Upgrade k8s package verison (#5358)

* upgrade k8s package version Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io> * Script upgrade and code formatting. Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io> Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io>
2022-11-15 14:56:38 +08:00
parent 5f91c1663a
commit 44167aa47a
3106 changed files with 321340 additions and 172080 deletions
--- a/vendor/k8s.io/apimachinery/pkg/util/proxy/dial.go
+++ b/vendor/k8s.io/apimachinery/pkg/util/proxy/dial.go
@@ -24,10 +24,9 @@ import (
 	"net/http"
 	"net/url"

-	"k8s.io/klog/v2"
-
 	utilnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apimachinery/third_party/forked/golang/netutil"
+	"k8s.io/klog/v2"
 )

 // dialURL will dial the specified URL using the underlying dialer held by the passed
@@ -52,10 +51,7 @@ func dialURL(ctx context.Context, url *url.URL, transport http.RoundTripper) (ne
 		return d.DialContext(ctx, "tcp", dialAddr)
 	case "https":
 		// Get the tls config from the transport if we recognize it
-		var tlsConfig *tls.Config
-		var tlsConn *tls.Conn
-		var err error
-		tlsConfig, err = utilnet.TLSClientConfig(transport)
+		tlsConfig, err := utilnet.TLSClientConfig(transport)
 		if err != nil {
 			klog.V(5).Infof("Unable to unwrap transport %T to get at TLS config: %v", transport, err)
 		}
@@ -75,7 +71,7 @@ func dialURL(ctx context.Context, url *url.URL, transport http.RoundTripper) (ne
 					InsecureSkipVerify: true,
 				}
 			} else if len(tlsConfig.ServerName) == 0 && !tlsConfig.InsecureSkipVerify {
-				// tls.Handshake() requires ServerName or InsecureSkipVerify
+				// tls.HandshakeContext() requires ServerName or InsecureSkipVerify
 				// infer the ServerName from the hostname we're connecting to.
 				inferredHost := dialAddr
 				if host, _, err := net.SplitHostPort(dialAddr); err == nil {
@@ -87,7 +83,7 @@ func dialURL(ctx context.Context, url *url.URL, transport http.RoundTripper) (ne
 				tlsConfig = tlsConfigCopy
 			}

-			// Since this method is primary used within a "Connection: Upgrade" call we assume the caller is
+			// Since this method is primarily used within a "Connection: Upgrade" call we assume the caller is
 			// going to write HTTP/1.1 request to the wire. http2 should not be allowed in the TLSConfig.NextProtos,
 			// so we explicitly set that here. We only do this check if the TLSConfig support http/1.1.
 			if supportsHTTP11(tlsConfig.NextProtos) {
@@ -95,38 +91,21 @@ func dialURL(ctx context.Context, url *url.URL, transport http.RoundTripper) (ne
 				tlsConfig.NextProtos = []string{"http/1.1"}
 			}

-			tlsConn = tls.Client(netConn, tlsConfig)
-			if err := tlsConn.Handshake(); err != nil {
+			tlsConn := tls.Client(netConn, tlsConfig)
+			if err := tlsConn.HandshakeContext(ctx); err != nil {
 				netConn.Close()
 				return nil, err
 			}
-
-		} else {
-			// Dial. This Dial method does not allow to pass a context unfortunately
-			tlsConn, err = tls.Dial("tcp", dialAddr, tlsConfig)
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		// Return if we were configured to skip validation
-		if tlsConfig != nil && tlsConfig.InsecureSkipVerify {
 			return tlsConn, nil
+		} else {
+			// Dial.
+			tlsDialer := tls.Dialer{
+				Config: tlsConfig,
+			}
+			return tlsDialer.DialContext(ctx, "tcp", dialAddr)
 		}
-
-		// Verify
-		host, _, _ := net.SplitHostPort(dialAddr)
-		if tlsConfig != nil && len(tlsConfig.ServerName) > 0 {
-			host = tlsConfig.ServerName
-		}
-		if err := tlsConn.VerifyHostname(host); err != nil {
-			tlsConn.Close()
-			return nil, err
-		}
-
-		return tlsConn, nil
 	default:
-		return nil, fmt.Errorf("Unknown scheme: %s", url.Scheme)
+		return nil, fmt.Errorf("unknown scheme: %s", url.Scheme)
 	}
 }

--- a/vendor/k8s.io/apimachinery/pkg/util/proxy/transport.go
+++ b/vendor/k8s.io/apimachinery/pkg/util/proxy/transport.go
@@ -39,7 +39,8 @@ import (

