[release-1.10] TLS minimum version for tag to digest defaults to 1.2 again and is configurable #13963

knative-prow-robot · 2023-05-08T17:16:58Z

This is an automated cherry-pick of #13962

Tag to digest min TLS version is 1.2 and can be configured higher using the controller environment variable `TAG_TO_DIGEST_TLS_MIN_VERSION` and supports values `"1.2"` and `"1.3"`

quay.io only supports 1.2

dprotaso · 2023-05-08T17:19:10Z

/lgtm
/approve

knative-prow · 2023-05-08T17:19:14Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, knative-prow-robot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [dprotaso]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

codecov · 2023-05-08T17:26:30Z

Codecov Report

Patch coverage: 81.81% and project coverage change: -0.02 ⚠️

Comparison is base (2c1bb07) 86.22% compared to head (3a2fc4f) 86.21%.

Additional details and impacted files

@@               Coverage Diff                @@
##           release-1.10   #13963      +/-   ##
================================================
- Coverage         86.22%   86.21%   -0.02%     
================================================
  Files               199      199              
  Lines             14749    14759      +10     
================================================
+ Hits              12718    12724       +6     
- Misses             1729     1733       +4     
  Partials            302      302

Impacted Files	Coverage Δ
pkg/reconciler/revision/resolve.go	`78.00% <81.81%> (+0.50%)`	⬆️

... and 3 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

dprotaso · 2023-05-09T01:44:25Z

/retest

…native#13963) quay.io only supports 1.2 Co-authored-by: dprotaso <[email protected]>

… configurable (knative#13963) (#310) * Min TLS for tag to digest defaults to 1.2 again and is configurable (knative#13963) quay.io only supports 1.2 Co-authored-by: dprotaso <[email protected]> * Add lint check only for openshift specific files --------- Co-authored-by: Knative Prow Robot <[email protected]> Co-authored-by: dprotaso <[email protected]>

* Min TLS for tag to digest defaults to 1.2 again and is configurable (knative#13963) quay.io only supports 1.2 Co-authored-by: dprotaso <[email protected]> * drop safe to evict annotations (knative#14051) this prevents nodes from draining Co-authored-by: dprotaso <[email protected]> * [release-1.10] RandomChoice 2 policy wasn't random when the number of targets is 2 (with equal weight) (knative#14052) * RandomChoice 2 policy wasn't random when the number of targets is 2 * fix linting --------- Co-authored-by: dprotaso <[email protected]> * Sync upstream release --------- Co-authored-by: Knative Prow Robot <[email protected]> Co-authored-by: dprotaso <[email protected]> Co-authored-by: John Doe <johndoe@localhost> Co-authored-by: nak3 <[email protected]>

* Min TLS for tag to digest defaults to 1.2 again and is configurable (knative#13963) quay.io only supports 1.2 Co-authored-by: dprotaso <[email protected]> * drop safe to evict annotations (knative#14051) this prevents nodes from draining Co-authored-by: dprotaso <[email protected]> * [release-1.10] RandomChoice 2 policy wasn't random when the number of targets is 2 (with equal weight) (knative#14052) * RandomChoice 2 policy wasn't random when the number of targets is 2 * fix linting --------- Co-authored-by: dprotaso <[email protected]> * [release-1.10] fix securityContext for Knative Service Pod (user-container and queue-proxy) (knative#14377) * add seccompProfile to queue container security context * run as non root by default * update tests to expect new default run as nonroot * fix perms --------- Co-authored-by: Clay Kauzlaric <[email protected]> Co-authored-by: Dave Protasowski <[email protected]> * Fix secure pod defaults backports --------- Co-authored-by: Knative Prow Robot <[email protected]> Co-authored-by: dprotaso <[email protected]> Co-authored-by: Clay Kauzlaric <[email protected]>

