rebase: update all k8s packages to 0.27.2

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2025-06-13 10:33:35 +00:00 · 2023-06-01 18:58:10 +02:00
parent 07b05616a0
commit 2551a0b05f
618 changed files with 42944 additions and 16168 deletions
--- a/vendor/k8s.io/cloud-provider/options/nodecontroller.go
+++ b/vendor/k8s.io/cloud-provider/options/nodecontroller.go
@ -0,0 +1,62 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"fmt"
+
+	"github.com/spf13/pflag"
+
+	nodeconfig "k8s.io/cloud-provider/controllers/node/config"
+)
+
+// NodeControllerOptions holds the ServiceController options.
+type NodeControllerOptions struct {
+	*nodeconfig.NodeControllerConfiguration
+}
+
+// AddFlags adds flags related to ServiceController for controller manager to the specified FlagSet.
+func (o *NodeControllerOptions) AddFlags(fs *pflag.FlagSet) {
+	if o == nil {
+		return
+	}
+
+	fs.Int32Var(&o.ConcurrentNodeSyncs, "concurrent-node-syncs", o.ConcurrentNodeSyncs, "Number of workers concurrently synchronizing nodes.")
+}
+
+// ApplyTo fills up ServiceController config with options.
+func (o *NodeControllerOptions) ApplyTo(cfg *nodeconfig.NodeControllerConfiguration) error {
+	if o == nil {
+		return nil
+	}
+
+	cfg.ConcurrentNodeSyncs = o.ConcurrentNodeSyncs
+
+	return nil
+}
+
+// Validate checks validation of NodeControllerOptions.
+func (o *NodeControllerOptions) Validate() []error {
+	if o == nil {
+		return nil
+	}
+	var errors []error
+	if o.ConcurrentNodeSyncs <= 0 {
+		errors = append(errors, fmt.Errorf("concurrent-node-syncs must be a positive number"))
+	}
+	return errors
+}
--- a/vendor/k8s.io/cloud-provider/options/options.go
+++ b/vendor/k8s.io/cloud-provider/options/options.go
@ -57,20 +57,40 @@ type CloudControllerManagerOptions struct {
 	Generic           *cmoptions.GenericControllerManagerConfigurationOptions
 	KubeCloudShared   *KubeCloudSharedOptions
 	ServiceController *ServiceControllerOptions
+	NodeController    *NodeControllerOptions

 	SecureServing  *apiserveroptions.SecureServingOptionsWithLoopback
 	Authentication *apiserveroptions.DelegatingAuthenticationOptions
 	Authorization  *apiserveroptions.DelegatingAuthorizationOptions

-	Master     string
-	Kubeconfig string
+	Master string
+
+	WebhookServing *WebhookServingOptions
+	Webhook        *WebhookOptions

 	// NodeStatusUpdateFrequency is the frequency at which the controller updates nodes' status
 	NodeStatusUpdateFrequency metav1.Duration
 }

