upgrade to latest dependencies

bumping knative.dev/pkg 9c8140b...80c8bc4:
  > 80c8bc4 Add TLSMaxVersion, TLSCipherSuites, and TLSCurvePreferences to webhook.Options for enhanced TLS control (# 3300)

Signed-off-by: Knative Automation <[email protected]>

Author: knative-automation

go.mod

@@ -14,7 +14,7 @@ require (
 	k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d
 	knative.dev/hack v0.0.0-20251126013634-1484a9e9b641
 	knative.dev/networking v0.0.0-20251217020127-11890a5dabea
-	knative.dev/pkg v0.0.0-20251216153728-9c8140b780d1
+	knative.dev/pkg v0.0.0-20251217214024-80c8bc434670
 	sigs.k8s.io/gateway-api v1.4.0
 	sigs.k8s.io/yaml v1.6.0
 )

go.sum

@@ -259,8 +259,8 @@ knative.dev/hack v0.0.0-20251126013634-1484a9e9b641 h1:N9Xqx3YLUNFN1WIc3UXTanK4j
 knative.dev/hack v0.0.0-20251126013634-1484a9e9b641/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0=
 knative.dev/networking v0.0.0-20251217020127-11890a5dabea h1:CsVi1M+NbPIfvBPWI9DQOwlzBG6+w+mAfhUDqw1jeXM=
 knative.dev/networking v0.0.0-20251217020127-11890a5dabea/go.mod h1:gPzztUiSYDSB3yHx85xr4j2ZccEdiZDWlLsYHr7fQtg=
-knative.dev/pkg v0.0.0-20251216153728-9c8140b780d1 h1:pSZ4sRKm/Kq1ec+7Yhow6jUH0FKZjzrUHpPsy6Lu8pE=
-knative.dev/pkg v0.0.0-20251216153728-9c8140b780d1/go.mod h1:jU9OxeX3zL4W6aHpdMjMA/B7kgkm5JQv6PGMod2Qu/M=
+knative.dev/pkg v0.0.0-20251217214024-80c8bc434670 h1:MKgHnTvNprMn+Tr73CRB088PqR22q4KuVFIBTLFltwA=
+knative.dev/pkg v0.0.0-20251217214024-80c8bc434670/go.mod h1:jU9OxeX3zL4W6aHpdMjMA/B7kgkm5JQv6PGMod2Qu/M=
 sigs.k8s.io/gateway-api v1.4.0 h1:ZwlNM6zOHq0h3WUX2gfByPs2yAEsy/EenYJB78jpQfQ=
 sigs.k8s.io/gateway-api v1.4.0/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=

vendor/knative.dev/pkg/webhook/README.md

@@ -78,6 +78,149 @@ func main() {
 There is also a config map validation admission controller built in under
 `knative.dev/pkg/webhook/configmaps`.
 
+## TLS Configuration
+
+The webhook server supports configuring TLS parameters through the `webhook.Options` struct. This allows you to control the TLS version, cipher suites, and elliptic curve preferences for enhanced security.
+
+### Available TLS Options
+
+```go
+type Options struct {
+    // ... other fields ...
+
+    // TLSMinVersion contains the minimum TLS version that is acceptable.
+    // Default is TLS 1.3 if not specified.
+    // Supported values: tls.VersionTLS12, tls.VersionTLS13
+    TLSMinVersion uint16
+
+    // TLSMaxVersion contains the maximum TLS version that is acceptable.
+    // If not set (0), the maximum version supported by the implementation will be used.
+    // Useful for enforcing Modern profile (TLS 1.3 only) by setting both
+    // TLSMinVersion and TLSMaxVersion to tls.VersionTLS13.
+    TLSMaxVersion uint16
+
+    // TLSCipherSuites specifies the list of enabled cipher suites.
+    // If empty, a default list of secure cipher suites will be used.
+    // Note: Cipher suites are not configurable in TLS 1.3; they are
+    // determined by the implementation.
+    TLSCipherSuites []uint16
+
+    // TLSCurvePreferences specifies the elliptic curves that will be used
+    // in an ECDHE handshake. If empty, the default curves will be used.
+    TLSCurvePreferences []tls.CurveID
+}
+```
+
+### Environment Variable Configuration
+
+You can also configure the minimum TLS version via the `WEBHOOK_TLS_MIN_VERSION` environment variable:
+
+```yaml
+env:
+  - name: WEBHOOK_TLS_MIN_VERSION
+    value: "1.3"  # or "1.2"
+```
+
+### Usage Examples
+
+#### Example 1: Default Configuration (Recommended)
+
+By default, the webhook uses TLS 1.3 as the minimum version with secure defaults:
+
+```go
+ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+    ServiceName: "webhook",
+    Port:        8443,
+    SecretName:  "webhook-certs",
+    // TLS defaults: MinVersion=1.3, secure cipher suites and curves
+})
+```
+
+#### Example 2: Modern Profile (TLS 1.3 Only)
+
+To enforce TLS 1.3 only (highest security profile):
+
+```go
+ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+    ServiceName:   "webhook",
+    Port:          8443,
+    SecretName:    "webhook-certs",
+    TLSMinVersion: tls.VersionTLS13,
+    TLSMaxVersion: tls.VersionTLS13,  // Enforce TLS 1.3 only
+})
+```
+
+#### Example 3: Intermediate Profile (TLS 1.2+)
+
+For broader compatibility while maintaining security:
+
+```go
+ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+    ServiceName:   "webhook",
+    Port:          8443,
+    SecretName:    "webhook-certs",
+    TLSMinVersion: tls.VersionTLS12,
+})
+```
+
+#### Example 4: Custom Cipher Suites
+
+To specify custom cipher suites (for TLS 1.2):
+
+```go
+ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+    ServiceName:   "webhook",
+    Port:          8443,
+    SecretName:    "webhook-certs",
+    TLSMinVersion: tls.VersionTLS12,
+    TLSCipherSuites: []uint16{
+        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+        tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+        tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+        tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    },
+})
+```
+
+#### Example 5: Custom Elliptic Curves
+
+To specify elliptic curve preferences:
+
+```go
+ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+    ServiceName:   "webhook",
+    Port:          8443,
+    SecretName:    "webhook-certs",
+    TLSCurvePreferences: []tls.CurveID{
+        tls.X25519,    // Preferred
+        tls.CurveP256,
+        tls.CurveP384,
+    },
+})
+```
+
+#### Example 6: Complete Custom Configuration
+
+For full control over TLS parameters:
+
+```go
+ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+    ServiceName:   "webhook",
+    Port:          8443,
+    SecretName:    "webhook-certs",
+    TLSMinVersion: tls.VersionTLS12,
+    TLSMaxVersion: tls.VersionTLS13,
+    TLSCipherSuites: []uint16{
+        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+        tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    },
+    TLSCurvePreferences: []tls.CurveID{
+        tls.X25519,
+        tls.CurveP256,
+    },
+})
+```
+
 ## Writing new Admission Controllers
 
 To implement your own admission controller akin to the resource defaulting and

vendor/knative.dev/pkg/webhook/webhook.go

@@ -52,6 +52,21 @@ type Options struct {
 	// TLS 1.3 is the minimum version if not specified otherwise.
 	TLSMinVersion uint16
 
+	// TLSMaxVersion contains the maximum TLS version that is acceptable.
+	// If not set (0), the maximum version supported by the implementation will be used.
+	// This is useful for enforcing Modern profile (TLS 1.3 only) by setting both
+	// TLSMinVersion and TLSMaxVersion to tls.VersionTLS13.
+	TLSMaxVersion uint16
+
+	// TLSCipherSuites specifies the list of enabled cipher suites.
+	// If empty, a default list of secure cipher suites will be used.
+	// Note: Cipher suites are not configurable in TLS 1.3; they are determined by the implementation.
+	TLSCipherSuites []uint16
+
+	// TLSCurvePreferences specifies the elliptic curves that will be used in an ECDHE handshake.
+	// If empty, the default curves will be used.
+	TLSCurvePreferences []tls.CurveID
+
 	// ServiceName is the service name of the webhook.
 	ServiceName string
 
@@ -191,7 +206,10 @@ func New(
 
 		//nolint:gosec // operator configures TLS min version (default is 1.3)
 		webhook.tlsConfig = &tls.Config{
-			MinVersion: opts.TLSMinVersion,
+			MinVersion:       opts.TLSMinVersion,
+			MaxVersion:       opts.TLSMaxVersion,
+			CipherSuites:     opts.TLSCipherSuites,
+			CurvePreferences: opts.TLSCurvePreferences,
 
 			// If we return (nil, error) the client sees - 'tls: internal error"
 			// If we return (nil, nil) the client sees - 'tls: no certificates configured'

vendor/modules.txt

@@ -1075,7 +1075,7 @@ knative.dev/networking/test/test_images/runtime/handlers
 knative.dev/networking/test/test_images/timeout
 knative.dev/networking/test/test_images/wsserver
 knative.dev/networking/test/types
-# knative.dev/pkg v0.0.0-20251216153728-9c8140b780d1
+# knative.dev/pkg v0.0.0-20251217214024-80c8bc434670
 ## explicit; go 1.24.0
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck