rebase: update kubernetes to latest

updating the kubernetes release to the
latest in main go.mod

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>

vendor/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go

@@ -21,6 +21,7 @@ import (
 	"time"
 
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apiserver/pkg/apis/apiserver"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/group"
 	"k8s.io/apiserver/pkg/authentication/request/anonymous"
@@ -39,7 +40,7 @@ import (
 // DelegatingAuthenticatorConfig is the minimal configuration needed to create an authenticator
 // built to delegate authentication to a kube API server
 type DelegatingAuthenticatorConfig struct {
-	Anonymous bool
+	Anonymous *apiserver.AnonymousAuthConfig
 
 	// TokenAccessReviewClient is a client to do token review. It can be nil. Then every token is ignored.
 	TokenAccessReviewClient authenticationclient.AuthenticationV1Interface
@@ -112,15 +113,15 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, *spec.Secur
 	}
 
 	if len(authenticators) == 0 {
-		if c.Anonymous {
-			return anonymous.NewAuthenticator(), &securityDefinitions, nil
+		if c.Anonymous != nil && c.Anonymous.Enabled {
+			return anonymous.NewAuthenticator(c.Anonymous.Conditions), &securityDefinitions, nil
 		}
-		return nil, nil, errors.New("No authentication method configured")
+		return nil, nil, errors.New("no authentication method configured")
 	}
 
 	authenticator := group.NewAuthenticatedGroupAdder(unionauth.New(authenticators...))
-	if c.Anonymous {
-		authenticator = unionauth.NewFailOnError(authenticator, anonymous.NewAuthenticator())
+	if c.Anonymous != nil && c.Anonymous.Enabled {
+		authenticator = unionauth.NewFailOnError(authenticator, anonymous.NewAuthenticator(c.Anonymous.Conditions))
 	}
 	return authenticator, &securityDefinitions, nil
 }

vendor/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go

@@ -19,25 +19,44 @@ package anonymous
 import (
 	"net/http"
 
+	"k8s.io/apiserver/pkg/apis/apiserver"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 )
 
 const (
-	anonymousUser = user.Anonymous
-
+	anonymousUser        = user.Anonymous
 	unauthenticatedGroup = user.AllUnauthenticated
 )
 
-func NewAuthenticator() authenticator.Request {
-	return authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
-		auds, _ := authenticator.AudiencesFrom(req.Context())
-		return &authenticator.Response{
-			User: &user.DefaultInfo{
-				Name:   anonymousUser,
-				Groups: []string{unauthenticatedGroup},
-			},
-			Audiences: auds,
-		}, true, nil
-	})
+type Authenticator struct {
+	allowedPaths map[string]bool
+}
+
+func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
+	if len(a.allowedPaths) > 0 && !a.allowedPaths[req.URL.Path] {
+		return nil, false, nil
+	}
+
+	auds, _ := authenticator.AudiencesFrom(req.Context())
+	return &authenticator.Response{
+		User: &user.DefaultInfo{
+			Name:   anonymousUser,
+			Groups: []string{unauthenticatedGroup},
+		},
+		Audiences: auds,
+	}, true, nil
+}
+
+// NewAuthenticator returns a new anonymous authenticator.
+// When conditions is empty all requests are authenticated as anonymous.
+// When conditions are non-empty only those requests that match the at-least one
+// condition are authenticated as anonymous.
+func NewAuthenticator(conditions []apiserver.AnonymousAuthCondition) authenticator.Request {
+	allowedPaths := make(map[string]bool)
+	for _, c := range conditions {
+		allowedPaths[c.Path] = true
+	}
+
+	return &Authenticator{allowedPaths: allowedPaths}
 }

vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader.go

@@ -17,9 +17,7 @@ limitations under the License.
 package headerrequest
 
 import (
-	"crypto/x509"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strings"
@@ -27,7 +25,6 @@ import (
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	x509request "k8s.io/apiserver/pkg/authentication/request/x509"
 	"k8s.io/apiserver/pkg/authentication/user"
-	utilcert "k8s.io/client-go/util/cert"
 )
 
 // StringSliceProvider is a way to get a string slice value.  It is heavily used for authentication headers among other places.
@@ -106,48 +103,6 @@ func trimHeaders(headerNames ...string) ([]string, error) {
 	return ret, nil
 }
 
-func NewSecure(clientCA string, proxyClientNames []string, nameHeaders []string, groupHeaders []string, extraHeaderPrefixes []string) (authenticator.Request, error) {
-	if len(clientCA) == 0 {
-		return nil, fmt.Errorf("missing clientCA file")
-	}
-
-	// Wrap with an x509 verifier
-	caData, err := ioutil.ReadFile(clientCA)
-	if err != nil {
-		return nil, fmt.Errorf("error reading %s: %v", clientCA, err)
-	}
-	opts := x509request.DefaultVerifyOptions()
-	opts.Roots = x509.NewCertPool()
-	certs, err := utilcert.ParseCertsPEM(caData)
-	if err != nil {
-		return nil, fmt.Errorf("error loading certs from  %s: %v", clientCA, err)
-	}
-	for _, cert := range certs {
-		opts.Roots.AddCert(cert)
-	}
-
-	trimmedNameHeaders, err := trimHeaders(nameHeaders...)
-	if err != nil {
-		return nil, err
-	}
-	trimmedGroupHeaders, err := trimHeaders(groupHeaders...)
-	if err != nil {
-		return nil, err
-	}
-	trimmedExtraHeaderPrefixes, err := trimHeaders(extraHeaderPrefixes...)
-	if err != nil {
-		return nil, err
-	}
-
-	return NewDynamicVerifyOptionsSecure(
-		x509request.StaticVerifierFn(opts),
-		StaticStringSlice(proxyClientNames),
-		StaticStringSlice(trimmedNameHeaders),
-		StaticStringSlice(trimmedGroupHeaders),
-		StaticStringSlice(trimmedExtraHeaderPrefixes),
-	), nil
-}
-
 func NewDynamicVerifyOptionsSecure(verifyOptionFn x509request.VerifyOptionFunc, proxyClientNames, nameHeaders, groupHeaders, extraHeaderPrefixes StringSliceProvider) authenticator.Request {
 	headerAuthenticator := NewDynamic(nameHeaders, groupHeaders, extraHeaderPrefixes)
 

vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"sync/atomic"
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
@@ -35,7 +36,6 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
-	"sync/atomic"
 )
 
 const (
@@ -74,7 +74,7 @@ type RequestHeaderAuthRequestController struct {
 	configmapInformer       cache.SharedIndexInformer
 	configmapInformerSynced cache.InformerSynced
 
-	queue workqueue.RateLimitingInterface
+	queue workqueue.TypedRateLimitingInterface[string]
 
 	// exportedRequestHeaderBundle is a requestHeaderBundle that contains the last read, non-zero length content of the configmap
 	exportedRequestHeaderBundle atomic.Value
@@ -104,7 +104,10 @@ func NewRequestHeaderAuthRequestController(
 		extraHeaderPrefixesKey: extraHeaderPrefixesKey,
 		allowedClientNamesKey:  allowedClientNamesKey,
 
-		queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "RequestHeaderAuthRequestController"),
+		queue: workqueue.NewTypedRateLimitingQueueWithConfig(
+			workqueue.DefaultTypedControllerRateLimiter[string](),
+			workqueue.TypedRateLimitingQueueConfig[string]{Name: "RequestHeaderAuthRequestController"},
+		),
 	}
 
 	// we construct our own informer because we need such a small subset of the information available.  Just one namespace.