chore: Update indirect dependency to knative.dev/serving v0.37.5

[ckadner]

Motivation

Address https://github.com/kserve/modelmesh-serving/security/dependabot/11

Modifications

Override/replace indirect dependency to knative.dev/serving v0.37.5

• Which has fix Bound buffer for reading stats knative/serving#14523:
  See https://github.com/knative/serving/tree/v0.37.5/pkg/autoscaler/metrics

---

Problems with using `knative.dev/serving v0.39.0`

The Mitigation steps for the Security Vulnerability report suggest updating to knative.dev/serving v0.39.0.

However this forces an upgrade of several other direct/indirect dependencies causing incompatibilities:

• with this upgrade, also k8s.io/api and k8s.io/client-go are upgraded to v0.27.+, but this causes compilation errors:

  # sigs.k8s.io/controller-runtime/pkg/cache
  /root/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/cache/multi_namespace_cache.go:308:9:
  cannot use handles (variable of type map[string]"k8s.io/client-go/tools/cache".ResourceEventHandlerRegistration)
  as "k8s.io/client-go/tools/cache".ResourceEventHandlerRegistration value in return statement:
  map[string]"k8s.io/client-go/tools/cache".ResourceEventHandlerRegistration
  does not implement "k8s.io/client-go/tools/cache".ResourceEventHandlerRegistration (missing method HasSynced)
  

• now controller-runtime v0.15.0 onward supports HasSynced:
  • 🐛 Add cross-version compatibility with client-go 1.27 kubernetes-sigs/controller-runtime#2223
• but we can't upgrade to controller-runtime v0.15.0 without breaking the KServe (0.11.2) API integration

  could not import github.com/kserve/kserve/pkg/apis/serving/v1alpha1 (-: # github.com/kserve/kserve/pkg/apis/serving/v1alpha1
  /root/go/pkg/mod/github.com/kserve/[email protected]/pkg/apis/serving/v1alpha1/inference_graph_validation.go:61:27: cannot use &InferenceGraph{} (value of type *InferenceGraph) as admission.Validator value in variable declaration: *InferenceGraph does not implement admission.Validator (wrong type for method ValidateCreate)
                  have ValidateCreate() error
                  want ValidateCreate() (admission.Warnings, error)
  /root/go/pkg/mod/github.com/kserve/[email protected]/pkg/apis/serving/v1alpha1/trainedmodel_webhook.go:51:27: cannot use &TrainedModel{} (value of type *TrainedModel) as admission.Validator value in variable declaration: *TrainedModel does not implement admission.Validator (wrong type for method ValidateCreate)
                  have ValidateCreate() error
                  want ValidateCreate() (admission.Warnings, error)) (typecheck)
          "github.com/kserve/kserve/pkg/apis/serving/v1alpha1"
  

• so we need to pin "down" k8s.io/api and k8s.io/client-go below v0.27.0 until AddEventHandler return type error kubernetes-sigs/controller-runtime#2302 is addressed.

    k8s.io/api => k8s.io/api v0.26.4
    k8s.io/client-go => k8s.io/client-go v0.26.4
    k8s.io/code-generator => k8s.io/code-generator v0.26.4
  

• that downgrade however would re-introduce another vulnerability we previously mitigated

    // Fixes github.com/elazarl/goproxy Denial of Service (DoS)
    // This dependency was removed from apimachinery 0.27.0
    // remove after upgrade to controller-runtime 0.15.x or apimachinery to 0.27.x
    k8s.io/apimachinery => k8s.io/apimachinery v0.27.0
  

• once we upgrade to KServe v0.12.0 along with Go 1.21 we should be able to upgrade to controller-runtime
  to v0.15.0 and things should get a bit less messy

---

@spolti

[ckadner]

Thanks @spolti -- took quite a bit of finagling to get this update to work. Should get easier once we moved to Go 1.21, KServe 0.12

[oss-prow-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ckadner, spolti

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ckadner]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ckadner]

Thanks @spolti for several rounds of reviews! 🙏🏻