type RequestReplyStatus struct {
+	// inherits duck/v1 Status, which currently provides:
+	// * ObservedGeneration - the 'Generation' of the Service that was last processed by the controller.
+	// * Conditions - the latest available observations of a resource's current state.
+	duckv1.Status `json:",inline"`
+
+	// AddressStatus is the part where the RequestReply fulfills the Addressable contract.
+	// It exposes the endpoint as an URI to get events delivered.
+	// +optional
+	duckv1.AddressStatus `json:",inline"`
+
+	// AppliedEventPoliciesStatus contains the list of EventPolicies which apply to this Broker.
+	// +optional
+	eventingduckv1.AppliedEventPoliciesStatus `json:",inline"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RequestReplyList is a collection of RequestReplies.
+type RequestReplyList struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []RequestReply `json:"items"`
+}
+
+// GetGroupVersionKind returns GroupVersionKind for EventPolicy
+func (rr *RequestReply) GetGroupVersionKind() schema.GroupVersionKind {
+	return SchemeGroupVersion.WithKind("RequestReply")
+}
+
+// GetUntypedSpec returns the spec of the EventPolicy.
+func (rr *RequestReply) GetUntypedSpec() interface{} {
+	return rr.Spec
+}
+
+// GetStatus retrieves the status of the EventPolicy. Implements the KRShaped interface.
+func (rr *RequestReply) GetStatus() *duckv1.Status {
+	return &rr.Status.Status
+}
--- a/pkg/apis/eventing/v1alpha1/requestreply_types_test.go
+++ b/pkg/apis/eventing/v1alpha1/requestreply_types_test.go
@ -14,23 +14,26 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package resources
+package v1alpha1

 import (
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"knative.dev/pkg/kmeta"
+	"testing"
 )

-// MakeServiceAccount creates a ServiceAccount object for the given referable object
-func MakeServiceAccount(obj kmeta.OwnerRefable, name string) *corev1.ServiceAccount {
-	return &corev1.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{
-			Namespace: obj.GetObjectMeta().GetNamespace(),
-			Name:      name,
-			OwnerReferences: []metav1.OwnerReference{
-				*kmeta.NewControllerRef(obj),
-			},
-		},
+func TestRequestReplyGetStatus(t *testing.T) {
+	r := &RequestReply{
+		Status: RequestReplyStatus{},
+	}
+	if got, want := r.GetStatus(), &r.Status.Status; got != want {
+		t.Errorf("GetStatus=%v, want=%v", got, want)
+	}
+}
+
+func TestRequestReply_GetGroupVersionKind(t *testing.T) {
+	src := RequestReply{}
+	gvk := src.GetGroupVersionKind()
+
+	if gvk.Kind != "RequestReply" {
+		t.Errorf("Should be RequestReply, got %s.", gvk.Kind)
 	}
 }
--- a/pkg/apis/eventing/v1alpha1/requestreply_validation.go
+++ b/pkg/apis/eventing/v1alpha1/requestreply_validation.go
@ -0,0 +1,83 @@
+/*
+Copyright 2020 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"context"
+	"strings"
+
+	"github.com/rickb777/date/period"
+
+	"knative.dev/pkg/apis"
+)
+
+func (rr *RequestReply) Validate(ctx context.Context) *apis.FieldError {
+	ctx = apis.WithinParent(ctx, rr.ObjectMeta)
+	return rr.Spec.Validate(ctx).ViaField("spec")
+}
+
+func (rrs *RequestReplySpec) Validate(ctx context.Context) *apis.FieldError {
+	var errs *apis.FieldError
+
+	if ke := rrs.BrokerRef.Validate(ctx); ke != nil {
+		errs = errs.Also(ke.ViaField("brokerRef"))
