Update go dependencies

2020-03-24 10:44:24 -03:00 · 2020-03-24 10:44:24 -03:00 · 3eafaa35a1
commit 3eafaa35a1
parent a46126a034
1108 changed files with 32555 additions and 83490 deletions
--- a/vendor/k8s.io/client-go/plugin/pkg/client/auth/azure/README.md
+++ b/vendor/k8s.io/client-go/plugin/pkg/client/auth/azure/README.md
@ -38,7 +38,13 @@ This plugin provides an integration with Azure Active Directory device flow. If
   * Replace `APISERVER_APPLICATION_ID` with the application ID of your `apiserver` application ID
   * Be sure to also (create and) select a context that uses above user

- 6. The access token is acquired when first `kubectl` command is executed
+6. (Optionally) the AAD token has `aud` claim with `spn:` prefix. To omit that, add following auth configuration:
+
+   ```
+     --auth-provider-arg=config-mode="1"
+   ```
+
+ 7. The access token is acquired when first `kubectl` command is executed

   ```
   kubectl get pods
--- a/vendor/k8s.io/client-go/plugin/pkg/client/auth/azure/azure.go
+++ b/vendor/k8s.io/client-go/plugin/pkg/client/auth/azure/azure.go
@ -22,6 +22,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"strconv"
 	"sync"

 	"github.com/Azure/go-autorest/autorest"
@ -33,6 +34,8 @@ import (
 	restclient "k8s.io/client-go/rest"
 )

+type configMode int
+
 const (
 	azureTokenKey = "azureTokenKey"
 	tokenType     = "Bearer"
@ -46,6 +49,10 @@ const (
 	cfgExpiresOn    = "expires-on"
 	cfgEnvironment  = "environment"
 	cfgApiserverID  = "apiserver-id"
+	cfgConfigMode   = "config-mode"
+
+	configModeDefault       configMode = 0
+	configModeOmitSPNPrefix configMode = 1
 )

 func init() {
@ -78,17 +85,37 @@ func (c *azureTokenCache) setToken(tokenKey string, token *azureToken) {
 }

 func newAzureAuthProvider(_ string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
-	var ts tokenSource
+	var (
+		ts          tokenSource
+		environment azure.Environment
+		err         error
+		mode        configMode
+	)

-	environment, err := azure.EnvironmentFromName(cfg[cfgEnvironment])
+	environment, err = azure.EnvironmentFromName(cfg[cfgEnvironment])
 	if err != nil {
 		environment = azure.PublicCloud
 	}
-	ts, err = newAzureTokenSourceDeviceCode(environment, cfg[cfgClientID], cfg[cfgTenantID], cfg[cfgApiserverID])
+
+	mode = configModeDefault
+	if cfg[cfgConfigMode] != "" {
+		configModeInt, err := strconv.Atoi(cfg[cfgConfigMode])
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse %s, error: %s", cfgConfigMode, err)
+		}
+		mode = configMode(configModeInt)
+		switch mode {
+		case configModeOmitSPNPrefix:
+		case configModeDefault:
+		default:
+			return nil, fmt.Errorf("%s:%s is not a valid mode", cfgConfigMode, cfg[cfgConfigMode])
+		}
+	}
+	ts, err = newAzureTokenSourceDeviceCode(environment, cfg[cfgClientID], cfg[cfgTenantID], cfg[cfgApiserverID], mode)
 	if err != nil {
 		return nil, fmt.Errorf("creating a new azure token source for device code authentication: %v", err)
 	}
-	cacheSource := newAzureTokenSource(ts, cache, cfg, persister)
+	cacheSource := newAzureTokenSource(ts, cache, cfg, mode, persister)

 	return &azureAuthProvider{
 		tokenSource: cacheSource,
@ -156,19 +183,21 @@ type tokenSource interface {
 }

 type azureTokenSource struct {
-	source    tokenSource
-	cache     *azureTokenCache
-	lock      sync.Mutex
-	cfg       map[string]string
-	persister restclient.AuthProviderConfigPersister
+	source     tokenSource
+	cache      *azureTokenCache
+	lock       sync.Mutex
+	configMode configMode
+	cfg        map[string]string
+	persister  restclient.AuthProviderConfigPersister
 }

-func newAzureTokenSource(source tokenSource, cache *azureTokenCache, cfg map[string]string, persister restclient.AuthProviderConfigPersister) tokenSource {
+func newAzureTokenSource(source tokenSource, cache *azureTokenCache, cfg map[string]string, configMode configMode, persister restclient.AuthProviderConfigPersister) tokenSource {
 	return &azureTokenSource{
-		source:    source,
-		cache:     cache,
-		cfg:       cfg,
-		persister: persister,
+		source:     source,
+		cache:      cache,
+		cfg:        cfg,
+		persister:  persister,
+		configMode: configMode,
 	}
 }

@ -232,9 +261,9 @@ func (ts *azureTokenSource) retrieveTokenFromCfg() (*azureToken, error) {
 	if tenantID == "" {
 		return nil, fmt.Errorf("no tenant ID in cfg: %s", cfgTenantID)
 	}
-	apiserverID := ts.cfg[cfgApiserverID]
-	if apiserverID == "" {
-		return nil, fmt.Errorf("no apiserver ID in cfg: %s", apiserverID)
+	resourceID := ts.cfg[cfgApiserverID]
+	if resourceID == "" {
+		return nil, fmt.Errorf("no apiserver ID in cfg: %s", cfgApiserverID)
 	}
 	expiresIn := ts.cfg[cfgExpiresIn]
 	if expiresIn == "" {
@ -244,6 +273,9 @@ func (ts *azureTokenSource) retrieveTokenFromCfg() (*azureToken, error) {
 	if expiresOn == "" {
 		return nil, fmt.Errorf("no expiresOn in cfg: %s", cfgExpiresOn)
 	}
+	if ts.configMode == configModeDefault {
+		resourceID = fmt.Sprintf("spn:%s", resourceID)
+	}

 	return &azureToken{
 		token: adal.Token{
@ -252,13 +284,13 @@ func (ts *azureTokenSource) retrieveTokenFromCfg() (*azureToken, error) {
 			ExpiresIn:    json.Number(expiresIn),
 			ExpiresOn:    json.Number(expiresOn),
 			NotBefore:    json.Number(expiresOn),
-			Resource:     fmt.Sprintf("spn:%s", apiserverID),
+			Resource:     resourceID,
 			Type:         tokenType,
 		},
 		environment: environment,
 		clientID:    clientID,
 		tenantID:    tenantID,
-		apiserverID: apiserverID,
+		apiserverID: resourceID,
 	}, nil
 }

@ -272,6 +304,7 @@ func (ts *azureTokenSource) storeTokenInCfg(token *azureToken) error {
 	newCfg[cfgApiserverID] = token.apiserverID
 	newCfg[cfgExpiresIn] = string(token.token.ExpiresIn)
 	newCfg[cfgExpiresOn] = string(token.token.ExpiresOn)
+	newCfg[cfgConfigMode] = strconv.Itoa(int(ts.configMode))

 	err := ts.persister.Persist(newCfg)
 	if err != nil {
@ -287,9 +320,17 @@ func (ts *azureTokenSource) refreshToken(token *azureToken) (*azureToken, error)
 		return nil, err
 	}

-	oauthConfig, err := adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, token.tenantID)
-	if err != nil {
-		return nil, fmt.Errorf("building the OAuth configuration for token refresh: %v", err)
+	var oauthConfig *adal.OAuthConfig
+	if ts.configMode == configModeOmitSPNPrefix {
+		oauthConfig, err = adal.NewOAuthConfigWithAPIVersion(env.ActiveDirectoryEndpoint, token.tenantID, nil)
+		if err != nil {
+			return nil, fmt.Errorf("building the OAuth configuration without api-version for token refresh: %v", err)
+		}
+	} else {
+		oauthConfig, err = adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, token.tenantID)
+		if err != nil {
+			return nil, fmt.Errorf("building the OAuth configuration for token refresh: %v", err)
+		}
 	}

 	callback := func(t adal.Token) error {
@ -323,9 +364,10 @@ type azureTokenSourceDeviceCode struct {
 	clientID    string
 	tenantID    string
 	apiserverID string
+	configMode  configMode
 }

-func newAzureTokenSourceDeviceCode(environment azure.Environment, clientID string, tenantID string, apiserverID string) (tokenSource, error) {
+func newAzureTokenSourceDeviceCode(environment azure.Environment, clientID string, tenantID string, apiserverID string, configMode configMode) (tokenSource, error) {
 	if clientID == "" {
 		return nil, errors.New("client-id is empty")
 	}
@ -340,13 +382,25 @@ func newAzureTokenSourceDeviceCode(environment azure.Environment, clientID strin
 		clientID:    clientID,
 		tenantID:    tenantID,
 		apiserverID: apiserverID,
+		configMode:  configMode,
 	}, nil
 }

 func (ts *azureTokenSourceDeviceCode) Token() (*azureToken, error) {
-	oauthConfig, err := adal.NewOAuthConfig(ts.environment.ActiveDirectoryEndpoint, ts.tenantID)
-	if err != nil {
-		return nil, fmt.Errorf("building the OAuth configuration for device code authentication: %v", err)
+	var (
+		oauthConfig *adal.OAuthConfig
+		err         error
+	)
+	if ts.configMode == configModeOmitSPNPrefix {
+		oauthConfig, err = adal.NewOAuthConfigWithAPIVersion(ts.environment.ActiveDirectoryEndpoint, ts.tenantID, nil)
+		if err != nil {
+			return nil, fmt.Errorf("building the OAuth configuration without api-version for device code authentication: %v", err)
+		}
+	} else {
+		oauthConfig, err = adal.NewOAuthConfig(ts.environment.ActiveDirectoryEndpoint, ts.tenantID)
+		if err != nil {
+			return nil, fmt.Errorf("building the OAuth configuration for device code authentication: %v", err)
+		}
 	}
 	client := &autorest.Client{}
 	deviceCode, err := adal.InitiateDeviceAuth(client, *oauthConfig, ts.clientID, ts.apiserverID)
--- a/vendor/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go
+++ b/vendor/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go
@ -20,6 +20,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"io"
@ -42,6 +43,7 @@ import (
 	"k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
 	"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	"k8s.io/client-go/tools/clientcmd/api"
+	"k8s.io/client-go/tools/metrics"
 	"k8s.io/client-go/transport"
 	"k8s.io/client-go/util/connrotation"
 	"k8s.io/klog"
@ -260,6 +262,7 @@ func (a *Authenticator) cert() (*tls.Certificate, error) {
 func (a *Authenticator) getCreds() (*credentials, error) {
 	a.mu.Lock()
 	defer a.mu.Unlock()
+
 	if a.cachedCreds != nil && !a.credsExpired() {
 		return a.cachedCreds, nil
 	}
@ -267,6 +270,7 @@ func (a *Authenticator) getCreds() (*credentials, error) {
 	if err := a.refreshCredsLocked(nil); err != nil {
 		return nil, err
 	}
+
 	return a.cachedCreds, nil
 }

@ -355,6 +359,17 @@ func (a *Authenticator) refreshCredsLocked(r *clientauthentication.Response) err
 		if err != nil {
 			return fmt.Errorf("failed parsing client key/certificate: %v", err)
 		}
+
+		// Leaf is initialized to be nil:
+		//  https://golang.org/pkg/crypto/tls/#X509KeyPair
+		// Leaf certificate is the first certificate:
+		//  https://golang.org/pkg/crypto/tls/#Certificate
+		// Populating leaf is useful for quickly accessing the underlying x509
+		// certificate values.
+		cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
+		if err != nil {
+			return fmt.Errorf("failed parsing client leaf certificate: %v", err)
+		}
 		newCreds.cert = &cert
 	}

@ -362,10 +377,20 @@ func (a *Authenticator) refreshCredsLocked(r *clientauthentication.Response) err
 	a.cachedCreds = newCreds
 	// Only close all connections when TLS cert rotates. Token rotation doesn't
 	// need the extra noise.
-	if len(a.onRotateList) > 0 && oldCreds != nil && !reflect.DeepEqual(oldCreds.cert, a.cachedCreds.cert) {
+	if oldCreds != nil && !reflect.DeepEqual(oldCreds.cert, a.cachedCreds.cert) {
+		// Can be nil if the exec auth plugin only returned token auth.
