From 8aef34f664f6329eb7fcc177472b79869dd6d965 Mon Sep 17 00:00:00 2001 From: Fabio Bertinatto Date: Wed, 12 Jan 2022 11:50:21 -0300 Subject: [PATCH 1/2] bump(openshift/library-go): to get custom CA fixes go get github.com/openshift/library-go@release-4.9 && go mod vendor && go mod tidy --- go.mod | 8 +- go.sum | 40 ++++---- ...000_10_config-operator_01_ingress.crd.yaml | 13 ++- .../openshift/api/config/v1/types.go | 10 +- .../v1/zz_generated.swagger_doc_generated.go | 6 +- vendor/github.com/openshift/api/go.mod | 7 +- vendor/github.com/openshift/api/go.sum | 12 +-- .../make/targets/openshift/images.mk | 4 + .../make/targets/openshift/kustomize.mk | 5 + .../library-go/pkg/crypto/missing_san.go | 40 ++++++++ .../helpers.go | 87 +++++++++++++---- .../csidrivernodeservicecontroller/helpers.go | 93 +++++++++++++++++++ .../resource/resourcemerge/object_merger.go | 90 +++++++++++++++++- .../resourcesynccontroller/interfaces.go | 9 +- .../resourcesync_controller.go | 50 ++++++++-- .../pkg/operator/v1helpers/helpers.go | 39 ++++++++ vendor/github.com/sirupsen/logrus/.travis.yml | 14 ++- .../github.com/sirupsen/logrus/CHANGELOG.md | 36 +++++++ vendor/github.com/sirupsen/logrus/README.md | 2 +- vendor/github.com/sirupsen/logrus/entry.go | 73 ++++++++------- vendor/github.com/sirupsen/logrus/go.sum | 2 - .../sirupsen/logrus/json_formatter.go | 5 +- vendor/github.com/sirupsen/logrus/logger.go | 2 +- .../sirupsen/logrus/terminal_check_unix.go | 2 +- .../sirupsen/logrus/text_formatter.go | 7 +- .../pkg/admission/metrics/metrics.go | 22 ++--- .../plugin/webhook/mutating/dispatcher.go | 6 +- .../plugin/webhook/validating/dispatcher.go | 6 +- .../pkg/endpoints/metrics/metrics.go | 17 +++- .../pkg/server/deprecated_insecure_serving.go | 3 + .../apiserver/pkg/server/options/audit.go | 24 ++--- .../apiserver/pkg/server/secure_serving.go | 14 ++- .../apiserver/pkg/storage/etcd3/store.go | 30 ++++++ vendor/modules.txt | 18 ++-- 34 files changed, 635 insertions(+), 161 deletions(-) create mode 100644 vendor/github.com/openshift/library-go/pkg/crypto/missing_san.go diff --git a/go.mod b/go.mod index 3ec34e1f..df0c0586 100644 --- a/go.mod +++ b/go.mod @@ -3,10 +3,10 @@ module github.com/openshift/gcp-pd-csi-driver-operator go 1.16 require ( - github.com/openshift/api v0.0.0-20210730095913-85e1d547cdee - github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3 - github.com/openshift/client-go v0.0.0-20210730113412-1811c1b3fc0e - github.com/openshift/library-go v0.0.0-20210830145332-4a9873bf5e74 + github.com/openshift/api v0.0.0-20210831091943-07e756545ac1 + github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37 + github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7 + github.com/openshift/library-go v0.0.0-20220112123419-0a017a8d304f github.com/prometheus/client_golang v1.11.0 github.com/spf13/cobra v1.1.3 github.com/spf13/pflag v1.0.5 diff --git a/go.sum b/go.sum index 46806f74..b7f1b102 100644 --- a/go.sum +++ b/go.sum @@ -453,14 +453,15 @@ github.com/onsi/gomega v1.10.1 h1:o0+MgICZLuZ7xjH7Vx6zS/zcu93/BEp1VwkIW1mEXCE= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/openshift/api v0.0.0-20210730095913-85e1d547cdee h1:6c2jWQObJGpqW+3UynpLUUTWv1D7VoMoTUM/kT55glU= -github.com/openshift/api v0.0.0-20210730095913-85e1d547cdee/go.mod h1:ntkQrC1Z6AxxkhDlVpDVjkD+pzdwVUalWyfH40rSyyM= -github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3 h1:hYMLjavR8LrcCva788SxDqYjRc1k2w0LNGi7eX9vY5Y= +github.com/openshift/api v0.0.0-20210831091943-07e756545ac1 h1:BleifEWC+NP/YhYHyQlGrDflXZPxawwOzyLUI+nr4jw= +github.com/openshift/api v0.0.0-20210831091943-07e756545ac1/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8= github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= -github.com/openshift/client-go v0.0.0-20210730113412-1811c1b3fc0e h1:vhwzeXUxLd6JZlWZ+miBzTEpmVctHyHNq9z43ScYxWI= -github.com/openshift/client-go v0.0.0-20210730113412-1811c1b3fc0e/go.mod h1:P1pjphFOgm/nYjmtouHGaSLGtdP25dQICJnYtcYhfEs= -github.com/openshift/library-go v0.0.0-20210830145332-4a9873bf5e74 h1:dueDOyTh+Ccjo4pnJxwrCziPk7I7jTFof8hGom8PKII= -github.com/openshift/library-go v0.0.0-20210830145332-4a9873bf5e74/go.mod h1:3GagmGg6gikg+hAqma7E7axBzs2pjx4+GrAbdl4OYdY= +github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37 h1:40Nw4fwP1tXx0g1UgIGoLA9eoSdLm7jBUXFH5uVYjBA= +github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= +github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7 h1:iKVU5Tga76kiCWpq9giPi0TfI/gZcFoYb7/x+1SkgwM= +github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7/go.mod h1:D6P8RkJzwdkBExQdYUnkWcePMLBiTeCCr8eQIQ7y8Dk= +github.com/openshift/library-go v0.0.0-20220112123419-0a017a8d304f h1:Cw42CAhv+wMcYRbZMiwER3DKhXuAQsfMRznjVvD9NWQ= +github.com/openshift/library-go v0.0.0-20220112123419-0a017a8d304f/go.mod h1:5TSPiu4ZEPW5NwUspgqYqjSD/wF86JWGy+x8jB+9oB4= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= @@ -519,8 +520,9 @@ github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeV github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= -github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= +github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= @@ -988,33 +990,29 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= k8s.io/api v0.18.0-beta.2/go.mod h1:2oeNnWEqcSmaM/ibSh3t7xcIqbkGXhzZdn4ezV9T4m0= -k8s.io/api v0.22.0-rc.0/go.mod h1:EUcKB6RvpW74HMRUSSNwpUzrIHBdGT1FeAvOV+txic0= k8s.io/api v0.22.1 h1:ISu3tD/jRhYfSW8jI/Q1e+lRxkR7w9UwQEZ7FgslrwY= k8s.io/api v0.22.1/go.mod h1:bh13rkTp3F1XEaLGykbyRD2QaTTzPm0e/BMd8ptFONY= k8s.io/apiextensions-apiserver v0.17.0/go.mod h1:XiIFUakZywkUl54fVXa7QTEHcqQz9HG55nHd1DCoHj8= k8s.io/apiextensions-apiserver v0.18.0-beta.2/go.mod h1:Hnrg5jx8/PbxRbUoqDGxtQkULjwx8FDW4WYJaKNK+fk= -k8s.io/apiextensions-apiserver v0.22.0-rc.0 h1:UtPjFr6a4FckzD+JCSgDEafpcNSnXzdRPpoV7gMWOLI= -k8s.io/apiextensions-apiserver v0.22.0-rc.0/go.mod h1:KSr+2VJ6ye8Fy50q7xHZ/Tw8vrRII82KIKbz9eUFmeo= +k8s.io/apiextensions-apiserver v0.22.1 h1:YSJYzlFNFSfUle+yeEXX0lSQyLEoxoPJySRupepb0gE= +k8s.io/apiextensions-apiserver v0.22.1/go.mod h1:HeGmorjtRmRLE+Q8dJu6AYRoZccvCMsghwS8XTUYb2c= k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= k8s.io/apimachinery v0.18.0-beta.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA= -k8s.io/apimachinery v0.22.0-rc.0/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= k8s.io/apimachinery v0.22.1 h1:DTARnyzmdHMz7bFWFDDm22AM4pLWTQECMpRTFu2d2OM= k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg= k8s.io/apiserver v0.18.0-beta.2/go.mod h1:bnblMkMoCFnIfVnVftd0SXJPzyvrk3RtaqSbblphF/A= -k8s.io/apiserver v0.22.0-rc.0 h1:zc6u7PENvmbLpvfjxi2hjI7HNziFYNXhRqYsuglTHYA= -k8s.io/apiserver v0.22.0-rc.0/go.mod h1:1AfFSkRbaPVFzfSIWd0m/onp49mmAOqXR9qrLJFixlw= +k8s.io/apiserver v0.22.1 h1:Ul9Iv8OMB2s45h2tl5XWPpAZo1VPIJ/6N+MESeed7L8= +k8s.io/apiserver v0.22.1/go.mod h1:2mcM6dzSt+XndzVQJX21Gx0/Klo7Aen7i0Ai6tIa400= k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= k8s.io/client-go v0.18.0-beta.2/go.mod h1:UvuVxHjKWIcgy0iMvF+bwNDW7l0mskTNOaOW1Qv5BMA= -k8s.io/client-go v0.22.0-rc.0/go.mod h1:BZGppBKJh4UtgDZcIIh6vHJsJ1iZiXS7EwKZYWhyklo= k8s.io/client-go v0.22.1 h1:jW0ZSHi8wW260FvcXHkIa0NLxFBQszTlhiAVsU5mopw= k8s.io/client-go v0.22.1/go.mod h1:BquC5A4UOo4qVDUtoc04/+Nxp1MeHcVc1HJm1KmG8kk= k8s.io/code-generator v0.17.0/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= k8s.io/code-generator v0.18.0-beta.2/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc= -k8s.io/code-generator v0.22.0-rc.0/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o= +k8s.io/code-generator v0.22.1/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o= k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc= k8s.io/component-base v0.18.0-beta.2/go.mod h1:HVk5FpRnyzQ/MjBr9//e/yEBjTVa2qjGXCTuUzcD7ks= -k8s.io/component-base v0.22.0-rc.0/go.mod h1:DKSub/kewg24bK+3ZJ/csu86fSBYpGdYk837eCTvEKg= k8s.io/component-base v0.22.1 h1:SFqIXsEN3v3Kkr1bS6rstrs1wd45StJqbtgbQ4nRQdo= k8s.io/component-base v0.22.1/go.mod h1:0D+Bl8rrnsPN9v0dyYvkqFfBeAd4u7n77ze+p8CMiPo= k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= @@ -1032,8 +1030,8 @@ k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= k8s.io/klog/v2 v2.10.0 h1:R2HDMDJsHVTHA2n4RjwbeYXdOcBymXdX/JRb1v0VGhE= k8s.io/klog/v2 v2.10.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= k8s.io/kube-aggregator v0.18.0-beta.2/go.mod h1:O3Td9mheraINbLHH4pzoFP2gRzG0Wk1COqzdSL4rBPk= -k8s.io/kube-aggregator v0.22.0-rc.0 h1:FenE183nFPnFOFzZmwha8ElJ2/ByvcPu3tpEfx82xgU= -k8s.io/kube-aggregator v0.22.0-rc.0/go.mod h1:g0xtiBSsbMKvewN7xR/Icib4TrHxtvrJcHtYvFsgw7k= +k8s.io/kube-aggregator v0.22.1 h1:hsntyWsnkLiL4ccmoKfqiUVyxnlnqtqPRMuq/mT2wGQ= +k8s.io/kube-aggregator v0.22.1/go.mod h1:VbmI+8fUeCPkzSvarWTrlIGEgUGEGI/66SFajDQ0Pdc= k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e h1:KLHHjkdQFomZy8+06csTWZ0m1343QqxZhR2LJ1OxCYM= @@ -1051,8 +1049,8 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.21 h1:pZrqT6D1ELgaNLxcp5I2ArxqW7E5rMNFXUppOajqquo= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.21/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22 h1:fmRfl9WJ4ApJn7LxNuED4m0t18qivVQOxP6aAYG9J6c= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= sigs.k8s.io/controller-tools v0.2.8/go.mod h1:9VKHPszmf2DHz/QmHkcfZoewO6BL7pPs9uAiBVsaJSE= sigs.k8s.io/kube-storage-version-migrator v0.0.4 h1:qsCecgZHgdismlTt8xCmS/3numvpxrj58RWJeIg76wc= sigs.k8s.io/kube-storage-version-migrator v0.0.4/go.mod h1:mXfSLkx9xbJHQsgNDDUZK/iQTs2tMbx/hsJlWe6Fthw= diff --git a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_ingress.crd.yaml b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_ingress.crd.yaml index 8c60875d..95fe8dfd 100644 --- a/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_ingress.crd.yaml +++ b/vendor/github.com/openshift/api/config/v1/0000_10_config-operator_01_ingress.crd.yaml @@ -82,10 +82,13 @@ spec: type: array items: type: object + required: + - domainPatterns properties: domainPatterns: - description: "domainPatterns is a list of domains for which the desired HSTS annotations are required. If domainPatterns is specified and a route is created with a spec.host matching one of the domains, the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. \n The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. kubebuilder:validation:MinLength=1" + description: "domainPatterns is a list of domains for which the desired HSTS annotations are required. If domainPatterns is specified and a route is created with a spec.host matching one of the domains, the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. \n The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*." type: array + minItems: 1 items: type: string includeSubDomainsPolicy: @@ -100,13 +103,17 @@ spec: type: object properties: largestMaxAge: - description: The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age This value can be left unspecified, in which case no upper limit is enforced. kubebuilder:validation:minimum=0:maximum=2147483647 + description: The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age This value can be left unspecified, in which case no upper limit is enforced. type: integer format: int32 + maximum: 2147483647 + minimum: 0 smallestMaxAge: - description: The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary tool for administrators to quickly correct mistakes. This value can be left unspecified, in which case no lower limit is enforced. kubebuilder:validation:minimum=0:maximum=2147483647 + description: The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary tool for administrators to quickly correct mistakes. This value can be left unspecified, in which case no lower limit is enforced. type: integer format: int32 + maximum: 2147483647 + minimum: 0 namespaceSelector: description: namespaceSelector specifies a label selector such that the policy applies only to those routes that are in namespaces with labels that match the selector, and are in one of the DomainPatterns. Defaults to the empty LabelSelector, which matches everything. type: object diff --git a/vendor/github.com/openshift/api/config/v1/types.go b/vendor/github.com/openshift/api/config/v1/types.go index 4986c44e..56d00648 100644 --- a/vendor/github.com/openshift/api/config/v1/types.go +++ b/vendor/github.com/openshift/api/config/v1/types.go @@ -323,7 +323,8 @@ type RequiredHSTSPolicy struct { // // The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. // foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - // kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:Required // +required DomainPatterns []string `json:"domainPatterns"` @@ -332,7 +333,6 @@ type RequiredHSTSPolicy struct { // If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. // maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS // policy will eventually expire on that client. - // +required MaxAge MaxAgePolicy `json:"maxAge"` // preloadPolicy directs the client to include hosts in its host preload list so that @@ -355,14 +355,16 @@ type RequiredHSTSPolicy struct { type MaxAgePolicy struct { // The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age // This value can be left unspecified, in which case no upper limit is enforced. - // kubebuilder:validation:minimum=0:maximum=2147483647 + // +kubebuilder:validation:Minimum=0 + // +kubebuilder:validation:Maximum=2147483647 LargestMaxAge *int32 `json:"largestMaxAge,omitempty"` // The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age // Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary // tool for administrators to quickly correct mistakes. // This value can be left unspecified, in which case no lower limit is enforced. - // kubebuilder:validation:minimum=0:maximum=2147483647 + // +kubebuilder:validation:Minimum=0 + // +kubebuilder:validation:Maximum=2147483647 SmallestMaxAge *int32 `json:"smallestMaxAge,omitempty"` } diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index 4cb45be7..8287ce6e 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go @@ -183,8 +183,8 @@ func (LeaderElection) SwaggerDoc() map[string]string { var map_MaxAgePolicy = map[string]string{ "": "MaxAgePolicy contains a numeric range for specifying a compliant HSTS max-age for the enclosing RequiredHSTSPolicy", - "largestMaxAge": "The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age This value can be left unspecified, in which case no upper limit is enforced. kubebuilder:validation:minimum=0:maximum=2147483647", - "smallestMaxAge": "The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary tool for administrators to quickly correct mistakes. This value can be left unspecified, in which case no lower limit is enforced. kubebuilder:validation:minimum=0:maximum=2147483647", + "largestMaxAge": "The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age This value can be left unspecified, in which case no upper limit is enforced.", + "smallestMaxAge": "The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary tool for administrators to quickly correct mistakes. This value can be left unspecified, in which case no lower limit is enforced.", } func (MaxAgePolicy) SwaggerDoc() map[string]string { @@ -212,7 +212,7 @@ func (RemoteConnectionInfo) SwaggerDoc() map[string]string { var map_RequiredHSTSPolicy = map[string]string{ "namespaceSelector": "namespaceSelector specifies a label selector such that the policy applies only to those routes that are in namespaces with labels that match the selector, and are in one of the DomainPatterns. Defaults to the empty LabelSelector, which matches everything.", - "domainPatterns": "domainPatterns is a list of domains for which the desired HSTS annotations are required. If domainPatterns is specified and a route is created with a spec.host matching one of the domains, the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy.\n\nThe use of wildcards is allowed like this: *.foo.com matches everything under foo.com. foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. kubebuilder:validation:MinLength=1", + "domainPatterns": "domainPatterns is a list of domains for which the desired HSTS annotations are required. If domainPatterns is specified and a route is created with a spec.host matching one of the domains, the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy.\n\nThe use of wildcards is allowed like this: *.foo.com matches everything under foo.com. foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*.", "maxAge": "maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. If set to 0, it negates the effect, and hosts are removed as HSTS hosts. If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS policy will eventually expire on that client.", "preloadPolicy": "preloadPolicy directs the client to include hosts in its host preload list so that it never needs to do an initial load to get the HSTS header (note that this is not defined in RFC 6797 and is therefore client implementation-dependent).", "includeSubDomainsPolicy": "includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's domain name. Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com", diff --git a/vendor/github.com/openshift/api/go.mod b/vendor/github.com/openshift/api/go.mod index 4256da15..3eae32c0 100644 --- a/vendor/github.com/openshift/api/go.mod +++ b/vendor/github.com/openshift/api/go.mod @@ -9,9 +9,10 @@ require ( github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3 github.com/spf13/pflag v1.0.5 golang.org/x/tools v0.1.2 - k8s.io/api v0.22.0-rc.0 - k8s.io/apimachinery v0.22.0-rc.0 - k8s.io/code-generator v0.22.0-rc.0 + k8s.io/api v0.22.1 + k8s.io/apimachinery v0.22.1 + k8s.io/code-generator v0.22.1 k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027 k8s.io/klog/v2 v2.9.0 + sigs.k8s.io/yaml v1.2.0 ) diff --git a/vendor/github.com/openshift/api/go.sum b/vendor/github.com/openshift/api/go.sum index 0528f025..cf5ee285 100644 --- a/vendor/github.com/openshift/api/go.sum +++ b/vendor/github.com/openshift/api/go.sum @@ -250,12 +250,12 @@ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.22.0-rc.0 h1:LcnCE0nmb2CVpvmlbHkIzjZUHcVpSoNcn8mJkIo4FoQ= -k8s.io/api v0.22.0-rc.0/go.mod h1:EUcKB6RvpW74HMRUSSNwpUzrIHBdGT1FeAvOV+txic0= -k8s.io/apimachinery v0.22.0-rc.0 h1:boMGWXiuYJl4sAEMTEyWJtX4VLEPf0LZ0nUh+vNALIg= -k8s.io/apimachinery v0.22.0-rc.0/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= -k8s.io/code-generator v0.22.0-rc.0 h1:8ZPtFa3yhlV5mz8DpLZYe7FetNH4qtZGkrDnkl2G1MU= -k8s.io/code-generator v0.22.0-rc.0/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o= +k8s.io/api v0.22.1 h1:ISu3tD/jRhYfSW8jI/Q1e+lRxkR7w9UwQEZ7FgslrwY= +k8s.io/api v0.22.1/go.mod h1:bh13rkTp3F1XEaLGykbyRD2QaTTzPm0e/BMd8ptFONY= +k8s.io/apimachinery v0.22.1 h1:DTARnyzmdHMz7bFWFDDm22AM4pLWTQECMpRTFu2d2OM= +k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= +k8s.io/code-generator v0.22.1 h1:zAcKpn+xe9Iyc4qtZlfg4tD0f+SO2h5+e/s4pZPOVhs= +k8s.io/code-generator v0.22.1/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027 h1:Uusb3oh8XcdzDF/ndlI4ToKTYVlkCSJP39SRY2mfRAw= k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= diff --git a/vendor/github.com/openshift/build-machinery-go/make/targets/openshift/images.mk b/vendor/github.com/openshift/build-machinery-go/make/targets/openshift/images.mk index 47cc2279..c53c3f1b 100644 --- a/vendor/github.com/openshift/build-machinery-go/make/targets/openshift/images.mk +++ b/vendor/github.com/openshift/build-machinery-go/make/targets/openshift/images.mk @@ -1,3 +1,7 @@ +include $(addprefix $(dir $(lastword $(MAKEFILE_LIST))), \ + imagebuilder.mk \ +) + # IMAGE_BUILD_EXTRA_FLAGS lets you add extra flags for imagebuilder # e.g. to mount secrets and repo information into base image like: # make images IMAGE_BUILD_EXTRA_FLAGS='-mount ~/projects/origin-repos/4.2/:/etc/yum.repos.d/' diff --git a/vendor/github.com/openshift/build-machinery-go/make/targets/openshift/kustomize.mk b/vendor/github.com/openshift/build-machinery-go/make/targets/openshift/kustomize.mk index 7ff64334..79c26f91 100644 --- a/vendor/github.com/openshift/build-machinery-go/make/targets/openshift/kustomize.mk +++ b/vendor/github.com/openshift/build-machinery-go/make/targets/openshift/kustomize.mk @@ -12,8 +12,13 @@ ensure-kustomize: ifeq "" "$(wildcard $(KUSTOMIZE))" $(info Installing kustomize into '$(KUSTOMIZE)') mkdir -p '$(kustomize_dir)' + @# install_kustomize.sh lays down the binary as `kustomize`, and will + @# also fail if a file of that name already exists. Remove it for + @# backward compatibility (older b-m-gs used the raw file name). + rm -f $(kustomize_dir)/kustomize @# NOTE: Pinning script to a tag rather than `master` for security reasons curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/kustomize/v$(KUSTOMIZE_VERSION)/hack/install_kustomize.sh" | bash -s $(KUSTOMIZE_VERSION) $(kustomize_dir) + mv $(kustomize_dir)/kustomize $(KUSTOMIZE) else $(info Using existing kustomize from "$(KUSTOMIZE)") endif diff --git a/vendor/github.com/openshift/library-go/pkg/crypto/missing_san.go b/vendor/github.com/openshift/library-go/pkg/crypto/missing_san.go new file mode 100644 index 00000000..bf17008a --- /dev/null +++ b/vendor/github.com/openshift/library-go/pkg/crypto/missing_san.go @@ -0,0 +1,40 @@ +package crypto + +import ( + "crypto/x509" + "errors" + "strings" +) + +// CertHasSAN returns true if the given certificate includes a SAN field, else false. +func CertHasSAN(c *x509.Certificate) bool { + if c == nil { + return false + } + + sanOID := []int{2, 5, 29, 17} + + for i := range c.Extensions { + if c.Extensions[i].Id.Equal(sanOID) { + return true + } + } + return false +} + +// IsHostnameError returns true if the error indicates a host name error about legacy CN fields +// else false as a result of `x509.Certificate#VerifyHostname`. +// +// For Golang <1.17: If GODEBUG=x509ignoreCN=0 is set this will always return false. +// In this case, use `crypto.CertHasSAN` to assert validity of the certificate directly. +// +// See https://github.com/golang/go/blob/go1.16.12/src/crypto/x509/verify.go#L119 +func IsHostnameError(err error) bool { + if err != nil && + errors.As(err, &x509.HostnameError{}) && + strings.Contains(err.Error(), "x509: certificate relies on legacy Common Name field") { + return true + } + + return false +} diff --git a/vendor/github.com/openshift/library-go/pkg/operator/csi/csidrivercontrollerservicecontroller/helpers.go b/vendor/github.com/openshift/library-go/pkg/operator/csi/csidrivercontrollerservicecontroller/helpers.go index 6bc8206d..6acae36c 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/csi/csidrivercontrollerservicecontroller/helpers.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/csi/csidrivercontrollerservicecontroller/helpers.go @@ -8,6 +8,7 @@ import ( "strings" appsv1 "k8s.io/api/apps/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/labels" corev1 "k8s.io/client-go/informers/core/v1" corev1listers "k8s.io/client-go/listers/core/v1" @@ -48,6 +49,51 @@ func WithObservedProxyDeploymentHook() dc.DeploymentHookFunc { } } +func WithCABundleDeploymentHook( + configMapNamespace string, + configMapName string, + configMapInformer corev1.ConfigMapInformer, +) dc.DeploymentHookFunc { + return func(_ *opv1.OperatorSpec, deployment *appsv1.Deployment) error { + cm, err := configMapInformer.Lister().ConfigMaps(configMapNamespace).Get(configMapName) + if apierrors.IsNotFound(err) { + return nil + } + if err != nil { + return fmt.Errorf("failed to get ConfigMap %s/%s: %v", configMapNamespace, configMapName, err) + } + _, ok := cm.Data["ca-bundle.crt"] + if !ok { + return nil + } + + // Inject the CA bundle into the requested containers. This annotation is congruent to the + // one used by CVO and the proxy hook) to inject proxy information. + containerNamesString := deployment.Annotations["config.openshift.io/inject-proxy-cabundle"] + err = v1helpers.InjectTrustedCAIntoContainers( + &deployment.Spec.Template.Spec, + configMapName, + strings.Split(containerNamesString, ","), + ) + if err != nil { + return err + } + + // Now that the CA bundle is inject into the containers, add an annotation to the deployment + // so that it's rolled out when the ConfigMap content changes. + inputHashes, err := resourcehash.MultipleObjectHashStringMapForObjectReferenceFromLister( + configMapInformer.Lister(), + nil, + resourcehash.NewObjectRef().ForConfigMap().InNamespace(configMapNamespace).Named(configMapName), + ) + if err != nil { + return fmt.Errorf("invalid dependency reference: %w", err) + } + + return addObjectHash(deployment, inputHashes) + } +} + // WithSecretHashAnnotationHook creates a deployment hook that annotates a Deployment with a secret's hash. func WithSecretHashAnnotationHook( namespace string, @@ -63,23 +109,7 @@ func WithSecretHashAnnotationHook( if err != nil { return fmt.Errorf("invalid dependency reference: %w", err) } - if deployment.Annotations == nil { - deployment.Annotations = map[string]string{} - } - if deployment.Spec.Template.Annotations == nil { - deployment.Spec.Template.Annotations = map[string]string{} - } - for k, v := range inputHashes { - annotationKey := fmt.Sprintf("operator.openshift.io/dep-%s", k) - if len(annotationKey) > 63 { - hash := sha256.Sum256([]byte(k)) - annotationKey = fmt.Sprintf("operator.openshift.io/dep-%x", hash) - annotationKey = annotationKey[:63] - } - deployment.Annotations[annotationKey] = v - deployment.Spec.Template.Annotations[annotationKey] = v - } - return nil + return addObjectHash(deployment, inputHashes) } } @@ -194,3 +224,26 @@ func WithLeaderElectionReplacerHook(defaults configv1.LeaderElection) dc.Manifes return []byte(replaced), nil } } + +func addObjectHash(deployment *appsv1.Deployment, inputHashes map[string]string) error { + if deployment == nil { + return fmt.Errorf("invalid deployment: %v", deployment) + } + if deployment.Annotations == nil { + deployment.Annotations = map[string]string{} + } + if deployment.Spec.Template.Annotations == nil { + deployment.Spec.Template.Annotations = map[string]string{} + } + for k, v := range inputHashes { + annotationKey := fmt.Sprintf("operator.openshift.io/dep-%s", k) + if len(annotationKey) > 63 { + hash := sha256.Sum256([]byte(k)) + annotationKey = fmt.Sprintf("operator.openshift.io/dep-%x", hash) + annotationKey = annotationKey[:63] + } + deployment.Annotations[annotationKey] = v + deployment.Spec.Template.Annotations[annotationKey] = v + } + return nil +} diff --git a/vendor/github.com/openshift/library-go/pkg/operator/csi/csidrivernodeservicecontroller/helpers.go b/vendor/github.com/openshift/library-go/pkg/operator/csi/csidrivernodeservicecontroller/helpers.go index f32825d8..1709986e 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/csi/csidrivernodeservicecontroller/helpers.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/csi/csidrivernodeservicecontroller/helpers.go @@ -1,12 +1,17 @@ package csidrivernodeservicecontroller import ( + "crypto/sha256" + "fmt" "strings" opv1 "github.com/openshift/api/operator/v1" appsv1 "k8s.io/api/apps/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + corev1 "k8s.io/client-go/informers/core/v1" "github.com/openshift/library-go/pkg/operator/csi/csiconfigobservercontroller" + "github.com/openshift/library-go/pkg/operator/resource/resourcehash" "github.com/openshift/library-go/pkg/operator/v1helpers" ) @@ -23,3 +28,91 @@ func WithObservedProxyDaemonSetHook() DaemonSetHookFunc { return err } } + +func WithCABundleDaemonSetHook( + configMapNamespace string, + configMapName string, + configMapInformer corev1.ConfigMapInformer, +) DaemonSetHookFunc { + return func(_ *opv1.OperatorSpec, daemonSet *appsv1.DaemonSet) error { + cm, err := configMapInformer.Lister().ConfigMaps(configMapNamespace).Get(configMapName) + if apierrors.IsNotFound(err) { + return nil + } + if err != nil { + return fmt.Errorf("failed to get ConfigMap %s/%s: %v", configMapNamespace, configMapName, err) + } + _, ok := cm.Data["ca-bundle.crt"] + if !ok { + return nil + } + + // Inject the CA bundle into the requested containers. This annotation is congruent to the + // one used by CVO and the proxy hook) to inject proxy information. + containerNamesString := daemonSet.Annotations["config.openshift.io/inject-proxy-cabundle"] + err = v1helpers.InjectTrustedCAIntoContainers( + &daemonSet.Spec.Template.Spec, + configMapName, + strings.Split(containerNamesString, ","), + ) + if err != nil { + return err + } + + // Now that the CA bundle is inject into the containers, add an annotation to the daemonSet + // so that it's rolled out when the ConfigMap content changes. + inputHashes, err := resourcehash.MultipleObjectHashStringMapForObjectReferenceFromLister( + configMapInformer.Lister(), + nil, + resourcehash.NewObjectRef().ForConfigMap().InNamespace(configMapNamespace).Named(configMapName), + ) + if err != nil { + return fmt.Errorf("invalid dependency reference: %w", err) + } + + return addObjectHash(daemonSet, inputHashes) + } +} + +// WithSecretHashAnnotationHook creates a DaemonSet hook that annotates a DaemonSet with a secret's hash. +func WithSecretHashAnnotationHook( + namespace string, + secretName string, + secretInformer corev1.SecretInformer, +) DaemonSetHookFunc { + return func(_ *opv1.OperatorSpec, ds *appsv1.DaemonSet) error { + inputHashes, err := resourcehash.MultipleObjectHashStringMapForObjectReferenceFromLister( + nil, + secretInformer.Lister(), + resourcehash.NewObjectRef().ForSecret().InNamespace(namespace).Named(secretName), + ) + if err != nil { + return fmt.Errorf("invalid dependency reference: %w", err) + } + + return addObjectHash(ds, inputHashes) + } +} + +func addObjectHash(daemonSet *appsv1.DaemonSet, inputHashes map[string]string) error { + if daemonSet == nil { + return fmt.Errorf("invalid daemonSet: %v", daemonSet) + } + if daemonSet.Annotations == nil { + daemonSet.Annotations = map[string]string{} + } + if daemonSet.Spec.Template.Annotations == nil { + daemonSet.Spec.Template.Annotations = map[string]string{} + } + for k, v := range inputHashes { + annotationKey := fmt.Sprintf("operator.openshift.io/dep-%s", k) + if len(annotationKey) > 63 { + hash := sha256.Sum256([]byte(k)) + annotationKey = fmt.Sprintf("operator.openshift.io/dep-%x", hash) + annotationKey = annotationKey[:63] + } + daemonSet.Annotations[annotationKey] = v + daemonSet.Spec.Template.Annotations[annotationKey] = v + } + return nil +} diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourcemerge/object_merger.go b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourcemerge/object_merger.go index 5aee7879..4881c4b8 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/resource/resourcemerge/object_merger.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/resource/resourcemerge/object_merger.go @@ -5,6 +5,7 @@ import ( "strings" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" ) // EnsureObjectMeta writes namespace, name, labels, and annotations. Don't set other things here. @@ -14,13 +15,15 @@ func EnsureObjectMeta(modified *bool, existing *metav1.ObjectMeta, required meta SetStringIfSet(modified, &existing.Name, required.Name) MergeMap(modified, &existing.Labels, required.Labels) MergeMap(modified, &existing.Annotations, required.Annotations) + MergeOwnerRefs(modified, &existing.OwnerReferences, required.OwnerReferences) } -// WithCleanLabelsAndAnnotations cleans the metadata off the removal annotations/labels +// WithCleanLabelsAndAnnotations cleans the metadata off the removal annotations/labels/ownerrefs // (those that end with trailing "-") func WithCleanLabelsAndAnnotations(obj metav1.Object) metav1.Object { obj.SetAnnotations(cleanRemovalKeys(obj.GetAnnotations())) obj.SetLabels(cleanRemovalKeys(obj.GetLabels())) + obj.SetOwnerReferences(cleanRemovalOwnerRefs(obj.GetOwnerReferences())) return obj } @@ -187,3 +190,88 @@ func SetMapStringStringIfSet(modified *bool, existing *map[string]string, requir *existing = required } } + +func MergeOwnerRefs(modified *bool, existing *[]metav1.OwnerReference, required []metav1.OwnerReference) { + if *existing == nil { + *existing = []metav1.OwnerReference{} + } + + for _, o := range required { + removeOwner := false + + // if "required" ownerRefs contain an owner.UID with "-" as suffix, remove that + // ownerRef from the existing ownerRefs instead of replacing the value + // NOTE: this is the same format as kubectl annotate and kubectl label + if strings.HasSuffix(string(o.UID), "-") { + removeOwner = true + } + + existedIndex := 0 + + for existedIndex < len(*existing) { + if ownerRefMatched(o, (*existing)[existedIndex]) { + break + } + existedIndex++ + } + + if existedIndex == len(*existing) { + // There is no matched ownerref found, append the ownerref + // if it is not to be removed. + if !removeOwner { + *existing = append(*existing, o) + *modified = true + } + continue + } + + if removeOwner { + *existing = append((*existing)[:existedIndex], (*existing)[existedIndex+1:]...) + *modified = true + continue + } + + if !reflect.DeepEqual(o, (*existing)[existedIndex]) { + (*existing)[existedIndex] = o + *modified = true + } + } +} + +func ownerRefMatched(existing, required metav1.OwnerReference) bool { + if existing.Name != required.Name { + return false + } + + if existing.Kind != required.Kind { + return false + } + + existingGV, err := schema.ParseGroupVersion(existing.APIVersion) + + if err != nil { + return false + } + + requiredGV, err := schema.ParseGroupVersion(required.APIVersion) + + if err != nil { + return false + } + + if existingGV.Group != requiredGV.Group { + return false + } + + return true +} + +func cleanRemovalOwnerRefs(required []metav1.OwnerReference) []metav1.OwnerReference { + for k := 0; k < len(required); k++ { + if strings.HasSuffix(string(required[k].UID), "-") { + required = append(required[:k], required[k+1:]...) + k-- + } + } + return required +} diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/interfaces.go b/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/interfaces.go index 69c098d8..c53af8bd 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/interfaces.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/interfaces.go @@ -12,9 +12,16 @@ type ResourceLocation struct { Provider string `json:"provider,omitempty"` } +// PreconditionsFulfilled is a function that indicates whether all prerequisites +// are met and a resource can be synced. +type preconditionsFulfilled func() (bool, error) + +func alwaysFulfilledPreconditions() (bool, error) { return true, nil } + type syncRuleSource struct { ResourceLocation - syncedKeys sets.String // defines the set of keys to sync from source to dest + syncedKeys sets.String // defines the set of keys to sync from source to dest + preconditionsFulfilledFn preconditionsFulfilled // preconditions to fulfill before syncing the resource } type syncRules map[ResourceLocation]syncRuleSource diff --git a/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/resourcesync_controller.go b/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/resourcesync_controller.go index e473f3c1..e8078244 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/resourcesync_controller.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/resourcesynccontroller/resourcesync_controller.go @@ -100,10 +100,20 @@ func (c *ResourceSyncController) Name() string { } func (c *ResourceSyncController) SyncConfigMap(destination, source ResourceLocation) error { - return c.SyncPartialConfigMap(destination, source) + return c.syncConfigMap(destination, source, alwaysFulfilledPreconditions) } func (c *ResourceSyncController) SyncPartialConfigMap(destination ResourceLocation, source ResourceLocation, keys ...string) error { + return c.syncConfigMap(destination, source, alwaysFulfilledPreconditions, keys...) +} + +// SyncConfigMapConditionally adds a new configmap that the resource sync +// controller will synchronise if the given precondition is fulfilled. +func (c *ResourceSyncController) SyncConfigMapConditionally(destination, source ResourceLocation, preconditionsFulfilledFn preconditionsFulfilled) error { + return c.syncConfigMap(destination, source, preconditionsFulfilledFn) +} + +func (c *ResourceSyncController) syncConfigMap(destination ResourceLocation, source ResourceLocation, preconditionsFulfilledFn preconditionsFulfilled, keys ...string) error { if !c.knownNamespaces.Has(destination.Namespace) { return fmt.Errorf("not watching namespace %q", destination.Namespace) } @@ -114,8 +124,9 @@ func (c *ResourceSyncController) SyncPartialConfigMap(destination ResourceLocati c.syncRuleLock.Lock() defer c.syncRuleLock.Unlock() c.configMapSyncRules[destination] = syncRuleSource{ - ResourceLocation: source, - syncedKeys: sets.NewString(keys...), + ResourceLocation: source, + syncedKeys: sets.NewString(keys...), + preconditionsFulfilledFn: preconditionsFulfilledFn, } // make sure the new rule is picked up @@ -124,10 +135,20 @@ func (c *ResourceSyncController) SyncPartialConfigMap(destination ResourceLocati } func (c *ResourceSyncController) SyncSecret(destination, source ResourceLocation) error { - return c.SyncPartialSecret(destination, source) + return c.syncSecret(destination, source, alwaysFulfilledPreconditions) } func (c *ResourceSyncController) SyncPartialSecret(destination, source ResourceLocation, keys ...string) error { + return c.syncSecret(destination, source, alwaysFulfilledPreconditions, keys...) +} + +// SyncSecretConditionally adds a new secret that the resource sync controller +// will synchronise if the given precondition is fulfilled. +func (c *ResourceSyncController) SyncSecretConditionally(destination, source ResourceLocation, preconditionsFulfilledFn preconditionsFulfilled) error { + return c.syncSecret(destination, source, preconditionsFulfilledFn) +} + +func (c *ResourceSyncController) syncSecret(destination, source ResourceLocation, preconditionsFulfilledFn preconditionsFulfilled, keys ...string) error { if !c.knownNamespaces.Has(destination.Namespace) { return fmt.Errorf("not watching namespace %q", destination.Namespace) } @@ -138,8 +159,9 @@ func (c *ResourceSyncController) SyncPartialSecret(destination, source ResourceL c.syncRuleLock.Lock() defer c.syncRuleLock.Unlock() c.secretSyncRules[destination] = syncRuleSource{ - ResourceLocation: source, - syncedKeys: sets.NewString(keys...), + ResourceLocation: source, + syncedKeys: sets.NewString(keys...), + preconditionsFulfilledFn: preconditionsFulfilledFn, } // make sure the new rule is picked up @@ -171,6 +193,14 @@ func (c *ResourceSyncController) Sync(ctx context.Context, syncCtx factory.SyncC errors := []error{} for destination, source := range c.configMapSyncRules { + // skip the sync if the preconditions aren't fulfilled + if fulfilled, err := source.preconditionsFulfilledFn(); !fulfilled || err != nil { + if err != nil { + errors = append(errors, err) + } + continue + } + if source.ResourceLocation == emptyResourceLocation { // use the cache to check whether the configmap exists in target namespace, if not skip the extra delete call. if _, err := c.configMapGetter.ConfigMaps(destination.Namespace).Get(ctx, destination.Name, metav1.GetOptions{}); err != nil { @@ -191,6 +221,14 @@ func (c *ResourceSyncController) Sync(ctx context.Context, syncCtx factory.SyncC } } for destination, source := range c.secretSyncRules { + // skip the sync if the preconditions aren't fulfilled + if fulfilled, err := source.preconditionsFulfilledFn(); !fulfilled || err != nil { + if err != nil { + errors = append(errors, err) + } + continue + } + if source.ResourceLocation == emptyResourceLocation { // use the cache to check whether the secret exists in target namespace, if not skip the extra delete call. if _, err := c.secretGetter.Secrets(destination.Namespace).Get(ctx, destination.Name, metav1.GetOptions{}); err != nil { diff --git a/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go b/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go index 1a332f7d..4ef52631 100644 --- a/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go +++ b/vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go @@ -382,3 +382,42 @@ func InjectObservedProxyIntoContainers(podSpec *corev1.PodSpec, containerNames [ return nil } + +func InjectTrustedCAIntoContainers(podSpec *corev1.PodSpec, configMapName string, containerNames []string) error { + podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{ + Name: "non-standard-root-system-trust-ca-bundle", + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: configMapName, + }, + Items: []corev1.KeyToPath{ + {Key: "ca-bundle.crt", Path: "tls-ca-bundle.pem"}, + }, + }, + }, + }) + + for _, containerName := range containerNames { + for i := range podSpec.InitContainers { + if podSpec.InitContainers[i].Name == containerName { + podSpec.InitContainers[i].VolumeMounts = append(podSpec.InitContainers[i].VolumeMounts, corev1.VolumeMount{ + Name: "non-standard-root-system-trust-ca-bundle", + MountPath: "/etc/pki/ca-trust/extracted/pem", + ReadOnly: true, + }) + } + } + for i := range podSpec.Containers { + if podSpec.Containers[i].Name == containerName { + podSpec.Containers[i].VolumeMounts = append(podSpec.Containers[i].VolumeMounts, corev1.VolumeMount{ + Name: "non-standard-root-system-trust-ca-bundle", + MountPath: "/etc/pki/ca-trust/extracted/pem", + ReadOnly: true, + }) + } + } + } + + return nil +} diff --git a/vendor/github.com/sirupsen/logrus/.travis.yml b/vendor/github.com/sirupsen/logrus/.travis.yml index 5e20aa41..c1dbd5a3 100644 --- a/vendor/github.com/sirupsen/logrus/.travis.yml +++ b/vendor/github.com/sirupsen/logrus/.travis.yml @@ -4,14 +4,12 @@ git: depth: 1 env: - GO111MODULE=on -go: [1.13.x, 1.14.x] -os: [linux, osx] +go: 1.15.x +os: linux install: - ./travis/install.sh script: - - ./travis/cross_build.sh - - ./travis/lint.sh - - export GOMAXPROCS=4 - - export GORACE=halt_on_error=1 - - go test -race -v ./... - - if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then go test -race -v -tags appengine ./... ; fi + - cd ci + - go run mage.go -v -w ../ crossBuild + - go run mage.go -v -w ../ lint + - go run mage.go -v -w ../ test diff --git a/vendor/github.com/sirupsen/logrus/CHANGELOG.md b/vendor/github.com/sirupsen/logrus/CHANGELOG.md index 584026d6..7567f612 100644 --- a/vendor/github.com/sirupsen/logrus/CHANGELOG.md +++ b/vendor/github.com/sirupsen/logrus/CHANGELOG.md @@ -1,3 +1,39 @@ +# 1.8.1 +Code quality: + * move magefile in its own subdir/submodule to remove magefile dependency on logrus consumer + * improve timestamp format documentation + +Fixes: + * fix race condition on logger hooks + + +# 1.8.0 + +Correct versioning number replacing v1.7.1. + +# 1.7.1 + +Beware this release has introduced a new public API and its semver is therefore incorrect. + +Code quality: + * use go 1.15 in travis + * use magefile as task runner + +Fixes: + * small fixes about new go 1.13 error formatting system + * Fix for long time race condiction with mutating data hooks + +Features: + * build support for zos + +# 1.7.0 +Fixes: + * the dependency toward a windows terminal library has been removed + +Features: + * a new buffer pool management API has been added + * a set of `Fn()` functions have been added + # 1.6.0 Fixes: * end of line cleanup diff --git a/vendor/github.com/sirupsen/logrus/README.md b/vendor/github.com/sirupsen/logrus/README.md index 5796706d..5152b6aa 100644 --- a/vendor/github.com/sirupsen/logrus/README.md +++ b/vendor/github.com/sirupsen/logrus/README.md @@ -402,7 +402,7 @@ func (f *MyJSONFormatter) Format(entry *Entry) ([]byte, error) { // source of the official loggers. serialized, err := json.Marshal(entry.Data) if err != nil { - return nil, fmt.Errorf("Failed to marshal fields to JSON, %v", err) + return nil, fmt.Errorf("Failed to marshal fields to JSON, %w", err) } return append(serialized, '\n'), nil } diff --git a/vendor/github.com/sirupsen/logrus/entry.go b/vendor/github.com/sirupsen/logrus/entry.go index 5a5cbfe7..07a1e5fa 100644 --- a/vendor/github.com/sirupsen/logrus/entry.go +++ b/vendor/github.com/sirupsen/logrus/entry.go @@ -78,6 +78,14 @@ func NewEntry(logger *Logger) *Entry { } } +func (entry *Entry) Dup() *Entry { + data := make(Fields, len(entry.Data)) + for k, v := range entry.Data { + data[k] = v + } + return &Entry{Logger: entry.Logger, Data: data, Time: entry.Time, Context: entry.Context, err: entry.err} +} + // Returns the bytes representation of this entry from the formatter. func (entry *Entry) Bytes() ([]byte, error) { return entry.Logger.Formatter.Format(entry) @@ -123,11 +131,9 @@ func (entry *Entry) WithFields(fields Fields) *Entry { for k, v := range fields { isErrField := false if t := reflect.TypeOf(v); t != nil { - switch t.Kind() { - case reflect.Func: + switch { + case t.Kind() == reflect.Func, t.Kind() == reflect.Ptr && t.Elem().Kind() == reflect.Func: isErrField = true - case reflect.Ptr: - isErrField = t.Elem().Kind() == reflect.Func } } if isErrField { @@ -212,68 +218,72 @@ func (entry Entry) HasCaller() (has bool) { entry.Caller != nil } -// This function is not declared with a pointer value because otherwise -// race conditions will occur when using multiple goroutines -func (entry Entry) log(level Level, msg string) { +func (entry *Entry) log(level Level, msg string) { var buffer *bytes.Buffer - // Default to now, but allow users to override if they want. - // - // We don't have to worry about polluting future calls to Entry#log() - // with this assignment because this function is declared with a - // non-pointer receiver. - if entry.Time.IsZero() { - entry.Time = time.Now() + newEntry := entry.Dup() + + if newEntry.Time.IsZero() { + newEntry.Time = time.Now() } - entry.Level = level - entry.Message = msg - entry.Logger.mu.Lock() - if entry.Logger.ReportCaller { - entry.Caller = getCaller() + newEntry.Level = level + newEntry.Message = msg + + newEntry.Logger.mu.Lock() + reportCaller := newEntry.Logger.ReportCaller + newEntry.Logger.mu.Unlock() + + if reportCaller { + newEntry.Caller = getCaller() } - entry.Logger.mu.Unlock() - entry.fireHooks() + newEntry.fireHooks() buffer = getBuffer() defer func() { - entry.Buffer = nil + newEntry.Buffer = nil putBuffer(buffer) }() buffer.Reset() - entry.Buffer = buffer + newEntry.Buffer = buffer - entry.write() + newEntry.write() - entry.Buffer = nil + newEntry.Buffer = nil // To avoid Entry#log() returning a value that only would make sense for // panic() to use in Entry#Panic(), we avoid the allocation by checking // directly here. if level <= PanicLevel { - panic(&entry) + panic(newEntry) } } func (entry *Entry) fireHooks() { + var tmpHooks LevelHooks entry.Logger.mu.Lock() - defer entry.Logger.mu.Unlock() - err := entry.Logger.Hooks.Fire(entry.Level, entry) + tmpHooks = make(LevelHooks, len(entry.Logger.Hooks)) + for k, v := range entry.Logger.Hooks { + tmpHooks[k] = v + } + entry.Logger.mu.Unlock() + + err := tmpHooks.Fire(entry.Level, entry) if err != nil { fmt.Fprintf(os.Stderr, "Failed to fire hook: %v\n", err) } } func (entry *Entry) write() { - entry.Logger.mu.Lock() - defer entry.Logger.mu.Unlock() serialized, err := entry.Logger.Formatter.Format(entry) if err != nil { fmt.Fprintf(os.Stderr, "Failed to obtain reader, %v\n", err) return } - if _, err = entry.Logger.Out.Write(serialized); err != nil { + entry.Logger.mu.Lock() + defer entry.Logger.mu.Unlock() + if _, err := entry.Logger.Out.Write(serialized); err != nil { fmt.Fprintf(os.Stderr, "Failed to write to log, %v\n", err) } } @@ -319,7 +329,6 @@ func (entry *Entry) Fatal(args ...interface{}) { func (entry *Entry) Panic(args ...interface{}) { entry.Log(PanicLevel, args...) - panic(fmt.Sprint(args...)) } // Entry Printf family functions diff --git a/vendor/github.com/sirupsen/logrus/go.sum b/vendor/github.com/sirupsen/logrus/go.sum index 1edc143b..694c18b8 100644 --- a/vendor/github.com/sirupsen/logrus/go.sum +++ b/vendor/github.com/sirupsen/logrus/go.sum @@ -4,7 +4,5 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= -golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 h1:YyJpGZS1sBuBCzLAR1VEpK193GlqGZbnPFnPV/5Rsb4= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= diff --git a/vendor/github.com/sirupsen/logrus/json_formatter.go b/vendor/github.com/sirupsen/logrus/json_formatter.go index ba7f2371..c96dc563 100644 --- a/vendor/github.com/sirupsen/logrus/json_formatter.go +++ b/vendor/github.com/sirupsen/logrus/json_formatter.go @@ -23,6 +23,9 @@ func (f FieldMap) resolve(key fieldKey) string { // JSONFormatter formats logs into parsable json type JSONFormatter struct { // TimestampFormat sets the format used for marshaling timestamps. + // The format to use is the same than for time.Format or time.Parse from the standard + // library. + // The standard Library already provides a set of predefined format. TimestampFormat string // DisableTimestamp allows disabling automatic timestamps in output @@ -118,7 +121,7 @@ func (f *JSONFormatter) Format(entry *Entry) ([]byte, error) { encoder.SetIndent("", " ") } if err := encoder.Encode(data); err != nil { - return nil, fmt.Errorf("failed to marshal fields to JSON, %v", err) + return nil, fmt.Errorf("failed to marshal fields to JSON, %w", err) } return b.Bytes(), nil diff --git a/vendor/github.com/sirupsen/logrus/logger.go b/vendor/github.com/sirupsen/logrus/logger.go index dbf627c9..33770445 100644 --- a/vendor/github.com/sirupsen/logrus/logger.go +++ b/vendor/github.com/sirupsen/logrus/logger.go @@ -12,7 +12,7 @@ import ( // LogFunction For big messages, it can be more efficient to pass a function // and only call it if the log level is actually enables rather than // generating the log message and then checking if the level is enabled -type LogFunction func()[]interface{} +type LogFunction func() []interface{} type Logger struct { // The logs are `io.Copy`'d to this in a mutex. It's common to set this to a diff --git a/vendor/github.com/sirupsen/logrus/terminal_check_unix.go b/vendor/github.com/sirupsen/logrus/terminal_check_unix.go index cc4fe6e3..04748b85 100644 --- a/vendor/github.com/sirupsen/logrus/terminal_check_unix.go +++ b/vendor/github.com/sirupsen/logrus/terminal_check_unix.go @@ -1,4 +1,4 @@ -// +build linux aix +// +build linux aix zos // +build !js package logrus diff --git a/vendor/github.com/sirupsen/logrus/text_formatter.go b/vendor/github.com/sirupsen/logrus/text_formatter.go index 3c28b54c..be2c6efe 100644 --- a/vendor/github.com/sirupsen/logrus/text_formatter.go +++ b/vendor/github.com/sirupsen/logrus/text_formatter.go @@ -53,7 +53,10 @@ type TextFormatter struct { // the time passed since beginning of execution. FullTimestamp bool - // TimestampFormat to use for display when a full timestamp is printed + // TimestampFormat to use for display when a full timestamp is printed. + // The format to use is the same than for time.Format or time.Parse from the standard + // library. + // The standard Library already provides a set of predefined format. TimestampFormat string // The fields are sorted by default for a consistent output. For applications @@ -235,6 +238,8 @@ func (f *TextFormatter) printColored(b *bytes.Buffer, entry *Entry, keys []strin levelColor = yellow case ErrorLevel, FatalLevel, PanicLevel: levelColor = red + case InfoLevel: + levelColor = blue default: levelColor = blue } diff --git a/vendor/k8s.io/apiserver/pkg/admission/metrics/metrics.go b/vendor/k8s.io/apiserver/pkg/admission/metrics/metrics.go index bdbc0048..82752fe0 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/metrics/metrics.go +++ b/vendor/k8s.io/apiserver/pkg/admission/metrics/metrics.go @@ -45,8 +45,8 @@ const ( ) var ( - // Use buckets ranging from 5 ms to 10 seconds (admission webhooks timeout at 30 seconds by default). - latencyBuckets = []float64{0.005, 0.025, 0.1, 0.5, 2.5, 5.0, 10.0} + // Use buckets ranging from 5 ms to 2.5 seconds (admission webhooks timeout at 30 seconds by default). + latencyBuckets = []float64{0.005, 0.025, 0.1, 0.5, 2.5} latencySummaryMaxAge = 5 * time.Hour // Metrics provides access to all admission metrics. @@ -126,17 +126,17 @@ func newAdmissionMetrics() *AdmissionMetrics { // Admission metrics for a step of the admission flow. The entire admission flow is broken down into a series of steps // Each step is identified by a distinct type label value. step := newMetricSet("step", - []string{"type", "operation", "rejected", "namespace"}, + []string{"type", "operation", "rejected"}, "Admission sub-step %s, broken out for each operation and API resource and step type (validate or admit).", true) // Built-in admission controller metrics. Each admission controller is identified by name. controller := newMetricSet("controller", - []string{"name", "type", "operation", "rejected", "namespace"}, + []string{"name", "type", "operation", "rejected"}, "Admission controller %s, identified by name and broken out for each operation and API resource and type (validate or admit).", false) // Admission webhook metrics. Each webhook is identified by name. webhook := newMetricSet("webhook", - []string{"name", "type", "operation", "rejected", "namespace"}, + []string{"name", "type", "operation", "rejected"}, "Admission webhook %s, identified by name and broken out for each operation and API resource and type (validate or admit).", false) webhookRejection := metrics.NewCounterVec( @@ -147,7 +147,7 @@ func newAdmissionMetrics() *AdmissionMetrics { Help: "Admission webhook rejection count, identified by name and broken out for each admission type (validating or admit) and operation. Additional labels specify an error type (calling_webhook_error or apiserver_internal_error if an error occurred; no_error otherwise) and optionally a non-zero rejection code if the webhook rejects the request with an HTTP status code (honored by the apiserver when the code is greater or equal to 400). Codes greater than 600 are truncated to 600, to keep the metrics cardinality bounded.", StabilityLevel: metrics.ALPHA, }, - []string{"name", "type", "operation", "error_type", "rejection_code", "namespace"}) + []string{"name", "type", "operation", "error_type", "rejection_code"}) step.mustRegister() controller.mustRegister() @@ -164,27 +164,27 @@ func (m *AdmissionMetrics) reset() { // ObserveAdmissionStep records admission related metrics for a admission step, identified by step type. func (m *AdmissionMetrics) ObserveAdmissionStep(ctx context.Context, elapsed time.Duration, rejected bool, attr admission.Attributes, stepType string, extraLabels ...string) { - m.step.observe(ctx, elapsed, append(extraLabels, stepType, string(attr.GetOperation()), strconv.FormatBool(rejected), attr.GetNamespace())...) + m.step.observe(ctx, elapsed, append(extraLabels, stepType, string(attr.GetOperation()), strconv.FormatBool(rejected))...) } // ObserveAdmissionController records admission related metrics for a built-in admission controller, identified by it's plugin handler name. func (m *AdmissionMetrics) ObserveAdmissionController(ctx context.Context, elapsed time.Duration, rejected bool, attr admission.Attributes, stepType string, extraLabels ...string) { - m.controller.observe(ctx, elapsed, append(extraLabels, stepType, string(attr.GetOperation()), strconv.FormatBool(rejected), attr.GetNamespace())...) + m.controller.observe(ctx, elapsed, append(extraLabels, stepType, string(attr.GetOperation()), strconv.FormatBool(rejected))...) } // ObserveWebhook records admission related metrics for a admission webhook. func (m *AdmissionMetrics) ObserveWebhook(ctx context.Context, elapsed time.Duration, rejected bool, attr admission.Attributes, stepType string, extraLabels ...string) { - m.webhook.observe(ctx, elapsed, append(extraLabels, stepType, string(attr.GetOperation()), strconv.FormatBool(rejected), attr.GetNamespace())...) + m.webhook.observe(ctx, elapsed, append(extraLabels, stepType, string(attr.GetOperation()), strconv.FormatBool(rejected))...) } // ObserveWebhookRejection records admission related metrics for an admission webhook rejection. -func (m *AdmissionMetrics) ObserveWebhookRejection(ctx context.Context, name, stepType string, attr admission.Attributes, errorType WebhookRejectionErrorType, rejectionCode int) { +func (m *AdmissionMetrics) ObserveWebhookRejection(ctx context.Context, name, stepType, operation string, errorType WebhookRejectionErrorType, rejectionCode int) { // We truncate codes greater than 600 to keep the cardinality bounded. // This should be rarely done by a malfunctioning webhook server. if rejectionCode > 600 { rejectionCode = 600 } - m.webhookRejection.WithContext(ctx).WithLabelValues(name, stepType, string(attr.GetOperation()), string(errorType), strconv.Itoa(rejectionCode), attr.GetNamespace()).Inc() + m.webhookRejection.WithContext(ctx).WithLabelValues(name, stepType, operation, string(errorType), strconv.Itoa(rejectionCode)).Inc() } type metricSet struct { diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go index 3ff91250..3b35bb31 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go @@ -148,14 +148,14 @@ func (a *mutatingDispatcher) Dispatch(ctx context.Context, attr admission.Attrib case *webhookutil.ErrCallingWebhook: if !ignoreClientCallFailures { rejected = true - admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "admit", versionedAttr.Attributes, admissionmetrics.WebhookRejectionCallingWebhookError, 0) + admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "admit", string(versionedAttr.Attributes.GetOperation()), admissionmetrics.WebhookRejectionCallingWebhookError, 0) } case *webhookutil.ErrWebhookRejection: rejected = true - admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "admit", versionedAttr.Attributes, admissionmetrics.WebhookRejectionNoError, int(err.Status.ErrStatus.Code)) + admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "admit", string(versionedAttr.Attributes.GetOperation()), admissionmetrics.WebhookRejectionNoError, int(err.Status.ErrStatus.Code)) default: rejected = true - admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "admit", versionedAttr.Attributes, admissionmetrics.WebhookRejectionAPIServerInternalError, 0) + admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "admit", string(versionedAttr.Attributes.GetOperation()), admissionmetrics.WebhookRejectionAPIServerInternalError, 0) } } admissionmetrics.Metrics.ObserveWebhook(ctx, time.Since(t), rejected, versionedAttr.Attributes, "admit", hook.Name) diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/dispatcher.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/dispatcher.go index 199bac2b..250bb02a 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/dispatcher.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/dispatcher.go @@ -119,14 +119,14 @@ func (d *validatingDispatcher) Dispatch(ctx context.Context, attr admission.Attr case *webhookutil.ErrCallingWebhook: if !ignoreClientCallFailures { rejected = true - admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "validating", versionedAttr.Attributes, admissionmetrics.WebhookRejectionCallingWebhookError, 0) + admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "validating", string(versionedAttr.Attributes.GetOperation()), admissionmetrics.WebhookRejectionCallingWebhookError, 0) } case *webhookutil.ErrWebhookRejection: rejected = true - admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "validating", versionedAttr.Attributes, admissionmetrics.WebhookRejectionNoError, int(err.Status.ErrStatus.Code)) + admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "validating", string(versionedAttr.Attributes.GetOperation()), admissionmetrics.WebhookRejectionNoError, int(err.Status.ErrStatus.Code)) default: rejected = true - admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "validating", versionedAttr.Attributes, admissionmetrics.WebhookRejectionAPIServerInternalError, 0) + admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "validating", string(versionedAttr.Attributes.GetOperation()), admissionmetrics.WebhookRejectionAPIServerInternalError, 0) } } admissionmetrics.Metrics.ObserveWebhook(ctx, time.Since(t), rejected, versionedAttr.Attributes, "validating", hook.Name) diff --git a/vendor/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go b/vendor/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go index 7e0715eb..5efc0a83 100644 --- a/vendor/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go +++ b/vendor/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go @@ -370,7 +370,7 @@ func RecordRequestAbort(req *http.Request, requestInfo *request.RequestInfo) { } scope := CleanScope(requestInfo) - reportedVerb := cleanVerb(CanonicalVerb(strings.ToUpper(req.Method), scope), req) + reportedVerb := cleanVerb(CanonicalVerb(strings.ToUpper(req.Method), scope), "", req) resource := requestInfo.Resource subresource := requestInfo.Subresource group := requestInfo.APIGroup @@ -393,7 +393,7 @@ func RecordRequestTermination(req *http.Request, requestInfo *request.RequestInf // InstrumentRouteFunc which is registered in installer.go with predefined // list of verbs (different than those translated to RequestInfo). // However, we need to tweak it e.g. to differentiate GET from LIST. - reportedVerb := cleanVerb(CanonicalVerb(strings.ToUpper(req.Method), scope), req) + reportedVerb := cleanVerb(CanonicalVerb(strings.ToUpper(req.Method), scope), "", req) if requestInfo.IsResourceRequest { requestTerminationsTotal.WithContext(req.Context()).WithLabelValues(reportedVerb, requestInfo.APIGroup, requestInfo.APIVersion, requestInfo.Resource, requestInfo.Subresource, scope, component, codeToString(code)).Inc() @@ -415,7 +415,7 @@ func RecordLongRunning(req *http.Request, requestInfo *request.RequestInfo, comp // InstrumentRouteFunc which is registered in installer.go with predefined // list of verbs (different than those translated to RequestInfo). // However, we need to tweak it e.g. to differentiate GET from LIST. - reportedVerb := cleanVerb(CanonicalVerb(strings.ToUpper(req.Method), scope), req) + reportedVerb := cleanVerb(CanonicalVerb(strings.ToUpper(req.Method), scope), "", req) if requestInfo.IsResourceRequest { g = longRunningRequestGauge.WithContext(req.Context()).WithLabelValues(reportedVerb, requestInfo.APIGroup, requestInfo.APIVersion, requestInfo.Resource, requestInfo.Subresource, scope, component) @@ -434,7 +434,7 @@ func MonitorRequest(req *http.Request, verb, group, version, resource, subresour // InstrumentRouteFunc which is registered in installer.go with predefined // list of verbs (different than those translated to RequestInfo). // However, we need to tweak it e.g. to differentiate GET from LIST. - reportedVerb := cleanVerb(CanonicalVerb(strings.ToUpper(req.Method), scope), req) + reportedVerb := cleanVerb(CanonicalVerb(strings.ToUpper(req.Method), scope), verb, req) dryRun := cleanDryRun(req.URL) elapsedSeconds := elapsed.Seconds() @@ -564,8 +564,15 @@ func CleanVerb(verb string, request *http.Request) string { } // cleanVerb additionally ensures that unknown verbs don't clog up the metrics. -func cleanVerb(verb string, request *http.Request) string { +func cleanVerb(verb, suggestedVerb string, request *http.Request) string { reportedVerb := CleanVerb(verb, request) + // CanonicalVerb (being an input for this function) doesn't handle correctly the + // deprecated path pattern for watch of: + // GET /api/{version}/watch/{resource} + // We correct it manually based on the pass verb from the installer. + if suggestedVerb == "WATCH" || suggestedVerb == "WATCHLIST" { + reportedVerb = "WATCH" + } if validRequestMethods.Has(reportedVerb) { return reportedVerb } diff --git a/vendor/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go b/vendor/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go index 1de20682..04375d1d 100644 --- a/vendor/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go +++ b/vendor/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go @@ -45,6 +45,9 @@ func (s *DeprecatedInsecureServingInfo) Serve(handler http.Handler, shutdownTime Addr: s.Listener.Addr().String(), Handler: handler, MaxHeaderBytes: 1 << 20, + + IdleTimeout: 90 * time.Second, // matches http.DefaultTransport keep-alive timeout + ReadHeaderTimeout: 32 * time.Second, // just shy of requestTimeoutUpperBound } if len(s.Name) > 0 { diff --git a/vendor/k8s.io/apiserver/pkg/server/options/audit.go b/vendor/k8s.io/apiserver/pkg/server/options/audit.go index 81fa7bae..6e062c98 100644 --- a/vendor/k8s.io/apiserver/pkg/server/options/audit.go +++ b/vendor/k8s.io/apiserver/pkg/server/options/audit.go @@ -511,21 +511,21 @@ func (o *AuditLogOptions) getWriter() (io.Writer, error) { return nil, nil } - if err := o.ensureLogFile(); err != nil { - return nil, err + if o.Path == "-" { + return os.Stdout, nil } - var w io.Writer = os.Stdout - if o.Path != "-" { - w = &lumberjack.Logger{ - Filename: o.Path, - MaxAge: o.MaxAge, - MaxBackups: o.MaxBackups, - MaxSize: o.MaxSize, - Compress: o.Compress, - } + if err := o.ensureLogFile(); err != nil { + return nil, fmt.Errorf("ensureLogFile: %w", err) } - return w, nil + + return &lumberjack.Logger{ + Filename: o.Path, + MaxAge: o.MaxAge, + MaxBackups: o.MaxBackups, + MaxSize: o.MaxSize, + Compress: o.Compress, + }, nil } func (o *AuditLogOptions) ensureLogFile() error { diff --git a/vendor/k8s.io/apiserver/pkg/server/secure_serving.go b/vendor/k8s.io/apiserver/pkg/server/secure_serving.go index c706afb5..5626cb3a 100644 --- a/vendor/k8s.io/apiserver/pkg/server/secure_serving.go +++ b/vendor/k8s.io/apiserver/pkg/server/secure_serving.go @@ -157,6 +157,9 @@ func (s *SecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Dur Handler: handler, MaxHeaderBytes: 1 << 20, TLSConfig: tlsConfig, + + IdleTimeout: 90 * time.Second, // matches http.DefaultTransport keep-alive timeout + ReadHeaderTimeout: 32 * time.Second, // just shy of requestTimeoutUpperBound } // At least 99% of serialized resources in surveyed clusters were smaller than 256kb. @@ -164,7 +167,9 @@ func (s *SecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Dur // and small enough to allow a per connection buffer of this size multiplied by `MaxConcurrentStreams`. const resourceBody99Percentile = 256 * 1024 - http2Options := &http2.Server{} + http2Options := &http2.Server{ + IdleTimeout: 90 * time.Second, // matches http.DefaultTransport keep-alive timeout + } // shrink the per-stream buffer and max framesize from the 1MB default while still accommodating most API POST requests in a single frame http2Options.MaxUploadBufferPerStream = resourceBody99Percentile @@ -218,6 +223,9 @@ func (s *SecureServingInfo) ServeWithListenerStopped(handler http.Handler, shutd Handler: handler, MaxHeaderBytes: 1 << 20, TLSConfig: tlsConfig, + + IdleTimeout: 90 * time.Second, // matches http.DefaultTransport keep-alive timeout + ReadHeaderTimeout: 32 * time.Second, // just shy of requestTimeoutUpperBound } // At least 99% of serialized resources in surveyed clusters were smaller than 256kb. @@ -225,7 +233,9 @@ func (s *SecureServingInfo) ServeWithListenerStopped(handler http.Handler, shutd // and small enough to allow a per connection buffer of this size multiplied by `MaxConcurrentStreams`. const resourceBody99Percentile = 256 * 1024 - http2Options := &http2.Server{} + http2Options := &http2.Server{ + IdleTimeout: 90 * time.Second, // matches http.DefaultTransport keep-alive timeout + } // shrink the per-stream buffer and max framesize from the 1MB default while still accommodating most API POST requests in a single frame http2Options.MaxUploadBufferPerStream = resourceBody99Percentile diff --git a/vendor/k8s.io/apiserver/pkg/storage/etcd3/store.go b/vendor/k8s.io/apiserver/pkg/storage/etcd3/store.go index 5f36b710..7f558a58 100644 --- a/vendor/k8s.io/apiserver/pkg/storage/etcd3/store.go +++ b/vendor/k8s.io/apiserver/pkg/storage/etcd3/store.go @@ -230,12 +230,22 @@ func (s *store) conditionalDelete( } // It's possible we're working with stale data. + // Remember the revision of the potentially stale data and the resulting update error + cachedRev := origState.rev + cachedUpdateErr := err + // Actually fetch origState, err = getCurrentState() if err != nil { return err } origStateIsCurrent = true + + // it turns out our cached data was not stale, return the error + if cachedRev == origState.rev { + return cachedUpdateErr + } + // Retry continue } @@ -246,12 +256,22 @@ func (s *store) conditionalDelete( } // It's possible we're working with stale data. + // Remember the revision of the potentially stale data and the resulting update error + cachedRev := origState.rev + cachedUpdateErr := err + // Actually fetch origState, err = getCurrentState() if err != nil { return err } origStateIsCurrent = true + + // it turns out our cached data was not stale, return the error + if cachedRev == origState.rev { + return cachedUpdateErr + } + // Retry continue } @@ -345,12 +365,22 @@ func (s *store) GuaranteedUpdate( } // It's possible we were working with stale data + // Remember the revision of the potentially stale data and the resulting update error + cachedRev := origState.rev + cachedUpdateErr := err + // Actually fetch origState, err = getCurrentState() if err != nil { return err } origStateIsCurrent = true + + // it turns out our cached data was not stale, return the error + if cachedRev == origState.rev { + return cachedUpdateErr + } + // Retry continue } diff --git a/vendor/modules.txt b/vendor/modules.txt index 609b24bc..ae8b24d6 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -92,7 +92,7 @@ github.com/modern-go/concurrent github.com/modern-go/reflect2 # github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 github.com/munnerz/goautoneg -# github.com/openshift/api v0.0.0-20210730095913-85e1d547cdee +# github.com/openshift/api v0.0.0-20210831091943-07e756545ac1 ## explicit github.com/openshift/api github.com/openshift/api/apiserver @@ -150,7 +150,7 @@ github.com/openshift/api/template github.com/openshift/api/template/v1 github.com/openshift/api/user github.com/openshift/api/user/v1 -# github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3 +# github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37 ## explicit github.com/openshift/build-machinery-go github.com/openshift/build-machinery-go/make @@ -160,7 +160,7 @@ github.com/openshift/build-machinery-go/make/targets/golang github.com/openshift/build-machinery-go/make/targets/openshift github.com/openshift/build-machinery-go/make/targets/openshift/operator github.com/openshift/build-machinery-go/scripts -# github.com/openshift/client-go v0.0.0-20210730113412-1811c1b3fc0e +# github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7 ## explicit github.com/openshift/client-go/config/clientset/versioned github.com/openshift/client-go/config/clientset/versioned/scheme @@ -170,7 +170,7 @@ github.com/openshift/client-go/config/informers/externalversions/config github.com/openshift/client-go/config/informers/externalversions/config/v1 github.com/openshift/client-go/config/informers/externalversions/internalinterfaces github.com/openshift/client-go/config/listers/config/v1 -# github.com/openshift/library-go v0.0.0-20210830145332-4a9873bf5e74 +# github.com/openshift/library-go v0.0.0-20220112123419-0a017a8d304f ## explicit github.com/openshift/library-go/pkg/authorization/hardcodedauthorizer github.com/openshift/library-go/pkg/config/client @@ -229,7 +229,7 @@ github.com/prometheus/procfs/internal/fs github.com/prometheus/procfs/internal/util # github.com/robfig/cron v1.2.0 github.com/robfig/cron -# github.com/sirupsen/logrus v1.7.0 +# github.com/sirupsen/logrus v1.8.1 github.com/sirupsen/logrus # github.com/spf13/cobra v1.1.3 ## explicit @@ -514,7 +514,7 @@ k8s.io/api/scheduling/v1beta1 k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 -# k8s.io/apiextensions-apiserver v0.22.0-rc.0 +# k8s.io/apiextensions-apiserver v0.22.1 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1 @@ -577,7 +577,7 @@ k8s.io/apimachinery/pkg/version k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v0.22.0-rc.0 +# k8s.io/apiserver v0.22.1 k8s.io/apiserver/pkg/admission k8s.io/apiserver/pkg/admission/configuration k8s.io/apiserver/pkg/admission/initializer @@ -945,7 +945,7 @@ k8s.io/component-base/version # k8s.io/klog/v2 v2.10.0 ## explicit k8s.io/klog/v2 -# k8s.io/kube-aggregator v0.22.0-rc.0 +# k8s.io/kube-aggregator v0.22.1 k8s.io/kube-aggregator/pkg/apis/apiregistration k8s.io/kube-aggregator/pkg/apis/apiregistration/v1 k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1 @@ -969,7 +969,7 @@ k8s.io/utils/net k8s.io/utils/path k8s.io/utils/pointer k8s.io/utils/trace -# sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.21 +# sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client sigs.k8s.io/apiserver-network-proxy/konnectivity-client/proto/client # sigs.k8s.io/kube-storage-version-migrator v0.0.4 From c04cd0e39d7d57cf2fac636185a84028a4250a00 Mon Sep 17 00:00:00 2001 From: Fabio Bertinatto Date: Thu, 23 Dec 2021 15:17:44 -0300 Subject: [PATCH 2/2] Add custom CA bundle support In OCP, it's possible to set a cluster-wide proxy that operators can use to communicate with external APIs. In addition to that, users can also define a custom CA bundle to be used together with the proxy setting. Currently, we are not using that custom CA bundle and this patch fixes that. The main benefit of injecting the CA bundle using the controllers, as opposed to statically mount it using the manifest file, is that we can watch for changes in the trusted CA bundle store and roll out a new Deployment with the new CA bundle. --- assets/cabundle_cm.yaml | 7 +++++++ assets/controller.yaml | 1 + assets/node.yaml | 1 + pkg/operator/starter.go | 24 +++++++++++++++++++----- 4 files changed, 28 insertions(+), 5 deletions(-) create mode 100644 assets/cabundle_cm.yaml diff --git a/assets/cabundle_cm.yaml b/assets/cabundle_cm.yaml new file mode 100644 index 00000000..bd392d2b --- /dev/null +++ b/assets/cabundle_cm.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + config.openshift.io/inject-trusted-cabundle: "true" + name: gcp-pd-csi-driver-trusted-ca-bundle + namespace: openshift-cluster-csi-drivers diff --git a/assets/controller.yaml b/assets/controller.yaml index 0c2470ae..47a9d291 100644 --- a/assets/controller.yaml +++ b/assets/controller.yaml @@ -5,6 +5,7 @@ metadata: namespace: openshift-cluster-csi-drivers annotations: config.openshift.io/inject-proxy: csi-driver + config.openshift.io/inject-proxy-cabundle: csi-driver spec: strategy: type: RollingUpdate diff --git a/assets/node.yaml b/assets/node.yaml index 8cb74699..42b35c97 100644 --- a/assets/node.yaml +++ b/assets/node.yaml @@ -5,6 +5,7 @@ metadata: namespace: openshift-cluster-csi-drivers annotations: config.openshift.io/inject-proxy: csi-driver + config.openshift.io/inject-proxy-cabundle: csi-driver spec: selector: matchLabels: diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go index 508b4bbd..a9d01f2b 100644 --- a/pkg/operator/starter.go +++ b/pkg/operator/starter.go @@ -25,10 +25,11 @@ import ( const ( // Operand and operator run in the same namespace - defaultNamespace = "openshift-cluster-csi-drivers" - operatorName = "gcp-pd-csi-driver-operator" - operandName = "gcp-pd-csi-driver" - secretName = "gcp-pd-cloud-credentials" + defaultNamespace = "openshift-cluster-csi-drivers" + operatorName = "gcp-pd-csi-driver-operator" + operandName = "gcp-pd-csi-driver" + secretName = "gcp-pd-cloud-credentials" + trustedCAConfigMap = "gcp-pd-csi-driver-trusted-ca-bundle" ) func RunOperator(ctx context.Context, controllerConfig *controllercmd.ControllerContext) error { @@ -36,6 +37,7 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller kubeClient := kubeclient.NewForConfigOrDie(rest.AddUserAgent(controllerConfig.KubeConfig, operatorName)) kubeInformersForNamespaces := v1helpers.NewKubeInformersForNamespaces(kubeClient, defaultNamespace, "") secretInformer := kubeInformersForNamespaces.InformersFor(defaultNamespace).Core().V1().Secrets() + configMapInformer := kubeInformersForNamespaces.InformersFor(defaultNamespace).Core().V1().ConfigMaps() nodeInformer := kubeInformersForNamespaces.InformersFor("").Core().V1().Nodes() // Create config clientset and informer. This is used to get the cluster ID @@ -75,6 +77,7 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller "controller_pdb.yaml", "node_sa.yaml", "service.yaml", + "cabundle_cm.yaml", "rbac/attacher_role.yaml", "rbac/attacher_binding.yaml", "rbac/privileged_role.yaml", @@ -105,8 +108,14 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller nodeInformer.Informer(), infraInformer.Informer(), secretInformer.Informer(), + configMapInformer.Informer(), }, csidrivercontrollerservicecontroller.WithObservedProxyDeploymentHook(), + csidrivercontrollerservicecontroller.WithCABundleDeploymentHook( + defaultNamespace, + trustedCAConfigMap, + configMapInformer, + ), csidrivercontrollerservicecontroller.WithSecretHashAnnotationHook( defaultNamespace, secretName, @@ -119,8 +128,13 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller "node.yaml", kubeClient, kubeInformersForNamespaces.InformersFor(defaultNamespace), - nil, // Node doesn't need to react to any changes + []factory.Informer{configMapInformer.Informer()}, csidrivernodeservicecontroller.WithObservedProxyDaemonSetHook(), + csidrivernodeservicecontroller.WithCABundleDaemonSetHook( + defaultNamespace, + trustedCAConfigMap, + configMapInformer, + ), ).WithServiceMonitorController( "GCPPDDriverServiceMonitorController", dynamicClient,