From ee01344e1571e6c4bfb123c2a0357f683b7d6dc3 Mon Sep 17 00:00:00 2001 From: Hemant Kumar Date: Wed, 8 Nov 2023 13:23:08 -0500 Subject: [PATCH] CVE-2023-44487: bump github.com/openshift/library-go to release-4.14 --- go.mod | 4 +- go.sum | 8 +-- .../0000_10_controlplanemachineset.crd.yaml | 5 +- ...olplanemachineset.openstack.testsuite.yaml | 47 ++++++++++++++--- .../v1/types_controlplanemachineset.go | 11 ++-- .../v1/zz_generated.swagger_doc_generated.go | 2 +- ...ess-operator_00-ingresscontroller.crd.yaml | 8 +-- .../api/operator/v1/types_ingress.go | 4 +- .../v1/zz_generated.swagger_doc_generated.go | 2 +- .../openshift/api/route/v1/generated.proto | 4 +- .../route/v1/route-CustomNoUpgrade.crd.yaml | 8 +-- .../v1/route-TechPreviewNoUpgrade.crd.yaml | 8 +-- .../openshift/api/route/v1/route.crd.yaml | 8 +-- .../openshift/api/route/v1/types.go | 4 +- .../v1/zz_generated.swagger_doc_generated.go | 2 +- .../library-go/pkg/config/serving/server.go | 4 +- .../pkg/controller/controllercmd/builder.go | 11 +++- .../pkg/controller/controllercmd/cmd.go | 6 +++ .../openshift/library-go/pkg/crypto/crypto.go | 50 +++---------------- vendor/modules.txt | 4 +- 20 files changed, 108 insertions(+), 92 deletions(-) diff --git a/go.mod b/go.mod index d2cc20b1..10c22893 100644 --- a/go.mod +++ b/go.mod @@ -4,10 +4,10 @@ go 1.19 require ( github.com/google/go-cmp v0.5.9 - github.com/openshift/api v0.0.0-20230804173756-26b8597c4de2 + github.com/openshift/api v0.0.0-20230807132801-600991d550ac github.com/openshift/build-machinery-go v0.0.0-20230306181456-d321ffa04533 github.com/openshift/client-go v0.0.0-20230503144108-75015d2347cb - github.com/openshift/library-go v0.0.0-20230724150037-c515269de16e + github.com/openshift/library-go v0.0.0-20231103161458-0ec67489d123 github.com/prometheus/client_golang v1.14.0 github.com/spf13/cobra v1.6.1 k8s.io/api v0.27.4 diff --git a/go.sum b/go.sum index 54789a25..985e7a94 100644 --- a/go.sum +++ b/go.sum @@ -267,14 +267,14 @@ github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRW github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/onsi/ginkgo/v2 v2.9.2 h1:BA2GMJOtfGAfagzYtrAlufIP0lq6QERkFmHLMLPwFSU= github.com/onsi/gomega v1.27.4 h1:Z2AnStgsdSayCMDiCU42qIz+HLqEPcgiOCXjAU/w+8E= -github.com/openshift/api v0.0.0-20230804173756-26b8597c4de2 h1:K7rBUJvIEa9Ei7tyAv4wDwDLpOFKa6nP84JnqxrY73o= -github.com/openshift/api v0.0.0-20230804173756-26b8597c4de2/go.mod h1:yimSGmjsI+XF1mr+AKBs2//fSXIOhhetHGbMlBEfXbs= +github.com/openshift/api v0.0.0-20230807132801-600991d550ac h1:HqT8MmYGXiUGUW0BjygTGOOvqO2wIsTaG3q8nboJyPY= +github.com/openshift/api v0.0.0-20230807132801-600991d550ac/go.mod h1:yimSGmjsI+XF1mr+AKBs2//fSXIOhhetHGbMlBEfXbs= github.com/openshift/build-machinery-go v0.0.0-20230306181456-d321ffa04533 h1:mh3ZYs7kPIIe3UUY6tJcTExmtjnXXUu0MrBuK2W/Qvw= github.com/openshift/build-machinery-go v0.0.0-20230306181456-d321ffa04533/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20230503144108-75015d2347cb h1:Nij5OnaECrkmcRQMAE9LMbQXPo95aqFnf+12B7SyFVI= github.com/openshift/client-go v0.0.0-20230503144108-75015d2347cb/go.mod h1:Rhb3moCqeiTuGHAbXBOlwPubUMlOZEkrEWTRjIF3jzs= -github.com/openshift/library-go v0.0.0-20230724150037-c515269de16e h1:E8KSHPb3c68Bjf7I7+A6B5M3j7q3qB1r4or94P8Hqd8= -github.com/openshift/library-go v0.0.0-20230724150037-c515269de16e/go.mod h1:jPcIZk2ReAozFTDX2s9peO5at1Hs1BS6JvoASSk6NqQ= +github.com/openshift/library-go v0.0.0-20231103161458-0ec67489d123 h1:JfXG50f8yVud5xakwTHoqD00+3HYdLmZuEqn5Sq8ZRQ= +github.com/openshift/library-go v0.0.0-20231103161458-0ec67489d123/go.mod h1:ZFwNwC3opc/7aOvzUbU95zp33Lbxet48h80ryH3p6DY= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= diff --git a/vendor/github.com/openshift/api/machine/v1/0000_10_controlplanemachineset.crd.yaml b/vendor/github.com/openshift/api/machine/v1/0000_10_controlplanemachineset.crd.yaml index 00b5311a..699621ec 100644 --- a/vendor/github.com/openshift/api/machine/v1/0000_10_controlplanemachineset.crd.yaml +++ b/vendor/github.com/openshift/api/machine/v1/0000_10_controlplanemachineset.crd.yaml @@ -261,7 +261,8 @@ spec: rootVolume: description: rootVolume contains settings that will be used by the OpenStack machine provider to create the root volume attached to the VM. If not specified, no root volume will be created. type: object - minProperties: 1 + required: + - volumeType properties: availabilityZone: description: availabilityZone specifies the Cinder availability zone where the root volume will be created. If not specifified, the root volume will be created in the availability zone specified by the volume type in the cinder configuration. If the volume type (configured in the OpenStack