upgrade to latest dependencies (#16423)

bumping k8s.io/apiextensions-apiserver 6b81add...79000f4:
  > 79000f4 Update dependencies to v0.35.2 tag
bumping k8s.io/code-generator cf6ffee...df367fb:
  > df367fb Update dependencies to v0.35.2 tag
bumping k8s.io/api 4aa217d...8a137cd:
  > 8a137cd Update dependencies to v0.35.2 tag
bumping k8s.io/apimachinery 72d71ea...72d71ea:
bumping k8s.io/client-go b464ad8...a21b329:
  > a21b329 Update dependencies to v0.35.2 tag
bumping knative.dev/pkg b239e96...1f39e94:
  > 1f39e94 Bump golang.org/x/net from 0.50.0 to 0.51.0 in the golang-x group (# 3326)
  > 08c9466 Bump the k8s group with 5 updates (# 3325)
  > f62171b feat: add shared tls package for reading TLS config from environment (# 3324)
bumping golang.org/x/net ebddb99...60b3f6f:
  > 60b3f6f internal/http3: prevent Server handler from writing longer body than declared
  > b0ca456 internal/http3: fix Write in Server Handler returning the wrong value
  > 1558ba7 publicsuffix: update to 2026-02-06
  > 4e1c745 internal/http3: make Server response include headers that can be inferred
  > 19f580f http2: fix nil panic in typeFrameParser for unassigned frame types
  > 818aad7 internal/http3: add server to client trailer header support
  > c1bbe1a internal/http3: add client to server trailer header support
  > 29181b8 all: remove go1.25 and older build constraints
  > 8109305 all: upgrade go directive to at least 1.25.0 [generated]
  > 0b37bdf quic: don't run TestStreamsCreateConcurrency in synctest bubble
  > 9095c1c internal/http3: more robust handling of request & response with no body

Signed-off-by: Knative Automation <automation@knative.team>

Author: knative-automation

go.mod

@@ -29,17 +29,17 @@ require (
 	golang.org/x/time v0.10.0
 	google.golang.org/api v0.198.0
 	google.golang.org/grpc v1.78.0
-	k8s.io/api v0.35.1
-	k8s.io/apiextensions-apiserver v0.35.1
-	k8s.io/apimachinery v0.35.1
-	k8s.io/client-go v0.35.1
-	k8s.io/code-generator v0.35.1
+	k8s.io/api v0.35.2
+	k8s.io/apiextensions-apiserver v0.35.2
+	k8s.io/apimachinery v0.35.2
+	k8s.io/client-go v0.35.2
+	k8s.io/code-generator v0.35.2
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
 	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 	knative.dev/caching v0.0.0-20260223015057-21f97c7d8048
 	knative.dev/hack v0.0.0-20260212092700-0126b283bf20
 	knative.dev/networking v0.0.0-20260223015858-080d52fcffb4
-	knative.dev/pkg v0.0.0-20260225113719-b239e967f175
+	knative.dev/pkg v0.0.0-20260302190359-1f39e94ef003
 	sigs.k8s.io/randfill v1.0.0
 	sigs.k8s.io/yaml v1.6.0
 )
@@ -148,7 +148,7 @@ require (
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/crypto v0.48.0 // indirect
 	golang.org/x/mod v0.33.0 // indirect
-	golang.org/x/net v0.50.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
 	golang.org/x/oauth2 v0.34.0 // indirect
 	golang.org/x/term v0.40.0 // indirect
 	golang.org/x/text v0.34.0 // indirect

