Merge pull request #1416 from ingvagabund/sync-library-go-4.12

OCPBUGS-4478: guard controller: set an explicit hostname to avoid name collisions

bindata/bootkube/bootstrap-manifests/kube-apiserver-pod.yaml

@@ -18,7 +18,7 @@ spec:
   initContainers:
   - name: setup
     terminationMessagePolicy: FallbackToLogsOnError
-    image: {{ .Image }}
+    image: '{{ .Image }}'
     imagePullPolicy: IfNotPresent
     volumeMounts:
     - mountPath: /var/log/kube-apiserver
@@ -36,8 +36,8 @@ spec:
         cpu: 5m
   containers:
   - name: kube-apiserver
-    image: {{ .Image }}
-    imagePullPolicy: {{ .ImagePullPolicy }}
+    image: '{{ .Image }}'
+    imagePullPolicy: '{{ .ImagePullPolicy }}'
     terminationMessagePolicy: FallbackToLogsOnError
     command: [ "/bin/bash", "-ec" ]
     args:
@@ -88,10 +88,9 @@ spec:
     - name: HOST_IP
       valueFrom:
         fieldRef:
-          fieldPath: status.hostIP
-  {{if .OperatorImage}}
+          fieldPath: status.hostIP{{if .OperatorImage}}
   - name: kube-apiserver-insecure-readyz
-    image: {{.OperatorImage}}
+    image: '{{.OperatorImage}}'
     imagePullPolicy: IfNotPresent
     terminationMessagePolicy: FallbackToLogsOnError
     command: ["cluster-kube-apiserver-operator", "insecure-readyz"]
@@ -103,18 +102,17 @@ spec:
     resources:
       requests:
         memory: 50Mi
-        cpu: 5m
-{{end}}
-  terminationGracePeriodSeconds: {{ .TerminationGracePeriodSeconds }}
+        cpu: 5m{{end}}
+  terminationGracePeriodSeconds: +{{ .TerminationGracePeriodSeconds }}
   volumes:
   - hostPath:
-      path: {{ .SecretsHostPath }}
+      path: '{{ .SecretsHostPath }}'
     name: secrets
   - hostPath:
-      path: {{ .CloudProviderHostPath }}
+      path: '{{ .CloudProviderHostPath }}'
     name: etc-kubernetes-cloud
   - hostPath:
-      path: {{ .ConfigHostPath }}
+      path: '{{ .ConfigHostPath }}'
     name: config
   - hostPath:
       path: /etc/ssl/certs

bindata/bootkube/manifests/secret-aggregator-client-signer.yaml

@@ -4,10 +4,10 @@ metadata:
   name: aggregator-client-signer
   namespace: openshift-kube-apiserver-operator
   annotations:
-    "auth.openshift.io/certificate-not-before": {{ .Assets | load "aggregator-signer.crt" | notBefore }}
-    "auth.openshift.io/certificate-not-after": {{ .Assets | load "aggregator-signer.crt" | notAfter }}
-    "auth.openshift.io/certificate-issuer": {{ .Assets | load "aggregator-signer.crt" | issuer }}
+    "auth.openshift.io/certificate-not-before": '{{ .Assets | load "aggregator-signer.crt" | notBefore }}'
+    "auth.openshift.io/certificate-not-after": '{{ .Assets | load "aggregator-signer.crt" | notAfter }}'
+    "auth.openshift.io/certificate-issuer": '{{ .Assets | load "aggregator-signer.crt" | issuer }}'
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ .Assets | load "aggregator-signer.crt" | base64 }}
-  tls.key: {{ .Assets | load "aggregator-signer.key" | base64 }}
+  tls.crt: '{{ .Assets | load "aggregator-signer.crt" | base64 }}'
+  tls.key: '{{ .Assets | load "aggregator-signer.key" | base64 }}'

bindata/bootkube/manifests/secret-bound-sa-token-signing-key.yaml

@@ -3,6 +3,6 @@ kind: Secret
 metadata:
   name: next-bound-service-account-signing-key
   namespace: openshift-kube-apiserver-operator
-data: 
-  service-account.key: {{ .Assets | load "bound-service-account-signing-key.key" | base64 }}
-  service-account.pub: {{ .Assets | load "bound-service-account-signing-key.pub" | base64 }}
+data:
+  service-account.key: '{{ .Assets | load "bound-service-account-signing-key.key" | base64 }}'
+  service-account.pub: '{{ .Assets | load "bound-service-account-signing-key.pub" | base64 }}'

bindata/bootkube/manifests/secret-control-plane-client-signer.yaml

@@ -4,10 +4,10 @@ metadata:
   name: kube-control-plane-signer
   namespace: openshift-kube-apiserver-operator
   annotations:
-    "auth.openshift.io/certificate-not-before": {{ .Assets | load "kube-control-plane-signer.crt" | notBefore }}
-    "auth.openshift.io/certificate-not-after": {{ .Assets | load "kube-control-plane-signer.crt" | notAfter }}
-    "auth.openshift.io/certificate-issuer": {{ .Assets | load "kube-control-plane-signer.crt" | issuer }}
+    "auth.openshift.io/certificate-not-before": '{{ .Assets | load "kube-control-plane-signer.crt" | notBefore }}'
+    "auth.openshift.io/certificate-not-after": '{{ .Assets | load "kube-control-plane-signer.crt" | notAfter }}'
+    "auth.openshift.io/certificate-issuer": '{{ .Assets | load "kube-control-plane-signer.crt" | issuer }}'
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ .Assets | load "kube-control-plane-signer.crt" | base64 }}
-  tls.key: {{ .Assets | load "kube-control-plane-signer.key" | base64 }}
+  tls.crt: '{{ .Assets | load "kube-control-plane-signer.crt" | base64 }}'
+  tls.key: '{{ .Assets | load "kube-control-plane-signer.key" | base64 }}'

bindata/bootkube/manifests/secret-kube-apiserver-to-kubelet-signer.yaml

@@ -4,10 +4,10 @@ metadata:
   name: kube-apiserver-to-kubelet-signer
   namespace: openshift-kube-apiserver-operator
   annotations:
-    "auth.openshift.io/certificate-not-before": {{ .Assets | load "kube-apiserver-to-kubelet-signer.crt" | notBefore }}
-    "auth.openshift.io/certificate-not-after": {{ .Assets | load "kube-apiserver-to-kubelet-signer.crt" | notAfter }}
-    "auth.openshift.io/certificate-issuer": {{ .Assets | load "kube-apiserver-to-kubelet-signer.crt" | issuer }}
+    "auth.openshift.io/certificate-not-before": '{{ .Assets | load "kube-apiserver-to-kubelet-signer.crt" | notBefore }}'
+    "auth.openshift.io/certificate-not-after": '{{ .Assets | load "kube-apiserver-to-kubelet-signer.crt" | notAfter }}'
+    "auth.openshift.io/certificate-issuer": '{{ .Assets | load "kube-apiserver-to-kubelet-signer.crt" | issuer }}'
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ .Assets | load "kube-apiserver-to-kubelet-signer.crt" | base64 }}
-  tls.key: {{ .Assets | load "kube-apiserver-to-kubelet-signer.key" | base64 }}
+  tls.crt: '{{ .Assets | load "kube-apiserver-to-kubelet-signer.crt" | base64 }}'
+  tls.key: '{{ .Assets | load "kube-apiserver-to-kubelet-signer.key" | base64 }}'

bindata/bootkube/manifests/secret-loadbalancer-serving-signer.yaml

@@ -4,10 +4,10 @@ metadata:
   name: loadbalancer-serving-signer
   namespace: openshift-kube-apiserver-operator
   annotations:
-    "auth.openshift.io/certificate-not-before": {{ .Assets | load "kube-apiserver-lb-signer.crt" | notBefore }}
-    "auth.openshift.io/certificate-not-after": {{ .Assets | load "kube-apiserver-lb-signer.crt" | notAfter }}
-    "auth.openshift.io/certificate-issuer": {{ .Assets | load "kube-apiserver-lb-signer.crt" | issuer }}
+    "auth.openshift.io/certificate-not-before": '{{ .Assets | load "kube-apiserver-lb-signer.crt" | notBefore }}'
+    "auth.openshift.io/certificate-not-after": '{{ .Assets | load "kube-apiserver-lb-signer.crt" | notAfter }}'
+    "auth.openshift.io/certificate-issuer": '{{ .Assets | load "kube-apiserver-lb-signer.crt" | issuer }}'
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ .Assets | load "kube-apiserver-lb-signer.crt" | base64 }}
-  tls.key: {{ .Assets | load "kube-apiserver-lb-signer.key" | base64 }}
+  tls.crt: '{{ .Assets | load "kube-apiserver-lb-signer.crt" | base64 }}'
+  tls.key: '{{ .Assets | load "kube-apiserver-lb-signer.key" | base64 }}'

bindata/bootkube/manifests/secret-localhost-serving-signer.yaml

@@ -4,10 +4,10 @@ metadata:
   name: localhost-serving-signer
   namespace: openshift-kube-apiserver-operator
   annotations:
-    "auth.openshift.io/certificate-not-before": {{ .Assets | load "kube-apiserver-localhost-signer.crt" | notBefore }}
-    "auth.openshift.io/certificate-not-after": {{ .Assets | load "kube-apiserver-localhost-signer.crt" | notAfter }}
-    "auth.openshift.io/certificate-issuer": {{ .Assets | load "kube-apiserver-localhost-signer.crt" | issuer }}
+    "auth.openshift.io/certificate-not-before": '{{ .Assets | load "kube-apiserver-localhost-signer.crt" | notBefore }}'
+    "auth.openshift.io/certificate-not-after": '{{ .Assets | load "kube-apiserver-localhost-signer.crt" | notAfter }}'
+    "auth.openshift.io/certificate-issuer": '{{ .Assets | load "kube-apiserver-localhost-signer.crt" | issuer }}'
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ .Assets | load "kube-apiserver-localhost-signer.crt" | base64 }}
-  tls.key: {{ .Assets | load "kube-apiserver-localhost-signer.key" | base64 }}
+  tls.crt: '{{ .Assets | load "kube-apiserver-localhost-signer.crt" | base64 }}'
+  tls.key: '{{ .Assets | load "kube-apiserver-localhost-signer.key" | base64 }}'

bindata/bootkube/manifests/secret-service-network-serving-signer.yaml

@@ -4,10 +4,10 @@ metadata:
   name: service-network-serving-signer
   namespace: openshift-kube-apiserver-operator
   annotations:
-    "auth.openshift.io/certificate-not-before": {{ .Assets | load "kube-apiserver-service-network-signer.crt" | notBefore }}
-    "auth.openshift.io/certificate-not-after": {{ .Assets | load "kube-apiserver-service-network-signer.crt" | notAfter }}
-    "auth.openshift.io/certificate-issuer": {{ .Assets | load "kube-apiserver-service-network-signer.crt" | issuer }}
+    "auth.openshift.io/certificate-not-before": '{{ .Assets | load "kube-apiserver-service-network-signer.crt" | notBefore }}'
+    "auth.openshift.io/certificate-not-after": '{{ .Assets | load "kube-apiserver-service-network-signer.crt" | notAfter }}'
+    "auth.openshift.io/certificate-issuer": '{{ .Assets | load "kube-apiserver-service-network-signer.crt" | issuer }}'
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ .Assets | load "kube-apiserver-service-network-signer.crt" | base64 }}
-  tls.key: {{ .Assets | load "kube-apiserver-service-network-signer.key" | base64 }}
+  tls.crt: '{{ .Assets | load "kube-apiserver-service-network-signer.crt" | base64 }}'
+  tls.key: '{{ .Assets | load "kube-apiserver-service-network-signer.key" | base64 }}'

go.mod

@@ -15,7 +15,7 @@ require (
 	github.com/openshift/api v0.0.0-20221013123531-622889ac07cf
 	github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d
 	github.com/openshift/client-go v0.0.0-20220831193253-4950ae70c8ea
-	github.com/openshift/library-go v0.0.0-20221021005159-d93563844063
+	github.com/openshift/library-go v0.0.0-20221212171543-669323ec9bca
 	github.com/pkg/profile v1.5.0 // indirect
 	github.com/prometheus-operator/prometheus-operator/pkg/client v0.45.0
 	github.com/prometheus/client_golang v1.12.1

go.sum

@@ -423,8 +423,8 @@ github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d h1:RR
 github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20220831193253-4950ae70c8ea h1:7JbjIzWt3Q75ErY1PAZ+gCA+bErI6HSlpffHFmMMzqM=
 github.com/openshift/client-go v0.0.0-20220831193253-4950ae70c8ea/go.mod h1:+J8DqZC60acCdpYkwVy/KH4cudgWiFZRNOBeghCzdGA=
-github.com/openshift/library-go v0.0.0-20221021005159-d93563844063 h1:Mn2LKR04FBEiXk1g2r6cB98G7M3sCUp58qb89Uz5kcE=
-github.com/openshift/library-go v0.0.0-20221021005159-d93563844063/go.mod h1:KPBAXGaq7pPmA+1wUVtKr5Axg3R68IomWDkzaOxIhxM=
+github.com/openshift/library-go v0.0.0-20221212171543-669323ec9bca h1:zAugG9rbkcjEDsnIcyaxmOszs5G3xuIzqNZGw9kS20Y=
+github.com/openshift/library-go v0.0.0-20221212171543-669323ec9bca/go.mod h1:KPBAXGaq7pPmA+1wUVtKr5Axg3R68IomWDkzaOxIhxM=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=

pkg/test/assets_test.go

@@ -18,8 +18,13 @@ func TestYamlCorrectness(t *testing.T) {
 
 func readAllYaml(path string, t *testing.T) {
 	// TODO: validate also recovery manifest but they take different template and are covered by unit tests
-	manifests, err := assets.New(path, render.TemplateData{}, func(info os.FileInfo) bool {
-		return assets.OnlyYaml(info) && !strings.HasPrefix(info.Name(), "recovery-") &&
+	manifests, err := assets.New(path, render.TemplateData{}, func(path string, info os.FileInfo) (bool, error) {
+		is, err := assets.OnlyYaml(path, info)
+		if err != nil {
+			return is, err
+		}
+
+		return is && !strings.HasPrefix(info.Name(), "recovery-") &&
 			// the dashboard is a ConfigMap yaml but it has an embedded json in data that causes the reader to fail.
 			!strings.HasSuffix(info.Name(), "api_performance_dashboard.yaml") &&
 			// there is an alert message containing $labels strings that cause the reader to fail.
@@ -29,7 +34,7 @@ func readAllYaml(path string, t *testing.T) {
 			// there is an alert message containing $labels strings that cause the reader to fail.
 			!strings.HasSuffix(info.Name(), "podsecurity-violations.yaml") &&
 			// the kas's pod manifest contains go template values and fails compilation
-			!strings.HasSuffix(info.Name(), "pod.yaml")
+			!strings.HasSuffix(info.Name(), "pod.yaml"), nil
 
 	})
 	if err != nil {

vendor/modules.txt

@@ -297,7 +297,7 @@ github.com/openshift/client-go/operatorcontrolplane/informers/externalversions/i
 github.com/openshift/client-go/operatorcontrolplane/informers/externalversions/operatorcontrolplane
 github.com/openshift/client-go/operatorcontrolplane/informers/externalversions/operatorcontrolplane/v1alpha1
 github.com/openshift/client-go/operatorcontrolplane/listers/operatorcontrolplane/v1alpha1
-# github.com/openshift/library-go v0.0.0-20221021005159-d93563844063
+# github.com/openshift/library-go v0.0.0-20221212171543-669323ec9bca
 ## explicit; go 1.18
 github.com/openshift/library-go/pkg/assets
 github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer