rebase: update kubernetes to v1.20.0

updated kubernetes packages to latest
release.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>

vendor/k8s.io/client-go/rest/client.go

@@ -94,6 +94,10 @@ type RESTClient struct {
 	// overridden.
 	rateLimiter flowcontrol.RateLimiter
 
+	// warningHandler is shared among all requests created by this client.
+	// If not set, defaultWarningHandler is used.
+	warningHandler WarningHandler
+
 	// Set specific behavior of the client.  If not set http.DefaultClient will be used.
 	Client *http.Client
 }

vendor/k8s.io/client-go/rest/config.go

@@ -23,6 +23,7 @@ import (
 	"io/ioutil"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
 	gruntime "runtime"
@@ -37,7 +38,7 @@ import (
 	"k8s.io/client-go/transport"
 	certutil "k8s.io/client-go/util/cert"
 	"k8s.io/client-go/util/flowcontrol"
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 )
 
 const (
@@ -64,12 +65,12 @@ type Config struct {
 
 	// Server requires Basic authentication
 	Username string
-	Password string
+	Password string `datapolicy:"password"`
 
 	// Server requires Bearer authentication. This client will not attempt to use
 	// refresh tokens for an OAuth2 flow.
 	// TODO: demonstrate an OAuth2 compatible client.
-	BearerToken string
+	BearerToken string `datapolicy:"token"`
 
 	// Path to a file containing a BearerToken.
 	// If set, the contents are periodically read.
@@ -122,12 +123,24 @@ type Config struct {
 	// Rate limiter for limiting connections to the master from this client. If present overwrites QPS/Burst
 	RateLimiter flowcontrol.RateLimiter
 
+	// WarningHandler handles warnings in server responses.
+	// If not set, the default warning handler is used.
+	// See documentation for SetDefaultWarningHandler() for details.
+	WarningHandler WarningHandler
+
 	// The maximum length of time to wait before giving up on a server request. A value of zero means no timeout.
 	Timeout time.Duration
 
 	// Dial specifies the dial function for creating unencrypted TCP connections.
 	Dial func(ctx context.Context, network, address string) (net.Conn, error)
 
+	// Proxy is the proxy func to be used for all requests made by this
+	// transport. If Proxy is nil, http.ProxyFromEnvironment is used. If Proxy
+	// returns a nil *URL, no proxy is used.
+	//
+	// socks5 proxying does not currently support spdy streaming endpoints.
+	Proxy func(*http.Request) (*url.URL, error)
+
 	// Version forces a specific version to be used (if registered)
 	// Do we need this?
 	// Version string
@@ -147,6 +160,15 @@ func (sanitizedAuthConfigPersister) String() string {
 	return "rest.AuthProviderConfigPersister(--- REDACTED ---)"
 }
 
+type sanitizedObject struct{ runtime.Object }
+
+func (sanitizedObject) GoString() string {
+	return "runtime.Object(--- REDACTED ---)"
+}
+func (sanitizedObject) String() string {
+	return "runtime.Object(--- REDACTED ---)"
+}
+
 // GoString implements fmt.GoStringer and sanitizes sensitive fields of Config
 // to prevent accidental leaking via logs.
 func (c *Config) GoString() string {
@@ -170,7 +192,9 @@ func (c *Config) String() string {
 	if cc.AuthConfigPersister != nil {
 		cc.AuthConfigPersister = sanitizedAuthConfigPersister{cc.AuthConfigPersister}
 	}
-
+	if cc.ExecProvider != nil && cc.ExecProvider.Config != nil {
+		cc.ExecProvider.Config = sanitizedObject{Object: cc.ExecProvider.Config}
+	}
 	return fmt.Sprintf("%#v", cc)
 }
 
@@ -191,7 +215,7 @@ type TLSClientConfig struct {
 	// Server should be accessed without verifying the TLS certificate. For testing only.
 	Insecure bool
 	// ServerName is passed to the server for SNI and is used in the client to check server
-	// ceritificates against. If ServerName is empty, the hostname used to contact the
+	// certificates against. If ServerName is empty, the hostname used to contact the
 	// server is used.
 	ServerName string
 
@@ -207,7 +231,7 @@ type TLSClientConfig struct {
 	CertData []byte
 	// KeyData holds PEM-encoded bytes (typically read from a client certificate key file).
 	// KeyData takes precedence over KeyFile
-	KeyData []byte
+	KeyData []byte `datapolicy:"security-key"`
 	// CAData holds PEM-encoded bytes (typically read from a root certificates bundle).
 	// CAData takes precedence over CAFile
 	CAData []byte
@@ -331,7 +355,11 @@ func RESTClientFor(config *Config) (*RESTClient, error) {
 		Negotiator:         runtime.NewClientNegotiator(config.NegotiatedSerializer, gv),
 	}
 
-	return NewRESTClient(baseURL, versionedAPIPath, clientContent, rateLimiter, httpClient)
+	restClient, err := NewRESTClient(baseURL, versionedAPIPath, clientContent, rateLimiter, httpClient)
+	if err == nil && config.WarningHandler != nil {
+		restClient.warningHandler = config.WarningHandler
+	}
+	return restClient, err
 }
 
 // UnversionedRESTClientFor is the same as RESTClientFor, except that it allows
@@ -385,7 +413,11 @@ func UnversionedRESTClientFor(config *Config) (*RESTClient, error) {
 		Negotiator:         runtime.NewClientNegotiator(config.NegotiatedSerializer, gv),
 	}
 
-	return NewRESTClient(baseURL, versionedAPIPath, clientContent, rateLimiter, httpClient)
+	restClient, err := NewRESTClient(baseURL, versionedAPIPath, clientContent, rateLimiter, httpClient)
+	if err == nil && config.WarningHandler != nil {
+		restClient.warningHandler = config.WarningHandler
+	}
+	return restClient, err
 }
 
 // SetKubernetesDefaults sets default values on the provided client config for accessing the
@@ -554,18 +586,20 @@ func AnonymousClientConfig(config *Config) *Config {
 			NextProtos: config.TLSClientConfig.NextProtos,
 		},
 		RateLimiter:        config.RateLimiter,
+		WarningHandler:     config.WarningHandler,
 		UserAgent:          config.UserAgent,
 		DisableCompression: config.DisableCompression,
 		QPS:                config.QPS,
 		Burst:              config.Burst,
 		Timeout:            config.Timeout,
 		Dial:               config.Dial,
+		Proxy:              config.Proxy,
 	}
 }
 
 // CopyConfig returns a copy of the given config
 func CopyConfig(config *Config) *Config {
-	return &Config{
+	c := &Config{
 		Host:            config.Host,
 		APIPath:         config.APIPath,
 		ContentConfig:   config.ContentConfig,
@@ -599,7 +633,13 @@ func CopyConfig(config *Config) *Config {
 		QPS:                config.QPS,
 		Burst:              config.Burst,
 		RateLimiter:        config.RateLimiter,
+		WarningHandler:     config.WarningHandler,
 		Timeout:            config.Timeout,
 		Dial:               config.Dial,
+		Proxy:              config.Proxy,
 	}
+	if config.ExecProvider != nil && config.ExecProvider.Config != nil {
+		c.ExecProvider.Config = config.ExecProvider.Config.DeepCopyObject()
+	}
+	return c
 }

vendor/k8s.io/client-go/rest/exec.go

@@ -0,0 +1,85 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"k8s.io/client-go/pkg/apis/clientauthentication"
+	clientauthenticationapi "k8s.io/client-go/pkg/apis/clientauthentication"
+)
+
+// This file contains Config logic related to exec credential plugins.
+
+// ConfigToExecCluster creates a clientauthenticationapi.Cluster with the corresponding fields from
+// the provided Config.
+func ConfigToExecCluster(config *Config) (*clientauthenticationapi.Cluster, error) {
+	caData, err := dataFromSliceOrFile(config.CAData, config.CAFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load CA bundle for execProvider: %v", err)
+	}
+
+	var proxyURL string
+	if config.Proxy != nil {
+		req, err := http.NewRequest("", config.Host, nil)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create proxy URL request for execProvider: %w", err)
+		}
+		url, err := config.Proxy(req)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get proxy URL for execProvider: %w", err)
+		}
+		if url != nil {
+			proxyURL = url.String()
+		}
+	}
+
+	return &clientauthentication.Cluster{
+		Server:                   config.Host,
+		TLSServerName:            config.ServerName,
+		InsecureSkipTLSVerify:    config.Insecure,
+		CertificateAuthorityData: caData,
+		ProxyURL:                 proxyURL,
+		Config:                   config.ExecProvider.Config,
+	}, nil
+}
+
+// ExecClusterToConfig creates a Config with the corresponding fields from the provided
+// clientauthenticationapi.Cluster. The returned Config will be anonymous (i.e., it will not have
+// any authentication-related fields set).
+func ExecClusterToConfig(cluster *clientauthentication.Cluster) (*Config, error) {
+	var proxy func(*http.Request) (*url.URL, error)
+	if cluster.ProxyURL != "" {
+		proxyURL, err := url.Parse(cluster.ProxyURL)
+		if err != nil {
+			return nil, fmt.Errorf("cannot parse proxy URL: %w", err)
+		}
+		proxy = http.ProxyURL(proxyURL)
+	}
+
+	return &Config{
+		Host: cluster.Server,
+		TLSClientConfig: TLSClientConfig{
+			Insecure:   cluster.InsecureSkipTLSVerify,
+			ServerName: cluster.TLSServerName,
+			CAData:     cluster.CertificateAuthorityData,
+		},
+		Proxy: proxy,
+	}, nil
+}

vendor/k8s.io/client-go/rest/plugin.go

@@ -21,7 +21,7 @@ import (
 	"net/http"
 	"sync"
 
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 )

vendor/k8s.io/client-go/rest/request.go

@@ -45,7 +45,7 @@ import (
 	restclientwatch "k8s.io/client-go/rest/watch"
 	"k8s.io/client-go/tools/metrics"
 	"k8s.io/client-go/util/flowcontrol"
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 )
 
 var (
@@ -88,9 +88,12 @@ var noBackoff = &NoBackoff{}
 type Request struct {
 	c *RESTClient
 
+	warningHandler WarningHandler
+
 	rateLimiter flowcontrol.RateLimiter
 	backoff     BackoffManager
 	timeout     time.Duration
+	maxRetries  int
 
 	// generic components accessible via method setters
 	verb       string
@@ -134,11 +137,13 @@ func NewRequest(c *RESTClient) *Request {
 	}
 
 	r := &Request{
-		c:           c,
-		rateLimiter: c.rateLimiter,
-		backoff:     backoff,
-		timeout:     timeout,
-		pathPrefix:  pathPrefix,
+		c:              c,
+		rateLimiter:    c.rateLimiter,
+		backoff:        backoff,
+		timeout:        timeout,
+		pathPrefix:     pathPrefix,
+		maxRetries:     10,
+		warningHandler: c.warningHandler,
 	}
 
 	switch {
@@ -216,6 +221,13 @@ func (r *Request) BackOff(manager BackoffManager) *Request {
 	return r
 }
 
+// WarningHandler sets the handler this client uses when warning headers are encountered.
+// If set to nil, this client will use the default warning handler (see SetDefaultWarningHandler).
+func (r *Request) WarningHandler(handler WarningHandler) *Request {
+	r.warningHandler = handler
+	return r
+}
+
 // Throttle receives a rate-limiter and sets or replaces an existing request limiter
 func (r *Request) Throttle(limiter flowcontrol.RateLimiter) *Request {
 	r.rateLimiter = limiter
@@ -391,6 +403,18 @@ func (r *Request) Timeout(d time.Duration) *Request {
 	return r
 }
 
+// MaxRetries makes the request use the given integer as a ceiling of retrying upon receiving
+// "Retry-After" headers and 429 status-code in the response. The default is 10 unless this
+// function is specifically called with a different value.
+// A zero maxRetries prevent it from doing retires and return an error immediately.
+func (r *Request) MaxRetries(maxRetries int) *Request {
+	if maxRetries < 0 {
+		maxRetries = 0
+	}
+	r.maxRetries = maxRetries
+	return r
+}
+
 // Body makes the request use obj as the body. Optional.
 // If obj is a string, try to read a file of that name.
 // If obj is a []byte, send it directly.
@@ -487,13 +511,23 @@ func (r Request) finalURLTemplate() url.URL {
 	}
 	r.params = newParams
 	url := r.URL()
-	segments := strings.Split(r.URL().Path, "/")
+
+	segments := strings.Split(url.Path, "/")
 	groupIndex := 0
 	index := 0
-	if r.URL() != nil && r.c.base != nil && strings.Contains(r.URL().Path, r.c.base.Path) {
-		groupIndex += len(strings.Split(r.c.base.Path, "/"))
+	trimmedBasePath := ""
+	if url != nil && r.c.base != nil && strings.Contains(url.Path, r.c.base.Path) {
+		p := strings.TrimPrefix(url.Path, r.c.base.Path)
+		if !strings.HasPrefix(p, "/") {
+			p = "/" + p
+		}
+		// store the base path that we have trimmed so we can append it
+		// before returning the URL
+		trimmedBasePath = r.c.base.Path
+		segments = strings.Split(p, "/")
+		groupIndex = 1
 	}
-	if groupIndex >= len(segments) {
+	if len(segments) <= 2 {
 		return *url
 	}
 
@@ -539,7 +573,7 @@ func (r Request) finalURLTemplate() url.URL {
 			segments[index+3] = "{name}"
 		}
 	}
-	url.Path = path.Join(segments...)
+	url.Path = path.Join(trimmedBasePath, path.Join(segments...))
 	return *url
 }
 
@@ -594,7 +628,7 @@ var globalThrottledLogger = &throttledLogger{
 
 func (b *throttledLogger) attemptToLog() (klog.Level, bool) {
 	for _, setting := range b.settings {
-		if bool(klog.V(setting.logLevel)) {
+		if bool(klog.V(setting.logLevel).Enabled()) {
 			// Return early without write locking if possible.
 			if func() bool {
 				setting.lock.RLock()
@@ -614,7 +648,7 @@ func (b *throttledLogger) attemptToLog() (klog.Level, bool) {
 	return -1, false
 }
 
-// Infof will write a log message at each logLevel specified by the reciever's throttleSettings
+// Infof will write a log message at each logLevel specified by the receiver's throttleSettings
 // as long as it hasn't written a log message more recently than minLogInterval.
 func (b *throttledLogger) Infof(message string, args ...interface{}) {
 	if logLevel, ok := b.attemptToLog(); ok {
@@ -678,6 +712,8 @@ func (r *Request) Watch(ctx context.Context) (watch.Interface, error) {
 		return nil, err
 	}
 
+	handleWarnings(resp.Header, r.warningHandler)
+
 	frameReader := framer.NewFrameReader(resp.Body)
 	watchEventDecoder := streaming.NewDecoder(frameReader, streamingSerializer)
 
@@ -750,6 +786,7 @@ func (r *Request) Stream(ctx context.Context) (io.ReadCloser, error) {
 
 	switch {
 	case (resp.StatusCode >= 200) && (resp.StatusCode < 300):
+		handleWarnings(resp.Header, r.warningHandler)
 		return resp.Body, nil
 
 	default:
@@ -831,7 +868,6 @@ func (r *Request) request(ctx context.Context, fn func(*http.Request, *http.Resp
 	}
 
 	// Right now we make about ten retry attempts if we get a Retry-After response.
-	maxRetries := 10
 	retries := 0
 	for {
 
@@ -894,7 +930,7 @@ func (r *Request) request(ctx context.Context, fn func(*http.Request, *http.Resp
 			}()
 
 			retries++
-			if seconds, wait := checkWait(resp); wait && retries < maxRetries {
+			if seconds, wait := checkWait(resp); wait && retries <= r.maxRetries {
 				if seeker, ok := r.body.(io.Seeker); ok && r.body != nil {
 					_, err := seeker.Seek(0, 0)
 					if err != nil {
@@ -1007,6 +1043,7 @@ func (r *Request) transformResponse(resp *http.Response, req *http.Request) Resu
 				body:        body,
 				contentType: contentType,
 				statusCode:  resp.StatusCode,
+				warnings:    handleWarnings(resp.Header, r.warningHandler),
 			}
 		}
 	}
@@ -1025,6 +1062,7 @@ func (r *Request) transformResponse(resp *http.Response, req *http.Request) Resu
 			statusCode:  resp.StatusCode,
 			decoder:     decoder,
 			err:         err,
+			warnings:    handleWarnings(resp.Header, r.warningHandler),
 		}
 	}
 
@@ -1033,6 +1071,7 @@ func (r *Request) transformResponse(resp *http.Response, req *http.Request) Resu
 		contentType: contentType,
 		statusCode:  resp.StatusCode,
 		decoder:     decoder,
+		warnings:    handleWarnings(resp.Header, r.warningHandler),
 	}
 }
 
@@ -1040,11 +1079,11 @@ func (r *Request) transformResponse(resp *http.Response, req *http.Request) Resu
 func truncateBody(body string) string {
 	max := 0
 	switch {
-	case bool(klog.V(10)):
+	case bool(klog.V(10).Enabled()):
 		return body
-	case bool(klog.V(9)):
+	case bool(klog.V(9).Enabled()):
 		max = 10240
-	case bool(klog.V(8)):
+	case bool(klog.V(8).Enabled()):
 		max = 1024
 	}
 
@@ -1059,7 +1098,7 @@ func truncateBody(body string) string {
 // allocating a new string for the body output unless necessary. Uses a simple heuristic to determine
 // whether the body is printable.
 func glogBody(prefix string, body []byte) {
-	if klog.V(8) {
+	if klog.V(8).Enabled() {
 		if bytes.IndexFunc(body, func(r rune) bool {
 			return r < 0x0a
 		}) != -1 {
@@ -1168,6 +1207,7 @@ func retryAfterSeconds(resp *http.Response) (int, bool) {
 // Result contains the result of calling Request.Do().
 type Result struct {
 	body        []byte
+	warnings    []net.WarningHeader
 	contentType string
 	err         error
 	statusCode  int
@@ -1281,6 +1321,11 @@ func (r Result) Error() error {
 	return r.err
 }
 
+// Warnings returns any warning headers received in the response
+func (r Result) Warnings() []net.WarningHeader {
+	return r.warnings
+}
+
 // NameMayNotBe specifies strings that cannot be used as names specified as path segments (like the REST API or etcd store)
 var NameMayNotBe = []string{".", ".."}
 

vendor/k8s.io/client-go/rest/transport.go

@@ -21,6 +21,7 @@ import (
 	"errors"
 	"net/http"
 
+	"k8s.io/client-go/pkg/apis/clientauthentication"
 	"k8s.io/client-go/plugin/pkg/client/auth/exec"
 	"k8s.io/client-go/transport"
 )
@@ -85,7 +86,8 @@ func (c *Config) TransportConfig() (*transport.Config, error) {
 			Groups:   c.Impersonate.Groups,
 			Extra:    c.Impersonate.Extra,
 		},
-		Dial: c.Dial,
+		Dial:  c.Dial,
+		Proxy: c.Proxy,
 	}
 
 	if c.ExecProvider != nil && c.AuthProvider != nil {
@@ -93,7 +95,15 @@ func (c *Config) TransportConfig() (*transport.Config, error) {
 	}
 
 	if c.ExecProvider != nil {
-		provider, err := exec.GetAuthenticator(c.ExecProvider)
+		var cluster *clientauthentication.Cluster
+		if c.ExecProvider.ProvideClusterInfo {
+			var err error
+			cluster, err = ConfigToExecCluster(c)
+			if err != nil {
+				return nil, err
+			}
+		}
+		provider, err := exec.GetAuthenticator(c.ExecProvider, cluster)
 		if err != nil {
 			return nil, err
 		}

vendor/k8s.io/client-go/rest/urlbackoff.go

@@ -22,7 +22,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/util/flowcontrol"
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 )
 
 // Set of resp. Codes that we backoff for.

vendor/k8s.io/client-go/rest/warnings.go

@@ -0,0 +1,147 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"sync"
+
+	"k8s.io/klog/v2"
+
+	"k8s.io/apimachinery/pkg/util/net"
+)
+
+// WarningHandler is an interface for handling warning headers
+type WarningHandler interface {
+	// HandleWarningHeader is called with the warn code, agent, and text when a warning header is countered.
+	HandleWarningHeader(code int, agent string, text string)
+}
+
+var (
+	defaultWarningHandler     WarningHandler = WarningLogger{}
+	defaultWarningHandlerLock sync.RWMutex
+)
+
+// SetDefaultWarningHandler sets the default handler clients use when warning headers are encountered.
+// By default, warnings are logged. Several built-in implementations are provided:
+//  - NoWarnings suppresses warnings.
+//  - WarningLogger logs warnings.
+//  - NewWarningWriter() outputs warnings to the provided writer.
+func SetDefaultWarningHandler(l WarningHandler) {
+	defaultWarningHandlerLock.Lock()
+	defer defaultWarningHandlerLock.Unlock()
+	defaultWarningHandler = l
+}
+func getDefaultWarningHandler() WarningHandler {
+	defaultWarningHandlerLock.RLock()
+	defer defaultWarningHandlerLock.RUnlock()
+	l := defaultWarningHandler
+	return l
+}
+
+// NoWarnings is an implementation of WarningHandler that suppresses warnings.
+type NoWarnings struct{}
+
+func (NoWarnings) HandleWarningHeader(code int, agent string, message string) {}
+
+// WarningLogger is an implementation of WarningHandler that logs code 299 warnings
+type WarningLogger struct{}
+
+func (WarningLogger) HandleWarningHeader(code int, agent string, message string) {
+	if code != 299 || len(message) == 0 {
+		return
+	}
+	klog.Warning(message)
+}
+
+type warningWriter struct {
+	// out is the writer to output warnings to
+	out io.Writer
+	// opts contains options controlling warning output
+	opts WarningWriterOptions
+	// writtenLock guards written and writtenCount
+	writtenLock  sync.Mutex
+	writtenCount int
+	written      map[string]struct{}
+}
+
+// WarningWriterOptions controls the behavior of a WarningHandler constructed using NewWarningWriter()
+type WarningWriterOptions struct {
+	// Deduplicate indicates a given warning message should only be written once.
+	// Setting this to true in a long-running process handling many warnings can result in increased memory use.
+	Deduplicate bool
+	// Color indicates that warning output can include ANSI color codes
+	Color bool
+}
+
+// NewWarningWriter returns an implementation of WarningHandler that outputs code 299 warnings to the specified writer.
+func NewWarningWriter(out io.Writer, opts WarningWriterOptions) *warningWriter {
+	h := &warningWriter{out: out, opts: opts}
+	if opts.Deduplicate {
+		h.written = map[string]struct{}{}
+	}
+	return h
+}
+
+const (
+	yellowColor = "\u001b[33;1m"
+	resetColor  = "\u001b[0m"
+)
+
+// HandleWarningHeader prints warnings with code=299 to the configured writer.
+func (w *warningWriter) HandleWarningHeader(code int, agent string, message string) {
+	if code != 299 || len(message) == 0 {
+		return
+	}
+
+	w.writtenLock.Lock()
+	defer w.writtenLock.Unlock()
+
+	if w.opts.Deduplicate {
+		if _, alreadyWritten := w.written[message]; alreadyWritten {
+			return
+		}
+		w.written[message] = struct{}{}
+	}
+	w.writtenCount++
+
+	if w.opts.Color {
+		fmt.Fprintf(w.out, "%sWarning:%s %s\n", yellowColor, resetColor, message)
+	} else {
+		fmt.Fprintf(w.out, "Warning: %s\n", message)
+	}
+}
+
+func (w *warningWriter) WarningCount() int {
+	w.writtenLock.Lock()
+	defer w.writtenLock.Unlock()
+	return w.writtenCount
+}
+
+func handleWarnings(headers http.Header, handler WarningHandler) []net.WarningHeader {
+	if handler == nil {
+		handler = getDefaultWarningHandler()
+	}
+
+	warnings, _ := net.ParseWarningHeaders(headers["Warning"])
+	for _, warning := range warnings {
+		handler.HandleWarningHeader(warning.Code, warning.Agent, warning.Text)
+	}
+	return warnings
+}