Update go dependencies

2018-07-12 13:19:04 -04:00 · 2018-07-12 13:19:04 -04:00 · 063cc68d1c
commit 063cc68d1c
parent d5cf22c129
1321 changed files with 52830 additions and 31081 deletions
--- a/vendor/k8s.io/client-go/plugin/pkg/client/auth/azure/README.md
+++ b/vendor/k8s.io/client-go/plugin/pkg/client/auth/azure/README.md
@ -1,15 +1,14 @@
 # Azure Active Directory plugin for client authentication

-This plugin provides an integration with Azure Active Directory device flow. If no tokens are present in the kubectl configuration, it will prompt a device code which can be used to login in a browser. After login it will automatically fetch the tokens and stored them in the kubectl configuration. In addition it will refresh and update the tokens in configuration when expired.
-
+This plugin provides an integration with Azure Active Directory device flow. If no tokens are present in the kubectl configuration, it will prompt a device code which can be used to login in a browser. After login it will automatically fetch the tokens and store them in the kubectl configuration. In addition it will refresh and update the tokens in the configuration when expired.

 ## Usage

-1. Create an Azure Active Directory *Web App / API* application for `apiserver` following these [instructions](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration)
+1. Create an Azure Active Directory *Web App / API* application for `apiserver` following these [instructions](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration). The callback URL does not matter (just cannot be empty).

-2. Create a second Azure Active Directory native application for `kubectl` 
+2. Create a second Azure Active Directory native application for `kubectl`. The callback URL does not matter (just cannot be empty).

-3. On `kubectl` application's configuration page in Azure portal grant permissions to `apiserver` application by clicking on *Required Permissions*, click the *Add* button and search for the apiserver application created in step 1. Select "Access apiserver" under the *DELEGATED PERMISSIONS*. Once added click the *Grant Permissions* button to apply the changes
+3. On `kubectl` application's configuration page in Azure portal grant permissions to `apiserver` application by clicking on *Required Permissions*, click the *Add* button and search for the apiserver application created in step 1. Select "Access apiserver" under the *DELEGATED PERMISSIONS*. Once added click the *Grant Permissions* button to apply the changes.

 4. Configure the `apiserver` to use the Azure Active Directory as an OIDC provider with following options

@ -21,8 +20,9 @@ This plugin provides an integration with Azure Active Directory device flow. If

   * Replace the `APISERVER_APPLICATION_ID` with the application ID of `apiserver` application
   * Replace `TENANT_ID` with your tenant ID.
+   * For a list of alternative username claims that are supported by the OIDC issuer check the JSON response at `https://sts.windows.net/TENANT_ID/.well-known/openid-configuration`.

-5. Configure the `kubectl` to use the `azure` authentication provider 
+5. Configure `kubectl` to use the `azure` authentication provider 

   ```
   kubectl config set-credentials "USER_NAME" --auth-provider=azure \
@ -35,7 +35,8 @@ This plugin provides an integration with Azure Active Directory device flow. If
   * Supported environments: `AzurePublicCloud`, `AzureUSGovernmentCloud`, `AzureChinaCloud`, `AzureGermanCloud`
   * Replace `USER_NAME` and `TENANT_ID` with your user name and tenant ID
   * Replace `APPLICATION_ID` with the application ID of your`kubectl` application ID
-   * Replace `APISERVER_APPLICATION_ID` with the application ID of your `apiserver` application ID 
+   * Replace `APISERVER_APPLICATION_ID` with the application ID of your `apiserver` application ID
+   * Be sure to also (create and) select a context that uses above user

 6. The access token is acquired when first `kubectl` command is executed

@ -45,4 +46,5 @@ This plugin provides an integration with Azure Active Directory device flow. If
   To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code DEC7D48GA to authenticate.
   ```

