upgrade to latest dependencies (#2266)

bumping knative.dev/networking 001fb59...4103dd9:
  > 4103dd9 upgrade to latest dependencies (# 1128)
  > dd06704 upgrade to latest dependencies (# 1127)
bumping knative.dev/reconciler-test b870fd6...8cacadc:
  > 8cacadc upgrade to latest dependencies (# 874)
bumping knative.dev/serving 75d7cae...0528bdd:
  > 0528bdd Update net-istio nightly (# 16512)
  > 047053d Bump the github-actions group with 2 updates (# 16511)
  > 7e31977 ci: pin registry image to immutable SHA digest (# 16503)
  > 4b318f2 Update net-kourier nightly (# 16509)
  > f9f2b0b hack: remove deprecated GO111MODULE=on (# 16499)
  > 6b67262 Update net-gateway-api nightly (# 16508)
  > 60aa392 Update net-contour nightly (# 16506)
  > 3842d69 Update net-istio nightly (# 16507)
  > 35cd19d upgrade to latest dependencies (# 16497)
  > 9e5c532 Update net-gateway-api nightly (# 16492)
  > 528c59d upgrade to latest dependencies (# 16494)
  > cd28f75 Update net-contour nightly (# 16491)
  > 098fe86 Update net-kourier nightly (# 16493)
  > 8ebc4a3 upgrade to latest dependencies (# 16490)
bumping knative.dev/eventing c6be563...263a3a5:
  > 263a3a5 Generate test certs dynamically (# 9009)
bumping knative.dev/caching 0201ecf...06bfe47:
  > 06bfe47 upgrade to latest dependencies (# 996)

Signed-off-by: Knative Automation <automation@knative.team>

Author: knative-automation

go.mod

@@ -20,12 +20,12 @@ require (
 	k8s.io/apimachinery v0.35.3
 	k8s.io/client-go v0.35.3
 	k8s.io/code-generator v0.35.3
-	knative.dev/caching v0.0.0-20260318014239-0201ecf9e8f3
-	knative.dev/eventing v0.48.1-0.20260320031001-c6be563d196d
+	knative.dev/caching v0.0.0-20260330015202-06bfe4789004
+	knative.dev/eventing v0.48.1-0.20260402142557-263a3a52c638
 	knative.dev/hack v0.0.0-20260318014029-7eede7fdcbad
 	knative.dev/pkg v0.0.0-20260329160701-396dbaacd652
-	knative.dev/reconciler-test v0.0.0-20260320022005-b870fd6858c7
-	knative.dev/serving v0.48.1-0.20260320181408-75d7cae45942
+	knative.dev/reconciler-test v0.0.0-20260330022304-8cacadc6e997
+	knative.dev/serving v0.48.1-0.20260402181955-0528bdda27c8
 	sigs.k8s.io/yaml v1.6.0
 )
 
@@ -162,7 +162,7 @@ require (
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
-	knative.dev/networking v0.0.0-20260318014906-001fb594d5a2 // indirect
+	knative.dev/networking v0.0.0-20260331164354-4103dd9b792c // indirect
 	sigs.k8s.io/controller-runtime v0.19.0 // indirect
 	sigs.k8s.io/gateway-api v1.1.0 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect

go.sum

@@ -1714,20 +1714,20 @@ k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/caching v0.0.0-20260318014239-0201ecf9e8f3 h1:yUKRxYHWvid3PUgEB2C+N3aVxtpQwUWWE+oA6zS/hHI=
-knative.dev/caching v0.0.0-20260318014239-0201ecf9e8f3/go.mod h1:P61LpKUA6h0IeWjWwGwNimd2teheWbgSGsyNIF/tHK4=
-knative.dev/eventing v0.48.1-0.20260320031001-c6be563d196d h1:22RrvLhVvA53MUNPqXq13IngyQw0bjLBCXh2om6DfZM=
-knative.dev/eventing v0.48.1-0.20260320031001-c6be563d196d/go.mod h1:Dx9hXW6bOMn3sQzZ3uVpyhI+VBZUY29+WASrCyC1C+c=
+knative.dev/caching v0.0.0-20260330015202-06bfe4789004 h1:ZbilzuDD6z8rqSpE3SjQUQ/dwPw1B/Aic68eGFtafWg=
+knative.dev/caching v0.0.0-20260330015202-06bfe4789004/go.mod h1:1y2UM/zVviIGs8f+HzlU17B5NzAn4jB4nBK2dQex25s=
+knative.dev/eventing v0.48.1-0.20260402142557-263a3a52c638 h1:adV90fp22meKZVTkniLyWNFG/WUdhanoE0eJPkxU9KY=
+knative.dev/eventing v0.48.1-0.20260402142557-263a3a52c638/go.mod h1:Dx9hXW6bOMn3sQzZ3uVpyhI+VBZUY29+WASrCyC1C+c=
 knative.dev/hack v0.0.0-20260318014029-7eede7fdcbad h1:yH957Dv5HrPgllwTs7e1wvCKcjg/PC0QPQGEWkK7QFw=
 knative.dev/hack v0.0.0-20260318014029-7eede7fdcbad/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0=
-knative.dev/networking v0.0.0-20260318014906-001fb594d5a2 h1:GcSmyeVB/I9BU1dP36M1iDm09lfv9Z48bv/qXu0Yp90=
-knative.dev/networking v0.0.0-20260318014906-001fb594d5a2/go.mod h1:0UAbiLzpmMyhpjWVwRo9vYEWPKGyY6PM2VCKQkBpXE4=
+knative.dev/networking v0.0.0-20260331164354-4103dd9b792c h1:KFtj7kJFwRyfdDfUEbvZoL2RXBQSmS9BhdgfkY4Ho7g=
+knative.dev/networking v0.0.0-20260331164354-4103dd9b792c/go.mod h1:NXe6Zwcd4YFaJ6n8NBfR9Q0fjqsGydkuMkmBM2TqvmI=
 knative.dev/pkg v0.0.0-20260329160701-396dbaacd652 h1:oqNQsNewkItkKI2LUfQgYGwdZzIxZ73N/L0AMwVBp80=
 knative.dev/pkg v0.0.0-20260329160701-396dbaacd652/go.mod h1:D1bZ7hFnBZaA9Y6I/TCymeaF22z9qkwbhcA1b/1nHeM=
-knative.dev/reconciler-test v0.0.0-20260320022005-b870fd6858c7 h1:SMLV0JQ3P3il7/au2/MLgumnvEDHzGTarQwKmAzKohs=
-knative.dev/reconciler-test v0.0.0-20260320022005-b870fd6858c7/go.mod h1:AYC4VmIV1eeKnc/BMYoPQ0eOxsV7h10ouF7PVDJyUzo=
-knative.dev/serving v0.48.1-0.20260320181408-75d7cae45942 h1:x6tLJ7ncINyVkGKPjF3cYkB4/wX4CVhL7msr1x3AQNY=
-knative.dev/serving v0.48.1-0.20260320181408-75d7cae45942/go.mod h1:Ol3tgnTfiv23AS1MTYm+7gDBVzDR8DxxDtcpQrJ1EIw=
+knative.dev/reconciler-test v0.0.0-20260330022304-8cacadc6e997 h1:GX+wdQhtZn0M5i2tk5JrQJpggaF4O0ihNzDNsrLce04=
+knative.dev/reconciler-test v0.0.0-20260330022304-8cacadc6e997/go.mod h1:75zK5QlwnUxq7Wvod/ARFT0u/8Rdn614H0uJuqEgTpI=
+knative.dev/serving v0.48.1-0.20260402181955-0528bdda27c8 h1:JmByaPz+TjbM6jgXU++pVRzzczemXFu1aLNGMXb8i3k=
+knative.dev/serving v0.48.1-0.20260402181955-0528bdda27c8/go.mod h1:u18/eNW6lqCkrechJ6Jxi9N+/LkK0eHK+HYjm6+lJMY=
 nhooyr.io/websocket v1.8.6/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0=
 pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
 pgregory.net/rapid v1.1.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=

vendor/knative.dev/eventing/pkg/eventingtls/eventingtlstesting/eventingtlstesting.go

@@ -18,8 +18,16 @@ package eventingtlstesting
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"net"
 	"net/http"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
@@ -87,94 +95,130 @@ func StartServer(ctx context.Context, t *testing.T, port int, handler http.Handl
 }
 
 func loadCerts() ([]byte, []byte, []byte) {
-	/*
-		Provisioned using:
-		openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=US/CN=Knative-Example-Root-CA"
-		openssl x509 -outform pem -in RootCA.pem -out RootCA.crt
-		openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost.local"
-		openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out localhost.crt
-		Copy:
-		- RootCA.crt for ca
-		- localhost.key for key
-		- localhost.crt for crt
-		domains.ext file:
-		authorityKeyIdentifier=keyid,issuer
-		basicConstraints=CA:FALSE
-		keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
-		subjectAltName = @alt_names
-		[alt_names]
-		DNS.1 = localhost
-		IP.1 = 127.0.0.1
-	*/
-	return []byte(`
------BEGIN CERTIFICATE-----
-MIIDPzCCAiegAwIBAgIUOF3U5UMwffSmdo24IVU1k+qix3YwDQYJKoZIhvcNAQEL
-BQAwLzELMAkGA1UEBhMCVVMxIDAeBgNVBAMMF0tuYXRpdmUtRXhhbXBsZS1Sb290
-LUNBMB4XDTIzMDYwNjE0MDY1NFoXDTI2MDMyNjE0MDY1NFowLzELMAkGA1UEBhMC
-VVMxIDAeBgNVBAMMF0tuYXRpdmUtRXhhbXBsZS1Sb290LUNBMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsJEA/+FW8e/ChmpseeH+UMtpP3PIq4VO26yh
-fg3RSWKRbEnpkusWX6tM5NIZ9HqZOhB9dvb0OAC+YBM5ce8eA1/5tIUcxOzvMo5S
-Oe+5cOgzZPLNesPBD+vteFXeD/9Hg75KfxctgyYfKqAE4Q8afaxs29/9K4wZkdE7
-Fs4ED8r6hxf+7wgVSurnHiQnupHOb3BCQEGFm4w5/YJMhJFM29+LtIa5iZvQdlIC
-zrIiLSckaRCiuJH2U5HCxk6WpodyoD5ffqzX7/+xismUwsX9opnMfdz7vT4ZYvKc
-5O0u6/mx9fvhCL7hVwz8/FKvd1+Z4WnGoL/Iz3g+T/qdMbA+1wIDAQABo1MwUTAd
-BgNVHQ4EFgQU51Q84l/eECxUhLRPhlcoLougg0owHwYDVR0jBBgwFoAU51Q84l/e
-ECxUhLRPhlcoLougg0owDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
-AQEAZVXtix62c6VVAEZHsSTPwlMwGjZ67UCd6NxeY5IgXdT/vmorlrsoZa0FYYkU
-TdWOHt7Q1C48W+tA2yMTPGs240Zradam2CXAxEvL7/aC6GEFs7vhkq6riwJ/erR3
-ZAZjcWi5Qk03q7eS61JJvaV9+fKg+F2BB2EqaCPo7HMMSXO81aeHEMl/AQsNPnur
-2VG1tchMQvfakRf53H1hWu5h4APuZo1MTkPmBOTLZG7eAJTtfVWz1aPwB1rUMCyP
-wSdZWoEx7ye2kUHEyRKdRGbHyJtY9YYvaROznzxqVpIqHxnRQnE/If7kcN4t/7vi
-28zWIDKzJ8je40SPcLSfplRvBQ==
------END CERTIFICATE-----`), []byte(`
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCodsq2l7lP1LMw
-hh9j4FQvULIfvcwiz3WyBkeLvQPk044ZRX50bwm2llTKwEvWyqnmctjcS5RiKItw
-9kg6eXA3Z9CBuPyJkrvH/4OO2wOBgyBD8k3LqNtaqN0Qq2Y3JbQ/PBf5btNMmYFB
-gostqCBsiDIF1KqkpCHpvLBLPte9bLv4ZAxNecC6p/fXUbXTWJ4SFNhdZrw62Rs4
-boq8qTs0PceDJiLdvqwngGNneCdehFXR3citMCA8SxyD8E2qIIOLuOEf54s9zR7C
-d+D0h+XQmHICAcz3Yo4a27dNFUc2LHcp9a2+ASHTnKsR6Xhndo/IcT7/qbYq7/kJ
-lfN66ObzAgMBAAECggEADBYpyRvtobqi+JJG4kWQBK0HepuFb+Hukc09iNsQ0nQT
-N+Dyh6wHyF/UyY8uYcS8l9oZkQSjKr+58WraF8fqsy7xmL0K8VvjuR+t8qvn/nzH
-7dgOmNQOmNyQr8d8V+yOmBLZrX20D0TcLzUMg0QSv3auEBkH/TQBcuGkzGE/3Uk4
-DT/L//DREjVw+DAaFd53UWWhSnLOkQAsY+zR+HktQH0CEtwMjbkBWMgCkgX7/v9w
-gBQLwR7uw5w0Kn8ArgqXj5b5naqHhNzMPj65kMHFjYejSDsjPntToz5YrDRsd4L3
-EYAcKcG4fYjJ8vYbRjG7SYCxX7HsvJUhqZT4ds/DsQKBgQDTrSN8m60ZPwmvAG+6
-Tpy3Hpf+klO/AE/FQ6WQ8K77McBoRA4awFcjqasqxkTHCl8FXXdWoEe+OIJ+MXzu
-5zX5J1dAOl++sgdOvQFW4y4H+FOHD5q5SHFzdI8d65HJy6SI6BVJz4lR51bSU5CQ
-qkdh0Sbh1hAACIsmZTApaXY03wKBgQDLvUShkRaJC/pzN7yCb0Cu4VxBV90IkE0n
-INHNML8/KCbGJ5EmLk5uJt1sWb0e8PpUgoavnljfUUKyNfd/ltr9slE6uRhy9net
-qg1A0CmArFJgOncA3bu92CvvzzcDPsnHCBnLKpTfUSThk8Sxftg0bqKEV3sy5Py1
-9x6Sp7QcbQKBgQCKRjDHRn6F3mr5+aQCpTW0XXTWpEm2nIJ/jxgJnWAA0VgqBELe
-cMS7lCsvLwNgrkKyI4NAgEU9WnbL7pH5EeptDqjtWPSQgoVJhyfn1VGNfUc7FBNz
-c4JA9GRFHExI8RFTKaA2bi765M8PZ+0ow0ML/++RWR9slign9bPHaZABKwKBgHz9
-unMcXaTqMlYpJX8n3ZjsLPrxemrcjFiq68tkUo/ehBsg/w1bb0ZolYL5curej9T0
-1sg67u7iHXbTYOlnlSX7FZZfI76zsixanRLcIfoMveTHOWbQoXMQgbP3fhqBlKyE
-Lb7UesyeLXAuhYcW+HECRrXGLZDFprvDxX/XXsnpAoGBAJdaCxiy7ZXDrJHJDzGp
-Ntxv2SbGghJwlmWYh7BP/+Cb6vUWG4MTzUBIzKfk4Z32xjFwDxKi3SW+34uZ6/fD
-Ptt315Oq0odZvrdGtJoGud/p9nCHUiLGHwRH9NrDtTcO9zR55oYc0pJk0EfrXpsb
-r5IiDpxJPL1q0JmKeA+Fr4wy
------END PRIVATE KEY-----`), []byte(`
------BEGIN CERTIFICATE-----
-MIIDoDCCAoigAwIBAgIUSVuHbk6clsj/7Fe3Uc8mFwXU6kMwDQYJKoZIhvcNAQEL
-BQAwLzELMAkGA1UEBhMCVVMxIDAeBgNVBAMMF0tuYXRpdmUtRXhhbXBsZS1Sb290
-LUNBMB4XDTIzMDYwNjE0MTEwNFoXDTI2MDMyNjE0MTEwNFowbTELMAkGA1UEBhMC
-VVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTERMA8GA1UEBwwIWW91ckNpdHkxHTAbBgNV
-BAoMFEV4YW1wbGUtQ2VydGlmaWNhdGVzMRgwFgYDVQQDDA9sb2NhbGhvc3QubG9j
-YWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCodsq2l7lP1LMwhh9j
-4FQvULIfvcwiz3WyBkeLvQPk044ZRX50bwm2llTKwEvWyqnmctjcS5RiKItw9kg6
-eXA3Z9CBuPyJkrvH/4OO2wOBgyBD8k3LqNtaqN0Qq2Y3JbQ/PBf5btNMmYFBgost
-qCBsiDIF1KqkpCHpvLBLPte9bLv4ZAxNecC6p/fXUbXTWJ4SFNhdZrw62Rs4boq8
-qTs0PceDJiLdvqwngGNneCdehFXR3citMCA8SxyD8E2qIIOLuOEf54s9zR7Cd+D0
-h+XQmHICAcz3Yo4a27dNFUc2LHcp9a2+ASHTnKsR6Xhndo/IcT7/qbYq7/kJlfN6
-6ObzAgMBAAGjdjB0MB8GA1UdIwQYMBaAFOdUPOJf3hAsVIS0T4ZXKC6LoINKMAkG
-A1UdEwQCMAAwCwYDVR0PBAQDAgTwMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA
-ATAdBgNVHQ4EFgQUtxq3RVNeuFDQEu/I1Hn4u+aCKogwDQYJKoZIhvcNAQELBQAD
-ggEBAIP9672LFvNaBWCvZybv62eUoALJzxGFtXTNa9YjkYHZLwJXBa/8cnCLfSiP
-6uxUK3lDL4jF8I0VEWe2q3H2R8AllofFQbqeskD5qrrVjMdV/0tuUHI8RPCr9SPP
-Y6wIq3dlk98ZlQEwhBz3M4SYpLKyKAn/E/2ScsW+9vcvAAAK32BO27Tk9Ca6ShtQ
-p32q5PZOx9+eicXzW7qb4a26k1aFnnaDEUuSQsKXhzVVyt9Xmg14m8ETeEL5xPfI
-PiUZitNmqpg2123YyPwE4NW8okkLO03UD3I0I/Bn0mS0sb8xMt/ncR4iWeJOvZSG
-0YhYDYdUoSliRZYy5zTe7orFj7Q=
------END CERTIFICATE-----`)
+	caCert, _ /* ca1Key */, srvCert, srvKey := mustChain("Knative-Example-Root-CA")
+
+	return caCert, srvKey, srvCert
+}
+
+func mustChain(cn string) ([]byte, []byte, []byte, []byte) {
+	caCert, caKey := mustCA(cn)
+	srvKey, csr := mustCSR()
+	srvCert := mustSign(csr, caCert, caKey)
+
+	return pemCert(caCert.Raw),
+		pemKey(caKey),
+		pemCert(srvCert),
+		pemKey(srvKey)
+}
+
+// --- CA (openssl req -x509) ---
+func mustCA(cn string) (*x509.Certificate, *rsa.PrivateKey) {
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		panic(err)
+	}
+
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(time.Now().UnixNano()),
+		Subject: pkix.Name{
+			Country:    []string{"US"},
+			CommonName: cn,
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(1024 * 24 * time.Hour),
+
+		IsCA:                  true,
+		BasicConstraintsValid: true,
+		KeyUsage: x509.KeyUsageCertSign |
+			x509.KeyUsageCRLSign |
+			x509.KeyUsageDigitalSignature,
+	}
+
+	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
+	if err != nil {
+		panic(err)
+	}
+
+	cert, _ := x509.ParseCertificate(der)
+	return cert, key
+}
+
+// --- CSR (openssl req -new) ---
+func mustCSR() (*rsa.PrivateKey, []byte) {
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		panic(err)
+	}
+
+	csrTmpl := &x509.CertificateRequest{
+		Subject: pkix.Name{
+			Country:      []string{"US"},
+			Province:     []string{"YourState"},
+			Locality:     []string{"YourCity"},
+			Organization: []string{"Example-Certificates"},
+			CommonName:   "localhost.local",
+		},
+	}
+
+	csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTmpl, key)
+	if err != nil {
+		panic(err)
+	}
+
+	return key, csrDER
+}
+
+// --- Sign (openssl x509 -req -extfile domains.ext) ---
+func mustSign(csrDER []byte, ca *x509.Certificate, caKey *rsa.PrivateKey) []byte {
+	csr, err := x509.ParseCertificateRequest(csrDER)
+	if err != nil {
+		panic(err)
+	}
+
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(time.Now().UnixNano()),
+		Subject:      csr.Subject,
+
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(1024 * 24 * time.Hour),
+
+		// domains.ext equivalent
+		DNSNames:    []string{"localhost"},
+		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
+
+		BasicConstraintsValid: true,
+		IsCA:                  false,
+
+		KeyUsage: x509.KeyUsageDigitalSignature |
+			x509.KeyUsageContentCommitment | // nonRepudiation
+			x509.KeyUsageKeyEncipherment |
+			x509.KeyUsageDataEncipherment,
+
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageServerAuth,
+		},
+	}
+
+	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
+	if err != nil {
+		panic(err)
+	}
+
+	return der
+}
+
+// --- PEM helpers ---
+func pemCert(der []byte) []byte {
+	return pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: der,
+	})
+}
+
+func pemKey(key *rsa.PrivateKey) []byte {
+	b, _ := x509.MarshalPKCS8PrivateKey(key)
+	return pem.EncodeToMemory(&pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: b,
+	})
 }

vendor/modules.txt

@@ -1506,11 +1506,11 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/trace
-# knative.dev/caching v0.0.0-20260318014239-0201ecf9e8f3
+# knative.dev/caching v0.0.0-20260330015202-06bfe4789004
 ## explicit; go 1.25.0
 knative.dev/caching/pkg/apis/caching
 knative.dev/caching/pkg/apis/caching/v1alpha1
-# knative.dev/eventing v0.48.1-0.20260320031001-c6be563d196d
+# knative.dev/eventing v0.48.1-0.20260402142557-263a3a52c638
 ## explicit; go 1.25.0
 knative.dev/eventing/cmd/heartbeats
 knative.dev/eventing/pkg/apis
@@ -1606,7 +1606,7 @@ knative.dev/eventing/test/upgrade/prober/wathola/sender
 # knative.dev/hack v0.0.0-20260318014029-7eede7fdcbad
 ## explicit; go 1.24
 knative.dev/hack
-# knative.dev/networking v0.0.0-20260318014906-001fb594d5a2
+# knative.dev/networking v0.0.0-20260331164354-4103dd9b792c
 ## explicit; go 1.25.0
 knative.dev/networking/pkg/apis/networking
 knative.dev/networking/pkg/apis/networking/v1alpha1
@@ -1709,7 +1709,7 @@ knative.dev/pkg/webhook
 knative.dev/pkg/webhook/certificates
 knative.dev/pkg/webhook/certificates/resources
 knative.dev/pkg/webhook/resourcesemantics/conversion
-# knative.dev/reconciler-test v0.0.0-20260320022005-b870fd6858c7
+# knative.dev/reconciler-test v0.0.0-20260330022304-8cacadc6e997
 ## explicit; go 1.25.0
 knative.dev/reconciler-test/cmd/eventshub
 knative.dev/reconciler-test/pkg/environment
@@ -1738,7 +1738,7 @@ knative.dev/reconciler-test/pkg/resources/service
 knative.dev/reconciler-test/pkg/resources/serviceaccount
 knative.dev/reconciler-test/pkg/state
 knative.dev/reconciler-test/resources/certificate
-# knative.dev/serving v0.48.1-0.20260320181408-75d7cae45942
+# knative.dev/serving v0.48.1-0.20260402181955-0528bdda27c8
 ## explicit; go 1.25.0
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1