+// ProviderDefaults are provided by the consumer when calling
+// NewCloudControllerManagerOptions(), so that they can customize certain flag
+// default values.
+type ProviderDefaults struct {
+	// WebhookBindAddress is the default address.  It can be overridden by "--webhook-bind-address".
+	WebhookBindAddress *net.IP
+	// WebhookBindPort is the default port.  It can be overridden by "--webhook-bind-port".
+	WebhookBindPort *int
+}
+
 // NewCloudControllerManagerOptions creates a new ExternalCMServer with a default config.
 func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error) {
+	return NewCloudControllerManagerOptionsWithProviderDefaults(ProviderDefaults{})
+}
+
+// NewCloudControllerManagerOptionsWithProviderDefaults creates a new
+// ExternalCMServer with a default config, but allows the cloud provider to
+// override a select number of default option values.
+func NewCloudControllerManagerOptionsWithProviderDefaults(defaults ProviderDefaults) (*CloudControllerManagerOptions, error) {
 	componentConfig, err := NewDefaultComponentConfig()
 	if err != nil {
 		return nil, err
@ -79,10 +99,15 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
 	s := CloudControllerManagerOptions{
 		Generic:         cmoptions.NewGenericControllerManagerConfigurationOptions(&componentConfig.Generic),
 		KubeCloudShared: NewKubeCloudSharedOptions(&componentConfig.KubeCloudShared),
+		NodeController: &NodeControllerOptions{
+			NodeControllerConfiguration: &componentConfig.NodeController,
+		},
 		ServiceController: &ServiceControllerOptions{
 			ServiceControllerConfiguration: &componentConfig.ServiceController,
 		},
 		SecureServing:             apiserveroptions.NewSecureServingOptions().WithLoopback(),
+		Webhook:                   NewWebhookOptions(),
+		WebhookServing:            NewWebhookServingOptions(defaults),
 		Authentication:            apiserveroptions.NewDelegatingAuthenticationOptions(),
 		Authorization:             apiserveroptions.NewDelegatingAuthorizationOptions(),
 		NodeStatusUpdateFrequency: componentConfig.NodeStatusUpdateFrequency,
@ -111,15 +136,23 @@ func NewDefaultComponentConfig() (*ccmconfig.CloudControllerManagerConfiguration
 	if err := ccmconfigscheme.Scheme.Convert(versioned, internal, nil); err != nil {
 		return nil, err
 	}
+
 	return internal, nil
 }

 // Flags returns flags for a specific CloudController by section name
-func (o *CloudControllerManagerOptions) Flags(allControllers, disabledByDefaultControllers []string) cliflag.NamedFlagSets {
+func (o *CloudControllerManagerOptions) Flags(allControllers, disabledByDefaultControllers, allWebhooks, disabledByDefaultWebhooks []string) cliflag.NamedFlagSets {
 	fss := cliflag.NamedFlagSets{}
 	o.Generic.AddFlags(&fss, allControllers, disabledByDefaultControllers)
 	o.KubeCloudShared.AddFlags(fss.FlagSet("generic"))
+	o.NodeController.AddFlags(fss.FlagSet("node controller"))
 	o.ServiceController.AddFlags(fss.FlagSet("service controller"))
+	if o.Webhook != nil {
+		o.Webhook.AddFlags(fss.FlagSet("webhook"), allWebhooks, disabledByDefaultWebhooks)
+	}
+	if o.WebhookServing != nil {
+		o.WebhookServing.AddFlags(fss.FlagSet("webhook serving"))
+	}

 	o.SecureServing.AddFlags(fss.FlagSet("secure serving"))
 	o.Authentication.AddFlags(fss.FlagSet("authentication"))
@ -127,9 +160,8 @@ func (o *CloudControllerManagerOptions) Flags(allControllers, disabledByDefaultC

 	fs := fss.FlagSet("misc")
 	fs.StringVar(&o.Master, "master", o.Master, "The address of the Kubernetes API server (overrides any value in kubeconfig).")
-	fs.StringVar(&o.Kubeconfig, "kubeconfig", o.Kubeconfig, "Path to kubeconfig file with authorization and master location information.")
+	fs.StringVar(&o.Generic.ClientConnection.Kubeconfig, "kubeconfig", o.Generic.ClientConnection.Kubeconfig, "Path to kubeconfig file with authorization and master location information (the master location can be overridden by the master flag).")
 	fs.DurationVar(&o.NodeStatusUpdateFrequency.Duration, "node-status-update-frequency", o.NodeStatusUpdateFrequency.Duration, "Specifies how often the controller updates nodes' status.")
-
 	utilfeature.DefaultMutableFeatureGate.AddFlag(fss.FlagSet("generic"))

