rebase: update K8s packages to v0.32.1

Update K8s packages in go.mod to v0.32.1

Signed-off-by: Praveen M <m.praveen@ibm.com>

vendor/k8s.io/apiserver/pkg/cel/environment/base.go

@@ -33,7 +33,8 @@ import (
 	"k8s.io/apiserver/pkg/cel/library"
 	genericfeatures "k8s.io/apiserver/pkg/features"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	utilversion "k8s.io/apiserver/pkg/util/version"
+	"k8s.io/component-base/featuregate"
+	utilversion "k8s.io/component-base/version"
 )
 
 // DefaultCompatibilityVersion returns a default compatibility version for use with EnvSet
@@ -49,7 +50,7 @@ import (
 // A default version number equal to the current Kubernetes major.minor version
 // indicates fast forward CEL features that can be used when rollback is no longer needed.
 func DefaultCompatibilityVersion() *version.Version {
-	effectiveVer := utilversion.DefaultComponentGlobalsRegistry.EffectiveVersionFor(utilversion.DefaultKubeComponent)
+	effectiveVer := featuregate.DefaultComponentGlobalsRegistry.EffectiveVersionFor(featuregate.DefaultKubeComponent)
 	if effectiveVer == nil {
 		effectiveVer = utilversion.DefaultKubeEffectiveVersion()
 	}
@@ -71,9 +72,9 @@ var baseOptsWithoutStrictCost = []VersionedOptions{
 			cel.EagerlyValidateDeclarations(true),
 			cel.DefaultUTCTimeZone(true),
 
-			library.URLs(),
-			library.Regex(),
-			library.Lists(),
+			UnversionedLib(library.URLs),
+			UnversionedLib(library.Regex),
+			UnversionedLib(library.Lists),
 
 			// cel-go v0.17.7 change the cost of has() from 0 to 1, but also provided the CostEstimatorOptions option to preserve the old behavior, so we enabled it at the same time we bumped our cel version to v0.17.7.
 			// Since it is a regression fix, we apply it uniformly to all code use v0.17.7.
@@ -91,7 +92,7 @@ var baseOptsWithoutStrictCost = []VersionedOptions{
 	{
 		IntroducedVersion: version.MajorMinor(1, 27),
 		EnvOptions: []cel.EnvOption{
-			library.Authz(),
+			UnversionedLib(library.Authz),
 		},
 	},
 	{
@@ -99,7 +100,7 @@ var baseOptsWithoutStrictCost = []VersionedOptions{
 		EnvOptions: []cel.EnvOption{
 			cel.CrossTypeNumericComparisons(true),
 			cel.OptionalTypes(),
-			library.Quantity(),
+			UnversionedLib(library.Quantity),
 		},
 	},
 	// add the new validator in 1.29
@@ -138,15 +139,15 @@ var baseOptsWithoutStrictCost = []VersionedOptions{
 	{
 		IntroducedVersion: version.MajorMinor(1, 30),
 		EnvOptions: []cel.EnvOption{
-			library.IP(),
-			library.CIDR(),
+			UnversionedLib(library.IP),
+			UnversionedLib(library.CIDR),
 		},
 	},
 	// Format Library
 	{
 		IntroducedVersion: version.MajorMinor(1, 31),
 		EnvOptions: []cel.EnvOption{
-			library.Format(),
+			UnversionedLib(library.Format),
 		},
 	},
 	// Authz selectors
@@ -165,7 +166,14 @@ var baseOptsWithoutStrictCost = []VersionedOptions{
 			return enabled
 		},
 		EnvOptions: []cel.EnvOption{
-			library.AuthzSelectors(),
+			UnversionedLib(library.AuthzSelectors),
+		},
+	},
+	// Two variable comprehensions
+	{
+		IntroducedVersion: version.MajorMinor(1, 32),
+		EnvOptions: []cel.EnvOption{
+			UnversionedLib(ext.TwoVarComprehensions),
 		},
 	},
 }
@@ -191,6 +199,19 @@ var StrictCostOpt = VersionedOptions{
 	},
 }
 
+// cacheBaseEnvs controls whether calls to MustBaseEnvSet are cached.
+// Defaults to true, may be disabled by calling DisableBaseEnvSetCachingForTests.
+var cacheBaseEnvs = true
+
+// DisableBaseEnvSetCachingForTests clears and disables base env caching.
+// This is only intended for unit tests exercising MustBaseEnvSet directly with different enablement options.
+// It does not clear other initialization paths that may cache results of calling MustBaseEnvSet.
+func DisableBaseEnvSetCachingForTests() {
+	cacheBaseEnvs = false
+	baseEnvs.Clear()
+	baseEnvsWithOption.Clear()
+}
+
 // MustBaseEnvSet returns the common CEL base environments for Kubernetes for Version, or panics
 // if the version is nil, or does not have major and minor components.
 //
@@ -216,7 +237,9 @@ func MustBaseEnvSet(ver *version.Version, strictCost bool) *EnvSet {
 		}
 		entry, _, _ = baseEnvsSingleflight.Do(key, func() (interface{}, error) {
 			entry := mustNewEnvSet(ver, baseOpts)
-			baseEnvs.Store(key, entry)
+			if cacheBaseEnvs {
+				baseEnvs.Store(key, entry)
+			}
 			return entry, nil
 		})
 	} else {
@@ -225,7 +248,9 @@ func MustBaseEnvSet(ver *version.Version, strictCost bool) *EnvSet {
 		}
 		entry, _, _ = baseEnvsWithOptionSingleflight.Do(key, func() (interface{}, error) {
 			entry := mustNewEnvSet(ver, baseOptsWithoutStrictCost)
-			baseEnvsWithOption.Store(key, entry)
+			if cacheBaseEnvs {
+				baseEnvsWithOption.Store(key, entry)
+			}
 			return entry, nil
 		})
 	}
@@ -239,3 +264,20 @@ var (
 	baseEnvsSingleflight           = &singleflight.Group{}
 	baseEnvsWithOptionSingleflight = &singleflight.Group{}
 )
+
+// UnversionedLib wraps library initialization calls like ext.Sets() or library.IP()
+// to force compilation errors if the call evolves to include a varadic variable option.
+//
+// This provides automatic detection of a problem that is hard to catch in review--
+// If a CEL library used in Kubernetes is unversioned and then become versioned, and we
+// fail to set a desired version, the libraries defaults to the latest version, changing
+// CEL environment without controlled rollout, bypassing the entire purpose of the base
+// environment.
+//
+// If usages of this function fail to compile: add version=1 argument to all call sites
+// that fail compilation while removing the UnversionedLib wrapper. Next, review
+// the changes in the library present in higher versions and, if needed, use VersionedOptions to
+// the base environment to roll out to a newer version safely.
+func UnversionedLib(initializer func() cel.EnvOption) cel.EnvOption {
+	return initializer()
+}