update reconciler-test to current release-1.11 (#531)

go.mod

@@ -47,7 +47,7 @@ require (
 	knative.dev/hack v0.0.0-20230712131415-ddae80293c43
 	knative.dev/hack/schema v0.0.0-20230712131415-ddae80293c43
 	knative.dev/pkg v0.0.0-20231023150739-56bfe0dd9626
-	knative.dev/reconciler-test v0.0.0-20240118172306-00c4131cf6be
+	knative.dev/reconciler-test v0.0.0-20240206112133-c345dafdf302
 	sigs.k8s.io/yaml v1.3.0
 )
 

go.sum

@@ -947,6 +947,8 @@ knative.dev/pkg v0.0.0-20231023150739-56bfe0dd9626 h1:qFE+UDBRg6cpF5LbA0sv1XK4XZ
 knative.dev/pkg v0.0.0-20231023150739-56bfe0dd9626/go.mod h1:g+UCgSKQ2f15kHYu/V3CPtoKo5F1x/2Y1ot0NSK7gA0=
 knative.dev/reconciler-test v0.0.0-20240118172306-00c4131cf6be h1:22QG+BjSX3LK5rE+ID3iy3OpJOyvGIE6F4FATnL/Zi8=
 knative.dev/reconciler-test v0.0.0-20240118172306-00c4131cf6be/go.mod h1:Yw7Jkv+7PjDitG6CUkakWc/5SZa8Tm/sgXfaFy305Ng=
+knative.dev/reconciler-test v0.0.0-20240206112133-c345dafdf302 h1:W8fEMNvbCl/Xi9FXf28wLpUQUCLZIr4k4uCPbMe+BxE=
+knative.dev/reconciler-test v0.0.0-20240206112133-c345dafdf302/go.mod h1:Yw7Jkv+7PjDitG6CUkakWc/5SZa8Tm/sgXfaFy305Ng=
 pgregory.net/rapid v0.3.3 h1:jCjBsY4ln4Atz78QoBWxUEvAHaFyNDQg9+WU62aCn1U=
 pgregory.net/rapid v0.3.3/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

vendor/knative.dev/reconciler-test/pkg/eventshub/assert/step.go

@@ -1,8 +1,10 @@
 package assert
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
+	"encoding/pem"
 	"fmt"
 
 	cetest "github.com/cloudevents/sdk-go/v2/test"
@@ -144,13 +146,40 @@ func MatchPeerCertificatesFromSecret(namespace, name string, key string) eventsh
 			return fmt.Errorf("failed to match peer certificates, connection is not TLS")
 		}
 
-		for _, cert := range info.Connection.TLS.PemPeerCertificates {
-			if cert == string(value) {
-				return nil
+		// secret value can, in general, be a certificate chain (a sequence of PEM-encoded certificate blocks)
+		valueBlock, valueRest := pem.Decode(value)
+		if valueBlock == nil {
+			// error if there's not even a single certificate in the value
+			return fmt.Errorf("failed to decode secret certificate:\n%s", string(value))
+		}
+		// for each certificate in the chain, check if it's present in info.Connection.TLS.PemPeerCertificates
+		for valueBlock != nil {
+			found := false
+			for _, cert := range info.Connection.TLS.PemPeerCertificates {
+				certBlock, _ := pem.Decode([]byte(cert))
+				if certBlock == nil {
+					return fmt.Errorf("failed to decode peer certificate:\n%s", cert)
+				}
+
+				if certBlock.Type == valueBlock.Type && string(certBlock.Bytes) == string(valueBlock.Bytes) {
+					found = true
+					break
+				}
+			}
+
+			if !found {
+				pemBytes, _ := json.MarshalIndent(info.Connection.TLS.PemPeerCertificates, "", "  ")
+				return fmt.Errorf("failed to find peer certificate with value\n%s\nin:\n%s", string(value), string(pemBytes))
 			}
+
+			valueBlock, valueRest = pem.Decode(valueRest)
+		}
+
+		// any non-whitespace suffix not parsed as a PEM is suspicious, so we treat it as an error:
+		if "" != string(bytes.TrimSpace(valueRest)) {
+			return fmt.Errorf("failed to decode secret certificate starting with\n%s\nin:\n%s", string(valueRest), string(value))
 		}
 
-		bytes, _ := json.MarshalIndent(info.Connection.TLS.PemPeerCertificates, "", "  ")
-		return fmt.Errorf("failed to find peer certificate with value\n%s\nin:\n%s", string(value), string(bytes))
+		return nil
 	}
 }

vendor/modules.txt

@@ -1315,7 +1315,7 @@ knative.dev/pkg/webhook/resourcesemantics
 knative.dev/pkg/webhook/resourcesemantics/conversion
 knative.dev/pkg/webhook/resourcesemantics/defaulting
 knative.dev/pkg/webhook/resourcesemantics/validation
-# knative.dev/reconciler-test v0.0.0-20240118172306-00c4131cf6be
+# knative.dev/reconciler-test v0.0.0-20240206112133-c345dafdf302
 ## explicit; go 1.18
 knative.dev/reconciler-test/cmd/eventshub
 knative.dev/reconciler-test/pkg/environment