Update go dependencies

vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/integration/internal/apiserver.go

@@ -0,0 +1,23 @@
+package internal
+
+var APIServerDefaultArgs = []string{
+	// Allow tests to run offline, by preventing API server from attempting to
+	// use default route to determine its --advertise-address
+	"--advertise-address=127.0.0.1",
+	"--etcd-servers={{ if .EtcdURL }}{{ .EtcdURL.String }}{{ end }}",
+	"--cert-dir={{ .CertDir }}",
+	"--insecure-port={{ if .URL }}{{ .URL.Port }}{{ end }}",
+	"--insecure-bind-address={{ if .URL }}{{ .URL.Hostname }}{{ end }}",
+	"--secure-port={{ if .SecurePort }}{{ .SecurePort }}{{ end }}",
+	"--disable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,ResourceQuota", //nolint
+	"--service-cluster-ip-range=10.0.0.0/24",
+	"--allow-privileged=true",
+}
+
+func DoAPIServerArgDefaulting(args []string) []string {
+	if len(args) != 0 {
+		return args
+	}
+
+	return APIServerDefaultArgs
+}

vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/integration/internal/arguments.go

@@ -0,0 +1,28 @@
+package internal
+
+import (
+	"bytes"
+	"html/template"
+)
+
+func RenderTemplates(argTemplates []string, data interface{}) (args []string, err error) {
+	var t *template.Template
+
+	for _, arg := range argTemplates {
+		t, err = template.New(arg).Parse(arg)
+		if err != nil {
+			args = nil
+			return
+		}
+
+		buf := &bytes.Buffer{}
+		err = t.Execute(buf, data)
+		if err != nil {
+			args = nil
+			return
+		}
+		args = append(args, buf.String())
+	}
+
+	return
+}

vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/integration/internal/bin_path_finder.go

@@ -0,0 +1,35 @@
+package internal
+
+import (
+	"os"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"strings"
+)
+
+var assetsPath string
+
+func init() {
+	_, thisFile, _, ok := runtime.Caller(0)
+	if !ok {
+		panic("Could not determine the path of the BinPathFinder")
+	}
+	assetsPath = filepath.Join(filepath.Dir(thisFile), "..", "assets", "bin")
+}
+
+// BinPathFinder checks the an environment variable, derived from the symbolic name,
+// and falls back to a default assets location when this variable is not set
+func BinPathFinder(symbolicName string) (binPath string) {
+	punctuationPattern := regexp.MustCompile("[^A-Z0-9]+")
+	sanitizedName := punctuationPattern.ReplaceAllString(strings.ToUpper(symbolicName), "_")
+	leadingNumberPattern := regexp.MustCompile("^[0-9]+")
+	sanitizedName = leadingNumberPattern.ReplaceAllString(sanitizedName, "")
+	envVar := "TEST_ASSET_" + sanitizedName
+
+	if val, ok := os.LookupEnv(envVar); ok {
+		return val
+	}
+
+	return filepath.Join(assetsPath, symbolicName)
+}

vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/integration/internal/etcd.go

@@ -0,0 +1,38 @@
+package internal
+
+import (
+	"net/url"
+)
+
+var EtcdDefaultArgs = []string{
+	"--listen-peer-urls=http://localhost:0",
+	"--advertise-client-urls={{ if .URL }}{{ .URL.String }}{{ end }}",
+	"--listen-client-urls={{ if .URL }}{{ .URL.String }}{{ end }}",
+	"--data-dir={{ .DataDir }}",
+}
+
+func DoEtcdArgDefaulting(args []string) []string {
+	if len(args) != 0 {
+		return args
+	}
+
+	return EtcdDefaultArgs
+}
+
+func isSecureScheme(scheme string) bool {
+	// https://github.com/coreos/etcd/blob/d9deeff49a080a88c982d328ad9d33f26d1ad7b6/pkg/transport/listener.go#L53
+	if scheme == "https" || scheme == "unixs" {
+		return true
+	}
+	return false
+}
+
+func GetEtcdStartMessage(listenURL url.URL) string {
+	if isSecureScheme(listenURL.Scheme) {
+		// https://github.com/coreos/etcd/blob/a7f1fbe00ec216fcb3a1919397a103b41dca8413/embed/serve.go#L167
+		return "serving client requests on "
+	}
+
+	// https://github.com/coreos/etcd/blob/a7f1fbe00ec216fcb3a1919397a103b41dca8413/embed/serve.go#L124
+	return "serving insecure client requests on "
+}

vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/integration/internal/process.go

@@ -0,0 +1,217 @@
+package internal
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"os/exec"
+	"path"
+	"strconv"
+	"time"
+
+	"github.com/onsi/gomega/gbytes"
+	"github.com/onsi/gomega/gexec"
+
+	"sigs.k8s.io/controller-runtime/pkg/internal/testing/integration/addr"
+)
+
+type ProcessState struct {
+	DefaultedProcessInput
+	Session *gexec.Session
+	// Healthcheck Endpoint. If we get http.StatusOK from this endpoint, we
+	// assume the process is ready to operate. E.g. "/healthz". If this is set,
+	// we ignore StartMessage.
+	HealthCheckEndpoint string
+	// HealthCheckPollInterval is the interval which will be used for polling the
+	// HealthCheckEndpoint.
+	// If left empty it will default to 100 Milliseconds.
+	HealthCheckPollInterval time.Duration
+	// StartMessage is the message to wait for on stderr. If we receive this
+	// message, we assume the process is ready to operate. Ignored if
+	// HealthCheckEndpoint is specified.
+	//
+	// The usage of StartMessage is discouraged, favour HealthCheckEndpoint
+	// instead!
+	//
+	// Deprecated: Use HealthCheckEndpoint in favour of StartMessage
+	StartMessage string
+	Args         []string
+
+	// ready holds wether the process is currently in ready state (hit the ready condition) or not.
+	// It will be set to true on a successful `Start()` and set to false on a successful `Stop()`
+	ready bool
+}
+
+type DefaultedProcessInput struct {
+	URL              url.URL
+	Dir              string
+	DirNeedsCleaning bool
+	Path             string
+	StopTimeout      time.Duration
+	StartTimeout     time.Duration
+}
+
+func DoDefaulting(
+	name string,
+	listenURL *url.URL,
+	dir string,
+	path string,
+	startTimeout time.Duration,
+	stopTimeout time.Duration,
+) (DefaultedProcessInput, error) {
+	defaults := DefaultedProcessInput{
+		Dir:          dir,
+		Path:         path,
+		StartTimeout: startTimeout,
+		StopTimeout:  stopTimeout,
+	}
+
+	if listenURL == nil {
+		port, host, err := addr.Suggest()
+		if err != nil {
+			return DefaultedProcessInput{}, err
+		}
+		defaults.URL = url.URL{
+			Scheme: "http",
+			Host:   net.JoinHostPort(host, strconv.Itoa(port)),
+		}
+	} else {
+		defaults.URL = *listenURL
+	}
+
+	if dir == "" {
+		newDir, err := ioutil.TempDir("", "k8s_test_framework_")
+		if err != nil {
+			return DefaultedProcessInput{}, err
+		}
+		defaults.Dir = newDir
+		defaults.DirNeedsCleaning = true
+	}
+
+	if path == "" {
+		if name == "" {
+			return DefaultedProcessInput{}, fmt.Errorf("must have at least one of name or path")
+		}
+		defaults.Path = BinPathFinder(name)