+	}
+
+	if !strings.EqualFold(rrs.BrokerRef.Kind, "broker") {
+		errs = errs.Also(apis.ErrInvalidValue(rrs.BrokerRef.Kind, ".kind", "brokerRef kind must be Broker").ViaField("brokerRef"))
+	}
+
+	if rrs.BrokerRef.Namespace != "" {
+		errs = errs.Also(apis.ErrDisallowedFields("namespace").ViaField("brokerRef"))
+	}
+
+	if rrs.Delivery != nil {
+		if de := rrs.Delivery.Validate(ctx); de != nil {
+			errs = errs.Also(de.ViaField("delivery"))
+		}
+	}
+
+	if rrs.Timeout != nil {
+		timeout, err := period.Parse(*rrs.Timeout)
+		if err != nil || timeout.IsZero() || timeout.IsNegative() {
+			errs = errs.Also(apis.ErrInvalidValue(*rrs.Timeout, "timeout"))
+		}
+
+	}
+
+	if len(rrs.Secrets) == 0 {
+		errs = errs.Also(apis.ErrInvalidValue(rrs.Secrets, "secrets", "one or more secrets must be provided"))
+	}
+
+	if rrs.CorrelationAttribute == "" ||
+		rrs.CorrelationAttribute == "id" ||
+		rrs.CorrelationAttribute == "course" ||
+		rrs.CorrelationAttribute == "specversion" ||
+		rrs.CorrelationAttribute == "type" {
+		errs = errs.Also(apis.ErrInvalidValue(rrs.CorrelationAttribute, "correlationattribute", "correlationattribute must be non-empty and cannot be a core cloudevent attribute (id, type, specversion, source)"))
+	}
+
+	if rrs.ReplyAttribute == "" ||
+		rrs.ReplyAttribute == "id" ||
+		rrs.ReplyAttribute == "course" ||
+		rrs.ReplyAttribute == "specversion" ||
+		rrs.ReplyAttribute == "type" {
+		errs = errs.Also(apis.ErrInvalidValue(rrs.ReplyAttribute, "replyattribute", "replyattribute must be non-empty and cannot be a core cloudevent attribute (id, type, specversion, source)"))
+	}
+
+	return errs
+}
--- a/pkg/apis/eventing/v1alpha1/requestreply_validation_test.go
+++ b/pkg/apis/eventing/v1alpha1/requestreply_validation_test.go
@ -0,0 +1,63 @@
+/*
+Copyright 2020 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"context"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+
+	"knative.dev/pkg/apis"
+	duckv1 "knative.dev/pkg/apis/duck/v1"
+)
+
+func TestRequestReplyValidation(t *testing.T) {
+	tests := []struct {
+		name string
+		rr   *RequestReply
+		want *apis.FieldError
+	}{
+		{
+			name: "valid, all required fields set",
+			rr: &RequestReply{
+				Spec: RequestReplySpec{
+					ReplyAttribute:       "reply",
+					CorrelationAttribute: "correlate",
+					Secrets:              []string{"secret1"},
+					BrokerRef: duckv1.KReference{
+						APIVersion: "eventing.knative.dev/v1",
+						Kind:       "Broker",
+						Name:       "broker",
+					},
+				},
+			},
+			want: func() *apis.FieldError {
+				return nil
+			}(),
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			ctx := apis.WithinCreate(context.Background())
+			got := test.rr.Validate(ctx)
+			if diff := cmp.Diff(test.want.Error(), got.Error()); diff != "" {
+				t.Errorf("%s: Validate EventPolicySpec (-want, +got) = %v", test.name, diff)
+			}
+		})
+	}
+}
--- a/pkg/apis/eventing/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/eventing/v1alpha1/zz_generated.deepcopy.go
@ -24,6 +24,9 @@ package v1alpha1
 import (
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
+	apisduckv1 "knative.dev/eventing/pkg/apis/duck/v1"
+	eventingv1 "knative.dev/eventing/pkg/apis/eventing/v1"
+	duckv1 "knative.dev/pkg/apis/duck/v1"
 )