go.sum

@@ -401,8 +401,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
 golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
@@ -521,16 +521,16 @@ gotest.tools/v3 v3.1.0 h1:rVV8Tcg/8jHUkPUorwjaMTtemIMVXfIPKiOqnhEhakk=
 gotest.tools/v3 v3.1.0/go.mod h1:fHy7eyTmJFO5bQbUsEGQ1v4m2J3Jz9eWL54TP2/ZuYQ=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.35.1 h1:0PO/1FhlK/EQNVK5+txc4FuhQibV25VLSdLMmGpDE/Q=
-k8s.io/api v0.35.1/go.mod h1:28uR9xlXWml9eT0uaGo6y71xK86JBELShLy4wR1XtxM=
-k8s.io/apiextensions-apiserver v0.35.1 h1:p5vvALkknlOcAqARwjS20kJffgzHqwyQRM8vHLwgU7w=
-k8s.io/apiextensions-apiserver v0.35.1/go.mod h1:2CN4fe1GZ3HMe4wBr25qXyJnJyZaquy4nNlNmb3R7AQ=
-k8s.io/apimachinery v0.35.1 h1:yxO6gV555P1YV0SANtnTjXYfiivaTPvCTKX6w6qdDsU=
-k8s.io/apimachinery v0.35.1/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
-k8s.io/client-go v0.35.1 h1:+eSfZHwuo/I19PaSxqumjqZ9l5XiTEKbIaJ+j1wLcLM=
-k8s.io/client-go v0.35.1/go.mod h1:1p1KxDt3a0ruRfc/pG4qT/3oHmUj1AhSHEcxNSGg+OA=
-k8s.io/code-generator v0.35.1 h1:yLKR2la7Z9cWT5qmk67ayx8xXLM4RRKQMnC8YPvTWRI=
-k8s.io/code-generator v0.35.1/go.mod h1:F2Fhm7aA69tC/VkMXLDokdovltXEF026Tb9yfQXQWKg=
+k8s.io/api v0.35.2 h1:tW7mWc2RpxW7HS4CoRXhtYHSzme1PN1UjGHJ1bdrtdw=
+k8s.io/api v0.35.2/go.mod h1:7AJfqGoAZcwSFhOjcGM7WV05QxMMgUaChNfLTXDRE60=
+k8s.io/apiextensions-apiserver v0.35.2 h1:iyStXHoJZsUXPh/nFAsjC29rjJWdSgUmG1XpApE29c0=
+k8s.io/apiextensions-apiserver v0.35.2/go.mod h1:OdyGvcO1FtMDWQ+rRh/Ei3b6X3g2+ZDHd0MSRGeS8rU=
+k8s.io/apimachinery v0.35.2 h1:NqsM/mmZA7sHW02JZ9RTtk3wInRgbVxL8MPfzSANAK8=
+k8s.io/apimachinery v0.35.2/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
+k8s.io/client-go v0.35.2 h1:YUfPefdGJA4aljDdayAXkc98DnPkIetMl4PrKX97W9o=
+k8s.io/client-go v0.35.2/go.mod h1:4QqEwh4oQpeK8AaefZ0jwTFJw/9kIjdQi0jpKeYvz7g=
+k8s.io/code-generator v0.35.2 h1:3874swbO2c26VWTf6lKD4NWGyHIfyBeTCk7caCG3TuU=
+k8s.io/code-generator v0.35.2/go.mod h1:id4XLCm0yAQq5nlvyfAKibMOKnMjzlesAwGw6kM3Adc=
 k8s.io/gengo v0.0.0-20201203183100-97869a43a9d9/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/gengo v0.0.0-20240404160639-a0386bf69313 h1:wBIDZID8ju9pwOiLlV22YYKjFGtiNSWgHf5CnKLRUuM=
 k8s.io/gengo v0.0.0-20240404160639-a0386bf69313/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
@@ -552,8 +552,8 @@ knative.dev/hack v0.0.0-20260212092700-0126b283bf20 h1:Ocya6ILPQxGrozD5gPELC4J2A
 knative.dev/hack v0.0.0-20260212092700-0126b283bf20/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0=
 knative.dev/networking v0.0.0-20260223015858-080d52fcffb4 h1:ZXE3pdtSPB0quCfAFUodFT+VsT2Xaoqdj4r//O+zk18=
 knative.dev/networking v0.0.0-20260223015858-080d52fcffb4/go.mod h1:ITVa/pZZpgmev4E64KDICg9ZC87YLulpF4J8iMgons4=
-knative.dev/pkg v0.0.0-20260225113719-b239e967f175 h1:xqlcqilSLcKK7FgKiKxSQir4FQsGv/liewPe8VzaiGk=
-knative.dev/pkg v0.0.0-20260225113719-b239e967f175/go.mod h1:M6o085LfZ+8XgJkNI5NI8jwEfYSUfjUWb6bJ5E1MD4A=
+knative.dev/pkg v0.0.0-20260302190359-1f39e94ef003 h1:VG+CUgVKm+mLEudP16wLj++xDM2PuVFeua9+MLLBUa8=
+knative.dev/pkg v0.0.0-20260302190359-1f39e94ef003/go.mod h1:mV8s7Uc92am8byZSJPIaVm1NBr0h8vsFL+sEEvMoBbk=
 pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
 pgregory.net/rapid v1.1.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
 sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM=

