From 8bd361ef6ecb90e184339bf1a743f02caee22b39 Mon Sep 17 00:00:00 2001 From: Knative Automation Date: Wed, 11 Mar 2026 14:09:59 +0000 Subject: [PATCH] upgrade to latest dependencies bumping knative.dev/client/pkg 8342632...f035c02: > f035c02 upgrade to latest dependencies (# 2154) bumping knative.dev/eventing 104b623...60fa543: > 60fa543 fix: use system.Namespace() instead of hardcoded namespace in broker TLS config (# 8905) > 201aa12 [Automated] Update eventing-eventing-integrations nightly (# 8908) > edc33d0 feat: use centralized TLS configuration from knative/pkg/tls (# 8901) bumping knative.dev/serving d686bb2...f8e91a0: > f8e91a0 Update net-istio nightly (# 16453) > 0d2a677 Update net-contour nightly (# 16451) > b1ac6d9 Update net-kourier nightly (# 16450) Signed-off-by: Knative Automation --- go.mod | 6 +- go.sum | 12 +- .../eventing/pkg/eventingtls/eventingtls.go | 43 ++++- vendor/knative.dev/pkg/network/tls/config.go | 156 ++++++++++++++++++ vendor/knative.dev/pkg/tls/config.go | 39 +++++ vendor/modules.txt | 8 +- 6 files changed, 244 insertions(+), 20 deletions(-) create mode 100644 vendor/knative.dev/pkg/network/tls/config.go create mode 100644 vendor/knative.dev/pkg/tls/config.go diff --git a/go.mod b/go.mod index 39e26ef3..b7b02b4b 100644 --- a/go.mod +++ b/go.mod @@ -13,10 +13,10 @@ require ( k8s.io/api v0.35.2 k8s.io/apimachinery v0.35.2 k8s.io/client-go v0.35.2 - knative.dev/client/pkg v0.0.0-20260310143814-8342632107e5 + knative.dev/client/pkg v0.0.0-20260311023114-f035c02eaa46 knative.dev/hack v0.0.0-20260310014051-c448fdb867e2 knative.dev/networking v0.0.0-20260310141215-8340ed7fd0e1 - knative.dev/serving v0.48.1-0.20260310211214-d686bb2b8684 + knative.dev/serving v0.48.1-0.20260311135821-f8e91a05ce79 ) require ( 
@@ -104,7 +104,7 @@ require ( k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect - knative.dev/eventing v0.48.1-0.20260310120613-104b6237f845 // indirect + knative.dev/eventing v0.48.1-0.20260310212212-60fa543deb11 // indirect knative.dev/pkg v0.0.0-20260310013839-5504026dd1b6 // indirect sigs.k8s.io/gateway-api v1.1.0 // indirect sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect diff --git a/go.sum b/go.sum index 6248f9d3..11e03612 100644 --- a/go.sum +++ b/go.sum 
@@ -303,18 +303,18 @@ k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZ k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -knative.dev/client/pkg v0.0.0-20260310143814-8342632107e5 h1:RPzJ8qcg5h+jyqpA405TqZ9ihyldS4HC3NkrG5WjUFk= -knative.dev/client/pkg v0.0.0-20260310143814-8342632107e5/go.mod h1:PXr4AWXN7zHoK08QV6DCDXi5RbO5OxHFV1MMtZwKkyw= -knative.dev/eventing v0.48.1-0.20260310120613-104b6237f845 h1:i6Dhhq07M5qqgRaYQ1aTcnpAnPGHPMoyd41bc9Dy7UI= -knative.dev/eventing v0.48.1-0.20260310120613-104b6237f845/go.mod h1:nn4erf/DV7kg4qlIjz00JJjqqP6X58PaETGjDgbY8Jo= +knative.dev/client/pkg v0.0.0-20260311023114-f035c02eaa46 h1:XZNod773abFvuMJsQ2M3+AXIsyvHqGd0/gqiDMcLJeY= +knative.dev/client/pkg v0.0.0-20260311023114-f035c02eaa46/go.mod h1:tHLgww7ONbLylf3pFLfUiGY562cR6KFG9veDF9AH4MU= +knative.dev/eventing v0.48.1-0.20260310212212-60fa543deb11 h1:e/PDnLDTeZ1TE60JSlrbg/yu3XnIF7EdWeMh/FMBMXU= +knative.dev/eventing v0.48.1-0.20260310212212-60fa543deb11/go.mod h1:nn4erf/DV7kg4qlIjz00JJjqqP6X58PaETGjDgbY8Jo= knative.dev/hack v0.0.0-20260310014051-c448fdb867e2 h1:b35SGLEp03D8oGf8mE9HBt3yfNgYpAK0fw46hFXs9w4= knative.dev/hack v0.0.0-20260310014051-c448fdb867e2/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0= knative.dev/networking v0.0.0-20260310141215-8340ed7fd0e1 h1:MA7om/7ZLLj7dXmaHTUCoGOgd8AfCCdsKvBPBhPtisg= knative.dev/networking v0.0.0-20260310141215-8340ed7fd0e1/go.mod h1:72PhQ+qnOAwz9FFK8y301eWuiQ6vD9qVUFnDBjNhju8= knative.dev/pkg v0.0.0-20260310013839-5504026dd1b6 h1:oVpQ0Y+FUmRQer8kdqJjQL20KveZa5sCfnBWeJi4nyQ= knative.dev/pkg v0.0.0-20260310013839-5504026dd1b6/go.mod h1:ziEj0TQOWvBw7t/VSkqaZlv++Qk8FfiuI72ZDmv23nI= -knative.dev/serving v0.48.1-0.20260310211214-d686bb2b8684 
h1:rm/iRB2+Gn2C98rZHF8JkmU8Eduvbk+2CrejLWvoYUU= -knative.dev/serving v0.48.1-0.20260310211214-d686bb2b8684/go.mod h1:jdUcDEFlVNOSNTI03zKqx92BIT9Sh+mK0tlZCobXhrs= +knative.dev/serving v0.48.1-0.20260311135821-f8e91a05ce79 h1:7ij6hSu2Qu5NCH9DIv7OhNG6mtrq0xwJPZkwXtwHV4w= +knative.dev/serving v0.48.1-0.20260311135821-f8e91a05ce79/go.mod h1:jdUcDEFlVNOSNTI03zKqx92BIT9Sh+mK0tlZCobXhrs= sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= diff --git a/vendor/knative.dev/eventing/pkg/eventingtls/eventingtls.go b/vendor/knative.dev/eventing/pkg/eventingtls/eventingtls.go index 6e5cd4de..290ca775 100644 --- a/vendor/knative.dev/eventing/pkg/eventingtls/eventingtls.go +++ b/vendor/knative.dev/eventing/pkg/eventingtls/eventingtls.go @@ -39,6 +39,7 @@ import ( duckv1 "knative.dev/pkg/apis/duck/v1" "knative.dev/pkg/controller" "knative.dev/pkg/logging" + pkgtls "knative.dev/pkg/tls" ) const ( @@ -58,6 +59,8 @@ const ( BrokerFilterServerTLSSecretName = "mt-broker-filter-server-tls" //nolint:gosec // This is not a hardcoded credential // BrokerIngressServerTLSSecretName is the name of the tls secret for the broker ingress server BrokerIngressServerTLSSecretName = "mt-broker-ingress-server-tls" //nolint:gosec // This is not a hardcoded credential + // RequestReplyServerTLSSecretName is the name of the tls secret for the request reply server + RequestReplyServerTLSSecretName = "request-reply-server-tls" //nolint:gosec // This is not a hardcoded credential ) type ClientConfig struct { 
@@ -170,10 +173,13 @@ func GetTLSClientConfig(config ClientConfig) (*tls.Config, error) {
 return nil, err
 }
 
- return &tls.Config{
- RootCAs: pool,
- MinVersion: DefaultMinTLSVersion,
- }, nil
+ cfg, err := defaultTLSConfigFromEnv()
+ if err != nil {
+ return nil, err
+ }
+
+ cfg.RootCAs = pool
+ return cfg, nil
 }
 
 func NewDefaultServerConfig() ServerConfig {
@@ -181,10 +187,31 @@ func NewDefaultServerConfig() ServerConfig {
 }
 
 func GetTLSServerConfig(config ServerConfig) (*tls.Config, error) {
- return &tls.Config{
- MinVersion: DefaultMinTLSVersion,
- GetCertificate: config.GetCertificate,
- }, nil
+ cfg, err := defaultTLSConfigFromEnv()
+ if err != nil {
+ return nil, err
+ }
+
+ cfg.GetCertificate = config.GetCertificate
+ return cfg, nil
+}
+
+// defaultTLSConfigFromEnv loads TLS configuration from environment variables
+// using the shared knative/pkg/tls utility. DefaultConfigFromEnv defaults to
+// TLS 1.3, but eventing historically defaults to TLS 1.2, so we fall back to
+// 1.2 unless TLS_MIN_VERSION is explicitly set.
+// TODO: switch to TLS 1.3 to align with the rest of the system.
+func defaultTLSConfigFromEnv() (*tls.Config, error) {
+ cfg, err := pkgtls.DefaultConfigFromEnv("")
+ if err != nil {
+ return nil, fmt.Errorf("failed to load TLS config from env: %w", err)
+ }
+
+ if os.Getenv(pkgtls.MinVersionEnvKey) == "" {
+ cfg.MinVersion = DefaultMinTLSVersion
+ }
+
+ return cfg, nil
 }
 
 // IsHttpsSink returns true if the sink has scheme equal to https.
diff --git a/vendor/knative.dev/pkg/network/tls/config.go b/vendor/knative.dev/pkg/network/tls/config.go
new file mode 100644
index 00000000..6cd205ba
--- /dev/null
+++ b/vendor/knative.dev/pkg/network/tls/config.go
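Review bot: The doc comment on `defaultTLSConfigFromEnv` explains only the TLS 1.2 fallback, yet through `pkgtls.DefaultConfigFromEnv("")` every eventing client and server now also honours the unprefixed `TLS_MAX_VERSION`, `TLS_CIPHER_SUITES` and `TLS_CURVE_PREFERENCES` variables, and nothing in this file says so. That matters here more than in the rest of knative because the fallback keeps TLS 1.2 enabled, which is the only version for which a `TLS_CIPHER_SUITES` list has any effect (crypto/tls ignores `CipherSuites` for TLS 1.3), and because a `TLS_MAX_VERSION` below the chosen minimum is not validated anywhere in this hunk and would surface only as a handshake failure. I would add to the comment: `// Besides the minimum version, the unprefixed TLS_MAX_VERSION, TLS_CIPHER_SUITES and TLS_CURVE_PREFERENCES are honoured; the cipher-suite list only affects TLS 1.2 connections.` The fallback also re-reads the variable with a bare `os.Getenv(pkgtls.MinVersionEnvKey)` while the prefix is passed separately as `""`; deriving both from one local prefix constant would keep them from drifting if a prefix is ever introduced. `GetTLSClientConfig` in the first hunk starts outside the hunk.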
@@ -0,0 +1,156 @@
+/*
+Copyright 2026 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tls
+
+import (
+ cryptotls "crypto/tls"
+ "fmt"
+ "os"
+ "strings"
+)
+
+// Environment variable name suffixes for TLS configuration.
+// Use with a prefix to namespace them, e.g. "WEBHOOK_" + MinVersionEnvKey
+// reads the WEBHOOK_TLS_MIN_VERSION variable.
+const (
+ MinVersionEnvKey = "TLS_MIN_VERSION"
+ MaxVersionEnvKey = "TLS_MAX_VERSION"
+ CipherSuitesEnvKey = "TLS_CIPHER_SUITES"
+ CurvePreferencesEnvKey = "TLS_CURVE_PREFERENCES"
+)
+
+// DefaultConfigFromEnv returns a tls.Config with secure defaults.
+// The prefix is prepended to each standard env-var suffix;
+// for example with prefix "WEBHOOK_" the function reads
+// WEBHOOK_TLS_MIN_VERSION, WEBHOOK_TLS_MAX_VERSION, etc.
+func DefaultConfigFromEnv(prefix string) (*cryptotls.Config, error) {
+ cfg := &cryptotls.Config{
+ MinVersion: cryptotls.VersionTLS13,
+ }
+
+ if v := os.Getenv(prefix + MinVersionEnvKey); v != "" {
+ ver, err := parseVersion(v)
+ if err != nil {
+ return nil, fmt.Errorf("invalid %s%s %q: %w", prefix, MinVersionEnvKey, v, err)
+ }
+ cfg.MinVersion = ver
+ }
+
+ if v := os.Getenv(prefix + MaxVersionEnvKey); v != "" {
+ ver, err := parseVersion(v)
+ if err != nil {
+ return nil, fmt.Errorf("invalid %s%s %q: %w", prefix, MaxVersionEnvKey, v, err)
+ }
+ cfg.MaxVersion = ver
+ }
+
+ if v := os.Getenv(prefix + CipherSuitesEnvKey); v != "" {
+ suites, err := parseCipherSuites(v)
+ if err != nil {
+ return nil, fmt.Errorf("invalid %s%s: %w", prefix, CipherSuitesEnvKey, err)
+ }
+ cfg.CipherSuites = suites
+ }
+
+ if v := os.Getenv(prefix + CurvePreferencesEnvKey); v != "" {
+ curves, err := parseCurvePreferences(v)
+ if err != nil {
+ return nil, fmt.Errorf("invalid %s%s: %w", prefix, CurvePreferencesEnvKey, err)
+ }
+ cfg.CurvePreferences = curves
+ }
+
+ return cfg, nil
+}
+
+// parseVersion converts a TLS version string to the corresponding
+// crypto/tls constant. Accepted values are "1.2" and "1.3".
+func parseVersion(v string) (uint16, error) {
+ switch v {
+ case "1.2":
+ return cryptotls.VersionTLS12, nil
+ case "1.3":
+ return cryptotls.VersionTLS13, nil
+ default:
+ return 0, fmt.Errorf("unsupported TLS version %q: must be %q or %q", v, "1.2", "1.3")
+ }
+}
+
+// parseCipherSuites parses a comma-separated list of TLS cipher-suite names
+// (e.g. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
+// into a slice of cipher-suite IDs. Names must match those returned by
+// crypto/tls.CipherSuiteName.
+func parseCipherSuites(s string) ([]uint16, error) {
+ lookup := cipherSuiteLookup()
+ parts := strings.Split(s, ",")
+ suites := make([]uint16, 0, len(parts))
+
+ for _, name := range parts {
+ name = strings.TrimSpace(name)
+ if name == "" {
+ continue
+ }
+ id, ok := lookup[name]
+ if !ok {
+ return nil, fmt.Errorf("unknown cipher suite %q", name)
+ }
+ suites = append(suites, id)
+ }
+
+ return suites, nil
+}
+
+// parseCurvePreferences parses a comma-separated list of elliptic-curve names
+// (e.g. "X25519,CurveP256") into a slice of crypto/tls.CurveID values.
+// Both Go constant names (CurveP256) and standard names (P-256) are accepted.
+func parseCurvePreferences(s string) ([]cryptotls.CurveID, error) {
+ parts := strings.Split(s, ",")
+ curves := make([]cryptotls.CurveID, 0, len(parts))
+
+ for _, name := range parts {
+ name = strings.TrimSpace(name)
+ if name == "" {
+ continue
+ }
+ id, ok := curvesByName[name]
+ if !ok {
+ return nil, fmt.Errorf("unknown curve %q", name)
+ }
+ curves = append(curves, id)
+ }
+
+ return curves, nil
+}
+
+func cipherSuiteLookup() map[string]uint16 {
+ m := make(map[string]uint16)
+ for _, cs := range cryptotls.CipherSuites() {
+ m[cs.Name] = cs.ID
+ }
+ return m
+}
+
+var curvesByName = map[string]cryptotls.CurveID{
+ "CurveP256": cryptotls.CurveP256,
+ "CurveP384": cryptotls.CurveP384,
+ "CurveP521": cryptotls.CurveP521,
+ "X25519": cryptotls.X25519,
+ "X25519MLKEM768": cryptotls.X25519MLKEM768,
+ "P-256": cryptotls.CurveP256,
+ "P-384": cryptotls.CurveP384,
+ "P-521": cryptotls.CurveP521,
+}
diff --git a/vendor/knative.dev/pkg/tls/config.go b/vendor/knative.dev/pkg/tls/config.go
new file mode 100644
index 00000000..e4d975e0
--- /dev/null
+++ b/vendor/knative.dev/pkg/tls/config.go
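Review bot: `DefaultConfigFromEnv` never checks that `MaxVersion` is at least `MinVersion`, so `TLS_MAX_VERSION=1.2` together with the TLS 1.3 default (no `TLS_MIN_VERSION`) is accepted at startup and only fails later, on every handshake, which is a much harder failure to diagnose than a config error. Separately, `parseCipherSuites` skips blank entries but never requires at least one, so an input like `","` yields an empty non-nil slice that is then assigned to `cfg.CipherSuites`; crypto/tls documents that its safe default list applies only when `CipherSuites` is nil, so this leaves TLS 1.2 with no suites at all (`parseCurvePreferences` has the same shape but Go falls back to default curves for an empty list, so it is harmless there). Both should be rejected at parse time as below, and the `CipherSuitesEnvKey` comment should say that the list applies to TLS 1.2 connections only, since crypto/tls ignores `CipherSuites` for TLS 1.3 — an operator setting it under the 1.3 default is hardening nothing. This file is vendored from knative/pkg, so the change belongs upstream rather than in this repository's vendor tree.
```go
	// … unchanged: MinVersion / MaxVersion parsing …
	if cfg.MaxVersion != 0 && cfg.MaxVersion < cfg.MinVersion {
		return nil, fmt.Errorf("%s%s is lower than %s%s", prefix, MaxVersionEnvKey, prefix, MinVersionEnvKey)
	}
	// … unchanged: cipher suite and curve parsing, return cfg …

	// … unchanged: parseCipherSuites lookup loop …
	if len(suites) == 0 {
		return nil, fmt.Errorf("no cipher suites given")
	}
	return suites, nil
```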
@@ -0,0 +1,39 @@ +/* +Copyright 2026 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Deprecated: Use knative.dev/pkg/network/tls instead. +// This package is kept for backward compatibility and re-exports all +// public symbols from knative.dev/pkg/network/tls. +package tls + +import ( + networktls "knative.dev/pkg/network/tls" +) + +// Deprecated: Use knative.dev/pkg/network/tls.MinVersionEnvKey instead. +const MinVersionEnvKey = networktls.MinVersionEnvKey + +// Deprecated: Use knative.dev/pkg/network/tls.MaxVersionEnvKey instead. +const MaxVersionEnvKey = networktls.MaxVersionEnvKey + +// Deprecated: Use knative.dev/pkg/network/tls.CipherSuitesEnvKey instead. +const CipherSuitesEnvKey = networktls.CipherSuitesEnvKey + +// Deprecated: Use knative.dev/pkg/network/tls.CurvePreferencesEnvKey instead. +const CurvePreferencesEnvKey = networktls.CurvePreferencesEnvKey + +// Deprecated: Use knative.dev/pkg/network/tls.DefaultConfigFromEnv instead. +var DefaultConfigFromEnv = networktls.DefaultConfigFromEnv diff --git a/vendor/modules.txt b/vendor/modules.txt index 04878526..db775017 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -925,7 +925,7 @@ k8s.io/utils/net k8s.io/utils/pointer k8s.io/utils/ptr k8s.io/utils/trace -# knative.dev/client/pkg v0.0.0-20260310143814-8342632107e5 +# knative.dev/client/pkg v0.0.0-20260311023114-f035c02eaa46 ## explicit; go 1.25.0 knative.dev/client/pkg/apis/client knative.dev/client/pkg/apis/client/v1alpha1 
@@ -952,7 +952,7 @@ knative.dev/client/pkg/util/errors knative.dev/client/pkg/util/mock knative.dev/client/pkg/util/test knative.dev/client/pkg/wait -# knative.dev/eventing v0.48.1-0.20260310120613-104b6237f845 +# knative.dev/eventing v0.48.1-0.20260310212212-60fa543deb11 ## explicit; go 1.25.0 knative.dev/eventing/pkg/apis/common/integration/v1alpha1 knative.dev/eventing/pkg/apis/config @@ -1026,6 +1026,7 @@ knative.dev/pkg/leaderelection knative.dev/pkg/logging knative.dev/pkg/logging/logkey knative.dev/pkg/network +knative.dev/pkg/network/tls knative.dev/pkg/observability/attributekey knative.dev/pkg/observability/metrics/k8s knative.dev/pkg/observability/runtime @@ -1042,8 +1043,9 @@ knative.dev/pkg/test/environment knative.dev/pkg/test/ingress knative.dev/pkg/test/logging knative.dev/pkg/test/spoof +knative.dev/pkg/tls knative.dev/pkg/tracker -# knative.dev/serving v0.48.1-0.20260310211214-d686bb2b8684 +# knative.dev/serving v0.48.1-0.20260311135821-f8e91a05ce79 ## explicit; go 1.25.0 knative.dev/serving/pkg/apis/autoscaling knative.dev/serving/pkg/apis/autoscaling/v1alpha1