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@ -146,6 +149,13 @@ func (in *EventPolicySpec) DeepCopyInto(out *EventPolicySpec) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Filters != nil {
+		in, out := &in.Filters, &out.Filters
+		*out = make([]eventingv1.SubscriptionsAPIFilter, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }

@ -248,3 +258,302 @@ func (in *EventPolicyToReference) DeepCopy() *EventPolicyToReference {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EventTransform) DeepCopyInto(out *EventTransform) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventTransform.
+func (in *EventTransform) DeepCopy() *EventTransform {
+	if in == nil {
+		return nil
+	}
+	out := new(EventTransform)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *EventTransform) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EventTransformList) DeepCopyInto(out *EventTransformList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]EventTransform, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventTransformList.
+func (in *EventTransformList) DeepCopy() *EventTransformList {
+	if in == nil {
+		return nil
+	}
+	out := new(EventTransformList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *EventTransformList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EventTransformSpec) DeepCopyInto(out *EventTransformSpec) {
+	*out = *in
+	if in.Sink != nil {
+		in, out := &in.Sink, &out.Sink
+		*out = new(duckv1.Destination)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Reply != nil {
+		in, out := &in.Reply, &out.Reply
+		*out = new(ReplySpec)
+		(*in).DeepCopyInto(*out)
+	}
+	in.EventTransformations.DeepCopyInto(&out.EventTransformations)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventTransformSpec.
+func (in *EventTransformSpec) DeepCopy() *EventTransformSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(EventTransformSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EventTransformStatus) DeepCopyInto(out *EventTransformStatus) {
+	*out = *in
+	in.SourceStatus.DeepCopyInto(&out.SourceStatus)
+	in.AddressStatus.DeepCopyInto(&out.AddressStatus)
+	if in.JsonataTransformationStatus != nil {
+		in, out := &in.JsonataTransformationStatus, &out.JsonataTransformationStatus
+		*out = new(JsonataEventTransformationStatus)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventTransformStatus.
+func (in *EventTransformStatus) DeepCopy() *EventTransformStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(EventTransformStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EventTransformations) DeepCopyInto(out *EventTransformations) {
+	*out = *in
+	if in.Jsonata != nil {
+		in, out := &in.Jsonata, &out.Jsonata
+		*out = new(JsonataEventTransformationSpec)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventTransformations.
+func (in *EventTransformations) DeepCopy() *EventTransformations {
+	if in == nil {
+		return nil
+	}
+	out := new(EventTransformations)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JsonataEventTransformationSpec) DeepCopyInto(out *JsonataEventTransformationSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JsonataEventTransformationSpec.
+func (in *JsonataEventTransformationSpec) DeepCopy() *JsonataEventTransformationSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(JsonataEventTransformationSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JsonataEventTransformationStatus) DeepCopyInto(out *JsonataEventTransformationStatus) {
+	*out = *in
+	in.Deployment.DeepCopyInto(&out.Deployment)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JsonataEventTransformationStatus.
+func (in *JsonataEventTransformationStatus) DeepCopy() *JsonataEventTransformationStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(JsonataEventTransformationStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplySpec) DeepCopyInto(out *ReplySpec) {
+	*out = *in
+	in.EventTransformations.DeepCopyInto(&out.EventTransformations)
+	if in.Discard != nil {
+		in, out := &in.Discard, &out.Discard
+		*out = new(bool)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplySpec.
+func (in *ReplySpec) DeepCopy() *ReplySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RequestReply) DeepCopyInto(out *RequestReply) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestReply.
+func (in *RequestReply) DeepCopy() *RequestReply {
+	if in == nil {
+		return nil
+	}
+	out := new(RequestReply)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RequestReply) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RequestReplyList) DeepCopyInto(out *RequestReplyList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]RequestReply, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestReplyList.
+func (in *RequestReplyList) DeepCopy() *RequestReplyList {
+	if in == nil {
+		return nil
+	}
+	out := new(RequestReplyList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RequestReplyList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RequestReplySpec) DeepCopyInto(out *RequestReplySpec) {
+	*out = *in
+	in.BrokerRef.DeepCopyInto(&out.BrokerRef)
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(string)
+		**out = **in
+	}
+	if in.Delivery != nil {
+		in, out := &in.Delivery, &out.Delivery
+		*out = new(apisduckv1.DeliverySpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Secrets != nil {
+		in, out := &in.Secrets, &out.Secrets
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestReplySpec.
+func (in *RequestReplySpec) DeepCopy() *RequestReplySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(RequestReplySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RequestReplyStatus) DeepCopyInto(out *RequestReplyStatus) {
+	*out = *in
+	in.Status.DeepCopyInto(&out.Status)
+	in.AddressStatus.DeepCopyInto(&out.AddressStatus)
+	in.AppliedEventPoliciesStatus.DeepCopyInto(&out.AppliedEventPoliciesStatus)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestReplyStatus.
+func (in *RequestReplyStatus) DeepCopy() *RequestReplyStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(RequestReplyStatus)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/pkg/apis/eventing/v1beta3/eventtype_validation_test.go
+++ b/pkg/apis/eventing/v1beta3/eventtype_validation_test.go
@ -50,12 +50,36 @@ func TestEventTypeSpecValidation(t *testing.T) {
 		ets  *EventTypeSpec
 		want *apis.FieldError
 	}{{
-		name: "invalid eventtype type",
+		name: "invalid/empty eventtype",
 		ets:  &EventTypeSpec{},
 		want: func() *apis.FieldError {
 			fe := apis.ErrMissingField("attributes.id", "attributes.source", "attributes.specversion", "attributes.type")
 			return fe
 		}(),
+	}, {
+		name: "partially invalid eventtype type",
+		ets: &EventTypeSpec{
+			Attributes: []EventAttributeDefinition{
+				{
+					Name:     "source",
+					Value:    testSource.String(),
+					Required: true,
+				},
+				{
+					Name:     "specversion",
+					Value:    "v1",
+					Required: true,
+				},
+				{
+					Name:     "id",
+					Required: true,
+				},
+			},
+		},
+		want: func() *apis.FieldError {
+			fe := apis.ErrMissingField("attributes.type")
+			return fe
+		}(),
 	}, {
 		name: "valid eventtype",
 		ets: &EventTypeSpec{
@ -86,6 +110,46 @@ func TestEventTypeSpecValidation(t *testing.T) {
 				},
 			},
 		},
+	}, {
+		name: "valid eventtype with extensions and optional attributes",
+		ets: &EventTypeSpec{
+			Reference: &duckv1.KReference{
+				APIVersion: "eventing.knative.dev/v1",
+				Kind:       "Broker",
+				Name:       "test-broker",
+			},
+			Attributes: []EventAttributeDefinition{
+				{
+					Name:     "type",
+					Value:    "event-type",
+					Required: true,
+				},
+				{
+					Name:     "source",
+					Value:    testSource.String(),
+					Required: true,
+				},
+				{
+					Name:     "specversion",
+					Value:    "v1",
+					Required: true,
+				},
+				{
+					Name:     "subject",
+					Value:    "foo.png",
+					Required: false,
+				},
+				{
+					Name:     "customattribute",
+					Value:    "value",
+					Required: false,
+				},
+				{
+					Name:     "id",
+					Required: true,
+				},
+			},
+		},
 	},
 	}