vendor/golang.org/x/net/http2/frame.go

@@ -0,0 +1,176 @@
+/*
+Copyright 2026 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tls
+
+import (
+	cryptotls "crypto/tls"
+	"fmt"
+	"os"
+	"strings"
+)
+
+// Environment variable name suffixes for TLS configuration.
+// Use with a prefix to namespace them, e.g. "WEBHOOK_" + MinVersionEnvKey
+// reads the WEBHOOK_TLS_MIN_VERSION variable.
+const (
+	MinVersionEnvKey       = "TLS_MIN_VERSION"
+	MaxVersionEnvKey       = "TLS_MAX_VERSION"
+	CipherSuitesEnvKey     = "TLS_CIPHER_SUITES"
+	CurvePreferencesEnvKey = "TLS_CURVE_PREFERENCES"
+)
+
+// Config holds parsed TLS configuration values that can be used
+// to build a *crypto/tls.Config.
+type Config struct {
+	MinVersion       uint16
+	MaxVersion       uint16
+	CipherSuites     []uint16
+	CurvePreferences []cryptotls.CurveID
+}
+
+// NewConfigFromEnv reads TLS configuration from environment variables and
+// returns a Config. The prefix is prepended to each standard env-var suffix;
+// for example with prefix "WEBHOOK_" the function reads
+// WEBHOOK_TLS_MIN_VERSION, WEBHOOK_TLS_MAX_VERSION, etc.
+// Fields whose corresponding env var is unset are left at their zero value.
+func NewConfigFromEnv(prefix string) (*Config, error) {
+	var cfg Config
+
+	if v := os.Getenv(prefix + MinVersionEnvKey); v != "" {
+		ver, err := parseVersion(v)
+		if err != nil {
+			return nil, fmt.Errorf("invalid %s%s %q: %w", prefix, MinVersionEnvKey, v, err)
+		}
+		cfg.MinVersion = ver
+	}
+
+	if v := os.Getenv(prefix + MaxVersionEnvKey); v != "" {
+		ver, err := parseVersion(v)
+		if err != nil {
+			return nil, fmt.Errorf("invalid %s%s %q: %w", prefix, MaxVersionEnvKey, v, err)
+		}
+		cfg.MaxVersion = ver
+	}
+
+	if v := os.Getenv(prefix + CipherSuitesEnvKey); v != "" {
+		suites, err := parseCipherSuites(v)
+		if err != nil {
+			return nil, fmt.Errorf("invalid %s%s: %w", prefix, CipherSuitesEnvKey, err)
+		}
+		cfg.CipherSuites = suites
+	}
+
+	if v := os.Getenv(prefix + CurvePreferencesEnvKey); v != "" {
+		curves, err := parseCurvePreferences(v)
+		if err != nil {
+			return nil, fmt.Errorf("invalid %s%s: %w", prefix, CurvePreferencesEnvKey, err)
+		}
+		cfg.CurvePreferences = curves
+	}
+
+	return &cfg, nil
+}
+
+// TLSConfig constructs a *crypto/tls.Config from the parsed configuration.
+// The caller typically adds additional fields such as GetCertificate.
+func (c *Config) TLSConfig() *cryptotls.Config {
+	//nolint:gosec // Min version is caller-configurable; default is TLS 1.3.
+	return &cryptotls.Config{
+		MinVersion:       c.MinVersion,
+		MaxVersion:       c.MaxVersion,
+		CipherSuites:     c.CipherSuites,
+		CurvePreferences: c.CurvePreferences,
+	}
+}
+
+// parseVersion converts a TLS version string to the corresponding
+// crypto/tls constant. Accepted values are "1.2" and "1.3".
+func parseVersion(v string) (uint16, error) {
+	switch v {
+	case "1.2":
+		return cryptotls.VersionTLS12, nil
+	case "1.3":
+		return cryptotls.VersionTLS13, nil
+	default:
+		return 0, fmt.Errorf("unsupported TLS version %q: must be %q or %q", v, "1.2", "1.3")
+	}
+}
+
+// parseCipherSuites parses a comma-separated list of TLS cipher-suite names
+// (e.g. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
+// into a slice of cipher-suite IDs. Names must match those returned by
+// crypto/tls.CipherSuiteName.
+func parseCipherSuites(s string) ([]uint16, error) {
+	lookup := cipherSuiteLookup()
+	parts := strings.Split(s, ",")
+	suites := make([]uint16, 0, len(parts))
+
+	for _, name := range parts {
+		name = strings.TrimSpace(name)
+		if name == "" {
+			continue
+		}
+		id, ok := lookup[name]
+		if !ok {
+			return nil, fmt.Errorf("unknown cipher suite %q", name)
+		}
+		suites = append(suites, id)
+	}
+
+	return suites, nil
+}
+
+// parseCurvePreferences parses a comma-separated list of elliptic-curve names
+// (e.g. "X25519,CurveP256") into a slice of crypto/tls.CurveID values.
+// Both Go constant names (CurveP256) and standard names (P-256) are accepted.
+func parseCurvePreferences(s string) ([]cryptotls.CurveID, error) {
+	parts := strings.Split(s, ",")
+	curves := make([]cryptotls.CurveID, 0, len(parts))
+
+	for _, name := range parts {
+		name = strings.TrimSpace(name)
+		if name == "" {
+			continue
+		}
+		id, ok := curvesByName[name]
+		if !ok {
+			return nil, fmt.Errorf("unknown curve %q", name)
+		}
+		curves = append(curves, id)
+	}
+
+	return curves, nil
+}
+
+func cipherSuiteLookup() map[string]uint16 {
+	m := make(map[string]uint16)
+	for _, cs := range cryptotls.CipherSuites() {
+		m[cs.Name] = cs.ID
+	}
+	return m
+}
+
+var curvesByName = map[string]cryptotls.CurveID{
+	"CurveP256":      cryptotls.CurveP256,
+	"CurveP384":      cryptotls.CurveP384,
+	"CurveP521":      cryptotls.CurveP521,
+	"X25519":         cryptotls.X25519,
+	"X25519MLKEM768": cryptotls.X25519MLKEM768,
+	"P-256":          cryptotls.CurveP256,
+	"P-384":          cryptotls.CurveP384,
+	"P-521":          cryptotls.CurveP521,
+}

vendor/golang.org/x/net/publicsuffix/data/children

@@ -72,6 +72,8 @@ func SecretNameFromEnv(defaultSecretName string) string {
 	return secret
 }
 
