Bump sigs.k8s.io/controller-runtime to v0.14.4 (#5507)

* Bump sigs.k8s.io/controller-runtime to v0.14.4 * Update gofmt
2023-02-08 14:06:15 +08:00
parent 129e6fbec3
commit 1c49fcd57e
1404 changed files with 141422 additions and 47769 deletions
--- a/vendor/k8s.io/apiserver/pkg/audit/context.go
+++ b/vendor/k8s.io/apiserver/pkg/audit/context.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"sync"

+	"k8s.io/apimachinery/pkg/types"
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/klog/v2"
@@ -28,38 +29,31 @@ import (
 // The key type is unexported to prevent collisions
 type key int

-const (
-	// auditAnnotationsKey is the context key for the audit annotations.
-	// TODO: consolidate all audit info under the AuditContext, rather than storing 3 separate keys.
-	auditAnnotationsKey key = iota
+// auditKey is the context key for storing the audit context that is being
+// captured and the evaluated policy that applies to the given request.
+const auditKey key = iota

-	// auditKey is the context key for storing the audit event that is being
-	// captured and the evaluated policy that applies to the given request.
-	auditKey
+// AuditContext holds the information for constructing the audit events for the current request.
+type AuditContext struct {
+	// RequestAuditConfig is the audit configuration that applies to the request
+	RequestAuditConfig RequestAuditConfig

-	// auditAnnotationsMutexKey is the context key for the audit annotations mutex.
-	auditAnnotationsMutexKey
-)
+	// Event is the audit Event object that is being captured to be written in
+	// the API audit log. It is set to nil when the request is not being audited.
+	Event *auditinternal.Event

-// annotations = *[]annotation instead of a map to preserve order of insertions
-type annotation struct {
-	key, value string
+	// annotations holds audit annotations that are recorded before the event has been initialized.
+	// This is represented as a slice rather than a map to preserve order.
+	annotations []annotation
+	// annotationMutex guards annotations AND event.Annotations
+	annotationMutex sync.Mutex
+
+	// auditID is the Audit ID associated with this request.
+	auditID types.UID
 }

-// WithAuditAnnotations returns a new context that can store audit annotations
-// via the AddAuditAnnotation function.  This function is meant to be called from
-// an early request handler to allow all later layers to set audit annotations.
-// This is required to support flows where handlers that come before WithAudit
-// (such as WithAuthentication) wish to set audit annotations.
-func WithAuditAnnotations(parent context.Context) context.Context {
-	// this should never really happen, but prevent double registration of this slice
-	if _, ok := parent.Value(auditAnnotationsKey).(*[]annotation); ok {
-		return parent
-	}
-	parent = withAuditAnnotationsMutex(parent)
-
-	var annotations []annotation // avoid allocations until we actually need it
-	return genericapirequest.WithValue(parent, auditAnnotationsKey, &annotations)
+type annotation struct {
+	key, value string
 }

 // AddAuditAnnotation sets the audit annotation for the given key, value pair.
@@ -70,102 +64,79 @@ func WithAuditAnnotations(parent context.Context) context.Context {
 // Handlers that are unaware of their position in the overall request flow should
 // prefer AddAuditAnnotation over LogAnnotation to avoid dropping annotations.
 func AddAuditAnnotation(ctx context.Context, key, value string) {
-	mutex, ok := auditAnnotationsMutex(ctx)
-	if !ok {
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
 		// auditing is not enabled
 		return
 	}

-	mutex.Lock()
-	defer mutex.Unlock()
+	ac.annotationMutex.Lock()
+	defer ac.annotationMutex.Unlock()

-	ae := AuditEventFrom(ctx)
-	var ctxAnnotations *[]annotation
-	if ae == nil {
-		ctxAnnotations, _ = ctx.Value(auditAnnotationsKey).(*[]annotation)
-	}
-
-	addAuditAnnotationLocked(ae, ctxAnnotations, key, value)
+	addAuditAnnotationLocked(ac, key, value)
 }

 // AddAuditAnnotations is a bulk version of AddAuditAnnotation. Refer to AddAuditAnnotation for
 // restrictions on when this can be called.
 // keysAndValues are the key-value pairs to add, and must have an even number of items.
 func AddAuditAnnotations(ctx context.Context, keysAndValues ...string) {
-	mutex, ok := auditAnnotationsMutex(ctx)
-	if !ok {
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
 		// auditing is not enabled
 		return
 	}

-	mutex.Lock()
-	defer mutex.Unlock()
-
-	ae := AuditEventFrom(ctx)
-	var ctxAnnotations *[]annotation
-	if ae == nil {
-		ctxAnnotations, _ = ctx.Value(auditAnnotationsKey).(*[]annotation)
-	}
+	ac.annotationMutex.Lock()
+	defer ac.annotationMutex.Unlock()

 	if len(keysAndValues)%2 != 0 {
 		klog.Errorf("Dropping mismatched audit annotation %q", keysAndValues[len(keysAndValues)-1])
 	}
 	for i := 0; i < len(keysAndValues); i += 2 {
-		addAuditAnnotationLocked(ae, ctxAnnotations, keysAndValues[i], keysAndValues[i+1])
+		addAuditAnnotationLocked(ac, keysAndValues[i], keysAndValues[i+1])
 	}
 }

 // AddAuditAnnotationsMap is a bulk version of AddAuditAnnotation. Refer to AddAuditAnnotation for
 // restrictions on when this can be called.
 func AddAuditAnnotationsMap(ctx context.Context, annotations map[string]string) {
-	mutex, ok := auditAnnotationsMutex(ctx)
-	if !ok {
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
 		// auditing is not enabled
 		return
 	}