--- a/pkg/apis/feature/features.go
+++ b/pkg/apis/feature/features.go
@ -64,6 +64,13 @@ const (
 	// This configuration is applied when there is no EventPolicy with a "to" referencing a given
 	// resource.
 	AuthorizationAllowSameNamespace Flag = "Allow-Same-Namespace"
+
+	// DefaultOIDCDiscoveryURL is the default OIDC Discovery URL used in most Kubernetes clusters.
+	DefaultOIDCDiscoveryBaseURL Flag = "https://kubernetes.default.svc"
+
+	// DefaultRequestReplyTimeout is a value for RequestReplyDefaultTimeout that indicates to timeout
+	// a RequestReply resource after 30 seconds by default.
+	DefaultRequestReplyTimeout Flag = "30s"
 )

 // Flags is a map containing all the enabled/disabled flags for the experimental features.
@ -72,15 +79,17 @@ type Flags map[string]Flag

 func newDefaults() Flags {
 	return map[string]Flag{
-		KReferenceGroup:          Disabled,
-		DeliveryRetryAfter:       Disabled,
-		DeliveryTimeout:          Enabled,
-		KReferenceMapping:        Disabled,
-		TransportEncryption:      Disabled,
-		OIDCAuthentication:       Disabled,
-		EvenTypeAutoCreate:       Disabled,
-		NewAPIServerFilters:      Disabled,
-		AuthorizationDefaultMode: AuthorizationAllowSameNamespace,
+		KReferenceGroup:            Disabled,
+		DeliveryRetryAfter:         Disabled,
+		DeliveryTimeout:            Enabled,
+		KReferenceMapping:          Disabled,
+		TransportEncryption:        Disabled,
+		OIDCAuthentication:         Disabled,
+		EvenTypeAutoCreate:         Disabled,
+		NewAPIServerFilters:        Disabled,
+		AuthorizationDefaultMode:   AuthorizationAllowSameNamespace,
+		OIDCDiscoveryBaseURL:       DefaultOIDCDiscoveryBaseURL,
+		RequestReplyDefaultTimeout: DefaultRequestReplyTimeout,
 	}
 }

@ -134,6 +143,33 @@ func (e Flags) IsAuthorizationDefaultModeSameNamespace() bool {
 	return e != nil && e[AuthorizationDefaultMode] == AuthorizationAllowSameNamespace
 }

+func (e Flags) OIDCDiscoveryBaseURL() string {
+	if e == nil {
+		return string(DefaultOIDCDiscoveryBaseURL)
+	}
+
+	//nolint:staticcheck
+	discoveryUrl, ok := e[OIDCDiscoveryBaseURL]
+	if !ok {
+		return string(DefaultOIDCDiscoveryBaseURL)
+	}
+
+	return string(discoveryUrl)
+}
+
+func (e Flags) RequestReplyDefaultTimeout() string {
+	if e == nil {
+		return string(DefaultRequestReplyTimeout)
+	}
+
+	timeout, ok := e[RequestReplyDefaultTimeout]
+	if !ok {
+		return string(DefaultRequestReplyTimeout)
+	}
+
+	return string(timeout)
+}
+
 func (e Flags) String() string {
 	return fmt.Sprintf("%+v", map[string]Flag(e))
 }
@ -183,7 +219,7 @@ func NewFlagsConfigFromMap(data map[string]string) (Flags, error) {
 			flags[sanitizedKey] = AuthorizationDenyAll
 		} else if sanitizedKey == AuthorizationDefaultMode && strings.EqualFold(v, string(AuthorizationAllowSameNamespace)) {
 			flags[sanitizedKey] = AuthorizationAllowSameNamespace
-		} else if strings.Contains(k, NodeSelectorLabel) {
+		} else if strings.Contains(k, NodeSelectorLabel) || sanitizedKey == OIDCDiscoveryBaseURL {
 			flags[sanitizedKey] = Flag(v)
 		} else {
 			flags[k] = Flag(v)
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`../third_party/eventing-integrations-latest/eventing-integrations-images.yaml`
				`@ -0,0 +1 @@`
				`../../../third_party/eventing-integrations-latest/eventing-integrations-images.yaml`