 	return fss
@ -142,7 +174,7 @@ func (o *CloudControllerManagerOptions) ApplyTo(c *config.Config, userAgent stri
 	// Build kubeconfig first to so that if it fails, it doesn't cause leaking
 	// goroutines (started from initializing secure serving - which underneath
 	// creates a queue which in its constructor starts a goroutine).
-	c.Kubeconfig, err = clientcmd.BuildConfigFromFlags(o.Master, o.Kubeconfig)
+	c.Kubeconfig, err = clientcmd.BuildConfigFromFlags(o.Master, o.Generic.ClientConnection.Kubeconfig)
 	if err != nil {
 		return err
 	}
@ -161,6 +193,16 @@ func (o *CloudControllerManagerOptions) ApplyTo(c *config.Config, userAgent stri
 	if err = o.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil {
 		return err
 	}
+	if o.Webhook != nil {
+		if err = o.Webhook.ApplyTo(&c.ComponentConfig.Webhook); err != nil {
+			return err
+		}
+	}
+	if o.WebhookServing != nil {
+		if err = o.WebhookServing.ApplyTo(&c.WebhookSecureServing); err != nil {
+			return err
+		}
+	}
 	if err = o.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig); err != nil {
 		return err
 	}
@ -198,12 +240,13 @@ func (o *CloudControllerManagerOptions) ApplyTo(c *config.Config, userAgent stri
 	// sync back to component config
 	// TODO: find more elegant way than syncing back the values.
 	c.ComponentConfig.NodeStatusUpdateFrequency = o.NodeStatusUpdateFrequency
+	c.ComponentConfig.NodeController.ConcurrentNodeSyncs = o.NodeController.ConcurrentNodeSyncs

 	return nil
 }

 // Validate is used to validate config before launching the cloud controller manager
-func (o *CloudControllerManagerOptions) Validate(allControllers, disabledByDefaultControllers []string) error {
+func (o *CloudControllerManagerOptions) Validate(allControllers, disabledByDefaultControllers, allWebhooks, disabledByDefaultWebhooks []string) error {
 	errors := []error{}

 	errors = append(errors, o.Generic.Validate(allControllers, disabledByDefaultControllers)...)
@ -213,6 +256,16 @@ func (o *CloudControllerManagerOptions) Validate(allControllers, disabledByDefau
 	errors = append(errors, o.Authentication.Validate()...)
 	errors = append(errors, o.Authorization.Validate()...)

+	if o.Webhook != nil {
+		errors = append(errors, o.Webhook.Validate(allWebhooks, disabledByDefaultWebhooks)...)
+	}
+	if o.WebhookServing != nil {
+		errors = append(errors, o.WebhookServing.Validate()...)
+
+		if o.WebhookServing.BindPort == o.SecureServing.BindPort {
+			errors = append(errors, fmt.Errorf("--webhook-secure-port cannot be the same value as --secure-port"))
+		}
+	}
 	if len(o.KubeCloudShared.CloudProvider.Name) == 0 {
 		errors = append(errors, fmt.Errorf("--cloud-provider cannot be empty"))
 	}
@ -229,8 +282,8 @@ func resyncPeriod(c *config.Config) func() time.Duration {
 }

 // Config return a cloud controller manager config objective
-func (o *CloudControllerManagerOptions) Config(allControllers, disabledByDefaultControllers []string) (*config.Config, error) {
-	if err := o.Validate(allControllers, disabledByDefaultControllers); err != nil {
+func (o *CloudControllerManagerOptions) Config(allControllers, disabledByDefaultControllers, allWebhooks, disabledByDefaultWebhooks []string) (*config.Config, error) {
+	if err := o.Validate(allControllers, disabledByDefaultControllers, allWebhooks, disabledByDefaultWebhooks); err != nil {
 		return nil, err
 	}

@ -238,6 +291,12 @@ func (o *CloudControllerManagerOptions) Config(allControllers, disabledByDefault
 		return nil, fmt.Errorf("error creating self-signed certificates: %v", err)
 	}

