upgrade to latest dependencies (#622)

bumping knative.dev/eventing e804605...d5e9973:
  > d5e9973 feat: add complete request reply data plane (# 8699)
  > e8e8035 Add auth-proxy and enable on IntegrationSink (# 8708)
  > 941dafa Fix mt-broker-ingress auth to work with structured event too (# 8710)
  > 69e11e3 [Automated] Update eventing-eventing-integrations nightly (# 8711)
bumping knative.dev/serving a87c794...93577e9:
  > 93577e9 Update net-contour nightly (# 16074)
  > dc7691c Update net-istio nightly (# 16072)
  > 917f5c1 Update net-gateway-api nightly (# 16071)

Signed-off-by: Knative Automation <automation@knative.team>

Author: knative-automation

go.mod

@@ -15,10 +15,10 @@ require (
 	k8s.io/apimachinery v0.33.4
 	k8s.io/client-go v0.33.4
 	k8s.io/code-generator v0.33.4
-	knative.dev/eventing v0.46.1-0.20250909143134-e804605aa34a
+	knative.dev/eventing v0.46.1-0.20250910170819-d5e9973e559b
 	knative.dev/hack v0.0.0-20250902153942-1499de21e119
 	knative.dev/pkg v0.0.0-20250909010931-8c9c1d368e4b
-	knative.dev/serving v0.46.1-0.20250909224032-a87c794330dc
+	knative.dev/serving v0.46.1-0.20250910032334-93577e9cb30c
 )
 
 require (

go.sum

@@ -374,16 +374,16 @@ k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUy
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
 k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0=
 k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.46.1-0.20250909143134-e804605aa34a h1:vxv0GGRvlYp7XbkInA41v/ccXkypkZmOKmszGK+pkUk=
-knative.dev/eventing v0.46.1-0.20250909143134-e804605aa34a/go.mod h1:3rkUNHlYs6U0bs6IhufoBgIzUnsJY+ExNNreAHtv2Dw=
+knative.dev/eventing v0.46.1-0.20250910170819-d5e9973e559b h1:u2n46/rTmab70HoKGaa/sRCeKXv9K4MTxspKQNrKnjc=
+knative.dev/eventing v0.46.1-0.20250910170819-d5e9973e559b/go.mod h1:NP1ypjTAP+eZTT1P/Xk8DAI+dkqkWatFP73IikS4BIo=
 knative.dev/hack v0.0.0-20250902153942-1499de21e119 h1:NbQvjnFK1tL489LN0qAybWy0E17Jpziwcv/XIHwfp6M=
 knative.dev/hack v0.0.0-20250902153942-1499de21e119/go.mod h1:R0ritgYtjLDO9527h5vb5X6gfvt5LCrJ55BNbVDsWiY=
 knative.dev/networking v0.0.0-20250909015233-e3b68fc57bea h1:712x0cJVdyKELYhO9Asie79wD4AvW/6bmdqGAAB6QYQ=
 knative.dev/networking v0.0.0-20250909015233-e3b68fc57bea/go.mod h1:P8mxand4fkoIIucr7pVv4sVk3IpTGGCQpJbwKu8fhy4=
 knative.dev/pkg v0.0.0-20250909010931-8c9c1d368e4b h1:Gscoeovr8XvQffYg6l2d7V8M5FuaJg34Hjg8e9sg21Y=
 knative.dev/pkg v0.0.0-20250909010931-8c9c1d368e4b/go.mod h1:OLfYBCgDhdEpaC2TEixU3e7byMEQmke/MHP3xsR7Gmo=
-knative.dev/serving v0.46.1-0.20250909224032-a87c794330dc h1:jXlre/XEno0QIkCUeRA6xJVbXnxz+YZkXDmtvS51jCY=
-knative.dev/serving v0.46.1-0.20250909224032-a87c794330dc/go.mod h1:pERRORu4itdaYfKSoNx5mhP2IduUkEQIClBQ5eXWBig=
+knative.dev/serving v0.46.1-0.20250910032334-93577e9cb30c h1:HTvPrb9EclY4We6o6eDN3blELg/50XN8wVw20qBoODE=
+knative.dev/serving v0.46.1-0.20250910032334-93577e9cb30c/go.mod h1:pERRORu4itdaYfKSoNx5mhP2IduUkEQIClBQ5eXWBig=
 sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM=
 sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=

vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/integration_sink_lifecycle.go

@@ -43,12 +43,17 @@ const (
 
 	// Certificate related condition reasons
 	IntegrationSinkCertificateNotReady string = "CertificateNotReady"
+
+	// IntegrationSinkTrustBundlePropagated is configured to indicate whether the
+	// TLS trust bundle has been properly propagated.
+	IntegrationSinkTrustBundlePropagated apis.ConditionType = "TrustBundlePropagated"
 )
 
 var IntegrationSinkCondSet = apis.NewLivingConditionSet(
 	IntegrationSinkConditionAddressable,
 	IntegrationSinkConditionDeploymentReady,
 	IntegrationSinkConditionEventPoliciesReady,
+	IntegrationSinkTrustBundlePropagated,
 )
 
 // GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.
@@ -151,12 +156,26 @@ func (s *IntegrationSinkStatus) PropagateCertificateStatus(cs cmv1.CertificateSt
 	return true
 }
 
-func (s *IntegrationSinkStatus) SetAddress(address *duckv1.Addressable) {
-	s.Address = address
-	if address == nil || address.URL.IsEmpty() {
+func (s *IntegrationSinkStatus) SetAddresses(addresses ...duckv1.Addressable) {
+	if len(addresses) == 0 || addresses[0].URL.IsEmpty() {
 		IntegrationSinkCondSet.Manage(s).MarkFalse(IntegrationSinkConditionAddressable, "EmptyHostname", "hostname is the empty string")
-	} else {
-		IntegrationSinkCondSet.Manage(s).MarkTrue(IntegrationSinkConditionAddressable)
+		return
+	}
 
+	s.AddressStatus = duckv1.AddressStatus{
+		Address:   &addresses[0],
+		Addresses: addresses,
 	}
+	IntegrationSinkCondSet.Manage(s).MarkTrue(IntegrationSinkConditionAddressable)
+}
+
+// MarkFailedTrustBundlePropagation marks the IntegrationSink's SinkBindingTrustBundlePropagated condition to False with
+// the provided reason and message.
+func (s *IntegrationSinkStatus) MarkFailedTrustBundlePropagation(reason, message string) {
+	IntegrationSinkCondSet.Manage(s).MarkFalse(IntegrationSinkTrustBundlePropagated, reason, message)
+}
+
+// MarkTrustBundlePropagated marks the IntegrationSink's SinkBindingTrustBundlePropagated condition to True.
+func (s *IntegrationSinkStatus) MarkTrustBundlePropagated() {
+	IntegrationSinkCondSet.Manage(s).MarkTrue(IntegrationSinkTrustBundlePropagated)
 }

vendor/knative.dev/eventing/pkg/auth/event_policy.go

@@ -219,15 +219,15 @@ func resolveSubjectsFromReference(resolver *resolver.AuthenticatableResolver, re
 // SubjectAndFiltersPass checks if the given sub is contained in the list of allowedSubs
 // or if it matches a prefix pattern in subs (e.g. system:serviceaccounts:my-ns:*), as
 // well as if the event passes any filters associated with the subjects for an event policy
-func SubjectAndFiltersPass(ctx context.Context, sub string, allowedSubsWithFilters []subjectsWithFilters, event *cloudevents.Event, logger *zap.SugaredLogger) bool {
+func SubjectAndFiltersPass(ctx context.Context, sub string, allowedSubsWithFilters []SubjectsWithFilters, event *cloudevents.Event, logger *zap.SugaredLogger) bool {
 	if event == nil {
 		return false
 	}
 
 	for _, swf := range allowedSubsWithFilters {
-		for _, s := range swf.subjects {
+		for _, s := range swf.Subjects {
 			if strings.EqualFold(s, sub) || (strings.HasSuffix(s, "*") && strings.HasPrefix(sub, strings.TrimSuffix(s, "*"))) {
-				return subscriptionsapi.CreateSubscriptionsAPIFilters(logger.Desugar(), swf.filters).Filter(ctx, *event) != eventfilter.FailFilter
+				return subscriptionsapi.CreateSubscriptionsAPIFilters(logger.Desugar(), swf.Filters).Filter(ctx, *event) != eventfilter.FailFilter
 			}
 		}
 	}

vendor/knative.dev/eventing/pkg/auth/verifier.go

@@ -17,7 +17,6 @@ limitations under the License.
 package auth
 
 import (
-	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -32,6 +31,7 @@ import (
 	"go.opentelemetry.io/otel"
 	corev1listers "k8s.io/client-go/listers/core/v1"
 	"knative.dev/eventing/pkg/eventingtls"
+	"knative.dev/eventing/pkg/utils"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/network"
 	"knative.dev/pkg/observability/tracing"
@@ -136,6 +136,30 @@ func (v *Verifier) VerifyRequestFromSubject(ctx context.Context, features featur
 	return nil
 }
 
+// VerifyRequestFromSubjectsWithFilters verifies AuthN and AuthZ in the request.
+// In the AuthZ part it checks if the request comes from the given allowedSubject.
+// On verification errors, it sets the responses HTTP status and returns an error.
+// This method is similar to VerifyRequestFromSubject() except that
+// VerifyRequestFromSubjectsWithFilters() allows to check based on a list of
+// subjects with filters.
+func (v *Verifier) VerifyRequestFromSubjectsWithFilters(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, allowedSubjectsWithFilters []SubjectsWithFilters, resourceNamespace string, req *http.Request, resp http.ResponseWriter) error {
+	if !features.IsOIDCAuthentication() {
+		return nil
+	}
+
+	idToken, err := v.verifyAuthN(ctx, requiredOIDCAudience, req, resp)
+	if err != nil {
+		return fmt.Errorf("authentication of request could not be verified: %w", err)
+	}
+
+	err = v.verifyAuthZBySubjectsWithFilters(ctx, features, idToken, resourceNamespace, allowedSubjectsWithFilters, req, resp)
+	if err != nil {
+		return fmt.Errorf("authorization of request could not be verified: %w", err)
+	}
+
+	return nil
+}
+
 // verifyAuthN verifies if the incoming request contains a correct JWT token
 func (v *Verifier) verifyAuthN(ctx context.Context, audience *string, req *http.Request, resp http.ResponseWriter) (*IDToken, error) {
 	token := GetJWTFromHeader(req.Header)
@@ -160,8 +184,20 @@ func (v *Verifier) verifyAuthN(ctx context.Context, audience *string, req *http.
 
 // verifyAuthZ verifies if the given idToken is allowed by the resources eventPolicyStatus
 func (v *Verifier) verifyAuthZ(ctx context.Context, features feature.Flags, idToken *IDToken, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
-	if len(policyRefs) > 0 {
-		req, err := copyRequest(req)
+	subjectsWithFiltersFromApplyingPolicies, err := SubjectWithFiltersFromPolicyRef(v.eventPolicyLister, resourceNamespace, policyRefs)
+	if err != nil {
+		resp.WriteHeader(http.StatusInternalServerError)
+		return fmt.Errorf("could not get subjects with filters from policy: %w", err)
+	}
+
+	return v.verifyAuthZBySubjectsWithFilters(ctx, features, idToken, resourceNamespace, subjectsWithFiltersFromApplyingPolicies, req, resp)
+}
+
+// verifyAuthZBySubjectsWithFilters verifies if the given idToken is allowed by the resources eventPolicyStatus
+// it does the same as verifyAuthZ but taking a subjectWithFilters slice instead
+func (v *Verifier) verifyAuthZBySubjectsWithFilters(ctx context.Context, features feature.Flags, idToken *IDToken, resourceNamespace string, subjectsWithFiltersFromApplyingPolicies []SubjectsWithFilters, req *http.Request, resp http.ResponseWriter) error {
+	if len(subjectsWithFiltersFromApplyingPolicies) > 0 {
+		req, err := utils.CopyRequest(req)
 		if err != nil {
 			resp.WriteHeader(http.StatusInternalServerError)
 			return fmt.Errorf("failed to copy request body: %w", err)
@@ -176,38 +212,26 @@ func (v *Verifier) verifyAuthZ(ctx context.Context, features feature.Flags, idTo
 			return fmt.Errorf("failed to decode event from request: %w", err)
 		}
 
-		subjectsWithFiltersFromApplyingPolicies := []subjectsWithFilters{}
-		for _, p := range policyRefs {
-			policy, err := v.eventPolicyLister.EventPolicies(resourceNamespace).Get(p.Name)
-			if err != nil {
-				resp.WriteHeader(http.StatusInternalServerError)
-				return fmt.Errorf("failed to get eventPolicy: %w", err)
-			}
-
-			subjectsWithFiltersFromApplyingPolicies = append(subjectsWithFiltersFromApplyingPolicies, subjectsWithFilters{subjects: policy.Status.From, filters: policy.Spec.Filters})
-		}
-
 		if !SubjectAndFiltersPass(ctx, idToken.Subject, subjectsWithFiltersFromApplyingPolicies, event, v.logger) {
 			resp.WriteHeader(http.StatusForbidden)
 			return fmt.Errorf("token is from subject %q, but only %#v are part of applying event policies", idToken.Subject, subjectsWithFiltersFromApplyingPolicies)
 		}
 
 		return nil
-	} else {
-		if features.IsAuthorizationDefaultModeDenyAll() {
-			resp.WriteHeader(http.StatusForbidden)
-			return fmt.Errorf("no event policies apply for resource and %s is set to %s", feature.AuthorizationDefaultMode, feature.AuthorizationDenyAll)
-
-		} else if features.IsAuthorizationDefaultModeSameNamespace() {
-			if !strings.HasPrefix(idToken.Subject, fmt.Sprintf("%s:%s:", kubernetesServiceAccountPrefix, resourceNamespace)) {
-				resp.WriteHeader(http.StatusForbidden)
-				return fmt.Errorf("no policies apply for resource. %s is set to %s, but token is from subject %q, which is not part of %q namespace", feature.AuthorizationDefaultMode, feature.AuthorizationDenyAll, idToken.Subject, resourceNamespace)
-			}
+	}
 
-			return nil
+	if features.IsAuthorizationDefaultModeDenyAll() {
+		resp.WriteHeader(http.StatusForbidden)
+		return fmt.Errorf("no event policies apply for resource and %s is set to %s", feature.AuthorizationDefaultMode, feature.AuthorizationDenyAll)
+	} else if features.IsAuthorizationDefaultModeSameNamespace() {
+		if !strings.HasPrefix(idToken.Subject, fmt.Sprintf("%s:%s:", kubernetesServiceAccountPrefix, resourceNamespace)) {
+			resp.WriteHeader(http.StatusForbidden)
+			return fmt.Errorf("no policies apply for resource. %s is set to %s, but token is from subject %q, which is not part of %q namespace", feature.AuthorizationDefaultMode, feature.AuthorizationDenyAll, idToken.Subject, resourceNamespace)
 		}
-		// else: allow all
+
+		return nil
 	}
+	// else: allow all
 
 	return nil
 }
@@ -335,35 +359,6 @@ func (v *Verifier) getKubernetesOIDCDiscovery(features feature.Flags, client *ht
 	return openIdConfig, nil
 }
 
-// copyRequest makes a copy of the http request which can be consumed as needed, leaving the original request
-// able to be consumed as well.
-func copyRequest(req *http.Request) (*http.Request, error) {
-	// check if we actually need to copy the body, otherwise we can return the original request
-	if req.Body == nil || req.Body == http.NoBody {
-		return req, nil
-	}
-
-	var buf bytes.Buffer
-	if _, err := buf.ReadFrom(req.Body); err != nil {
-		return nil, fmt.Errorf("failed to read request body while copying it: %w", err)
-	}
-
-	if err := req.Body.Close(); err != nil {
-		return nil, fmt.Errorf("failed to close original request body ready while copying request: %w", err)
-	}
-
-	// set the original request body to be readable again
-	req.Body = io.NopCloser(&buf)
-
-	// return a new request with a readable body and same headers as the original
-	// we don't need to set any other fields as cloudevents only uses the headers
-	// and body to construct the Message/Event.
-	return &http.Request{
-		Header: req.Header,
-		Body:   io.NopCloser(bytes.NewReader(buf.Bytes())),
-	}, nil
-}
-
 type openIDMetadata struct {
 	Issuer        string   `json:"issuer"`
 	JWKSURI       string   `json:"jwks_uri"`
@@ -372,7 +367,22 @@ type openIDMetadata struct {
 	SigningAlgs   []string `json:"id_token_signing_alg_values_supported"`
 }
 
-type subjectsWithFilters struct {
-	filters  []eventingv1.SubscriptionsAPIFilter
-	subjects []string
+func SubjectWithFiltersFromPolicyRef(eventPolicyLister listerseventingv1alpha1.EventPolicyLister, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef) ([]SubjectsWithFilters, error) {
+	subjectsWithFiltersFromApplyingPolicies := make([]SubjectsWithFilters, 0, len(policyRefs))
+
+	for _, p := range policyRefs {
+		policy, err := eventPolicyLister.EventPolicies(resourceNamespace).Get(p.Name)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get eventPolicy: %w", err)
+		}
+
+		subjectsWithFiltersFromApplyingPolicies = append(subjectsWithFiltersFromApplyingPolicies, SubjectsWithFilters{Subjects: policy.Status.From, Filters: policy.Spec.Filters})
+	}
+
+	return subjectsWithFiltersFromApplyingPolicies, nil
+}
+
+type SubjectsWithFilters struct {
+	Filters  []eventingv1.SubscriptionsAPIFilter `json:"filters,omitempty"`
+	Subjects []string                            `json:"subjects,omitempty"`
 }

vendor/knative.dev/eventing/pkg/eventingtls/eventingtls.go

@@ -36,6 +36,7 @@ import (
 	corev1listers "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/tools/cache"
 	"knative.dev/pkg/apis"
+	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/logging"
 )
@@ -195,6 +196,17 @@ func IsHttpsSink(sink string) bool {
 	return strings.EqualFold(s.Scheme, "https")
 }
 
+// GetHttpsAddress returns the (first) https address out of the list of addresses
+func GetHttpsAddress(addresses []duckv1.Addressable) *duckv1.Addressable {
+	for _, address := range addresses {
+		if IsHttpsSink(address.URL.String()) {
+			return &address
+		}
+	}
+
+	return nil
+}
+
 // certPool returns a x509.CertPool with the combined certs from:
 // - the system cert pool
 // - the knative trust bundle in TrustBundleMountPath

vendor/knative.dev/eventing/pkg/utils/headers.go

@@ -0,0 +1,63 @@
+/*
+Copyright 2019 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package utils
+
+import (
+	"net/http"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+// TODO make propagated headers/prefixes configurable (configmap?)
+
+var (
+	// These MUST be lowercase strings, as they will be compared against lowercase strings.
+	forwardHeaders = sets.NewString(
+		"x-request-id", // tracing
+		"retry-after",
+	)
+	// These MUST be lowercase strings, as they will be compared against lowercase strings.
+	// Removing CloudEvents ce- prefixes on purpose as they should be set in the CloudEvent itself as extensions.
+	// Then the SDK will set them as ce- headers when sending them through HTTP. Otherwise, when using replies we would
+	// duplicate ce- headers.
+	forwardPrefixes = []string{
+		"knative-", // Knative
+		"x-b3-",    // Zipkin (Istio) B3
+	}
+)
+
+// PassThroughHeaders extracts the headers from headers that are in the `forwardHeaders` set
+// or has any of the prefixes in `forwardPrefixes`.
+func PassThroughHeaders(headers http.Header) http.Header {
+	h := http.Header{}
+
+	for n, v := range headers {
+		lower := strings.ToLower(n)
+		if forwardHeaders.Has(lower) {
+			h[n] = v
+			continue
+		}
+		for _, prefix := range forwardPrefixes {
+			if strings.HasPrefix(lower, prefix) {
+				h[n] = v
+				break
+			}
+		}
+	}
+	return h
+}