-   * After signing in a web browser, the token is stored in the configuration, and it will be reused when executing next commands.
+   * After signing in a web browser, the token is stored in the configuration, and it will be reused when executing further commands.
+   * The resulting username in Kubernetes depends on your [configuration of the `--oidc-username-claim` and `--oidc-username-prefix` flags on the API server](https://kubernetes.io/docs/admin/authentication/#configuring-the-api-server). If you are using any authorization method you need to give permissions to that user, e.g. by binding the user to a role in the case of RBAC.
--- a/vendor/k8s.io/client-go/plugin/pkg/client/auth/azure/azure.go
+++ b/vendor/k8s.io/client-go/plugin/pkg/client/auth/azure/azure.go
@ -297,7 +297,7 @@ func (ts *azureTokenSource) refreshToken(token *azureToken) (*azureToken, error)
 	}

 	return &azureToken{
-		token:       spt.Token,
+		token:       spt.Token(),
 		clientID:    token.clientID,
 		tenantID:    token.tenantID,
 		apiserverID: token.apiserverID,
--- a/vendor/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go
+++ b/vendor/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go
@ -18,11 +18,15 @@ package exec

 import (
 	"bytes"
+	"context"
+	"crypto/tls"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"os"
 	"os/exec"
+	"reflect"
 	"sync"
 	"time"

@ -34,7 +38,10 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/client-go/pkg/apis/clientauthentication"
 	"k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
+	"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	"k8s.io/client-go/tools/clientcmd/api"
+	"k8s.io/client-go/transport"
+	"k8s.io/client-go/util/connrotation"
 )

 const execInfoEnv = "KUBERNETES_EXEC_INFO"
@ -45,6 +52,7 @@ var codecs = serializer.NewCodecFactory(scheme)
 func init() {
 	v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"})
 	v1alpha1.AddToScheme(scheme)
+	v1beta1.AddToScheme(scheme)
 	clientauthentication.AddToScheme(scheme)
 }

@ -55,6 +63,7 @@ var (
 	// The list of API versions we accept.
 	apiVersions = map[string]schema.GroupVersion{
 		v1alpha1.SchemeGroupVersion.String(): v1alpha1.SchemeGroupVersion,
+		v1beta1.SchemeGroupVersion.String():  v1beta1.SchemeGroupVersion,
 	}
 )

@ -147,14 +156,55 @@ type Authenticator struct {
 	// The mutex also guards calling the plugin. Since the plugin could be
 	// interactive we want to make sure it's only called once.
 	mu          sync.Mutex
-	cachedToken string
+	cachedCreds *credentials
 	exp         time.Time
+
+	onRotate func()
 }

-// WrapTransport instruments an existing http.RoundTripper with credentials returned
-// by the plugin.
-func (a *Authenticator) WrapTransport(rt http.RoundTripper) http.RoundTripper {
-	return &roundTripper{a, rt}
+type credentials struct {
+	token string
+	cert  *tls.Certificate
+}
+
+// UpdateTransportConfig updates the transport.Config to use credentials
+// returned by the plugin.
+func (a *Authenticator) UpdateTransportConfig(c *transport.Config) error {
+	wt := c.WrapTransport
+	c.WrapTransport = func(rt http.RoundTripper) http.RoundTripper {
+		if wt != nil {
+			rt = wt(rt)
+		}
+		return &roundTripper{a, rt}
+	}
+
+	getCert := c.TLS.GetCert
+	c.TLS.GetCert = func() (*tls.Certificate, error) {
+		// If previous GetCert is present and returns a valid non-nil
+		// certificate, use that. Otherwise use cert from exec plugin.
+		if getCert != nil {
+			cert, err := getCert()
+			if err != nil {
+				return nil, err
+			}
+			if cert != nil {
+				return cert, nil
+			}
+		}
+		return a.cert()
+	}
+
+	var dial func(ctx context.Context, network, addr string) (net.Conn, error)
+	if c.Dial != nil {
+		dial = c.Dial
+	} else {
+		dial = (&net.Dialer{Timeout: 30 * time.Second, KeepAlive: 30 * time.Second}).DialContext
+	}
+	d := connrotation.NewDialer(dial)
+	a.onRotate = d.CloseAll
+	c.Dial = d.DialContext
+
+	return nil
 }

 type roundTripper struct {
@ -169,11 +219,13 @@ func (r *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 		return r.base.RoundTrip(req)
 	}

-	token, err := r.a.token()
+	creds, err := r.a.getCreds()
 	if err != nil {
-		return nil, fmt.Errorf("getting token: %v", err)
+		return nil, fmt.Errorf("getting credentials: %v", err)
+	}
+	if creds.token != "" {
+		req.Header.Set("Authorization", "Bearer "+creds.token)
 	}
-	req.Header.Set("Authorization", "Bearer "+token)

 	res, err := r.base.RoundTrip(req)
 	if err != nil {
@ -184,47 +236,60 @@ func (r *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 			Header: res.Header,
 			Code:   int32(res.StatusCode),
 		}
-		if err := r.a.refresh(token, resp); err != nil {
-			glog.Errorf("refreshing token: %v", err)
+		if err := r.a.maybeRefreshCreds(creds, resp); err != nil {
+			glog.Errorf("refreshing credentials: %v", err)
 		}
 	}
 	return res, nil
 }

-func (a *Authenticator) tokenExpired() bool {
+func (a *Authenticator) credsExpired() bool {
 	if a.exp.IsZero() {
 		return false
 	}
 	return a.now().After(a.exp)
 }

-func (a *Authenticator) token() (string, error) {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	if a.cachedToken != "" && !a.tokenExpired() {
-		return a.cachedToken, nil
+func (a *Authenticator) cert() (*tls.Certificate, error) {
+	creds, err := a.getCreds()
+	if err != nil {
+		return nil, err
 	}
-
-	return a.getToken(nil)
+	return creds.cert, nil
 }

-// refresh executes the plugin to force a rotation of the token.
-func (a *Authenticator) refresh(token string, r *clientauthentication.Response) error {
+func (a *Authenticator) getCreds() (*credentials, error) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	if a.cachedCreds != nil && !a.credsExpired() {
+		return a.cachedCreds, nil
+	}
+
+	if err := a.refreshCredsLocked(nil); err != nil {
+		return nil, err
+	}
+	return a.cachedCreds, nil
+}
+
+// maybeRefreshCreds executes the plugin to force a rotation of the
+// credentials, unless they were rotated already.
+func (a *Authenticator) maybeRefreshCreds(creds *credentials, r *clientauthentication.Response) error {
 	a.mu.Lock()
 	defer a.mu.Unlock()

-	if token != a.cachedToken {
-		// Token already rotated.
+	// Since we're not making a new pointer to a.cachedCreds in getCreds, no
+	// need to do deep comparison.
+	if creds != a.cachedCreds {
+		// Credentials already rotated.
 		return nil
 	}

-	_, err := a.getToken(r)
-	return err
+	return a.refreshCredsLocked(r)
 }

-// getToken executes the plugin and reads the credentials from stdout. It must be
-// called while holding the Authenticator's mutex.
-func (a *Authenticator) getToken(r *clientauthentication.Response) (string, error) {
+// refreshCredsLocked executes the plugin and reads the credentials from
+// stdout. It must be called while holding the Authenticator's mutex.
+func (a *Authenticator) refreshCredsLocked(r *clientauthentication.Response) error {
 	cred := &clientauthentication.ExecCredential{
 		Spec: clientauthentication.ExecCredentialSpec{
 			Response:    r,
@ -232,13 +297,18 @@ func (a *Authenticator) getToken(r *clientauthentication.Response) (string, erro
 		},
 	}

-	data, err := runtime.Encode(codecs.LegacyCodec(a.group), cred)
-	if err != nil {
-		return "", fmt.Errorf("encode ExecCredentials: %v", err)
-	}
-
 	env := append(a.environ(), a.env...)
-	env = append(env, fmt.Sprintf("%s=%s", execInfoEnv, data))
+	if a.group == v1alpha1.SchemeGroupVersion {
+		// Input spec disabled for beta due to lack of use. Possibly re-enable this later if
+		// someone wants it back.
+		//
+		// See: https://github.com/kubernetes/kubernetes/issues/61796
+		data, err := runtime.Encode(codecs.LegacyCodec(a.group), cred)
+		if err != nil {
+			return fmt.Errorf("encode ExecCredentials: %v", err)
+		}
+		env = append(env, fmt.Sprintf("%s=%s", execInfoEnv, data))
+	}

 	stdout := &bytes.Buffer{}
 	cmd := exec.Command(a.cmd, a.args...)
@ -250,23 +320,26 @@ func (a *Authenticator) getToken(r *clientauthentication.Response) (string, erro
 	}

 	if err := cmd.Run(); err != nil {
-		return "", fmt.Errorf("exec: %v", err)
+		return fmt.Errorf("exec: %v", err)
 	}

 	_, gvk, err := codecs.UniversalDecoder(a.group).Decode(stdout.Bytes(), nil, cred)
 	if err != nil {
-		return "", fmt.Errorf("decode stdout: %v", err)
+		return fmt.Errorf("decoding stdout: %v", err)
 	}
 	if gvk.Group != a.group.Group || gvk.Version != a.group.Version {
-		return "", fmt.Errorf("exec plugin is configured to use API version %s, plugin returned version %s",
+		return fmt.Errorf("exec plugin is configured to use API version %s, plugin returned version %s",
 			a.group, schema.GroupVersion{Group: gvk.Group, Version: gvk.Version})
 	}

 	if cred.Status == nil {
-		return "", fmt.Errorf("exec plugin didn't return a status field")
+		return fmt.Errorf("exec plugin didn't return a status field")
 	}
-	if cred.Status.Token == "" {
-		return "", fmt.Errorf("exec plugin didn't return a token")
+	if cred.Status.Token == "" && cred.Status.ClientCertificateData == "" && cred.Status.ClientKeyData == "" {
+		return fmt.Errorf("exec plugin didn't return a token or cert/key pair")
+	}
+	if (cred.Status.ClientCertificateData == "") != (cred.Status.ClientKeyData == "") {
+		return fmt.Errorf("exec plugin returned only certificate or key, not both")
 	}

 	if cred.Status.ExpirationTimestamp != nil {
@ -274,7 +347,24 @@ func (a *Authenticator) getToken(r *clientauthentication.Response) (string, erro
 	} else {
 		a.exp = time.Time{}
 	}
-	a.cachedToken = cred.Status.Token

-	return a.cachedToken, nil
+	newCreds := &credentials{
+		token: cred.Status.Token,
+	}
+	if cred.Status.ClientKeyData != "" && cred.Status.ClientCertificateData != "" {
+		cert, err := tls.X509KeyPair([]byte(cred.Status.ClientCertificateData), []byte(cred.Status.ClientKeyData))
+		if err != nil {
+			return fmt.Errorf("failed parsing client key/certificate: %v", err)
+		}
+		newCreds.cert = &cert
+	}
+
+	oldCreds := a.cachedCreds
+	a.cachedCreds = newCreds
+	// Only close all connections when TLS cert rotates. Token rotation doesn't
+	// need the extra noise.
+	if a.onRotate != nil && oldCreds != nil && !reflect.DeepEqual(oldCreds.cert, a.cachedCreds.cert) {
+		a.onRotate()
+	}
+	return nil
 }
--- a/vendor/k8s.io/client-go/plugin/pkg/client/auth/gcp/gcp.go
+++ b/vendor/k8s.io/client-go/plugin/pkg/client/auth/gcp/gcp.go
@ -18,6 +18,7 @@ package gcp

 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
@ -27,7 +28,6 @@ import (
 	"time"

 	"github.com/golang/glog"
-	"golang.org/x/net/context"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 	"k8s.io/apimachinery/pkg/util/net"
--- a/vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go
+++ b/vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go
@ -279,7 +279,7 @@ func (p *oidcAuthProvider) idToken() (string, error) {

 	// Persist new config and if successful, update the in memory config.
 	if err = p.persister.Persist(newCfg); err != nil {
-		return "", fmt.Errorf("could not perist new tokens: %v", err)
+		return "", fmt.Errorf("could not persist new tokens: %v", err)
 	}
 	p.cfg = newCfg

