vendor update for CSI 0.3.0

2025-06-14 10:53:34 +00:00 · 2018-07-18 16:47:22 +02:00
parent 6f484f92fc
commit 8ea659f0d5
6810 changed files with 438061 additions and 193861 deletions
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/token/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/token/BUILD
@ -0,0 +1,40 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["token_manager.go"],
+    importpath = "k8s.io/kubernetes/pkg/kubelet/token",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/k8s.io/api/authentication/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/clock:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["token_manager_test.go"],
+    embed = [":go_default_library"],
+    deps = [
+        "//vendor/k8s.io/api/authentication/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/clock:go_default_library",
+    ],
+)
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/token/OWNERS
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/token/OWNERS
@ -0,0 +1,6 @@
+approvers:
+- mikedanese
+reviewers:
+- mikedanese
+- awly
+- tallclair
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/token/token_manager.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/token/token_manager.go
@ -0,0 +1,151 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package token implements a manager of serviceaccount tokens for pods running
+// on the node.
+package token
+
+import (
+	"errors"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/golang/glog"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	"k8s.io/apimachinery/pkg/util/clock"
+	"k8s.io/apimachinery/pkg/util/wait"
+	clientset "k8s.io/client-go/kubernetes"
+)
+
+const (
+	maxTTL   = 24 * time.Hour
+	gcPeriod = time.Minute
+)
+
+// NewManager returns a new token manager.
+func NewManager(c clientset.Interface) *Manager {
+	m := &Manager{
+		getToken: func(name, namespace string, tr *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error) {
+			if c == nil {
+				return nil, errors.New("cannot use TokenManager when kubelet is in standalone mode")
+			}
+			return c.CoreV1().ServiceAccounts(namespace).CreateToken(name, tr)
+		},
+		cache: make(map[string]*authenticationv1.TokenRequest),
+		clock: clock.RealClock{},
+	}
+	go wait.Forever(m.cleanup, gcPeriod)
+	return m
+}
+
+// Manager manages service account tokens for pods.
+type Manager struct {
+
+	// cacheMutex guards the cache
+	cacheMutex sync.RWMutex
+	cache      map[string]*authenticationv1.TokenRequest
+
+	// mocked for testing
+	getToken func(name, namespace string, tr *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error)
+	clock    clock.Clock
+}
+
+// GetServiceAccountToken gets a service account token for a pod from cache or
+// from the TokenRequest API. This process is as follows:
+// * Check the cache for the current token request.
+// * If the token exists and does not require a refresh, return the current token.
+// * Attempt to refresh the token.
+// * If the token is refreshed successfully, save it in the cache and return the token.
+// * If refresh fails and the old token is still valid, log an error and return the old token.
+// * If refresh fails and the old token is no longer valid, return an error
+func (m *Manager) GetServiceAccountToken(namespace, name string, tr *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error) {
+	key := keyFunc(name, namespace, tr)
+	ctr, ok := m.get(key)
+
+	if ok && !m.requiresRefresh(ctr) {
+		return ctr, nil
+	}
+
+	tr, err := m.getToken(name, namespace, tr)
+	if err != nil {
+		switch {
+		case !ok:
+			return nil, fmt.Errorf("failed to fetch token: %v", err)
+		case m.expired(ctr):
+			return nil, fmt.Errorf("token %s expired and refresh failed: %v", key, err)
+		default:
+			glog.Errorf("couldn't update token %s: %v", key, err)
+			return ctr, nil
+		}
+	}
+
+	m.set(key, tr)
+	return tr, nil
+}
+
+func (m *Manager) cleanup() {
+	m.cacheMutex.Lock()
+	defer m.cacheMutex.Unlock()
+	for k, tr := range m.cache {
+		if m.expired(tr) {
+			delete(m.cache, k)
+		}
+	}
+}
+
+func (m *Manager) get(key string) (*authenticationv1.TokenRequest, bool) {
+	m.cacheMutex.RLock()
+	defer m.cacheMutex.RUnlock()
+	ctr, ok := m.cache[key]
+	return ctr, ok
+}
+
+func (m *Manager) set(key string, tr *authenticationv1.TokenRequest) {
+	m.cacheMutex.Lock()
+	defer m.cacheMutex.Unlock()
+	m.cache[key] = tr
+}
+
+func (m *Manager) expired(t *authenticationv1.TokenRequest) bool {
+	return m.clock.Now().After(t.Status.ExpirationTimestamp.Time)
+}
+
+// requiresRefresh returns true if the token is older than 80% of its total
+// ttl, or if the token is older than 24 hours.
+func (m *Manager) requiresRefresh(tr *authenticationv1.TokenRequest) bool {
+	if tr.Spec.ExpirationSeconds == nil {
+		glog.Errorf("expiration seconds was nil for tr: %#v", tr)
+		return false
+	}
+	now := m.clock.Now()
+	exp := tr.Status.ExpirationTimestamp.Time
+	iat := exp.Add(-1 * time.Duration(*tr.Spec.ExpirationSeconds) * time.Second)
+
+	if now.After(iat.Add(maxTTL)) {
+		return true
+	}
+	// Require a refresh if within 20% of the TTL from the expiration time.
+	if now.After(exp.Add(-1 * time.Duration((*tr.Spec.ExpirationSeconds*20)/100) * time.Second)) {
+		return true
+	}
+	return false
+}
+
+// keys should be nonconfidential and safe to log
+func keyFunc(name, namespace string, tr *authenticationv1.TokenRequest) string {
+	return fmt.Sprintf("%q/%q/%#v", name, namespace, tr.Spec)
+}
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/token/token_manager_test.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/token/token_manager_test.go
@ -0,0 +1,223 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package token
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	authenticationv1 "k8s.io/api/authentication/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/clock"
+)
+
+func TestTokenCachingAndExpiration(t *testing.T) {
+	type suite struct {
+		clock *clock.FakeClock
+		tg    *fakeTokenGetter
+		mgr   *Manager
+	}
+
+	cases := []struct {
+		name string
+		exp  time.Duration
+		f    func(t *testing.T, s *suite)
+	}{
+		{
+			name: "rotate hour token expires in the last 12 minutes",
+			exp:  time.Hour,
+			f: func(t *testing.T, s *suite) {
+				s.clock.SetTime(s.clock.Now().Add(50 * time.Minute))
+				if _, err := s.mgr.GetServiceAccountToken("a", "b", &authenticationv1.TokenRequest{}); err != nil {
+					t.Fatalf("unexpected error: %v", err)
+				}
+				if s.tg.count != 2 {
+					t.Fatalf("expected token to be refreshed: call count was %d", s.tg.count)
+				}
+			},
+		},
+		{
+			name: "rotate 24 hour token that expires in 40 hours",
+			exp:  40 * time.Hour,
+			f: func(t *testing.T, s *suite) {
+				s.clock.SetTime(s.clock.Now().Add(25 * time.Hour))
+				if _, err := s.mgr.GetServiceAccountToken("a", "b", &authenticationv1.TokenRequest{}); err != nil {
+					t.Fatalf("unexpected error: %v", err)
+				}
+				if s.tg.count != 2 {
+					t.Fatalf("expected token to be refreshed: call count was %d", s.tg.count)
+				}
+			},
+		},
+		{
+			name: "rotate hour token fails, old token is still valid, doesn't error",
+			exp:  time.Hour,
+			f: func(t *testing.T, s *suite) {
+				s.clock.SetTime(s.clock.Now().Add(50 * time.Minute))
+				tg := &fakeTokenGetter{
+					err: fmt.Errorf("err"),
+				}
+				s.mgr.getToken = tg.getToken
+				tr, err := s.mgr.GetServiceAccountToken("a", "b", &authenticationv1.TokenRequest{})
+				if err != nil {
+					t.Fatalf("unexpected error: %v", err)
+				}
+				if tr.Status.Token != "foo" {
+					t.Fatalf("unexpected token: %v", tr.Status.Token)
+				}
+			},
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			clock := clock.NewFakeClock(time.Time{}.Add(30 * 24 * time.Hour))
+			expSecs := int64(c.exp.Seconds())
+			s := &suite{
+				clock: clock,
+				mgr:   NewManager(nil),
+				tg: &fakeTokenGetter{
+					tr: &authenticationv1.TokenRequest{
+						Spec: authenticationv1.TokenRequestSpec{
+							ExpirationSeconds: &expSecs,
+						},
+						Status: authenticationv1.TokenRequestStatus{
+							Token:               "foo",
+							ExpirationTimestamp: metav1.Time{Time: clock.Now().Add(c.exp)},
+						},
+					},
+				},
+			}
+			s.mgr.getToken = s.tg.getToken
+			s.mgr.clock = s.clock
+			if _, err := s.mgr.GetServiceAccountToken("a", "b", &authenticationv1.TokenRequest{}); err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if s.tg.count != 1 {
+				t.Fatalf("unexpected client call, got: %d, want: 1", s.tg.count)
+			}
+
+			if _, err := s.mgr.GetServiceAccountToken("a", "b", &authenticationv1.TokenRequest{}); err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if s.tg.count != 1 {
+				t.Fatalf("expected token to be served from cache: saw %d", s.tg.count)
+			}
+
+			c.f(t, s)
+		})
+	}
+}
+
+func TestRequiresRefresh(t *testing.T) {
+	start := time.Now()
+	cases := []struct {
+		now, exp      time.Time
+		expectRefresh bool
+	}{
+		{
+			now:           start.Add(10 * time.Minute),
+			exp:           start.Add(60 * time.Minute),
+			expectRefresh: false,
+		},
+		{
+			now:           start.Add(50 * time.Minute),
+			exp:           start.Add(60 * time.Minute),
+			expectRefresh: true,
+		},
+		{
+			now:           start.Add(25 * time.Hour),
+			exp:           start.Add(60 * time.Hour),
+			expectRefresh: true,
+		},
+		{
+			now:           start.Add(70 * time.Minute),
+			exp:           start.Add(60 * time.Minute),
+			expectRefresh: true,
+		},
+	}
+
+	for i, c := range cases {
+		t.Run(fmt.Sprint(i), func(t *testing.T) {
+			clock := clock.NewFakeClock(c.now)
+			secs := int64(c.exp.Sub(start).Seconds())
+			tr := &authenticationv1.TokenRequest{
+				Spec: authenticationv1.TokenRequestSpec{
+					ExpirationSeconds: &secs,
+				},
+				Status: authenticationv1.TokenRequestStatus{
+					ExpirationTimestamp: metav1.Time{Time: c.exp},
+				},
+			}
+			mgr := NewManager(nil)
+			mgr.clock = clock
+
+			rr := mgr.requiresRefresh(tr)
+			if rr != c.expectRefresh {
+				t.Fatalf("unexpected requiresRefresh result, got: %v, want: %v", rr, c.expectRefresh)
+			}
+		})
+	}
+}
+
+type fakeTokenGetter struct {
+	count int
+	tr    *authenticationv1.TokenRequest
+	err   error
+}
+
+func (ftg *fakeTokenGetter) getToken(name, namespace string, tr *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error) {
+	ftg.count++
+	return ftg.tr, ftg.err
+}
+
+func TestCleanup(t *testing.T) {
+	cases := []struct {
+		name              string
+		relativeExp       time.Duration
+		expectedCacheSize int
+	}{
+		{
+			name:              "don't cleanup unexpired tokens",
+			relativeExp:       -1 * time.Hour,
+			expectedCacheSize: 0,
+		},
+		{
+			name:              "cleanup expired tokens",
+			relativeExp:       time.Hour,
+			expectedCacheSize: 1,
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			clock := clock.NewFakeClock(time.Time{}.Add(24 * time.Hour))
+			mgr := NewManager(nil)
+			mgr.clock = clock
+
+			mgr.set("key", &authenticationv1.TokenRequest{
+				Status: authenticationv1.TokenRequestStatus{
+					ExpirationTimestamp: metav1.Time{Time: mgr.clock.Now().Add(c.relativeExp)},
+				},
+			})
+			mgr.cleanup()
+			if got, want := len(mgr.cache), c.expectedCacheSize; got != want {
+				t.Fatalf("unexpected number of cache entries after cleanup, got: %d, want: %d", got, want)
+			}
+		})
+	}
+}