upgrade to latest dependencies (#2211)

bumping knative.dev/caching 2e73993...ca66f55:
  > ca66f55 upgrade to latest dependencies (# 982)
bumping knative.dev/serving fcb2e4d...2b62189:
  > 2b62189 Update net-kourier nightly (# 16311)
  > fcaad85 Update net-contour nightly (# 16310)
  > 753105b Update net-gateway-api nightly (# 16309)
  > 343df7e Add terminationGracePeriodSeconds support to user and sidecar container probes (# 15823) (# 16255)
  > edc1c64 Validate networking annotations on RevisionTemplateSpec (# 16296)
  > cc306d4 Prevent cross-service revision traffic routing (# 16294)
  > cc1012c Update net-istio nightly (# 16308)
  > 1e52818 upgrade to latest dependencies (# 16306)
bumping knative.dev/networking 5082b02...9b53ca0:
  > 9b53ca0 upgrade to latest dependencies (# 1104)
bumping knative.dev/pkg 9c8140b...80c8bc4:
  > 80c8bc4 Add TLSMaxVersion, TLSCipherSuites, and TLSCurvePreferences to webhook.Options for enhanced TLS control (# 3300)
bumping knative.dev/reconciler-test 7b51b2a...d67001b:
  > d67001b upgrade to latest dependencies (# 851)

Signed-off-by: Knative Automation <[email protected]>

Author: knative-automation

go.mod

@@ -20,12 +20,12 @@ require (
 	k8s.io/apimachinery v0.34.3
 	k8s.io/client-go v0.34.3
 	k8s.io/code-generator v0.34.3
-	knative.dev/caching v0.0.0-20251216133124-2e739933d68e
+	knative.dev/caching v0.0.0-20251217015426-ca66f558da49
 	knative.dev/eventing v0.47.1-0.20251216143128-de3db52821ed
 	knative.dev/hack v0.0.0-20251126013634-1484a9e9b641
-	knative.dev/pkg v0.0.0-20251216153728-9c8140b780d1
-	knative.dev/reconciler-test v0.0.0-20251216135827-7b51b2a66f40
-	knative.dev/serving v0.47.1-0.20251216154926-fcb2e4d0f74b
+	knative.dev/pkg v0.0.0-20251217214024-80c8bc434670
+	knative.dev/reconciler-test v0.0.0-20251217021727-d67001b5cfe8
+	knative.dev/serving v0.47.1-0.20251218010245-2b621899e32e
 	sigs.k8s.io/yaml v1.6.0
 )
 
@@ -163,7 +163,7 @@ require (
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
-	knative.dev/networking v0.0.0-20251127155419-5082b02af8c1 // indirect
+	knative.dev/networking v0.0.0-20251216133826-9b53ca077e6a // indirect
 	sigs.k8s.io/controller-runtime v0.19.0 // indirect
 	sigs.k8s.io/gateway-api v1.1.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect

go.sum

@@ -1712,20 +1712,20 @@ k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/caching v0.0.0-20251216133124-2e739933d68e h1:edSrbljmQ1Of6kwITD+2s0WxHlb3znirV5PATyRMa9U=
-knative.dev/caching v0.0.0-20251216133124-2e739933d68e/go.mod h1:dVixpGQv0Z5i7yvzTS6BGG/N0YRcPn2K6Mf9/cG7gCw=
+knative.dev/caching v0.0.0-20251217015426-ca66f558da49 h1:9Y7FO0YRgWBtP+oDG/n338xi7SgovzQFX7TYe4xiZuU=
+knative.dev/caching v0.0.0-20251217015426-ca66f558da49/go.mod h1:TCKRvTMlMsaHartet7axY20EFT8xsU/O3EE39fi4Gl8=
 knative.dev/eventing v0.47.1-0.20251216143128-de3db52821ed h1:WRRrn0VC0MnS4f7ub3L1porV3JgibGJA+p6Poz0zwhY=
 knative.dev/eventing v0.47.1-0.20251216143128-de3db52821ed/go.mod h1:g9yjoJnpE1tuQRb7ccqx31GLLKN5J6mSMlAVcVJZLQw=
 knative.dev/hack v0.0.0-20251126013634-1484a9e9b641 h1:N9Xqx3YLUNFN1WIc3UXTanK4je8VMQ36ZnAmECSsloc=
 knative.dev/hack v0.0.0-20251126013634-1484a9e9b641/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0=
-knative.dev/networking v0.0.0-20251127155419-5082b02af8c1 h1:cZToEK7gp9ZQP+De14NFjt6874PdsrH7DH1DPxjCKVc=
-knative.dev/networking v0.0.0-20251127155419-5082b02af8c1/go.mod h1:nxN+sYiQCoT2FLgSMTShXYmYYcb7rALHSOz6l5RjCp4=
-knative.dev/pkg v0.0.0-20251216153728-9c8140b780d1 h1:pSZ4sRKm/Kq1ec+7Yhow6jUH0FKZjzrUHpPsy6Lu8pE=
-knative.dev/pkg v0.0.0-20251216153728-9c8140b780d1/go.mod h1:jU9OxeX3zL4W6aHpdMjMA/B7kgkm5JQv6PGMod2Qu/M=
-knative.dev/reconciler-test v0.0.0-20251216135827-7b51b2a66f40 h1:l2wkSzK8EMv30UypsG4s5hjwCFxMZ1PxiDzGhGy48yk=
-knative.dev/reconciler-test v0.0.0-20251216135827-7b51b2a66f40/go.mod h1:qso1gDknkL/+DJh6hD0Z8EuWgyPvaXE/LKAdokEarZY=
-knative.dev/serving v0.47.1-0.20251216154926-fcb2e4d0f74b h1:ryyfEOYDc42GVbf5ZhikAcGg5zAXAhNu5LJNwPb1GiM=
-knative.dev/serving v0.47.1-0.20251216154926-fcb2e4d0f74b/go.mod h1:FDSziSYWrPQZ/RwX/fONtpTXZhDwXtOIBjIY5BbB7Wc=
+knative.dev/networking v0.0.0-20251216133826-9b53ca077e6a h1:IRy795/m6VioHzXIRtuYXzp7CHeF47STsP3W4++h4w0=
+knative.dev/networking v0.0.0-20251216133826-9b53ca077e6a/go.mod h1:BDVceWHtCs3jrBQzkd83vSw98zhOkO1Q7hJSuPU3hDM=
+knative.dev/pkg v0.0.0-20251217214024-80c8bc434670 h1:MKgHnTvNprMn+Tr73CRB088PqR22q4KuVFIBTLFltwA=
+knative.dev/pkg v0.0.0-20251217214024-80c8bc434670/go.mod h1:jU9OxeX3zL4W6aHpdMjMA/B7kgkm5JQv6PGMod2Qu/M=
+knative.dev/reconciler-test v0.0.0-20251217021727-d67001b5cfe8 h1:1Ilv2iZEvRTSMO2JRYFCnYIpbMSEgMUphkSkj336VMU=
+knative.dev/reconciler-test v0.0.0-20251217021727-d67001b5cfe8/go.mod h1:qZfVnTPMH0YPk3fBo09BsIJkk2HbdSMoq1rhHuWTtow=
+knative.dev/serving v0.47.1-0.20251218010245-2b621899e32e h1:GN399Z2pWdIL1uU3zU/mmnApdYwAvClu6yQjpeZ6NJU=
+knative.dev/serving v0.47.1-0.20251218010245-2b621899e32e/go.mod h1:SEhF2H2ZtmDwJNHOBi97TEiGKbF2so3/+m5prHGOu7o=
 nhooyr.io/websocket v1.8.6/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0=
 pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
 pgregory.net/rapid v1.1.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=

vendor/knative.dev/pkg/webhook/README.md

@@ -78,6 +78,149 @@ func main() {
 There is also a config map validation admission controller built in under
 `knative.dev/pkg/webhook/configmaps`.
 
+## TLS Configuration
+
+The webhook server supports configuring TLS parameters through the `webhook.Options` struct. This allows you to control the TLS version, cipher suites, and elliptic curve preferences for enhanced security.
+
+### Available TLS Options
+
+```go
+type Options struct {
+    // ... other fields ...
+
+    // TLSMinVersion contains the minimum TLS version that is acceptable.
+    // Default is TLS 1.3 if not specified.
+    // Supported values: tls.VersionTLS12, tls.VersionTLS13
+    TLSMinVersion uint16
+
+    // TLSMaxVersion contains the maximum TLS version that is acceptable.
+    // If not set (0), the maximum version supported by the implementation will be used.
+    // Useful for enforcing Modern profile (TLS 1.3 only) by setting both
+    // TLSMinVersion and TLSMaxVersion to tls.VersionTLS13.
+    TLSMaxVersion uint16
+
+    // TLSCipherSuites specifies the list of enabled cipher suites.
+    // If empty, a default list of secure cipher suites will be used.
+    // Note: Cipher suites are not configurable in TLS 1.3; they are
+    // determined by the implementation.
+    TLSCipherSuites []uint16
+
+    // TLSCurvePreferences specifies the elliptic curves that will be used
+    // in an ECDHE handshake. If empty, the default curves will be used.
+    TLSCurvePreferences []tls.CurveID
+}
+```
+
+### Environment Variable Configuration
+
+You can also configure the minimum TLS version via the `WEBHOOK_TLS_MIN_VERSION` environment variable:
+
+```yaml
+env:
+  - name: WEBHOOK_TLS_MIN_VERSION
+    value: "1.3"  # or "1.2"
+```
+
+### Usage Examples
+
+#### Example 1: Default Configuration (Recommended)
+
+By default, the webhook uses TLS 1.3 as the minimum version with secure defaults:
+
+```go
+ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+    ServiceName: "webhook",
+    Port:        8443,
+    SecretName:  "webhook-certs",
+    // TLS defaults: MinVersion=1.3, secure cipher suites and curves
+})
+```
+
+#### Example 2: Modern Profile (TLS 1.3 Only)
+
+To enforce TLS 1.3 only (highest security profile):
+
+```go
+ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+    ServiceName:   "webhook",
+    Port:          8443,
+    SecretName:    "webhook-certs",
+    TLSMinVersion: tls.VersionTLS13,
+    TLSMaxVersion: tls.VersionTLS13,  // Enforce TLS 1.3 only
+})
+```
+
+#### Example 3: Intermediate Profile (TLS 1.2+)
+
+For broader compatibility while maintaining security:
+
+```go
+ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+    ServiceName:   "webhook",
+    Port:          8443,
+    SecretName:    "webhook-certs",
+    TLSMinVersion: tls.VersionTLS12,
+})
+```
+
+#### Example 4: Custom Cipher Suites
+
+To specify custom cipher suites (for TLS 1.2):
+
+```go
+ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+    ServiceName:   "webhook",
+    Port:          8443,
+    SecretName:    "webhook-certs",
+    TLSMinVersion: tls.VersionTLS12,
+    TLSCipherSuites: []uint16{
+        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+        tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+        tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+        tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    },
+})
+```
+
+#### Example 5: Custom Elliptic Curves
+
+To specify elliptic curve preferences:
+
+```go
+ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+    ServiceName:   "webhook",
+    Port:          8443,
+    SecretName:    "webhook-certs",
+    TLSCurvePreferences: []tls.CurveID{
+        tls.X25519,    // Preferred
+        tls.CurveP256,
+        tls.CurveP384,
+    },
+})
+```
+
+#### Example 6: Complete Custom Configuration
+
+For full control over TLS parameters:
+
+```go
+ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+    ServiceName:   "webhook",
+    Port:          8443,
+    SecretName:    "webhook-certs",
+    TLSMinVersion: tls.VersionTLS12,
+    TLSMaxVersion: tls.VersionTLS13,
+    TLSCipherSuites: []uint16{
+        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+        tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    },
+    TLSCurvePreferences: []tls.CurveID{
+        tls.X25519,
+        tls.CurveP256,
+    },
+})
+```
+
 ## Writing new Admission Controllers
 
 To implement your own admission controller akin to the resource defaulting and

vendor/knative.dev/pkg/webhook/webhook.go

@@ -52,6 +52,21 @@ type Options struct {
 	// TLS 1.3 is the minimum version if not specified otherwise.
 	TLSMinVersion uint16
 
+	// TLSMaxVersion contains the maximum TLS version that is acceptable.
+	// If not set (0), the maximum version supported by the implementation will be used.
+	// This is useful for enforcing Modern profile (TLS 1.3 only) by setting both
+	// TLSMinVersion and TLSMaxVersion to tls.VersionTLS13.
+	TLSMaxVersion uint16
+
+	// TLSCipherSuites specifies the list of enabled cipher suites.
+	// If empty, a default list of secure cipher suites will be used.
+	// Note: Cipher suites are not configurable in TLS 1.3; they are determined by the implementation.
+	TLSCipherSuites []uint16
+
+	// TLSCurvePreferences specifies the elliptic curves that will be used in an ECDHE handshake.
+	// If empty, the default curves will be used.
+	TLSCurvePreferences []tls.CurveID
+
 	// ServiceName is the service name of the webhook.
 	ServiceName string
 
@@ -191,7 +206,10 @@ func New(
 
 		//nolint:gosec // operator configures TLS min version (default is 1.3)
 		webhook.tlsConfig = &tls.Config{
-			MinVersion: opts.TLSMinVersion,
+			MinVersion:       opts.TLSMinVersion,
+			MaxVersion:       opts.TLSMaxVersion,
+			CipherSuites:     opts.TLSCipherSuites,
+			CurvePreferences: opts.TLSCurvePreferences,
 
 			// If we return (nil, error) the client sees - 'tls: internal error"
 			// If we return (nil, nil) the client sees - 'tls: no certificates configured'

vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go

@@ -24,6 +24,7 @@ import (
 	"slices"
 
 	corev1 "k8s.io/api/core/v1"
+
 	"knative.dev/serving/pkg/apis/config"
 )
 
@@ -384,6 +385,7 @@ func ProbeMask(in *corev1.Probe) *corev1.Probe {
 	out.PeriodSeconds = in.PeriodSeconds
 	out.SuccessThreshold = in.SuccessThreshold
 	out.FailureThreshold = in.FailureThreshold
+	out.TerminationGracePeriodSeconds = in.TerminationGracePeriodSeconds
 
 	return out
 }

vendor/knative.dev/serving/pkg/apis/serving/v1/revision_validation.go

@@ -25,6 +25,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/api/validation"
+	"knative.dev/networking/pkg/apis/networking"
 	"knative.dev/pkg/apis"
 	"knative.dev/pkg/kmap"
 	"knative.dev/pkg/kmp"
@@ -66,6 +67,7 @@ func (rts *RevisionTemplateSpec) Validate(ctx context.Context) *apis.FieldError
 	errs := rts.Spec.Validate(apis.WithinSpec(ctx)).ViaField("spec")
 	errs = errs.Also(autoscaling.ValidateAnnotations(ctx, config.FromContextOrDefaults(ctx).Autoscaler,
 		rts.GetAnnotations()).ViaField("metadata.annotations"))
+	errs = errs.Also(networking.ValidateAnnotations(rts.GetAnnotations()).ViaField("metadata.annotations"))
 
 	// If the RevisionTemplateSpec has a name specified, then check that
 	// it follows the requirements on the name.

vendor/knative.dev/serving/pkg/apis/serving/v1/route_lifecycle.go

@@ -155,6 +155,23 @@ func (rs *RouteStatus) MarkRevisionFailed(name string) {
 		"Revision %q failed to become ready.", name)
 }
 
+// MarkRevisionNotOwned marks the RouteConditionAllTrafficAssigned condition
+// to indicate the Revision does not belong to the expected Service.
+func (rs *RouteStatus) MarkRevisionNotOwned(revisionName, expectedService, actualService string) {
+	if actualService == "" {
+		// Revision was created from a standalone Configuration (no known service)
+		routeCondSet.Manage(rs).MarkFalse(RouteConditionAllTrafficAssigned,
+			"RevisionNotOwned",
+			"Revision %q does not belong to Service %q.", revisionName, expectedService)
+	} else {
+		// Revision belongs to a different Service
+		routeCondSet.Manage(rs).MarkFalse(RouteConditionAllTrafficAssigned,
+			"RevisionNotOwned",
+			"Revision %q belongs to Service %q, not Service %q.",
+			revisionName, actualService, expectedService)
+	}
+}
+
 // MarkMissingTrafficTarget marks the RouteConditionAllTrafficAssigned
 // condition to indicate a reference traffic target was not found.
 func (rs *RouteStatus) MarkMissingTrafficTarget(kind, name string) {

vendor/modules.txt

@@ -1504,7 +1504,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/trace
-# knative.dev/caching v0.0.0-20251216133124-2e739933d68e
+# knative.dev/caching v0.0.0-20251217015426-ca66f558da49
 ## explicit; go 1.24.0
 knative.dev/caching/pkg/apis/caching
 knative.dev/caching/pkg/apis/caching/v1alpha1
@@ -1604,7 +1604,7 @@ knative.dev/eventing/test/upgrade/prober/wathola/sender
 # knative.dev/hack v0.0.0-20251126013634-1484a9e9b641
 ## explicit; go 1.24
 knative.dev/hack
-# knative.dev/networking v0.0.0-20251127155419-5082b02af8c1
+# knative.dev/networking v0.0.0-20251216133826-9b53ca077e6a
 ## explicit; go 1.24.0
 knative.dev/networking/pkg/apis/networking
 knative.dev/networking/pkg/apis/networking/v1alpha1
@@ -1615,7 +1615,7 @@ knative.dev/networking/pkg/client/clientset/versioned/typed/networking/v1alpha1
 knative.dev/networking/pkg/config
 knative.dev/networking/pkg/http/header
 knative.dev/networking/pkg/ingress
-# knative.dev/pkg v0.0.0-20251216153728-9c8140b780d1
+# knative.dev/pkg v0.0.0-20251217214024-80c8bc434670
 ## explicit; go 1.24.0
 knative.dev/pkg/apiextensions/storageversion
 knative.dev/pkg/apiextensions/storageversion/cmd/migrate
@@ -1706,7 +1706,7 @@ knative.dev/pkg/webhook
 knative.dev/pkg/webhook/certificates
 knative.dev/pkg/webhook/certificates/resources
 knative.dev/pkg/webhook/resourcesemantics/conversion
-# knative.dev/reconciler-test v0.0.0-20251216135827-7b51b2a66f40
+# knative.dev/reconciler-test v0.0.0-20251217021727-d67001b5cfe8
 ## explicit; go 1.24.0
 knative.dev/reconciler-test/cmd/eventshub
 knative.dev/reconciler-test/pkg/environment
@@ -1735,7 +1735,7 @@ knative.dev/reconciler-test/pkg/resources/service
 knative.dev/reconciler-test/pkg/resources/serviceaccount
 knative.dev/reconciler-test/pkg/state
 knative.dev/reconciler-test/resources/certificate
-# knative.dev/serving v0.47.1-0.20251216154926-fcb2e4d0f74b
+# knative.dev/serving v0.47.1-0.20251218010245-2b621899e32e
 ## explicit; go 1.24.0
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1