Upgrade k8s package verison (#5358)

* upgrade k8s package version Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io> * Script upgrade and code formatting. Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io> Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io>
2022-11-15 14:56:38 +08:00
parent 5f91c1663a
commit 44167aa47a
3106 changed files with 321340 additions and 172080 deletions
--- a/vendor/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
@@ -20,8 +20,6 @@ import (
 	"errors"
 	"time"

-	"github.com/go-openapi/spec"
-
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/group"
@@ -32,8 +30,10 @@ import (
 	"k8s.io/apiserver/pkg/authentication/request/websocket"
 	"k8s.io/apiserver/pkg/authentication/request/x509"
 	"k8s.io/apiserver/pkg/authentication/token/cache"
+	"k8s.io/apiserver/pkg/server/dynamiccertificates"
 	webhooktoken "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
 	authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1"
+	"k8s.io/kube-openapi/pkg/validation/spec"
 )

 // DelegatingAuthenticatorConfig is the minimal configuration needed to create an authenticator
@@ -42,7 +42,7 @@ type DelegatingAuthenticatorConfig struct {
 	Anonymous bool

 	// TokenAccessReviewClient is a client to do token review. It can be nil. Then every token is ignored.
-	TokenAccessReviewClient authenticationclient.TokenReviewInterface
+	TokenAccessReviewClient authenticationclient.AuthenticationV1Interface

 	// TokenAccessReviewTimeout specifies a time limit for requests made by the authorization webhook client.
 	TokenAccessReviewTimeout time.Duration
@@ -58,7 +58,7 @@ type DelegatingAuthenticatorConfig struct {
 	// CAContentProvider are the options for verifying incoming connections using mTLS and directly assigning to users.
 	// Generally this is the CA bundle file used to authenticate client certificates
 	// If this is nil, then mTLS will not be used.
-	ClientCertificateCAContentProvider CAContentProvider
+	ClientCertificateCAContentProvider dynamiccertificates.CAContentProvider

 	APIAudiences authenticator.Audiences

@@ -91,7 +91,10 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, *spec.Secur
 		if c.WebhookRetryBackoff == nil {
 			return nil, nil, errors.New("retry backoff parameters for delegating authentication webhook has not been specified")
 		}
-		tokenAuth, err := webhooktoken.NewFromInterface(c.TokenAccessReviewClient, c.APIAudiences, *c.WebhookRetryBackoff, c.TokenAccessReviewTimeout)
+		tokenAuth, err := webhooktoken.NewFromInterface(c.TokenAccessReviewClient, c.APIAudiences, *c.WebhookRetryBackoff, c.TokenAccessReviewTimeout, webhooktoken.AuthenticatorMetrics{
+			RecordRequestTotal:   RecordRequestTotal,
+			RecordRequestLatency: RecordRequestLatency,
+		})
 		if err != nil {
 			return nil, nil, err
 		}
--- a/vendor/k8s.io/apiserver/pkg/authentication/authenticatorfactory/loopback.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/authenticatorfactory/loopback.go
@@ -24,6 +24,6 @@ import (
 )

 // NewFromTokens returns an authenticator.Request or an error
-func NewFromTokens(tokens map[string]*user.DefaultInfo) authenticator.Request {
-	return bearertoken.New(tokenfile.New(tokens))
+func NewFromTokens(tokens map[string]*user.DefaultInfo, audiences authenticator.Audiences) authenticator.Request {
+	return bearertoken.New(authenticator.WrapAudienceAgnosticToken(audiences, tokenfile.New(tokens)))
 }
--- a/vendor/k8s.io/apiserver/pkg/authentication/authenticatorfactory/metrics.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/authenticatorfactory/metrics.go
@@ -0,0 +1,69 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authenticatorfactory
+
+import (
+	"context"
+
+	compbasemetrics "k8s.io/component-base/metrics"
+	"k8s.io/component-base/metrics/legacyregistry"
+)
+
+type registerables []compbasemetrics.Registerable
+
+// init registers all metrics.
+func init() {
+	for _, metric := range metrics {
+		legacyregistry.MustRegister(metric)
+	}
+}
+
+var (
+	requestTotal = compbasemetrics.NewCounterVec(
+		&compbasemetrics.CounterOpts{
+			Name:           "apiserver_delegated_authn_request_total",
+			Help:           "Number of HTTP requests partitioned by status code.",
+			StabilityLevel: compbasemetrics.ALPHA,
+		},
+		[]string{"code"},
+	)
+
+	requestLatency = compbasemetrics.NewHistogramVec(
+		&compbasemetrics.HistogramOpts{
+			Name:           "apiserver_delegated_authn_request_duration_seconds",
+			Help:           "Request latency in seconds. Broken down by status code.",
+			Buckets:        []float64{0.25, 0.5, 0.7, 1, 1.5, 3, 5, 10},
+			StabilityLevel: compbasemetrics.ALPHA,
+		},
+		[]string{"code"},
+	)
+
+	metrics = registerables{
+		requestTotal,
+		requestLatency,
+	}
+)
+
+// RecordRequestTotal increments the total number of requests for the delegated authentication.
+func RecordRequestTotal(ctx context.Context, code string) {
+	requestTotal.WithContext(ctx).WithLabelValues(code).Inc()
+}
+
+// RecordRequestLatency measures request latency in seconds for the delegated authentication. Broken down by status code.
+func RecordRequestLatency(ctx context.Context, code string, latency float64) {
+	requestLatency.WithContext(ctx).WithLabelValues(code).Observe(latency)
+}
--- a/vendor/k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go
@@ -17,9 +17,8 @@ limitations under the License.
 package authenticatorfactory

 import (
-	"crypto/x509"
-
 	"k8s.io/apiserver/pkg/authentication/request/headerrequest"
+	"k8s.io/apiserver/pkg/server/dynamiccertificates"
 )

 type RequestHeaderConfig struct {
@@ -32,17 +31,7 @@ type RequestHeaderConfig struct {
 	ExtraHeaderPrefixes headerrequest.StringSliceProvider
 	// CAContentProvider the options for verifying incoming connections using mTLS.  Generally this points to CA bundle file which is used verify the identity of the front proxy.
 	//	It may produce different options at will.
-	CAContentProvider CAContentProvider
+	CAContentProvider dynamiccertificates.CAContentProvider
 	// AllowedClientNames is a list of common names that may be presented by the authenticating front proxy.  Empty means: accept any.
 	AllowedClientNames headerrequest.StringSliceProvider
 }
-
-// CAContentProvider provides ca bundle byte content
-type CAContentProvider interface {
-	// Name is just an identifier
-	Name() string
-	// CurrentCABundleContent provides ca bundle byte content
-	CurrentCABundleContent() []byte
-	// VerifyOptions provides VerifyOptions for authenticators
-	VerifyOptions() (x509.VerifyOptions, bool)
-}