upgrade to latest dependencies (#2147)

bumping knative.dev/eventing e804605...d5e9973:
  > d5e9973 feat: add complete request reply data plane (# 8699)
  > e8e8035 Add auth-proxy and enable on IntegrationSink (# 8708)
  > 941dafa Fix mt-broker-ingress auth to work with structured event too (# 8710)
  > 69e11e3 [Automated] Update eventing-eventing-integrations nightly (# 8711)
bumping knative.dev/serving a87c794...93577e9:
  > 93577e9 Update net-contour nightly (# 16074)
  > dc7691c Update net-istio nightly (# 16072)
  > 917f5c1 Update net-gateway-api nightly (# 16071)

Signed-off-by: Knative Automation <automation@knative.team>

Author: knative-automation

go.mod

@@ -21,11 +21,11 @@ require (
 	k8s.io/client-go v0.33.4
 	k8s.io/code-generator v0.33.4
 	knative.dev/caching v0.0.0-20250909014531-e918af7eb00b
-	knative.dev/eventing v0.46.1-0.20250909143134-e804605aa34a
+	knative.dev/eventing v0.46.1-0.20250910170819-d5e9973e559b
 	knative.dev/hack v0.0.0-20250902153942-1499de21e119
 	knative.dev/pkg v0.0.0-20250909010931-8c9c1d368e4b
 	knative.dev/reconciler-test v0.0.0-20250909113732-73218b8f3940
-	knative.dev/serving v0.46.1-0.20250909224032-a87c794330dc
+	knative.dev/serving v0.46.1-0.20250910032334-93577e9cb30c
 	sigs.k8s.io/yaml v1.6.0
 )
 

go.sum

@@ -1705,8 +1705,8 @@ k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJ
 k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 knative.dev/caching v0.0.0-20250909014531-e918af7eb00b h1:ryWKhcyM6QapWh5wE4oALoKYuKwRwOVTDmJYUva5Dh4=
 knative.dev/caching v0.0.0-20250909014531-e918af7eb00b/go.mod h1:DOGV0SmM+WZ/PU0SzlSXecSlOhO7yMUZ+d9sqwJGTQk=
-knative.dev/eventing v0.46.1-0.20250909143134-e804605aa34a h1:vxv0GGRvlYp7XbkInA41v/ccXkypkZmOKmszGK+pkUk=
-knative.dev/eventing v0.46.1-0.20250909143134-e804605aa34a/go.mod h1:3rkUNHlYs6U0bs6IhufoBgIzUnsJY+ExNNreAHtv2Dw=
+knative.dev/eventing v0.46.1-0.20250910170819-d5e9973e559b h1:u2n46/rTmab70HoKGaa/sRCeKXv9K4MTxspKQNrKnjc=
+knative.dev/eventing v0.46.1-0.20250910170819-d5e9973e559b/go.mod h1:NP1ypjTAP+eZTT1P/Xk8DAI+dkqkWatFP73IikS4BIo=
 knative.dev/hack v0.0.0-20250902153942-1499de21e119 h1:NbQvjnFK1tL489LN0qAybWy0E17Jpziwcv/XIHwfp6M=
 knative.dev/hack v0.0.0-20250902153942-1499de21e119/go.mod h1:R0ritgYtjLDO9527h5vb5X6gfvt5LCrJ55BNbVDsWiY=
 knative.dev/networking v0.0.0-20250909015233-e3b68fc57bea h1:712x0cJVdyKELYhO9Asie79wD4AvW/6bmdqGAAB6QYQ=
@@ -1715,8 +1715,8 @@ knative.dev/pkg v0.0.0-20250909010931-8c9c1d368e4b h1:Gscoeovr8XvQffYg6l2d7V8M5F
 knative.dev/pkg v0.0.0-20250909010931-8c9c1d368e4b/go.mod h1:OLfYBCgDhdEpaC2TEixU3e7byMEQmke/MHP3xsR7Gmo=
 knative.dev/reconciler-test v0.0.0-20250909113732-73218b8f3940 h1:iqaxc4FelXHVrUD6Jq/N2tr9DM4YNIlAZuU8eoUgU/k=
 knative.dev/reconciler-test v0.0.0-20250909113732-73218b8f3940/go.mod h1:1pexOYpq548o8aD564cgDpXoumingywDV3tZ5L7m9nI=
-knative.dev/serving v0.46.1-0.20250909224032-a87c794330dc h1:jXlre/XEno0QIkCUeRA6xJVbXnxz+YZkXDmtvS51jCY=
-knative.dev/serving v0.46.1-0.20250909224032-a87c794330dc/go.mod h1:pERRORu4itdaYfKSoNx5mhP2IduUkEQIClBQ5eXWBig=
+knative.dev/serving v0.46.1-0.20250910032334-93577e9cb30c h1:HTvPrb9EclY4We6o6eDN3blELg/50XN8wVw20qBoODE=
+knative.dev/serving v0.46.1-0.20250910032334-93577e9cb30c/go.mod h1:pERRORu4itdaYfKSoNx5mhP2IduUkEQIClBQ5eXWBig=
 nhooyr.io/websocket v1.8.6/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0=
 pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
 pgregory.net/rapid v1.1.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=

vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/integration_sink_lifecycle.go

@@ -43,12 +43,17 @@ const (
 
 	// Certificate related condition reasons
 	IntegrationSinkCertificateNotReady string = "CertificateNotReady"
+
+	// IntegrationSinkTrustBundlePropagated is configured to indicate whether the
+	// TLS trust bundle has been properly propagated.
+	IntegrationSinkTrustBundlePropagated apis.ConditionType = "TrustBundlePropagated"
 )
 
 var IntegrationSinkCondSet = apis.NewLivingConditionSet(
 	IntegrationSinkConditionAddressable,
 	IntegrationSinkConditionDeploymentReady,
 	IntegrationSinkConditionEventPoliciesReady,
+	IntegrationSinkTrustBundlePropagated,
 )
 
 // GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.
@@ -151,12 +156,26 @@ func (s *IntegrationSinkStatus) PropagateCertificateStatus(cs cmv1.CertificateSt
 	return true
 }
 
-func (s *IntegrationSinkStatus) SetAddress(address *duckv1.Addressable) {
-	s.Address = address
-	if address == nil || address.URL.IsEmpty() {
+func (s *IntegrationSinkStatus) SetAddresses(addresses ...duckv1.Addressable) {
+	if len(addresses) == 0 || addresses[0].URL.IsEmpty() {
 		IntegrationSinkCondSet.Manage(s).MarkFalse(IntegrationSinkConditionAddressable, "EmptyHostname", "hostname is the empty string")
-	} else {
-		IntegrationSinkCondSet.Manage(s).MarkTrue(IntegrationSinkConditionAddressable)
+		return
+	}
 
+	s.AddressStatus = duckv1.AddressStatus{
+		Address:   &addresses[0],
+		Addresses: addresses,
 	}
+	IntegrationSinkCondSet.Manage(s).MarkTrue(IntegrationSinkConditionAddressable)
+}
+
+// MarkFailedTrustBundlePropagation marks the IntegrationSink's SinkBindingTrustBundlePropagated condition to False with
+// the provided reason and message.
+func (s *IntegrationSinkStatus) MarkFailedTrustBundlePropagation(reason, message string) {
+	IntegrationSinkCondSet.Manage(s).MarkFalse(IntegrationSinkTrustBundlePropagated, reason, message)
+}
+
+// MarkTrustBundlePropagated marks the IntegrationSink's SinkBindingTrustBundlePropagated condition to True.
+func (s *IntegrationSinkStatus) MarkTrustBundlePropagated() {
+	IntegrationSinkCondSet.Manage(s).MarkTrue(IntegrationSinkTrustBundlePropagated)
 }

vendor/knative.dev/eventing/pkg/auth/event_policy.go

@@ -219,15 +219,15 @@ func resolveSubjectsFromReference(resolver *resolver.AuthenticatableResolver, re
 // SubjectAndFiltersPass checks if the given sub is contained in the list of allowedSubs
 // or if it matches a prefix pattern in subs (e.g. system:serviceaccounts:my-ns:*), as
 // well as if the event passes any filters associated with the subjects for an event policy
-func SubjectAndFiltersPass(ctx context.Context, sub string, allowedSubsWithFilters []subjectsWithFilters, event *cloudevents.Event, logger *zap.SugaredLogger) bool {
+func SubjectAndFiltersPass(ctx context.Context, sub string, allowedSubsWithFilters []SubjectsWithFilters, event *cloudevents.Event, logger *zap.SugaredLogger) bool {
 	if event == nil {
 		return false
 	}
 
