rebase: update kubernetes and libraries to v1.22.0 version

Kubernetes v1.22 version has been released and this update ceph csi dependencies to use the same version. Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2025-06-13 02:33:34 +00:00 · 2021-08-09 12:49:24 +05:30
parent e077c1fdf5
commit aa698bc3e1
759 changed files with 61864 additions and 6514 deletions
--- a/vendor/k8s.io/apiserver/pkg/util/webhook/authentication.go
+++ b/vendor/k8s.io/apiserver/pkg/util/webhook/authentication.go
@ -25,12 +25,17 @@ import (
 	"strings"
 	"time"

+	"go.opentelemetry.io/otel/trace"
+
 	corev1 "k8s.io/api/core/v1"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/apiserver/pkg/features"
 	egressselector "k8s.io/apiserver/pkg/server/egressselector"
+	"k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+	"k8s.io/component-base/traces"
 )

 // AuthenticationInfoResolverWrapper can be used to inject Dial function to the
@ -41,7 +46,8 @@ type AuthenticationInfoResolverWrapper func(AuthenticationInfoResolver) Authenti
 func NewDefaultAuthenticationInfoResolverWrapper(
 	proxyTransport *http.Transport,
 	egressSelector *egressselector.EgressSelector,
-	kubeapiserverClientConfig *rest.Config) AuthenticationInfoResolverWrapper {
+	kubeapiserverClientConfig *rest.Config,
+	tp *trace.TracerProvider) AuthenticationInfoResolverWrapper {

 	webhookAuthResolverWrapper := func(delegate AuthenticationInfoResolver) AuthenticationInfoResolver {
 		return &AuthenticationInfoResolverDelegator{
@ -53,6 +59,9 @@ func NewDefaultAuthenticationInfoResolverWrapper(
 				if err != nil {
 					return nil, err
 				}
+				if feature.DefaultFeatureGate.Enabled(features.APIServerTracing) {
+					ret.Wrap(traces.WrapperFor(tp))
+				}

 				if egressSelector != nil {
 					networkContext := egressselector.ControlPlane.AsNetworkContext()
@ -75,6 +84,9 @@ func NewDefaultAuthenticationInfoResolverWrapper(
 				if err != nil {
 					return nil, err
 				}
+				if feature.DefaultFeatureGate.Enabled(features.APIServerTracing) {
+					ret.Wrap(traces.WrapperFor(tp))
+				}

 				if egressSelector != nil {
 					networkContext := egressselector.Cluster.AsNetworkContext()
--- a/vendor/k8s.io/apiserver/pkg/util/webhook/client.go
+++ b/vendor/k8s.io/apiserver/pkg/util/webhook/client.go
@ -25,12 +25,13 @@ import (
 	"net/url"
 	"strconv"

-	"github.com/hashicorp/golang-lru"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apiserver/pkg/util/x509metrics"
 	"k8s.io/client-go/rest"
+	"k8s.io/utils/lru"
 )

 const (
@ -64,10 +65,7 @@ type ClientManager struct {

 // NewClientManager creates a clientManager.
 func NewClientManager(gvs []schema.GroupVersion, addToSchemaFuncs ...func(s *runtime.Scheme) error) (ClientManager, error) {
-	cache, err := lru.New(defaultCacheSize)
-	if err != nil {
-		return ClientManager{}, err
-	}
+	cache := lru.New(defaultCacheSize)
 	hookScheme := runtime.NewScheme()
 	for _, addToSchemaFunc := range addToSchemaFuncs {
 		if err := addToSchemaFunc(hookScheme); err != nil {
@ -148,6 +146,11 @@ func (cm *ClientManager) HookClient(cc ClientConfig) (*rest.RESTClient, error) {

 		cfg.ContentConfig.NegotiatedSerializer = cm.negotiatedSerializer
 		cfg.ContentConfig.ContentType = runtime.ContentTypeJSON
+
+		// Add a transport wrapper that allows detection of TLS connections to
+		// servers without SAN extension in their serving certificates
+		cfg.Wrap(x509metrics.NewMissingSANRoundTripperWrapperConstructor(x509MissingSANCounter))
+
 		client, err := rest.UnversionedRESTClientFor(cfg)
 		if err == nil {
 			cm.cache.Add(string(cacheKey), client)
--- a/vendor/k8s.io/apiserver/pkg/util/webhook/gencerts.sh
+++ b/vendor/k8s.io/apiserver/pkg/util/webhook/gencerts.sh
@ -35,6 +35,18 @@ extendedKeyUsage = clientAuth, serverAuth
 subjectAltName = @alt_names
 [alt_names]
 IP.1 = 127.0.0.1
+DNS.1 = localhost
+EOF
+
+cat > server_no_san.conf << EOF
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
 EOF

 cat > client.conf << EOF
@ -64,6 +76,10 @@ openssl genrsa -out serverKey.pem 2048
 openssl req -new -key serverKey.pem -out server.csr -subj "/CN=${CN_BASE}_server" -config server.conf
 openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf

+# Create a server certiticate w/o SAN
+openssl req -new -key serverKey.pem -out serverNoSAN.csr -subj "/CN=localhost" -config server_no_san.conf
+openssl x509 -req -in serverNoSAN.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCertNoSAN.pem -days 100000 -extensions v3_req -extfile server_no_san.conf
+
 # Create a client certiticate
 openssl genrsa -out clientKey.pem 2048
 openssl req -new -key clientKey.pem -out client.csr -subj "/CN=${CN_BASE}_client" -config client.conf
@ -94,7 +110,7 @@ limitations under the License.
 package webhook
 EOF

-for file in caKey caCert badCAKey badCACert serverKey serverCert clientKey clientCert; do
+for file in caKey caCert badCAKey badCACert serverKey serverCert serverCertNoSAN clientKey clientCert; do
 	data=$(cat ${file}.pem)
 	echo "" >> $outfile
 	echo "var $file = []byte(\`$data\`)" >> $outfile
--- a/vendor/k8s.io/apiserver/pkg/util/webhook/metrics.go
+++ b/vendor/k8s.io/apiserver/pkg/util/webhook/metrics.go
@ -0,0 +1,39 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package webhook
+
+import (
+	"k8s.io/component-base/metrics"
+	"k8s.io/component-base/metrics/legacyregistry"
+)
+
+var x509MissingSANCounter = metrics.NewCounter(
+	&metrics.CounterOpts{
+		Subsystem: "webhooks",
+		Namespace: "apiserver",
+		Name:      "x509_missing_san_total",
+		Help: "Counts the number of requests to servers missing SAN extension " +
+			"in their serving certificate OR the number of connection failures " +
+			"due to the lack of x509 certificate SAN extension missing " +
+			"(either/or, based on the runtime environment)",
+		StabilityLevel: metrics.ALPHA,
+	},
+)
+
+func init() {
+	legacyregistry.MustRegister(x509MissingSANCounter)
+}
--- a/vendor/k8s.io/apiserver/pkg/util/webhook/webhook.go
+++ b/vendor/k8s.io/apiserver/pkg/util/webhook/webhook.go
@ -28,6 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apiserver/pkg/util/x509metrics"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 )
@ -107,6 +108,7 @@ func newGenericWebhook(scheme *runtime.Scheme, codecFactory serializer.CodecFact
 	clientConfig.ContentConfig.NegotiatedSerializer = serializer.NegotiatedSerializerWrapper(runtime.SerializerInfo{Serializer: codec})

 	clientConfig.Dial = customDial
+	clientConfig.Wrap(x509metrics.NewMissingSANRoundTripperWrapperConstructor(x509MissingSANCounter))

 	restClient, err := rest.UnversionedRESTClientFor(clientConfig)
 	if err != nil {
--- a/vendor/k8s.io/apiserver/pkg/util/x509metrics/missing_san.go
+++ b/vendor/k8s.io/apiserver/pkg/util/x509metrics/missing_san.go
@ -0,0 +1,92 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package x509metrics
+
+import (
+	"crypto/x509"
+	"errors"
+	"net/http"
+	"strings"
+
+	utilnet "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/component-base/metrics"
+)
+
+var _ utilnet.RoundTripperWrapper = &x509MissingSANErrorMetricsRTWrapper{}
+
+type x509MissingSANErrorMetricsRTWrapper struct {
+	rt http.RoundTripper
+
+	counter *metrics.Counter
+}
+
+// NewMissingSANRoundTripperWrapperConstructor returns a RoundTripper wrapper that's usable
+// within ClientConfig.Wrap that increases the `metricCounter` whenever:
+// 1. we get a x509.HostnameError with string `x509: certificate relies on legacy Common Name field`
+//    which indicates an error caused by the deprecation of Common Name field when veryfing remote
+//    hostname
+// 2. the server certificate in response contains no SAN. This indicates that this binary run
+//    with the GODEBUG=x509ignoreCN=0 in env
+func NewMissingSANRoundTripperWrapperConstructor(metricCounter *metrics.Counter) func(rt http.RoundTripper) http.RoundTripper {
+	return func(rt http.RoundTripper) http.RoundTripper {
+		return &x509MissingSANErrorMetricsRTWrapper{
+			rt:      rt,
+			counter: metricCounter,
+		}
+	}
+}
+
+func (w *x509MissingSANErrorMetricsRTWrapper) RoundTrip(req *http.Request) (*http.Response, error) {
+	resp, err := w.rt.RoundTrip(req)
+	checkForHostnameError(err, w.counter)
+	checkRespForNoSAN(resp, w.counter)
+	return resp, err
+}
+
+func (w *x509MissingSANErrorMetricsRTWrapper) WrappedRoundTripper() http.RoundTripper {
+	return w.rt
+}
+
+// checkForHostnameError increases the metricCounter when we're running w/o GODEBUG=x509ignoreCN=0
+// and the client reports a HostnameError about the legacy CN fields
+func checkForHostnameError(err error, metricCounter *metrics.Counter) {
+	if err != nil && errors.As(err, &x509.HostnameError{}) && strings.Contains(err.Error(), "x509: certificate relies on legacy Common Name field") {
+		// increase the count of registered failures due to Go 1.15 x509 cert Common Name deprecation
+		metricCounter.Inc()
+	}
+}
+
+// checkRespForNoSAN increases the metricCounter when the server response contains
+// a leaf certificate w/o the SAN extension
+func checkRespForNoSAN(resp *http.Response, metricCounter *metrics.Counter) {
+	if resp != nil && resp.TLS != nil && len(resp.TLS.PeerCertificates) > 0 {
+		if serverCert := resp.TLS.PeerCertificates[0]; !hasSAN(serverCert) {
+			metricCounter.Inc()
+		}
+	}
+}
+
+func hasSAN(c *x509.Certificate) bool {
+	sanOID := []int{2, 5, 29, 17}
+
+	for _, e := range c.Extensions {
+		if e.Id.Equal(sanOID) {
+			return true
+		}
+	}
+	return false
+}