+	}
+
+	if startTimeout == 0 {
+		defaults.StartTimeout = 20 * time.Second
+	}
+
+	if stopTimeout == 0 {
+		defaults.StopTimeout = 20 * time.Second
+	}
+
+	return defaults, nil
+}
+
+type stopChannel chan struct{}
+
+func (ps *ProcessState) Start(stdout, stderr io.Writer) (err error) {
+	if ps.ready {
+		return nil
+	}
+
+	command := exec.Command(ps.Path, ps.Args...)
+
+	ready := make(chan bool)
+	timedOut := time.After(ps.StartTimeout)
+	var pollerStopCh stopChannel
+
+	if ps.HealthCheckEndpoint != "" {
+		healthCheckURL := ps.URL
+		healthCheckURL.Path = ps.HealthCheckEndpoint
+		pollerStopCh = make(stopChannel)
+		go pollURLUntilOK(healthCheckURL, ps.HealthCheckPollInterval, ready, pollerStopCh)
+	} else {
+		startDetectStream := gbytes.NewBuffer()
+		ready = startDetectStream.Detect(ps.StartMessage)
+		stderr = safeMultiWriter(stderr, startDetectStream)
+	}
+
+	ps.Session, err = gexec.Start(command, stdout, stderr)
+	if err != nil {
+		return err
+	}
+
+	select {
+	case <-ready:
+		ps.ready = true
+		return nil
+	case <-timedOut:
+		if pollerStopCh != nil {
+			close(pollerStopCh)
+		}
+		if ps.Session != nil {
+			ps.Session.Terminate()
+		}
+		return fmt.Errorf("timeout waiting for process %s to start", path.Base(ps.Path))
+	}
+}
+
+func safeMultiWriter(writers ...io.Writer) io.Writer {
+	safeWriters := []io.Writer{}
+	for _, w := range writers {
+		if w != nil {
+			safeWriters = append(safeWriters, w)
+		}
+	}
+	return io.MultiWriter(safeWriters...)
+}
+
+func pollURLUntilOK(url url.URL, interval time.Duration, ready chan bool, stopCh stopChannel) {
+	if interval <= 0 {
+		interval = 100 * time.Millisecond
+	}
+	for {
+		res, err := http.Get(url.String())
+		if err == nil {
+			res.Body.Close()
+			if res.StatusCode == http.StatusOK {
+				ready <- true
+				return
+			}
+		}
+
+		select {
+		case <-stopCh:
+			return
+		default:
+			time.Sleep(interval)
+		}
+	}
+}
+
+func (ps *ProcessState) Stop() error {
+	if ps.Session == nil {
+		return nil
+	}
+
+	// gexec's Session methods (Signal, Kill, ...) do not check if the Process is
+	// nil, so we are doing this here for now.
+	// This should probably be fixed in gexec.
+	if ps.Session.Command.Process == nil {
+		return nil
+	}
+
+	detectedStop := ps.Session.Terminate().Exited
+	timedOut := time.After(ps.StopTimeout)
+
+	select {
+	case <-detectedStop:
+		break
+	case <-timedOut:
+		return fmt.Errorf("timeout waiting for process %s to stop", path.Base(ps.Path))
+	}
+	ps.ready = false
+	if ps.DirNeedsCleaning {
+		return os.RemoveAll(ps.Dir)
+	}
+
+	return nil
+}

vendor/sigs.k8s.io/controller-runtime/pkg/internal/testing/integration/internal/tinyca.go

@@ -0,0 +1,149 @@
+package internal
+
+// NB(directxman12): nothing has verified that this has good settings.  In fact,
+// the setting generated here are probably terrible, but they're fine for integration
+// tests.  These ABSOLUTELY SHOULD NOT ever be exposed in the public API.  They're
+// ONLY for use with envtest's ability to configure webhook testing.
+// If I didn't otherwise not want to add a dependency on cfssl, I'd just use that.
+
+import (
+	"crypto"
+	crand "crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"net"
+	"time"
+
+	certutil "k8s.io/client-go/util/cert"
+)
+
+var (
+	rsaKeySize = 2048 // a decent number, as of 2019
+	bigOne     = big.NewInt(1)
+)
+
+// CertPair is a private key and certificate for use for client auth, as a CA, or serving.
+type CertPair struct {
+	Key  crypto.Signer
+	Cert *x509.Certificate
+}
+
+// CertBytes returns the PEM-encoded version of the certificate for this pair.
+func (k CertPair) CertBytes() []byte {
+	return pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: k.Cert.Raw,
+	})
+}
+
+// AsBytes encodes keypair in the appropriate formats for on-disk storage (PEM and
+// PKCS8, respectively).
+func (k CertPair) AsBytes() (cert []byte, key []byte, err error) {
+	cert = k.CertBytes()
+
+	rawKeyData, err := x509.MarshalPKCS8PrivateKey(k.Key)
+	if err != nil {
+		return nil, nil, fmt.Errorf("unable to encode private key: %v", err)
+	}
+
+	key = pem.EncodeToMemory(&pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: rawKeyData,
+	})
+
+	return cert, key, nil
+}
+
+// TinyCA supports signing serving certs and client-certs,
+// and can be used as an auth mechanism with envtest.
+type TinyCA struct {
+	CA      CertPair
+	orgName string
+
+	nextSerial *big.Int
+}
+
+// newPrivateKey generates a new private key of a relatively sane size (see
+// rsaKeySize).
+func newPrivateKey() (crypto.Signer, error) {
+	return rsa.GenerateKey(crand.Reader, rsaKeySize)
+}
+
+func NewTinyCA() (*TinyCA, error) {
+	caPrivateKey, err := newPrivateKey()
+	if err != nil {
+		return nil, fmt.Errorf("unable to generate private key for CA: %v", err)
+	}
+	caCfg := certutil.Config{CommonName: "envtest-environment", Organization: []string{"envtest"}}
+	caCert, err := certutil.NewSelfSignedCACert(caCfg, caPrivateKey)
+	if err != nil {
+		return nil, fmt.Errorf("unable to generate certificate for CA: %v", err)
+	}
+
+	return &TinyCA{
+		CA:         CertPair{Key: caPrivateKey, Cert: caCert},
+		orgName:    "envtest",
+		nextSerial: big.NewInt(1),
+	}, nil
+}
+
+func (c *TinyCA) makeCert(cfg certutil.Config) (CertPair, error) {
+	now := time.Now()
+
+	key, err := newPrivateKey()
+	if err != nil {
+		return CertPair{}, fmt.Errorf("unable to create private key: %v", err)
+	}
+
+	serial := new(big.Int).Set(c.nextSerial)
+	c.nextSerial.Add(c.nextSerial, bigOne)
+
+	template := x509.Certificate{
+		Subject:      pkix.Name{CommonName: cfg.CommonName, Organization: cfg.Organization},
+		DNSNames:     cfg.AltNames.DNSNames,
+		IPAddresses:  cfg.AltNames.IPs,
+		SerialNumber: serial,
+
+		KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage: cfg.Usages,
+
+		// technically not necessary for testing, but let's set anyway just in case.
+		NotBefore: now.UTC(),
+		// 1 week -- the default for cfssl, and just long enough for a
+		// long-term test, but not too long that anyone would try to use this
+		// seriously.
+		NotAfter: now.Add(168 * time.Hour).UTC(),
+	}
+
+	certRaw, err := x509.CreateCertificate(crand.Reader, &template, c.CA.Cert, key.Public(), c.CA.Key)
+	if err != nil {
+		return CertPair{}, fmt.Errorf("unable to create certificate: %v", err)
+	}
+
+	cert, err := x509.ParseCertificate(certRaw)
+	if err != nil {
+		return CertPair{}, fmt.Errorf("generated invalid certificate, could not parse: %v", err)
+	}
+
+	return CertPair{
+		Key:  key,
+		Cert: cert,
+	}, nil
+}
+
+// NewServingCert returns a new CertPair for a serving HTTPS on localhost.
+func (c *TinyCA) NewServingCert() (CertPair, error) {
+	return c.makeCert(certutil.Config{
+		CommonName:   "localhost",
+		Organization: []string{c.orgName},
+		AltNames: certutil.AltNames{
+			DNSNames: []string{"localhost"},
+			IPs:      []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
+		},
+		Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+	})
+}