cluster) does not specify an availability zone, the root volume will be created in the default availability zone specified in the cinder configuration. See https://docs.openstack.org/cinder/latest/admin/availability-zone-type.html for more details. If the OpenStack cluster is deployed with the cross_az_attach configuration option set to false, the root volume will have to be in the same availability zone as the VM (defined by OpenStackFailureDomain.AvailabilityZone). Availability zone names must NOT contain spaces otherwise it will lead to volume that belongs to this availability zone register failure, see kubernetes/cloud-provider-openstack#1379 for further information. The maximum length of availability zone name is 63 as per labels limits. @@ -270,7 +271,7 @@ spec: minLength: 1 pattern: ^[^ ]*$ volumeType: - description: volumeType specifies the type of the root volume that will be provisioned. If not specifified, the root volume will be created as the type in the machine template. The maximum length of a volume type name is 255 characters, as per the OpenStack limit. + description: volumeType specifies the type of the root volume that will be provisioned. The maximum length of a volume type name is 255 characters, as per the OpenStack limit. type: string maxLength: 255 minLength: 1 diff --git a/vendor/github.com/openshift/api/machine/v1/stable.controlplanemachineset.openstack.testsuite.yaml b/vendor/github.com/openshift/api/machine/v1/stable.controlplanemachineset.openstack.testsuite.yaml index e5759f4b..a09de51e 100644 --- a/vendor/github.com/openshift/api/machine/v1/stable.controlplanemachineset.openstack.testsuite.yaml +++ b/vendor/github.com/openshift/api/machine/v1/stable.controlplanemachineset.openstack.testsuite.yaml @@ -213,6 +213,7 @@ tests: openstack: - rootVolume: availabilityZone: foo + volumeType: fast expected: | apiVersion: machine.openshift.io/v1 kind: ControlPlaneMachineSet @@ -240,6 +241,7 @@ tests: openstack: - rootVolume: availabilityZone: foo + volumeType: fast - name: Should accept an OpenStack failure domain with only the root volume type provided initial: | apiVersion: machine.openshift.io/v1 @@ -316,6 +318,7 @@ tests: - availabilityZone: foo rootVolume: availabilityZone: foo + volumeType: fast expected: | apiVersion: machine.openshift.io/v1 kind: ControlPlaneMachineSet @@ -344,6 +347,7 @@ tests: - availabilityZone: foo rootVolume: availabilityZone: foo + volumeType: fast - name: Should accept an OpenStack failure domain with both availabilityZone and root volume type provided initial: | apiVersion: machine.openshift.io/v1 @@ -399,7 +403,7 @@ tests: rootVolume: availabilityZone: foo volumeType: bar - - name: Should reject an OpenStack failure domain with too long a rootVolume volumeType name + - name: Should reject an OpenStack failure domain with no rootVolume volumeType provided initial: | apiVersion: machine.openshift.io/v1 kind: ControlPlaneMachineSet @@ -421,11 +425,35 @@ tests: failureDomains: platform: OpenStack openstack: - - availabilityZone: foo - rootVolume: - volumeType: a123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 - expectedError: "spec.template.machines_v1beta1_machine_openshift_io.failureDomains.openstack[0].rootVolume.volumeType: Too long: may not be longer than 255" - - name: Should reject an OpenStack failure domain with an empty rootVolume provided + - rootVolume: + availabilityZone: foo + expectedError: "spec.template.machines_v1beta1_machine_openshift_io.failureDomains.openstack[0].rootVolume.volumeType: Required value, : Invalid value: \"null\": some validation rules were not checked" + - name: Should reject an OpenStack failure domain with an empty rootVolume volumeType provided + initial: | + apiVersion: machine.openshift.io/v1 + kind: ControlPlaneMachineSet + spec: + selector: + matchLabels: + machine.openshift.io/cluster-api-machine-role: master + machine.openshift.io/cluster-api-machine-type: master + template: + machineType: machines_v1beta1_machine_openshift_io + machines_v1beta1_machine_openshift_io: + metadata: + labels: + machine.openshift.io/cluster-api-machine-role: master + machine.openshift.io/cluster-api-machine-type: master + machine.openshift.io/cluster-api-cluster: cluster + spec: + providerSpec: {} + failureDomains: + platform: OpenStack + openstack: + - rootVolume: + volumeType: "" + expectedError: "spec.template.machines_v1beta1_machine_openshift_io.failureDomains.openstack[0].rootVolume.volumeType: Invalid value: \"\": spec.template.machines_v1beta1_machine_openshift_io.failureDomains.openstack[0].rootVolume.volumeType in body should be at least 1 chars long" + - name: Should reject an OpenStack failure