+	if o.WebhookServing != nil {
+		if err := o.WebhookServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{netutils.ParseIPSloppy("127.0.0.1")}); err != nil {
+			return nil, fmt.Errorf("error creating self-signed certificates for webhook: %v", err)
+		}
+	}
+
 	c := &config.Config{}
 	if err := o.ApplyTo(c, CloudControllerManagerUserAgent); err != nil {
 		return nil, err
--- a/vendor/k8s.io/cloud-provider/options/webhook.go
+++ b/vendor/k8s.io/cloud-provider/options/webhook.go
@ -0,0 +1,206 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+
+	"github.com/spf13/pflag"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apiserver/pkg/server"
+	"k8s.io/apiserver/pkg/server/dynamiccertificates"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
+	"k8s.io/cloud-provider/config"
+	netutils "k8s.io/utils/net"
+)
+
+const (
+	CloudControllerManagerWebhookPort = 10260
+)
+
+type WebhookOptions struct {
+	// Webhooks is the list of webhook names that should be enabled or disabled
+	Webhooks []string
+}
+
+func NewWebhookOptions() *WebhookOptions {
+	o := &WebhookOptions{}
+	return o
+}
+
+func (o *WebhookOptions) AddFlags(fs *pflag.FlagSet, allWebhooks, disabledByDefaultWebhooks []string) {
+	fs.StringSliceVar(&o.Webhooks, "webhooks", o.Webhooks, fmt.Sprintf(""+
+		"A list of webhooks to enable. '*' enables all on-by-default webhooks, 'foo' enables the webhook "+
+		"named 'foo', '-foo' disables the webhook named 'foo'.\nAll webhooks: %s\nDisabled-by-default webhooks: %s",
+		strings.Join(allWebhooks, ", "), strings.Join(disabledByDefaultWebhooks, ", ")))
+}
+
+func (o *WebhookOptions) Validate(allWebhooks, disabledByDefaultWebhooks []string) []error {
+	allErrors := []error{}
+
+	allWebhooksSet := sets.NewString(allWebhooks...)
+	toValidate := sets.NewString(o.Webhooks...)
+	toValidate.Insert(disabledByDefaultWebhooks...)
+	for _, webhook := range toValidate.List() {
+		if webhook == "*" {
+			continue
+		}
+		webhook = strings.TrimPrefix(webhook, "-")
+		if !allWebhooksSet.Has(webhook) {
+			allErrors = append(allErrors, fmt.Errorf("%q is not in the list of known webhooks", webhook))
+		}
+	}
+
+	return allErrors
+}
+
+func (o *WebhookOptions) ApplyTo(cfg *config.WebhookConfiguration) error {
+	if o == nil {
+		return nil
+	}
+
+	cfg.Webhooks = o.Webhooks
+
+	return nil
+}
+
+type WebhookServingOptions struct {
+	*apiserveroptions.SecureServingOptions
+}
+
+func NewWebhookServingOptions(defaults ProviderDefaults) *WebhookServingOptions {
+	var (
+		bindAddress net.IP
+		bindPort    int
+	)
+
+	if defaults.WebhookBindAddress != nil {
+		bindAddress = *defaults.WebhookBindAddress
+	} else {
+		bindAddress = netutils.ParseIPSloppy("0.0.0.0")
+	}
+
+	if defaults.WebhookBindPort != nil {
+		bindPort = *defaults.WebhookBindPort
+	} else {
+		bindPort = CloudControllerManagerWebhookPort
+	}
+
+	return &WebhookServingOptions{
+		SecureServingOptions: &apiserveroptions.SecureServingOptions{
+			BindAddress: bindAddress,
+			BindPort:    bindPort,
+			ServerCert: apiserveroptions.GeneratableKeyCert{
+				CertDirectory: "",
+				PairName:      "cloud-controller-manager-webhook",
+			},
+		},
+	}
+}
+
+func (o *WebhookServingOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.IPVar(&o.BindAddress, "webhook-bind-address", o.BindAddress, ""+
+		"The IP address on which to listen for the --webhook-secure-port port. The "+
+		"associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+
+		fmt.Sprintf("clients. If set to an unspecified address (0.0.0.0 or ::), all interfaces will be used. If unset, defaults to %v.", o.BindAddress))
+
+	fs.IntVar(&o.BindPort, "webhook-secure-port", o.BindPort, fmt.Sprintf("Secure port to serve cloud provider webhooks. If unset, defaults to %d.", o.BindPort))
+
+	fs.StringVar(&o.ServerCert.CertDirectory, "webhook-cert-dir", o.ServerCert.CertDirectory, ""+
+		"The directory where the TLS certs are located. "+
+		"If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.")
+
+	fs.StringVar(&o.ServerCert.CertKey.CertFile, "webhook-tls-cert-file", o.ServerCert.CertKey.CertFile, ""+
+		"File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated "+
+		"after server cert). If HTTPS serving is enabled, and --tls-cert-file and "+
+		"--tls-private-key-file are not provided, a self-signed certificate and key "+
+		"are generated for the public address and saved to the directory specified by --cert-dir.")
+
+	fs.StringVar(&o.ServerCert.CertKey.KeyFile, "webhook-tls-private-key-file", o.ServerCert.CertKey.KeyFile,
+		"File containing the default x509 private key matching --tls-cert-file.")
+}
+
+func (o *WebhookServingOptions) Validate() []error {
+	allErrors := []error{}
+	if o.BindPort < 0 || o.BindPort > 65535 {
+		allErrors = append(allErrors, fmt.Errorf("--webhook-secure-port %v must be between 0 and 65535, inclusive. A value of 0 disables the webhook endpoint entirely.", o.BindPort))
+	}
+
+	if (len(o.ServerCert.CertKey.CertFile) != 0 || len(o.ServerCert.CertKey.KeyFile) != 0) && o.ServerCert.GeneratedCert != nil {
+		allErrors = append(allErrors, fmt.Errorf("cert/key file and in-memory certificate cannot both be set"))
+	}
+
+	return allErrors
+}
+
+func (o *WebhookServingOptions) ApplyTo(cfg **server.SecureServingInfo) error {
+	if o == nil {
+		return nil
+	}
+
+	if o.BindPort <= 0 {
+		return nil
+	}
+
+	var err error
+	var listener net.Listener
+	addr := net.JoinHostPort(o.BindAddress.String(), strconv.Itoa(o.BindPort))
+
+	l := net.ListenConfig{}
+
+	listener, o.BindPort, err = createListener(addr, l)
+	if err != nil {
+		return fmt.Errorf("failed to create listener: %v", err)
+	}
+
+	*cfg = &server.SecureServingInfo{
+		Listener: listener,
+	}
+
+	serverCertFile, serverKeyFile := o.ServerCert.CertKey.CertFile, o.ServerCert.CertKey.KeyFile
+	if len(serverCertFile) != 0 || len(serverKeyFile) != 0 {
+		var err error
+		(*cfg).Cert, err = dynamiccertificates.NewDynamicServingContentFromFiles("serving-cert", serverCertFile, serverKeyFile)
+		if err != nil {
+			return err
+		}
+	} else if o.ServerCert.GeneratedCert != nil {
+		(*cfg).Cert = o.ServerCert.GeneratedCert
+	}
+
+	return nil
+}
+
+func createListener(addr string, config net.ListenConfig) (net.Listener, int, error) {
+	ln, err := config.Listen(context.TODO(), "tcp", addr)
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to listen on %v: %v", addr, err)
+	}
+
+	// get port
+	tcpAddr, ok := ln.Addr().(*net.TCPAddr)
+	if !ok {
+		ln.Close()
+		return nil, 0, fmt.Errorf("invalid listen address: %q", ln.Addr().String())
+	}
+
+	return ln, tcpAddr.Port, nil
+}