From 03f7877f179faf8cc357917d3db93da385cc0d5b Mon Sep 17 00:00:00 2001 From: Andrea Lamparelli Date: Mon, 13 May 2024 08:13:18 +0200 Subject: [PATCH] Upgrade knative to v1.12.4 (#2709) * Add common/knative sync script Signed-off-by: Andrea Lamparelli * Update common/knative manifests from v1.12.4/v1.12.6 Signed-off-by: Andrea Lamparelli --------- Signed-off-by: Andrea Lamparelli --- .github/workflows/kserve_cni_test.yaml | 1 + README.md | 2 +- common/knative/README.md | 26 +- .../base/eventing-post-install.yaml | 6 +- .../base/upstream/eventing-core.yaml | 680 ++++++++++++-- .../base/upstream/in-memory-channel.yaml | 150 ++- .../base/upstream/mt-channel-broker.yaml | 127 ++- .../base/serving-post-install-jobs.yaml | 7 +- .../base/upstream/net-istio.yaml | 66 +- .../base/upstream/serving-core.yaml | 883 ++++++++---------- hack/sync-knative-manifests.sh | 145 +++ 11 files changed, 1385 insertions(+), 708 deletions(-) create mode 100755 hack/sync-knative-manifests.sh diff --git a/.github/workflows/kserve_cni_test.yaml b/.github/workflows/kserve_cni_test.yaml index 8468f59ee8..3ac21b91d5 100644 --- a/.github/workflows/kserve_cni_test.yaml +++ b/.github/workflows/kserve_cni_test.yaml @@ -10,6 +10,7 @@ on: - tests/gh-actions/install_cert_manager.sh - common/cert-manager/** - tests/gh-actions/install_knative-cni.sh + - common/knative/** - tests/gh-actions/install_kserve.sh jobs: diff --git a/README.md b/README.md index e96be1fab0..7f54f8012c 100644 --- a/README.md +++ b/README.md @@ -64,7 +64,7 @@ used from the different projects of Kubeflow: | Component | Local Manifests Path | Upstream Revision | | - | - | - | | Istio | common/istio-1-17 | [1.17.3](https://github.com/istio/istio/releases/tag/1.17.3) | -| Knative | common/knative/knative-serving
common/knative/knative-eventing | [1.10.2](https://github.com/knative/serving/releases/tag/knative-v1.10.2)
[1.10.1](https://github.com/knative/eventing/releases/tag/knative-v1.10.1) | +| Knative | common/knative/knative-serving
common/knative/knative-eventing | [v1.12.4](https://github.com/knative/serving/releases/tag/knative-v1.12.4)
[v1.12.6](https://github.com/knative/eventing/releases/tag/knative-v1.12.6) | | Cert Manager | common/cert-manager | [1.14.5](https://github.com/cert-manager/cert-manager/releases/tag/v1.12.2) | ## Installation diff --git a/common/knative/README.md b/common/knative/README.md index 7ddd0285fb..2c2cc54110 100644 --- a/common/knative/README.md +++ b/common/knative/README.md 
@@ -4,17 +4,17 @@ The manifests for Knative Serving are based off the following: - - [Knative serving (v1.10.2)](https://github.com/knative/serving/releases/tag/knative-v1.10.2) - - [Knative ingress controller for Istio (v1.10.1)](https://github.com/knative-sandbox/net-istio/releases/tag/knative-v1.10.1) + - [Knative serving (v1.12.4)](https://github.com/knative/serving/releases/tag/knative-v1.12.4) + - [Knative ingress controller for Istio (v1.12.3)](https://github.com/knative-extensions/net-istio/releases/tag/knative-v1.12.3) 1. Download the knative-serving manifests with the following commands: ```sh # No need to install serving-crds. # See: https://github.com/knative/serving/issues/9945 - wget -O knative-serving/base/upstream/serving-core.yaml 'https://github.com/knative/serving/releases/download/knative-v1.10.2/serving-core.yaml' - wget -O knative-serving/base/upstream/net-istio.yaml 'https://github.com/knative-sandbox/net-istio/releases/download/knative-v1.10.1/net-istio.yaml' - wget -O knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml 'https://github.com/knative/serving/releases/download/knative-v1.10.2/serving-post-install-jobs.yaml' + wget -O knative-serving/base/upstream/serving-core.yaml 'https://github.com/knative/serving/releases/download/knative-v1.12.4/serving-core.yaml' + wget -O knative-serving/base/upstream/net-istio.yaml 'https://github.com/knative-extensions/net-istio/releases/download/knative-v1.12.3/net-istio.yaml' + wget -O knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml 'https://github.com/knative/serving/releases/download/knative-v1.12.4/serving-post-install-jobs.yaml' ``` 1. Remove all comments, since `yq` does not handle them correctly. See: 
@@ -54,20 +54,20 @@ The manifests for Knative Serving are based off the following: ## Knative-Eventing -The manifests for Knative Eventing are based off the [v1.10.1 release](https://github.com/knative/eventing/releases/tag/knative-v1.10.1). +The manifests for Knative Eventing are based off the [v1.12.6 release](https://github.com/knative/eventing/releases/tag/knative-v1.12.6). - - [Eventing Core](https://github.com/knative/eventing/releases/download/knative-v1.10.1/eventing-core.yaml) - - [In-Memory Channel](https://github.com/knative/eventing/releases/download/knative-v1.10.1/in-memory-channel.yaml) - - [MT Channel Broker](https://github.com/knative/eventing/releases/download/knative-v1.10.1/mt-channel-broker.yaml) + - [Eventing Core](https://github.com/knative/eventing/releases/download/knative-v1.12.6/eventing-core.yaml) + - [In-Memory Channel](https://github.com/knative/eventing/releases/download/knative-v1.12.6/in-memory-channel.yaml) + - [MT Channel Broker](https://github.com/knative/eventing/releases/download/knative-v1.12.6/mt-channel-broker.yaml) 1. 
Download the knative-eventing manifests with the following commands: ```sh - wget -O knative-eventing/base/upstream/eventing-core.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.10.1/eventing-core.yaml' - wget -O knative-eventing/base/upstream/in-memory-channel.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.10.1/in-memory-channel.yaml' - wget -O knative-eventing/base/upstream/mt-channel-broker.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.10.1/mt-channel-broker.yaml' - wget -O knative-eventing-post-install-jobs/base/eventing-post-install.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.10.1/eventing-post-install.yaml' + wget -O knative-eventing/base/upstream/eventing-core.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.12.6/eventing-core.yaml' + wget -O knative-eventing/base/upstream/in-memory-channel.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.12.6/in-memory-channel.yaml' + wget -O knative-eventing/base/upstream/mt-channel-broker.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.12.6/mt-channel-broker.yaml' + wget -O knative-eventing-post-install-jobs/base/eventing-post-install.yaml 'https://github.com/knative/eventing/releases/download/knative-v1.12.6/eventing-post-install.yaml' ``` 1. Remove all comments, since `yq` does not handle them correctly. See: diff --git a/common/knative/knative-eventing-post-install-jobs/base/eventing-post-install.yaml b/common/knative/knative-eventing-post-install-jobs/base/eventing-post-install.yaml index 691c49990e..9d58bba2d9 100644 --- a/common/knative/knative-eventing-post-install-jobs/base/eventing-post-install.yaml +++ b/common/knative/knative-eventing-post-install-jobs/base/eventing-post-install.yaml 
@@ -7,7 +7,7 @@ metadata: app: "storage-version-migration-eventing" app.kubernetes.io/name: knative-eventing app.kubernetes.io/component: storage-version-migration-job - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" name: storage-version-migration-eventing spec: ttlSecondsAfterFinished: 600 @@ -18,7 +18,7 @@ spec: app: "storage-version-migration-eventing" app.kubernetes.io/name: knative-eventing app.kubernetes.io/component: storage-version-migration-job - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" annotations: sidecar.istio.io/inject: "false" spec: @@ -26,7 +26,7 @@ spec: restartPolicy: OnFailure containers: - name: migrate - image: gcr.io/knative-releases/knative.dev/pkg/apiextensions/storageversion/cmd/migrate@sha256:56780f69e6496bb4790b0c147deb652a2b020ff81e08d58cc58a61cd649b1121 + image: gcr.io/knative-releases/knative.dev/pkg/apiextensions/storageversion/cmd/migrate@sha256:d438c3ad2fcef3c7ea1b3abb910f5fa911c8a1466d6460ac0b11bf034797d6f6 args: - "apiserversources.sources.knative.dev" - "brokers.eventing.knative.dev" diff --git a/common/knative/knative-eventing/base/upstream/eventing-core.yaml b/common/knative/knative-eventing/base/upstream/eventing-core.yaml index 92464e0e82..510a8b3dce 100644 --- a/common/knative/knative-eventing/base/upstream/eventing-core.yaml +++ b/common/knative/knative-eventing/base/upstream/eventing-core.yaml @@ -3,7 +3,7 @@ kind: Namespace metadata: name: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing --- apiVersion: v1 @@ -12,7 +12,7 @@ metadata: name: eventing-controller namespace: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 
@@ -20,7 +20,7 @@ kind: ClusterRoleBinding metadata: name: eventing-controller labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -36,7 +36,7 @@ kind: ClusterRoleBinding metadata: name: eventing-controller-resolver labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -52,7 +52,7 @@ kind: ClusterRoleBinding metadata: name: eventing-controller-source-observer labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -68,7 +68,7 @@ kind: ClusterRoleBinding metadata: name: eventing-controller-sources-controller labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -84,7 +84,7 @@ kind: ClusterRoleBinding metadata: name: eventing-controller-manipulator labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -101,7 +101,7 @@ metadata: name: pingsource-mt-adapter namespace: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 @@ -109,7 +109,7 @@ kind: ClusterRoleBinding metadata: name: knative-eventing-pingsource-mt-adapter labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount 
@@ -126,7 +126,7 @@ metadata: name: eventing-webhook namespace: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 @@ -134,7 +134,7 @@ kind: ClusterRoleBinding metadata: name: eventing-webhook labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -151,7 +151,7 @@ metadata: namespace: knative-eventing name: eventing-webhook labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -167,7 +167,7 @@ kind: ClusterRoleBinding metadata: name: eventing-webhook-resolver labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -183,7 +183,7 @@ kind: ClusterRoleBinding metadata: name: eventing-webhook-podspecable-binding labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -200,7 +200,7 @@ metadata: name: config-br-default-channel namespace: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing data: channel-template-spec: | @@ -213,7 +213,7 @@ metadata: name: config-br-defaults namespace: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing data: default-br-config: | @@ -234,7 +234,7 @@ metadata: name: default-ch-webhook namespace: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing data: default-ch-config: | 
@@ -254,7 +254,7 @@ metadata: labels: annotations: knative.dev/example-checksum: "9185c153" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing data: _example: | @@ -285,15 +285,17 @@ metadata: labels: knative.dev/config-propagation: original knative.dev/config-category: eventing - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing data: kreference-group: "disabled" delivery-retryafter: "disabled" delivery-timeout: "enabled" kreference-mapping: "disabled" - new-trigger-filters: "disabled" + new-trigger-filters: "enabled" transport-encryption: "disabled" + eventtype-auto-create: "disabled" + authentication.oidc: "disabled" --- apiVersion: v1 kind: ConfigMap @@ -334,7 +336,7 @@ metadata: name: config-leader-election namespace: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing annotations: knative.dev/example-checksum: "f7948630" @@ -382,7 +384,7 @@ metadata: labels: knative.dev/config-propagation: original knative.dev/config-category: eventing - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing data: zap-logger-config: | @@ -417,7 +419,7 @@ metadata: labels: knative.dev/config-propagation: original knative.dev/config-category: eventing - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing annotations: knative.dev/example-checksum: "f46cf09d" @@ -476,7 +478,7 @@ metadata: name: config-sugar namespace: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing annotations: knative.dev/example-checksum: "62dfac6f" 
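Review bot: The `@@ -285,15 +285,17 @@` hunk of eventing-core.yaml is more than a version-label bump, and neither the commit message nor the README hunks mention it. It flips `new-trigger-filters` from `"disabled"` to `"enabled"` and adds `eventtype-auto-create: "disabled"` and `authentication.oidc: "disabled"`, while `transport-encryption` stays `"disabled"`, so event delivery still ships without TLS or OIDC sender authentication by default. The file sits under `base/upstream` and appears to be overwritten by the new sync script, so I would not edit it here. Instead, record the defaults in common/knative/README.md, for example `Eventing feature flags follow the upstream v1.12.6 defaults (transport-encryption and authentication.oidc disabled); change them with a kustomize patch, never in base/upstream.` The ConfigMap's name and the start of its metadata are outside the hunk, so confirm which object this is before writing such a patch.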
@@ -520,7 +522,7 @@ metadata: labels: knative.dev/config-propagation: original knative.dev/config-category: eventing - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing annotations: knative.dev/example-checksum: "0492ceb0" @@ -562,7 +564,7 @@ metadata: labels: knative.dev/high-availability: "true" app.kubernetes.io/component: eventing-controller - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: selector: @@ -573,7 +575,7 @@ spec: labels: app: eventing-controller app.kubernetes.io/component: eventing-controller - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: affinity: @@ -590,7 +592,7 @@ spec: containers: - name: eventing-controller terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-releases/knative.dev/eventing/cmd/controller@sha256:92967bab4ad8f7d55ce3a77ba8868f3f2ce173c010958c28b9a690964ad6ee9b + image: gcr.io/knative-releases/knative.dev/eventing/cmd/controller@sha256:7579c5a8b1dee07c382120a8bc1a6594aea4519d0cf652989f5d9a675b11a0de resources: requests: cpu: 100m @@ -607,7 +609,7 @@ spec: - name: METRICS_DOMAIN value: knative.dev/eventing - name: APISERVER_RA_IMAGE - value: gcr.io/knative-releases/knative.dev/eventing/cmd/apiserver_receive_adapter@sha256:828db8155996e40c13b77c1d039dba98153dcfcbe272248e92866bd7b6d6a17d + value: gcr.io/knative-releases/knative.dev/eventing/cmd/apiserver_receive_adapter@sha256:4ed3e39a11f4fc3358787433beaea4a9e72773ea7710bf4beb95aa8770515c9e - name: POD_NAME valueFrom: fieldRef: @@ -652,7 +654,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: pingsource-mt-adapter - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: replicas: 0 
@@ -666,7 +668,7 @@ spec: eventing.knative.dev/source: ping-source-controller sources.knative.dev/role: adapter app.kubernetes.io/component: pingsource-mt-adapter - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: affinity: @@ -682,7 +684,7 @@ spec: enableServiceLinks: false containers: - name: dispatcher - image: gcr.io/knative-releases/knative.dev/eventing/cmd/mtping@sha256:6d35cc98baa098fc0c5b4290859e363a8350a9dadc31d1191b0b5c9796958223 + image: gcr.io/knative-releases/knative.dev/eventing/cmd/mtping@sha256:9d74e8c69d671ad10fdfd84d33569fde5c16c9f95824ea288d2cb6fd69e32f4d env: - name: SYSTEM_NAMESPACE value: '' @@ -739,7 +741,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: scaleTargetRef: @@ -763,7 +765,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: minAvailable: 80% @@ -778,7 +780,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: selector: @@ -791,7 +793,7 @@ spec: app: eventing-webhook role: eventing-webhook app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: affinity: 
@@ -808,7 +810,7 @@ spec: containers: - name: eventing-webhook terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-releases/knative.dev/eventing/cmd/webhook@sha256:ebf93652f0254ac56600bedf4a7d81611b3e1e7f6526c6998da5dd24cdc67ee1 + image: gcr.io/knative-releases/knative.dev/eventing/cmd/webhook@sha256:cd577cb977a2830b29bb799cf146bbffe0241d65eef1c680ec158af97b18d4fa resources: requests: cpu: 100m @@ -876,7 +878,7 @@ metadata: labels: role: eventing-webhook app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing name: eventing-webhook namespace: knative-eventing 
@@ -896,17 +898,35 @@ metadata: eventing.knative.dev/source: "true" duck.knative.dev/source: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing annotations: registry.knative.dev/eventTypes: | [ - { "type": "dev.knative.apiserver.resource.add" }, - { "type": "dev.knative.apiserver.resource.delete" }, - { "type": "dev.knative.apiserver.resource.update" }, - { "type": "dev.knative.apiserver.ref.add" }, - { "type": "dev.knative.apiserver.ref.delete" }, - { "type": "dev.knative.apiserver.ref.update" } + { + "type": "dev.knative.apiserver.resource.add", + "description": "CloudEvent type used for add operations when in Resource mode" + }, + { + "type": "dev.knative.apiserver.resource.delete", + "description": "CloudEvent type used for delete operations when in Resource mode" + }, + { + "type": "dev.knative.apiserver.resource.update", + "description": "CloudEvent type used for update operations when in Resource mode" + }, + { + "type": "dev.knative.apiserver.ref.add", + "description": "CloudEvent type used for add operations when in Reference mode" + }, + { + "type": "dev.knative.apiserver.ref.delete", + "description": "CloudEvent type used for delete operations when in Reference mode" + }, + { + "type": "dev.knative.apiserver.ref.update", + "description": "CloudEvent type used for update operations when in Reference mode" + } ] name: apiserversources.sources.knative.dev spec: 
@@ -1011,6 +1031,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string namespaceSelector: description: NamespaceSelector is a label selector to capture the namespaces that should be watched by the source. type: object @@ -1043,6 +1069,13 @@ spec: description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. type: object x-kubernetes-preserve-unknown-fields: true + auth: + description: Auth provides the relevant information for OIDC authentication. + type: object + properties: + serviceAccountName: + description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication. + type: string ceAttributes: description: CloudEventAttributes are the specific attributes that the Source uses as part of its CloudEvents. type: array 
@@ -1089,6 +1122,9 @@ spec: sinkUri: description: SinkURI is the current active sink URI that has been configured for the Source. type: string + sinkCACerts: + description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string namespaces: description: Namespaces show the namespaces currently watched by the ApiServerSource type: array @@ -1124,7 +1160,7 @@ metadata: labels: knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: group: eventing.knative.dev @@ -1192,6 +1228,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. type: integer 
@@ -1205,8 +1247,28 @@ spec: description: Broker is Addressable. It exposes the endpoint as an URI to get events delivered into the Broker mesh. type: object properties: + name: + type: string url: type: string + CACerts: + type: string + audience: + type: string + addresses: + description: Broker is Addressable. It exposes the endpoints as URIs to get events delivered into the Broker mesh. + type: array + items: + type: object + properties: + name: + type: string + url: + type: string + CACerts: + type: string + audience: + type: string annotations: description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. type: object @@ -1241,6 +1303,9 @@ spec: deadLetterSinkUri: description: DeadLetterSinkURI is the resolved URI of the dead letter sink that will be used as a fallback when not specified by Triggers. type: string + deadLetterSinkCACerts: + description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string observedGeneration: description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. type: integer @@ -1280,7 +1345,7 @@ metadata: knative.dev/crd-install: "true" messaging.knative.dev/subscribable: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: group: messaging.knative.dev 
@@ -1359,6 +1424,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. type: integer @@ -1415,9 +1486,21 @@ spec: replyUri: description: ReplyURI is the endpoint for the reply type: string + replyCACerts: + description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string + replyAudience: + description: ReplyAudience is the OIDC audience for the replyUri. + type: string subscriberUri: description: SubscriberURI is the endpoint for the subscriber type: string + subscriberCACerts: + description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string + subscriberAudience: + description: SubscriberAudience is the OIDC audience for the subscriberUri. + type: string uid: description: UID is used to understand the origin of the subscriber. type: string 
@@ -1426,10 +1509,31 @@ spec: type: object properties: address: + description: Channel is Addressable. It exposes the endpoint as an URI to get events delivered into the Channel mesh. type: object properties: + name: + type: string url: type: string + CACerts: + type: string + audience: + type: string + addresses: + description: Channel is Addressable. It exposes the endpoints as URIs to get events delivered into the Channel mesh. + type: array + items: + type: object + properties: + name: + type: string + url: + type: string + CACerts: + type: string + audience: + type: string annotations: description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. type: object @@ -1496,6 +1600,9 @@ spec: deadLetterSinkUri: description: DeadLetterSinkURI is the resolved URI of the dead letter sink that will be used as a fallback when not specified by Triggers. type: string + deadLetterSinkCACerts: + description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string observedGeneration: description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. type: integer @@ -1519,6 +1626,13 @@ spec: uid: description: UID is used to understand the origin of the subscriber. type: string + auth: + description: Auth provides the relevant information for OIDC authentication. + type: object + properties: + serviceAccountName: + description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication. + type: string names: kind: Channel plural: channels 
@@ -1539,7 +1653,7 @@ metadata: eventing.knative.dev/source: "true" duck.knative.dev/source: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing name: containersources.sources.knative.dev spec: @@ -1589,6 +1703,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string template: type: object x-kubernetes-preserve-unknown-fields: true @@ -1600,6 +1720,13 @@ spec: description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. type: object x-kubernetes-preserve-unknown-fields: true + auth: + description: Auth provides the relevant information for OIDC authentication. + type: object + properties: + serviceAccountName: + description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication. + type: string ceAttributes: description: CloudEventAttributes are the specific attributes that the Source uses as part of its CloudEvents. type: array 
@@ -1646,6 +1773,9 @@ spec: sinkUri: description: SinkURI is the current active sink URI that has been configured for the Source. type: string + sinkCACerts: + description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string additionalPrinterColumns: - name: Sink type: string @@ -1675,7 +1805,7 @@ metadata: name: eventtypes.eventing.knative.dev labels: knative.dev/crd-install: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: group: eventing.knative.dev @@ -1696,6 +1826,22 @@ spec: properties: broker: type: string + reference: + description: Reference Broker. For example + type: object + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ This is an optional field, it gets defaulted to the object holding it if left out.' + type: string description: description: 'Description is an optional field used to describe the EventType, in any meaningful way.' type: string @@ -1760,9 +1906,12 @@ spec: - name: Schema type: string jsonPath: ".spec.schema" - - name: Broker + - name: Reference Name type: string - jsonPath: ".spec.broker" + jsonPath: ".spec.reference.name" + - name: Reference Kind + type: string + jsonPath: ".spec.reference.kind" - name: Description type: string jsonPath: ".spec.description" 
@@ -1772,6 +1921,117 @@ spec: - name: Reason type: string jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + - subresources: + status: {} + schema: + openAPIV3Schema: + type: object + description: 'EventType represents a type of event that can be consumed from a Broker.' + properties: + spec: + description: 'Spec defines the desired state of the EventType.' + type: object + properties: + broker: + type: string + reference: + description: Reference Broker. For example + type: object + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ This is an optional field, it gets defaulted to the object holding it if left out.' + type: string + description: + description: 'Description is an optional field used to describe the EventType, in any meaningful way.' + type: string + schema: + description: 'Schema is a URI, it represents the CloudEvents schemaurl extension attribute. It may be a JSON schema, a protobuf schema, etc. It is optional.' + type: string + schemaData: + description: 'SchemaData allows the CloudEvents schema to be stored directly in the EventType. Content is dependent on the encoding. Optional attribute. The contents are not validated or manipulated by the system.' + type: string + source: + description: 'Source is a URI, it represents the CloudEvents source.' + type: string + type: + description: 'Type represents the CloudEvents type. It is authoritative.' + type: string + status: + description: 'Status represents the current state of the EventType. 
This data may be out of date.' + type: object + properties: + annotations: + description: 'Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.' + type: object + x-kubernetes-preserve-unknown-fields: true + conditions: + description: 'Conditions the latest available observations of a resource''s current state.' + type: array + items: + type: object + required: + - type + - status + properties: + lastTransitionTime: + description: 'LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).' + type: string + message: + description: 'A human readable message indicating details about the transition.' + type: string + reason: + description: 'The reason for the condition''s last transition.' + type: string + severity: + description: 'Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.' + type: string + status: + description: 'Status of the condition, one of True, False, Unknown.' + type: string + type: + description: 'Type of condition.' + type: string + observedGeneration: + description: 'ObservedGeneration is the ''Generation'' of the Service that was last processed by the controller.' 
+ type: integer + format: int64 + additionalPrinterColumns: + - name: Type + type: string + jsonPath: ".spec.type" + - name: Source + type: string + jsonPath: ".spec.source" + - name: Schema + type: string + jsonPath: ".spec.schema" + - name: Reference Name + type: string + jsonPath: ".spec.reference.name" + - name: Reference Kind + type: string + jsonPath: ".spec.reference.kind" + - name: Description + type: string + jsonPath: ".spec.description" + - name: Ready + type: string + jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" + name: v1beta2 + served: true + storage: false names: kind: EventType plural: eventtypes @@ -1781,6 +2041,14 @@ spec: - knative - eventing scope: Namespaced + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: eventing-webhook + namespace: knative-eventing --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -1789,7 +2057,7 @@ metadata: labels: knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: group: flows.knative.dev 
@@ -1848,6 +2116,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. type: integer @@ -1876,6 +2150,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string reply: description: Reply is a Reference to where the result of Subscriber of this case gets sent to. If not specified, sent the result to the Parallel Reply type: object 
@@ -1899,6 +2179,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string subscriber: description: Subscriber receiving the event when the filter passes type: object @@ -1922,6 +2208,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string channelTemplate: description: ChannelTemplate specifies which Channel CRD to use. If left unspecified, it is set to the default Channel CRD for the namespace (or cluster, in case there are no defaults for the namespace). type: object 
@@ -1959,19 +2251,53 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string status: description: Status represents the current state of the Parallel. This data may be out of date. type: object properties: address: + description: Parallel is Addressable. It exposes the endpoint as an URI to get events delivered into the Parallel. type: object properties: + name: + type: string url: type: string + CACerts: + type: string + audience: + type: string + addresses: + description: Parallel is Addressable. It exposes the endpoints as URIs to get events delivered into the Parallel. + type: array + items: + type: object + properties: + name: + type: string + url: + type: string + CACerts: + type: string + audience: + type: string annotations: description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. type: object x-kubernetes-preserve-unknown-fields: true + auth: + description: Auth provides the relevant information for OIDC authentication. + type: object + properties: + serviceAccountName: + description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication. 
+ type: string branchStatuses: description: BranchStatuses is an array of corresponding to branch statuses. Matches the Spec.Branches array in the order. type: array @@ -2227,12 +2553,15 @@ metadata: eventing.knative.dev/source: "true" duck.knative.dev/source: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing annotations: registry.knative.dev/eventTypes: | [ - { "type": "dev.knative.sources.ping" } + { + "type": "dev.knative.sources.ping", + "description": "CloudEvent type for fixed payloads on a specified cron schedule" + } ] name: pingsources.sources.knative.dev spec: @@ -2297,6 +2626,12 @@ spec: uri: description: 'URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref.' type: string + CACerts: + description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string timezone: description: 'Timezone modifies the actual time relative to the specified timezone. Defaults to the system time zone. More general information about time zones: https://www.iana.org/time-zones List of valid timezone values: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones' type: string 
@@ -2308,6 +2643,13 @@ spec: description: 'Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.' type: object x-kubernetes-preserve-unknown-fields: true + auth: + description: Auth provides the relevant information for OIDC authentication. + type: object + properties: + serviceAccountName: + description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication. + type: string ceAttributes: description: 'CloudEventAttributes are the specific attributes that the Source uses as part of its CloudEvents.' type: array @@ -2354,6 +2696,9 @@ spec: sinkUri: description: 'SinkURI is the current active sink URI that has been configured for the Source.' type: string + sinkCACerts: + description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string additionalPrinterColumns: - name: Sink type: string 
@@ -2426,6 +2771,12 @@ spec: uri: description: 'URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref.' type: string + CACerts: + description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string timezone: description: 'Timezone modifies the actual time relative to the specified timezone. Defaults to the system time zone. More general information about time zones: https://www.iana.org/time-zones List of valid timezone values: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones' type: string @@ -2437,6 +2788,13 @@ spec: description: 'Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.' type: object x-kubernetes-preserve-unknown-fields: true + auth: + description: Auth provides the relevant information for OIDC authentication. + type: object + properties: + serviceAccountName: + description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication. + type: string ceAttributes: description: 'CloudEventAttributes are the specific attributes that the Source uses as part of its CloudEvents.' type: array 
@@ -2483,6 +2841,9 @@ spec: sinkUri: description: 'SinkURI is the current active sink URI that has been configured for the Source.' type: string + sinkCACerts: + description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string additionalPrinterColumns: - name: Sink type: string @@ -2527,7 +2888,7 @@ metadata: labels: knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: group: flows.knative.dev @@ -2583,6 +2944,9 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + type: string + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the reply. steps: description: Steps is the list of Destinations (processors / functions) that will be called in the order provided. Each step has its own delivery options type: array 
@@ -2622,6 +2986,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. type: integer 
@@ -2646,19 +3016,53 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string status: description: Status represents the current state of the Sequence. This data may be out of date. type: object properties: address: + description: Sequence is Addressable. It exposes the endpoint as an URI to get events delivered into the Sequence. type: object properties: + name: + type: string url: type: string + CACerts: + type: string + audience: + type: string + addresses: + description: Sequence is Addressable. It exposes the endpoints as URIs to get events delivered into the Sequence. + type: array + items: + type: object + properties: + name: + type: string + url: + type: string + CACerts: + type: string + audience: + type: string annotations: description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. type: object x-kubernetes-preserve-unknown-fields: true + auth: + description: Auth provides the relevant information for OIDC authentication. + type: object + properties: + serviceAccountName: + description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication. 
+ type: string channelStatuses: description: ChannelStatuses is an array of corresponding Channel statuses. Matches the Spec.Steps array in the order. type: array @@ -2833,7 +3237,7 @@ metadata: duck.knative.dev/source: "true" duck.knative.dev/binding: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing name: sinkbindings.sources.knative.dev spec: @@ -2883,6 +3287,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string subject: description: Subject references the resource(s) whose "runtime contract" should be augmented by Binding implementations. type: object 
@@ -2931,6 +3341,13 @@ spec: description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. type: object x-kubernetes-preserve-unknown-fields: true + auth: + description: Auth provides the relevant information for OIDC authentication. + type: object + properties: + serviceAccountName: + description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication. + type: string ceAttributes: description: CloudEventAttributes are the specific attributes that the Source uses as part of its CloudEvents. type: array @@ -2977,6 +3394,9 @@ spec: sinkUri: description: SinkURI is the current active sink URI that has been configured for the Source. type: string + sinkCACerts: + description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string additionalPrinterColumns: - name: Sink type: string @@ -3007,7 +3427,7 @@ metadata: name: subscriptions.messaging.knative.dev labels: knative.dev/crd-install: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: group: messaging.knative.dev 
@@ -3072,6 +3492,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. type: integer @@ -3100,6 +3526,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string subscriber: description: Subscriber is reference to (optional) function for processing events. Events from the Channel will be delivered here and replies are sent to a Destination as specified by the Reply. type: object 
@@ -3124,6 +3556,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the subscription trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string status: type: object properties: @@ -3131,6 +3569,13 @@ spec: description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. type: object x-kubernetes-preserve-unknown-fields: true + auth: + description: Auth provides the relevant information for OIDC authentication. + type: object + properties: + serviceAccountName: + description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication. + type: string conditions: description: Conditions the latest available observations of a resource's current state. type: array 
@@ -3169,12 +3614,27 @@ spec: deadLetterSinkUri: description: ReplyURI is the fully resolved URI for the spec.delivery.deadLetterSink. type: string + deadLetterSinkCACerts: + description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string replyUri: description: ReplyURI is the fully resolved URI for the spec.reply. type: string + replyCACerts: + description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string + replyAudience: + description: ReplyAudience is the OIDC audience for the replyUri. + type: string subscriberUri: description: SubscriberURI is the fully resolved URI for spec.subscriber. type: string + subscriberCACerts: + description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string + subscriberAudience: + description: SubscriberAudience is the OIDC audience for the subscriberUri. + type: string additionalPrinterColumns: - name: Age type: date @@ -3203,7 +3663,7 @@ metadata: name: triggers.eventing.knative.dev labels: knative.dev/crd-install: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: group: eventing.knative.dev 
@@ -3276,6 +3736,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. type: integer @@ -3311,6 +3777,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string status: description: Status represents the current state of the Trigger. This data may be out of date. type: object 
@@ -3319,6 +3791,13 @@ spec: description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. type: object x-kubernetes-preserve-unknown-fields: true + auth: + description: Auth provides the relevant information for OIDC authentication. + type: object + properties: + serviceAccountName: + description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication. + type: string conditions: description: Conditions the latest available observations of a resource's current state. type: array @@ -3349,6 +3828,9 @@ spec: deadLetterSinkUri: description: DeadLetterSinkURI is the resolved URI of the dead letter sink for this Trigger, in case there is none this will fallback to it's Broker status DeadLetterSinkURI. type: string + deadLetterSinkCACerts: + description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string observedGeneration: description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. type: integer @@ -3356,6 +3838,9 @@ spec: subscriberUri: description: SubscriberURI is the resolved URI of the receiver for this Trigger. type: string + subscriberCACerts: + description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string names: kind: Trigger plural: triggers @@ -3371,7 +3856,7 @@ kind: ClusterRole metadata: name: addressable-resolver labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing aggregationRule: clusterRoleSelectors: 
@@ -3385,7 +3870,7 @@ metadata: name: service-addressable-resolver labels: duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3403,7 +3888,7 @@ metadata: name: serving-addressable-resolver labels: duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3424,7 +3909,7 @@ metadata: name: channel-addressable-resolver labels: duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3449,7 +3934,7 @@ metadata: name: broker-addressable-resolver labels: duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3468,7 +3953,7 @@ metadata: name: flows-addressable-resolver labels: duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3488,7 +3973,7 @@ kind: ClusterRole metadata: name: eventing-broker-filter labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3514,7 +3999,7 @@ kind: ClusterRole metadata: name: eventing-broker-ingress labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3531,7 +4016,7 @@ kind: ClusterRole metadata: name: eventing-config-reader labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: 
@@ -3548,7 +4033,7 @@ kind: ClusterRole metadata: name: channelable-manipulator labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing aggregationRule: clusterRoleSelectors: @@ -3562,7 +4047,7 @@ metadata: name: meta-channelable-manipulator labels: duck.knative.dev/channelable: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3585,7 +4070,7 @@ metadata: name: knative-eventing-namespaced-admin labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["eventing.knative.dev"] @@ -3598,7 +4083,7 @@ metadata: name: knative-messaging-namespaced-admin labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["messaging.knative.dev"] @@ -3611,7 +4096,7 @@ metadata: name: knative-flows-namespaced-admin labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["flows.knative.dev"] @@ -3624,7 +4109,7 @@ metadata: name: knative-sources-namespaced-admin labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["sources.knative.dev"] @@ -3637,7 +4122,7 @@ metadata: name: knative-bindings-namespaced-admin labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["bindings.knative.dev"] 
@@ -3649,8 +4134,8 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: knative-eventing-namespaced-edit labels: - rbac.authorization.k8s.io/aggregate-to-view: "true" - app.kubernetes.io/version: "1.10.1" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["eventing.knative.dev", "messaging.knative.dev", "sources.knative.dev", "flows.knative.dev", "bindings.knative.dev"] @@ -3663,7 +4148,7 @@ metadata: name: knative-eventing-namespaced-view labels: rbac.authorization.k8s.io/aggregate-to-view: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["eventing.knative.dev", "messaging.knative.dev", "sources.knative.dev", "flows.knative.dev", "bindings.knative.dev"] @@ -3675,7 +4160,7 @@ kind: ClusterRole metadata: name: knative-eventing-controller labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3826,7 +4311,7 @@ kind: ClusterRole metadata: name: knative-eventing-pingsource-mt-adapter labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3877,7 +4362,7 @@ kind: ClusterRole metadata: name: podspecable-binding labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing aggregationRule: clusterRoleSelectors: @@ -3891,7 +4376,7 @@ metadata: name: builtin-podspecable-binding labels: duck.knative.dev/podspecable: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: 
@@ -3919,7 +4404,7 @@ kind: ClusterRole metadata: name: source-observer labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing aggregationRule: clusterRoleSelectors: @@ -3933,7 +4418,7 @@ metadata: name: eventing-sources-source-observer labels: duck.knative.dev/source: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -3953,7 +4438,7 @@ kind: ClusterRole metadata: name: knative-eventing-sources-controller labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -4053,7 +4538,7 @@ kind: ClusterRole metadata: name: knative-eventing-webhook labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -4142,6 +4627,18 @@ rules: - "list" - "create" - "patch" + - apiGroups: + - "" + resources: + - "serviceaccounts" + verbs: + - "get" + - "list" + - "create" + - "update" + - "delete" + - "patch" + - "watch" - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] @@ -4152,7 +4649,7 @@ metadata: namespace: knative-eventing name: knative-eventing-webhook labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -4172,7 +4669,7 @@ kind: ValidatingWebhookConfiguration metadata: name: config.webhook.eventing.knative.dev labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1", "v1beta1"] 
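Review bot: The rule added in the `@@ -4142,6 +4627,18 @@` hunk grants `create`, `update`, `delete` and `patch` on core `serviceaccounts` from a ClusterRole, and nothing in the manifest or the commit message records why. The enclosing ClusterRole starts outside the hunk; going by the preceding hunk it appears to be `knative-eventing-webhook`. The grant presumably supports the generated OIDC service accounts that the CRD changes in this commit describe (`auth.serviceAccountName`), but that is an inference from names. Because this file is synced from upstream, I would record it in `common/knative/README.md` instead of editing it here, for example `knative-eventing-webhook may now create and delete ServiceAccounts (upstream 1.12.6, presumably for OIDC)`. Whether the role is bound cluster-wide, and whether the grant is needed while that feature is unused, should also be confirmed.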
@@ -4192,7 +4689,7 @@ kind: MutatingWebhookConfiguration metadata: name: webhook.eventing.knative.dev labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1", "v1beta1"] @@ -4210,7 +4707,7 @@ kind: ValidatingWebhookConfiguration metadata: name: validation.webhook.eventing.knative.dev labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1", "v1beta1"] @@ -4229,7 +4726,7 @@ metadata: name: eventing-webhook-certs namespace: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing --- apiVersion: admissionregistration.k8s.io/v1 @@ -4237,7 +4734,7 @@ kind: MutatingWebhookConfiguration metadata: name: sinkbindings.webhook.sources.knative.dev labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1", "v1beta1"] @@ -4250,3 +4747,4 @@ webhooks: name: sinkbindings.webhook.sources.knative.dev timeoutSeconds: 10 --- + diff --git a/common/knative/knative-eventing/base/upstream/in-memory-channel.yaml b/common/knative/knative-eventing/base/upstream/in-memory-channel.yaml index 8d3f25819e..aee529742d 100644 --- a/common/knative/knative-eventing/base/upstream/in-memory-channel.yaml +++ b/common/knative/knative-eventing/base/upstream/in-memory-channel.yaml @@ -4,7 +4,7 @@ metadata: name: imc-controller namespace: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 
@@ -12,7 +12,7 @@ kind: ClusterRoleBinding metadata: name: imc-controller labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -29,7 +29,7 @@ metadata: namespace: knative-eventing name: imc-controller labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -45,7 +45,7 @@ kind: ClusterRoleBinding metadata: name: imc-controller-resolver labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -62,7 +62,7 @@ metadata: name: imc-dispatcher namespace: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 @@ -70,7 +70,7 @@ kind: ClusterRoleBinding metadata: name: imc-dispatcher labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -81,6 +81,35 @@ roleRef: name: imc-dispatcher apiGroup: rbac.authorization.k8s.io --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: imc-dispatcher-tls-role-binding + namespace: knative-eventing +subjects: + - kind: ServiceAccount + name: imc-dispatcher + apiGroup: "" +roleRef: + kind: Role + name: imc-dispatcher-tls-role + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: imc-dispatcher-tls-role + namespace: knative-eventing +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- apiVersion: v1 kind: ConfigMap metadata: 
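Review bot: The new `imc-dispatcher-tls-role` in the `@@ -81,6 +81,35 @@` hunk lets the dispatcher `get`, `list` and `watch` every Secret in `knative-eventing`, not only its own TLS material. The `mt-broker-filter` and `mt-broker-ingress` Roles added in mt-channel-broker.yaml have the same shape. The same namespace declares `eventing-webhook-certs` and `inmemorychannel-webhook-certs`, so these data-plane service accounts can presumably read the webhook key material as well. Least privilege would add `resourceNames: ["<tls-secret-name>"]` to each rule; the secret name is not shown in this diff, and a name-scoped `list`/`watch` may need upstream support, so this is probably an upstream issue plus a kustomize patch here. The three new objects also lack the `app.kubernetes.io/version` and `app.kubernetes.io/name` labels that the other objects in these files carry.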
@@ -88,7 +117,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: imc-controller - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing data: MaxIdleConnections: "1000" @@ -102,7 +131,7 @@ metadata: labels: knative.dev/high-availability: "true" app.kubernetes.io/component: imc-controller - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: selector: @@ -115,7 +144,7 @@ spec: messaging.knative.dev/channel: in-memory-channel messaging.knative.dev/role: controller app.kubernetes.io/component: imc-controller - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: affinity: @@ -132,7 +161,7 @@ spec: enableServiceLinks: false containers: - name: controller - image: gcr.io/knative-releases/knative.dev/eventing/cmd/in_memory/channel_controller@sha256:e004174a896811aec46520b1f2857f1973762389426bb0e0fc5d2332d5e36c7a + image: gcr.io/knative-releases/knative.dev/eventing/cmd/in_memory/channel_controller@sha256:5386029f1fdcce1398dcca436864051a2f7eb5abed176453104f41b7b9b587f9 env: - name: WEBHOOK_NAME value: inmemorychannel-webhook @@ -149,7 +178,7 @@ spec: fieldRef: fieldPath: metadata.namespace - name: DISPATCHER_IMAGE - value: gcr.io/knative-releases/knative.dev/eventing/cmd/in_memory/channel_dispatcher@sha256:521234b4cff9d3cd32f8264cd7c830caa06f9982637b4866e983591fa1abc418 + value: gcr.io/knative-releases/knative.dev/eventing/cmd/in_memory/channel_dispatcher@sha256:fa64db1ad126874f4e5ce1c17c2414b0fc3dde2a7e0db6fde939cafdbd4d96cd - name: POD_NAME valueFrom: fieldRef: @@ -194,7 +223,7 @@ kind: Service metadata: labels: app.kubernetes.io/component: imc-controller - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing name: inmemorychannel-webhook namespace: knative-eventing 
@@ -222,7 +251,7 @@ metadata: messaging.knative.dev/channel: in-memory-channel messaging.knative.dev/role: dispatcher app.kubernetes.io/component: imc-dispatcher - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: selector: @@ -233,6 +262,10 @@ spec: port: 80 protocol: TCP targetPort: 8080 + - name: https-dispatcher + port: 443 + protocol: TCP + targetPort: 8443 - name: http-metrics port: 9090 targetPort: 9090 @@ -245,7 +278,7 @@ metadata: labels: knative.dev/high-availability: "true" app.kubernetes.io/component: imc-dispatcher - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: selector: @@ -258,7 +291,7 @@ spec: messaging.knative.dev/channel: in-memory-channel messaging.knative.dev/role: dispatcher app.kubernetes.io/component: imc-dispatcher - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: affinity: @@ -275,7 +308,7 @@ spec: enableServiceLinks: false containers: - name: dispatcher - image: gcr.io/knative-releases/knative.dev/eventing/cmd/in_memory/channel_dispatcher@sha256:521234b4cff9d3cd32f8264cd7c830caa06f9982637b4866e983591fa1abc418 + image: gcr.io/knative-releases/knative.dev/eventing/cmd/in_memory/channel_dispatcher@sha256:fa64db1ad126874f4e5ce1c17c2414b0fc3dde2a7e0db6fde939cafdbd4d96cd readinessProbe: failureThreshold: 3 httpGet: @@ -320,6 +353,9 @@ spec: - containerPort: 8080 name: http protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP - containerPort: 9090 name: metrics securityContext: @@ -340,7 +376,7 @@ metadata: knative.dev/crd-install: "true" messaging.knative.dev/subscribable: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: group: messaging.knative.dev 
@@ -392,6 +428,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. type: integer @@ -436,6 +478,12 @@ spec: uri: description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref. type: string + CACerts: + description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. + type: string + audience: + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. type: integer 
@@ -448,9 +496,21 @@ spec: replyUri: description: ReplyURI is the endpoint for the reply type: string + replyCACerts: + description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string + replyAudience: + description: ReplyAudience is the OIDC audience for the replyUri. + type: string subscriberUri: description: SubscriberURI is the endpoint for the subscriber type: string + subscriberCACerts: + description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string + subscriberAudience: + description: SubscriberAudience is the OIDC audience for the subscriberUri. + type: string uid: description: UID is used to understand the origin of the subscriber. type: string @@ -459,10 +519,31 @@ spec: type: object properties: address: + description: InMemoryChannel is Addressable. It exposes the endpoint as an URI to get events delivered into the channel mesh. type: object properties: + name: + type: string url: type: string + CACerts: + type: string + audience: + type: string + addresses: + description: InMemoryChannel is Addressable. It exposes the endpoints as URIs to get events delivered into the channel mesh. + type: array + items: + type: object + properties: + name: + type: string + url: + type: string + CACerts: + type: string + audience: + type: string annotations: description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. type: object 
@@ -513,6 +594,9 @@ spec: deadLetterSinkUri: description: DeadLetterSinkURI is the resolved URI of the dead letter ref if one is specified in the Spec.Delivery. type: string + deadLetterSinkCACerts: + description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string observedGeneration: description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. type: integer @@ -536,6 +620,13 @@ spec: uid: description: UID is used to understand the origin of the subscriber. type: string + auth: + description: Auth provides the relevant information for OIDC authentication. + type: object + properties: + serviceAccountName: + description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication. + type: string additionalPrinterColumns: - name: URL type: string @@ -568,7 +659,7 @@ metadata: name: imc-addressable-resolver labels: duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -587,7 +678,7 @@ metadata: name: imc-channelable-manipulator labels: duck.knative.dev/channelable: "true" - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -609,7 +700,7 @@ kind: ClusterRole metadata: name: imc-controller labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -748,7 +839,7 @@ kind: ClusterRole metadata: name: imc-dispatcher labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: 
@@ -794,6 +885,15 @@ rules: - create - update - patch + - apiGroups: + - eventing.knative.dev + resources: + - eventtypes + verbs: + - create + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -801,7 +901,7 @@ metadata: namespace: knative-eventing name: knative-inmemorychannel-webhook labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -821,7 +921,7 @@ kind: MutatingWebhookConfiguration metadata: name: inmemorychannel.eventing.knative.dev labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1"] @@ -839,7 +939,7 @@ kind: ValidatingWebhookConfiguration metadata: name: validation.inmemorychannel.eventing.knative.dev labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1"] @@ -858,7 +958,7 @@ metadata: name: inmemorychannel-webhook-certs namespace: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing --- diff --git a/common/knative/knative-eventing/base/upstream/mt-channel-broker.yaml b/common/knative/knative-eventing/base/upstream/mt-channel-broker.yaml index 9c045d9e7a..94fddb06a4 100644 --- a/common/knative/knative-eventing/base/upstream/mt-channel-broker.yaml +++ b/common/knative/knative-eventing/base/upstream/mt-channel-broker.yaml @@ -3,7 +3,7 @@ kind: ClusterRole metadata: name: knative-eventing-mt-channel-broker-controller labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: 
@@ -30,7 +30,7 @@ kind: ClusterRole metadata: name: knative-eventing-mt-broker-filter labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -51,13 +51,28 @@ rules: - list - watch --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mt-broker-filter + namespace: knative-eventing +rules: + - apiGroups: + - "" + resources: + - "secrets" + verbs: + - get + - list + - watch +--- apiVersion: v1 kind: ServiceAccount metadata: name: mt-broker-filter namespace: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 @@ -65,9 +80,18 @@ kind: ClusterRole metadata: name: knative-eventing-mt-broker-ingress labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing rules: + - apiGroups: + - eventing.knative.dev + resources: + - eventtypes + verbs: + - create + - get + - list + - watch - apiGroups: - eventing.knative.dev resources: @@ -85,13 +109,28 @@ rules: - list - watch --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mt-broker-ingress + namespace: knative-eventing +rules: + - apiGroups: + - "" + resources: + - "secrets" + verbs: + - get + - list + - watch +--- apiVersion: v1 kind: ServiceAccount metadata: name: mt-broker-ingress namespace: knative-eventing labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 @@ -99,7 +138,7 @@ kind: ClusterRoleBinding metadata: name: eventing-mt-channel-broker-controller labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount 
@@ -115,7 +154,7 @@ kind: ClusterRoleBinding metadata: name: knative-eventing-mt-broker-filter labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -127,11 +166,25 @@ roleRef: apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mt-broker-filter + namespace: knative-eventing +subjects: + - kind: ServiceAccount + name: mt-broker-filter + namespace: knative-eventing +roleRef: + kind: Role + name: mt-broker-filter + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: knative-eventing-mt-broker-ingress labels: - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -142,6 +195,20 @@ roleRef: name: knative-eventing-mt-broker-ingress apiGroup: rbac.authorization.k8s.io --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mt-broker-ingress + namespace: knative-eventing +subjects: + - kind: ServiceAccount + name: mt-broker-ingress + namespace: knative-eventing +roleRef: + kind: Role + name: mt-broker-ingress + apiGroup: rbac.authorization.k8s.io +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -149,7 +216,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: broker-filter - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: selector: @@ -160,7 +227,7 @@ spec: labels: eventing.knative.dev/brokerRole: filter app.kubernetes.io/component: broker-filter - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: serviceAccountName: mt-broker-filter 
@@ -168,7 +235,7 @@ spec: containers: - name: filter terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-releases/knative.dev/eventing/cmd/broker/filter@sha256:29bd9f43359153c0ea39cf382d5f25ca43f55abbbce3d802ca37cc4d5c4a6942 + image: gcr.io/knative-releases/knative.dev/eventing/cmd/broker/filter@sha256:4e3cf0703024129c60b66529f41a1d29310f61f6aced24d25fd241e43b1a2e8e readinessProbe: failureThreshold: 3 httpGet: @@ -196,6 +263,9 @@ spec: - containerPort: 8080 name: http protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP - containerPort: 9092 name: metrics protocol: TCP @@ -225,6 +295,8 @@ spec: value: knative.dev/internal/eventing - name: FILTER_PORT value: "8080" + - name: FILTER_PORT_HTTPS + value: "8443" securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true @@ -241,7 +313,7 @@ metadata: labels: eventing.knative.dev/brokerRole: filter app.kubernetes.io/component: broker-filter - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing name: broker-filter namespace: knative-eventing @@ -251,6 +323,10 @@ spec: port: 80 protocol: TCP targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 - name: http-metrics port: 9092 protocol: TCP @@ -265,7 +341,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: broker-ingress - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: selector: @@ -276,7 +352,7 @@ spec: labels: eventing.knative.dev/brokerRole: ingress app.kubernetes.io/component: broker-ingress - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: serviceAccountName: mt-broker-ingress 
@@ -284,7 +360,7 @@ spec: containers: - name: ingress terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-releases/knative.dev/eventing/cmd/broker/ingress@sha256:7f3b05f6e0abae19e9438fac44dd9938ddd2293014ef0fb8d388450c9ff63000 + image: gcr.io/knative-releases/knative.dev/eventing/cmd/broker/ingress@sha256:65412cf797d0bb7c7e22454431f57f8d9dcedf93620769f4c1206947acf05abb readinessProbe: failureThreshold: 3 httpGet: @@ -312,6 +388,9 @@ spec: - containerPort: 8080 name: http protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP - containerPort: 9092 name: metrics protocol: TCP @@ -341,6 +420,8 @@ spec: value: knative.dev/internal/eventing - name: INGRESS_PORT value: "8080" + - name: INGRESS_PORT_HTTPS + value: "8443" securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true @@ -357,7 +438,7 @@ metadata: labels: eventing.knative.dev/brokerRole: ingress app.kubernetes.io/component: broker-ingress - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing name: broker-ingress namespace: knative-eventing @@ -367,6 +448,10 @@ spec: port: 80 protocol: TCP targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 - name: http-metrics port: 9092 protocol: TCP @@ -381,7 +466,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: mt-broker-controller - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: selector: @@ -392,7 +477,7 @@ spec: labels: app: mt-broker-controller app.kubernetes.io/component: broker-controller - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: affinity: 
@@ -409,7 +494,7 @@ spec: containers: - name: mt-broker-controller terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-releases/knative.dev/eventing/cmd/mtchannel_broker@sha256:4040ffc2d34e950b7969b4ba90cec29e65e506126ddb195faf3a56cb2fa653e8 + image: gcr.io/knative-releases/knative.dev/eventing/cmd/mtchannel_broker@sha256:9dc9e0b00325f1ec994ef6f48761ba7d9217333fa0c2cbfccfa9b204e3f616a9 resources: requests: cpu: 100m @@ -451,7 +536,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: broker-ingress - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: scaleTargetRef: @@ -475,7 +560,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: broker-filter - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.6" app.kubernetes.io/name: knative-eventing spec: scaleTargetRef: diff --git a/common/knative/knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml b/common/knative/knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml index 60a6b69a46..aa50b92583 100644 --- a/common/knative/knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml +++ b/common/knative/knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml @@ -7,7 +7,7 @@ metadata: app: storage-version-migration-serving app.kubernetes.io/name: knative-serving app.kubernetes.io/component: storage-version-migration-job - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" name: storage-version-migration-serving spec: ttlSecondsAfterFinished: 600 
@@ -20,18 +20,19 @@ spec: app: storage-version-migration-serving app.kubernetes.io/name: knative-serving app.kubernetes.io/component: storage-version-migration-job - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" spec: serviceAccountName: controller restartPolicy: OnFailure containers: - name: migrate - image: gcr.io/knative-releases/knative.dev/pkg/apiextensions/storageversion/cmd/migrate@sha256:bc91e1fdaf3b67876ca33de1ce15b1268ed0ca8da203102b7699286fae97cf58 + image: gcr.io/knative-releases/knative.dev/pkg/apiextensions/storageversion/cmd/migrate@sha256:232d6ffd88dfc0d0ec02c6f3a95520283d076c16b77543cee04f4ef276e0b7ae args: - "services.serving.knative.dev" - "configurations.serving.knative.dev" - "revisions.serving.knative.dev" - "routes.serving.knative.dev" + - "domainmappings.serving.knative.dev" resources: requests: cpu: 100m diff --git a/common/knative/knative-serving/base/upstream/net-istio.yaml b/common/knative/knative-serving/base/upstream/net-istio.yaml index b857cb50db..cebf3fea5f 100644 --- a/common/knative/knative-serving/base/upstream/net-istio.yaml +++ b/common/knative/knative-serving/base/upstream/net-istio.yaml @@ -5,7 +5,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" serving.knative.dev/controller: "true" networking.knative.dev/ingress-provider: istio rules: @@ -21,7 +21,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" networking.knative.dev/ingress-provider: istio spec: selector: @@ -42,7 +42,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" networking.knative.dev/ingress-provider: istio spec: selector: 
@@ -63,7 +63,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" networking.knative.dev/ingress-provider: istio experimental.istio.io/disable-gateway-port-translation: "true" spec: @@ -83,7 +83,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" networking.knative.dev/ingress-provider: istio data: _example: | @@ -124,11 +124,6 @@ data: # will search for the local gateway in the serving system namespace # `knative-serving` local-gateway.knative-serving.knative-local-gateway: "knative-local-gateway.istio-system.svc.cluster.local" - - # If true, knative will use the Istio VirtualService's status to determine - # endpoint readiness. Otherwise, probe as usual. - # NOTE: This feature is currently experimental and should not be used in production. - enable-virtualservice-status: "false" --- apiVersion: "security.istio.io/v1beta1" kind: "PeerAuthentication" @@ -138,7 +133,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" networking.knative.dev/ingress-provider: istio spec: selector: 
@@ -150,31 +145,13 @@ spec: --- apiVersion: "security.istio.io/v1beta1" kind: "PeerAuthentication" -metadata: - name: "domainmapping-webhook" - namespace: "knative-serving" - labels: - app.kubernetes.io/component: net-istio - app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" - networking.knative.dev/ingress-provider: istio -spec: - selector: - matchLabels: - app: domainmapping-webhook - portLevelMtls: - "8443": - mode: PERMISSIVE ---- -apiVersion: "security.istio.io/v1beta1" -kind: "PeerAuthentication" metadata: name: "net-istio-webhook" namespace: "knative-serving" labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" networking.knative.dev/ingress-provider: istio spec: selector: @@ -192,7 +169,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" networking.knative.dev/ingress-provider: istio spec: selector: @@ -206,12 +183,12 @@ spec: app: net-istio-controller app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" spec: serviceAccountName: controller containers: - name: controller - image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:421aa67057240fa0c56ebf2c6e5b482a12842005805c46e067129402d1751220 + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:5782b4a6b1a106d7cafe77d044b30905a9fecbbd2e0029946cb8a4b3507b40a4 resources: requests: cpu: 30m @@ -271,7 +248,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" networking.knative.dev/ingress-provider: istio spec: selector: 
@@ -285,12 +262,12 @@ spec: role: net-istio-webhook app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" spec: serviceAccountName: controller containers: - name: webhook - image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:bfa1dfea77aff6dfa7959f4822d8e61c4f7933053874cd3f27352323e6ecd985 + image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:eeff0ad31550f3ff519d988bb36bfe214e5b60c1ec4349c1f9bb2b2d8cad9479 resources: requests: cpu: 20m @@ -356,7 +333,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" networking.knative.dev/ingress-provider: istio --- apiVersion: v1 @@ -368,7 +345,7 @@ metadata: role: net-istio-webhook app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" networking.knative.dev/ingress-provider: istio spec: ports: @@ -391,7 +368,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" networking.knative.dev/ingress-provider: istio webhooks: - admissionReviewVersions: @@ -415,7 +392,7 @@ metadata: labels: app.kubernetes.io/component: net-istio app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.1" + app.kubernetes.io/version: "1.12.3" networking.knative.dev/ingress-provider: istio webhooks: - admissionReviewVersions: @@ -433,4 +410,13 @@ webhooks: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: net-istio --- +apiVersion: v1 +kind: Secret +metadata: + name: routing-serving-certs + namespace: istio-system + labels: + serving-certs-ctrl: "data-plane-routing" + networking.internal.knative.dev/certificate-uid: "serving-certs" +--- 
diff --git a/common/knative/knative-serving/base/upstream/serving-core.yaml b/common/knative/knative-serving/base/upstream/serving-core.yaml index f87729b127..be638c4621 100644 --- a/common/knative/knative-serving/base/upstream/serving-core.yaml +++ b/common/knative/knative-serving/base/upstream/serving-core.yaml @@ -4,14 +4,48 @@ metadata: name: knative-serving labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: knative-serving-activator + namespace: knative-serving + labels: + serving.knative.dev/controller: "true" + app.kubernetes.io/version: "1.12.4" + app.kubernetes.io/name: knative-serving +rules: + - apiGroups: [""] + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + resourceNames: ["routing-serving-certs", "knative-serving-certs"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: knative-serving-activator-cluster + labels: + serving.knative.dev/controller: "true" + app.kubernetes.io/version: "1.12.4" + app.kubernetes.io/name: knative-serving +rules: + - apiGroups: [""] + resources: ["services", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["serving.knative.dev"] + resources: ["revisions"] + verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: knative-serving-aggregated-addressable-resolver labels: - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" app.kubernetes.io/name: knative-serving aggregationRule: clusterRoleSelectors: 
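Review bot: The first rule of the new `knative-serving-activator` Role already grants `get`, `list` and `watch` on every Secret in `knative-serving`, so the second rule's `resourceNames: ["routing-serving-certs", "knative-serving-certs"]` restriction has no effect, because RBAC rules are additive. If the activator only needs those two certificate Secrets (the hunk does not show what else it reads), the first rule could be narrowed to `resources: ["configmaps"]`. A client that lists or watches Secrets without a name field selector would then be denied, so the narrowed rule needs testing against the activator before adoption. Since this file is synced from upstream, the change belongs in a kustomize patch or an upstream issue rather than an edit here. Until then, the `activator` ServiceAccount bound to this Role later in the file should be treated as able to read all Secrets in the namespace.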
@@ -23,7 +57,7 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: knative-serving-addressable-resolver labels: - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" app.kubernetes.io/name: knative-serving duck.knative.dev/addressable: "true" rules: @@ -45,7 +79,7 @@ metadata: name: knative-serving-namespaced-admin labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" app.kubernetes.io/name: knative-serving rules: - apiGroups: ["serving.knative.dev"] @@ -61,7 +95,7 @@ metadata: name: knative-serving-namespaced-edit labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" app.kubernetes.io/name: knative-serving rules: - apiGroups: ["serving.knative.dev"] @@ -77,7 +111,7 @@ metadata: name: knative-serving-namespaced-view labels: rbac.authorization.k8s.io/aggregate-to-view: "true" - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" app.kubernetes.io/name: knative-serving rules: - apiGroups: ["serving.knative.dev", "networking.internal.knative.dev", "autoscaling.internal.knative.dev", "caching.internal.knative.dev"] @@ -90,7 +124,7 @@ metadata: name: knative-serving-core labels: serving.knative.dev/controller: "true" - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" app.kubernetes.io/name: knative-serving rules: - apiGroups: [""] @@ -129,7 +163,7 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: knative-serving-podspecable-binding labels: - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" app.kubernetes.io/name: knative-serving duck.knative.dev/podspecable: "true" rules: 
@@ -151,7 +185,7 @@ metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -159,7 +193,7 @@ metadata: name: knative-serving-admin labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" aggregationRule: clusterRoleSelectors: - matchLabels: @@ -172,7 +206,7 @@ metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" subjects: - kind: ServiceAccount name: controller @@ -189,7 +223,7 @@ metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" subjects: - kind: ServiceAccount name: controller 
@@ -199,13 +233,58 @@ roleRef: name: knative-serving-aggregated-addressable-resolver apiGroup: rbac.authorization.k8s.io --- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: activator + namespace: knative-serving + labels: + app.kubernetes.io/component: activator + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.12.4" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: knative-serving-activator + namespace: knative-serving + labels: + app.kubernetes.io/component: activator + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.12.4" +subjects: + - kind: ServiceAccount + name: activator + namespace: knative-serving +roleRef: + kind: Role + name: knative-serving-activator + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: knative-serving-activator-cluster + labels: + app.kubernetes.io/component: activator + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.12.4" +subjects: + - kind: ServiceAccount + name: activator + namespace: knative-serving +roleRef: + kind: ClusterRole + name: knative-serving-activator-cluster + apiGroup: rbac.authorization.k8s.io +--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: images.caching.internal.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" knative.dev/crd-install: "true" spec: group: caching.internal.knative.dev @@ -312,7 +391,7 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: networking - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" knative.dev/crd-install: "true" spec: group: networking.internal.knative.dev 
@@ -444,7 +523,7 @@ metadata: name: configurations.serving.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" knative.dev/crd-install: "true" duck.knative.dev/podspecable: "true" spec: @@ -671,6 +750,19 @@ spec: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. type: integer format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + type: string httpGet: description: HTTPGet specifies the http request to perform. type: object @@ -689,7 +781,7 @@ spec: - value properties: name: - description: The header field name + description: The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header. type: string value: description: The header field value 
@@ -779,6 +871,19 @@ spec: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. type: integer format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + type: string httpGet: description: HTTPGet specifies the http request to perform. type: object @@ -797,7 +902,7 @@ spec: - value properties: name: - description: The header field name + description: The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header. type: string value: description: The header field value 
@@ -847,6 +952,21 @@ spec: description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object properties: + claims: + description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers." + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object 
@@ -857,7 +977,7 @@ spec: - type: string x-kubernetes-int-or-string: true requests: - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object additionalProperties: pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ @@ -1012,6 +1132,10 @@ spec: serviceAccountName: description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' type: string + shareProcessNamespace: + description: This is accessible behind a feature flag - kubernetes.podspec-shareproccessnamespace + type: boolean + x-kubernetes-preserve-unknown-fields: true timeoutSeconds: description: TimeoutSeconds is the maximum duration in seconds that the request instance is allowed to respond to a request. If unspecified, a system default will be provided. type: integer @@ -1320,7 +1444,7 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: networking - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" knative.dev/crd-install: "true" spec: group: networking.internal.knative.dev 
@@ -1369,14 +1493,14 @@ metadata: name: domainmappings.serving.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" knative.dev/crd-install: "true" spec: group: serving.knative.dev versions: - name: v1beta1 served: true - storage: false + storage: true subresources: status: {} additionalPrinterColumns: 
@@ -1453,119 +1577,8 @@ spec: CACerts: description: CACerts is the Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. type: string - name: - description: Name is the name of the address. - type: string - url: - type: string - annotations: - description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. - type: object - additionalProperties: - type: string - conditions: - description: Conditions the latest available observations of a resource's current state. - type: array - items: - description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). - type: string - message: - description: A human readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - severity: - description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition. - type: string - observedGeneration: - description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. 
- type: integer - format: int64 - url: - description: URL is the URL of this DomainMapping. - type: string - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - description: DomainMapping is a mapping from a custom hostname to an Addressable. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'Spec is the desired state of the DomainMapping. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - required: - - ref - properties: - ref: - description: "Ref specifies the target of the Domain Mapping. \n The object identified by the Ref must be an Addressable with a URL of the form `{name}.{namespace}.{domain}` where `{domain}` is the cluster domain, and `{name}` and `{namespace}` are the name and namespace of a Kubernetes Service. \n This contract is satisfied by Knative types such as Knative Services and Knative Routes, and by Kubernetes Services." - type: object - required: - - kind - - name - properties: - address: - description: Address points to a specific Address Name. - type: string - apiVersion: - description: API version of the referent. - type: string - group: - description: 'Group of the API, without the version of the group. 
This can be used as an alternative to the APIVersion, and then resolved using ResolveGroup. Note: This API is EXPERIMENTAL and might break anytime. For more details: https://github.com/knative/eventing/issues/5086' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ This is optional field, it gets defaulted to the object holding it if left out.' - type: string - tls: - description: TLS allows the DomainMapping to terminate TLS traffic with an existing secret. - type: object - required: - - secretName - properties: - secretName: - description: SecretName is the name of the existing secret used to terminate TLS traffic. - type: string - status: - description: 'Status is the current state of the DomainMapping. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - properties: - address: - description: Address holds the information needed for a DomainMapping to be the target of an event. - type: object - properties: - CACerts: - description: CACerts is the Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + audience: + description: Audience is the OIDC audience for this address. type: string name: description: Name is the name of the address. 
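Review bot: Dropping the `v1alpha1` version of `domainmappings.serving.knative.dev` in the same step that moves `storage: true` to `v1beta1` (previous hunk) can make an in-place upgrade fail. The old side shows `v1alpha1` as the storage version, so an existing cluster's CRD will list it in `status.storedVersions`, and the API server rejects a CRD update that removes a version still listed there. The upgrade notes in `common/knative/README.md` should state that existing DomainMapping objects must be migrated to `v1beta1`, and `v1alpha1` cleared from `status.storedVersions`, before this manifest is applied. Fresh installs are not affected.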
@@ -1612,16 +1625,6 @@ spec: url: description: URL is the URL of this DomainMapping. type: string - additionalPrinterColumns: - - name: URL - type: string - jsonPath: .status.url - - name: Ready - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].reason" names: kind: DomainMapping plural: domainmappings @@ -1641,7 +1644,7 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: networking - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" knative.dev/crd-install: "true" spec: group: networking.internal.knative.dev @@ -1884,7 +1887,7 @@ metadata: name: metrics.autoscaling.internal.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" knative.dev/crd-install: "true" spec: group: autoscaling.internal.knative.dev @@ -1989,7 +1992,7 @@ metadata: name: podautoscalers.autoscaling.internal.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" knative.dev/crd-install: "true" spec: group: autoscaling.internal.knative.dev @@ -2132,7 +2135,7 @@ metadata: name: revisions.serving.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" knative.dev/crd-install: "true" spec: group: serving.knative.dev 
@@ -2338,6 +2341,19 @@ spec: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. type: integer format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + type: string httpGet: description: HTTPGet specifies the http request to perform. type: object @@ -2356,7 +2372,7 @@ spec: - value properties: name: - description: The header field name + description: The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header. type: string value: description: The header field value @@ -2446,6 +2462,19 @@ spec: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. type: integer format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + type: string httpGet: description: HTTPGet specifies the http request to perform. type: object 
@@ -2464,7 +2493,7 @@ spec: - value properties: name: - description: The header field name + description: The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header. type: string value: description: The header field value @@ -2514,6 +2543,21 @@ spec: description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object properties: + claims: + description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers." + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object 
@@ -2524,7 +2568,7 @@ spec: - type: string x-kubernetes-int-or-string: true requests: - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object additionalProperties: pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ @@ -2679,6 +2723,10 @@ spec: serviceAccountName: description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' type: string + shareProcessNamespace: + description: This is accessible behind a feature flag - kubernetes.podspec-shareproccessnamespace + type: boolean + x-kubernetes-preserve-unknown-fields: true timeoutSeconds: description: TimeoutSeconds is the maximum duration in seconds that the request instance is allowed to respond to a request. If unspecified, a system default will be provided. type: integer @@ -3013,7 +3061,7 @@ metadata: name: routes.serving.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" spec: 
@@ -3099,6 +3147,9 @@ spec: CACerts: description: CACerts is the Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. type: string + audience: + description: Audience is the OIDC audience for this address. + type: string name: description: Name is the name of the address. type: string @@ -3178,7 +3229,7 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: networking - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" knative.dev/crd-install: "true" spec: group: networking.internal.knative.dev @@ -3327,7 +3378,7 @@ metadata: name: services.serving.knative.dev labels: app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" duck.knative.dev/podspecable: "true" @@ -3558,6 +3609,19 @@ spec: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. type: integer format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + type: string httpGet: description: HTTPGet specifies the http request to perform. type: object @@ -3576,7 +3640,7 @@ spec: - value properties: name: - description: The header field name + description: The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header. type: string value: description: The header field value 
@@ -3666,6 +3730,19 @@ spec: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. type: integer format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + type: string httpGet: description: HTTPGet specifies the http request to perform. type: object @@ -3684,7 +3761,7 @@ spec: - value properties: name: - description: The header field name + description: The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header. type: string value: description: The header field value 
@@ -3734,6 +3811,21 @@ spec: description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object properties: + claims: + description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers." + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object 
@@ -3744,7 +3836,7 @@ spec: - type: string x-kubernetes-int-or-string: true requests: - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object additionalProperties: pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ @@ -3899,6 +3991,10 @@ spec: serviceAccountName: description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' type: string + shareProcessNamespace: + description: This is accessible behind a feature flag - kubernetes.podspec-shareproccessnamespace + type: boolean + x-kubernetes-preserve-unknown-fields: true timeoutSeconds: description: TimeoutSeconds is the maximum duration in seconds that the request instance is allowed to respond to a request. If unspecified, a system default will be provided. type: integer @@ -4189,6 +4285,9 @@ spec: CACerts: description: CACerts is the Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. type: string + audience: + description: Audience is the OIDC audience for this address. + type: string name: description: Name is the name of the address. type: string 
@@ -4287,21 +4386,11 @@ metadata: --- apiVersion: v1 kind: Secret -metadata: - name: control-serving-certs - namespace: knative-serving - labels: - serving-certs-ctrl: "control-plane" - networking.internal.knative.dev/certificate-uid: "serving-certs" ---- -apiVersion: v1 -kind: Secret metadata: name: routing-serving-certs namespace: knative-serving labels: serving-certs-ctrl: "data-plane-routing" - routing-id: "0" networking.internal.knative.dev/certificate-uid: "serving-certs" --- apiVersion: caching.internal.knative.dev/v1alpha1 @@ -4312,9 +4401,9 @@ metadata: labels: app.kubernetes.io/component: queue-proxy app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" spec: - image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:dabaecec38860ca4c972e6821d5dc825549faf50c6feb8feb4c04802f2338b8a + image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:89e6f90141f1b63405883fbb4de0d3b6d80f8b77e530904c4d29bdcd1dc5a167 --- apiVersion: v1 kind: ConfigMap @@ -4324,7 +4413,7 @@ metadata: labels: app.kubernetes.io/component: autoscaler app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" annotations: knative.dev/example-checksum: "47c2487f" data: @@ -4520,7 +4609,7 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: controller - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" annotations: knative.dev/example-checksum: "e7973912" data: 
@@ -4660,11 +4749,11 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: controller - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" annotations: - knative.dev/example-checksum: "410041a0" + knative.dev/example-checksum: "ed77183a" data: - queue-sidecar-image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:dabaecec38860ca4c972e6821d5dc825549faf50c6feb8feb4c04802f2338b8a + queue-sidecar-image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:89e6f90141f1b63405883fbb4de0d3b6d80f8b77e530904c4d29bdcd1dc5a167 _example: |- ################################ # # @@ -4695,15 +4784,18 @@ data: queue-sidecar-cpu-request: "25m" # Sets the queue proxy's CPU limit. - # If omitted, no value is specified and the system default is used. + # If omitted, a default value (currently "1000m"), is used when + # `queueproxy.resource-defaults` is set to `Enabled`. queue-sidecar-cpu-limit: "1000m" # Sets the queue proxy's memory request. - # If omitted, no value is specified and the system default is used. + # If omitted, a default value (currently "400Mi"), is used when + # `queueproxy.resource-defaults` is set to `Enabled`. queue-sidecar-memory-request: "400Mi" # Sets the queue proxy's memory limit. - # If omitted, no value is specified and the system default is used. + # If omitted, a default value (currently "800Mi"), is used when + # `queueproxy.resource-defaults` is set to `Enabled`. queue-sidecar-memory-limit: "800Mi" # Sets the queue proxy's ephemeral storage request. @@ -4735,7 +4827,7 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: controller - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" annotations: knative.dev/example-checksum: "26c09de5" data: 
@@ -4785,9 +4877,9 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: controller - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" annotations: - knative.dev/example-checksum: "d3565159" + knative.dev/example-checksum: "f2fc138e" data: _example: |- ################################ @@ -4891,6 +4983,12 @@ data: # See: https://knative.dev/docs/serving/feature-flags/#kubernetes-security-context kubernetes.podspec-securitycontext: "disabled" + # Indicated whether sharing the process namespace via ShareProcessNamespace pod spec is allowed. + # This can be especially useful for sharing data from images directly between sidecars + # + # See: https://knative.dev/docs/serving/configuration/feature-flags/#kubernetes-share-process-namespace + kubernetes.podspec-shareprocessnamespace: "disabled" + # Indicates whether Kubernetes PriorityClassName support is enabled # # WARNING: Cannot safely be disabled once enabled. @@ -4966,6 +5064,9 @@ data: # # NOTE THAT THIS IS AN EXPERIMENTAL / ALPHA FEATURE queueproxy.mount-podinfo: "disabled" + + # Default queue proxy resource requests and limits to good values for most cases if set. + queueproxy.resource-defaults: "disabled" --- apiVersion: v1 kind: ConfigMap @@ -4975,7 +5076,7 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: controller - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" annotations: knative.dev/example-checksum: "aa3813a8" data: @@ -5060,7 +5161,7 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: controller - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" annotations: knative.dev/example-checksum: "f4b71f57" data: 
@@ -5105,11 +5206,11 @@ metadata: name: config-logging namespace: knative-serving labels: - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" app.kubernetes.io/component: logging app.kubernetes.io/name: knative-serving annotations: - knative.dev/example-checksum: "b0f3c6f2" + knative.dev/example-checksum: "53fda05f" data: _example: | ################################ @@ -5163,6 +5264,8 @@ data: loglevel.net-certmanager-controller: "info" loglevel.net-istio-controller: "info" loglevel.net-contour-controller: "info" + loglevel.net-kourier-controller: "info" + loglevel.net-gateway-api-controller: "info" --- apiVersion: v1 kind: ConfigMap @@ -5172,9 +5275,9 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: networking - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" annotations: - knative.dev/example-checksum: "73d96d1b" + knative.dev/example-checksum: "0573e07d" data: _example: | ################################ @@ -5225,7 +5328,7 @@ data: # namespace-wildcard-cert-selector: {} # # Useful labels include the "kubernetes.io/metadata.name" label to - # avoid provisioning a certifcate for the "kube-system" namespaces. + # avoid provisioning a certificate for the "kube-system" namespaces. # Use the following selector to match pre-1.0 behavior of using # "networking.knative.dev/disableWildcardCert" to exclude namespaces: # @@ -5240,7 +5343,7 @@ data: # value is "{{.Name}}.{{.Namespace}}.{{.Domain}}". # # Valid variables defined in the template include Name, Namespace, Domain, - # Labels, and Annotations. Name will be the result of the tagTemplate + # Labels, and Annotations. Name will be the result of the tag-template # below, if a tag is specified for the route. # # Changing this value might be necessary when the extra levels in 
@@ -5260,22 +5363,51 @@ data: # would be {Name}-{Namespace}.foo.{Domain} domain-template: "{{.Name}}.{{.Namespace}}.{{.Domain}}" - # tagTemplate specifies the golang text template string to use + # tag-template specifies the golang text template string to use # when constructing the DNS name for "tags" within the traffic blocks # of Routes and Configuration. This is used in conjunction with the - # domainTemplate above to determine the full URL for the tag. + # domain-template above to determine the full URL for the tag. tag-template: "{{.Tag}}-{{.Name}}" - # Controls whether TLS certificates are automatically provisioned and - # installed in the Knative ingress to terminate external TLS connection. - # 1. Enabled: enabling auto-TLS feature. - # 2. Disabled: disabling auto-TLS feature. + # auto-tls is deprecated and replaced by external-domain-tls auto-tls: "Disabled" + # Controls whether TLS certificates are automatically provisioned and + # installed in the Knative ingress to terminate TLS connections + # for cluster external domains (like: app.example.com) + # - Enabled: enables the TLS certificate provisioning feature for cluster external domains. + # - Disabled: disables the TLS certificate provisioning feature for cluster external domains. + external-domain-tls: "Disabled" + + # Controls weather TLS certificates are automatically provisioned and + # installed in the Knative ingress to terminate TLS connections + # for cluster local domains (like: app.namespace.svc.) + # - Enabled: enables the TLS certificate provisioning feature for cluster cluster-local domains. + # - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains. + # NOTE: This flag is in an alpha state and is mostly here to enable internal testing + # for now. Use with caution. 
+ cluster-local-domain-tls: "Disabled" + + # internal-encryption is deprecated and replaced by system-internal-tls + internal-encryption: "false" + + # system-internal-tls controls weather TLS encryption is used for connections between + # the internal components of Knative: + # - ingress to activator + # - ingress to queue-proxy + # - activator to queue-proxy + # + # Possible values for this flag are: + # - Enabled: enables the TLS certificate provisioning feature for cluster cluster-local domains. + # - Disabled: disables the TLS certificate provisioning feature for cluster cluster local domains. + # NOTE: This flag is in an alpha state and is mostly here to enable internal testing + # for now. Use with caution. + system-internal-tls: "Disabled" + # Controls the behavior of the HTTP endpoint for the Knative ingress. - # It requires autoTLS to be enabled. - # 1. Enabled: The Knative ingress will be able to serve HTTP connection. - # 2. Redirected: The Knative ingress will send a 301 redirect for all + # It requires auto-tls to be enabled. + # - Enabled: The Knative ingress will be able to serve HTTP connection. + # - Redirected: The Knative ingress will send a 301 redirect for all # http connections, asking the clients to use HTTPS. # # "Disabled" option is deprecated. 
@@ -5319,21 +5451,11 @@ data: # - "disabled": always use Pod IPs and do not fall back to Cluster IP on failure. mesh-compatibility-mode: "auto" - # Defines the scheme used for external URLs if autoTLS is not enabled. + # Defines the scheme used for external URLs if auto-tls is not enabled. # This can be used for making Knative report all URLs as "HTTPS" for example, if you're # fronting Knative with an external loadbalancer that deals with TLS termination and # Knative doesn't know about that otherwise. default-external-scheme: "http" - - # internal-encryption indicates whether internal traffic is encrypted or not. - # If this is "true", the following traffic are encrypted: - # - ingress to activator - # - ingress to queue-proxy - # - activator to queue-proxy - # - # NOTE: This flag is in an alpha state and is mostly here to enable internal testing - # for now. Use with caution. - internal-encryption: "false" --- apiVersion: v1 kind: ConfigMap @@ -5343,9 +5465,9 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: observability - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" annotations: - knative.dev/example-checksum: "fed4756e" + knative.dev/example-checksum: "54abd711" data: _example: | ################################ 
@@ -5418,11 +5540,22 @@ data: # It supports either prometheus (the default) or opencensus. metrics.backend-destination: prometheus + # metrics.reporting-period-seconds specifies the global metrics reporting period for control and data plane components. + # If a zero or negative value is passed the default reporting period is used (10 secs). + # If the attribute is not specified a default value is used per metrics backend. + # For the prometheus backend the default reporting period is 5s while for opencensus it is 60s. + metrics.reporting-period-seconds: "5" + # metrics.request-metrics-backend-destination specifies the request metrics # destination. It enables queue proxy to send request metrics. # Currently supported values: prometheus (the default), opencensus. metrics.request-metrics-backend-destination: prometheus + # metrics.request-metrics-reporting-period-seconds specifies the request metrics reporting period in sec at queue proxy. + # If a zero or negative value is passed the default reporting period is used (10 secs). + # If the attribute is not specified, it is overridden by the value of metrics.reporting-period-seconds. + metrics.request-metrics-reporting-period-seconds: "5" + # profiling.enable indicates whether it is allowed to retrieve runtime profiling data from # the pods via an HTTP server in the format expected by the pprof visualization tool. When # enabled, the Knative Serving pods expose the profiling data on an alternate HTTP port 8008. @@ -5437,7 +5570,7 @@ metadata: labels: app.kubernetes.io/name: knative-serving app.kubernetes.io/component: tracing - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" annotations: knative.dev/example-checksum: "26614636" data: @@ -5479,7 +5612,7 @@ metadata: labels: app.kubernetes.io/component: activator app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" spec: minReplicas: 1 maxReplicas: 20 
@@ -5503,7 +5636,7 @@ metadata: labels: app.kubernetes.io/component: activator app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" spec: minAvailable: 80% selector: @@ -5517,7 +5650,7 @@ metadata: namespace: knative-serving labels: app.kubernetes.io/component: activator - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" app.kubernetes.io/name: knative-serving spec: selector: @@ -5531,12 +5664,12 @@ spec: role: activator app.kubernetes.io/component: activator app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" spec: - serviceAccountName: controller + serviceAccountName: activator containers: - name: activator - image: gcr.io/knative-releases/knative.dev/serving/cmd/activator@sha256:c2994c2b6c2c7f38ad1b85c71789bf1753cc8979926423c83231e62258837cb9 + image: gcr.io/knative-releases/knative.dev/serving/cmd/activator@sha256:ad42ddc9bc4e25fdc88c240d7cbfad4b2708eb7d26e07ae904d258011141116e resources: requests: cpu: 300m @@ -5610,7 +5743,7 @@ metadata: labels: app: activator app.kubernetes.io/component: activator - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" app.kubernetes.io/name: knative-serving spec: selector: @@ -5641,7 +5774,7 @@ metadata: labels: app.kubernetes.io/component: autoscaler app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" spec: replicas: 1 selector: @@ -5657,7 +5790,7 @@ spec: app: autoscaler app.kubernetes.io/component: autoscaler app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" spec: affinity: podAntiAffinity: 
@@ -5671,7 +5804,7 @@ spec: serviceAccountName: controller containers: - name: autoscaler - image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler@sha256:8319aa662b4912e8175018bd7cc90c63838562a27515197b803bdcd5634c7007 + image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler@sha256:66aa0dbceee62691d5327e423bbd7cbd411903747adeab61fdc81b14590793d4 resources: requests: cpu: 100m @@ -5735,7 +5868,7 @@ metadata: app: autoscaler app.kubernetes.io/component: autoscaler app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" name: autoscaler namespace: knative-serving spec: @@ -5760,7 +5893,7 @@ metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" spec: selector: matchLabels: @@ -5771,7 +5904,7 @@ spec: app: controller app.kubernetes.io/component: controller app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" spec: affinity: podAntiAffinity: @@ -5785,7 +5918,7 @@ spec: serviceAccountName: controller containers: - name: controller - image: gcr.io/knative-releases/knative.dev/serving/cmd/controller@sha256:98a2cc7fd62ee95e137116504e7166c32c65efef42c3d1454630780410abf943 + image: gcr.io/knative-releases/knative.dev/serving/cmd/controller@sha256:e5b7b6edd265b66d32f424bd245c06455154462ade6ce05698472212248d5657 resources: requests: cpu: 100m @@ -5846,7 +5979,7 @@ metadata: app: controller app.kubernetes.io/component: controller app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" name: controller namespace: knative-serving spec: 
@@ -5860,210 +5993,6 @@ spec: selector: app: controller --- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: domain-mapping - namespace: knative-serving - labels: - app.kubernetes.io/component: domain-mapping - app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" -spec: - selector: - matchLabels: - app: domain-mapping - template: - metadata: - labels: - app: domain-mapping - app.kubernetes.io/component: domain-mapping - app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app: domain-mapping - topologyKey: kubernetes.io/hostname - weight: 100 - serviceAccountName: controller - containers: - - name: domain-mapping - image: gcr.io/knative-releases/knative.dev/serving/cmd/domain-mapping@sha256:f66c41ad7a73f5d4f4bdfec4294d5459c477f09f3ce52934d1a215e32316b59b - resources: - requests: - cpu: 30m - memory: 40Mi - limits: - cpu: 300m - memory: 400Mi - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - - name: METRICS_DOMAIN - value: knative.dev/serving - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - livenessProbe: - httpGet: - path: /health - port: probes - scheme: HTTP - periodSeconds: 5 - failureThreshold: 6 - readinessProbe: - httpGet: - path: /readiness - port: probes - scheme: HTTP - periodSeconds: 5 - failureThreshold: 3 - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - - name: probes - containerPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: domainmapping-webhook - namespace: knative-serving - labels: - 
app.kubernetes.io/component: domain-mapping - app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" -spec: - selector: - matchLabels: - app: domainmapping-webhook - role: domainmapping-webhook - template: - metadata: - labels: - app: domainmapping-webhook - role: domainmapping-webhook - app.kubernetes.io/component: domain-mapping - app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app: domainmapping-webhook - topologyKey: kubernetes.io/hostname - weight: 100 - serviceAccountName: controller - containers: - - name: domainmapping-webhook - image: gcr.io/knative-releases/knative.dev/serving/cmd/domain-mapping-webhook@sha256:7368aaddf2be8d8784dc7195f5bc272ecfe49d429697f48de0ddc44f278167aa - resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 500m - memory: 500Mi - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - - name: WEBHOOK_PORT - value: "8443" - - name: METRICS_DOMAIN - value: knative.dev/serving - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - - name: https-webhook - containerPort: 8443 - readinessProbe: - periodSeconds: 1 - httpGet: - scheme: HTTPS - port: 8443 - httpHeaders: - - name: k-kubelet-probe - value: "webhook" - livenessProbe: - periodSeconds: 1 - httpGet: - scheme: HTTPS - port: 8443 - httpHeaders: - - name: k-kubelet-probe - value: "webhook" - failureThreshold: 6 - initialDelaySeconds: 20 - 
terminationGracePeriodSeconds: 300 ---- -apiVersion: v1 -kind: Service -metadata: - labels: - role: domainmapping-webhook - app.kubernetes.io/component: domain-mapping - app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" - name: domainmapping-webhook - namespace: knative-serving -spec: - ports: - - name: http-metrics - port: 9090 - targetPort: 9090 - - name: http-profiling - port: 8008 - targetPort: 8008 - - name: https-webhook - port: 443 - targetPort: 8443 - selector: - app: domainmapping-webhook - role: domainmapping-webhook ---- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: @@ -6072,7 +6001,7 @@ metadata: labels: app.kubernetes.io/component: webhook app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" spec: minReplicas: 1 maxReplicas: 5 @@ -6096,7 +6025,7 @@ metadata: labels: app.kubernetes.io/component: webhook app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" spec: minAvailable: 80% selector: @@ -6110,7 +6039,7 @@ metadata: namespace: knative-serving labels: app.kubernetes.io/component: webhook - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" app.kubernetes.io/name: knative-serving spec: selector: @@ -6123,7 +6052,7 @@ spec: app: webhook role: webhook app.kubernetes.io/component: webhook - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" app.kubernetes.io/name: knative-serving spec: affinity: @@ -6138,7 +6067,7 @@ spec: serviceAccountName: controller containers: - name: webhook - image: gcr.io/knative-releases/knative.dev/serving/cmd/webhook@sha256:4305209ce498caf783f39c8f3e85dfa635ece6947033bf50b0b627983fd65953 + image: gcr.io/knative-releases/knative.dev/serving/cmd/webhook@sha256:48aee2733721ecc77956abc5a2ca072853a669ebc97519beb48f7b3da8455e67 resources: requests: cpu: 100m 
@@ -6205,9 +6134,10 @@ apiVersion: v1 kind: Service metadata: labels: + app: webhook role: webhook app.kubernetes.io/component: webhook - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" app.kubernetes.io/name: knative-serving name: webhook namespace: knative-serving @@ -6233,7 +6163,7 @@ metadata: labels: app.kubernetes.io/component: webhook app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" webhooks: - admissionReviewVersions: ["v1", "v1beta1"] clientConfig: @@ -6260,7 +6190,7 @@ metadata: labels: app.kubernetes.io/component: webhook app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" webhooks: - admissionReviewVersions: ["v1", "v1beta1"] clientConfig: 
@@ -6292,77 +6222,6 @@ webhooks: - revisions - routes - services ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: webhook.domainmapping.serving.knative.dev - labels: - app.kubernetes.io/component: domain-mapping - app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" -webhooks: - - admissionReviewVersions: ["v1", "v1beta1"] - clientConfig: - service: - name: domainmapping-webhook - namespace: knative-serving - failurePolicy: Fail - sideEffects: None - name: webhook.domainmapping.serving.knative.dev - timeoutSeconds: 10 - rules: - - apiGroups: - - serving.knative.dev - apiVersions: - - "*" - operations: - - CREATE - - UPDATE - scope: "*" - resources: - - domainmappings - - domainmappings/status ---- -apiVersion: v1 -kind: Secret -metadata: - name: domainmapping-webhook-certs - namespace: knative-serving - labels: - app.kubernetes.io/component: domain-mapping - app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: validation.webhook.domainmapping.serving.knative.dev - labels: - app.kubernetes.io/component: domain-mapping - app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" -webhooks: - - admissionReviewVersions: ["v1", "v1beta1"] - clientConfig: - service: - name: domainmapping-webhook - namespace: knative-serving - failurePolicy: Fail - sideEffects: None - name: validation.webhook.domainmapping.serving.knative.dev - timeoutSeconds: 10 - rules: - - apiGroups: - - serving.knative.dev - apiVersions: - - "*" - operations: - - CREATE - - UPDATE - - DELETE - scope: "*" - resources: - domainmappings - domainmappings/status --- 
@@ -6373,7 +6232,7 @@ metadata: labels: app.kubernetes.io/component: webhook app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" webhooks: - admissionReviewVersions: ["v1", "v1beta1"] clientConfig: @@ -6406,6 +6265,8 @@ webhooks: - revisions - routes - services + - domainmappings + - domainmappings/status --- apiVersion: v1 kind: Secret @@ -6415,6 +6276,6 @@ metadata: labels: app.kubernetes.io/component: webhook app.kubernetes.io/name: knative-serving - app.kubernetes.io/version: "1.10.2" + app.kubernetes.io/version: "1.12.4" --- diff --git a/hack/sync-knative-manifests.sh b/hack/sync-knative-manifests.sh new file mode 100755 index 0000000000..5ae8a5315d --- /dev/null +++ b/hack/sync-knative-manifests.sh 
@@ -0,0 +1,145 @@
+#!/usr/bin/env bash
+
+# This script aims at helping create a PR to update the manifests of the
+# knative.
+# This script:
+# 1. Checks out a new branch
+# 2. Download files into the correct places
+# 3. Commits the changes
+#
+# Afterwards the developers can submit the PR to the kubeflow/manifests
+# repo, based on that local branch
+# It must be executed directly from its directory
+
+# strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euxo pipefail
+IFS=$'\n\t'
+
+KN_SERVING_RELEASE="v1.12.4" # Must be a release
+KN_EXTENSION_RELEASE="v1.12.3" # Must be a release
+KN_EVENTING_RELEASE="v1.12.6" # Must be a release
+BRANCH=${BRANCH:=sync-knative-manifests-${KN_SERVING_RELEASE?}}
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+MANIFESTS_DIR=$(dirname $SCRIPT_DIR)
+
+# replace source regex ($1) with target regex ($2)
+# in file ($3)
+replace_in_file() {
+ SRC_TXT=$1
+ DST_TXT=$2
+ sed -i "s|$SRC_TXT|$DST_TXT|g" $3
+}
+
+echo "Creating branch: ${BRANCH}"
+
+if [ -n "$(git status --porcelain)" ]; then
+ echo "WARNING: You have uncommitted changes"
+fi
+if [ `git branch --list $BRANCH` ]
+then
+ echo "WARNING: Branch $BRANCH already exists."
+fi
+
+# Create the branch in the manifests repository
+if ! git show-ref --verify --quiet refs/heads/$BRANCH; then
+ git checkout -b $BRANCH
+else
+ echo "Branch $BRANCH already exists."
+fi
+
+if [ -n "$(git status --porcelain)" ]; then
+ echo "WARNING: You have uncommitted changes"
+fi
+
+DST_DIR=$MANIFESTS_DIR/common/knative
+if [ -d "$DST_DIR" ]; then
+ # keep README and OWNERS file
+ rm -r "$DST_DIR/knative-serving/base/upstream"
+ rm "$DST_DIR/knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml"
+ rm -r "$DST_DIR/knative-eventing/base/upstream"
+ rm "$DST_DIR/knative-eventing-post-install-jobs/base/eventing-post-install.yaml"
+fi
+
+mkdir -p "$DST_DIR/knative-serving/base/upstream"
+mkdir -p "$DST_DIR/knative-serving-post-install-jobs/base"
+mkdir -p "$DST_DIR/knative-eventing/base/upstream"
+mkdir -p "$DST_DIR/knative-eventing-post-install-jobs/base"
+
+echo "Downloading knative-serving manifests..."
+# No need to install serving-crds.
+# See: https://github.com/knative/serving/issues/9945
+wget -O $DST_DIR/knative-serving/base/upstream/serving-core.yaml "https://github.com/knative/serving/releases/download/knative-$KN_SERVING_RELEASE/serving-core.yaml"
+wget -O $DST_DIR/knative-serving/base/upstream/net-istio.yaml "https://github.com/knative-extensions/net-istio/releases/download/knative-$KN_EXTENSION_RELEASE/net-istio.yaml"
+wget -O $DST_DIR/knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml "https://github.com/knative/serving/releases/download/knative-$KN_SERVING_RELEASE/serving-post-install-jobs.yaml"
+
+yq eval -i '... comments=""' $DST_DIR/knative-serving/base/upstream/serving-core.yaml
+yq eval -i '... comments=""' $DST_DIR/knative-serving/base/upstream/net-istio.yaml
+yq eval -i '... comments=""' $DST_DIR/knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml
+
+yq eval -i 'explode(.)' $DST_DIR/knative-serving/base/upstream/serving-core.yaml
+yq eval -i 'explode(.)' $DST_DIR/knative-serving/base/upstream/net-istio.yaml
+yq eval -i 'explode(.)' $DST_DIR/knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml
+
+# We are not using the '|=' operator because it generates an empty object
+# ({}) which crashes kustomize.
+yq eval -i 'select(.kind == "Job" and .metadata.generateName == "storage-version-migration-serving-") | .metadata.name = "storage-version-migration-serving"' $DST_DIR/knative-serving-post-install-jobs/base/serving-post-install-jobs.yaml
+
+echo "Downloading knative-eventing manifests..."
+
+wget -O $DST_DIR/knative-eventing/base/upstream/eventing-core.yaml "https://github.com/knative/eventing/releases/download/knative-$KN_EVENTING_RELEASE/eventing-core.yaml"
+wget -O $DST_DIR/knative-eventing/base/upstream/in-memory-channel.yaml "https://github.com/knative/eventing/releases/download/knative-$KN_EVENTING_RELEASE/in-memory-channel.yaml"
+wget -O $DST_DIR/knative-eventing/base/upstream/mt-channel-broker.yaml "https://github.com/knative/eventing/releases/download/knative-$KN_EVENTING_RELEASE/mt-channel-broker.yaml"
+wget -O $DST_DIR/knative-eventing-post-install-jobs/base/eventing-post-install.yaml "https://github.com/knative/eventing/releases/download/knative-$KN_EVENTING_RELEASE/eventing-post-install.yaml"
+
+yq eval -i '... comments=""' $DST_DIR/knative-eventing/base/upstream/eventing-core.yaml
+yq eval -i '... comments=""' $DST_DIR/knative-eventing/base/upstream/in-memory-channel.yaml
+yq eval -i '... comments=""' $DST_DIR/knative-eventing/base/upstream/mt-channel-broker.yaml
+yq eval -i '... comments=""' $DST_DIR/knative-eventing-post-install-jobs/base/eventing-post-install.yaml
+
+yq eval -i 'explode(.)' $DST_DIR/knative-eventing/base/upstream/eventing-core.yaml
+yq eval -i 'explode(.)' $DST_DIR/knative-eventing/base/upstream/in-memory-channel.yaml
+yq eval -i 'explode(.)' $DST_DIR/knative-eventing/base/upstream/mt-channel-broker.yaml
+yq eval -i 'explode(.)' $DST_DIR/knative-eventing-post-install-jobs/base/eventing-post-install.yaml
+
+# We are not using the '|=' operator because it generates an empty object
+# ({}) which crashes kustomize.
+yq eval -i 'select(.kind == "Job" and .metadata.generateName == "storage-version-migration-eventing-") | .metadata.name = "storage-version-migration-eventing"' $DST_DIR/knative-eventing-post-install-jobs/base/eventing-post-install.yaml
+
+yq eval -i 'select((.kind == "ConfigMap" and .metadata.name == "config-observability") | not)' $DST_DIR/knative-eventing/base/upstream/in-memory-channel.yaml
+yq eval -i 'select((.kind == "ConfigMap" and .metadata.name == "config-tracing") | not)' $DST_DIR/knative-eventing/base/upstream/in-memory-channel.yaml
+
+echo "Successfully copied all manifests."
+
+echo "Updating README..."
+
+replace_in_file \
+ "\[.*\](https://github.com/knative/serving/releases/tag/knative-.*) <" \
+ "\[$KN_SERVING_RELEASE\](https://github.com/knative/serving/releases/tag/knative-$KN_SERVING_RELEASE) <" \
+ ${MANIFESTS_DIR}/README.md
+
+replace_in_file \
+ "> \[.*\](https://github.com/knative/eventing/releases/tag/knative-.*)" \
+ "> \[$KN_EVENTING_RELEASE\](https://github.com/knative/eventing/releases/tag/knative-$KN_EVENTING_RELEASE)" \
+ ${MANIFESTS_DIR}/README.md
+
+replace_in_file \
+ "\[Knative serving (v.*)\](https://github.com/knative/serving/releases/tag/knative-v.*)" \
+ "\[Knative serving ($KN_SERVING_RELEASE)\](https://github.com/knative/serving/releases/tag/knative-$KN_SERVING_RELEASE)" \
+ $DST_DIR/README.md
+
+replace_in_file \
+ "\[Knative ingress controller for Istio (v.*)\](https://github.com/knative-extensions/net-istio/releases/tag/knative-v.*)" \
+ "\[Knative ingress controller for Istio ($KN_EXTENSION_RELEASE)\](https://github.com/knative-extensions/net-istio/releases/tag/knative-$KN_EXTENSION_RELEASE)" \
+ $DST_DIR/README.md
+
+replace_in_file \
+ "The manifests for Knative Eventing are based off the \[v.* release\](https://github.com/knative/eventing/releases/tag/knative-v.*)" \
+ "The manifests for Knative Eventing are based off the \[$KN_EVENTING_RELEASE release\](https://github.com/knative/eventing/releases/tag/knative-$KN_EVENTING_RELEASE)" \
+ $DST_DIR/README.md
+
+echo "Committing the changes..."
+cd $MANIFESTS_DIR
+git add $DST_DIR
+git add README.md
+git commit -s -m "Update common/knative manifests from ${KN_SERVING_RELEASE}/${KN_EVENTING_RELEASE}"
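Review bot: The seven `wget -O` calls write release assets straight into `common/knative`, and the script then commits them with no integrity check, so whatever the release URL serves at run time becomes the vendored manifest. These files carry admission webhook configurations and other cluster-scoped objects, and the resulting diff (over a thousand changed lines in this commit, per the diffstat) is too large to rely on reviewers spotting a replaced or altered asset by eye. Recording a SHA-256 per file next to the `KN_*_RELEASE` variables and failing on mismatch would turn a changed asset into an explicit, reviewable edit; the digest variable below is a placeholder because the page does not give the values. The helper also quotes the destination path, which the current unquoted `$DST_DIR/...` arguments do not.

```shell
# Download $1 to $2 and stop unless the file matches the pinned SHA-256 in $3.
fetch_pinned() {
  local url=$1 dest=$2 want=$3
  wget -O "$dest" "$url"
  if ! printf '%s  %s\n' "$want" "$dest" | sha256sum --check --status; then
    echo "ERROR: digest mismatch for $dest" >&2
    exit 1
  fi
}

# … unchanged: branch creation, cleanup and mkdir of $DST_DIR …

# SERVING_CORE_SHA256 is a placeholder: record the reviewed digest beside KN_SERVING_RELEASE.
fetch_pinned \
  "https://github.com/knative/serving/releases/download/knative-$KN_SERVING_RELEASE/serving-core.yaml" \
  "$DST_DIR/knative-serving/base/upstream/serving-core.yaml" \
  "$SERVING_CORE_SHA256"
# … same pattern for the remaining six downloads …
```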