--- a/vendor/k8s.io/client-go/plugin/pkg/client/auth/openstack/openstack.go
+++ b/vendor/k8s.io/client-go/plugin/pkg/client/auth/openstack/openstack.go
@ -23,6 +23,7 @@ import (
 	"time"

 	"github.com/golang/glog"
+	"github.com/gophercloud/gophercloud"
 	"github.com/gophercloud/gophercloud/openstack"

 	"k8s.io/apimachinery/pkg/util/net"
@ -42,8 +43,7 @@ const DefaultTTLDuration = 10 * time.Minute
 // the environment variables to determine the client identity, and generates a
 // token which will be inserted into the request header later.
 type openstackAuthProvider struct {
-	ttl time.Duration
-
+	ttl         time.Duration
 	tokenGetter TokenGetter
 }

@ -52,13 +52,23 @@ type TokenGetter interface {
 	Token() (string, error)
 }

-type tokenGetter struct{}
+type tokenGetter struct {
+	authOpt *gophercloud.AuthOptions
+}

 // Token creates a token by authenticate with keystone.
-func (*tokenGetter) Token() (string, error) {
-	options, err := openstack.AuthOptionsFromEnv()
-	if err != nil {
-		return "", fmt.Errorf("failed to read openstack env vars: %s", err)
+func (t *tokenGetter) Token() (string, error) {
+	var options gophercloud.AuthOptions
+	var err error
+	if t.authOpt == nil {
+		// reads the config from the environment
+		glog.V(4).Info("reading openstack config from the environment variables")
+		options, err = openstack.AuthOptionsFromEnv()
+		if err != nil {
+			return "", fmt.Errorf("failed to read openstack env vars: %s", err)
+		}
+	} else {
+		options = *t.authOpt
 	}
 	client, err := openstack.AuthenticatedClient(options)
 	if err != nil {
@ -85,7 +95,7 @@ func (c *cachedGetter) Token() (string, error) {

 	var err error
 	// no token or exceeds the TTL
-	if c.token == "" || time.Now().Sub(c.born) > c.ttl {
+	if c.token == "" || time.Since(c.born) > c.ttl {
 		c.token, err = c.tokenGetter.Token()
 		if err != nil {
 			return "", fmt.Errorf("failed to get token: %s", err)
@ -126,10 +136,11 @@ func (t *tokenRoundTripper) WrappedRoundTripper() http.RoundTripper { return t.R

 // newOpenstackAuthProvider creates an auth provider which works with openstack
 // environment.
-func newOpenstackAuthProvider(clusterAddress string, config map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
+func newOpenstackAuthProvider(_ string, config map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
 	var ttlDuration time.Duration
 	var err error

+	glog.Warningf("WARNING: in-tree openstack auth plugin is now deprecated. please use the \"client-keystone-auth\" kubectl/client-go credential plugin instead")
 	ttl, found := config["ttl"]
 	if !found {
 		ttlDuration = DefaultTTLDuration
@ -145,11 +156,27 @@ func newOpenstackAuthProvider(clusterAddress string, config map[string]string, p
 		}
 	}

-	// TODO: read/persist client configuration(OS_XXX env vars) in config
+	authOpt := gophercloud.AuthOptions{
+		IdentityEndpoint: config["identityEndpoint"],
+		Username:         config["username"],
+		Password:         config["password"],
+		DomainName:       config["name"],
+		TenantID:         config["tenantId"],
+		TenantName:       config["tenantName"],
+	}
+
+	getter := tokenGetter{}
+	// not empty
+	if (authOpt != gophercloud.AuthOptions{}) {
+		if len(authOpt.IdentityEndpoint) == 0 {
+			return nil, fmt.Errorf("empty %q in the config for openstack auth provider", "identityEndpoint")
+		}
+		getter.authOpt = &authOpt
+	}

 	return &openstackAuthProvider{
 		ttl:         ttlDuration,
-		tokenGetter: &tokenGetter{},
+		tokenGetter: &getter,
 	}, nil
 }