 // atomsToAttrs states which attributes of which tags require URL substitution.
 // Sources: http://www.w3.org/TR/REC-html40/index/attributes.html
-//          http://www.w3.org/html/wg/drafts/html/master/index.html#attributes-1
+//
+//	http://www.w3.org/html/wg/drafts/html/master/index.html#attributes-1
 var atomsToAttrs = map[atom.Atom]sets.String{
 	atom.A:          sets.NewString("href"),
 	atom.Applet:     sets.NewString("codebase"),
@@ -83,7 +84,7 @@ type Transport struct {
 // RoundTrip implements the http.RoundTripper interface
 func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 	// Add reverse proxy headers.
-	forwardedURI := path.Join(t.PathPrepend, req.URL.Path)
+	forwardedURI := path.Join(t.PathPrepend, req.URL.EscapedPath())
 	if strings.HasSuffix(req.URL.Path, "/") {
 		forwardedURI = forwardedURI + "/"
 	}
@@ -106,7 +107,11 @@ func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 	}

 	if redirect := resp.Header.Get("Location"); redirect != "" {
-		resp.Header.Set("Location", t.rewriteURL(redirect, req.URL, req.Host))
+		targetURL, err := url.Parse(redirect)
+		if err != nil {
+			return nil, errors.NewInternalError(fmt.Errorf("error trying to parse Location header: %v", err))
+		}
+		resp.Header.Set("Location", t.rewriteURL(targetURL, req.URL, req.Host))
 		return resp, nil
 	}

@@ -128,14 +133,8 @@ func (rt *Transport) WrappedRoundTripper() http.RoundTripper {

 // rewriteURL rewrites a single URL to go through the proxy, if the URL refers
 // to the same host as sourceURL, which is the page on which the target URL
-// occurred, or if the URL matches the sourceRequestHost. If any error occurs (e.g.
-// parsing), it returns targetURL.
-func (t *Transport) rewriteURL(targetURL string, sourceURL *url.URL, sourceRequestHost string) string {
-	url, err := url.Parse(targetURL)
-	if err != nil {
-		return targetURL
-	}
-
+// occurred, or if the URL matches the sourceRequestHost.
+func (t *Transport) rewriteURL(url *url.URL, sourceURL *url.URL, sourceRequestHost string) string {
 	// Example:
 	//      When API server processes a proxy request to a service (e.g. /api/v1/namespace/foo/service/bar/proxy/),
 	//      the sourceURL.Host (i.e. req.URL.Host) is the endpoint IP address of the service. The
@@ -151,7 +150,7 @@ func (t *Transport) rewriteURL(targetURL string, sourceURL *url.URL, sourceReque
 	isDifferentHost := url.Host != "" && url.Host != sourceURL.Host && url.Host != sourceRequestHost
 	isRelative := !strings.HasPrefix(url.Path, "/")
 	if isDifferentHost || isRelative {
-		return targetURL
+		return url.String()
 	}

 	// Do not rewrite scheme and host if the Transport has empty scheme and host
@@ -178,7 +177,7 @@ func (t *Transport) rewriteURL(targetURL string, sourceURL *url.URL, sourceReque
 // rewriteHTML scans the HTML for tags with url-valued attributes, and updates
 // those values with the urlRewriter function. The updated HTML is output to the
 // writer.
-func rewriteHTML(reader io.Reader, writer io.Writer, urlRewriter func(string) string) error {
+func rewriteHTML(reader io.Reader, writer io.Writer, urlRewriter func(*url.URL) string) error {
 	// Note: This assumes the content is UTF-8.
 	tokenizer := html.NewTokenizer(reader)

@@ -193,7 +192,14 @@ func rewriteHTML(reader io.Reader, writer io.Writer, urlRewriter func(string) st
 			if urlAttrs, ok := atomsToAttrs[token.DataAtom]; ok {
 				for i, attr := range token.Attr {
 					if urlAttrs.Has(attr.Key) {
-						token.Attr[i].Val = urlRewriter(attr.Val)
+						url, err := url.Parse(attr.Val)
+						if err != nil {
+							// Do not rewrite the URL if it isn't valid.  It is intended not
+							// to error here to prevent the inability to understand the
+							// content of the body to cause a fatal error.
+							continue
+						}
+						token.Attr[i].Val = urlRewriter(url)
 					}
 				}
 			}
@@ -248,7 +254,7 @@ func (t *Transport) rewriteResponse(req *http.Request, resp *http.Response) (*ht
 		return resp, nil
 	}

