FORK: use a forked version of knative/pkg

Signed-off-by: Mathew Wicks <5735406+thesuperzapper@users.noreply.github.com>

Author: thesuperzapper

go.mod

@@ -2,6 +2,15 @@ module knative.dev/net-istio
 
 go 1.18
 
+// note, we have forked `knative/pkg` to apply some changes:
+// - https://github.com/deployKF/knative-pkg/tree/fork-1.13
+//
+// to get the pseudo-version of the fork, run:
+// - go get github.com/deployKF/knative-pkg@fork-1.13
+//
+// remember to run `./hack/update-deps.sh` when updating the version
+replace knative.dev/pkg => github.com/deployKF/knative-pkg v0.0.0-20241017230044-3db6060cea05
+
 require (
 github.com/google/go-cmp v0.6.0
 go.uber.org/zap v1.26.0
@@ -14,7 +23,7 @@ require (
 k8s.io/client-go v0.28.5
 knative.dev/hack v0.0.0-20240123162936-f3f03ac0ab1a
 knative.dev/networking v0.0.0-20240116081125-ce0738abf051
-knative.dev/pkg v0.0.0-20240116073220-b488e7be5902
+knative.dev/pkg v0.0.0
 )
 
 require (

go.sum

@@ -68,6 +68,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/deployKF/knative-pkg v0.0.0-20241017230044-3db6060cea05 h1:lKPkJxVmxhvhnfZRdCBL+MuX7Ca/vP3XNHG/A1kG5N4=
+github.com/deployKF/knative-pkg v0.0.0-20241017230044-3db6060cea05/go.mod h1:NYk8mMYoLkO7CQWnNkti4YGGnvLxN6MIDbUvtgeo0C0=
 github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE=
 github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -691,8 +693,6 @@ knative.dev/hack v0.0.0-20240123162936-f3f03ac0ab1a h1:+4Mdk0Lt3LGAVEI6vYyhfjBlV
 knative.dev/hack v0.0.0-20240123162936-f3f03ac0ab1a/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
 knative.dev/networking v0.0.0-20240116081125-ce0738abf051 h1:bTRVfwmfu4/7U1YBcgBl1VANAwmal6zkoAI9p7PQwDY=
 knative.dev/networking v0.0.0-20240116081125-ce0738abf051/go.mod h1:rdzGL1OVP6VItEiJUN/FTCrDnIzkA6ykhSvaK+0Ne6o=
-knative.dev/pkg v0.0.0-20240116073220-b488e7be5902 h1:H6+JJN23fhwYWCHY1339sY6uhIyoUwDy1a8dN233fdk=
-knative.dev/pkg v0.0.0-20240116073220-b488e7be5902/go.mod h1:NYk8mMYoLkO7CQWnNkti4YGGnvLxN6MIDbUvtgeo0C0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

vendor/knative.dev/pkg/webhook/configmaps/configmaps.go

@@ -58,7 +58,8 @@ type reconciler struct {
 vwhlister admissionlisters.ValidatingWebhookConfigurationLister
 secretlister corelisters.SecretLister
 
-secretName string
+secretName string
+disableNamespaceOwnership bool
 }
 
 var _ controller.Reconciler = (*reconciler)(nil)
@@ -136,13 +137,15 @@ func (ac *reconciler) reconcileValidatingWebhook(ctx context.Context, caCert []b
 
 webhook := configuredWebhook.DeepCopy()
 
-// Set the owner to namespace.
-ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
-if err != nil {
-return fmt.Errorf("failed to fetch namespace: %w", err)
+if !ac.disableNamespaceOwnership {
+// Set the owner to namespace.
+ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
+if err != nil {
+return fmt.Errorf("failed to fetch namespace: %w", err)
+}
+nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+webhook.OwnerReferences = []metav1.OwnerReference{nsRef}
 }
-nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
-webhook.OwnerReferences = []metav1.OwnerReference{nsRef}
 
 for i, wh := range webhook.Webhooks {
 if wh.Name != webhook.Name {

vendor/knative.dev/pkg/webhook/configmaps/controller.go

@@ -47,6 +47,12 @@ func NewAdmissionController(
 secretInformer := secretinformer.Get(ctx)
 options := webhook.GetOptions(ctx)
 
+// if this environment variable is set, it overrides the value in the Options
+disableNamespaceOwnership := webhook.DisableNamespaceOwnershipFromEnv()
+if disableNamespaceOwnership != nil {
+options.DisableNamespaceOwnership = *disableNamespaceOwnership
+}
+
 key := types.NamespacedName{Name: name}
 
 wh := &reconciler{
@@ -61,8 +67,9 @@ func NewAdmissionController(
 key: key,
 path: path,
 
-constructors: make(map[string]reflect.Value),
-secretName: options.SecretName,
+constructors: make(map[string]reflect.Value),
+secretName: options.SecretName,
+disableNamespaceOwnership: options.DisableNamespaceOwnership,
 
 client: client,
 vwhlister: vwhInformer.Lister(),

vendor/knative.dev/pkg/webhook/env.go

@@ -32,6 +32,8 @@ const (
 secretNameEnvKey = "WEBHOOK_SECRET_NAME" //nolint:gosec // This is not a hardcoded credential
 
 tlsMinVersionEnvKey = "WEBHOOK_TLS_MIN_VERSION"
+
+disableNamespaceOwnershipEnvKey = "WEBHOOK_DISABLE_NAMESPACE_OWNERSHIP"
 )
 
