upgrade to latest dependencies

bumping knative.dev/eventing d964da3...67f382d:
  > 67f382d Provide volume with OIDC token in SinkBinding (# 7444)
  > 3ec99b4 Make SECURITY.md consistent (# 7460)
  > 140482e Upgrade tests account for last event being interrupted (# 7447)
  > d84daee Gather traces for TestChannelDeadLetterSinkExtensions (# 7441)
  > 2d1bfb5 Fix OIDC token handling in event_dispatcher (# 7457)
  > dc96522 Add serviceaccount in parallel (# 7373)
  > 32d7dd8 Allow configuring whether to allow cross namespaces Brokers configuration references (# 7455)
  > 203fa93 Add deprecation warnings for EventType v1beta1 (# 7453)
  > e5f2814 support auto generation of Sequence identity service account [OIDC] (# 7361)
  > 8ebe869 Deprecate EventType v1b1 API (# 7303)
  > a9320dc Add deprecation warnings for v1b2 (# 7454)
  > 3162518 [main] Upgrade to latest dependencies (# 7450)
bumping knative.dev/pkg 97c7258...703c8b0:
  > 703c8b0 Add consistent SECURITY.md (# 2900)

Signed-off-by: Knative Automation <[email protected]>

go.mod

@@ -12,9 +12,9 @@ require (
 	k8s.io/api v0.27.6
 	k8s.io/apimachinery v0.27.6
 	k8s.io/client-go v0.27.6
-	knative.dev/eventing v0.39.1-0.20231114180859-d964da3a8ace
+	knative.dev/eventing v0.39.1-0.20231120220132-67f382d60b43
 	knative.dev/hack v0.0.0-20231109190034-5deaddeb51a7
-	knative.dev/pkg v0.0.0-20231115001034-97c7258e3a98
+	knative.dev/pkg v0.0.0-20231120182734-703c8b0d5c34
 )
 
 require (

go.sum

@@ -651,12 +651,12 @@ k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5F
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.39.1-0.20231114180859-d964da3a8ace h1:zKNCpnzCVHO8YqHiKX/l3PmpEiirG0z517j3Qf1B9p4=
-knative.dev/eventing v0.39.1-0.20231114180859-d964da3a8ace/go.mod h1:bG5Dzu03aolsgCmoUwCYjcQuI4Puo31dBz7Ho/ZYZg4=
+knative.dev/eventing v0.39.1-0.20231120220132-67f382d60b43 h1:5i2VuGz0/liRoMa48DjB4LMpyOsHtFi721uEGHc3dlU=
+knative.dev/eventing v0.39.1-0.20231120220132-67f382d60b43/go.mod h1:m+tzwZOSkMbZPRkSKOIY+nbMfPURejGKnhFYxytCyAs=
 knative.dev/hack v0.0.0-20231109190034-5deaddeb51a7 h1:HXf7M7n9jwn+Hp904r0HXRSymf+DLXSciFpXVpCg+Bs=
 knative.dev/hack v0.0.0-20231109190034-5deaddeb51a7/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/pkg v0.0.0-20231115001034-97c7258e3a98 h1:uvOLwp5Ar7oJlaYEszh51CemuZc1sRRI14xzKhUEF3U=
-knative.dev/pkg v0.0.0-20231115001034-97c7258e3a98/go.mod h1:56Qcm0ai7xPWqGxpOnjRi4sAX9fZM9UDTk7fKyjUqZM=
+knative.dev/pkg v0.0.0-20231120182734-703c8b0d5c34 h1:bMt0eapwDBD4oBGbyXrGk00DRtFgAGjRHq2B29DwhSE=
+knative.dev/pkg v0.0.0-20231120182734-703c8b0d5c34/go.mod h1:56Qcm0ai7xPWqGxpOnjRi4sAX9fZM9UDTk7fKyjUqZM=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

vendor/knative.dev/eventing/pkg/apis/sources/v1/sinkbinding_lifecycle.go

@@ -33,9 +33,14 @@ import (
 	"knative.dev/pkg/tracker"
 )
 
+const (
+	oidcTokenVolumeName = "oidc-token"
+)
+
 var sbCondSet = apis.NewLivingConditionSet(
 	SinkBindingConditionSinkProvided,
 	SinkBindingConditionOIDCIdentityCreated,
+	SinkBindingConditionOIDCTokenSecretCreated,
 )
 
 // GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.
@@ -90,6 +95,7 @@ func (sbs *SinkBindingStatus) MarkSink(addr *duckv1.Addressable) {
 	if addr != nil {
 		sbs.SinkURI = addr.URL
 		sbs.SinkCACerts = addr.CACerts
+		sbs.SinkAudience = addr.Audience
 		sbCondSet.Manage(sbs).MarkTrue(SinkBindingConditionSinkProvided)
 	} else {
 		sbCondSet.Manage(sbs).MarkFalse(SinkBindingConditionSinkProvided, "SinkEmpty", "Sink has resolved to empty.%s", "")
@@ -112,6 +118,22 @@ func (sbs *SinkBindingStatus) MarkOIDCIdentityCreatedUnknown(reason, messageForm
 	sbCondSet.Manage(sbs).MarkUnknown(SinkBindingConditionOIDCIdentityCreated, reason, messageFormat, messageA...)
 }
 
+func (sbs *SinkBindingStatus) MarkOIDCTokenSecretCreatedSuccceeded() {
+	sbCondSet.Manage(sbs).MarkTrue(SinkBindingConditionOIDCTokenSecretCreated)
+}
+
+func (sbs *SinkBindingStatus) MarkOIDCTokenSecretCreatedSuccceededWithReason(reason, messageFormat string, messageA ...interface{}) {
+	sbCondSet.Manage(sbs).MarkTrueWithReason(SinkBindingConditionOIDCTokenSecretCreated, reason, messageFormat, messageA...)
+}
+
+func (sbs *SinkBindingStatus) MarkOIDCTokenSecretCreatedFailed(reason, messageFormat string, messageA ...interface{}) {
+	sbCondSet.Manage(sbs).MarkFalse(SinkBindingConditionOIDCTokenSecretCreated, reason, messageFormat, messageA...)
+}
+
+func (sbs *SinkBindingStatus) MarkOIDCTokenSecretCreatedUnknown(reason, messageFormat string, messageA ...interface{}) {
+	sbCondSet.Manage(sbs).MarkUnknown(SinkBindingConditionOIDCTokenSecretCreated, reason, messageFormat, messageA...)
+}
+
 // Do implements psbinding.Bindable
 func (sb *SinkBinding) Do(ctx context.Context, ps *duckv1.WithPod) {
 	// First undo so that we can just unconditionally append below.
@@ -171,6 +193,38 @@ func (sb *SinkBinding) Do(ctx context.Context, ps *duckv1.WithPod) {
 			Value: ceOverrides,
 		})
 	}
+
+	if sb.Status.OIDCTokenSecretName != nil {
+		ps.Spec.Template.Spec.Volumes = append(ps.Spec.Template.Spec.Volumes, corev1.Volume{
+			Name: oidcTokenVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				Projected: &corev1.ProjectedVolumeSource{
+					Sources: []corev1.VolumeProjection{
+						{
+							Secret: &corev1.SecretProjection{
+								LocalObjectReference: corev1.LocalObjectReference{
+									Name: *sb.Status.OIDCTokenSecretName,
+								},
+							},
+						},
+					},
+				},
+			},
+		})
+
+		for i := range spec.Containers {
+			spec.Containers[i].VolumeMounts = append(spec.Containers[i].VolumeMounts, corev1.VolumeMount{
+				Name:      oidcTokenVolumeName,
+				MountPath: "/oidc",
+			})
+		}
+		for i := range spec.InitContainers {
+			spec.InitContainers[i].VolumeMounts = append(spec.InitContainers[i].VolumeMounts, corev1.VolumeMount{
+				Name:      oidcTokenVolumeName,
+				MountPath: "/oidc",
+			})
+		}
+	}
 }
 
 func (sb *SinkBinding) Undo(ctx context.Context, ps *duckv1.WithPod) {
@@ -189,6 +243,17 @@ func (sb *SinkBinding) Undo(ctx context.Context, ps *duckv1.WithPod) {
 			}
 		}
 		spec.InitContainers[i].Env = env
+
+		if len(spec.InitContainers[i].VolumeMounts) > 0 {
+			volumeMounts := make([]corev1.VolumeMount, 0, len(spec.InitContainers[i].VolumeMounts))
+			for j, vol := range c.VolumeMounts {
+				if vol.Name == oidcTokenVolumeName {
+					continue
+				}
+				volumeMounts = append(volumeMounts, spec.InitContainers[i].VolumeMounts[j])
+			}
+			spec.InitContainers[i].VolumeMounts = volumeMounts
+		}
 	}
 	for i, c := range spec.Containers {
 		if len(c.Env) == 0 {
@@ -204,5 +269,27 @@ func (sb *SinkBinding) Undo(ctx context.Context, ps *duckv1.WithPod) {
 			}
 		}
 		spec.Containers[i].Env = env
+
+		if len(spec.Containers[i].VolumeMounts) > 0 {
+			volumeMounts := make([]corev1.VolumeMount, 0, len(spec.Containers[i].VolumeMounts))
+			for j, vol := range c.VolumeMounts {
+				if vol.Name == oidcTokenVolumeName {
+					continue
+				}
+				volumeMounts = append(volumeMounts, spec.Containers[i].VolumeMounts[j])
+			}
+			spec.Containers[i].VolumeMounts = volumeMounts
+		}
+	}
+
+	if len(spec.Volumes) > 0 {
+		volumes := make([]corev1.Volume, 0, len(spec.Volumes))
+		for i, vol := range spec.Volumes {
+			if vol.Name == oidcTokenVolumeName {
+				continue
+			}
+			volumes = append(volumes, spec.Volumes[i])
+		}
+		ps.Spec.Template.Spec.Volumes = volumes
 	}
 }

vendor/knative.dev/eventing/pkg/apis/sources/v1/sinkbinding_types.go

@@ -81,6 +81,10 @@ const (
 	// SinkBindingConditionOIDCIdentityCreated is configured to indicate whether
 	// the OIDC identity has been created for the sink.
 	SinkBindingConditionOIDCIdentityCreated apis.ConditionType = "OIDCIdentityCreated"
+
+	// SinkBindingConditionOIDCTokenSecretCreated is configured to indicate whether
+	// the secret containing the OIDC token has been created for the sink.
+	SinkBindingConditionOIDCTokenSecretCreated apis.ConditionType = "OIDCTokenSecretCreated"
 )
 
 // SinkBindingStatus communicates the observed state of the SinkBinding (from the controller).
@@ -93,6 +97,10 @@ type SinkBindingStatus struct {
 	// * SinkURI - the current active sink URI that has been configured for the
 	//   Source.
 	duckv1.SourceStatus `json:",inline"`
+
+	// OIDCTokenSecretName is the name of the secret containing the token for
+	// this SinkBindings OIDC authentication
+	OIDCTokenSecretName *string `json:"oidcTokenSecretName,omitempty"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

vendor/modules.txt

@@ -864,7 +864,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/eventing v0.39.1-0.20231114180859-d964da3a8ace
+# knative.dev/eventing v0.39.1-0.20231120220132-67f382d60b43
 ## explicit; go 1.19
 knative.dev/eventing/pkg/adapter/v2
 knative.dev/eventing/pkg/adapter/v2/util/crstatusevent
@@ -883,7 +883,7 @@ knative.dev/eventing/pkg/reconciler/source
 # knative.dev/hack v0.0.0-20231109190034-5deaddeb51a7
 ## explicit; go 1.18
 knative.dev/hack
-# knative.dev/pkg v0.0.0-20231115001034-97c7258e3a98
+# knative.dev/pkg v0.0.0-20231120182734-703c8b0d5c34
 ## explicit; go 1.18
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck