update vendor

Signed-off-by: Roland.Ma <rolandma@yunify.com>

vendor/k8s.io/client-go/rest/OWNERS

@@ -8,8 +8,6 @@ reviewers:
 - deads2k
 - brendandburns
 - liggitt
-- nikhiljindal
-- gmarek
 - erictune
 - sttts
 - luxas

vendor/k8s.io/client-go/rest/client.go

@@ -94,6 +94,10 @@ type RESTClient struct {
 	// overridden.
 	rateLimiter flowcontrol.RateLimiter
 
+	// warningHandler is shared among all requests created by this client.
+	// If not set, defaultWarningHandler is used.
+	warningHandler WarningHandler
+
 	// Set specific behavior of the client.  If not set http.DefaultClient will be used.
 	Client *http.Client
 }
@@ -123,7 +127,7 @@ func NewRESTClient(baseURL *url.URL, versionedAPIPath string, config ClientConte
 	}, nil
 }
 
-// GetRateLimiter returns rate limier for a given client, or nil if it's called on a nil client
+// GetRateLimiter returns rate limiter for a given client, or nil if it's called on a nil client
 func (c *RESTClient) GetRateLimiter() flowcontrol.RateLimiter {
 	if c == nil {
 		return nil

vendor/k8s.io/client-go/rest/config.go

@@ -23,6 +23,7 @@ import (
 	"io/ioutil"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
 	gruntime "runtime"
@@ -37,7 +38,7 @@ import (
 	"k8s.io/client-go/transport"
 	certutil "k8s.io/client-go/util/cert"
 	"k8s.io/client-go/util/flowcontrol"
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 )
 
 const (
@@ -64,12 +65,12 @@ type Config struct {
 
 	// Server requires Basic authentication
 	Username string
-	Password string
+	Password string `datapolicy:"password"`
 
 	// Server requires Bearer authentication. This client will not attempt to use
 	// refresh tokens for an OAuth2 flow.
 	// TODO: demonstrate an OAuth2 compatible client.
-	BearerToken string
+	BearerToken string `datapolicy:"token"`
 
 	// Path to a file containing a BearerToken.
 	// If set, the contents are periodically read.
@@ -122,12 +123,24 @@ type Config struct {
 	// Rate limiter for limiting connections to the master from this client. If present overwrites QPS/Burst
 	RateLimiter flowcontrol.RateLimiter
 
+	// WarningHandler handles warnings in server responses.
+	// If not set, the default warning handler is used.
+	// See documentation for SetDefaultWarningHandler() for details.
+	WarningHandler WarningHandler
+
 	// The maximum length of time to wait before giving up on a server request. A value of zero means no timeout.
 	Timeout time.Duration
 
 	// Dial specifies the dial function for creating unencrypted TCP connections.
 	Dial func(ctx context.Context, network, address string) (net.Conn, error)
 
+	// Proxy is the proxy func to be used for all requests made by this
+	// transport. If Proxy is nil, http.ProxyFromEnvironment is used. If Proxy
+	// returns a nil *URL, no proxy is used.
+	//
+	// socks5 proxying does not currently support spdy streaming endpoints.
+	Proxy func(*http.Request) (*url.URL, error)
+
 	// Version forces a specific version to be used (if registered)
 	// Do we need this?
 	// Version string
@@ -147,6 +160,15 @@ func (sanitizedAuthConfigPersister) String() string {
 	return "rest.AuthProviderConfigPersister(--- REDACTED ---)"
 }
 
+type sanitizedObject struct{ runtime.Object }
+
+func (sanitizedObject) GoString() string {
+	return "runtime.Object(--- REDACTED ---)"
+}
+func (sanitizedObject) String() string {
+	return "runtime.Object(--- REDACTED ---)"
+}
+
 // GoString implements fmt.GoStringer and sanitizes sensitive fields of Config
 // to prevent accidental leaking via logs.
 func (c *Config) GoString() string {
@@ -170,7 +192,9 @@ func (c *Config) String() string {
 	if cc.AuthConfigPersister != nil {
 		cc.AuthConfigPersister = sanitizedAuthConfigPersister{cc.AuthConfigPersister}
 	}
-
+	if cc.ExecProvider != nil && cc.ExecProvider.Config != nil {
+		cc.ExecProvider.Config = sanitizedObject{Object: cc.ExecProvider.Config}
+	}
 	return fmt.Sprintf("%#v", cc)
 }
 
@@ -191,7 +215,7 @@ type TLSClientConfig struct {
 	// Server should be accessed without verifying the TLS certificate. For testing only.
 	Insecure bool
 	// ServerName is passed to the server for SNI and is used in the client to check server
-	// ceritificates against. If ServerName is empty, the hostname used to contact the
+	// certificates against. If ServerName is empty, the hostname used to contact the
 	// server is used.
 	ServerName string
 
@@ -207,7 +231,7 @@ type TLSClientConfig struct {
 	CertData []byte
 	// KeyData holds PEM-encoded bytes (typically read from a client certificate key file).
 	// KeyData takes precedence over KeyFile
-	KeyData []byte
+	KeyData []byte `datapolicy:"security-key"`
 	// CAData holds PEM-encoded bytes (typically read from a root certificates bundle).
 	// CAData takes precedence over CAFile
 	CAData []byte
@@ -331,7 +355,11 @@ func RESTClientFor(config *Config) (*RESTClient, error) {
 		Negotiator:         runtime.NewClientNegotiator(config.NegotiatedSerializer, gv),
 	}
 
-	return NewRESTClient(baseURL, versionedAPIPath, clientContent, rateLimiter, httpClient)
+	restClient, err := NewRESTClient(baseURL, versionedAPIPath, clientContent, rateLimiter, httpClient)
+	if err == nil && config.WarningHandler != nil {
+		restClient.warningHandler = config.WarningHandler
+	}
+	return restClient, err
 }
 
 // UnversionedRESTClientFor is the same as RESTClientFor, except that it allows
@@ -385,7 +413,11 @@ func UnversionedRESTClientFor(config *Config) (*RESTClient, error) {
 		Negotiator:         runtime.NewClientNegotiator(config.NegotiatedSerializer, gv),
 	}
 
-	return NewRESTClient(baseURL, versionedAPIPath, clientContent, rateLimiter, httpClient)
+	restClient, err := NewRESTClient(baseURL, versionedAPIPath, clientContent, rateLimiter, httpClient)
+	if err == nil && config.WarningHandler != nil {
+		restClient.warningHandler = config.WarningHandler
+	}
+	return restClient, err
 }
 
 // SetKubernetesDefaults sets default values on the provided client config for accessing the
@@ -554,18 +586,20 @@ func AnonymousClientConfig(config *Config) *Config {
 			NextProtos: config.TLSClientConfig.NextProtos,
 		},
 		RateLimiter:        config.RateLimiter,
+		WarningHandler:     config.WarningHandler,
 		UserAgent:          config.UserAgent,
 		DisableCompression: config.DisableCompression,
 		QPS:                config.QPS,
 		Burst:              config.Burst,
 		Timeout:            config.Timeout,
 		Dial:               config.Dial,
+		Proxy:              config.Proxy,
 	}
 }
 
 // CopyConfig returns a copy of the given config
 func CopyConfig(config *Config) *Config {
-	return &Config{
+	c := &Config{
 		Host:            config.Host,
 		APIPath:         config.APIPath,
 		ContentConfig:   config.ContentConfig,
@@ -599,7 +633,13 @@ func CopyConfig(config *Config) *Config {
 		QPS:                config.QPS,
 		Burst:              config.Burst,
 		RateLimiter:        config.RateLimiter,
+		WarningHandler:     config.WarningHandler,
 		Timeout:            config.Timeout,
 		Dial:               config.Dial,
+		Proxy:              config.Proxy,
 	}
+	if config.ExecProvider != nil && config.ExecProvider.Config != nil {
+		c.ExecProvider.Config = config.ExecProvider.Config.DeepCopyObject()
+	}
+	return c
 }

