diff --git a/go.mod b/go.mod
index 6ca9c1f9..7244e7ff 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
 knative.dev/net-istio v0.36.2
 knative.dev/networking v0.0.0-20230419144338-e5d04e805e50
 knative.dev/pkg v0.0.0-20230418073056-dfad48eaa5d0
- knative.dev/serving v0.37.0
+ knative.dev/serving v0.37.1
 )
 require (
diff --git a/go.sum b/go.sum
index 2af03db0..ec7c825b 100644
--- a/go.sum
+++ b/go.sum
@@ -850,8 +850,8 @@ knative.dev/networking v0.0.0-20230419144338-e5d04e805e50 h1:X9rPBYr7Vrm075q0iXT
 knative.dev/networking v0.0.0-20230419144338-e5d04e805e50/go.mod h1:o2MyGpGfU5DoSAWCE2f/jnSC9GjGOplCslbA99yDkGo=
 knative.dev/pkg v0.0.0-20230418073056-dfad48eaa5d0 h1:EFQcoUo8I4bc+U3y6tR1B3ONYZSHWUdAfI7Vh7dae8g=
 knative.dev/pkg v0.0.0-20230418073056-dfad48eaa5d0/go.mod h1:2qWPP9Gjh9Q7ETti+WRHnBnGCSCq+6q7m3p/nmUQviE=
-knative.dev/serving v0.37.0 h1:hp/HconGRzv0kh2az9I/af1K1DY3NG3zcyiVc2rHyOk=
-knative.dev/serving v0.37.0/go.mod h1:v0Xbfp7olb0Gljm5l4qNuLsIf8/2p1rIt/mphxvx1z0=
+knative.dev/serving v0.37.1 h1:msn1sJ9yVBVWu/5slqkpSXXqCEQRIysHR+fKMO4EXlI=
+knative.dev/serving v0.37.1/go.mod h1:v0Xbfp7olb0Gljm5l4qNuLsIf8/2p1rIt/mphxvx1z0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/vendor/knative.dev/serving/pkg/reconciler/revision/resolve.go b/vendor/knative.dev/serving/pkg/reconciler/revision/resolve.go
index 6aee10ce..1abb11e6 100644
--- a/vendor/knative.dev/serving/pkg/reconciler/revision/resolve.go
+++ b/vendor/knative.dev/serving/pkg/reconciler/revision/resolve.go
@@ -42,6 +42,8 @@ const (
 // Kubernetes CA certificate bundle is mounted into the pod here, see:
 // https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/#trusting-tls-in-a-cluster
 k8sCertPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+
+ tlsMinVersionEnvKey = "TAG_TO_DIGEST_TLS_MIN_VERSION"
 )
 // newResolverTransport returns an http.Transport that appends the certs bundle
@@ -64,13 +66,26 @@ func newResolverTransport(path string, maxIdleConns, maxIdleConnsPerHost int) (*
 transport.MaxIdleConns = maxIdleConns
 transport.MaxIdleConnsPerHost = maxIdleConnsPerHost
 transport.TLSClientConfig = &tls.Config{
- MinVersion: tls.VersionTLS13,
+ MinVersion: tlsMinVersionFromEnv(tls.VersionTLS12),
 RootCAs: pool,
 }
 return transport, nil
 }
+func tlsMinVersionFromEnv(defaultTLSMinVersion uint16) uint16 {
+ switch tlsMinVersion := os.Getenv(tlsMinVersionEnvKey); tlsMinVersion {
+ case "1.2":
+ return tls.VersionTLS12
+ case "1.3":
+ return tls.VersionTLS13
+ case "":
+ return defaultTLSMinVersion
+ default:
+ panic(fmt.Sprintf("the environment variable %q has to be either '1.2' or '1.3'", tlsMinVersionEnvKey))
+ }
+}
+
 // Resolve resolves the image references that use tags to digests.
 func (r *digestResolver) Resolve(
 ctx context.Context,
diff --git a/vendor/modules.txt b/vendor/modules.txt
index fe406a45..e2fcca9a 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1293,7 +1293,7 @@ knative.dev/pkg/webhook/resourcesemantics/defaulting
 knative.dev/pkg/webhook/resourcesemantics/validation
 knative.dev/pkg/webhook/testing
 knative.dev/pkg/websocket
-# knative.dev/serving v0.37.0
+# knative.dev/serving v0.37.1
 ## explicit; go 1.18
 knative.dev/serving/cmd/activator
 knative.dev/serving/cmd/autoscaler
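Review bot: The call site in `newResolverTransport` (vendored `resolve.go`, second hunk) now passes `tls.VersionTLS12` as the default, so with `TAG_TO_DIGEST_TLS_MIN_VERSION` unset the tag-to-digest transport accepts TLS 1.2 where it previously required 1.3, and nothing in the new code documents that. I would add a comment on the constant, for example `// tlsMinVersionEnvKey names the env var that sets the minimum TLS version ("1.2" or "1.3") for tag-to-digest resolution; when unset the minimum is TLS 1.2.`, and have deployments that need the previous floor set the variable to `1.3`. `tlsMinVersionFromEnv` also has no doc comment and reports an unsupported value by panicking, although `newResolverTransport` already has an error return it could use. The file is vendored, so these changes belong upstream in knative.dev/serving; `newResolverTransport` begins outside the hunk.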