upgrade to latest dependencies (#492)

bumping knative.dev/pkg 64ab22b...552bbc1:
  > 552bbc1 Support the webhook serving over non-TLS. (# 2204)

Signed-off-by: Knative Automation <[email protected]>

Author: knative-automation

go.mod

@@ -12,5 +12,5 @@ require (
 	k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd
 	knative.dev/hack v0.0.0-20210622141627-e28525d8d260
 	knative.dev/hack/schema v0.0.0-20210622141627-e28525d8d260
-	knative.dev/pkg v0.0.0-20210731072840-64ab22bbaab9
+	knative.dev/pkg v0.0.0-20210803032247-552bbc106170
 )

go.sum

@@ -1055,8 +1055,8 @@ knative.dev/hack v0.0.0-20210622141627-e28525d8d260 h1:f2eMtOubAOc/Q7JlvFPDKXiPl
 knative.dev/hack v0.0.0-20210622141627-e28525d8d260/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
 knative.dev/hack/schema v0.0.0-20210622141627-e28525d8d260 h1:YkMkZ7qdafyRHNIuKttYzEmM1ilKTGyEtPWeVLcLcDE=
 knative.dev/hack/schema v0.0.0-20210622141627-e28525d8d260/go.mod h1:ffjwmdcrH5vN3mPhO8RrF2KfNnbHeCE2C60A+2cv3U0=
-knative.dev/pkg v0.0.0-20210731072840-64ab22bbaab9 h1:eeRutJPRJ6tR7LVkeaD7H2BaKeKwadHaR66+Z1QRVcs=
-knative.dev/pkg v0.0.0-20210731072840-64ab22bbaab9/go.mod h1:NYZRIPU+Pv39VfbZV1BtMIe4kCavNle1udsPrvOLm+Y=
+knative.dev/pkg v0.0.0-20210803032247-552bbc106170 h1:9391x1TMB/+oFjP5L2YLk61k+mEpm8VLgu6adXDBdcY=
+knative.dev/pkg v0.0.0-20210803032247-552bbc106170/go.mod h1:NYZRIPU+Pv39VfbZV1BtMIe4kCavNle1udsPrvOLm+Y=
 pgregory.net/rapid v0.3.3/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=

vendor/knative.dev/pkg/webhook/webhook.go

@@ -33,7 +33,6 @@ import (
 	"go.uber.org/zap"
 	"golang.org/x/sync/errgroup"
 	admissionv1 "k8s.io/api/admission/v1"
-	corelisters "k8s.io/client-go/listers/core/v1"
 	"knative.dev/pkg/logging"
 	"knative.dev/pkg/network"
 	"knative.dev/pkg/system"
@@ -50,6 +49,7 @@ type Options struct {
 	// server key/cert are used to serve the webhook and the CA cert
 	// is provided to k8s apiserver during admission controller
 	// registration.
+	// If no SecretName is provided, then the webhook serves without TLS.
 	SecretName string
 
 	// Port where the webhook is served. Per k8s admission
@@ -87,8 +87,10 @@ type Webhook struct {
 	// before shutting down.
 	gracePeriod time.Duration
 
-	mux          http.ServeMux
-	secretlister corelisters.SecretLister
+	mux http.ServeMux
+
+	// The TLS configuration to use for serving (or nil for non-TLS)
+	tlsConfig *tls.Config
 }
 
 // New constructs a Webhook
@@ -104,13 +106,6 @@ func New(
 		}
 	}()
 
-	// Injection is too aggressive for this case because by simply linking this
-	// library we force consumers to have secret access.  If we require that one
-	// of the admission controllers' informers *also* require the secret
-	// informer, then we can fetch the shared informer factory here and produce
-	// a new secret informer from it.
-	secretInformer := kubeinformerfactory.Get(ctx).Core().V1().Secrets()
-
 	opts := GetOptions(ctx)
 	if opts == nil {
 		return nil, errors.New("context must have Options specified")
@@ -128,11 +123,51 @@ func New(
 	syncCtx, cancel := context.WithCancel(context.Background())
 
 	webhook = &Webhook{
-		Options:      *opts,
-		secretlister: secretInformer.Lister(),
-		Logger:       logger,
-		synced:       cancel,
-		gracePeriod:  network.DefaultDrainTimeout,
+		Options:     *opts,
+		Logger:      logger,
+		synced:      cancel,
+		gracePeriod: network.DefaultDrainTimeout,
+	}
+
+	if opts.SecretName != "" {
+		// Injection is too aggressive for this case because by simply linking this
+		// library we force consumers to have secret access.  If we require that one
+		// of the admission controllers' informers *also* require the secret
+		// informer, then we can fetch the shared informer factory here and produce
+		// a new secret informer from it.
+		secretInformer := kubeinformerfactory.Get(ctx).Core().V1().Secrets()
+
+		webhook.tlsConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12,
+
+			// If we return (nil, error) the client sees - 'tls: internal error"
+			// If we return (nil, nil) the client sees - 'tls: no certificates configured'
+			//
+			// We'll return (nil, nil) when we don't find a certificate
+			GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+				secret, err := secretInformer.Lister().Secrets(system.Namespace()).Get(opts.SecretName)
+				if err != nil {
+					logger.Errorw("failed to fetch secret", zap.Error(err))
+					return nil, nil
+				}
+
+				serverKey, ok := secret.Data[certresources.ServerKey]
+				if !ok {
+					logger.Warn("server key missing")
+					return nil, nil
+				}
+				serverCert, ok := secret.Data[certresources.ServerCert]
+				if !ok {
+					logger.Warn("server cert missing")
+					return nil, nil
+				}
+				cert, err := tls.X509KeyPair(serverCert, serverKey)
+				if err != nil {
+					return nil, err
+				}
+				return &cert, nil
+			},
+		}
 	}
 
 	webhook.mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
@@ -176,46 +211,23 @@ func (wh *Webhook) Run(stop <-chan struct{}) error {
 	}
 
 	server := &http.Server{
-		Handler: drainer,
-		Addr:    fmt.Sprint(":", wh.Options.Port),
-		TLSConfig: &tls.Config{
-			MinVersion: tls.VersionTLS12,
-
-			// If we return (nil, error) the client sees - 'tls: internal error"
-			// If we return (nil, nil) the client sees - 'tls: no certificates configured'
-			//
-			// We'll return (nil, nil) when we don't find a certificate
-			GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
-				secret, err := wh.secretlister.Secrets(system.Namespace()).Get(wh.Options.SecretName)
-				if err != nil {
-					logger.Errorw("failed to fetch secret", zap.Error(err))
-					return nil, nil
-				}
-
-				serverKey, ok := secret.Data[certresources.ServerKey]
-				if !ok {
-					logger.Warn("server key missing")
-					return nil, nil
-				}
-				serverCert, ok := secret.Data[certresources.ServerCert]
-				if !ok {
-					logger.Warn("server cert missing")
-					return nil, nil
-				}
-				cert, err := tls.X509KeyPair(serverCert, serverKey)
-				if err != nil {
-					return nil, err
-				}
-				return &cert, nil
-			},
-		},
+		Handler:   drainer,
+		Addr:      fmt.Sprint(":", wh.Options.Port),
+		TLSConfig: wh.tlsConfig,
 	}
 
 	eg, ctx := errgroup.WithContext(ctx)
 	eg.Go(func() error {
-		if err := server.ListenAndServeTLS("", ""); err != nil && !errors.Is(err, http.ErrServerClosed) {
-			logger.Errorw("ListenAndServeTLS for admission webhook returned error", zap.Error(err))
-			return err
+		if server.TLSConfig != nil {
+			if err := server.ListenAndServeTLS("", ""); err != nil && !errors.Is(err, http.ErrServerClosed) {
+				logger.Errorw("ListenAndServeTLS for admission webhook returned error", zap.Error(err))
+				return err
+			}
+		} else {
+			if err := server.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
+				logger.Errorw("ListenAndServe for admission webhook returned error", zap.Error(err))
+				return err
+			}
 		}
 		return nil
 	})

vendor/modules.txt

@@ -671,7 +671,7 @@ knative.dev/hack/schema/commands
 knative.dev/hack/schema/docs
 knative.dev/hack/schema/registry
 knative.dev/hack/schema/schema
-# knative.dev/pkg v0.0.0-20210731072840-64ab22bbaab9
+# knative.dev/pkg v0.0.0-20210803032247-552bbc106170
 ## explicit
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck