Update to Knative 1.1 (#502)

.github/workflows/minkind-cosigned.yaml

@@ -95,9 +95,6 @@ jobs:
     - name: Run cosigned e2e tests
       working-directory: ./src/github.com/mattmoor/mink
       run: |
-        # Update the cosign verification-key secret with a proper key pair.
-        cosign generate-key-pair k8s://mink-system/verification-key
-
         sed -i 's/cosign-system/mink-system/g' ./vendor/github.com/sigstore/cosign/test/e2e_test_cosigned.sh
         bash ./vendor/github.com/sigstore/cosign/test/e2e_test_cosigned.sh
 

cmd/webhook/cosigned.go

@@ -21,45 +21,53 @@ import (
 
 	appsv1 "k8s.io/api/apps/v1"
 	batchv1 "k8s.io/api/batch/v1"
+	batchv1beta1 "k8s.io/api/batch/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/webhook/resourcesemantics"
+	"knative.dev/pkg/webhook/resourcesemantics/defaulting"
 	"knative.dev/pkg/webhook/resourcesemantics/validation"
 	servingv1 "knative.dev/serving/pkg/apis/serving/v1"
 
 	cwebhook "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook"
 )
 
-func newCosignedWebhook(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+var cosignedTypes = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
+	corev1.SchemeGroupVersion.WithKind("Pod"): &duckv1.Pod{},
+
+	appsv1.SchemeGroupVersion.WithKind("ReplicaSet"):  &duckv1.WithPod{},
+	appsv1.SchemeGroupVersion.WithKind("Deployment"):  &duckv1.WithPod{},
+	appsv1.SchemeGroupVersion.WithKind("StatefulSet"): &duckv1.WithPod{},
+	appsv1.SchemeGroupVersion.WithKind("DaemonSet"):   &duckv1.WithPod{},
+	batchv1.SchemeGroupVersion.WithKind("Job"):        &duckv1.WithPod{},
+
+	batchv1.SchemeGroupVersion.WithKind("CronJob"):      &duckv1.CronJob{},
+	batchv1beta1.SchemeGroupVersion.WithKind("CronJob"): &duckv1.CronJob{},
+
+	servingv1.SchemeGroupVersion.WithKind("Service"): &duckv1.WithPod{},
+}
+
+func newCosignedValidatingWebhook(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
 	validator := cwebhook.NewValidator(ctx, *secretName)
 
 	return validation.NewAdmissionController(ctx,
 		// Name of the resource webhook.
 		"cosigned.mink.knative.dev",
 
 		// The path on which to serve the webhook.
-		"/cosigned",
+		"/validations",
 
 		// The resources to validate.
-		map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
-			corev1.SchemeGroupVersion.WithKind("Pod"): &duckv1.Pod{},
-
-			appsv1.SchemeGroupVersion.WithKind("ReplicaSet"):  &duckv1.WithPod{},
-			appsv1.SchemeGroupVersion.WithKind("Deployment"):  &duckv1.WithPod{},
-			appsv1.SchemeGroupVersion.WithKind("StatefulSet"): &duckv1.WithPod{},
-			appsv1.SchemeGroupVersion.WithKind("DaemonSet"):   &duckv1.WithPod{},
-			batchv1.SchemeGroupVersion.WithKind("Job"):        &duckv1.WithPod{},
-
-			servingv1.SchemeGroupVersion.WithKind("Service"): &duckv1.WithPod{},
-		},
+		cosignedTypes,
 
 		// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
 		func(ctx context.Context) context.Context {
 			ctx = duckv1.WithPodValidator(ctx, validator.ValidatePod)
 			ctx = duckv1.WithPodSpecValidator(ctx, validator.ValidatePodSpecable)
+			ctx = duckv1.WithCronJobValidator(ctx, validator.ValidateCronJob)
 			return ctx
 		},
 
@@ -71,3 +79,30 @@ func newCosignedWebhook(ctx context.Context, cmw configmap.Watcher) *controller.
 		nil,
 	)
 }
+
+func newCosignedMutatingWebhook(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	validator := cwebhook.NewValidator(ctx, *secretName)
+
+	return defaulting.NewAdmissionController(ctx,
+		// Name of the resource webhook.
+		"cosigned.mink.knative.dev",
+
+		// The path on which to serve the webhook.
+		"/mutations",
+
+		// The resources to validate.
+		cosignedTypes,
+
+		// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
+		func(ctx context.Context) context.Context {
+			ctx = duckv1.WithPodDefaulter(ctx, validator.ResolvePod)
+			ctx = duckv1.WithPodSpecDefaulter(ctx, validator.ResolvePodSpecable)
+			ctx = duckv1.WithCronJobDefaulter(ctx, validator.ResolveCronJob)
+			return ctx
+		},
+
+		// Whether to disallow unknown fields.
+		// We pass false because we're using partial schemas.
+		false,
+	)
+}

cmd/webhook/main.go

@@ -88,8 +88,6 @@ func main() {
 	flag.StringVar(&opts.Images.GsutilImage, "gsutil-image", "", "The container image containing gsutil")
 	flag.StringVar(&opts.Images.PRImage, "pr-image", "", "The container image containing our PR binary.")
 	flag.StringVar(&opts.Images.ImageDigestExporterImage, "imagedigest-exporter-image", "", "The container image containing our image digest exporter binary.")
-	flag.BoolVar(&opts.ExperimentalDisableResolution, "experimental-disable-in-tree-resolution", false,
-		"Disable resolution of taskrun and pipelinerun refs by the taskrun and pipelinerun reconcilers.")
 
 	flag.Parse()
 
@@ -122,7 +120,8 @@ func main() {
 		newValidationAdmissionController,
 		newConfigValidationController,
 		newConversionController,
-		newCosignedWebhook,
+		newCosignedValidatingWebhook,
+		newCosignedMutatingWebhook,
 
 		// Serving resource controllers.
 		configuration.NewController,

config/core/200-imported/200-eventing/100-resources/apiserversource.yaml

@@ -22,7 +22,7 @@ metadata:
     duck.knative.dev/source: "true"
     knative.dev/crd-install: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
   annotations:
     # TODO add schemas and descriptions
     registry.knative.dev/eventTypes: |

config/core/200-imported/200-eventing/100-resources/broker.yaml

@@ -21,7 +21,7 @@ metadata:
     knative.dev/crd-install: "true"
     duck.knative.dev/addressable: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 spec:
   group: eventing.knative.dev
   versions:

config/core/200-imported/200-eventing/100-resources/channel.yaml

@@ -22,7 +22,7 @@ metadata:
     messaging.knative.dev/subscribable: "true"
     duck.knative.dev/addressable: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 spec:
   group: messaging.knative.dev
   versions:

config/core/200-imported/200-eventing/100-resources/containersource.yaml

@@ -21,7 +21,7 @@ metadata:
     duck.knative.dev/source: "true"
     knative.dev/crd-install: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
   name: containersources.sources.knative.dev
 spec:
   group: sources.knative.dev

config/core/200-imported/200-eventing/100-resources/eventtype.yaml

@@ -19,7 +19,7 @@ metadata:
     knative.dev/release: devel
     knative.dev/crd-install: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 spec:
   group: eventing.knative.dev
   versions:

config/core/200-imported/200-eventing/100-resources/parallel.yaml

@@ -20,7 +20,7 @@ metadata:
     knative.dev/crd-install: "true"
     duck.knative.dev/addressable: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 spec:
   group: flows.knative.dev
   versions:

config/core/200-imported/200-eventing/100-resources/pingsource.yaml

@@ -21,7 +21,7 @@ metadata:
     duck.knative.dev/source: "true"
     knative.dev/crd-install: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
   annotations:
     # TODO add schemas and descriptions
     registry.knative.dev/eventTypes: |

config/core/200-imported/200-eventing/100-resources/sequence.yaml

@@ -20,7 +20,7 @@ metadata:
     knative.dev/crd-install: "true"
     duck.knative.dev/addressable: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 spec:
   group: flows.knative.dev
   versions:
@@ -50,7 +50,8 @@ spec:
                     type: string
                   spec:
                     description: Spec defines the Spec to use for each channel created. Passed in verbatim to the Channel CRD as Spec section.
-                    type: string
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
               reply:
                 description: Reply is a Reference to where the result of the last Subscriber gets sent to.
                 type: object
@@ -143,8 +144,6 @@ spec:
             properties:
               address:
                 type: object
-                required:
-                  - url
                 properties:
                   url:
                     type: string

config/core/200-imported/200-eventing/100-resources/sinkbindings.yaml

@@ -22,7 +22,7 @@ metadata:
     duck.knative.dev/binding: "true"
     knative.dev/crd-install: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
   name: sinkbindings.sources.knative.dev
 spec:
   group: sources.knative.dev

config/core/200-imported/200-eventing/100-resources/subscription.yaml

@@ -19,7 +19,7 @@ metadata:
     knative.dev/release: devel
     knative.dev/crd-install: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 spec:
   group: messaging.knative.dev
   versions:

config/core/200-imported/200-eventing/100-resources/trigger.yaml

@@ -20,7 +20,7 @@ metadata:
     knative.dev/release: devel
     knative.dev/crd-install: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 spec:
   group: eventing.knative.dev
   versions:
@@ -53,6 +53,7 @@ spec:
           spec:
             description: Spec defines the desired state of the Trigger.
             type: object
+            x-kubernetes-preserve-unknown-fields: true
             properties:
               broker:
                 description: Broker is the broker that this trigger receives events from.

config/core/200-imported/200-eventing/deployments/pingsource-mt-adapter.yaml

@@ -19,9 +19,9 @@ metadata:
   namespace: mink-system
   labels:
     knative.dev/release: devel
-    app.kubernetes.io/name: pingsource-mt-adapter
+    app.kubernetes.io/component: pingsource-mt-adapter
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 spec:
   # when set to 0 (and only 0) will be set to 1 when the first PingSource is created.
   replicas: 0
@@ -34,9 +34,9 @@ spec:
       labels:
         <<: *labels
         knative.dev/release: devel
-        app.kubernetes.io/name: pingsource-mt-adapter
+        app.kubernetes.io/component: pingsource-mt-adapter
         app.kubernetes.io/version: devel
-        app.kubernetes.io/part-of: mink-system
+        app.kubernetes.io/name: mink-system
     spec:
       affinity:
         podAntiAffinity:
@@ -86,4 +86,12 @@ spec:
             limits:
               cpu: 1000m
               memory: 2048Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - all
+
       serviceAccountName: pingsource-mt-adapter

config/core/200-imported/200-eventing/roles/channelable-manipulator-clusterrole.yaml

@@ -20,7 +20,7 @@ metadata:
   labels:
     knative.dev/release: devel
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 aggregationRule:
   clusterRoleSelectors:
   - matchLabels:
@@ -37,7 +37,7 @@ metadata:
     knative.dev/release: devel
     duck.knative.dev/channelable: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 # Do not use this role directly. These rules will be added to the "channelable-manipulator" role.
 rules:
 - apiGroups:

config/core/200-imported/200-eventing/roles/source-observer-clusterrole.yaml

@@ -20,7 +20,7 @@ metadata:
   labels:
     knative.dev/release: devel
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 aggregationRule:
   clusterRoleSelectors:
     - matchLabels:
@@ -37,7 +37,7 @@ metadata:
     knative.dev/release: devel
     duck.knative.dev/source: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 # Do not use this role directly. These rules will be added to the "source-observer" role.
 rules:
   - apiGroups:

config/core/200-imported/200-serving/100-resources/certificate.yaml

@@ -17,6 +17,8 @@ kind: CustomResourceDefinition
 metadata:
   name: certificates.networking.internal.knative.dev
   labels:
+    app.kubernetes.io/name: mink-system
+    app.kubernetes.io/version: devel
     knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:

config/core/200-imported/200-serving/100-resources/configuration.yaml

@@ -19,6 +19,8 @@ kind: CustomResourceDefinition
 metadata:
   name: configurations.serving.knative.dev
   labels:
+    app.kubernetes.io/name: mink-system
+    app.kubernetes.io/version: devel
     knative.dev/release: devel
     knative.dev/crd-install: "true"
     duck.knative.dev/podspecable: "true"

config/core/200-imported/200-serving/100-resources/domain-claim.yaml

@@ -17,6 +17,8 @@ kind: CustomResourceDefinition
 metadata:
   name: clusterdomainclaims.networking.internal.knative.dev
   labels:
+    app.kubernetes.io/name: mink-system
+    app.kubernetes.io/version: devel
     knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:

config/core/200-imported/200-serving/100-resources/domain-mapping.yaml

@@ -17,6 +17,8 @@ kind: CustomResourceDefinition
 metadata:
   name: domainmappings.serving.knative.dev
   labels:
+    app.kubernetes.io/name: mink-system
+    app.kubernetes.io/version: devel
     knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:

config/core/200-imported/200-serving/100-resources/image.yaml

@@ -17,6 +17,8 @@ kind: CustomResourceDefinition
 metadata:
   name: images.caching.internal.knative.dev
   labels:
+    app.kubernetes.io/name: mink-system
+    app.kubernetes.io/version: devel
     knative.dev/crd-install: "true"
 spec:
   group: caching.internal.knative.dev

config/core/200-imported/200-serving/100-resources/ingress.yaml

@@ -17,6 +17,8 @@ kind: CustomResourceDefinition
 metadata:
   name: ingresses.networking.internal.knative.dev
   labels:
+    app.kubernetes.io/name: mink-system
+    app.kubernetes.io/version: devel
     knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:

config/core/200-imported/200-serving/100-resources/metric.yaml

@@ -19,6 +19,8 @@ kind: CustomResourceDefinition
 metadata:
   name: metrics.autoscaling.internal.knative.dev
   labels:
+    app.kubernetes.io/name: mink-system
+    app.kubernetes.io/version: devel
     knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec:

config/core/200-imported/200-serving/100-resources/podautoscaler.yaml

@@ -19,6 +19,8 @@ kind: CustomResourceDefinition
 metadata:
   name: podautoscalers.autoscaling.internal.knative.dev
   labels:
+    app.kubernetes.io/name: mink-system
+    app.kubernetes.io/version: devel
     knative.dev/release: devel
     knative.dev/crd-install: "true"
 spec: