Bump sigs.k8s.io/controller-runtime to v0.14.4 (#5507)

* Bump sigs.k8s.io/controller-runtime to v0.14.4

* Update gofmt

vendor/k8s.io/apiserver/pkg/authentication/request/x509/x509.go

@@ -49,19 +49,19 @@ var clientCertificateExpirationHistogram = metrics.NewHistogram(
 		Help:      "Distribution of the remaining lifetime on the certificate used to authenticate a request.",
 		Buckets: []float64{
 			0,
-			(30 * time.Minute).Seconds(),
-			(1 * time.Hour).Seconds(),
-			(2 * time.Hour).Seconds(),
-			(6 * time.Hour).Seconds(),
-			(12 * time.Hour).Seconds(),
-			(24 * time.Hour).Seconds(),
-			(2 * 24 * time.Hour).Seconds(),
-			(4 * 24 * time.Hour).Seconds(),
-			(7 * 24 * time.Hour).Seconds(),
-			(30 * 24 * time.Hour).Seconds(),
-			(3 * 30 * 24 * time.Hour).Seconds(),
-			(6 * 30 * 24 * time.Hour).Seconds(),
-			(12 * 30 * 24 * time.Hour).Seconds(),
+			1800,     // 30 minutes
+			3600,     // 1 hour
+			7200,     // 2 hours
+			21600,    // 6 hours
+			43200,    // 12 hours
+			86400,    // 1 day
+			172800,   // 2 days
+			345600,   // 4 days
+			604800,   // 1 week
+			2592000,  // 1 month
+			7776000,  // 3 months
+			15552000, // 6 months
+			31104000, // 1 year
 		},
 		StabilityLevel: metrics.ALPHA,
 	},

vendor/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go

@@ -36,6 +36,7 @@ import (
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/audit"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/warning"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/clock"
 )
@@ -59,6 +60,12 @@ type cacheRecord struct {
 	// based on the current time, but that may be okay since cache TTLs are generally
 	// small (seconds).
 	annotations map[string]string
+	warnings    []*cacheWarning
+}
+
+type cacheWarning struct {
+	agent string
+	text  string
 }
 
 type cachedTokenAuthenticator struct {
@@ -128,6 +135,9 @@ func (a *cachedTokenAuthenticator) AuthenticateToken(ctx context.Context, token
 	for key, value := range record.annotations {
 		audit.AddAuditAnnotation(ctx, key, value)
 	}
+	for _, w := range record.warnings {
+		warning.AddWarning(ctx, w.agent, w.text)
+	}
 	return record.resp, true, nil
 }
 
@@ -184,14 +194,19 @@ func (a *cachedTokenAuthenticator) doAuthenticateToken(ctx context.Context, toke
 		if audsOk {
 			ctx = authenticator.WithAudiences(ctx, auds)
 		}
+		recorder := &recorder{}
+		ctx = warning.WithWarningRecorder(ctx, recorder)
 
 		// since this is shared work between multiple requests, we have no way of knowing if any
 		// particular request supports audit annotations.  thus we always attempt to record them.
 		ev := &auditinternal.Event{Level: auditinternal.LevelMetadata}
-		ctx = audit.WithAuditContext(ctx, &audit.AuditContext{Event: ev})
+		ctx = audit.WithAuditContext(ctx)
+		ac := audit.AuditContextFrom(ctx)
+		ac.Event = ev
 
 		record.resp, record.ok, record.err = a.authenticator.AuthenticateToken(ctx, token)
 		record.annotations = ev.Annotations
+		record.warnings = recorder.extractWarnings()
 
 		if !a.cacheErrs && record.err != nil {
 			return record, nil
@@ -269,3 +284,24 @@ func toBytes(s string) []byte {
 func toString(b []byte) string {
 	return *(*string)(unsafe.Pointer(&b))
 }
+
+// simple recorder that only appends warning
+type recorder struct {
+	mu       sync.Mutex
+	warnings []*cacheWarning
+}
+
+// AddWarning adds a warning to recorder.
+func (r *recorder) AddWarning(agent, text string) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	r.warnings = append(r.warnings, &cacheWarning{agent: agent, text: text})
+}
+
+func (r *recorder) extractWarnings() []*cacheWarning {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	warnings := r.warnings
+	r.warnings = nil
+	return warnings
+}