Release 1.9 firecracker

OWNERS

@@ -2,7 +2,6 @@
 
 approvers:
 - knative-release-leads
-- networking-wg-leads
 - technical-oversight-committee
 - serving-wg-leads
 - serving-writers

OWNERS_ALIASES

@@ -2,8 +2,6 @@
 # Do not modify this file, instead modify peribolos/knative.yaml
 
 aliases:
-  api-core-wg-leads:
-  - dprotaso
   client-reviewers:
   - itsmurugappan
   client-wg-leads:
@@ -17,14 +15,11 @@ aliases:
   - rhuss
   - vyasgun
   conformance-task-force-leads:
-  - omerbensaadon
   - salaboy
   conformance-writers:
-  - omerbensaadon
   - salaboy
   docs-reviewers:
   - nainaz
-  - omerbensaadon
   - pmbanugo
   - snneji
   docs-wg-leads:
@@ -89,94 +84,53 @@ aliases:
   - knative-prow-robot
   - knative-prow-updater-robot
   - knative-test-reporter-robot
-  networking-reviewers:
-  - JRBANCEL
-  - ZhiminXiang
-  - andrew-su
-  - carlisia
-  - nak3
-  - tcnghia
-  - vagababov
-  - yanweiguo
-  networking-wg-leads: []
-  networking-writers:
-  - JRBANCEL
-  - vagababov
   operations-reviewers:
-  - Cynocracy
   - aliok
   - houshengbo
-  - jcrossley3
   - matzew
   - maximilien
   operations-wg-leads:
   - houshengbo
   operations-writers:
-  - Cynocracy
   - aliok
   - houshengbo
-  - jcrossley3
   - matzew
   - maximilien
-  pkg-configmap-reviewers:
-  - dprotaso
-  - mattmoor
-  - vagababov
-  pkg-configmap-writers:
-  - dprotaso
-  - mattmoor
-  - vagababov
-  pkg-controller-reviewers:
-  - dprotaso
-  - mattmoor
-  - tcnghia
-  - vagababov
-  pkg-controller-writers:
-  - dprotaso
-  - mattmoor
-  - tcnghia
-  - vagababov
   productivity-leads:
   - kvmware
   - upodroid
   productivity-reviewers:
   - evankanderson
   - mgencur
-  - shinigambit
   productivity-wg-leads:
   - kvmware
   - upodroid
   productivity-writers:
   - cardil
-  - chaodaiG
-  - coryrc
   - kvmware
   - psschwei
   - upodroid
   security-wg-leads:
   - evankanderson
   security-writers:
   - evankanderson
-  serving-observability-reviewers:
-  - skonto
-  - yanweiguo
-  serving-observability-writers:
-  - yanweiguo
+  serving-approvers:
+  - nak3
   serving-reviewers:
+  - KauzClay
   - carlisia
-  - julz
-  - nader-ziada
-  - psschwei
+  - izabelacg
+  - jsanin-vmw
+  - kauana
+  - retocode
   - skonto
   serving-wg-leads:
   - dprotaso
   - psschwei
   serving-writers:
   - dprotaso
-  - julz
+  - nak3
   - psschwei
-  - tcnghia
-  - vagababov
   steering-committee:
   - csantanapr
   - itsmurugappan

README.md

@@ -4,7 +4,7 @@
 [![Go Report Card](https://goreportcard.com/badge/knative/serving)](https://goreportcard.com/report/knative/serving)
 [![Releases](https://img.shields.io/github/release-pre/knative/serving.svg?sort=semver)](https://github.com/knative/serving/releases)
 [![LICENSE](https://img.shields.io/github/license/knative/serving.svg)](https://github.com/knative/serving/blob/main/LICENSE)
-[![Slack Status](https://img.shields.io/badge/slack-join_chat-white.svg?logo=slack&style=social)](https://knative.slack.com)
+[![Slack Status](https://img.shields.io/badge/slack-join_chat-white.svg?logo=slack&style=social)](https://cloud-native.slack.com/archives/C04LGHDR9K7)
 [![codecov](https://codecov.io/gh/knative/serving/branch/main/graph/badge.svg)](https://codecov.io/gh/knative/serving)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5913/badge)](https://bestpractices.coreinfrastructure.org/projects/5913)
 

cmd/OWNERS

@@ -1,10 +1,4 @@
 # The OWNERS file is used by prow to automatically merge approved PRs.
 
-approvers:
-- serving-writers
-
-reviewers:
-- serving-reviewers
-
 labels:
 - area/API

cmd/activator/OWNERS

@@ -1,13 +1,5 @@
 # The OWNERS file is used by prow to automatically merge approved PRs.
 
-approvers:
-- serving-writers
-- networking-writers
-
-reviewers:
-- serving-reviewers
-- networking-reviewers
-
 labels:
 - area/autoscale
 - area/networking

cmd/queue/OWNERS

@@ -1,13 +1,5 @@
 # The OWNERS file is used by prow to automatically merge approved PRs.
 
-approvers:
-- serving-writers
-- networking-writers
-
-reviewers:
-- serving-reviewers
-- networking-reviewers
-
 labels:
 - area/autoscale
 - area/networking

cmd/webhook/OWNERS

@@ -1,10 +1,4 @@
 # The OWNERS file is used by prow to automatically merge approved PRs.
 
-approvers:
-- serving-writers
-
-reviewers:
-- serving-reviewers
-
 labels:
 - area/API

docs/encryption/encryption-overview.md

@@ -0,0 +1,21 @@
+# Knative Serving Encryption
+There are two layers where Knative Serving can provide encryption
+* HTTPS on the ingress layer to the cluster
+* HTTPS on the cluster internal components
+
+## Visualization
+![Visualization of Knative encryption](./encryption-overview.drawio.svg)
+
+## HTTPS on the ingress layer
+On this layer Knative Serving provides two modes:
+* Provide certificates manually, refer to the [existing docs](https://knative.dev/docs/serving/using-a-tls-cert/).
+* Provide certificates automatically using `cert-manager`, refer to the [existing docs](https://knative.dev/docs/serving/using-auto-tls/).
+
+
+## HTTPS on the cluster internal components
+**Warning: Alpha feature**
+
+This is currently `work-in-progress` and tracked in https://github.com/knative/serving/issues/11906. You can experiment with this feature using:
+* an ingress layer that already supports the feature (e.g. Kourier or Contour)
+* Set `internal-encryption: "true"` in the `config-network` configmap
+

go.mod

@@ -32,11 +32,11 @@ require (
 	k8s.io/code-generator v0.25.4
 	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1
 	k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2
-	knative.dev/caching v0.0.0-20230117184756-7a31fded064a
-	knative.dev/control-protocol v0.0.0-20230120194803-cffe2086fdab
-	knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9
-	knative.dev/networking v0.0.0-20230123233838-db2bcbea2560
-	knative.dev/pkg v0.0.0-20230117181655-247510c00e9d
+	knative.dev/caching v0.0.0-20230207014047-264c897f4047
+	knative.dev/control-protocol v0.0.0-20230207132547-1ce43d662d86
+	knative.dev/hack v0.0.0-20230207150947-549c3605c670
+	knative.dev/networking v0.0.0-20230207014849-2473e65d6920
+	knative.dev/pkg v0.0.0-20230207013346-decc1cc0acad
 	sigs.k8s.io/yaml v1.3.0
 )
 

go.sum

@@ -1656,16 +1656,16 @@ k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkI
 k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/caching v0.0.0-20230117184756-7a31fded064a h1:n81BoBoyVCEC8wvHz1gg5FzxhJh8kJmCSbMPm9FfAUY=
-knative.dev/caching v0.0.0-20230117184756-7a31fded064a/go.mod h1:9dANNPrOu2VYjha0hNAN82kO4NrIhiLBMmrZ9PTFeUI=
-knative.dev/control-protocol v0.0.0-20230120194803-cffe2086fdab h1:h6eqN3GvBYgnGzv681l0SBKoM0JLv7WMB8bAnvbr7b4=
-knative.dev/control-protocol v0.0.0-20230120194803-cffe2086fdab/go.mod h1:BPH2Zj2XHBrPKgTBNTxKiz6KMzc9Eyt1O7N7fMiVyfQ=
-knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9 h1:CDa7s9KspEZqPhk7cN68ZypRLuAvSgr+knoOaXSsrHk=
-knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/networking v0.0.0-20230123233838-db2bcbea2560 h1:iprdS5tKTXtgV9dGryuwJJJTTdl5LusCHOelKdezR3I=
-knative.dev/networking v0.0.0-20230123233838-db2bcbea2560/go.mod h1:rn1yRurhkxmSFkpqs/YdG7b9DiYj0VlmLFzBdOQjpOo=
-knative.dev/pkg v0.0.0-20230117181655-247510c00e9d h1:pjKDcvHoMib8nRp56eISRmMj/pFMzJljnzvMvGCIReI=
-knative.dev/pkg v0.0.0-20230117181655-247510c00e9d/go.mod h1:VO/fcEsq43seuONRQxZyftWHjpMabYzRHDtpSEQ/eoQ=
+knative.dev/caching v0.0.0-20230207014047-264c897f4047 h1:/dVs+vl1+qEtTDCtB7djPyFDMLkI3cBxZXhOF+nvDJ8=
+knative.dev/caching v0.0.0-20230207014047-264c897f4047/go.mod h1:9dANNPrOu2VYjha0hNAN82kO4NrIhiLBMmrZ9PTFeUI=
+knative.dev/control-protocol v0.0.0-20230207132547-1ce43d662d86 h1:tVRHOEN40dSTYqgqEsYBZsQNikAYTn6OUP65JPEiXXo=
+knative.dev/control-protocol v0.0.0-20230207132547-1ce43d662d86/go.mod h1:BPH2Zj2XHBrPKgTBNTxKiz6KMzc9Eyt1O7N7fMiVyfQ=
+knative.dev/hack v0.0.0-20230207150947-549c3605c670 h1:1+DsejqC6ex9vq8kS9blFqsr/FEpSTR1hRdtFAm/iEA=
+knative.dev/hack v0.0.0-20230207150947-549c3605c670/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
+knative.dev/networking v0.0.0-20230207014849-2473e65d6920 h1:NN7Fr0MVyYhAbGntBXcwLNc4nCAfg3I4pn1FXc5CLiQ=
+knative.dev/networking v0.0.0-20230207014849-2473e65d6920/go.mod h1:rn1yRurhkxmSFkpqs/YdG7b9DiYj0VlmLFzBdOQjpOo=
+knative.dev/pkg v0.0.0-20230207013346-decc1cc0acad h1:jedK7bc5p5KtxJ5/qGvV3xtYuyddci/F8cynxyyOI6c=
+knative.dev/pkg v0.0.0-20230207013346-decc1cc0acad/go.mod h1:VO/fcEsq43seuONRQxZyftWHjpMabYzRHDtpSEQ/eoQ=
 mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=
 mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc=
 mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4=

pkg/activator/OWNERS

@@ -1,13 +1,5 @@
 # The OWNERS file is used by prow to automatically merge approved PRs.
 
-approvers:
-- serving-writers
-- networking-writers
-
-reviewers:
-- serving-reviewers
-- networking-reviewers
-
 labels:
 - area/autoscale
 - area/networking

pkg/http/OWNERS

@@ -1,10 +1,4 @@
 # The OWNERS file is used by prow to automatically merge approved PRs.
 
-approvers:
-- networking-writers
-
-reviewers:
-- networking-reviewers
-
 labels:
 - area/networking

pkg/logging/OWNERS

@@ -1,10 +1,4 @@
 # The OWNERS file is used by prow to automatically merge approved PRs.
 
-approvers:
-- serving-observability-writers
-
-reviewers:
-- serving-observability-reviewers
-
 labels:
 - area/monitoring

pkg/metrics/OWNERS

@@ -1,12 +1,4 @@
 # The OWNERS file is used by prow to automatically merge approved PRs.
 
-approvers:
-- serving-observability-writers
-- serving-wg-leads
-- networking-wg-leads
-
-reviewers:
-- serving-observability-reviewers
-
 labels:
 - area/monitoring

pkg/queue/OWNERS

@@ -1,13 +1,5 @@
 # The OWNERS file is used by prow to automatically merge approved PRs.
 
-approvers:
-- serving-writers
-- networking-writers
-
-reviewers:
-- serving-reviewers
-- networking-reviewers
-
 labels:
 - area/autoscale
 - area/networking

pkg/queue/sharedmain/main.go

@@ -31,7 +31,9 @@ import (
 	"go.uber.org/automaxprocs/maxprocs"
 	"go.uber.org/zap"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"knative.dev/control-protocol/pkg/certificates"
 	netheader "knative.dev/networking/pkg/http/header"
@@ -114,6 +116,10 @@ type config struct {
 	ConcurrencyStateEndpoint  string `split_words:"true"` // optional
 	ConcurrencyStateTokenPath string `split_words:"true"` // optional
 
+	// vHive configuration
+	GuestAddr string `split_words:"true" required:"true"`
+	GuestPort string `split_words:"true" required:"true"`
+
 	Env
 }
 
@@ -233,6 +239,22 @@ func Main(opts ...Option) error {
 	// Setup probe to run for checking user-application healthiness.
 	// Do not set up probe if concurrency state endpoint is set, as
 	// paused containers don't play well with k8s readiness probes.
+	servingProbe := &corev1.Probe{
+		SuccessThreshold: 1,
+		ProbeHandler: corev1.ProbeHandler{
+			TCPSocket: &corev1.TCPSocketAction{
+				Host: env.GuestAddr,
+				Port: intstr.FromString(env.GuestPort),
+			},
+		},
+	}
+
+	var err error
+	env.ServingReadinessProbe, err = readiness.EncodeProbe(servingProbe)
+	if err != nil {
+		logger.Fatalw("Failed to create stats reporter", zap.Error(err))
+	}
+
 	probe := func() bool { return true }
 	if env.ServingReadinessProbe != "" && env.ConcurrencyStateEndpoint == "" {
 		probe = buildProbe(logger, env.ServingReadinessProbe, env.EnableHTTP2AutoDetection).ProbeContainer
@@ -343,7 +365,7 @@ func buildServer(ctx context.Context, env config, transport http.RoundTripper, p
 	ce *queue.ConcurrencyEndpoint, enableTLS bool) (*http.Server, *pkghandler.Drainer) {
 	// TODO: If TLS is enabled, execute probes twice and tracking two different sets of container health.
 
-	target := net.JoinHostPort("127.0.0.1", env.UserPort)
+	target := net.JoinHostPort(env.GuestAddr, env.GuestPort)
 
 	httpProxy := pkghttp.NewHeaderPruningReverseProxy(target, pkghttp.NoHostOverride, activator.RevisionHeaders, false /* use HTTP */)
 	httpProxy.Transport = transport