+// Deprecated: Use knative.dev/pkg/tls.NewConfigFromEnv instead.
+// TLS configuration is now read automatically inside webhook.New via the shared tls package.
 func TLSMinVersionFromEnv(defaultTLSMinVersion uint16) uint16 {
 	switch tlsMinVersion := os.Getenv(tlsMinVersionEnvKey); tlsMinVersion {
 	case "1.2":

vendor/golang.org/x/net/publicsuffix/data/nodes

@@ -34,6 +34,7 @@ import (
 	"knative.dev/pkg/network"
 	"knative.dev/pkg/network/handlers"
 	"knative.dev/pkg/observability/semconv"
+	knativetls "knative.dev/pkg/tls"
 
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 	"go.opentelemetry.io/otel/attribute"
@@ -48,7 +49,15 @@ import (
 	"knative.dev/pkg/system"
 )
 
-// Options contains the configuration for the webhook
+// Options contains the configuration for the webhook.
+//
+// TLS fields (TLSMinVersion, TLSMaxVersion, TLSCipherSuites, TLSCurvePreferences)
+// are resolved with the following precedence:
+//  1. Values set explicitly in Options (programmatic).
+//  2. WEBHOOK_TLS_* environment variables (WEBHOOK_TLS_MIN_VERSION,
+//     WEBHOOK_TLS_MAX_VERSION, WEBHOOK_TLS_CIPHER_SUITES, WEBHOOK_TLS_CURVE_PREFERENCES).
+//  3. Defaults (TLS 1.3 minimum version; zero values for the rest, meaning the
+//     Go standard library picks its defaults).
 type Options struct {
 	// TLSMinVersion contains the minimum TLS version that is acceptable to communicate with the API server.
 	// TLS 1.3 is the minimum version if not specified otherwise.
@@ -182,11 +191,36 @@ func New(
 
 	logger := logging.FromContext(ctx)
 
-	defaultTLSMinVersion := uint16(tls.VersionTLS13)
+	tlsCfg, err := knativetls.NewConfigFromEnv("WEBHOOK_")
+	if err != nil {
+		return nil, fmt.Errorf("reading TLS configuration from environment: %w", err)
+	}
+
+	// Replace the TLS configuration with the one from the environment if not set.
+	// Default to TLS 1.3 as the minimum version when neither the caller nor the
+	// environment specifies one.
 	if opts.TLSMinVersion == 0 {
-		opts.TLSMinVersion = TLSMinVersionFromEnv(defaultTLSMinVersion)
-	} else if opts.TLSMinVersion != tls.VersionTLS12 && opts.TLSMinVersion != tls.VersionTLS13 {
-		return nil, fmt.Errorf("unsupported TLS version: %d", opts.TLSMinVersion)
+		if tlsCfg.MinVersion != 0 {
+			opts.TLSMinVersion = tlsCfg.MinVersion
+		} else {
+			opts.TLSMinVersion = tls.VersionTLS13
+		}
+	}
+	if opts.TLSMaxVersion == 0 && tlsCfg.MaxVersion != 0 {
+		opts.TLSMaxVersion = tlsCfg.MaxVersion
+	}
+	if opts.TLSCipherSuites == nil && len(tlsCfg.CipherSuites) > 0 {
+		opts.TLSCipherSuites = tlsCfg.CipherSuites
+	}
+	if opts.TLSCurvePreferences == nil && len(tlsCfg.CurvePreferences) > 0 {
+		opts.TLSCurvePreferences = tlsCfg.CurvePreferences
+	}
+
+	if opts.TLSMinVersion != 0 && opts.TLSMinVersion != tls.VersionTLS12 && opts.TLSMinVersion != tls.VersionTLS13 {
+		return nil, fmt.Errorf("unsupported TLS minimum version %d: must be TLS 1.2 or TLS 1.3", opts.TLSMinVersion)
+	}
+	if opts.TLSMaxVersion != 0 && opts.TLSMinVersion > opts.TLSMaxVersion {
+		return nil, fmt.Errorf("TLS minimum version (%#x) is greater than maximum version (%#x)", opts.TLSMinVersion, opts.TLSMaxVersion)
 	}
 
 	syncCtx, cancel := context.WithCancel(context.Background())