+		if oldCreds.cert != nil && oldCreds.cert.Leaf != nil {
+			metrics.ClientCertRotationAge.Observe(time.Now().Sub(oldCreds.cert.Leaf.NotBefore))
+		}
 		for _, onRotate := range a.onRotateList {
 			onRotate()
 		}
 	}
+
+	expiry := time.Time{}
+	if a.cachedCreds.cert != nil && a.cachedCreds.cert.Leaf != nil {
+		expiry = a.cachedCreds.cert.Leaf.NotAfter
+	}
+	expirationMetrics.set(a, expiry)
 	return nil
 }
--- a/vendor/k8s.io/client-go/plugin/pkg/client/auth/exec/metrics.go
+++ b/vendor/k8s.io/client-go/plugin/pkg/client/auth/exec/metrics.go
@ -0,0 +1,60 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package exec
+
+import (
+	"sync"
+	"time"
+
+	"k8s.io/client-go/tools/metrics"
+)
+
+type certificateExpirationTracker struct {
+	mu        sync.RWMutex
+	m         map[*Authenticator]time.Time
+	metricSet func(*time.Time)
+}
+
+var expirationMetrics = &certificateExpirationTracker{
+	m: map[*Authenticator]time.Time{},
+	metricSet: func(e *time.Time) {
+		metrics.ClientCertExpiry.Set(e)
+	},
+}
+
+// set stores the given expiration time and updates the updates the certificate
+// expiry metric to the earliest expiration time.
+func (c *certificateExpirationTracker) set(a *Authenticator, t time.Time) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.m[a] = t
+
+	earliest := time.Time{}
+	for _, t := range c.m {
+		if t.IsZero() {
+			continue
+		}
+		if earliest.IsZero() || earliest.After(t) {
+			earliest = t
+		}
+	}
+	if earliest.IsZero() {
+		c.metricSet(nil)
+	} else {
+		c.metricSet(&earliest)
+	}
+}
--- a/vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go
+++ b/vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go
@ -76,24 +76,25 @@ func newClientCache() *clientCache {
 }

 type cacheKey struct {
+	clusterAddress string
 	// Canonical issuer URL string of the provider.
 	issuerURL string
 	clientID  string
 }

-func (c *clientCache) getClient(issuer, clientID string) (*oidcAuthProvider, bool) {
+func (c *clientCache) getClient(clusterAddress, issuer, clientID string) (*oidcAuthProvider, bool) {
 	c.mu.RLock()
 	defer c.mu.RUnlock()
-	client, ok := c.cache[cacheKey{issuer, clientID}]
+	client, ok := c.cache[cacheKey{clusterAddress: clusterAddress, issuerURL: issuer, clientID: clientID}]
 	return client, ok
 }

 // setClient attempts to put the client in the cache but may return any clients
 // with the same keys set before. This is so there's only ever one client for a provider.
-func (c *clientCache) setClient(issuer, clientID string, client *oidcAuthProvider) *oidcAuthProvider {
+func (c *clientCache) setClient(clusterAddress, issuer, clientID string, client *oidcAuthProvider) *oidcAuthProvider {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	key := cacheKey{issuer, clientID}
+	key := cacheKey{clusterAddress: clusterAddress, issuerURL: issuer, clientID: clientID}

 	// If another client has already initialized a client for the given provider we want
 	// to use that client instead of the one we're trying to set. This is so all transports
@ -107,7 +108,7 @@ func (c *clientCache) setClient(issuer, clientID string, client *oidcAuthProvide
 	return client
 }

-func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
+func newOIDCAuthProvider(clusterAddress string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
 	issuer := cfg[cfgIssuerUrl]
 	if issuer == "" {
 		return nil, fmt.Errorf("Must provide %s", cfgIssuerUrl)
@ -119,7 +120,7 @@ func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.A
 	}

 	// Check cache for existing provider.
-	if provider, ok := cache.getClient(issuer, clientID); ok {
+	if provider, ok := cache.getClient(clusterAddress, issuer, clientID); ok {
 		return provider, nil
 	}

@ -157,7 +158,7 @@ func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.A
 		persister: persister,
 	}

-	return cache.setClient(issuer, clientID, provider), nil
+	return cache.setClient(clusterAddress, issuer, clientID, provider), nil
 }

 type oidcAuthProvider struct {