* Min TLS for tag to digest defaults to 1.2 again and is configurable (knative#13963) quay.io only supports 1.2 Co-authored-by: dprotaso <[email protected]> * drop safe to evict annotations (knative#14051) this prevents nodes from draining Co-authored-by: dprotaso <[email protected]> * [release-1.10] RandomChoice 2 policy wasn't random when the number of targets is 2 (with equal weight) (knative#14052) * RandomChoice 2 policy wasn't random when the number of targets is 2 * fix linting --------- Co-authored-by: dprotaso <[email protected]> * [release-1.10] fix securityContext for Knative Service Pod (user-container and queue-proxy) (knative#14377) * add seccompProfile to queue container security context * run as non root by default * update tests to expect new default run as nonroot * fix perms --------- Co-authored-by: Clay Kauzlaric <[email protected]> Co-authored-by: Dave Protasowski <[email protected]> * Leave a comment which will trigger a new dot release (knative#14501) * [release-1.10] bump x/net to v0.17 (knative#14517) * [release-1.10] bump x/net to v0.17 * Re-generate test/config/tls/cert-secret.yaml (knative#14324) * Run hack/upgrade * Update secure-pod-defaults patch * Use a static value for S-O branch --------- Co-authored-by: Knative Prow Robot <[email protected]> Co-authored-by: dprotaso <[email protected]> Co-authored-by: Clay Kauzlaric <[email protected]> Co-authored-by: Kenjiro Nakayama <[email protected]>

* Min TLS for tag to digest defaults to 1.2 again and is configurable (knative#13963) quay.io only supports 1.2 Co-authored-by: dprotaso <[email protected]> * drop safe to evict annotations (knative#14051) this prevents nodes from draining Co-authored-by: dprotaso <[email protected]> * [release-1.10] RandomChoice 2 policy wasn't random when the number of targets is 2 (with equal weight) (knative#14052) * RandomChoice 2 policy wasn't random when the number of targets is 2 * fix linting --------- Co-authored-by: dprotaso <[email protected]> * [release-1.10] fix securityContext for Knative Service Pod (user-container and queue-proxy) (knative#14377) * add seccompProfile to queue container security context * run as non root by default * update tests to expect new default run as nonroot * fix perms --------- Co-authored-by: Clay Kauzlaric <[email protected]> Co-authored-by: Dave Protasowski <[email protected]> * Leave a comment which will trigger a new dot release (knative#14501) * [release-1.10] bump x/net to v0.17 (knative#14517) * [release-1.10] bump x/net to v0.17 * Re-generate test/config/tls/cert-secret.yaml (knative#14324) * Run hack/upgrade * Bound buffer for reading stats (knative#14541) Co-authored-by: Evan Anderson <[email protected]> --------- Co-authored-by: Knative Prow Robot <[email protected]> Co-authored-by: dprotaso <[email protected]> Co-authored-by: Clay Kauzlaric <[email protected]> Co-authored-by: Kenjiro Nakayama <[email protected]> Co-authored-by: Evan Anderson <[email protected]>

Min TLS for tag to digest defaults to 1.2 again and is configurable

3a2fc4f

quay.io only supports 1.2

knative-prow-robot mentioned this pull request May 8, 2023

TLS minimum version for tag to digest defaults to 1.2 again and is configurable #13962

Merged

knative-prow bot added the area/API API objects and controllers label May 8, 2023

knative-prow bot requested review from jsanin-vmw and skonto May 8, 2023 17:17

knative-prow bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 8, 2023

knative-prow bot assigned dprotaso May 8, 2023

knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label May 8, 2023

knative-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 8, 2023

knative-prow bot merged commit fc055b1 into knative:release-1.10 May 9, 2023

k4leung4 mentioned this pull request May 9, 2023

bump knative serving to 0.37.1 chainguard-dev/hakn#121

Merged

nak3 pushed a commit to nak3/serving that referenced this pull request May 10, 2023

Min TLS for tag to digest defaults to 1.2 again and is configurable (k…

8195ce3

…native#13963) quay.io only supports 1.2 Co-authored-by: dprotaso <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[release-1.10] TLS minimum version for tag to digest defaults to 1.2 again and is configurable #13963

[release-1.10] TLS minimum version for tag to digest defaults to 1.2 again and is configurable #13963

knative-prow-robot commented May 8, 2023

dprotaso commented May 8, 2023

knative-prow bot commented May 8, 2023

codecov bot commented May 8, 2023 •

edited

Loading

dprotaso commented May 9, 2023

[release-1.10] TLS minimum version for tag to digest defaults to 1.2 again and is configurable #13963

[release-1.10] TLS minimum version for tag to digest defaults to 1.2 again and is configurable #13963

Conversation

knative-prow-robot commented May 8, 2023

dprotaso commented May 8, 2023

knative-prow bot commented May 8, 2023

codecov bot commented May 8, 2023 • edited Loading

Codecov Report

dprotaso commented May 9, 2023

codecov bot commented May 8, 2023 •

edited

Loading