update dependencies (#6267)

Signed-off-by: hongming <coder.scala@gmail.com>

vendor/k8s.io/apiserver/pkg/util/webhook/client.go

@@ -24,6 +24,7 @@ import (
 	"net"
 	"net/url"
 	"strconv"
+	"strings"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -32,6 +33,7 @@ import (
 	"k8s.io/apiserver/pkg/util/x509metrics"
 	"k8s.io/client-go/rest"
 	"k8s.io/utils/lru"
+	netutils "k8s.io/utils/net"
 )
 
 const (
@@ -128,7 +130,20 @@ func (cm *ClientManager) HookClient(cc ClientConfig) (*rest.RESTClient, error) {
 		return client.(*rest.RESTClient), nil
 	}
 
-	complete := func(cfg *rest.Config) (*rest.RESTClient, error) {
+	cfg, err := cm.hookClientConfig(cc)
+	if err != nil {
+		return nil, err
+	}
+
+	client, err := rest.UnversionedRESTClientFor(cfg)
+	if err == nil {
+		cm.cache.Add(string(cacheKey), client)
+	}
+	return client, err
+}
+
+func (cm *ClientManager) hookClientConfig(cc ClientConfig) (*rest.Config, error) {
+	complete := func(cfg *rest.Config) (*rest.Config, error) {
 		// Avoid client-side rate limiting talking to the webhook backend.
 		// Rate limiting should happen when deciding how many requests to serve.
 		cfg.QPS = -1
@@ -139,11 +154,6 @@ func (cm *ClientManager) HookClient(cc ClientConfig) (*rest.RESTClient, error) {
 		}
 		cfg.TLSClientConfig.CAData = append(cfg.TLSClientConfig.CAData, cc.CABundle...)
 
-		// Use http/1.1 instead of http/2.
-		// This is a workaround for http/2-enabled clients not load-balancing concurrent requests to multiple backends.
-		// See https://issue.k8s.io/75791 for details.
-		cfg.NextProtos = []string{"http/1.1"}
-
 		cfg.ContentConfig.NegotiatedSerializer = cm.negotiatedSerializer
 		cfg.ContentConfig.ContentType = runtime.ContentTypeJSON
 
@@ -153,12 +163,7 @@ func (cm *ClientManager) HookClient(cc ClientConfig) (*rest.RESTClient, error) {
 			x509MissingSANCounter,
 			x509InsecureSHA1Counter,
 		))
-
-		client, err := rest.UnversionedRESTClientFor(cfg)
-		if err == nil {
-			cm.cache.Add(string(cacheKey), client)
-		}
-		return client, err
+		return cfg, nil
 	}
 
 	if cc.Service != nil {
@@ -173,6 +178,12 @@ func (cm *ClientManager) HookClient(cc ClientConfig) (*rest.RESTClient, error) {
 			return nil, err
 		}
 		cfg := rest.CopyConfig(restConfig)
+
+		// Use http/1.1 instead of http/2.
+		// This is a workaround for http/2-enabled clients not load-balancing concurrent requests to multiple backends.
+		// See https://issue.k8s.io/75791 for details.
+		cfg.NextProtos = []string{"http/1.1"}
+
 		serverName := cc.Service.Name + "." + cc.Service.Namespace + ".svc"
 
 		host := net.JoinHostPort(serverName, strconv.Itoa(int(port)))
@@ -225,6 +236,22 @@ func (cm *ClientManager) HookClient(cc ClientConfig) (*rest.RESTClient, error) {
 	cfg := rest.CopyConfig(restConfig)
 	cfg.Host = u.Scheme + "://" + u.Host
 	cfg.APIPath = u.Path
+	if !isLocalHost(u) {
+		cfg.NextProtos = []string{"http/1.1"}
+	}
 
 	return complete(cfg)
 }
+
+func isLocalHost(u *url.URL) bool {
+	host := u.Hostname()
+	if strings.EqualFold(host, "localhost") {
+		return true
+	}
+
+	netIP := netutils.ParseIPSloppy(host)
+	if netIP != nil {
+		return netIP.IsLoopback()
+	}
+	return false
+}

vendor/k8s.io/apiserver/pkg/util/webhook/validation.go

@@ -23,8 +23,18 @@ import (
 
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/client-go/transport"
 )
 
+func ValidateCABundle(fldPath *field.Path, caBundle []byte) field.ErrorList {
+	var allErrors field.ErrorList
+	_, err := transport.TLSConfigFor(&transport.Config{TLS: transport.TLSConfig{CAData: caBundle}})
+	if err != nil {
+		allErrors = append(allErrors, field.Invalid(fldPath, caBundle, err.Error()))
+	}
+	return allErrors
+}
+
 // ValidateWebhookURL validates webhook's URL.
 func ValidateWebhookURL(fldPath *field.Path, URL string, forceHttps bool) field.ErrorList {
 	var allErrors field.ErrorList