 // PortFromEnv returns the webhook port set by portEnvKey, or default port if env var is not set.
@@ -82,3 +84,15 @@ func TLSMinVersionFromEnv(defaultTLSMinVersion uint16) uint16 {
 panic(fmt.Sprintf("the environment variable %q has to be either '1.2' or '1.3'", tlsMinVersionEnvKey))
 }
 }
+
+func DisableNamespaceOwnershipFromEnv() *bool {
+disableNamespaceOwnership := os.Getenv(disableNamespaceOwnershipEnvKey)
+if disableNamespaceOwnership == "" {
+return nil
+}
+disableNamespaceOwnershipBool, err := strconv.ParseBool(disableNamespaceOwnership)
+if err != nil {
+panic(fmt.Sprintf("failed to convert the environment variable %q : %v", disableNamespaceOwnershipEnvKey, err))
+}
+return &disableNamespaceOwnershipBool
+}

vendor/knative.dev/pkg/webhook/resourcesemantics/defaulting/controller.go

@@ -85,6 +85,12 @@ func newController(ctx context.Context, name string, optsFunc ...OptionFunc) *co
 f(opts)
 }
 
+// if this environment variable is set, it overrides the value in the Options
+disableNamespaceOwnership := webhook.DisableNamespaceOwnershipFromEnv()
+if disableNamespaceOwnership != nil {
+wopts.DisableNamespaceOwnership = *disableNamespaceOwnership
+}
+
 key := types.NamespacedName{Name: name}
 
 wh := &reconciler{
@@ -101,9 +107,10 @@ func newController(ctx context.Context, name string, optsFunc ...OptionFunc) *co
 handlers: opts.types,
 callbacks: opts.callbacks,
 
-withContext: opts.wc,
-disallowUnknownFields: opts.disallowUnknownFields,
-secretName: wopts.SecretName,
+withContext: opts.wc,
+disallowUnknownFields: opts.disallowUnknownFields,
+secretName: wopts.SecretName,
+disableNamespaceOwnership: wopts.DisableNamespaceOwnership,
 
 client: client,
 mwhlister: mwhInformer.Lister(),

vendor/knative.dev/pkg/webhook/resourcesemantics/defaulting/defaulting.go

@@ -69,8 +69,9 @@ type reconciler struct {
 mwhlister admissionlisters.MutatingWebhookConfigurationLister
 secretlister corelisters.SecretLister
 
-disallowUnknownFields bool
-secretName string
+disallowUnknownFields bool
+secretName string
+disableNamespaceOwnership bool
 }
 
 // CallbackFunc is the function to be invoked.
@@ -216,12 +217,14 @@ func (ac *reconciler) reconcileMutatingWebhook(ctx context.Context, caCert []byt
 
 current := configuredWebhook.DeepCopy()
 
-ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
-if err != nil {
-return fmt.Errorf("failed to fetch namespace: %w", err)
+if !ac.disableNamespaceOwnership {
+ns, err := ac.client.CoreV1().Namespaces().Get(ctx, system.Namespace(), metav1.GetOptions{})
+if err != nil {
+return fmt.Errorf("failed to fetch namespace: %w", err)
+}
+nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
+current.OwnerReferences = []metav1.OwnerReference{nsRef}
 }
-nsRef := *metav1.NewControllerRef(ns, corev1.SchemeGroupVersion.WithKind("Namespace"))
-current.OwnerReferences = []metav1.OwnerReference{nsRef}
 
 for i, wh := range current.Webhooks {
 if wh.Name != current.Name {

vendor/knative.dev/pkg/webhook/webhook.go

@@ -78,6 +78,12 @@ type Options struct {
 // before shutting down.
 GracePeriod time.Duration
 
+// DisableNamespaceOwnership configures if the SYSTEM_NAMESPACE is added as an owner reference to the
+// webhook configuration resources. Overridden by the WEBHOOK_DISABLE_NAMESPACE_OWNERSHIP environment variable.
+// Disabling can be useful to avoid breaking systems that expect ownership to indicate a true controller
+// relationship: https://github.com/knative/serving/issues/15483
+DisableNamespaceOwnership bool
+
 // ControllerOptions encapsulates options for creating a new controller,
 // including throttling and stats behavior.
 ControllerOptions *controller.ControllerOptions

vendor/modules.txt

@@ -970,7 +970,7 @@ knative.dev/networking/test/test_images/runtime/handlers
 knative.dev/networking/test/test_images/timeout
 knative.dev/networking/test/test_images/wsserver
 knative.dev/networking/test/types
-# knative.dev/pkg v0.0.0-20240116073220-b488e7be5902
+# knative.dev/pkg v0.0.0 => github.com/deployKF/knative-pkg v0.0.0-20241017230044-3db6060cea05
 ## explicit; go 1.18
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck
@@ -1066,3 +1066,4 @@ sigs.k8s.io/structured-merge-diff/v4/value
 ## explicit; go 1.12
 sigs.k8s.io/yaml
 sigs.k8s.io/yaml/goyaml.v2
+# knative.dev/pkg => github.com/deployKF/knative-pkg v0.0.0-20241017230044-3db6060cea05