-	mutex.Lock()
-	defer mutex.Unlock()
-
-	ae := AuditEventFrom(ctx)
-	var ctxAnnotations *[]annotation
-	if ae == nil {
-		ctxAnnotations, _ = ctx.Value(auditAnnotationsKey).(*[]annotation)
-	}
+	ac.annotationMutex.Lock()
+	defer ac.annotationMutex.Unlock()

 	for k, v := range annotations {
-		addAuditAnnotationLocked(ae, ctxAnnotations, k, v)
+		addAuditAnnotationLocked(ac, k, v)
 	}
 }

 // addAuditAnnotationLocked is the shared code for recording an audit annotation. This method should
 // only be called while the auditAnnotationsMutex is locked.
-func addAuditAnnotationLocked(ae *auditinternal.Event, annotations *[]annotation, key, value string) {
-	if ae != nil {
-		logAnnotation(ae, key, value)
-	} else if annotations != nil {
-		*annotations = append(*annotations, annotation{key: key, value: value})
+func addAuditAnnotationLocked(ac *AuditContext, key, value string) {
+	if ac.Event != nil {
+		logAnnotation(ac.Event, key, value)
+	} else {
+		ac.annotations = append(ac.annotations, annotation{key: key, value: value})
 	}
 }

 // This is private to prevent reads/write to the slice from outside of this package.
 // The audit event should be directly read to get access to the annotations.
 func addAuditAnnotationsFrom(ctx context.Context, ev *auditinternal.Event) {
-	mutex, ok := auditAnnotationsMutex(ctx)
-	if !ok {
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
 		// auditing is not enabled
 		return
 	}

-	mutex.Lock()
-	defer mutex.Unlock()
+	ac.annotationMutex.Lock()
+	defer ac.annotationMutex.Unlock()

-	annotations, ok := ctx.Value(auditAnnotationsKey).(*[]annotation)
-	if !ok {
-		return // no annotations to copy
-	}
-
-	for _, kv := range *annotations {
+	for _, kv := range ac.annotations {
 		logAnnotation(ev, kv.key, kv.value)
 	}
 }
@@ -185,12 +156,13 @@ func logAnnotation(ae *auditinternal.Event, key, value string) {
 	ae.Annotations[key] = value
 }

-// WithAuditContext returns a new context that stores the pair of the audit
-// configuration object that applies to the given request and
-// the audit event that is going to be written to the API audit log.
-func WithAuditContext(parent context.Context, ev *AuditContext) context.Context {
-	parent = withAuditAnnotationsMutex(parent)
-	return genericapirequest.WithValue(parent, auditKey, ev)
+// WithAuditContext returns a new context that stores the AuditContext.
+func WithAuditContext(parent context.Context) context.Context {
+	if AuditContextFrom(parent) != nil {
+		return parent // Avoid double registering.
+	}
+
+	return genericapirequest.WithValue(parent, auditKey, &AuditContext{})
 }

 // AuditEventFrom returns the audit event struct on the ctx
@@ -209,17 +181,46 @@ func AuditContextFrom(ctx context.Context) *AuditContext {
 	return ev
 }

-// WithAuditAnnotationMutex adds a mutex for guarding context.AddAuditAnnotation.
-func withAuditAnnotationsMutex(parent context.Context) context.Context {
-	if _, ok := parent.Value(auditAnnotationsMutexKey).(*sync.Mutex); ok {
-		return parent
+// WithAuditID sets the AuditID on the AuditContext. The AuditContext must already be present in the
+// request context. If the specified auditID is empty, no value is set.
+func WithAuditID(ctx context.Context, auditID types.UID) {
+	if auditID == "" {
+		return
+	}
+	ac := AuditContextFrom(ctx)
+	if ac == nil {
+		return
+	}
+	ac.auditID = auditID
+	if ac.Event != nil {
+		ac.Event.AuditID = auditID
 	}
-	var mutex sync.Mutex
-	return genericapirequest.WithValue(parent, auditAnnotationsMutexKey, &mutex)
 }

-// AuditAnnotationsMutex returns the audit annotations mutex from the context.
-func auditAnnotationsMutex(ctx context.Context) (*sync.Mutex, bool) {
-	mutex, ok := ctx.Value(auditAnnotationsMutexKey).(*sync.Mutex)
-	return mutex, ok
+// AuditIDFrom returns the value of the audit ID from the request context.
+func AuditIDFrom(ctx context.Context) (types.UID, bool) {
+	if ac := AuditContextFrom(ctx); ac != nil {
+		return ac.auditID, ac.auditID != ""
+	}
+	return "", false
+}
+
+// GetAuditIDTruncated returns the audit ID (truncated) from the request context.
+// If the length of the Audit-ID value exceeds the limit, we truncate it to keep
+// the first N (maxAuditIDLength) characters.
+// This is intended to be used in logging only.
+func GetAuditIDTruncated(ctx context.Context) string {
+	auditID, ok := AuditIDFrom(ctx)
+	if !ok {
+		return ""
+	}
+
+	// if the user has specified a very long audit ID then we will use the first N characters
+	// Note: assuming Audit-ID header is in ASCII
+	const maxAuditIDLength = 64
+	if len(auditID) > maxAuditIDLength {
+		auditID = auditID[:maxAuditIDLength]
+	}
+
+	return string(auditID)
 }