vendor/k8s.io/client-go/rest/exec.go

@@ -0,0 +1,85 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"k8s.io/client-go/pkg/apis/clientauthentication"
+	clientauthenticationapi "k8s.io/client-go/pkg/apis/clientauthentication"
+)
+
+// This file contains Config logic related to exec credential plugins.
+
+// ConfigToExecCluster creates a clientauthenticationapi.Cluster with the corresponding fields from
+// the provided Config.
+func ConfigToExecCluster(config *Config) (*clientauthenticationapi.Cluster, error) {
+	caData, err := dataFromSliceOrFile(config.CAData, config.CAFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load CA bundle for execProvider: %v", err)
+	}
+
+	var proxyURL string
+	if config.Proxy != nil {
+		req, err := http.NewRequest("", config.Host, nil)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create proxy URL request for execProvider: %w", err)
+		}
+		url, err := config.Proxy(req)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get proxy URL for execProvider: %w", err)
+		}
+		if url != nil {
+			proxyURL = url.String()
+		}
+	}
+
+	return &clientauthentication.Cluster{
+		Server:                   config.Host,
+		TLSServerName:            config.ServerName,
+		InsecureSkipTLSVerify:    config.Insecure,
+		CertificateAuthorityData: caData,
+		ProxyURL:                 proxyURL,
+		Config:                   config.ExecProvider.Config,
+	}, nil
+}
+
+// ExecClusterToConfig creates a Config with the corresponding fields from the provided
+// clientauthenticationapi.Cluster. The returned Config will be anonymous (i.e., it will not have
+// any authentication-related fields set).
+func ExecClusterToConfig(cluster *clientauthentication.Cluster) (*Config, error) {
+	var proxy func(*http.Request) (*url.URL, error)
+	if cluster.ProxyURL != "" {
+		proxyURL, err := url.Parse(cluster.ProxyURL)
+		if err != nil {
+			return nil, fmt.Errorf("cannot parse proxy URL: %w", err)
+		}
+		proxy = http.ProxyURL(proxyURL)
+	}
+
+	return &Config{
+		Host: cluster.Server,
+		TLSClientConfig: TLSClientConfig{
+			Insecure:   cluster.InsecureSkipTLSVerify,
+			ServerName: cluster.TLSServerName,
+			CAData:     cluster.CertificateAuthorityData,
+		},
+		Proxy: proxy,
+	}, nil
+}

vendor/k8s.io/client-go/rest/fake/fake.go

@@ -0,0 +1,118 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This is made a separate package and should only be imported by tests, because
+// it imports testapi
+package fake
+
+import (
+	"net/http"
+	"net/url"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/util/flowcontrol"
+)
+
+// CreateHTTPClient creates an http.Client that will invoke the provided roundTripper func
+// when a request is made.
+func CreateHTTPClient(roundTripper func(*http.Request) (*http.Response, error)) *http.Client {
+	return &http.Client{
+		Transport: roundTripperFunc(roundTripper),
+	}
+}
+
+type roundTripperFunc func(*http.Request) (*http.Response, error)
+
+func (f roundTripperFunc) RoundTrip(req *http.Request) (*http.Response, error) {
+	return f(req)
+}
+
+// RESTClient provides a fake RESTClient interface. It is used to mock network
+// interactions via a rest.Request, or to make them via the provided Client to
+// a specific server.
+type RESTClient struct {
+	NegotiatedSerializer runtime.NegotiatedSerializer
+	GroupVersion         schema.GroupVersion
+	VersionedAPIPath     string
+
+	// Err is returned when any request would be made to the server. If Err is set,
+	// Req will not be recorded, Resp will not be returned, and Client will not be
+	// invoked.
+	Err error
+	// Req is set to the last request that was executed (had the methods Do/DoRaw) invoked.
+	Req *http.Request
+	// If Client is specified, the client will be invoked instead of returning Resp if
+	// Err is not set.
+	Client *http.Client
+	// Resp is returned to the caller after Req is recorded, unless Err or Client are set.
+	Resp *http.Response
+}
+
+func (c *RESTClient) Get() *restclient.Request {
+	return c.Verb("GET")
+}
+
+func (c *RESTClient) Put() *restclient.Request {
+	return c.Verb("PUT")
+}
+
+func (c *RESTClient) Patch(pt types.PatchType) *restclient.Request {
+	return c.Verb("PATCH").SetHeader("Content-Type", string(pt))
+}
+
+func (c *RESTClient) Post() *restclient.Request {
+	return c.Verb("POST")
+}
+
+func (c *RESTClient) Delete() *restclient.Request {
+	return c.Verb("DELETE")
+}
+
+func (c *RESTClient) Verb(verb string) *restclient.Request {
+	return c.Request().Verb(verb)
+}
+
+func (c *RESTClient) APIVersion() schema.GroupVersion {
+	return c.GroupVersion
+}
+
+func (c *RESTClient) GetRateLimiter() flowcontrol.RateLimiter {
+	return nil
+}
+
+func (c *RESTClient) Request() *restclient.Request {
+	config := restclient.ClientContentConfig{
+		ContentType:  runtime.ContentTypeJSON,
+		GroupVersion: c.GroupVersion,
+		Negotiator:   runtime.NewClientNegotiator(c.NegotiatedSerializer, c.GroupVersion),
+	}
+	return restclient.NewRequestWithClient(&url.URL{Scheme: "https", Host: "localhost"}, c.VersionedAPIPath, config, CreateHTTPClient(c.do))
+}
+
+// do is invoked when a Request() created by this client is executed.
+func (c *RESTClient) do(req *http.Request) (*http.Response, error) {
+	if c.Err != nil {
+		return nil, c.Err
+	}
+	c.Req = req
+	if c.Client != nil {
+		return c.Client.Do(req)
+	}
+	return c.Resp, nil
+}

vendor/k8s.io/client-go/rest/plugin.go

@@ -21,7 +21,7 @@ import (
 	"net/http"
 	"sync"
 
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 )
@@ -47,6 +47,13 @@ type AuthProviderConfigPersister interface {
 	Persist(map[string]string) error
 }
 
+type noopPersister struct{}
+
+func (n *noopPersister) Persist(_ map[string]string) error {
+	// no operation persister
+	return nil
+}
+
 // All registered auth provider plugins.
 var pluginsLock sync.Mutex
 var plugins = make(map[string]Factory)
@@ -69,5 +76,8 @@ func GetAuthProvider(clusterAddress string, apc *clientcmdapi.AuthProviderConfig
 	if !ok {
 		return nil, fmt.Errorf("no Auth Provider found for name %q", apc.Name)
 	}
+	if persister == nil {
+		persister = &noopPersister{}
+	}
 	return p(clusterAddress, apc.Config, persister)
 }

vendor/k8s.io/client-go/rest/request.go

@@ -45,7 +45,7 @@ import (
 	restclientwatch "k8s.io/client-go/rest/watch"
 	"k8s.io/client-go/tools/metrics"
 	"k8s.io/client-go/util/flowcontrol"
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 )
 
 var (
@@ -88,9 +88,12 @@ var noBackoff = &NoBackoff{}
 type Request struct {
 	c *RESTClient
 
+	warningHandler WarningHandler
+
 	rateLimiter flowcontrol.RateLimiter
 	backoff     BackoffManager
 	timeout     time.Duration
+	maxRetries  int
 
 	// generic components accessible via method setters
 	verb       string
@@ -134,11 +137,13 @@ func NewRequest(c *RESTClient) *Request {
 	}
 
 	r := &Request{
-		c:           c,
-		rateLimiter: c.rateLimiter,
-		backoff:     backoff,
-		timeout:     timeout,
-		pathPrefix:  pathPrefix,
+		c:              c,
+		rateLimiter:    c.rateLimiter,
+		backoff:        backoff,
+		timeout:        timeout,
+		pathPrefix:     pathPrefix,
+		maxRetries:     10,
+		warningHandler: c.warningHandler,
 	}
 
 	switch {
@@ -216,6 +221,13 @@ func (r *Request) BackOff(manager BackoffManager) *Request {
 	return r
 }
 
+// WarningHandler sets the handler this client uses when warning headers are encountered.
+// If set to nil, this client will use the default warning handler (see SetDefaultWarningHandler).
+func (r *Request) WarningHandler(handler WarningHandler) *Request {
+	r.warningHandler = handler
+	return r
+}
+
 // Throttle receives a rate-limiter and sets or replaces an existing request limiter
 func (r *Request) Throttle(limiter flowcontrol.RateLimiter) *Request {
 	r.rateLimiter = limiter
@@ -230,7 +242,7 @@ func (r *Request) SubResource(subresources ...string) *Request {
 	}
 	subresource := path.Join(subresources...)
 	if len(r.subresource) != 0 {
-		r.err = fmt.Errorf("subresource already set to %q, cannot change to %q", r.resource, subresource)
+		r.err = fmt.Errorf("subresource already set to %q, cannot change to %q", r.subresource, subresource)
 		return r
 	}
 	for _, s := range subresources {
@@ -391,6 +403,18 @@ func (r *Request) Timeout(d time.Duration) *Request {
 	return r
 }
 
+// MaxRetries makes the request use the given integer as a ceiling of retrying upon receiving
+// "Retry-After" headers and 429 status-code in the response. The default is 10 unless this
+// function is specifically called with a different value.
+// A zero maxRetries prevent it from doing retires and return an error immediately.
+func (r *Request) MaxRetries(maxRetries int) *Request {
+	if maxRetries < 0 {
+		maxRetries = 0
+	}
+	r.maxRetries = maxRetries
+	return r
+}
+
 // Body makes the request use obj as the body. Optional.
 // If obj is a string, try to read a file of that name.
 // If obj is a []byte, send it directly.
@@ -487,13 +511,23 @@ func (r Request) finalURLTemplate() url.URL {
 	}
 	r.params = newParams
 	url := r.URL()
-	segments := strings.Split(r.URL().Path, "/")
+
+	segments := strings.Split(url.Path, "/")
 	groupIndex := 0
 	index := 0
-	if r.URL() != nil && r.c.base != nil && strings.Contains(r.URL().Path, r.c.base.Path) {
-		groupIndex += len(strings.Split(r.c.base.Path, "/"))
+	trimmedBasePath := ""
+	if url != nil && r.c.base != nil && strings.Contains(url.Path, r.c.base.Path) {
+		p := strings.TrimPrefix(url.Path, r.c.base.Path)
+		if !strings.HasPrefix(p, "/") {
+			p = "/" + p
+		}
+		// store the base path that we have trimmed so we can append it
+		// before returning the URL
+		trimmedBasePath = r.c.base.Path
+		segments = strings.Split(p, "/")
+		groupIndex = 1
 	}
-	if groupIndex >= len(segments) {
+	if len(segments) <= 2 {
 		return *url
 	}
 
@@ -539,11 +573,11 @@ func (r Request) finalURLTemplate() url.URL {
 			segments[index+3] = "{name}"
 		}
 	}
-	url.Path = path.Join(segments...)
+	url.Path = path.Join(trimmedBasePath, path.Join(segments...))
 	return *url
 }
 
-func (r *Request) tryThrottle(ctx context.Context) error {
+func (r *Request) tryThrottleWithInfo(ctx context.Context, retryInfo string) error {
 	if r.rateLimiter == nil {
 		return nil
 	}
@@ -553,19 +587,32 @@ func (r *Request) tryThrottle(ctx context.Context) error {
 	err := r.rateLimiter.Wait(ctx)
 
 	latency := time.Since(now)
+
+	var message string
+	switch {
+	case len(retryInfo) > 0:
+		message = fmt.Sprintf("Waited for %v, %s - request: %s:%s", latency, retryInfo, r.verb, r.URL().String())
+	default:
+		message = fmt.Sprintf("Waited for %v due to client-side throttling, not priority and fairness, request: %s:%s", latency, r.verb, r.URL().String())
+	}
+
 	if latency > longThrottleLatency {
-		klog.V(3).Infof("Throttling request took %v, request: %s:%s", latency, r.verb, r.URL().String())
+		klog.V(3).Info(message)
 	}
 	if latency > extraLongThrottleLatency {
 		// If the rate limiter latency is very high, the log message should be printed at a higher log level,
 		// but we use a throttled logger to prevent spamming.
-		globalThrottledLogger.Infof("Throttling request took %v, request: %s:%s", latency, r.verb, r.URL().String())
+		globalThrottledLogger.Infof(message)
 	}
-	metrics.RateLimiterLatency.Observe(r.verb, r.finalURLTemplate(), latency)
+	metrics.RateLimiterLatency.Observe(ctx, r.verb, r.finalURLTemplate(), latency)
 
 	return err
 }
 
+func (r *Request) tryThrottle(ctx context.Context) error {
+	return r.tryThrottleWithInfo(ctx, "")
+}
+
 type throttleSettings struct {
 	logLevel       klog.Level
 	minLogInterval time.Duration
@@ -594,7 +641,7 @@ var globalThrottledLogger = &throttledLogger{
 
 func (b *throttledLogger) attemptToLog() (klog.Level, bool) {
 	for _, setting := range b.settings {
-		if bool(klog.V(setting.logLevel)) {
+		if bool(klog.V(setting.logLevel).Enabled()) {
 			// Return early without write locking if possible.
 			if func() bool {
 				setting.lock.RLock()
@@ -614,7 +661,7 @@ func (b *throttledLogger) attemptToLog() (klog.Level, bool) {
 	return -1, false
 }
 
-// Infof will write a log message at each logLevel specified by the reciever's throttleSettings
+// Infof will write a log message at each logLevel specified by the receiver's throttleSettings
 // as long as it hasn't written a log message more recently than minLogInterval.
 func (b *throttledLogger) Infof(message string, args ...interface{}) {
 	if logLevel, ok := b.attemptToLog(); ok {
@@ -644,7 +691,7 @@ func (r *Request) Watch(ctx context.Context) (watch.Interface, error) {
 	}
 	r.backoff.Sleep(r.backoff.CalculateBackoff(r.URL()))
 	resp, err := client.Do(req)
-	updateURLMetrics(r, resp, err)
+	updateURLMetrics(ctx, r, resp, err)
 	if r.c.base != nil {
 		if err != nil {
 			r.backoff.UpdateBackoff(r.c.base, err, 0)
@@ -678,6 +725,8 @@ func (r *Request) Watch(ctx context.Context) (watch.Interface, error) {
 		return nil, err
 	}
 
+	handleWarnings(resp.Header, r.warningHandler)
+
 	frameReader := framer.NewFrameReader(resp.Body)
 	watchEventDecoder := streaming.NewDecoder(frameReader, streamingSerializer)
 
@@ -691,7 +740,7 @@ func (r *Request) Watch(ctx context.Context) (watch.Interface, error) {
 
 // updateURLMetrics is a convenience function for pushing metrics.
 // It also handles corner cases for incomplete/invalid request data.
-func updateURLMetrics(req *Request, resp *http.Response, err error) {
+func updateURLMetrics(ctx context.Context, req *Request, resp *http.Response, err error) {
 	url := "none"
 	if req.c.base != nil {
 		url = req.c.base.Host
@@ -700,10 +749,10 @@ func updateURLMetrics(req *Request, resp *http.Response, err error) {
 	// Errors can be arbitrary strings. Unbound label cardinality is not suitable for a metric
 	// system so we just report them as `<error>`.
 	if err != nil {
-		metrics.RequestResult.Increment("<error>", req.verb, url)
+		metrics.RequestResult.Increment(ctx, "<error>", req.verb, url)
 	} else {
 		//Metrics for failure codes
-		metrics.RequestResult.Increment(strconv.Itoa(resp.StatusCode), req.verb, url)
+		metrics.RequestResult.Increment(ctx, strconv.Itoa(resp.StatusCode), req.verb, url)
 	}
 }
 
@@ -736,7 +785,7 @@ func (r *Request) Stream(ctx context.Context) (io.ReadCloser, error) {
 	}
 	r.backoff.Sleep(r.backoff.CalculateBackoff(r.URL()))
 	resp, err := client.Do(req)
-	updateURLMetrics(r, resp, err)
+	updateURLMetrics(ctx, r, resp, err)
 	if r.c.base != nil {
 		if err != nil {
 			r.backoff.UpdateBackoff(r.URL(), err, 0)
@@ -750,6 +799,7 @@ func (r *Request) Stream(ctx context.Context) (io.ReadCloser, error) {
 
 	switch {
 	case (resp.StatusCode >= 200) && (resp.StatusCode < 300):
+		handleWarnings(resp.Header, r.warningHandler)
 		return resp.Body, nil
 
 	default:
@@ -800,7 +850,7 @@ func (r *Request) request(ctx context.Context, fn func(*http.Request, *http.Resp
 	//Metrics for total request latency
 	start := time.Now()
 	defer func() {
-		metrics.RequestLatency.Observe(r.verb, r.finalURLTemplate(), time.Since(start))
+		metrics.RequestLatency.Observe(ctx, r.verb, r.finalURLTemplate(), time.Since(start))
 	}()
 
 	if r.err != nil {
@@ -831,8 +881,8 @@ func (r *Request) request(ctx context.Context, fn func(*http.Request, *http.Resp
 	}
 
 	// Right now we make about ten retry attempts if we get a Retry-After response.
-	maxRetries := 10
 	retries := 0
+	var retryInfo string
 	for {
 
 		url := r.URL().String()
@@ -848,12 +898,13 @@ func (r *Request) request(ctx context.Context, fn func(*http.Request, *http.Resp
 			// We are retrying the request that we already send to apiserver
 			// at least once before.
 			// This request should also be throttled with the client-internal rate limiter.
-			if err := r.tryThrottle(ctx); err != nil {
+			if err := r.tryThrottleWithInfo(ctx, retryInfo); err != nil {
 				return err
 			}
+			retryInfo = ""
 		}
 		resp, err := client.Do(req)
-		updateURLMetrics(r, resp, err)
+		updateURLMetrics(ctx, r, resp, err)
 		if err != nil {
 			r.backoff.UpdateBackoff(r.URL(), err, 0)
 		} else {
@@ -894,7 +945,8 @@ func (r *Request) request(ctx context.Context, fn func(*http.Request, *http.Resp
 			}()
 
 			retries++
-			if seconds, wait := checkWait(resp); wait && retries < maxRetries {
+			if seconds, wait := checkWait(resp); wait && retries <= r.maxRetries {
+				retryInfo = getRetryReason(retries, seconds, resp, err)
 				if seeker, ok := r.body.(io.Seeker); ok && r.body != nil {
 					_, err := seeker.Seek(0, 0)
 					if err != nil {
@@ -1007,6 +1059,7 @@ func (r *Request) transformResponse(resp *http.Response, req *http.Request) Resu
 				body:        body,
 				contentType: contentType,
 				statusCode:  resp.StatusCode,
+				warnings:    handleWarnings(resp.Header, r.warningHandler),
 			}
 		}
 	}
@@ -1025,6 +1078,7 @@ func (r *Request) transformResponse(resp *http.Response, req *http.Request) Resu
 			statusCode:  resp.StatusCode,
 			decoder:     decoder,
 			err:         err,
+			warnings:    handleWarnings(resp.Header, r.warningHandler),
 		}
 	}
 
@@ -1033,6 +1087,7 @@ func (r *Request) transformResponse(resp *http.Response, req *http.Request) Resu
 		contentType: contentType,
 		statusCode:  resp.StatusCode,
 		decoder:     decoder,
+		warnings:    handleWarnings(resp.Header, r.warningHandler),
 	}
 }
 
@@ -1040,11 +1095,11 @@ func (r *Request) transformResponse(resp *http.Response, req *http.Request) Resu
 func truncateBody(body string) string {
 	max := 0
 	switch {
-	case bool(klog.V(10)):
+	case bool(klog.V(10).Enabled()):
 		return body
-	case bool(klog.V(9)):
+	case bool(klog.V(9).Enabled()):
 		max = 10240
-	case bool(klog.V(8)):
+	case bool(klog.V(8).Enabled()):
 		max = 1024
 	}
 
@@ -1059,7 +1114,7 @@ func truncateBody(body string) string {
 // allocating a new string for the body output unless necessary. Uses a simple heuristic to determine
 // whether the body is printable.
 func glogBody(prefix string, body []byte) {
-	if klog.V(8) {
+	if klog.V(8).Enabled() {
 		if bytes.IndexFunc(body, func(r rune) bool {
 			return r < 0x0a
 		}) != -1 {
@@ -1165,9 +1220,30 @@ func retryAfterSeconds(resp *http.Response) (int, bool) {
 	return 0, false
 }
 
+func getRetryReason(retries, seconds int, resp *http.Response, err error) string {
+	// priority and fairness sets the UID of the FlowSchema associated with a request
+	// in the following response Header.
+	const responseHeaderMatchedFlowSchemaUID = "X-Kubernetes-PF-FlowSchema-UID"
+
+	message := fmt.Sprintf("retries: %d, retry-after: %ds", retries, seconds)
+
+	switch {
+	case resp.StatusCode == http.StatusTooManyRequests:
+		// it is server-side throttling from priority and fairness
+		flowSchemaUID := resp.Header.Get(responseHeaderMatchedFlowSchemaUID)
+		return fmt.Sprintf("%s - retry-reason: due to server-side throttling, FlowSchema UID: %q", message, flowSchemaUID)
+	case err != nil:
+		// it's a retriable error
+		return fmt.Sprintf("%s - retry-reason: due to retriable error, error: %v", message, err)
+	default:
+		return fmt.Sprintf("%s - retry-reason: %d", message, resp.StatusCode)
+	}
+}
+
 // Result contains the result of calling Request.Do().
 type Result struct {
 	body        []byte
+	warnings    []net.WarningHeader
 	contentType string
 	err         error
 	statusCode  int
@@ -1281,6 +1357,11 @@ func (r Result) Error() error {
 	return r.err
 }
 
+// Warnings returns any warning headers received in the response
+func (r Result) Warnings() []net.WarningHeader {
+	return r.warnings
+}
+
 // NameMayNotBe specifies strings that cannot be used as names specified as path segments (like the REST API or etcd store)
 var NameMayNotBe = []string{".", ".."}
 

vendor/k8s.io/client-go/rest/transport.go

@@ -21,6 +21,7 @@ import (
 	"errors"
 	"net/http"
 
+	"k8s.io/client-go/pkg/apis/clientauthentication"
 	"k8s.io/client-go/plugin/pkg/client/auth/exec"
 	"k8s.io/client-go/transport"
 )
@@ -85,7 +86,8 @@ func (c *Config) TransportConfig() (*transport.Config, error) {
 			Groups:   c.Impersonate.Groups,
 			Extra:    c.Impersonate.Extra,
 		},
-		Dial: c.Dial,
+		Dial:  c.Dial,
+		Proxy: c.Proxy,
 	}
 
 	if c.ExecProvider != nil && c.AuthProvider != nil {
@@ -93,7 +95,15 @@ func (c *Config) TransportConfig() (*transport.Config, error) {
 	}
 
 	if c.ExecProvider != nil {
-		provider, err := exec.GetAuthenticator(c.ExecProvider)
+		var cluster *clientauthentication.Cluster
+		if c.ExecProvider.ProvideClusterInfo {
+			var err error
+			cluster, err = ConfigToExecCluster(c)
+			if err != nil {
+				return nil, err
+			}
+		}
+		provider, err := exec.GetAuthenticator(c.ExecProvider, cluster)
 		if err != nil {
 			return nil, err
 		}

vendor/k8s.io/client-go/rest/urlbackoff.go

@@ -22,7 +22,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/util/flowcontrol"
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 )
 
 // Set of resp. Codes that we backoff for.

vendor/k8s.io/client-go/rest/warnings.go

@@ -0,0 +1,147 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"sync"
+
+	"k8s.io/klog/v2"
+
+	"k8s.io/apimachinery/pkg/util/net"
+)
+
+// WarningHandler is an interface for handling warning headers
+type WarningHandler interface {
+	// HandleWarningHeader is called with the warn code, agent, and text when a warning header is countered.
+	HandleWarningHeader(code int, agent string, text string)
+}
+
+var (
+	defaultWarningHandler     WarningHandler = WarningLogger{}
+	defaultWarningHandlerLock sync.RWMutex
+)
+
+// SetDefaultWarningHandler sets the default handler clients use when warning headers are encountered.
+// By default, warnings are logged. Several built-in implementations are provided:
+//  - NoWarnings suppresses warnings.
+//  - WarningLogger logs warnings.
+//  - NewWarningWriter() outputs warnings to the provided writer.
+func SetDefaultWarningHandler(l WarningHandler) {
+	defaultWarningHandlerLock.Lock()
+	defer defaultWarningHandlerLock.Unlock()
+	defaultWarningHandler = l
+}
+func getDefaultWarningHandler() WarningHandler {
+	defaultWarningHandlerLock.RLock()
+	defer defaultWarningHandlerLock.RUnlock()
+	l := defaultWarningHandler
+	return l
+}
+
+// NoWarnings is an implementation of WarningHandler that suppresses warnings.
+type NoWarnings struct{}
+
+func (NoWarnings) HandleWarningHeader(code int, agent string, message string) {}
+
+// WarningLogger is an implementation of WarningHandler that logs code 299 warnings
+type WarningLogger struct{}
+
+func (WarningLogger) HandleWarningHeader(code int, agent string, message string) {
+	if code != 299 || len(message) == 0 {
+		return
+	}
+	klog.Warning(message)
+}
+
+type warningWriter struct {
+	// out is the writer to output warnings to
+	out io.Writer
+	// opts contains options controlling warning output
+	opts WarningWriterOptions
+	// writtenLock guards written and writtenCount
+	writtenLock  sync.Mutex
+	writtenCount int
+	written      map[string]struct{}
+}
+
+// WarningWriterOptions controls the behavior of a WarningHandler constructed using NewWarningWriter()
+type WarningWriterOptions struct {
+	// Deduplicate indicates a given warning message should only be written once.
+	// Setting this to true in a long-running process handling many warnings can result in increased memory use.
+	Deduplicate bool
+	// Color indicates that warning output can include ANSI color codes
+	Color bool
+}
+
+// NewWarningWriter returns an implementation of WarningHandler that outputs code 299 warnings to the specified writer.
+func NewWarningWriter(out io.Writer, opts WarningWriterOptions) *warningWriter {
+	h := &warningWriter{out: out, opts: opts}
+	if opts.Deduplicate {
+		h.written = map[string]struct{}{}
+	}
+	return h
+}
+
+const (
+	yellowColor = "\u001b[33;1m"
+	resetColor  = "\u001b[0m"
+)
+
+// HandleWarningHeader prints warnings with code=299 to the configured writer.
+func (w *warningWriter) HandleWarningHeader(code int, agent string, message string) {
+	if code != 299 || len(message) == 0 {
+		return
+	}
+
+	w.writtenLock.Lock()
+	defer w.writtenLock.Unlock()
+
+	if w.opts.Deduplicate {
+		if _, alreadyWritten := w.written[message]; alreadyWritten {
+			return
+		}
+		w.written[message] = struct{}{}
+	}
+	w.writtenCount++
+
+	if w.opts.Color {
+		fmt.Fprintf(w.out, "%sWarning:%s %s\n", yellowColor, resetColor, message)
+	} else {
+		fmt.Fprintf(w.out, "Warning: %s\n", message)
+	}
+}
+
+func (w *warningWriter) WarningCount() int {
+	w.writtenLock.Lock()
+	defer w.writtenLock.Unlock()
+	return w.writtenCount
+}
+
+func handleWarnings(headers http.Header, handler WarningHandler) []net.WarningHeader {
+	if handler == nil {
+		handler = getDefaultWarningHandler()
+	}
+
+	warnings, _ := net.ParseWarningHeaders(headers["Warning"])
+	for _, warning := range warnings {
+		handler.HandleWarningHeader(warning.Code, warning.Agent, warning.Text)
+	}
+	return warnings
+}