-	urlRewriter := func(targetUrl string) string {
+	urlRewriter := func(targetUrl *url.URL) string {
 		return t.rewriteURL(targetUrl, req.URL, req.Host)
 	}
 	err := rewriteHTML(reader, writer, urlRewriter)
--- a/vendor/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
+++ b/vendor/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
@@ -60,6 +60,8 @@ type UpgradeAwareHandler struct {
 	// Location is the location of the upstream proxy. It is used as the location to Dial on the upstream server
 	// for upgrade requests unless UseRequestLocationOnUpgrade is true.
 	Location *url.URL
+	// AppendLocationPath determines if the original path of the Location should be appended to the upstream proxy request path
+	AppendLocationPath bool
 	// Transport provides an optional round tripper to use to proxy. If nil, the default proxy transport is used
 	Transport http.RoundTripper
 	// UpgradeTransport, if specified, will be used as the backend transport when upgrade requests are provided.
@@ -67,11 +69,6 @@ type UpgradeAwareHandler struct {
 	UpgradeTransport UpgradeRequestRoundTripper
 	// WrapTransport indicates whether the provided Transport should be wrapped with default proxy transport behavior (URL rewriting, X-Forwarded-* header setting)
 	WrapTransport bool
-	// InterceptRedirects determines whether the proxy should sniff backend responses for redirects,
-	// following them as necessary.
-	InterceptRedirects bool
-	// RequireSameHostRedirects only allows redirects to the same host. It is only used if InterceptRedirects=true.
-	RequireSameHostRedirects bool
 	// UseRequestLocation will use the incoming request URL when talking to the backend server.
 	UseRequestLocation bool
 	// UseLocationHost overrides the HTTP host header in requests to the backend server to use the Host from Location.
@@ -86,6 +83,8 @@ type UpgradeAwareHandler struct {
 	MaxBytesPerSec int64
 	// Responder is passed errors that occur while setting up proxying.
 	Responder ErrorResponder
+	// Reject to forward redirect response
+	RejectForwardingRedirects bool
 }

 const defaultFlushInterval = 200 * time.Millisecond
@@ -190,6 +189,26 @@ func NewUpgradeAwareHandler(location *url.URL, transport http.RoundTripper, wrap
 	}
 }

+func proxyRedirectsforRootPath(path string, w http.ResponseWriter, req *http.Request) bool {
+	redirect := false
+	method := req.Method
+
+	// From pkg/genericapiserver/endpoints/handlers/proxy.go#ServeHTTP:
+	// Redirect requests with an empty path to a location that ends with a '/'
+	// This is essentially a hack for http://issue.k8s.io/4958.
+	// Note: Keep this code after tryUpgrade to not break that flow.
+	if len(path) == 0 && (method == http.MethodGet || method == http.MethodHead) {
+		var queryPart string
+		if len(req.URL.RawQuery) > 0 {
+			queryPart = "?" + req.URL.RawQuery
+		}
+		w.Header().Set("Location", req.URL.Path+"/"+queryPart)
+		w.WriteHeader(http.StatusMovedPermanently)
+		redirect = true
+	}
+	return redirect
+}
+
 // ServeHTTP handles the proxy request
 func (h *UpgradeAwareHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	if h.tryUpgrade(w, req) {
@@ -209,17 +228,8 @@ func (h *UpgradeAwareHandler) ServeHTTP(w http.ResponseWriter, req *http.Request
 		loc.Path += "/"
 	}

-	// From pkg/genericapiserver/endpoints/handlers/proxy.go#ServeHTTP:
-	// Redirect requests with an empty path to a location that ends with a '/'
-	// This is essentially a hack for http://issue.k8s.io/4958.
-	// Note: Keep this code after tryUpgrade to not break that flow.
-	if len(loc.Path) == 0 {
-		var queryPart string
-		if len(req.URL.RawQuery) > 0 {
-			queryPart = "?" + req.URL.RawQuery
-		}
-		w.Header().Set("Location", req.URL.Path+"/"+queryPart)
-		w.WriteHeader(http.StatusMovedPermanently)
+	proxyRedirect := proxyRedirectsforRootPath(loc.Path, w, req)
+	if proxyRedirect {
 		return
 	}

@@ -239,10 +249,41 @@ func (h *UpgradeAwareHandler) ServeHTTP(w http.ResponseWriter, req *http.Request
 		newReq.Host = h.Location.Host
 	}

-	proxy := httputil.NewSingleHostReverseProxy(&url.URL{Scheme: h.Location.Scheme, Host: h.Location.Host})
+	// create the target location to use for the reverse proxy
+	reverseProxyLocation := &url.URL{Scheme: h.Location.Scheme, Host: h.Location.Host}
+	if h.AppendLocationPath {
+		reverseProxyLocation.Path = h.Location.Path
+	}
+
+	proxy := httputil.NewSingleHostReverseProxy(reverseProxyLocation)
 	proxy.Transport = h.Transport
 	proxy.FlushInterval = h.FlushInterval
 	proxy.ErrorLog = log.New(noSuppressPanicError{}, "", log.LstdFlags)
+	if h.RejectForwardingRedirects {
+		oldModifyResponse := proxy.ModifyResponse
+		proxy.ModifyResponse = func(response *http.Response) error {
+			code := response.StatusCode
+			if code >= 300 && code <= 399 && len(response.Header.Get("Location")) > 0 {
+				// close the original response
+				response.Body.Close()
+				msg := "the backend attempted to redirect this request, which is not permitted"
+				// replace the response
+				*response = http.Response{
+					StatusCode:    http.StatusBadGateway,
+					Status:        fmt.Sprintf("%d %s", response.StatusCode, http.StatusText(response.StatusCode)),
+					Body:          io.NopCloser(strings.NewReader(msg)),
+					ContentLength: int64(len(msg)),
+				}
+			} else {
+				if oldModifyResponse != nil {
+					if err := oldModifyResponse(response); err != nil {
+						return err
+					}
+				}
+			}
+			return nil
+		}
+	}
 	if h.Responder != nil {
 		// if an optional error interceptor/responder was provided wire it
 		// the custom responder might be used for providing a unified error reporting
@@ -282,23 +323,21 @@ func (h *UpgradeAwareHandler) tryUpgrade(w http.ResponseWriter, req *http.Reques
 		location = *req.URL
 		location.Scheme = h.Location.Scheme
 		location.Host = h.Location.Host
+		if h.AppendLocationPath {
+			location.Path = singleJoiningSlash(h.Location.Path, location.Path)
+		}
 	}

 	clone := utilnet.CloneRequest(req)
 	// Only append X-Forwarded-For in the upgrade path, since httputil.NewSingleHostReverseProxy
 	// handles this in the non-upgrade path.
 	utilnet.AppendForwardedForHeader(clone)
-	if h.InterceptRedirects {
-		klog.V(6).Infof("Connecting to backend proxy (intercepting redirects) %s\n  Headers: %v", &location, clone.Header)
-		backendConn, rawResponse, err = utilnet.ConnectWithRedirects(req.Method, &location, clone.Header, req.Body, utilnet.DialerFunc(h.DialForUpgrade), h.RequireSameHostRedirects)
-	} else {
-		klog.V(6).Infof("Connecting to backend proxy (direct dial) %s\n  Headers: %v", &location, clone.Header)
-		if h.UseLocationHost {
-			clone.Host = h.Location.Host
-		}
-		clone.URL = &location
-		backendConn, err = h.DialForUpgrade(clone)
+	klog.V(6).Infof("Connecting to backend proxy (direct dial) %s\n  Headers: %v", &location, clone.Header)
+	if h.UseLocationHost {
+		clone.Host = h.Location.Host
 	}
+	clone.URL = &location
+	backendConn, err = h.DialForUpgrade(clone)
 	if err != nil {
 		klog.V(6).Infof("Proxy connection error: %v", err)
 		h.Responder.Error(w, req, err)
@@ -414,6 +453,20 @@ func (h *UpgradeAwareHandler) tryUpgrade(w http.ResponseWriter, req *http.Reques
 	return true
 }

+// FIXME: Taken from net/http/httputil/reverseproxy.go as singleJoiningSlash is not exported to be re-used.
+// See-also: https://github.com/golang/go/issues/44290
+func singleJoiningSlash(a, b string) string {
+	aslash := strings.HasSuffix(a, "/")
+	bslash := strings.HasPrefix(b, "/")
+	switch {
+	case aslash && bslash:
+		return a + b[1:]
+	case !aslash && !bslash:
+		return a + "/" + b
+	}
+	return a + b
+}
+
 func (h *UpgradeAwareHandler) DialForUpgrade(req *http.Request) (net.Conn, error) {
 	if h.UpgradeTransport == nil {
 		return dial(req, h.Transport)