domain with too long a rootVolume volumeType name initial: | apiVersion: machine.openshift.io/v1 kind: ControlPlaneMachineSet @@ -448,8 +476,9 @@ tests: platform: OpenStack openstack: - availabilityZone: foo - rootVolume: {} - expectedError: "spec.template.machines_v1beta1_machine_openshift_io.failureDomains.openstack[0].rootVolume in body should have at least 1 properties" + rootVolume: + volumeType: a123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 + expectedError: "spec.template.machines_v1beta1_machine_openshift_io.failureDomains.openstack[0].rootVolume.volumeType: Too long: may not be longer than 255" - name: Should reject an OpenStack failure domain with both availabilityZone and root volume provided but with missing root volume availabilityZone initial: | apiVersion: machine.openshift.io/v1 @@ -549,6 +578,7 @@ tests: openstack: - rootVolume: availabilityZone: "" + volumeType: fast expectedError: "spec.template.machines_v1beta1_machine_openshift_io.failureDomains.openstack[0].rootVolume.availabilityZone in body should be at least 1 chars long" - name: Should reject an OpenStack failure domain with an invalid availabilityZone provided initial: | @@ -598,4 +628,5 @@ tests: openstack: - rootVolume: availabilityZone: "foo bar" + volumeType: fast expectedError: "spec.template.machines_v1beta1_machine_openshift_io.failureDomains.openstack[0].rootVolume.availabilityZone in body should match" diff --git a/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go b/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go index b31e0e54..9f81f4d1 100644 --- a/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go +++ b/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go @@ -325,7 +325,6 @@ type OpenStackFailureDomain struct { // RootVolume represents the volume metadata to boot from. // The original RootVolume struct is defined in the v1alpha1 but it's not best practice to use it directly here so we define a new one // that should stay in sync with the original one. -// +kubebuilder:validation:MinProperties:=1 type RootVolume struct { // availabilityZone specifies the Cinder availability zone where the root volume will be created. // If not specifified, the root volume will be created in the availability zone specified by the volume type in the cinder configuration. @@ -343,12 +342,16 @@ type RootVolume struct { AvailabilityZone string `json:"availabilityZone,omitempty"` // volumeType specifies the type of the root volume that will be provisioned. - // If not specifified, the root volume will be created as the type in the machine template. // The maximum length of a volume type name is 255 characters, as per the OpenStack limit. + // + --- + // + Historically, the installer has always required a volume type to be specified when deploying + // + the control plane with a root volume. This is because the default volume type in Cinder is not guaranteed + // + to be available, therefore we prefer the user to be explicit about the volume type to use. + // + We apply the same logic in CPMS: if the failure domain specifies a root volume, we require the user to specify a volume type. + // +kubebuilder:validation:Required // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=255 - // +optional - VolumeType string `json:"volumeType,omitempty"` + VolumeType string `json:"volumeType"` } // ControlPlaneMachineSetStatus represents the status of the ControlPlaneMachineSet CRD. diff --git a/vendor/github.com/openshift/api/machine/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1/zz_generated.swagger_doc_generated.go index 01269a67..03f4f826 100644 --- a/vendor/github.com/openshift/api/machine/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machine/v1/zz_generated.swagger_doc_generated.go @@ -287,7 +287,7 @@ func (OpenStackFailureDomain) SwaggerDoc() map[string]string { var map_RootVolume = map[string]string{ "": "RootVolume represents the volume metadata to boot from. The original RootVolume struct is defined in the v1alpha1 but it's not best practice to use it directly here so we define a new one that should stay in sync with the original one.", "availabilityZone": "availabilityZone specifies the Cinder availability zone where the root volume will be created. If not specifified, the root volume will be created in the availability zone specified by the volume type in the cinder configuration. If the volume type (configured in the OpenStack cluster) does not specify an availability zone, the root volume will be created in the default availability zone specified in the cinder configuration. See https://docs.openstack.org/cinder/latest/admin/availability-zone-type.html for more details. If the OpenStack cluster is deployed with the cross_az_attach configuration option set to false, the root volume will have to be in the same availability zone as the VM (defined by OpenStackFailureDomain.AvailabilityZone). Availability zone names must NOT contain spaces otherwise it will lead to volume that belongs to this availability zone register failure, see kubernetes/cloud-provider-openstack#1379 for further information. The maximum length of availability zone name is 63 as per labels limits.", - "volumeType": "volumeType specifies the type of the root volume that will be provisioned. If not specifified, the root volume will be created as the type in the machine template. The maximum length of a volume type name is 255 characters, as per the OpenStack limit.", + "volumeType": "volumeType specifies the type of the root volume that will be provisioned. The maximum length of a volume type name is 255 characters, as per the OpenStack limit. ", } func (RootVolume) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/operator/v1/0000_50_ingress-operator_00-ingresscontroller.crd.yaml b/vendor/github.com/openshift/api/operator/v1/0000_50_ingress-operator_00-ingresscontroller.crd.yaml index 7639bed0..4ff57e35 100644 --- a/vendor/github.com/openshift/api/operator/v1/0000_50_ingress-operator_00-ingresscontroller.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/0000_50_ingress-operator_00-ingresscontroller.crd.yaml @@ -296,8 +296,8 @@ spec: - message: set is required when type is Set, and forbidden otherwise rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) : !has(self.set)' name: - description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.' - maxLength: 1024 + description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.' + maxLength: 255 minLength: 1 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ type: string @@ -356,8 +356,8 @@ spec: - message: set is required when type is Set, and forbidden otherwise rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) : !has(self.set)' name: - description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.' - maxLength: 1024 + description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.' + maxLength: 255 minLength: 1 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ type: string diff --git a/vendor/github.com/openshift/api/operator/v1/types_ingress.go b/vendor/github.com/openshift/api/operator/v1/types_ingress.go index 120695d1..3d9f512a 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_ingress.go +++ b/vendor/github.com/openshift/api/operator/v1/types_ingress.go @@ -1473,11 +1473,11 @@ type IngressControllerHTTPHeader struct { // The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". // The following header names are reserved and may not be modified via this API: // Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. - // It must be no more than 1024 characters in length. + // It must be no more than 255 characters in length. // Header name must be unique. // +kubebuilder:validation:Required // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MaxLength=255 // +kubebuilder:validation:Pattern="^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$" // +kubebuilder:validation:XValidation:rule="self.lowerAscii() != 'strict-transport-security'",message="strict-transport-security header may not be modified via header actions" // +kubebuilder:validation:XValidation:rule="self.lowerAscii() != 'proxy'",message="proxy header may not be modified via header actions" diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index f3ebb503..d10bbd51 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go @@ -852,7 +852,7 @@ func (IngressControllerCaptureHTTPHeaders) SwaggerDoc() map[string]string { var map_IngressControllerHTTPHeader = map[string]string{ "": "IngressControllerHTTPHeader specifies configuration for setting or deleting an HTTP header.", - "name": "name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, \"-!#$%&'*+.^_`\". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.", + "name": "name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, \"-!#$%&'*+.^_`\". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.", "action": "action specifies actions to perform on headers, such as setting or deleting headers.", } diff --git a/vendor/github.com/openshift/api/route/v1/generated.proto b/vendor/github.com/openshift/api/route/v1/generated.proto index bec5208c..d31fa522 100644 --- a/vendor/github.com/openshift/api/route/v1/generated.proto +++ b/vendor/github.com/openshift/api/route/v1/generated.proto @@ -72,11 +72,11 @@ message RouteHTTPHeader { // The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". // The following header names are reserved and may not be modified via this API: // Strict-Transport-Security, Proxy, Cookie, Set-Cookie. - // It must be no more than 1024 characters in length. + // It must be no more than 255 characters in length. // Header name must be unique. // +kubebuilder:validation:Required // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MaxLength=255 // +kubebuilder:validation:Pattern="^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$" // +kubebuilder:validation:XValidation:rule="self.lowerAscii() != 'strict-transport-security'",message="strict-transport-security header may not be modified via header actions" // +kubebuilder:validation:XValidation:rule="self.lowerAscii() != 'proxy'",message="proxy header may not be modified via header actions" diff --git a/vendor/github.com/openshift/api/route/v1/route-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/route/v1/route-CustomNoUpgrade.crd.yaml index 5c0f9c75..13461f66 100644 --- a/vendor/github.com/openshift/api/route/v1/route-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/route/v1/route-CustomNoUpgrade.crd.yaml @@ -128,9 +128,9 @@ spec: - rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) : !has(self.set)' message: set is required when type is Set, and forbidden otherwise name: - description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.' + description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.' type: string - maxLength: 1024 + maxLength: 255 minLength: 1 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ x-kubernetes-validations: @@ -186,9 +186,9 @@ spec: - rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) : !has(self.set)' message: set is required when type is Set, and forbidden otherwise name: - description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.' + description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.' type: string - maxLength: 1024 + maxLength: 255 minLength: 1 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ x-kubernetes-validations: diff --git a/vendor/github.com/openshift/api/route/v1/route-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/route/v1/route-TechPreviewNoUpgrade.crd.yaml index cc7533fe..87b617ca 100644 --- a/vendor/github.com/openshift/api/route/v1/route-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/route/v1/route-TechPreviewNoUpgrade.crd.yaml @@ -128,9 +128,9 @@ spec: - rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) : !has(self.set)' message: set is required when type is Set, and forbidden otherwise name: - description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.' + description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.' type: string - maxLength: 1024 + maxLength: 255 minLength: 1 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ x-kubernetes-validations: @@ -186,9 +186,9 @@ spec: - rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) : !has(self.set)' message: set is required when type is Set, and forbidden otherwise name: - description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.' + description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.' type: string - maxLength: 1024 + maxLength: 255 minLength: 1 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ x-kubernetes-validations: diff --git a/vendor/github.com/openshift/api/route/v1/route.crd.yaml b/vendor/github.com/openshift/api/route/v1/route.crd.yaml index d3b16966..cda46fc3 100644 --- a/vendor/github.com/openshift/api/route/v1/route.crd.yaml +++ b/vendor/github.com/openshift/api/route/v1/route.crd.yaml @@ -139,8 +139,8 @@ spec: - message: set is required when type is Set, and forbidden otherwise rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) : !has(self.set)' name: - description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.' - maxLength: 1024 + description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.' + maxLength: 255 minLength: 1 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ type: string @@ -197,8 +197,8 @@ spec: - message: set is required when type is Set, and forbidden otherwise rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) : !has(self.set)' name: - description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.' - maxLength: 1024 + description: 'name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, "-!#$%&''*+.^_`". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.' + maxLength: 255 minLength: 1 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ type: string diff --git a/vendor/github.com/openshift/api/route/v1/types.go b/vendor/github.com/openshift/api/route/v1/types.go index 2f195a6a..2de728bc 100644 --- a/vendor/github.com/openshift/api/route/v1/types.go +++ b/vendor/github.com/openshift/api/route/v1/types.go @@ -240,11 +240,11 @@ type RouteHTTPHeader struct { // The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". // The following header names are reserved and may not be modified via this API: // Strict-Transport-Security, Proxy, Cookie, Set-Cookie. - // It must be no more than 1024 characters in length. + // It must be no more than 255 characters in length. // Header name must be unique. // +kubebuilder:validation:Required // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MaxLength=255 // +kubebuilder:validation:Pattern="^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$" // +kubebuilder:validation:XValidation:rule="self.lowerAscii() != 'strict-transport-security'",message="strict-transport-security header may not be modified via header actions" // +kubebuilder:validation:XValidation:rule="self.lowerAscii() != 'proxy'",message="proxy header may not be modified via header actions" diff --git a/vendor/github.com/openshift/api/route/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/route/v1/zz_generated.swagger_doc_generated.go index abcec62c..8d495871 100644 --- a/vendor/github.com/openshift/api/route/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/route/v1/zz_generated.swagger_doc_generated.go @@ -33,7 +33,7 @@ func (Route) SwaggerDoc() map[string]string { var map_RouteHTTPHeader = map[string]string{ "": "RouteHTTPHeader specifies configuration for setting or deleting an HTTP header.", - "name": "name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, \"-!#$%&'*+.^_`\". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 1024 characters in length. Header name must be unique.", + "name": "name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2. The name must consist only of alphanumeric and the following special characters, \"-!#$%&'*+.^_`\". The following header names are reserved and may not be modified via this API: Strict-Transport-Security, Proxy, Cookie, Set-Cookie. It must be no more than 255 characters in length. Header name must be unique.", "action": "action specifies actions to perform on headers, such as setting or deleting headers.", } diff --git a/vendor/github.com/openshift/library-go/pkg/config/serving/server.go b/vendor/github.com/openshift/library-go/pkg/config/serving/server.go index 3b11518d..15ebf898 100644 --- a/vendor/github.com/openshift/library-go/pkg/config/serving/server.go +++ b/vendor/github.com/openshift/library-go/pkg/config/serving/server.go @@ -20,7 +20,7 @@ import ( ) func ToServerConfig(ctx context.Context, servingInfo configv1.HTTPServingInfo, authenticationConfig operatorv1alpha1.DelegatedAuthentication, authorizationConfig operatorv1alpha1.DelegatedAuthorization, - kubeConfigFile string, kubeClient *kubernetes.Clientset, le *configv1.LeaderElection) (*genericapiserver.Config, error) { + kubeConfigFile string, kubeClient *kubernetes.Clientset, le *configv1.LeaderElection, enableHTTP2 bool) (*genericapiserver.Config, error) { scheme := runtime.NewScheme() metav1.AddToGroupVersion(scheme, metav1.SchemeGroupVersion) config := genericapiserver.NewConfig(serializer.NewCodecFactory(scheme)) @@ -82,6 +82,8 @@ func ToServerConfig(ctx context.Context, servingInfo configv1.HTTPServingInfo, a } } + config.SecureServing.DisableHTTP2 = !enableHTTP2 + return config, nil } diff --git a/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/builder.go b/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/builder.go index 906fe282..918ef7c6 100644 --- a/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/builder.go +++ b/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/builder.go @@ -94,6 +94,9 @@ type ControllerBuilder struct { // Keep track if we defaulted leader election, used to make sure we don't stomp on the users intent for leader election // We use this flag to determine at runtime if we can alter leader election for SNO configurations userExplicitlySetLeaderElectionValues bool + + // Allow enabling HTTP2 + enableHTTP2 bool } // NewController returns a builder struct for constructing the command you want to run @@ -172,6 +175,12 @@ func (b *ControllerBuilder) WithServer(servingInfo configv1.HTTPServingInfo, aut return b } +// WithHTTP2 indicates that http2 should be enabled +func (b *ControllerBuilder) WithHTTP2() *ControllerBuilder { + b.enableHTTP2 = true + return b +} + // WithHealthChecks adds a list of healthchecks to the server func (b *ControllerBuilder) WithHealthChecks(healthChecks ...healthz.HealthChecker) *ControllerBuilder { b.healthChecks = append(b.healthChecks, healthChecks...) @@ -269,7 +278,7 @@ func (b *ControllerBuilder) Run(ctx context.Context, config *unstructured.Unstru var server *genericapiserver.GenericAPIServer if b.servingInfo != nil { - serverConfig, err := serving.ToServerConfig(ctx, *b.servingInfo, *b.authenticationConfig, *b.authorizationConfig, kubeConfig, kubeClient, b.leaderElection) + serverConfig, err := serving.ToServerConfig(ctx, *b.servingInfo, *b.authenticationConfig, *b.authorizationConfig, kubeConfig, kubeClient, b.leaderElection, b.enableHTTP2) if err != nil { return err } diff --git a/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/cmd.go b/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/cmd.go index 68e74792..1ca734a7 100644 --- a/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/cmd.go +++ b/vendor/github.com/openshift/library-go/pkg/controller/controllercmd/cmd.go @@ -45,6 +45,9 @@ type ControllerCommandConfig struct { // DisableServing disables serving metrics, debug and health checks and so on. DisableServing bool + // Allow enabling HTTP2 + EnableHTTP2 bool + // DisableLeaderElection allows leader election to be suspended DisableLeaderElection bool @@ -314,6 +317,9 @@ func (c *ControllerCommandConfig) StartController(ctx context.Context) error { if !c.DisableServing { builder = builder.WithServer(config.ServingInfo, config.Authentication, config.Authorization) + if c.EnableHTTP2 { + builder = builder.WithHTTP2() + } } return builder.Run(controllerCtx, unstructuredConfig) diff --git a/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go b/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go index 554112c4..c585a65b 100644 --- a/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go +++ b/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go @@ -758,15 +758,17 @@ func GetServerCert(certFile, keyFile string, hostnames sets.String) (*TLSCertifi } cert := server.Certs[0] - ips, dns := IPAddressesDNSNames(hostnames.List()) - missingIps := ipsNotInSlice(ips, cert.IPAddresses) - missingDns := stringsNotInSlice(dns, cert.DNSNames) - if len(missingIps) == 0 && len(missingDns) == 0 { + certNames := sets.NewString() + for _, ip := range cert.IPAddresses { + certNames.Insert(ip.String()) + } + certNames.Insert(cert.DNSNames...) + if hostnames.Equal(certNames) { klog.V(4).Infof("Found existing server certificate in %s", certFile) return server, nil } - return nil, fmt.Errorf("Existing server certificate in %s was missing some hostnames (%v) or IP addresses (%v).", certFile, missingDns, missingIps) + return nil, fmt.Errorf("Existing server certificate in %s does not match required hostnames.", certFile) } func (ca *CA) MakeAndWriteServerCert(certFile, keyFile string, hostnames sets.String, expireDays int) (*TLSCertificateConfig, error) { @@ -1212,41 +1214,3 @@ func writeKeyFile(f io.Writer, key crypto.PrivateKey) error { return nil } - -func stringsNotInSlice(needles []string, haystack []string) []string { - missing := []string{} - for _, needle := range needles { - if !stringInSlice(needle, haystack) { - missing = append(missing, needle) - } - } - return missing -} - -func stringInSlice(needle string, haystack []string) bool { - for _, straw := range haystack { - if needle == straw { - return true - } - } - return false -} - -func ipsNotInSlice(needles []net.IP, haystack []net.IP) []net.IP { - missing := []net.IP{} - for _, needle := range needles { - if !ipInSlice(needle, haystack) { - missing = append(missing, needle) - } - } - return missing -} - -func ipInSlice(needle net.IP, haystack []net.IP) bool { - for _, straw := range haystack { - if needle.Equal(straw) { - return true - } - } - return false -} diff --git a/vendor/modules.txt b/vendor/modules.txt index 082a0ca3..bb712925 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -160,7 +160,7 @@ github.com/modern-go/reflect2 # github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 ## explicit github.com/munnerz/goautoneg -# github.com/openshift/api v0.0.0-20230804173756-26b8597c4de2 +# github.com/openshift/api v0.0.0-20230807132801-600991d550ac ## explicit; go 1.20 github.com/openshift/api github.com/openshift/api/apiserver @@ -273,7 +273,7 @@ github.com/openshift/client-go/operator/informers/externalversions/operator/v1 github.com/openshift/client-go/operator/informers/externalversions/operator/v1alpha1 github.com/openshift/client-go/operator/listers/operator/v1 github.com/openshift/client-go/operator/listers/operator/v1alpha1 -# github.com/openshift/library-go v0.0.0-20230724150037-c515269de16e +# github.com/openshift/library-go v0.0.0-20231103161458-0ec67489d123 ## explicit; go 1.20 github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer github.com/openshift/library-go/pkg/config/client