 	for _, swf := range allowedSubsWithFilters {
-		for _, s := range swf.subjects {
+		for _, s := range swf.Subjects {
 			if strings.EqualFold(s, sub) || (strings.HasSuffix(s, "*") && strings.HasPrefix(sub, strings.TrimSuffix(s, "*"))) {
-				return subscriptionsapi.CreateSubscriptionsAPIFilters(logger.Desugar(), swf.filters).Filter(ctx, *event) != eventfilter.FailFilter
+				return subscriptionsapi.CreateSubscriptionsAPIFilters(logger.Desugar(), swf.Filters).Filter(ctx, *event) != eventfilter.FailFilter
 			}
 		}
 	}

vendor/knative.dev/eventing/pkg/auth/verifier.go

@@ -17,7 +17,6 @@ limitations under the License.
 package auth
 
 import (
-	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -32,6 +31,7 @@ import (
 	"go.opentelemetry.io/otel"
 	corev1listers "k8s.io/client-go/listers/core/v1"
 	"knative.dev/eventing/pkg/eventingtls"
+	"knative.dev/eventing/pkg/utils"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/network"
 	"knative.dev/pkg/observability/tracing"
@@ -136,6 +136,30 @@ func (v *Verifier) VerifyRequestFromSubject(ctx context.Context, features featur
 	return nil
 }
 
+// VerifyRequestFromSubjectsWithFilters verifies AuthN and AuthZ in the request.
+// In the AuthZ part it checks if the request comes from the given allowedSubject.
+// On verification errors, it sets the responses HTTP status and returns an error.
+// This method is similar to VerifyRequestFromSubject() except that
+// VerifyRequestFromSubjectsWithFilters() allows to check based on a list of
+// subjects with filters.
+func (v *Verifier) VerifyRequestFromSubjectsWithFilters(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, allowedSubjectsWithFilters []SubjectsWithFilters, resourceNamespace string, req *http.Request, resp http.ResponseWriter) error {
+	if !features.IsOIDCAuthentication() {
+		return nil
+	}
+
+	idToken, err := v.verifyAuthN(ctx, requiredOIDCAudience, req, resp)
+	if err != nil {
+		return fmt.Errorf("authentication of request could not be verified: %w", err)
+	}
+
+	err = v.verifyAuthZBySubjectsWithFilters(ctx, features, idToken, resourceNamespace, allowedSubjectsWithFilters, req, resp)
+	if err != nil {
+		return fmt.Errorf("authorization of request could not be verified: %w", err)
+	}
+
+	return nil
+}
+
 // verifyAuthN verifies if the incoming request contains a correct JWT token
 func (v *Verifier) verifyAuthN(ctx context.Context, audience *string, req *http.Request, resp http.ResponseWriter) (*IDToken, error) {
 	token := GetJWTFromHeader(req.Header)
@@ -160,8 +184,20 @@ func (v *Verifier) verifyAuthN(ctx context.Context, audience *string, req *http.
 
 // verifyAuthZ verifies if the given idToken is allowed by the resources eventPolicyStatus
 func (v *Verifier) verifyAuthZ(ctx context.Context, features feature.Flags, idToken *IDToken, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
-	if len(policyRefs) > 0 {
-		req, err := copyRequest(req)
+	subjectsWithFiltersFromApplyingPolicies, err := SubjectWithFiltersFromPolicyRef(v.eventPolicyLister, resourceNamespace, policyRefs)
+	if err != nil {
+		resp.WriteHeader(http.StatusInternalServerError)
+		return fmt.Errorf("could not get subjects with filters from policy: %w", err)
+	}
+
+	return v.verifyAuthZBySubjectsWithFilters(ctx, features, idToken, resourceNamespace, subjectsWithFiltersFromApplyingPolicies, req, resp)
+}
+
+// verifyAuthZBySubjectsWithFilters verifies if the given idToken is allowed by the resources eventPolicyStatus
+// it does the same as verifyAuthZ but taking a subjectWithFilters slice instead
+func (v *Verifier) verifyAuthZBySubjectsWithFilters(ctx context.Context, features feature.Flags, idToken *IDToken, resourceNamespace string, subjectsWithFiltersFromApplyingPolicies []SubjectsWithFilters, req *http.Request, resp http.ResponseWriter) error {
+	if len(subjectsWithFiltersFromApplyingPolicies) > 0 {
+		req, err := utils.CopyRequest(req)
 		if err != nil {
 			resp.WriteHeader(http.StatusInternalServerError)
 			return fmt.Errorf("failed to copy request body: %w", err)
@@ -176,38 +212,26 @@ func (v *Verifier) verifyAuthZ(ctx context.Context, features feature.Flags, idTo
 			return fmt.Errorf("failed to decode event from request: %w", err)
 		}
 
-		subjectsWithFiltersFromApplyingPolicies := []subjectsWithFilters{}
-		for _, p := range policyRefs {
-			policy, err := v.eventPolicyLister.EventPolicies(resourceNamespace).Get(p.Name)
-			if err != nil {
-				resp.WriteHeader(http.StatusInternalServerError)
-				return fmt.Errorf("failed to get eventPolicy: %w", err)
-			}
-
-			subjectsWithFiltersFromApplyingPolicies = append(subjectsWithFiltersFromApplyingPolicies, subjectsWithFilters{subjects: policy.Status.From, filters: policy.Spec.Filters})
-		}
-
 		if !SubjectAndFiltersPass(ctx, idToken.Subject, subjectsWithFiltersFromApplyingPolicies, event, v.logger) {
 			resp.WriteHeader(http.StatusForbidden)
 			return fmt.Errorf("token is from subject %q, but only %#v are part of applying event policies", idToken.Subject, subjectsWithFiltersFromApplyingPolicies)
 		}
 
 		return nil
-	} else {
-		if features.IsAuthorizationDefaultModeDenyAll() {
-			resp.WriteHeader(http.StatusForbidden)
-			return fmt.Errorf("no event policies apply for resource and %s is set to %s", feature.AuthorizationDefaultMode, feature.AuthorizationDenyAll)
-
-		} else if features.IsAuthorizationDefaultModeSameNamespace() {
-			if !strings.HasPrefix(idToken.Subject, fmt.Sprintf("%s:%s:", kubernetesServiceAccountPrefix, resourceNamespace)) {
-				resp.WriteHeader(http.StatusForbidden)
-				return fmt.Errorf("no policies apply for resource. %s is set to %s, but token is from subject %q, which is not part of %q namespace", feature.AuthorizationDefaultMode, feature.AuthorizationDenyAll, idToken.Subject, resourceNamespace)
-			}
+	}
 
-			return nil
+	if features.IsAuthorizationDefaultModeDenyAll() {
+		resp.WriteHeader(http.StatusForbidden)
+		return fmt.Errorf("no event policies apply for resource and %s is set to %s", feature.AuthorizationDefaultMode, feature.AuthorizationDenyAll)
+	} else if features.IsAuthorizationDefaultModeSameNamespace() {
+		if !strings.HasPrefix(idToken.Subject, fmt.Sprintf("%s:%s:", kubernetesServiceAccountPrefix, resourceNamespace)) {
+			resp.WriteHeader(http.StatusForbidden)
+			return fmt.Errorf("no policies apply for resource. %s is set to %s, but token is from subject %q, which is not part of %q namespace", feature.AuthorizationDefaultMode, feature.AuthorizationDenyAll, idToken.Subject, resourceNamespace)
 		}
-		// else: allow all
+
+		return nil
 	}
+	// else: allow all
 
 	return nil
 }
@@ -335,35 +359,6 @@ func (v *Verifier) getKubernetesOIDCDiscovery(features feature.Flags, client *ht
 	return openIdConfig, nil
 }
 
-// copyRequest makes a copy of the http request which can be consumed as needed, leaving the original request
-// able to be consumed as well.
-func copyRequest(req *http.Request) (*http.Request, error) {
-	// check if we actually need to copy the body, otherwise we can return the original request
-	if req.Body == nil || req.Body == http.NoBody {
-		return req, nil
-	}
-
-	var buf bytes.Buffer
-	if _, err := buf.ReadFrom(req.Body); err != nil {
-		return nil, fmt.Errorf("failed to read request body while copying it: %w", err)
-	}
-
-	if err := req.Body.Close(); err != nil {
-		return nil, fmt.Errorf("failed to close original request body ready while copying request: %w", err)
-	}
-
-	// set the original request body to be readable again
-	req.Body = io.NopCloser(&buf)
-
-	// return a new request with a readable body and same headers as the original
-	// we don't need to set any other fields as cloudevents only uses the headers
-	// and body to construct the Message/Event.
-	return &http.Request{
-		Header: req.Header,
-		Body:   io.NopCloser(bytes.NewReader(buf.Bytes())),
-	}, nil
-}
-
 type openIDMetadata struct {
 	Issuer        string   `json:"issuer"`
 	JWKSURI       string   `json:"jwks_uri"`
@@ -372,7 +367,22 @@ type openIDMetadata struct {
 	SigningAlgs   []string `json:"id_token_signing_alg_values_supported"`
 }
 
