Fresh dep ensure

vendor/k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher/BUILD

@@ -0,0 +1,51 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["publisher.go"],
+    importpath = "k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/controller:go_default_library",
+        "//pkg/util/metrics:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/runtime:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
+        "//staging/src/k8s.io/client-go/informers/core/v1:go_default_library",
+        "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
+        "//staging/src/k8s.io/client-go/listers/core/v1:go_default_library",
+        "//staging/src/k8s.io/client-go/tools/cache:go_default_library",
+        "//staging/src/k8s.io/client-go/util/workqueue:go_default_library",
+        "//vendor/k8s.io/klog:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["publisher_test.go"],
+    embed = [":go_default_library"],
+    deps = [
+        "//pkg/controller:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
+        "//staging/src/k8s.io/client-go/informers:go_default_library",
+        "//staging/src/k8s.io/client-go/kubernetes/fake:go_default_library",
+    ],
+)

vendor/k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher/publisher.go

@@ -0,0 +1,222 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rootcacertpublisher
+
+import (
+	"fmt"
+	"reflect"
+	"time"
+
+	"k8s.io/api/core/v1"
+	apierrs "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+	coreinformers "k8s.io/client-go/informers/core/v1"
+	clientset "k8s.io/client-go/kubernetes"
+	corelisters "k8s.io/client-go/listers/core/v1"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/workqueue"
+	"k8s.io/klog"
+	"k8s.io/kubernetes/pkg/controller"
+	"k8s.io/kubernetes/pkg/util/metrics"
+)
+
+// RootCACertConfigMapName is name of the configmap which stores certificates
+// to access api-server
+const RootCACertConfigMapName = "kube-root-ca.crt"
+
+// NewPublisher construct a new controller which would manage the configmap
+// which stores certificates in each namespace. It will make sure certificate
+// configmap exists in each namespace.
+func NewPublisher(cmInformer coreinformers.ConfigMapInformer, nsInformer coreinformers.NamespaceInformer, cl clientset.Interface, rootCA []byte) (*Publisher, error) {
+	e := &Publisher{
+		client: cl,
+		rootCA: rootCA,
+		queue:  workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "root-ca-cert-publisher"),
+	}
+	if cl.CoreV1().RESTClient().GetRateLimiter() != nil {
+		if err := metrics.RegisterMetricAndTrackRateLimiterUsage("root_ca_cert_publisher", cl.CoreV1().RESTClient().GetRateLimiter()); err != nil {
+			return nil, err
+		}
+	}
+
+	cmInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		DeleteFunc: e.configMapDeleted,
+		UpdateFunc: e.configMapUpdated,
+	})
+	e.cmLister = cmInformer.Lister()
+	e.cmListerSynced = cmInformer.Informer().HasSynced
+
+	nsInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc:    e.namespaceAdded,
+		UpdateFunc: e.namespaceUpdated,
+	})
+	e.nsListerSynced = nsInformer.Informer().HasSynced
+
+	e.syncHandler = e.syncNamespace
+
+	return e, nil
+
+}
+
+// Publisher manages certificate ConfigMap objects inside Namespaces
+type Publisher struct {
+	client clientset.Interface
+	rootCA []byte
+
+	// To allow injection for testing.
+	syncHandler func(key string) error
+
+	cmLister       corelisters.ConfigMapLister
+	cmListerSynced cache.InformerSynced
+
+	nsListerSynced cache.InformerSynced
+
+	queue workqueue.RateLimitingInterface
+}
+
+// Run starts process
+func (c *Publisher) Run(workers int, stopCh <-chan struct{}) {
+	defer utilruntime.HandleCrash()
+	defer c.queue.ShutDown()
+
+	klog.Infof("Starting root CA certificate configmap publisher")
+	defer klog.Infof("Shutting down root CA certificate configmap publisher")
+
+	if !controller.WaitForCacheSync("crt configmap", stopCh, c.cmListerSynced) {
+		return
+	}
+
+	for i := 0; i < workers; i++ {
+		go wait.Until(c.runWorker, time.Second, stopCh)
+	}
+
+	<-stopCh
+}
+
+func (c *Publisher) configMapDeleted(obj interface{}) {
+	cm, err := convertToCM(obj)
+	if err != nil {
+		utilruntime.HandleError(err)
+		return
+	}
+	if cm.Name != RootCACertConfigMapName {
+		return
+	}
+	c.queue.Add(cm.Namespace)
+}
+
+func (c *Publisher) configMapUpdated(_, newObj interface{}) {
+	cm, err := convertToCM(newObj)
+	if err != nil {
+		utilruntime.HandleError(err)
+		return
+	}
+	if cm.Name != RootCACertConfigMapName {
+		return
+	}
+	c.queue.Add(cm.Namespace)
+}
+
+func (c *Publisher) namespaceAdded(obj interface{}) {
+	namespace := obj.(*v1.Namespace)
+	c.queue.Add(namespace.Name)
+}
+
+func (c *Publisher) namespaceUpdated(oldObj interface{}, newObj interface{}) {
+	newNamespace := newObj.(*v1.Namespace)
+	if newNamespace.Status.Phase != v1.NamespaceActive {
+		return
+	}
+	c.queue.Add(newNamespace.Name)
+}
+
+func (c *Publisher) runWorker() {
+	for c.processNextWorkItem() {
+	}
+}
+
+// processNextWorkItem deals with one key off the queue. It returns false when
+// it's time to quit.
+func (c *Publisher) processNextWorkItem() bool {
+	key, quit := c.queue.Get()
+	if quit {
+		return false
+	}
+	defer c.queue.Done(key)
+
+	if err := c.syncHandler(key.(string)); err != nil {
+		utilruntime.HandleError(fmt.Errorf("syncing %q failed: %v", key, err))
+		c.queue.AddRateLimited(key)
+		return true
+	}
+
+	c.queue.Forget(key)
+	return true
+}
+
+func (c *Publisher) syncNamespace(ns string) error {
+	startTime := time.Now()
+	defer func() {
+		klog.V(4).Infof("Finished syncing namespace %q (%v)", ns, time.Since(startTime))
+	}()
+
+	cm, err := c.cmLister.ConfigMaps(ns).Get(RootCACertConfigMapName)
+	switch {
+	case apierrs.IsNotFound(err):
+		_, err := c.client.CoreV1().ConfigMaps(ns).Create(&v1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: RootCACertConfigMapName,
+			},
+			Data: map[string]string{
+				"ca.crt": string(c.rootCA),
+			},
+		})
+		return err
+	case err != nil:
+		return err
+	}
+
+	data := map[string]string{
+		"ca.crt": string(c.rootCA),
+	}
+
+	if reflect.DeepEqual(cm.Data, data) {
+		return nil
+	}
+
+	cm.Data = data
+
+	_, err = c.client.CoreV1().ConfigMaps(ns).Update(cm)
+	return err
+}
+
+func convertToCM(obj interface{}) (*v1.ConfigMap, error) {
+	cm, ok := obj.(*v1.ConfigMap)
+	if !ok {
+		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
+		if !ok {
+			return nil, fmt.Errorf("Couldn't get object from tombstone %#v", obj)
+		}
+		cm, ok = tombstone.Obj.(*v1.ConfigMap)
+		if !ok {
+			return nil, fmt.Errorf("Tombstone contained object that is not a ConfigMap %#v", obj)
+		}
+	}
+	return cm, nil
+}

vendor/k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher/publisher_test.go

@@ -0,0 +1,177 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rootcacertpublisher
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/diff"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/kubernetes/pkg/controller"
+)
+
+func TestConfigMapCreation(t *testing.T) {
+	ns := metav1.NamespaceDefault
+	fakeRootCA := []byte("fake-root-ca")
+
+	caConfigMap := defaultCrtConfigMapPtr(fakeRootCA)
+	addFieldCM := defaultCrtConfigMapPtr(fakeRootCA)
+	addFieldCM.Data["test"] = "test"
+	modifyFieldCM := defaultCrtConfigMapPtr([]byte("abc"))
+	otherConfigMap := &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            "other",
+			Namespace:       ns,
+			ResourceVersion: "1",
+		},
+	}
+	updateOtherConfigMap := &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            "other",
+			Namespace:       ns,
+			ResourceVersion: "1",
+		},
+		Data: map[string]string{"aa": "bb"},
+	}
+
+	existNS := &v1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{Name: ns},
+		Status: v1.NamespaceStatus{
+			Phase: v1.NamespaceActive,
+		},
+	}
+	newNs := &v1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{Name: "new"},
+		Status: v1.NamespaceStatus{
+			Phase: v1.NamespaceActive,
+		},
+	}
+	terminatingNS := &v1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{Name: ns},
+		Status: v1.NamespaceStatus{
+			Phase: v1.NamespaceTerminating,
+		},
+	}
+
+	type action struct {
+		verb string
+		name string
+	}
+	testcases := map[string]struct {
+		ExistingConfigMaps []*v1.ConfigMap
+		AddedNamespace     *v1.Namespace
+		UpdatedNamespace   *v1.Namespace
+		DeletedConfigMap   *v1.ConfigMap
+		UpdatedConfigMap   *v1.ConfigMap
+		ExpectActions      []action
+	}{
+		"create new namesapce": {
+			AddedNamespace: newNs,
+			ExpectActions:  []action{{verb: "create", name: RootCACertConfigMapName}},
+		},
+		"delete other configmap": {
+			ExistingConfigMaps: []*v1.ConfigMap{otherConfigMap, caConfigMap},
+			DeletedConfigMap:   otherConfigMap,
+		},
+		"delete ca configmap": {
+			ExistingConfigMaps: []*v1.ConfigMap{otherConfigMap, caConfigMap},
+			DeletedConfigMap:   caConfigMap,
+			ExpectActions:      []action{{verb: "create", name: RootCACertConfigMapName}},
+		},
+		"update ca configmap with adding field": {
+			ExistingConfigMaps: []*v1.ConfigMap{caConfigMap},
+			UpdatedConfigMap:   addFieldCM,
+			ExpectActions:      []action{{verb: "update", name: RootCACertConfigMapName}},
+		},
+		"update ca configmap with modifying field": {
+			ExistingConfigMaps: []*v1.ConfigMap{caConfigMap},
+			UpdatedConfigMap:   modifyFieldCM,
+			ExpectActions:      []action{{verb: "update", name: RootCACertConfigMapName}},
+		},
+		"update with other configmap": {
+			ExistingConfigMaps: []*v1.ConfigMap{caConfigMap, otherConfigMap},
+			UpdatedConfigMap:   updateOtherConfigMap,
+		},
+		"update namespace with terminating state": {
+			UpdatedNamespace: terminatingNS,
+		},
+	}
+
+	for k, tc := range testcases {
+		t.Run(k, func(t *testing.T) {
+			client := fake.NewSimpleClientset(caConfigMap, existNS)
+			informers := informers.NewSharedInformerFactory(fake.NewSimpleClientset(), controller.NoResyncPeriodFunc())
+			cmInformer := informers.Core().V1().ConfigMaps()
+			nsInformer := informers.Core().V1().Namespaces()
+			controller, err := NewPublisher(cmInformer, nsInformer, client, fakeRootCA)
+			if err != nil {
+				t.Fatalf("error creating ServiceAccounts controller: %v", err)
+			}
+
+			cmStore := cmInformer.Informer().GetStore()
+
+			controller.syncHandler = controller.syncNamespace
+
+			for _, s := range tc.ExistingConfigMaps {
+				cmStore.Add(s)
+			}
+
+			if tc.AddedNamespace != nil {
+				controller.namespaceAdded(tc.AddedNamespace)
+			}
+			if tc.UpdatedNamespace != nil {
+				controller.namespaceUpdated(nil, tc.UpdatedNamespace)
+			}
+
+			if tc.DeletedConfigMap != nil {
+				cmStore.Delete(tc.DeletedConfigMap)
+				controller.configMapDeleted(tc.DeletedConfigMap)
+			}
+
+			if tc.UpdatedConfigMap != nil {
+				cmStore.Add(tc.UpdatedConfigMap)
+				controller.configMapUpdated(nil, tc.UpdatedConfigMap)
+			}
+
+			for controller.queue.Len() != 0 {
+				controller.processNextWorkItem()
+			}
+
+			actions := client.Actions()
+			if reflect.DeepEqual(actions, tc.ExpectActions) {
+				t.Errorf("Unexpected actions:\n%s", diff.ObjectGoPrintDiff(actions, tc.ExpectActions))
+			}
+		})
+	}
+}
+
+func defaultCrtConfigMapPtr(rootCA []byte) *v1.ConfigMap {
+	tmp := v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: RootCACertConfigMapName,
+		},
+		Data: map[string]string{
+			"ca.crt": string(rootCA),
+		},
+	}
+	tmp.Namespace = metav1.NamespaceDefault
+	return &tmp
+}