Update go dependencies

vendor/k8s.io/apiserver/pkg/server/serve.go

@@ -17,6 +17,7 @@ limitations under the License.
 package server
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -25,11 +26,11 @@ import (
 	"strings"
 	"time"
 
+	"github.com/golang/glog"
+	"golang.org/x/net/http2"
+
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/validation"
-
-	"github.com/golang/glog"
-	"github.com/pkg/errors"
 )
 
 const (
@@ -39,13 +40,17 @@ const (
 // serveSecurely runs the secure http server. It fails only if certificates cannot
 // be loaded or the initial listen call fails. The actual server loop (stoppable by closing
 // stopCh) runs in a go routine, i.e. serveSecurely does not block.
-func (s *GenericAPIServer) serveSecurely(stopCh <-chan struct{}) error {
+func (s *SecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error {
+	if s.Listener == nil {
+		return fmt.Errorf("listener must not be nil")
+	}
+
 	secureServer := &http.Server{
-		Addr:           s.SecureServingInfo.BindAddress,
-		Handler:        s.Handler,
+		Addr:           s.Listener.Addr().String(),
+		Handler:        handler,
 		MaxHeaderBytes: 1 << 20,
 		TLSConfig: &tls.Config{
-			NameToCertificate: s.SecureServingInfo.SNICerts,
+			NameToCertificate: s.SNICerts,
 			// Can't use SSLv3 because of POODLE and BEAST
 			// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
 			// Can't use TLSv1.1 because of RC4 cipher usage
@@ -55,66 +60,63 @@ func (s *GenericAPIServer) serveSecurely(stopCh <-chan struct{}) error {
 		},
 	}
 
-	if s.SecureServingInfo.MinTLSVersion > 0 {
-		secureServer.TLSConfig.MinVersion = s.SecureServingInfo.MinTLSVersion
+	if s.MinTLSVersion > 0 {
+		secureServer.TLSConfig.MinVersion = s.MinTLSVersion
 	}
-	if len(s.SecureServingInfo.CipherSuites) > 0 {
-		secureServer.TLSConfig.CipherSuites = s.SecureServingInfo.CipherSuites
+	if len(s.CipherSuites) > 0 {
+		secureServer.TLSConfig.CipherSuites = s.CipherSuites
 	}
 
-	if s.SecureServingInfo.Cert != nil {
-		secureServer.TLSConfig.Certificates = []tls.Certificate{*s.SecureServingInfo.Cert}
+	if s.Cert != nil {
+		secureServer.TLSConfig.Certificates = []tls.Certificate{*s.Cert}
 	}
 
 	// append all named certs. Otherwise, the go tls stack will think no SNI processing
 	// is necessary because there is only one cert anyway.
 	// Moreover, if ServerCert.CertFile/ServerCert.KeyFile are not set, the first SNI
 	// cert will become the default cert. That's what we expect anyway.
-	for _, c := range s.SecureServingInfo.SNICerts {
+	for _, c := range s.SNICerts {
 		secureServer.TLSConfig.Certificates = append(secureServer.TLSConfig.Certificates, *c)
 	}
 
-	if s.SecureServingInfo.ClientCA != nil {
+	if s.ClientCA != nil {
 		// Populate PeerCertificates in requests, but don't reject connections without certificates
 		// This allows certificates to be validated by authenticators, while still allowing other auth types
 		secureServer.TLSConfig.ClientAuth = tls.RequestClientCert
 		// Specify allowed CAs for client certificates
-		secureServer.TLSConfig.ClientCAs = s.SecureServingInfo.ClientCA
+		secureServer.TLSConfig.ClientCAs = s.ClientCA
 	}
 
-	glog.Infof("Serving securely on %s", s.SecureServingInfo.BindAddress)
-	var err error
-	s.effectiveSecurePort, err = RunServer(secureServer, s.SecureServingInfo.BindNetwork, stopCh)
-	return err
+	if s.HTTP2MaxStreamsPerConnection > 0 {
+		http2.ConfigureServer(secureServer, &http2.Server{
+			MaxConcurrentStreams: uint32(s.HTTP2MaxStreamsPerConnection),
+		})
+	}
+
+	glog.Infof("Serving securely on %s", secureServer.Addr)
+	return RunServer(secureServer, s.Listener, shutdownTimeout, stopCh)
 }
 
-// RunServer listens on the given port, then spawns a go-routine continuously serving
-// until the stopCh is closed. The port is returned. This function does not block.
-func RunServer(server *http.Server, network string, stopCh <-chan struct{}) (int, error) {
-	if len(server.Addr) == 0 {
-		return 0, errors.New("address cannot be empty")
+// RunServer listens on the given port if listener is not given,
+// then spawns a go-routine continuously serving
+// until the stopCh is closed. This function does not block.
+// TODO: make private when insecure serving is gone from the kube-apiserver
+func RunServer(
+	server *http.Server,
+	ln net.Listener,
+	shutDownTimeout time.Duration,
+	stopCh <-chan struct{},
+) error {
+	if ln == nil {
+		return fmt.Errorf("listener must not be nil")
 	}
 
-	if len(network) == 0 {
-		network = "tcp"
-	}
-
-	ln, err := net.Listen(network, server.Addr)
-	if err != nil {
-		return 0, fmt.Errorf("failed to listen on %v: %v", server.Addr, err)
-	}
-
-	// get port
-	tcpAddr, ok := ln.Addr().(*net.TCPAddr)
-	if !ok {
-		ln.Close()
-		return 0, fmt.Errorf("invalid listen address: %q", ln.Addr().String())
-	}
-
-	// Stop the server by closing the listener
+	// Shutdown server gracefully.
 	go func() {
 		<-stopCh
-		ln.Close()
+		ctx, cancel := context.WithTimeout(context.Background(), shutDownTimeout)
+		server.Shutdown(ctx)
+		cancel()
 	}()
 
 	go func() {
@@ -128,7 +130,7 @@ func RunServer(server *http.Server, network string, stopCh <-chan struct{}) (int
 
 		err := server.Serve(listener)
 
-		msg := fmt.Sprintf("Stopped listening on %s", tcpAddr.String())
+		msg := fmt.Sprintf("Stopped listening on %s", ln.Addr().String())
 		select {
 		case <-stopCh:
 			glog.Info(msg)
@@ -137,7 +139,7 @@ func RunServer(server *http.Server, network string, stopCh <-chan struct{}) (int
 		}
 	}()
 
-	return tcpAddr.Port, nil
+	return nil
 }
 
 type NamedTLSCert struct {