-type subjectsWithFilters struct {
-	filters  []eventingv1.SubscriptionsAPIFilter
-	subjects []string
+func SubjectWithFiltersFromPolicyRef(eventPolicyLister listerseventingv1alpha1.EventPolicyLister, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef) ([]SubjectsWithFilters, error) {
+	subjectsWithFiltersFromApplyingPolicies := make([]SubjectsWithFilters, 0, len(policyRefs))
+
+	for _, p := range policyRefs {
+		policy, err := eventPolicyLister.EventPolicies(resourceNamespace).Get(p.Name)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get eventPolicy: %w", err)
+		}
+
+		subjectsWithFiltersFromApplyingPolicies = append(subjectsWithFiltersFromApplyingPolicies, SubjectsWithFilters{Subjects: policy.Status.From, Filters: policy.Spec.Filters})
+	}
+
+	return subjectsWithFiltersFromApplyingPolicies, nil
+}
+
+type SubjectsWithFilters struct {
+	Filters  []eventingv1.SubscriptionsAPIFilter `json:"filters,omitempty"`
+	Subjects []string                            `json:"subjects,omitempty"`
 }

vendor/knative.dev/eventing/pkg/eventingtls/eventingtls.go

@@ -36,6 +36,7 @@ import (
 	corev1listers "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/tools/cache"
 	"knative.dev/pkg/apis"
+	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/logging"
 )
@@ -195,6 +196,17 @@ func IsHttpsSink(sink string) bool {
 	return strings.EqualFold(s.Scheme, "https")
 }
 
+// GetHttpsAddress returns the (first) https address out of the list of addresses
+func GetHttpsAddress(addresses []duckv1.Addressable) *duckv1.Addressable {
+	for _, address := range addresses {
+		if IsHttpsSink(address.URL.String()) {
+			return &address
+		}
+	}
+
+	return nil
+}
+
 // certPool returns a x509.CertPool with the combined certs from:
 // - the system cert pool
 // - the knative trust bundle in TrustBundleMountPath

vendor/knative.dev/eventing/pkg/utils/utils.go

@@ -17,6 +17,10 @@ limitations under the License.
 package utils
 
 import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/http"
 	"regexp"
 	"strings"
 
@@ -91,3 +95,32 @@ func GenerateFixedName(owner metav1.Object, prefix string) string {
 	// A dot must be followed by [a-z0-9] to be DNS1123 compliant. Make sure we are not joining a dot and a dash.
 	return strings.TrimSuffix(prefix, ".") + uid
 }
+
+// CopyRequest makes a copy of the http request which can be consumed as needed, leaving the original request
+// able to be consumed as well.
+func CopyRequest(req *http.Request) (*http.Request, error) {
+	// check if we actually need to copy the body, otherwise we can return the original request
+	if req.Body == nil || req.Body == http.NoBody {
+		return req, nil
+	}
+
+	var buf bytes.Buffer
+	if _, err := buf.ReadFrom(req.Body); err != nil {
+		return nil, fmt.Errorf("failed to read request body while copying it: %w", err)
+	}
+
+	if err := req.Body.Close(); err != nil {
+		return nil, fmt.Errorf("failed to close original request body ready while copying request: %w", err)
+	}
+
+	// set the original request body to be readable again
+	req.Body = io.NopCloser(&buf)
+
+	// return a new request with a readable body and same headers as the original
+	// we don't need to set any other fields as cloudevents only uses the headers
+	// and body to construct the Message/Event.
+	return &http.Request{
+		Header: req.Header,
+		Body:   io.NopCloser(bytes.NewReader(buf.Bytes())),
+	}, nil
+}

vendor/modules.txt

@@ -1483,7 +1483,7 @@ k8s.io/utils/trace
 ## explicit; go 1.24.0
 knative.dev/caching/pkg/apis/caching
 knative.dev/caching/pkg/apis/caching/v1alpha1
-# knative.dev/eventing v0.46.1-0.20250909143134-e804605aa34a
+# knative.dev/eventing v0.46.1-0.20250910170819-d5e9973e559b
 ## explicit; go 1.24.0
 knative.dev/eventing/cmd/heartbeats
 knative.dev/eventing/pkg/apis
@@ -1714,7 +1714,7 @@ knative.dev/reconciler-test/pkg/resources/service
 knative.dev/reconciler-test/pkg/resources/serviceaccount
 knative.dev/reconciler-test/pkg/state
 knative.dev/reconciler-test/resources/certificate
-# knative.dev/serving v0.46.1-0.20250909224032-a87c794330dc
+# knative.dev/serving v0.46.1-0.20250910032334-93577e9cb30c
 ## explicit; go 1.24.0
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1