From 66cfdf26bf6e3efafaf172df90752cd3d013bf8c Mon Sep 17 00:00:00 2001 From: Vatsal Parekh Date: Sat, 15 Feb 2025 15:34:12 +0530 Subject: [PATCH] Update dependencies for k8s 1.32 Signed-off-by: Vatsal Parekh --- charts/rancher-webhook/Chart.yaml | 2 +- go.mod | 131 +++++------ go.sum | 211 +++++++++--------- pkg/auth/escalation_test.go | 3 +- pkg/auth/rolegetter.go | 10 +- pkg/codegen/main.go | 5 - .../v3/clusterroletemplatebinding.go | 169 ++++++++++++++ .../v3/globalrolebinding.go | 169 ++++++++++++++ pkg/mocks/authRuleResolver.go | 33 +-- pkg/resolvers/aggregateResolver.go | 13 +- pkg/resolvers/aggregateResolver_test.go | 43 ++-- pkg/resolvers/crtbResolver.go | 9 +- pkg/resolvers/crtbResolver_test.go | 3 +- pkg/resolvers/grbRuleResolvers.go | 7 +- pkg/resolvers/grbRuleResolvers_test.go | 3 +- pkg/resolvers/prtbResolver.go | 9 +- pkg/resolvers/prtbResolver_test.go | 3 +- pkg/resources/common/common_test.go | 79 ++++--- .../v1/namespace/projectannotations_test.go | 3 +- .../core/v1/namespace/psalabels_test.go | 3 +- .../v3/globalrole/setup_test.go | 12 +- .../v3/globalrole/validator_test.go | 49 ++-- .../v3/globalrolebinding/setup_test.go | 10 +- .../v3/globalrolebinding/validator_test.go | 45 ++-- .../v3/roletemplate/validator_test.go | 19 +- 25 files changed, 706 insertions(+), 337 deletions(-) diff --git a/charts/rancher-webhook/Chart.yaml b/charts/rancher-webhook/Chart.yaml index 21b369c46..985cf27c6 100644 --- a/charts/rancher-webhook/Chart.yaml +++ b/charts/rancher-webhook/Chart.yaml @@ -11,5 +11,5 @@ annotations: catalog.cattle.io/os: linux catalog.cattle.io/permits-os: linux,windows catalog.cattle.io/rancher-version: ">= 2.10.0-0 < 2.11.0-0" - catalog.cattle.io/kube-version: "< 1.32.0-0" + catalog.cattle.io/kube-version: "< 1.33.0-0" catalog.cattle.io/managed: "true" diff --git a/go.mod b/go.mod index 53aecfc39..16c24de91 100644 --- a/go.mod +++ b/go.mod 
@@ -6,33 +6,33 @@ toolchain go1.23.6 replace ( github.com/rancher/rke => github.com/rancher/rke v1.7.2 - k8s.io/api => k8s.io/api v0.31.1 - k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.31.1 - k8s.io/apimachinery => k8s.io/apimachinery v0.31.1 - k8s.io/apiserver => k8s.io/apiserver v0.31.1 - k8s.io/cli-runtime => k8s.io/cli-runtime v0.31.1 - k8s.io/client-go => k8s.io/client-go v0.31.1 - k8s.io/cloud-provider => k8s.io/cloud-provider v0.31.1 - k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.31.1 - k8s.io/code-generator => k8s.io/code-generator v0.31.1 - k8s.io/component-helpers => k8s.io/component-helpers v0.31.1 - k8s.io/controller-manager => k8s.io/controller-manager v0.31.1 - k8s.io/cri-api => k8s.io/cri-api v0.31.1 - k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.31.1 - k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.31.1 - k8s.io/endpointslice => k8s.io/endpointslice v0.31.1 - k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.31.1 - k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.31.1 - k8s.io/kube-proxy => k8s.io/kube-proxy v0.31.1 - k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.31.1 - k8s.io/kubectl => k8s.io/kubectl v0.31.1 - k8s.io/kubelet => k8s.io/kubelet v0.31.1 - k8s.io/kubernetes => k8s.io/kubernetes v1.31.1 - k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.31.1 - k8s.io/metrics => k8s.io/metrics v0.31.1 - k8s.io/mount-utils => k8s.io/mount-utils v0.31.1 - k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.31.1 - k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.31.1 + k8s.io/api => k8s.io/api v0.32.1 + k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.32.1 + k8s.io/apimachinery => k8s.io/apimachinery v0.32.1 + k8s.io/apiserver => k8s.io/apiserver v0.32.1 + k8s.io/cli-runtime => k8s.io/cli-runtime v0.32.1 + k8s.io/client-go => k8s.io/client-go v0.32.1 + k8s.io/cloud-provider => k8s.io/cloud-provider 
v0.32.1 + k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.32.1 + k8s.io/code-generator => k8s.io/code-generator v0.32.1 + k8s.io/component-helpers => k8s.io/component-helpers v0.32.1 + k8s.io/controller-manager => k8s.io/controller-manager v0.32.1 + k8s.io/cri-api => k8s.io/cri-api v0.32.1 + k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.32.1 + k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.32.1 + k8s.io/endpointslice => k8s.io/endpointslice v0.32.1 + k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.32.1 + k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.32.1 + k8s.io/kube-proxy => k8s.io/kube-proxy v0.32.1 + k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.32.1 + k8s.io/kubectl => k8s.io/kubectl v0.32.1 + k8s.io/kubelet => k8s.io/kubelet v0.32.1 + k8s.io/kubernetes => k8s.io/kubernetes v1.32.1 + k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.32.1 + k8s.io/metrics => k8s.io/metrics v0.32.1 + k8s.io/mount-utils => k8s.io/mount-utils v0.32.1 + k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.32.1 + k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.32.1 ) require ( @@ -40,10 +40,10 @@ require ( github.com/evanphx/json-patch v5.9.11+incompatible github.com/gorilla/mux v1.8.1 github.com/rancher/dynamiclistener v0.6.1 - github.com/rancher/lasso v0.2.0 - github.com/rancher/rancher/pkg/apis v0.0.0-20241107150810-8b9e1881ab4b - github.com/rancher/rke v1.7.2 - github.com/rancher/wrangler/v3 v3.1.0 + github.com/rancher/lasso v0.2.1 + github.com/rancher/rancher/pkg/apis v0.0.0-20250213173112-3d729db8a848 + github.com/rancher/rke v1.8.0-rc.1 + github.com/rancher/wrangler/v3 v3.2.0-rc.3 github.com/robfig/cron v1.2.0 github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.10.0 
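Review bot: The bumped requirement `github.com/rancher/rke v1.8.0-rc.1` in the `require` hunk is overridden by the unchanged directive `github.com/rancher/rke => github.com/rancher/rke v1.7.2` in the `replace` block of the preceding hunk, so the build still resolves rke v1.7.2. The visible go.sum lines are consistent with that: they carry rke v1.7.2 only as unchanged context, with no v1.8.0-rc.1 entry in the part shown. Either move the replace target to the new version or drop the replace if it is no longer needed, so the resolved version matches what `require` declares. Separately, this hunk pins pre-release tags (`rke v1.8.0-rc.1`, `wrangler/v3 v3.2.0-rc.3`) into an admission webhook; consider tracking a follow-up to move them to final releases before this ships.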
@@ -51,18 +51,19 @@ require ( golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac golang.org/x/text v0.22.0 golang.org/x/tools v0.30.0 - k8s.io/api v0.31.1 - k8s.io/apimachinery v0.31.1 - k8s.io/apiserver v0.31.1 + k8s.io/api v0.32.1 + k8s.io/apimachinery v0.32.1 + k8s.io/apiserver v0.32.1 k8s.io/client-go v12.0.0+incompatible - k8s.io/kubernetes v1.31.1 - k8s.io/pod-security-admission v0.31.1 + k8s.io/kubernetes v1.32.1 + k8s.io/pod-security-admission v0.32.1 k8s.io/utils v0.0.0-20241210054802-24370beab758 - sigs.k8s.io/controller-runtime v0.19.0 + sigs.k8s.io/controller-runtime v0.19.4 sigs.k8s.io/yaml v1.4.0 ) require ( + cel.dev/expr v0.18.0 // indirect github.com/NYTimes/gziphandler v1.1.1 // indirect github.com/antlr4-go/antlr/v4 v4.13.0 // indirect github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect 
@@ -82,22 +83,23 @@ require ( github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/jsonpointer v0.21.0 // indirect - github.com/go-openapi/jsonreference v0.20.2 // indirect + github.com/go-openapi/jsonreference v0.21.0 // indirect github.com/go-openapi/swag v0.23.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect - github.com/google/cel-go v0.20.1 // indirect - github.com/google/gnostic-models v0.6.8 // indirect + github.com/google/btree v1.0.1 // indirect + github.com/google/cel-go v0.22.0 // indirect + github.com/google/gnostic-models v0.6.9 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect - github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect + github.com/klauspost/compress v1.17.9 // indirect + github.com/kylelemons/godebug v1.1.0 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect 
@@ -105,22 +107,22 @@ require ( github.com/opencontainers/go-digest v1.0.0 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect - github.com/prometheus/client_golang v1.19.1 // indirect + github.com/prometheus/client_golang v1.20.5 // indirect github.com/prometheus/client_model v0.6.1 // indirect github.com/prometheus/common v0.55.0 // indirect github.com/prometheus/procfs v0.15.1 // indirect github.com/rancher/aks-operator v1.10.0 // indirect - github.com/rancher/eks-operator v1.10.0 // indirect - github.com/rancher/fleet/pkg/apis v0.11.0-rc.2 // indirect + github.com/rancher/eks-operator v1.11.0-rc.2 // indirect + github.com/rancher/fleet/pkg/apis v0.12.0-alpha.2 // indirect github.com/rancher/gke-operator v1.10.0 // indirect - github.com/rancher/norman v0.0.0-20241001183610-78a520c160ab // indirect + github.com/rancher/norman v0.5.1 // indirect github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/stoewer/go-strcase v1.2.0 // indirect + github.com/stoewer/go-strcase v1.3.0 // indirect github.com/x448/float16 v0.8.4 // indirect - go.etcd.io/etcd/api/v3 v3.5.15 // indirect - go.etcd.io/etcd/client/pkg/v3 v3.5.15 // indirect - go.etcd.io/etcd/client/v3 v3.5.15 // indirect + go.etcd.io/etcd/api/v3 v3.5.16 // indirect + go.etcd.io/etcd/client/pkg/v3 v3.5.16 // indirect + go.etcd.io/etcd/client/v3 v3.5.16 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect go.opentelemetry.io/otel v1.29.0 // indirect 
@@ -144,28 +146,27 @@ require ( google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect google.golang.org/grpc v1.67.1 // indirect - google.golang.org/protobuf v1.35.1 // indirect + google.golang.org/protobuf v1.36.1 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.31.1 // indirect + k8s.io/apiextensions-apiserver v0.32.1 // indirect k8s.io/cloud-provider v0.0.0 // indirect - k8s.io/code-generator v0.31.1 // indirect - k8s.io/component-base v0.31.1 // indirect - k8s.io/component-helpers v0.31.1 // indirect - k8s.io/controller-manager v0.31.1 // indirect - k8s.io/gengo v0.0.0-20240826214909-a7b603a56eb7 // indirect - k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70 // indirect - k8s.io/klog v1.0.0 // indirect + k8s.io/code-generator v0.32.1 // indirect + k8s.io/component-base v0.32.1 // indirect + k8s.io/component-helpers v0.32.1 // indirect + k8s.io/controller-manager v0.32.1 // indirect + k8s.io/gengo v0.0.0-20250130153323-76c5745d3511 // indirect + k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 // indirect k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/kms v0.31.1 // indirect - k8s.io/kube-aggregator v0.31.1 // indirect - k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect + k8s.io/kms v0.32.1 // indirect + k8s.io/kube-aggregator v0.32.1 // indirect + k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect k8s.io/kubelet v0.0.0 // indirect - sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect sigs.k8s.io/cluster-api v1.8.3 // indirect - sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - 
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect + sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.3 // indirect ) diff --git a/go.sum b/go.sum index c60f1628b..39534077d 100644 --- a/go.sum +++ b/go.sum @@ -1,3 +1,5 @@ +cel.dev/expr v0.18.0 h1:CJ6drgk+Hf96lkLikr4rFf19WrU0BOWEihyZnI2TAzo= +cel.dev/expr v0.18.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I= github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= @@ -19,7 +21,6 @@ github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03V github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -40,7 +41,6 @@ github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= 
@@ -49,12 +49,10 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= -github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= -github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= -github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= -github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= +github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= 
@@ -64,16 +62,14 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= -github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= -github.com/google/cel-go v0.20.1 h1:nDx9r8S3L4pE61eDdt8igGj8rf5kjYR3ILxWIpWNi84= -github.com/google/cel-go v0.20.1/go.mod h1:kWcIzTsPX0zmQ+H3TirHstLLf9ep5QTsZBN9u4dOYLg= -github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= -github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/cel-go v0.22.0 h1:b3FJZxpiv1vTMo2/5RDUqAHPxkT8mmMfJIrq1llbf7g= +github.com/google/cel-go v0.22.0/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8= +github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= +github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= 
@@ -82,8 +78,8 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA= -github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad h1:a6HEuzUHeKH6hwfN/ZoQgRgVIWFJljSWa/zetS2WTvg= +github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= 
@@ -98,26 +94,27 @@ github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0= github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= -github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= -github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ= -github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= +github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4= +github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pretty v0.2.1/go.mod 
h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -127,10 +124,10 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4= -github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag= -github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= -github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= +github.com/onsi/ginkgo/v2 v2.22.2 h1:/3X8Panh8/WwhU/3Ssa6rCKqPLuAkVY2I0RoyDLySlU= +github.com/onsi/ginkgo/v2 v2.22.2/go.mod h1:oeMosUL+8LtarXBHu/c0bx2D/K9zyQ6uX3cTyztHwsk= +github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8= +github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 
@@ -138,8 +135,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= -github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= +github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= 
@@ -150,22 +147,22 @@ github.com/rancher/aks-operator v1.10.0 h1:9PGJUyzso2Tg9o64sYI6++mCke9ToRchvN5uZ github.com/rancher/aks-operator v1.10.0/go.mod h1:n7CBXwN5mpJZT7/3PYg6cWBAVCqjayhaUiRtTCH1FMQ= github.com/rancher/dynamiclistener v0.6.1 h1:sw4fxjutSedm7uIPD4I/hhAS2zIJIk3wOZLEZEElcYI= github.com/rancher/dynamiclistener v0.6.1/go.mod h1:0KhUMHy3VcGMGavTY3i1/Mr8rVM02wFqNlUzjc+Cplg= -github.com/rancher/eks-operator v1.10.0 h1:a3l3nmoIf5EiYS4BQ+a9Z8+0WwZ3duek6gnrT6VZKwk= -github.com/rancher/eks-operator v1.10.0/go.mod h1:coW31jIfImAHdGsepc7yCXSuixdclQkJn3y26E9tsss= -github.com/rancher/fleet/pkg/apis v0.11.0-rc.2 h1:ZSCdGlmtd0UEZaHgFG2W3c6tx4wjO9x30wPVNJDssZU= -github.com/rancher/fleet/pkg/apis v0.11.0-rc.2/go.mod h1:NO2Vo3bZ1jhjT6Bt+/ydij8O1xeQ1706LeAqWqIhvZQ= +github.com/rancher/eks-operator v1.11.0-rc.2 h1:IP7A9sqmHEpYgi4x/8FYdfw+mgDREN5ZQ3+aUhbGmrs= +github.com/rancher/eks-operator v1.11.0-rc.2/go.mod h1:g9DRfX6MCM5CYvV70YFMNqWtw7WxxyizHDuUENtVMs8= +github.com/rancher/fleet/pkg/apis v0.12.0-alpha.2 h1:bHgFWuz2vy0uaBBmHbR6xYjJTLaeAuXDUrL8PiYXpxs= +github.com/rancher/fleet/pkg/apis v0.12.0-alpha.2/go.mod h1:kWdjnTs14K8pinSAFb3votOgoEUHhAZ0onLIw9Tv404= github.com/rancher/gke-operator v1.10.0 h1:vV9jLErnH5VRBpK/kCzem8T7/yEDqLVXIcv20Or7e7I= github.com/rancher/gke-operator v1.10.0/go.mod h1:k3oIJMCilpaLHeHPRy90S3pfZ05vbe+b+g1ISiHQbLo= -github.com/rancher/lasso v0.2.0 h1:0YaprDYRZNMQoG9/308ZI+oxvof2JUjo9rYT2It38L8= -github.com/rancher/lasso v0.2.0/go.mod h1:stR7zYyew1IOnKYV5vFx1kXX5/pUoKeo5K5c78qAdV8= -github.com/rancher/norman v0.0.0-20241001183610-78a520c160ab h1:ihK6See3y/JilqZlc0CG7NXPN+ue5nY9U7xUZUA8M7I= -github.com/rancher/norman v0.0.0-20241001183610-78a520c160ab/go.mod h1:qX/OG/4wY27xSAcSdRilUBxBumV6Ey2CWpAeaKnBQDs= -github.com/rancher/rancher/pkg/apis v0.0.0-20241107150810-8b9e1881ab4b h1:KwXK3otsV/P2Pi/oqmXJjUU8vKbLrjFLY31lQF0MFCo= -github.com/rancher/rancher/pkg/apis v0.0.0-20241107150810-8b9e1881ab4b/go.mod h1:JQDXc3nYZGsnjLxEyoaTH39wfYKoCLL1gdQe6ShOHNQ= 
+github.com/rancher/lasso v0.2.1 h1:SZTqMVQn8cAOqvwGBd1/EYOIJ/MGN+UfJrOWvHd4jHU= +github.com/rancher/lasso v0.2.1/go.mod h1:KSV3jBXfdXqdCuMm2uC8kKB9q/wuDYb3h0eHZoRjShM= +github.com/rancher/norman v0.5.1 h1:jbp49IcX2Hn+N2QA3MHdIXeUG0VgCSIjJs4xnqG+j90= +github.com/rancher/norman v0.5.1/go.mod h1:qX/OG/4wY27xSAcSdRilUBxBumV6Ey2CWpAeaKnBQDs= +github.com/rancher/rancher/pkg/apis v0.0.0-20250213173112-3d729db8a848 h1:0mNj9JwUmMtn5lGfPoE1AiCXMRuCRwMbhnmFVqktswM= +github.com/rancher/rancher/pkg/apis v0.0.0-20250213173112-3d729db8a848/go.mod h1:FfFL3Pw7ds9aaaA0JvZ3m8kJXTg6DNknxLBC0vODpuI= github.com/rancher/rke v1.7.2 h1:+2fcl0gCjRHzf1ev9C9ptQ1pjYbDngC1Qv8V/0ki/dk= github.com/rancher/rke v1.7.2/go.mod h1:+x++Mvl0A3jIzNLiu8nkraqZXiHg6VPWv0Xl4iQCg+A= -github.com/rancher/wrangler/v3 v3.1.0 h1:8ETBnQOEcZaR6WBmUSysWW7WnERBOiNTMJr4Dj3UG/s= -github.com/rancher/wrangler/v3 v3.1.0/go.mod h1:gUPHS1ANs2NyByfeERHwkGiQ1rlIa8BpTJZtNSgMlZw= +github.com/rancher/wrangler/v3 v3.2.0-rc.3 h1:MySHWLxLLrGrM2sq5YYp7Ol1kQqYt9lvIzjGR50UZ+c= +github.com/rancher/wrangler/v3 v3.2.0-rc.3/go.mod h1:0C5QyvSrQOff8gQQzpB/L/FF03EQycjR3unSJcKCHno= github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ= github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= 
@@ -179,13 +176,12 @@ github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU= -github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= +github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= +github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= 
@@ -196,26 +192,26 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 h1:S2dVYn90KE98chqDkyE9Z4N61UnQd+KOfgp5Iu53llk= +github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -go.etcd.io/bbolt v1.3.9 h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI= -go.etcd.io/bbolt v1.3.9/go.mod h1:zaO32+Ti0PK1ivdPtgMESzuzL2VPoIG1PCQNvOdo/dE= -go.etcd.io/etcd/api/v3 v3.5.15 h1:3KpLJir1ZEBrYuV2v+Twaa/e2MdDCEZ/70H+lzEiwsk= -go.etcd.io/etcd/api/v3 v3.5.15/go.mod h1:N9EhGzXq58WuMllgH9ZvnEr7SI9pS0k0+DHZezGp7jM= -go.etcd.io/etcd/client/pkg/v3 v3.5.15 h1:fo0HpWz/KlHGMCC+YejpiCmyWDEuIpnTDzpJLB5fWlA= -go.etcd.io/etcd/client/pkg/v3 v3.5.15/go.mod h1:mXDI4NAOwEiszrHCb0aqfAYNCrZP4e9hRca3d1YK8EU= -go.etcd.io/etcd/client/v2 v2.305.13 h1:RWfV1SX5jTU0lbCvpVQe3iPQeAHETWdOTb6pxhd77C8= -go.etcd.io/etcd/client/v2 v2.305.13/go.mod h1:iQnL7fepbiomdXMb3om1rHq96htNNGv2sJkEcZGDRRg= -go.etcd.io/etcd/client/v3 v3.5.15 h1:23M0eY4Fd/inNv1ZfU3AxrbbOdW79r9V9Rl62Nm6ip4= -go.etcd.io/etcd/client/v3 v3.5.15/go.mod h1:CLSJxrYjvLtHsrPKsy7LmZEE+DK2ktfd2bN4RhBMwlU= -go.etcd.io/etcd/pkg/v3 v3.5.13 h1:st9bDWNsKkBNpP4PR1MvM/9NqUPfvYZx/YXegsYEH8M= -go.etcd.io/etcd/pkg/v3 v3.5.13/go.mod 
h1:N+4PLrp7agI/Viy+dUYpX7iRtSPvKq+w8Y14d1vX+m0= -go.etcd.io/etcd/raft/v3 v3.5.13 h1:7r/NKAOups1YnKcfro2RvGGo2PTuizF/xh26Z2CTAzA= -go.etcd.io/etcd/raft/v3 v3.5.13/go.mod h1:uUFibGLn2Ksm2URMxN1fICGhk8Wu96EfDQyuLhAcAmw= -go.etcd.io/etcd/server/v3 v3.5.13 h1:V6KG+yMfMSqWt+lGnhFpP5z5dRUj1BDRJ5k1fQ9DFok= -go.etcd.io/etcd/server/v3 v3.5.13/go.mod h1:K/8nbsGupHqmr5MkgaZpLlH1QdX1pcNQLAkODy44XcQ= +go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0= +go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I= +go.etcd.io/etcd/api/v3 v3.5.16 h1:WvmyJVbjWqK4R1E+B12RRHz3bRGy9XVfh++MgbN+6n0= +go.etcd.io/etcd/api/v3 v3.5.16/go.mod h1:1P4SlIP/VwkDmGo3OlOD7faPeP8KDIFhqvciH5EfN28= +go.etcd.io/etcd/client/pkg/v3 v3.5.16 h1:ZgY48uH6UvB+/7R9Yf4x574uCO3jIx0TRDyetSfId3Q= +go.etcd.io/etcd/client/pkg/v3 v3.5.16/go.mod h1:V8acl8pcEK0Y2g19YlOV9m9ssUe6MgiDSobSoaBAM0E= +go.etcd.io/etcd/client/v2 v2.305.16 h1:kQrn9o5czVNaukf2A2At43cE9ZtWauOtf9vRZuiKXow= +go.etcd.io/etcd/client/v2 v2.305.16/go.mod h1:h9YxWCzcdvZENbfzBTFCnoNumr2ax3F19sKMqHFmXHE= +go.etcd.io/etcd/client/v3 v3.5.16 h1:sSmVYOAHeC9doqi0gv7v86oY/BTld0SEFGaxsU9eRhE= +go.etcd.io/etcd/client/v3 v3.5.16/go.mod h1:X+rExSGkyqxvu276cr2OwPLBaeqFu1cIl4vmRjAD/50= +go.etcd.io/etcd/pkg/v3 v3.5.16 h1:cnavs5WSPWeK4TYwPYfmcr3Joz9BH+TZ6qoUtz6/+mc= +go.etcd.io/etcd/pkg/v3 v3.5.16/go.mod h1:+lutCZHG5MBBFI/U4eYT5yL7sJfnexsoM20Y0t2uNuY= +go.etcd.io/etcd/raft/v3 v3.5.16 h1:zBXA3ZUpYs1AwiLGPafYAKKl/CORn/uaxYDwlNwndAk= +go.etcd.io/etcd/raft/v3 v3.5.16/go.mod h1:P4UP14AxofMJ/54boWilabqqWoW9eLodl6I5GdGzazI= +go.etcd.io/etcd/server/v3 v3.5.16 h1:d0/SAdJ3vVsZvF8IFVb1k8zqMZ+heGcNfft71ul9GWE= +go.etcd.io/etcd/server/v3 v3.5.16/go.mod h1:ynhyZZpdDp1Gq49jkUg5mfkDWZwXnn3eIqCqtJnrD/s= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod 
h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk= 
@@ -293,16 +289,16 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY= -google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= +google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 h1:KAeGQVN3M9nD0/bQXnr/ClcEMJ968gUXJQ9pwfSynuQ= +google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80/go.mod h1:cc8bqMqtv9gMOr0zHg2Vzff5ULhhL2IXP4sbcn32Dro= google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f h1:jTm13A2itBi3La6yTGqn8bVSrc3ZZ1r8ENHlIXBfnRA= google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f/go.mod h1:CLGoBuH1VHxAUXVPP8FfPwPEVJB6lz3URE5mY2SuayE= google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 h1:QCqS/PdaHTSWGvupk2F/ehwHtGc0/GYkT+3GAcR1CCc= google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= -google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= -google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk= +google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 
v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 
@@ -313,66 +309,63 @@ gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc= gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= -k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= -k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= -k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ= -k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= -k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= -k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c= -k8s.io/apiserver v0.31.1/go.mod h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM= -k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= -k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= -k8s.io/cloud-provider v0.31.1 h1:40b6AgDizwm5eWratZbqubTHMob25VWr6NX2Ei5TwZA= -k8s.io/cloud-provider v0.31.1/go.mod h1:xAdkE7fdZdu9rKLuOZUMBfagu7bM+bas3iPux/2nLGg= -k8s.io/code-generator v0.31.1 h1:GvkRZEP2g2UnB2QKT2Dgc/kYxIkDxCHENv2Q1itioVs= -k8s.io/code-generator 
v0.31.1/go.mod h1:oL2ky46L48osNqqZAeOcWWy0S5BXj50vVdwOtTefqIs= -k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8= -k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w= -k8s.io/component-helpers v0.31.1 h1:5hZUf3747atdgtR3gPntrG35rC2CkK7rYq2KUraz6Os= -k8s.io/component-helpers v0.31.1/go.mod h1:ye0Gi8KzFNTfpIuzvVDtxJQMP/0Owkukf1vGf22Hl6U= -k8s.io/controller-manager v0.31.1 h1:bwiy8y//EG5lJL2mdbOvZWrOgw2EXXIvwp95VYgoIis= -k8s.io/controller-manager v0.31.1/go.mod h1:O440MSE6EI1AEVhB2Fc8FYqv6r8BHrSXjm5aj3886No= -k8s.io/gengo v0.0.0-20240826214909-a7b603a56eb7 h1:HCbtr1pVu/ElMcTTs18KdMtH5y6f7PQvrjh1QZj3qCI= -k8s.io/gengo v0.0.0-20240826214909-a7b603a56eb7/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= -k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70 h1:NGrVE502P0s0/1hudf8zjgwki1X/TByhmAoILTarmzo= -k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70/go.mod h1:VH3AT8AaQOqiGjMF9p0/IM1Dj+82ZwjfxUP1IxaHE+8= -k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= -k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc= +k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k= +k8s.io/apiextensions-apiserver v0.32.1 h1:hjkALhRUeCariC8DiVmb5jj0VjIc1N0DREP32+6UXZw= +k8s.io/apiextensions-apiserver v0.32.1/go.mod h1:sxWIGuGiYov7Io1fAS2X06NjMIk5CbRHc2StSmbaQto= +k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs= +k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= +k8s.io/apiserver v0.32.1 h1:oo0OozRos66WFq87Zc5tclUX2r0mymoVHRq8JmR7Aak= +k8s.io/apiserver v0.32.1/go.mod h1:UcB9tWjBY7aryeI5zAgzVJB/6k7E97bkr1RgqDz0jPw= +k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU= +k8s.io/client-go v0.32.1/go.mod h1:aTTKZY7MdxUaJ/KiUs8D+GssR9zJZi77ZqtzcGXIiDg= +k8s.io/cloud-provider v0.32.1 h1:74rRhnfca3o4CsjjnIp/C3ARVuSmyNsxgWPtH0yc9Z0= 
+k8s.io/cloud-provider v0.32.1/go.mod h1:GECSanFT+EeZ/ToX3xlasjETzMUI+VFu92zHUDUsGHw= +k8s.io/code-generator v0.32.1 h1:4lw1kFNDuFYXquTkB7Sl5EwPMUP2yyW9hh6BnFfRZFY= +k8s.io/code-generator v0.32.1/go.mod h1:zaILfm00CVyP/6/pJMJ3zxRepXkxyDfUV5SNG4CjZI4= +k8s.io/component-base v0.32.1 h1:/5IfJ0dHIKBWysGV0yKTFfacZ5yNV1sulPh3ilJjRZk= +k8s.io/component-base v0.32.1/go.mod h1:j1iMMHi/sqAHeG5z+O9BFNCF698a1u0186zkjMZQ28w= +k8s.io/component-helpers v0.32.1 h1:TwdsSM1vW9GjnfX18lkrZbwE5G9psCIS2/rhenTDXd8= +k8s.io/component-helpers v0.32.1/go.mod h1:1JT1Ei3FD29yFQ18F3laj1WyvxYdHIhyxx6adKMFQXI= +k8s.io/controller-manager v0.32.1 h1:z3oQp1O5l0cSzM/MKf8V4olhJ9TmnELoJRPcV/v1s+Y= +k8s.io/controller-manager v0.32.1/go.mod h1:dVA1UZPbqHH4hEhrrnLvQ4d5qVQCklNB8GEzYV59v/4= +k8s.io/gengo v0.0.0-20250130153323-76c5745d3511 h1:4eL6zr5VCj71nu2nOuQ6j6m/kqh5WueXBN8daZkNe90= +k8s.io/gengo v0.0.0-20250130153323-76c5745d3511/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 h1:si3PfKm8dDYxgfbeA6orqrtLkvvIeH8UqffFJDl0bz4= +k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kms v0.31.1 h1:cGLyV3cIwb0ovpP/jtyIe2mEuQ/MkbhmeBF2IYCA9Io= -k8s.io/kms v0.31.1/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= -k8s.io/kube-aggregator v0.31.1 h1:vrYBTTs3xMrpiEsmBjsLETZE9uuX67oQ8B3i1BFfMPw= -k8s.io/kube-aggregator v0.31.1/go.mod h1:+aW4NX50uneozN+BtoCxI4g7ND922p8Wy3tWKFDiWVk= -k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= -k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= -k8s.io/kubelet v0.31.1 h1:aAxwVxGzbbMKKk/FnSjvkN52K3LdHhjhzmYcyGBuE0c= 
-k8s.io/kubelet v0.31.1/go.mod h1:8ZbexYHqUO946gXEfFmnMZiK2UKRGhk7LlGvJ71p2Ig= -k8s.io/kubernetes v1.31.1 h1:1fcYJe8SAhtannpChbmnzHLwAV9Je99PrGaFtBvCxms= -k8s.io/kubernetes v1.31.1/go.mod h1:/YGPL//Fb9mdv5vukvAQ7Xon+Bqwry52bmjTdORAw+Q= -k8s.io/pod-security-admission v0.31.1 h1:j++ISpfQU0mWpKhoS4tY06Wm5EKdn65teL4lPJhEMIM= -k8s.io/pod-security-admission v0.31.1/go.mod h1:0aE5T6MGm/50Nr/diBrC6+wwpxsT2E7NECe+TepUuEg= +k8s.io/kms v0.32.1 h1:TW6cswRI/fawoQRFGWLmEceO37rZXupdoRdmO019jCc= +k8s.io/kms v0.32.1/go.mod h1:Bk2evz/Yvk0oVrvm4MvZbgq8BD34Ksxs2SRHn4/UiOM= +k8s.io/kube-aggregator v0.32.1 h1:cztPyIHbo6tgrhYHDqmdmvxUufJKuxgAC/vog7yeWek= +k8s.io/kube-aggregator v0.32.1/go.mod h1:sXjL5T8FO/rlBzTbBhahw9V5Nnr1UtzZHKTj9WxQCOU= +k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y= +k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4= +k8s.io/kubelet v0.32.1 h1:bB91GvMsZb+LfzBxnjPEr1Fal/sdxZtYphlfwAaRJGw= +k8s.io/kubelet v0.32.1/go.mod h1:4sAEZ6PlewD0GroV3zscY7llym6kmNNTVmUI/Qshm6w= +k8s.io/kubernetes v1.32.1 h1:46YPpIBCT9dkmeglstZ2Gg4LGaAdro1/3IQ+1AfbF1s= +k8s.io/kubernetes v1.32.1/go.mod h1:tiIKO63GcdPRBHW2WiUFm3C0eoLczl3f7qi56Dm1W8I= +k8s.io/pod-security-admission v0.32.1 h1:jcQjcxSwMsqcnr8ADiYe3Yhts0zEvY8BPEIFY6ducxU= +k8s.io/pod-security-admission v0.32.1/go.mod h1:psSkvN+noAracLrouPjVDID/7TiMWoHQLNoBTVCY/nw= k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0= k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 h1:CPT0ExVicCzcpeN4baWEV2ko2Z/AsiZgEdwgcfwLgMo= 
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/cluster-api v1.8.3 h1:N6i25rF5QMadwVg2UPfuO6CzmNXjqnF2r1MAO+kcsro= sigs.k8s.io/cluster-api v1.8.3/go.mod h1:pXv5LqLxuIbhGIXykyNKiJh+KrLweSBajVHHitPLyoY= -sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= -sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= -sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= -sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= -sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/controller-runtime v0.19.4 h1:SUmheabttt0nx8uJtoII4oIP27BVVvAKFvdvGFwV/Qo= +sigs.k8s.io/controller-runtime v0.19.4/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8= +sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo= +sigs.k8s.io/structured-merge-diff/v4 v4.4.3 h1:sCP7Vv3xx/CWIuTPVN38lUPx0uw0lcLfzaiDa8Ja01A= +sigs.k8s.io/structured-merge-diff/v4 v4.4.3/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/pkg/auth/escalation_test.go b/pkg/auth/escalation_test.go index f56843054..83686ee13 100644 --- a/pkg/auth/escalation_test.go +++ b/pkg/auth/escalation_test.go 
@@ -178,7 +178,8 @@ func (e *EscalationSuite) TestRequestUserHasVerb() { const errorUser = "errorUser" goodRequest := e.newDefaultRequest(testUser) k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() k8Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (handled bool, ret runtime.Object, err error) { createAction := action.(k8testing.CreateActionImpl) review := createAction.GetObject().(*authorizationv1.SubjectAccessReview) diff --git a/pkg/auth/rolegetter.go b/pkg/auth/rolegetter.go index 22ccd0cd5..be8939a70 100644 --- a/pkg/auth/rolegetter.go +++ b/pkg/auth/rolegetter.go @@ -1,6 +1,8 @@ package auth import ( + "context" + wranglerv1 "github.com/rancher/wrangler/v3/pkg/generated/controllers/rbac/v1" rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/labels" 
@@ -15,21 +17,21 @@ type RBACRestGetter struct { } // GetRole gets role within the given namespace that matches the provided name. -func (r RBACRestGetter) GetRole(namespace, name string) (*rbacv1.Role, error) { +func (r RBACRestGetter) GetRole(_ context.Context, namespace, name string) (*rbacv1.Role, error) { return r.Roles.Get(namespace, name) } // ListRoleBindings list all roleBindings in the given namespace. -func (r RBACRestGetter) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error) { +func (r RBACRestGetter) ListRoleBindings(_ context.Context, namespace string) ([]*rbacv1.RoleBinding, error) { return r.RoleBindings.List(namespace, labels.NewSelector()) } // GetClusterRole gets the clusterRole with the given name. -func (r RBACRestGetter) GetClusterRole(name string) (*rbacv1.ClusterRole, error) { +func (r RBACRestGetter) GetClusterRole(_ context.Context, name string) (*rbacv1.ClusterRole, error) { return r.ClusterRoles.Get(name) } // ListClusterRoleBindings list all clusterRoleBindings. -func (r RBACRestGetter) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error) { +func (r RBACRestGetter) ListClusterRoleBindings(_ context.Context) ([]*rbacv1.ClusterRoleBinding, error) { return r.ClusterRoleBindings.List(labels.NewSelector()) } diff --git a/pkg/codegen/main.go b/pkg/codegen/main.go index 4602a85b2..b30fe58bc 100644 --- a/pkg/codegen/main.go +++ b/pkg/codegen/main.go @@ -1,8 +1,3 @@ -// Turn off creation of Alias types, which break code generation. -// This can be removed after migrating to k8s 1.32 code generators that are aware of the new type. -// For more details see https://github.com/rancher/rancher/issues/47207 -//go:debug gotypesalias=0 - package main import ( diff --git a/pkg/generated/controllers/management.cattle.io/v3/clusterroletemplatebinding.go b/pkg/generated/controllers/management.cattle.io/v3/clusterroletemplatebinding.go index d23b9daa3..99a18fb00 100644 
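Review bot: All four RBACRestGetter methods in this hunk (GetRole, ListRoleBindings, GetClusterRole, ListClusterRoleBindings) now accept a context.Context and discard it as `_`, but none of the doc comments says so. A caller that passes a request-scoped context may expect cancellation or a deadline to bound these RBAC lookups, and it will not. The calls shown (`r.Roles.Get(namespace, name)`, `r.RoleBindings.List(namespace, labels.NewSelector())`) take no context, which suggests cache-backed getters, though the field types are declared outside this hunk. I would document this once on the type or on each method, e.g. `// The context is ignored: the underlying wrangler getters take no context.` If any of these fields can be backed by a live API client rather than a cache, the context should be threaded through instead of dropped.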
--- a/pkg/generated/controllers/management.cattle.io/v3/clusterroletemplatebinding.go +++ b/pkg/generated/controllers/management.cattle.io/v3/clusterroletemplatebinding.go @@ -19,8 +19,19 @@ limitations under the License. package v3 import ( + "context" + "sync" + "time" + v3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3" + "github.com/rancher/wrangler/v3/pkg/apply" + "github.com/rancher/wrangler/v3/pkg/condition" "github.com/rancher/wrangler/v3/pkg/generic" + "github.com/rancher/wrangler/v3/pkg/kv" + "k8s.io/apimachinery/pkg/api/equality" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" ) // ClusterRoleTemplateBindingController interface for managing ClusterRoleTemplateBinding resources. 
@@ -37,3 +48,161 @@ type ClusterRoleTemplateBindingClient interface { type ClusterRoleTemplateBindingCache interface { generic.CacheInterface[*v3.ClusterRoleTemplateBinding] } + +// ClusterRoleTemplateBindingStatusHandler is executed for every added or modified ClusterRoleTemplateBinding. Should return the new status to be updated +type ClusterRoleTemplateBindingStatusHandler func(obj *v3.ClusterRoleTemplateBinding, status v3.ClusterRoleTemplateBindingStatus) (v3.ClusterRoleTemplateBindingStatus, error) + +// ClusterRoleTemplateBindingGeneratingHandler is the top-level handler that is executed for every ClusterRoleTemplateBinding event. It extends ClusterRoleTemplateBindingStatusHandler by a returning a slice of child objects to be passed to apply.Apply +type ClusterRoleTemplateBindingGeneratingHandler func(obj *v3.ClusterRoleTemplateBinding, status v3.ClusterRoleTemplateBindingStatus) ([]runtime.Object, v3.ClusterRoleTemplateBindingStatus, error) + +// RegisterClusterRoleTemplateBindingStatusHandler configures a ClusterRoleTemplateBindingController to execute a ClusterRoleTemplateBindingStatusHandler for every events observed. +// If a non-empty condition is provided, it will be updated in the status conditions for every handler execution +func RegisterClusterRoleTemplateBindingStatusHandler(ctx context.Context, controller ClusterRoleTemplateBindingController, condition condition.Cond, name string, handler ClusterRoleTemplateBindingStatusHandler) { + statusHandler := &clusterRoleTemplateBindingStatusHandler{ + client: controller, + condition: condition, + handler: handler, + } + controller.AddGenericHandler(ctx, name, generic.FromObjectHandlerToHandler(statusHandler.sync)) +} + +// RegisterClusterRoleTemplateBindingGeneratingHandler configures a ClusterRoleTemplateBindingController to execute a ClusterRoleTemplateBindingGeneratingHandler for every events observed, passing the returned objects to the provided apply.Apply. 
+// If a non-empty condition is provided, it will be updated in the status conditions for every handler execution +func RegisterClusterRoleTemplateBindingGeneratingHandler(ctx context.Context, controller ClusterRoleTemplateBindingController, apply apply.Apply, + condition condition.Cond, name string, handler ClusterRoleTemplateBindingGeneratingHandler, opts *generic.GeneratingHandlerOptions) { + statusHandler := &clusterRoleTemplateBindingGeneratingHandler{ + ClusterRoleTemplateBindingGeneratingHandler: handler, + apply: apply, + name: name, + gvk: controller.GroupVersionKind(), + } + if opts != nil { + statusHandler.opts = *opts + } + controller.OnChange(ctx, name, statusHandler.Remove) + RegisterClusterRoleTemplateBindingStatusHandler(ctx, controller, condition, name, statusHandler.Handle) +} + +type clusterRoleTemplateBindingStatusHandler struct { + client ClusterRoleTemplateBindingClient + condition condition.Cond + handler ClusterRoleTemplateBindingStatusHandler +} + +// sync is executed on every resource addition or modification. 
Executes the configured handlers and sends the updated status to the Kubernetes API +func (a *clusterRoleTemplateBindingStatusHandler) sync(key string, obj *v3.ClusterRoleTemplateBinding) (*v3.ClusterRoleTemplateBinding, error) { + if obj == nil { + return obj, nil + } + + origStatus := obj.Status.DeepCopy() + obj = obj.DeepCopy() + newStatus, err := a.handler(obj, obj.Status) + if err != nil { + // Revert to old status on error + newStatus = *origStatus.DeepCopy() + } + + if a.condition != "" { + if errors.IsConflict(err) { + a.condition.SetError(&newStatus, "", nil) + } else { + a.condition.SetError(&newStatus, "", err) + } + } + if !equality.Semantic.DeepEqual(origStatus, &newStatus) { + if a.condition != "" { + // Since status has changed, update the lastUpdatedTime + a.condition.LastUpdated(&newStatus, time.Now().UTC().Format(time.RFC3339)) + } + + var newErr error + obj.Status = newStatus + newObj, newErr := a.client.UpdateStatus(obj) + if err == nil { + err = newErr + } + if newErr == nil { + obj = newObj + } + } + return obj, err +} + +type clusterRoleTemplateBindingGeneratingHandler struct { + ClusterRoleTemplateBindingGeneratingHandler + apply apply.Apply + opts generic.GeneratingHandlerOptions + gvk schema.GroupVersionKind + name string + seen sync.Map +} + +// Remove handles the observed deletion of a resource, cascade deleting every associated resource previously applied +func (a *clusterRoleTemplateBindingGeneratingHandler) Remove(key string, obj *v3.ClusterRoleTemplateBinding) (*v3.ClusterRoleTemplateBinding, error) { + if obj != nil { + return obj, nil + } + + obj = &v3.ClusterRoleTemplateBinding{} + obj.Namespace, obj.Name = kv.RSplit(key, "/") + obj.SetGroupVersionKind(a.gvk) + + if a.opts.UniqueApplyForResourceVersion { + a.seen.Delete(key) + } + + return nil, generic.ConfigureApplyForObject(a.apply, obj, &a.opts). + WithOwner(obj). + WithSetID(a.name). 
+ ApplyObjects() +} + +// Handle executes the configured ClusterRoleTemplateBindingGeneratingHandler and pass the resulting objects to apply.Apply, finally returning the new status of the resource +func (a *clusterRoleTemplateBindingGeneratingHandler) Handle(obj *v3.ClusterRoleTemplateBinding, status v3.ClusterRoleTemplateBindingStatus) (v3.ClusterRoleTemplateBindingStatus, error) { + if !obj.DeletionTimestamp.IsZero() { + return status, nil + } + + objs, newStatus, err := a.ClusterRoleTemplateBindingGeneratingHandler(obj, status) + if err != nil { + return newStatus, err + } + if !a.isNewResourceVersion(obj) { + return newStatus, nil + } + + err = generic.ConfigureApplyForObject(a.apply, obj, &a.opts). + WithOwner(obj). + WithSetID(a.name). + ApplyObjects(objs...) + if err != nil { + return newStatus, err + } + a.storeResourceVersion(obj) + return newStatus, nil +} + +// isNewResourceVersion detects if a specific resource version was already successfully processed. +// Only used if UniqueApplyForResourceVersion is set in generic.GeneratingHandlerOptions +func (a *clusterRoleTemplateBindingGeneratingHandler) isNewResourceVersion(obj *v3.ClusterRoleTemplateBinding) bool { + if !a.opts.UniqueApplyForResourceVersion { + return true + } + + // Apply once per resource version + key := obj.Namespace + "/" + obj.Name + previous, ok := a.seen.Load(key) + return !ok || previous != obj.ResourceVersion +} + +// storeResourceVersion keeps track of the latest resource version of an object for which Apply was executed +// Only used if UniqueApplyForResourceVersion is set in generic.GeneratingHandlerOptions +func (a *clusterRoleTemplateBindingGeneratingHandler) storeResourceVersion(obj *v3.ClusterRoleTemplateBinding) { + if !a.opts.UniqueApplyForResourceVersion { + return + } + + key := obj.Namespace + "/" + obj.Name + a.seen.Store(key, obj.ResourceVersion) +} 
diff --git a/pkg/generated/controllers/management.cattle.io/v3/globalrolebinding.go b/pkg/generated/controllers/management.cattle.io/v3/globalrolebinding.go index 72e41861d..6deb0bfbe 100644 --- a/pkg/generated/controllers/management.cattle.io/v3/globalrolebinding.go +++ b/pkg/generated/controllers/management.cattle.io/v3/globalrolebinding.go @@ -19,8 +19,19 @@ limitations under the License. package v3 import ( + "context" + "sync" + "time" + v3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3" + "github.com/rancher/wrangler/v3/pkg/apply" + "github.com/rancher/wrangler/v3/pkg/condition" "github.com/rancher/wrangler/v3/pkg/generic" + "github.com/rancher/wrangler/v3/pkg/kv" + "k8s.io/apimachinery/pkg/api/equality" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" ) // GlobalRoleBindingController interface for managing GlobalRoleBinding resources. 
@@ -37,3 +48,161 @@ type GlobalRoleBindingClient interface { type GlobalRoleBindingCache interface { generic.NonNamespacedCacheInterface[*v3.GlobalRoleBinding] } + +// GlobalRoleBindingStatusHandler is executed for every added or modified GlobalRoleBinding. Should return the new status to be updated +type GlobalRoleBindingStatusHandler func(obj *v3.GlobalRoleBinding, status v3.GlobalRoleBindingStatus) (v3.GlobalRoleBindingStatus, error) + +// GlobalRoleBindingGeneratingHandler is the top-level handler that is executed for every GlobalRoleBinding event. It extends GlobalRoleBindingStatusHandler by a returning a slice of child objects to be passed to apply.Apply +type GlobalRoleBindingGeneratingHandler func(obj *v3.GlobalRoleBinding, status v3.GlobalRoleBindingStatus) ([]runtime.Object, v3.GlobalRoleBindingStatus, error) + +// RegisterGlobalRoleBindingStatusHandler configures a GlobalRoleBindingController to execute a GlobalRoleBindingStatusHandler for every events observed. +// If a non-empty condition is provided, it will be updated in the status conditions for every handler execution +func RegisterGlobalRoleBindingStatusHandler(ctx context.Context, controller GlobalRoleBindingController, condition condition.Cond, name string, handler GlobalRoleBindingStatusHandler) { + statusHandler := &globalRoleBindingStatusHandler{ + client: controller, + condition: condition, + handler: handler, + } + controller.AddGenericHandler(ctx, name, generic.FromObjectHandlerToHandler(statusHandler.sync)) +} + +// RegisterGlobalRoleBindingGeneratingHandler configures a GlobalRoleBindingController to execute a GlobalRoleBindingGeneratingHandler for every events observed, passing the returned objects to the provided apply.Apply. 
+// If a non-empty condition is provided, it will be updated in the status conditions for every handler execution +func RegisterGlobalRoleBindingGeneratingHandler(ctx context.Context, controller GlobalRoleBindingController, apply apply.Apply, + condition condition.Cond, name string, handler GlobalRoleBindingGeneratingHandler, opts *generic.GeneratingHandlerOptions) { + statusHandler := &globalRoleBindingGeneratingHandler{ + GlobalRoleBindingGeneratingHandler: handler, + apply: apply, + name: name, + gvk: controller.GroupVersionKind(), + } + if opts != nil { + statusHandler.opts = *opts + } + controller.OnChange(ctx, name, statusHandler.Remove) + RegisterGlobalRoleBindingStatusHandler(ctx, controller, condition, name, statusHandler.Handle) +} + +type globalRoleBindingStatusHandler struct { + client GlobalRoleBindingClient + condition condition.Cond + handler GlobalRoleBindingStatusHandler +} + +// sync is executed on every resource addition or modification. Executes the configured handlers and sends the updated status to the Kubernetes API +func (a *globalRoleBindingStatusHandler) sync(key string, obj *v3.GlobalRoleBinding) (*v3.GlobalRoleBinding, error) { + if obj == nil { + return obj, nil + } + + origStatus := obj.Status.DeepCopy() + obj = obj.DeepCopy() + newStatus, err := a.handler(obj, obj.Status) + if err != nil { + // Revert to old status on error + newStatus = *origStatus.DeepCopy() + } + + if a.condition != "" { + if errors.IsConflict(err) { + a.condition.SetError(&newStatus, "", nil) + } else { + a.condition.SetError(&newStatus, "", err) + } + } + if !equality.Semantic.DeepEqual(origStatus, &newStatus) { + if a.condition != "" { + // Since status has changed, update the lastUpdatedTime + a.condition.LastUpdated(&newStatus, time.Now().UTC().Format(time.RFC3339)) + } + + var newErr error + obj.Status = newStatus + newObj, newErr := a.client.UpdateStatus(obj) + if err == nil { + err = newErr + } + if newErr == nil { + obj = newObj + } + } + return obj, err 
+} + +type globalRoleBindingGeneratingHandler struct { + GlobalRoleBindingGeneratingHandler + apply apply.Apply + opts generic.GeneratingHandlerOptions + gvk schema.GroupVersionKind + name string + seen sync.Map +} + +// Remove handles the observed deletion of a resource, cascade deleting every associated resource previously applied +func (a *globalRoleBindingGeneratingHandler) Remove(key string, obj *v3.GlobalRoleBinding) (*v3.GlobalRoleBinding, error) { + if obj != nil { + return obj, nil + } + + obj = &v3.GlobalRoleBinding{} + obj.Namespace, obj.Name = kv.RSplit(key, "/") + obj.SetGroupVersionKind(a.gvk) + + if a.opts.UniqueApplyForResourceVersion { + a.seen.Delete(key) + } + + return nil, generic.ConfigureApplyForObject(a.apply, obj, &a.opts). + WithOwner(obj). + WithSetID(a.name). + ApplyObjects() +} + +// Handle executes the configured GlobalRoleBindingGeneratingHandler and pass the resulting objects to apply.Apply, finally returning the new status of the resource +func (a *globalRoleBindingGeneratingHandler) Handle(obj *v3.GlobalRoleBinding, status v3.GlobalRoleBindingStatus) (v3.GlobalRoleBindingStatus, error) { + if !obj.DeletionTimestamp.IsZero() { + return status, nil + } + + objs, newStatus, err := a.GlobalRoleBindingGeneratingHandler(obj, status) + if err != nil { + return newStatus, err + } + if !a.isNewResourceVersion(obj) { + return newStatus, nil + } + + err = generic.ConfigureApplyForObject(a.apply, obj, &a.opts). + WithOwner(obj). + WithSetID(a.name). + ApplyObjects(objs...) + if err != nil { + return newStatus, err + } + a.storeResourceVersion(obj) + return newStatus, nil +} + +// isNewResourceVersion detects if a specific resource version was already successfully processed. 
+// Only used if UniqueApplyForResourceVersion is set in generic.GeneratingHandlerOptions +func (a *globalRoleBindingGeneratingHandler) isNewResourceVersion(obj *v3.GlobalRoleBinding) bool { + if !a.opts.UniqueApplyForResourceVersion { + return true + } + + // Apply once per resource version + key := obj.Namespace + "/" + obj.Name + previous, ok := a.seen.Load(key) + return !ok || previous != obj.ResourceVersion +} + +// storeResourceVersion keeps track of the latest resource version of an object for which Apply was executed +// Only used if UniqueApplyForResourceVersion is set in generic.GeneratingHandlerOptions +func (a *globalRoleBindingGeneratingHandler) storeResourceVersion(obj *v3.GlobalRoleBinding) { + if !a.opts.UniqueApplyForResourceVersion { + return + } + + key := obj.Namespace + "/" + obj.Name + a.seen.Store(key, obj.ResourceVersion) +} diff --git a/pkg/mocks/authRuleResolver.go b/pkg/mocks/authRuleResolver.go index 2893114b2..db57eae05 100644 --- a/pkg/mocks/authRuleResolver.go +++ b/pkg/mocks/authRuleResolver.go @@ -1,14 +1,20 @@ // Code generated by MockGen. DO NOT EDIT. // Source: k8s.io/kubernetes/pkg/registry/rbac/validation (interfaces: AuthorizationRuleResolver) +// +// Generated by this command: +// +// mockgen --build_flags=--mod=mod -package resolvers -destination ./mockAuthRuleResolver_test.go k8s.io/kubernetes/pkg/registry/rbac/validation AuthorizationRuleResolver +// // Package resolvers is a generated GoMock package. package mocks import ( + context "context" fmt "fmt" reflect "reflect" - "go.uber.org/mock/gomock" + gomock "go.uber.org/mock/gomock" v1 "k8s.io/api/rbac/v1" user "k8s.io/apiserver/pkg/authentication/user" ) @@ -17,6 +23,7 @@ import ( type MockAuthorizationRuleResolver struct { ctrl *gomock.Controller recorder *MockAuthorizationRuleResolverMockRecorder + isgomock struct{} } // MockAuthorizationRuleResolverMockRecorder is the mock recorder for MockAuthorizationRuleResolver. 
@@ -37,43 +44,43 @@ func (m *MockAuthorizationRuleResolver) EXPECT() *MockAuthorizationRuleResolverM } // GetRoleReferenceRules mocks base method. -func (m *MockAuthorizationRuleResolver) GetRoleReferenceRules(arg0 v1.RoleRef, arg1 string) ([]v1.PolicyRule, error) { +func (m *MockAuthorizationRuleResolver) GetRoleReferenceRules(ctx context.Context, roleRef v1.RoleRef, namespace string) ([]v1.PolicyRule, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "GetRoleReferenceRules", arg0, arg1) + ret := m.ctrl.Call(m, "GetRoleReferenceRules", ctx, roleRef, namespace) ret0, _ := ret[0].([]v1.PolicyRule) ret1, _ := ret[1].(error) return ret0, ret1 } // GetRoleReferenceRules indicates an expected call of GetRoleReferenceRules. -func (mr *MockAuthorizationRuleResolverMockRecorder) GetRoleReferenceRules(arg0, arg1 interface{}) *gomock.Call { +func (mr *MockAuthorizationRuleResolverMockRecorder) GetRoleReferenceRules(ctx, roleRef, namespace any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetRoleReferenceRules", reflect.TypeOf((*MockAuthorizationRuleResolver)(nil).GetRoleReferenceRules), arg0, arg1) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetRoleReferenceRules", reflect.TypeOf((*MockAuthorizationRuleResolver)(nil).GetRoleReferenceRules), ctx, roleRef, namespace) } // RulesFor mocks base method. -func (m *MockAuthorizationRuleResolver) RulesFor(arg0 user.Info, arg1 string) ([]v1.PolicyRule, error) { +func (m *MockAuthorizationRuleResolver) RulesFor(ctx context.Context, user user.Info, namespace string) ([]v1.PolicyRule, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "RulesFor", arg0, arg1) + ret := m.ctrl.Call(m, "RulesFor", ctx, user, namespace) ret0, _ := ret[0].([]v1.PolicyRule) ret1, _ := ret[1].(error) return ret0, ret1 } // RulesFor indicates an expected call of RulesFor. 
-func (mr *MockAuthorizationRuleResolverMockRecorder) RulesFor(arg0, arg1 interface{}) *gomock.Call { +func (mr *MockAuthorizationRuleResolverMockRecorder) RulesFor(ctx, user, namespace any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RulesFor", reflect.TypeOf((*MockAuthorizationRuleResolver)(nil).RulesFor), arg0, arg1) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RulesFor", reflect.TypeOf((*MockAuthorizationRuleResolver)(nil).RulesFor), ctx, user, namespace) } // VisitRulesFor mocks base method. -func (m *MockAuthorizationRuleResolver) VisitRulesFor(arg0 user.Info, arg1 string, arg2 func(fmt.Stringer, *v1.PolicyRule, error) bool) { +func (m *MockAuthorizationRuleResolver) VisitRulesFor(ctx context.Context, user user.Info, namespace string, visitor func(fmt.Stringer, *v1.PolicyRule, error) bool) { m.ctrl.T.Helper() - m.ctrl.Call(m, "VisitRulesFor", arg0, arg1, arg2) + m.ctrl.Call(m, "VisitRulesFor", ctx, user, namespace, visitor) } // VisitRulesFor indicates an expected call of VisitRulesFor. -func (mr *MockAuthorizationRuleResolverMockRecorder) VisitRulesFor(arg0, arg1, arg2 interface{}) *gomock.Call { +func (mr *MockAuthorizationRuleResolverMockRecorder) VisitRulesFor(ctx, user, namespace, visitor any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VisitRulesFor", reflect.TypeOf((*MockAuthorizationRuleResolver)(nil).VisitRulesFor), arg0, arg1, arg2) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VisitRulesFor", reflect.TypeOf((*MockAuthorizationRuleResolver)(nil).VisitRulesFor), ctx, user, namespace, visitor) } diff --git a/pkg/resolvers/aggregateResolver.go b/pkg/resolvers/aggregateResolver.go index 11cf4b0e2..da1a64ab5 100644 --- a/pkg/resolvers/aggregateResolver.go +++ b/pkg/resolvers/aggregateResolver.go @@ -1,6 +1,7 @@ package resolvers import ( + "context" "fmt" rbacv1 "k8s.io/api/rbac/v1" 
@@ -21,10 +22,10 @@ func NewAggregateRuleResolver(resolvers ...validation.AuthorizationRuleResolver) } // GetRoleReferenceRules calls GetRoleReferenceRules on each resolver and returns all returned rules and errors. -func (a *AggregateRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error) { +func (a *AggregateRuleResolver) GetRoleReferenceRules(ctx context.Context, roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error) { visitor := &ruleAccumulator{} for _, resolver := range a.resolvers { - rules, err := resolver.GetRoleReferenceRules(roleRef, namespace) + rules, err := resolver.GetRoleReferenceRules(ctx, roleRef, namespace) visitRules(nil, rules, err, visitor.visit) } return visitor.rules, visitor.getError() 
@@ -33,16 +34,16 @@ func (a *AggregateRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, na // RulesFor returns the list of rules that apply to a given user in a given namespace and error for all Resolvers. If an error is returned, the slice of // PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations // can be made on the basis of those rules that are found. -func (a *AggregateRuleResolver) RulesFor(user user.Info, namespace string) (rules []rbacv1.PolicyRule, retError error) { +func (a *AggregateRuleResolver) RulesFor(ctx context.Context, user user.Info, namespace string) (rules []rbacv1.PolicyRule, retError error) { visitor := &ruleAccumulator{} - a.VisitRulesFor(user, namespace, visitor.visit) + a.VisitRulesFor(ctx, user, namespace, visitor.visit) return visitor.rules, visitor.getError() } // VisitRulesFor invokes VisitRulesFor() on each resolver. // If visitor() returns false, visiting is short-circuited for that resolver. -func (a *AggregateRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) { +func (a *AggregateRuleResolver) VisitRulesFor(ctx context.Context, user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) { for _, resolver := range a.resolvers { - resolver.VisitRulesFor(user, namespace, visitor) + resolver.VisitRulesFor(ctx, user, namespace, visitor) } } diff --git a/pkg/resolvers/aggregateResolver_test.go b/pkg/resolvers/aggregateResolver_test.go index 2f25aba70..409a2b840 100644 --- a/pkg/resolvers/aggregateResolver_test.go +++ b/pkg/resolvers/aggregateResolver_test.go 
@@ -3,6 +3,7 @@ package resolvers // test generated with: // mockgen --build_flags=--mod=mod -package resolvers -destination ./mockAuthRuleResolver_test.go "k8s.io/kubernetes/pkg/registry/rbac/validation" AuthorizationRuleResolver import ( + "context" "fmt" "testing" @@ -57,14 +58,14 @@ func (a *AggregateResolverSuite) TestAggregateRuleResolverGetRules() { resolvers: func(t *testing.T) ([]validation.AuthorizationRuleResolver, Rules) { expectedRules := []rbacv1.PolicyRule{a.ruleAdmin} resolver := mocks.NewMockAuthorizationRuleResolver(gomock.NewController(t)) - resolver.EXPECT().VisitRulesFor(testUser, testNameSpace, gomock.Any()). - DoAndReturn(func(_ user.Info, _ string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) bool { + resolver.EXPECT().VisitRulesFor(context.Background(), testUser, testNameSpace, gomock.Any()). + DoAndReturn(func(_ context.Context, _ user.Info, _ string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) bool { for _, rule := range expectedRules { visitor(nil, &rule, nil) } return true }) - resolver.EXPECT().GetRoleReferenceRules(gomock.Any(), gomock.Any()).Return(expectedRules, nil) + resolver.EXPECT().GetRoleReferenceRules(context.Background(), gomock.Any(), gomock.Any()).Return(expectedRules, nil) return []validation.AuthorizationRuleResolver{resolver}, expectedRules }, }, 
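Review bot: The expectations in the -57 hunk pin the new first argument to `context.Background()`, which gomock matches by equality, so these tests will fail for an unrelated reason as soon as the code under test passes a derived context (a timeout or a request-scoped value). Matching the context loosely keeps the tests about rule aggregation: `resolver.EXPECT().VisitRulesFor(gomock.Any(), testUser, testNameSpace, gomock.Any())` and `resolver.EXPECT().GetRoleReferenceRules(gomock.Any(), gomock.Any(), gomock.Any())`. The same applies to the expectations in the -76, -97 and -122 hunks of this file. The enclosing test function starts and ends outside the hunk.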
@@ -76,14 +77,14 @@ func (a *AggregateResolverSuite) TestAggregateRuleResolverGetRules() { resolvers: func(t *testing.T) ([]validation.AuthorizationRuleResolver, Rules) { expectedRules := []rbacv1.PolicyRule{} resolver := mocks.NewMockAuthorizationRuleResolver(gomock.NewController(t)) - resolver.EXPECT().VisitRulesFor(gomock.Any(), testNameSpace, gomock.Any()). - DoAndReturn(func(_ user.Info, _ string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) bool { + resolver.EXPECT().VisitRulesFor(context.Background(), gomock.Any(), testNameSpace, gomock.Any()). + DoAndReturn(func(_ context.Context, _ user.Info, _ string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) bool { visitor(nil, nil, errNotFound) return true }) resolver2 := mocks.NewMockAuthorizationRuleResolver(gomock.NewController(t)) - resolver2.EXPECT().VisitRulesFor(gomock.Any(), testNameSpace, gomock.Any()). - DoAndReturn(func(_ user.Info, _ string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) bool { + resolver2.EXPECT().VisitRulesFor(context.Background(), gomock.Any(), testNameSpace, gomock.Any()). + DoAndReturn(func(_ context.Context, _ user.Info, _ string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) bool { visitor(nil, nil, errNotFound) return true }) 
@@ -97,20 +98,20 @@ func (a *AggregateResolverSuite) TestAggregateRuleResolverGetRules() { resolvers: func(t *testing.T) ([]validation.AuthorizationRuleResolver, Rules) { expectedRules := []rbacv1.PolicyRule{a.ruleReadPods} resolver := mocks.NewMockAuthorizationRuleResolver(gomock.NewController(t)) - resolver.EXPECT().VisitRulesFor(testUser, testNameSpace, gomock.Any()). - DoAndReturn(func(_ user.Info, _ string, _ func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) bool { + resolver.EXPECT().VisitRulesFor(context.Background(), testUser, testNameSpace, gomock.Any()). + DoAndReturn(func(_ context.Context, _ user.Info, _ string, _ func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) bool { return true }) - resolver.EXPECT().GetRoleReferenceRules(gomock.Any(), gomock.Any()).Return(expectedRules, nil) + resolver.EXPECT().GetRoleReferenceRules(context.Background(), gomock.Any(), gomock.Any()).Return(expectedRules, nil) resolver2 := mocks.NewMockAuthorizationRuleResolver(gomock.NewController(t)) - resolver2.EXPECT().VisitRulesFor(testUser, testNameSpace, gomock.Any()). - DoAndReturn(func(_ user.Info, _ string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) bool { + resolver2.EXPECT().VisitRulesFor(context.Background(), testUser, testNameSpace, gomock.Any()). + DoAndReturn(func(_ context.Context, _ user.Info, _ string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) bool { for _, rule := range expectedRules { visitor(nil, &rule, nil) } return true }) - resolver2.EXPECT().GetRoleReferenceRules(gomock.Any(), gomock.Any()).Return(nil, nil) + resolver2.EXPECT().GetRoleReferenceRules(context.Background(), gomock.Any(), gomock.Any()).Return(nil, nil) return []validation.AuthorizationRuleResolver{resolver, resolver2}, expectedRules }, }, 
@@ -122,23 +123,23 @@ func (a *AggregateResolverSuite) TestAggregateRuleResolverGetRules() { expectedRules1 := []rbacv1.PolicyRule{a.ruleAdmin} expectedRules2 := []rbacv1.PolicyRule{a.ruleReadPods} resolver := mocks.NewMockAuthorizationRuleResolver(gomock.NewController(t)) - resolver.EXPECT().VisitRulesFor(testUser, testNameSpace, gomock.Any()). - DoAndReturn(func(_ user.Info, _ string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) bool { + resolver.EXPECT().VisitRulesFor(context.Background(), testUser, testNameSpace, gomock.Any()). + DoAndReturn(func(_ context.Context, _ user.Info, _ string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) bool { for _, rule := range expectedRules1 { visitor(nil, &rule, nil) } return true }) - resolver.EXPECT().GetRoleReferenceRules(gomock.Any(), gomock.Any()).Return(expectedRules1, nil) + resolver.EXPECT().GetRoleReferenceRules(context.Background(), gomock.Any(), gomock.Any()).Return(expectedRules1, nil) resolver2 := mocks.NewMockAuthorizationRuleResolver(gomock.NewController(t)) - resolver2.EXPECT().VisitRulesFor(testUser, testNameSpace, gomock.Any()). - DoAndReturn(func(_ user.Info, _ string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) bool { + resolver2.EXPECT().VisitRulesFor(context.Background(), testUser, testNameSpace, gomock.Any()). + DoAndReturn(func(_ context.Context, _ user.Info, _ string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) bool { for _, rule := range expectedRules2 { visitor(nil, &rule, nil) } return true }) - resolver2.EXPECT().GetRoleReferenceRules(gomock.Any(), gomock.Any()).Return(expectedRules2, nil) + resolver2.EXPECT().GetRoleReferenceRules(context.Background(), gomock.Any(), gomock.Any()).Return(expectedRules2, nil) return []validation.AuthorizationRuleResolver{resolver, resolver2}, append(expectedRules1, expectedRules2...) }, }, 
@@ -147,7 +148,7 @@ func (a *AggregateResolverSuite) TestAggregateRuleResolverGetRules() { a.Run(tt.name, func() { resolverList, expectedRules := tt.resolvers(a.T()) agg := NewAggregateRuleResolver(resolverList...) - gotRules, err := agg.RulesFor(tt.user, tt.namespace) + gotRules, err := agg.RulesFor(context.Background(), tt.user, tt.namespace) if tt.wantErr { a.Errorf(err, "AggregateRuleResolver.RulesFor() error = %v, wantErr %v", err, tt.wantErr) // still check result because function is suppose to return partial results. @@ -161,7 +162,7 @@ func (a *AggregateResolverSuite) TestAggregateRuleResolverGetRules() { if !expectedRules.Equal(gotRules) { a.Fail("List of rules did not match", "wanted=%+v got=%+v", expectedRules, gotRules) } - gotRules, err = agg.GetRoleReferenceRules(rbacv1.RoleRef{}, tt.namespace) + gotRules, err = agg.GetRoleReferenceRules(context.Background(), rbacv1.RoleRef{}, tt.namespace) if !expectedRules.Equal(gotRules) { a.Fail("List of rules did not match", "wanted=%+v got=%+v", expectedRules, gotRules) } diff --git a/pkg/resolvers/crtbResolver.go b/pkg/resolvers/crtbResolver.go index ff91ffca4..04f42028a 100644 --- a/pkg/resolvers/crtbResolver.go +++ b/pkg/resolvers/crtbResolver.go @@ -1,6 +1,7 @@ package resolvers import ( + "context" "fmt" apisv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3" 
@@ -33,22 +34,22 @@ func NewCRTBRuleResolver(crtbCache v3.ClusterRoleTemplateBindingCache, roleTempl // GetRoleReferenceRules is used to find which roles are granted by a rolebinding/clusterrolebinding. Since we don't // use these primitives to refer to role templates return empty list. -func (c *CRTBRuleResolver) GetRoleReferenceRules(rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error) { +func (c *CRTBRuleResolver) GetRoleReferenceRules(context.Context, rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error) { return []rbacv1.PolicyRule{}, nil } // RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of // PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations // can be made on the basis of those rules that are found. -func (c *CRTBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error) { +func (c *CRTBRuleResolver) RulesFor(ctx context.Context, user user.Info, namespace string) ([]rbacv1.PolicyRule, error) { visitor := &ruleAccumulator{} - c.VisitRulesFor(user, namespace, visitor.visit) + c.VisitRulesFor(ctx, user, namespace, visitor.visit) return visitor.rules, visitor.getError() } // VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. // If visitor() returns false, visiting is short-circuited. -func (c *CRTBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) { +func (c *CRTBRuleResolver) VisitRulesFor(_ context.Context, user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) { // for each group check if there are any CRTBs that match subject and namespace using the indexer. 
// For each returned binding get a list of it's rules with the RoleTemplateResolver and call visit for each rule. for _, group := range user.GetGroups() { diff --git a/pkg/resolvers/crtbResolver_test.go b/pkg/resolvers/crtbResolver_test.go index d74d5e2da..1abe810ea 100644 --- a/pkg/resolvers/crtbResolver_test.go +++ b/pkg/resolvers/crtbResolver_test.go @@ -1,6 +1,7 @@ package resolvers import ( + "context" "testing" apisv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3" @@ -250,7 +251,7 @@ func (c *CRTBResolverSuite) TestCRTBRuleResolver() { } for _, tt := range tests { c.Run(tt.name, func() { - gotRules, err := resolver.RulesFor(tt.user, tt.clusterName) + gotRules, err := resolver.RulesFor(context.Background(), tt.user, tt.clusterName) if tt.wantErr { c.Errorf(err, "CRTBRuleResolver.RulesFor() error = %v, wantErr %v", err, tt.wantErr) // still check result because function is suppose to return partial results. diff --git a/pkg/resolvers/grbRuleResolvers.go b/pkg/resolvers/grbRuleResolvers.go index 19c0c0b2a..eda37aea3 100644 --- a/pkg/resolvers/grbRuleResolvers.go +++ b/pkg/resolvers/grbRuleResolvers.go @@ -1,6 +1,7 @@ package resolvers import ( + "context" "fmt" apisv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3" 
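Review bot: `CRTBRuleResolver.VisitRulesFor` now takes the context as `_ context.Context` and drops it, while `RulesFor` in the same hunk forwards `ctx` into it, so cancellation and deadlines stop at this resolver and the doc comment does not say so. I would add a line to the doc comment such as `// The context is not consulted; cancellation and deadlines are not observed while rules are resolved.` If cancellation is honoured later, it should be reported through the visitor (`visitor(nil, nil, ctx.Err())`) rather than by a silent early return, because the `RulesFor` comment ties an incomplete rule set to a returned error and callers presumably base authorization decisions on that. The same unnamed-context pattern appears in `GRBRuleResolver.RulesFor` and `VisitRulesFor` in grbRuleResolvers.go and in `PRTBRuleResolver.VisitRulesFor` in prtbResolver.go. The body of `VisitRulesFor` continues outside the hunk.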
@@ -80,14 +81,14 @@ func NewGRBRuleResolvers(grbCache v3.GlobalRoleBindingCache, grResolver *auth.Gl // GetRoleReferenceRules is used to find which rules are granted by a rolebinding/clusterRoleBinding. Since we don't // use these primitives to refer to the globalRoles, this function returns an empty slice. -func (g *GRBRuleResolver) GetRoleReferenceRules(rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error) { +func (g *GRBRuleResolver) GetRoleReferenceRules(context.Context, rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error) { return []rbacv1.PolicyRule{}, nil } // RulesFor returns the list of Cluster rules that apply in a given namespace (usually either the namespace of a // specific cluster or "" for all clusters). If an error is returned, the slice of PolicyRules may not be complete, // but contains all retrievable rules. -func (g *GRBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error) { +func (g *GRBRuleResolver) RulesFor(_ context.Context, user user.Info, namespace string) ([]rbacv1.PolicyRule, error) { visitor := &ruleAccumulator{} g.visitRulesForWithRuleResolver(user, namespace, visitor.visit, g.ruleResolver) return visitor.rules, visitor.getError() @@ -95,7 +96,7 @@ func (g *GRBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.P // VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. // If visitor() returns false, visiting is short-circuited. This will return different rules for the "local" namespace. -func (g *GRBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) { +func (g *GRBRuleResolver) VisitRulesFor(_ context.Context, user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) { g.visitRulesForWithRuleResolver(user, namespace, visitor, g.ruleResolver) } 
diff --git a/pkg/resolvers/grbRuleResolvers_test.go b/pkg/resolvers/grbRuleResolvers_test.go index 3909bfcde..9dc4a54a7 100644 --- a/pkg/resolvers/grbRuleResolvers_test.go +++ b/pkg/resolvers/grbRuleResolvers_test.go @@ -1,6 +1,7 @@ package resolvers import ( + "context" "fmt" "testing" @@ -327,7 +328,7 @@ func (g *GRBClusterRuleResolverSuite) TestGRBClusterRuleResolver() { grResolver := auth.NewGlobalRoleResolver(auth.NewRoleTemplateResolver(state.rtCache, nil), state.grCache) grbResolvers := NewGRBRuleResolvers(state.grbCache, grResolver) - rules, err := grbResolvers.ICRResolver.RulesFor(g.userInfo, test.namespace) + rules, err := grbResolvers.ICRResolver.RulesFor(context.Background(), g.userInfo, test.namespace) g.Require().Len(rules, len(test.wantRules)) for _, rule := range test.wantRules { g.Require().Contains(rules, rule) diff --git a/pkg/resolvers/prtbResolver.go b/pkg/resolvers/prtbResolver.go index 4d8d4a515..cfa102b27 100644 --- a/pkg/resolvers/prtbResolver.go +++ b/pkg/resolvers/prtbResolver.go @@ -1,6 +1,7 @@ package resolvers import ( + "context" "fmt" "strings" 
@@ -34,22 +35,22 @@ func NewPRTBRuleResolver(prtbCache v3.ProjectRoleTemplateBindingCache, roleTempl // GetRoleReferenceRules is used to find which roles are granted by a rolebinding/clusterrolebinding. Since we don't // use these primitives to refer to role templates return empty list. -func (p *PRTBRuleResolver) GetRoleReferenceRules(rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error) { +func (p *PRTBRuleResolver) GetRoleReferenceRules(context.Context, rbacv1.RoleRef, string) ([]rbacv1.PolicyRule, error) { return []rbacv1.PolicyRule{}, nil } // RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of // PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations // can be made on the basis of those rules that are found. -func (p *PRTBRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error) { +func (p *PRTBRuleResolver) RulesFor(ctx context.Context, user user.Info, namespace string) ([]rbacv1.PolicyRule, error) { visitor := &ruleAccumulator{} - p.VisitRulesFor(user, namespace, visitor.visit) + p.VisitRulesFor(ctx, user, namespace, visitor.visit) return visitor.rules, visitor.getError() } // VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules. // If visitor() returns false, visiting is short-circuited. -func (p *PRTBRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) { +func (p *PRTBRuleResolver) VisitRulesFor(_ context.Context, user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool) { // for each group check if there are any PRTBs that match subject and namespace using the indexer. 
// For each returned binding get a list of it's rules with the RoleTemplateResolver and call visit for each rule. for _, group := range user.GetGroups() { diff --git a/pkg/resolvers/prtbResolver_test.go b/pkg/resolvers/prtbResolver_test.go index a2aa8a383..edc47be7f 100644 --- a/pkg/resolvers/prtbResolver_test.go +++ b/pkg/resolvers/prtbResolver_test.go @@ -1,6 +1,7 @@ package resolvers import ( + "context" "testing" apisv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3" @@ -252,7 +253,7 @@ func (p *PRTBResolverSuite) TestPRTBRuleResolver() { p.Run(tt.name, func() { namespace, ok := namespaceFromProject(tt.projectName) p.Require().True(ok, "failed to split project namespace from project name") - gotRules, err := resolver.RulesFor(tt.user, namespace) + gotRules, err := resolver.RulesFor(context.Background(), tt.user, namespace) if tt.wantErr { p.Errorf(err, "PRTBRuleResolver.RulesFor() error = %v, wantErr %v", err, tt.wantErr) // still check result because function is suppose to return partial results. diff --git a/pkg/resources/common/common_test.go b/pkg/resources/common/common_test.go index 847bd50ce..b13837cc6 100644 --- a/pkg/resources/common/common_test.go +++ b/pkg/resources/common/common_test.go @@ -1,6 +1,7 @@ package common import ( + "context" "fmt" "testing" @@ -11,6 +12,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apiserver/pkg/authentication/user" + v1Authorization "k8s.io/client-go/kubernetes/typed/authorization/v1" k8fake "k8s.io/client-go/kubernetes/typed/authorization/v1/fake" k8testing "k8s.io/client-go/testing" ) 
@@ -132,15 +134,15 @@ type testRuleResolver struct { returnRules []v1.PolicyRule } -func (t testRuleResolver) GetRoleReferenceRules(v1.RoleRef, string) ([]v1.PolicyRule, error) { +func (t testRuleResolver) GetRoleReferenceRules(context.Context, v1.RoleRef, string) ([]v1.PolicyRule, error) { return nil, nil } -func (t testRuleResolver) RulesFor(user.Info, string) ([]v1.PolicyRule, error) { +func (t testRuleResolver) RulesFor(context.Context, user.Info, string) ([]v1.PolicyRule, error) { return t.returnRules, nil } -func (t testRuleResolver) VisitRulesFor(user.Info, string, func(fmt.Stringer, *v1.PolicyRule, error) bool) { +func (t testRuleResolver) VisitRulesFor(context.Context, user.Info, string, func(fmt.Stringer, *v1.PolicyRule, error) bool) { } var ( @@ -155,7 +157,7 @@ func TestIsRulesAllowed(t *testing.T) { request := &admission.Request{} gvr := schema.GroupVersionResource{} type stateSnapshot struct { - sar func() *k8fake.FakeSubjectAccessReviews + sar func() v1Authorization.SubjectAccessReviewInterface resolver testRuleResolver wantError bool hasVerbBeenChecked bool @@ -172,7 +174,7 @@ func TestIsRulesAllowed(t *testing.T) { rules: []v1.PolicyRule{adminRule}, states: []stateSnapshot{ { - sar: func() *k8fake.FakeSubjectAccessReviews { + sar: func() v1Authorization.SubjectAccessReviewInterface { return nil }, resolver: testRuleResolver{returnRules: []v1.PolicyRule{adminRule}}, 
@@ -185,10 +187,11 @@ func TestIsRulesAllowed(t *testing.T) { rules: []v1.PolicyRule{adminRule}, states: []stateSnapshot{ { - sar: func() *k8fake.FakeSubjectAccessReviews { + sar: func() v1Authorization.SubjectAccessReviewInterface { k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} - fakeSAR.Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (bool, runtime.Object, error) { + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() + k8Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (bool, runtime.Object, error) { createAction := action.(k8testing.CreateActionImpl) review := createAction.GetObject().(*authorizationv1.SubjectAccessReview) review.Status.Allowed = false @@ -209,10 +212,11 @@ func TestIsRulesAllowed(t *testing.T) { rules: []v1.PolicyRule{adminRule}, states: []stateSnapshot{ { - sar: func() *k8fake.FakeSubjectAccessReviews { + sar: func() v1Authorization.SubjectAccessReviewInterface { k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} - fakeSAR.Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (handled bool, ret runtime.Object, err error) { + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() + k8Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (handled bool, ret runtime.Object, err error) { createAction := action.(k8testing.CreateActionImpl) review := createAction.GetObject().(*authorizationv1.SubjectAccessReview) review.Status.Allowed = true 
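Review bot: The three-line fake setup added in the -185 hunk (`k8Fake`, `fakeAuth`, `fakeAuth.SubjectAccessReviews()`) is repeated in every `sar` closure this commit touches in the file, differing only in the reactor that is registered. A small helper that takes the reactor would remove the repetition and leave each table entry showing only the SubjectAccessReview answer it simulates. The later hunks of common_test.go that build a fake (-209 through -370) would use the same helper. The test table in `TestIsRulesAllowed` starts and ends outside the hunk.

```go
// newFakeSAR returns a fake SubjectAccessReview client whose "create" calls are answered by reactor.
func newFakeSAR(reactor k8testing.ReactionFunc) v1Authorization.SubjectAccessReviewInterface {
	k8Fake := &k8testing.Fake{}
	k8Fake.AddReactor("create", "subjectaccessreviews", reactor)
	fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake}
	return fakeAuth.SubjectAccessReviews()
}
```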
@@ -233,10 +237,11 @@ func TestIsRulesAllowed(t *testing.T) { rules: []v1.PolicyRule{adminRule}, states: []stateSnapshot{ { - sar: func() *k8fake.FakeSubjectAccessReviews { + sar: func() v1Authorization.SubjectAccessReviewInterface { k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} - fakeSAR.Fake.AddReactor("create", "subjectaccessreviews", func(_ k8testing.Action) (handled bool, ret runtime.Object, err error) { + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() + k8Fake.AddReactor("create", "subjectaccessreviews", func(_ k8testing.Action) (handled bool, ret runtime.Object, err error) { return true, nil, fmt.Errorf("error") }) return fakeSAR @@ -253,7 +258,7 @@ func TestIsRulesAllowed(t *testing.T) { rules: []v1.PolicyRule{adminRule}, states: []stateSnapshot{ { - sar: func() *k8fake.FakeSubjectAccessReviews { + sar: func() v1Authorization.SubjectAccessReviewInterface { return nil }, resolver: testRuleResolver{returnRules: []v1.PolicyRule{adminRule}}, @@ -262,10 +267,11 @@ func TestIsRulesAllowed(t *testing.T) { hasVerb: false, }, { - sar: func() *k8fake.FakeSubjectAccessReviews { + sar: func() v1Authorization.SubjectAccessReviewInterface { k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} - fakeSAR.Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (bool, runtime.Object, error) { + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() + k8Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (bool, runtime.Object, error) { createAction := action.(k8testing.CreateActionImpl) review := createAction.GetObject().(*authorizationv1.SubjectAccessReview) review.Status.Allowed = false 
@@ -285,10 +291,11 @@ func TestIsRulesAllowed(t *testing.T) { rules: []v1.PolicyRule{adminRule}, states: []stateSnapshot{ { - sar: func() *k8fake.FakeSubjectAccessReviews { + sar: func() v1Authorization.SubjectAccessReviewInterface { k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} - fakeSAR.Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (handled bool, ret runtime.Object, err error) { + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() + k8Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (handled bool, ret runtime.Object, err error) { createAction := action.(k8testing.CreateActionImpl) review := createAction.GetObject().(*authorizationv1.SubjectAccessReview) review.Status.Allowed = true @@ -302,12 +309,13 @@ func TestIsRulesAllowed(t *testing.T) { hasVerb: true, }, { - sar: func() *k8fake.FakeSubjectAccessReviews { + sar: func() v1Authorization.SubjectAccessReviewInterface { // this would return false if it gets called // since we already checked for the verb, it gets bypassed k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} - fakeSAR.Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (bool, runtime.Object, error) { + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() + k8Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (bool, runtime.Object, error) { createAction := action.(k8testing.CreateActionImpl) review := createAction.GetObject().(*authorizationv1.SubjectAccessReview) review.Status.Allowed = false 
@@ -327,10 +335,11 @@ func TestIsRulesAllowed(t *testing.T) { rules: []v1.PolicyRule{adminRule}, states: []stateSnapshot{ { - sar: func() *k8fake.FakeSubjectAccessReviews { + sar: func() v1Authorization.SubjectAccessReviewInterface { k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} - fakeSAR.Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (bool, runtime.Object, error) { + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() + k8Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (bool, runtime.Object, error) { createAction := action.(k8testing.CreateActionImpl) review := createAction.GetObject().(*authorizationv1.SubjectAccessReview) review.Status.Allowed = false @@ -345,12 +354,13 @@ func TestIsRulesAllowed(t *testing.T) { hasVerb: false, }, { - sar: func() *k8fake.FakeSubjectAccessReviews { + sar: func() v1Authorization.SubjectAccessReviewInterface { // this would return false if it gets called // since we already checked for the verb, it gets bypassed k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} - fakeSAR.Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (bool, runtime.Object, error) { + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() + k8Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (bool, runtime.Object, error) { createAction := action.(k8testing.CreateActionImpl) review := createAction.GetObject().(*authorizationv1.SubjectAccessReview) review.Status.Allowed = false 
@@ -370,10 +380,11 @@ func TestIsRulesAllowed(t *testing.T) {
 rules: []v1.PolicyRule{adminRule},
 states: []stateSnapshot{
 {
- sar: func() *k8fake.FakeSubjectAccessReviews {
+ sar: func() v1Authorization.SubjectAccessReviewInterface {
 k8Fake := &k8testing.Fake{}
- fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}}
- fakeSAR.Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (bool, runtime.Object, error) {
+ fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake}
+ fakeSAR := fakeAuth.SubjectAccessReviews()
+ k8Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (bool, runtime.Object, error) {
 createAction := action.(k8testing.CreateActionImpl)
 review := createAction.GetObject().(*authorizationv1.SubjectAccessReview)
 review.Status.Allowed = false
@@ -387,7 +398,7 @@ func TestIsRulesAllowed(t *testing.T) {
 hasVerb: false,
 },
 {
- sar: func() *k8fake.FakeSubjectAccessReviews {
+ sar: func() v1Authorization.SubjectAccessReviewInterface {
 return nil
 },
 resolver: testRuleResolver{returnRules: []v1.PolicyRule{adminRule}},
diff --git a/pkg/resources/core/v1/namespace/projectannotations_test.go b/pkg/resources/core/v1/namespace/projectannotations_test.go
index e0f5ca30e..105295d00 100644
--- a/pkg/resources/core/v1/namespace/projectannotations_test.go
+++ b/pkg/resources/core/v1/namespace/projectannotations_test.go
@@ -196,7 +196,8 @@ func TestValidateProjectNamespaceAnnotations(t *testing.T) {
 test := test
 t.Run(test.name, func(t *testing.T) {
 k8Fake := &k8testing.Fake{}
- fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}}
+ fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake}
+ fakeSAR := fakeAuth.SubjectAccessReviews()
 admitter := projectNamespaceAdmitter{
 sar: fakeSAR,
 }
diff --git a/pkg/resources/core/v1/namespace/psalabels_test.go b/pkg/resources/core/v1/namespace/psalabels_test.go
index bb96d31c7..1232a53dd 100644
--- a/pkg/resources/core/v1/namespace/psalabels_test.go +++ b/pkg/resources/core/v1/namespace/psalabels_test.go @@ -342,7 +342,8 @@ func TestValidatePSALabels(t *testing.T) { } k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() admitter := psaLabelAdmitter{ sar: fakeSAR, } diff --git a/pkg/resources/management.cattle.io/v3/globalrole/setup_test.go b/pkg/resources/management.cattle.io/v3/globalrole/setup_test.go index 639a7be89..b48760915 100644 --- a/pkg/resources/management.cattle.io/v3/globalrole/setup_test.go +++ b/pkg/resources/management.cattle.io/v3/globalrole/setup_test.go @@ -18,6 +18,7 @@ import ( v1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" + v1Authorization "k8s.io/client-go/kubernetes/typed/authorization/v1" k8fake "k8s.io/client-go/kubernetes/typed/authorization/v1/fake" k8testing "k8s.io/client-go/testing" "k8s.io/kubernetes/pkg/registry/rbac/validation" @@ -197,7 +198,8 @@ type testState struct { rtCacheMock *fake.MockNonNamespacedCacheInterface[*v3.RoleTemplate] grCacheMock *fake.MockNonNamespacedCacheInterface[*v3.GlobalRole] grbCacheMock *fake.MockNonNamespacedCacheInterface[*v3.GlobalRoleBinding] - sarMock *k8fake.FakeSubjectAccessReviews + sar *v1Authorization.SubjectAccessReviewInterface + fakeClient *k8testing.Fake resolver validation.AuthorizationRuleResolver } 
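Review bot: The new `testState` field `sar *v1Authorization.SubjectAccessReviewInterface` is a pointer to an interface value, which Go code normally avoids because the interface already carries the reference. It forces `sar: &fakeSAR,` in `newDefaultState` and `*state.sar` at the `NewValidator` call, and a `testState` built without that field would panic on the dereference. Declare it as `sar v1Authorization.SubjectAccessReviewInterface`, assign `sar: fakeSAR,` and pass `state.sar`. The globalrolebinding `testState` later in this commit has the same pointer-to-interface field but keeps the name `sarMock`; one field name in both packages would keep the two setups parallel. The struct begins above this hunk.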
@@ -296,15 +298,17 @@ func newDefaultState(t *testing.T) testState { rtCacheMock.EXPECT().Get(clusterOwnerRT.Name).Return(&clusterOwnerRT, nil).AnyTimes() rtCacheMock.EXPECT().Get(baseRT.Name).Return(&baseRT, nil).AnyTimes() rtCacheMock.EXPECT().Get(clusterOwnerRT.Name).Return(&clusterOwnerRT, nil).AnyTimes() - k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} + fakeTesting := &k8testing.Fake{} + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: fakeTesting} + fakeSAR := fakeAuth.SubjectAccessReviews() resolver, _ := validation.NewTestRuleResolver(nil, nil, clusterRoles, clusterRoleBindings) return testState{ rtCacheMock: rtCacheMock, grCacheMock: grCacheMock, grbCacheMock: grbCacheMock, - sarMock: fakeSAR, + sar: &fakeSAR, + fakeClient: fakeTesting, resolver: resolver, } } diff --git a/pkg/resources/management.cattle.io/v3/globalrole/validator_test.go b/pkg/resources/management.cattle.io/v3/globalrole/validator_test.go index fe43b330e..63ac921ba 100644 --- a/pkg/resources/management.cattle.io/v3/globalrole/validator_test.go +++ b/pkg/resources/management.cattle.io/v3/globalrole/validator_test.go @@ -16,7 +16,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" - k8fake "k8s.io/client-go/kubernetes/typed/authorization/v1/fake" k8testing "k8s.io/client-go/testing" "k8s.io/kubernetes/pkg/registry/rbac/validation" ) @@ -189,7 +188,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(false, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: false, 
@@ -204,7 +203,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(true, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(true, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: true, @@ -219,7 +218,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(false, fmt.Errorf("server not available"), testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, fmt.Errorf("server not available"), testUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: false, @@ -239,7 +238,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(false, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: false, @@ -259,7 +258,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(true, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(true, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: true, @@ -275,7 +274,7 @@ func TestAdmit(t *testing.T) { }, stateSetup: func(state testState) { state.rtCacheMock.EXPECT().Get(roleTemplate.Name).Return(&roleTemplate, nil).AnyTimes() - setSarResponse(false, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: false, @@ -291,7 +290,7 @@ func TestAdmit(t *testing.T) { }, stateSetup: func(state testState) { state.rtCacheMock.EXPECT().Get(roleTemplate.Name).Return(&roleTemplate, nil).AnyTimes() - setSarResponse(true, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(true, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: true, 
@@ -307,7 +306,7 @@ func TestAdmit(t *testing.T) { }, stateSetup: func(state testState) { state.rtCacheMock.EXPECT().Get(roleTemplate.Name).Return(&roleTemplate, nil).AnyTimes() - setSarResponse(false, fmt.Errorf("server not available"), testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, fmt.Errorf("server not available"), testUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: false, @@ -336,7 +335,7 @@ func TestAdmit(t *testing.T) { Context: "cluster", }, nil) state.rtCacheMock.EXPECT().Get("error").Return(nil, errServer) - setSarResponse(false, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, wantErr: true, @@ -558,7 +557,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(false, nil, adminUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, nil, adminUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: false, @@ -576,7 +575,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(true, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(true, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: true, @@ -593,7 +592,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(false, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, @@ -612,7 +611,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(false, nil, adminUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, nil, adminUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: true, 
@@ -629,7 +628,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(false, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: true, @@ -653,7 +652,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(false, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: false, @@ -677,7 +676,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(true, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(true, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: true, @@ -734,7 +733,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(false, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, @@ -757,7 +756,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(false, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, @@ -780,7 +779,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(false, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, @@ -837,7 +836,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(false, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(false, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: false, 
@@ -865,7 +864,7 @@ func TestAdmit(t *testing.T) { return baseGR }, stateSetup: func(state testState) { - setSarResponse(true, nil, testUser, newDefaultGR().Name, state.sarMock) + setSarResponse(true, nil, testUser, newDefaultGR().Name, state.fakeClient) }, }, allowed: true, @@ -882,7 +881,7 @@ func TestAdmit(t *testing.T) { } grResolver := state.createBaseGRResolver() grbResolvers := state.createBaseGRBResolvers(grResolver) - admitters := globalrole.NewValidator(state.resolver, grbResolvers, state.sarMock, grResolver).Admitters() + admitters := globalrole.NewValidator(state.resolver, grbResolvers, *state.sar, grResolver).Admitters() assert.Len(t, admitters, 1) req := createGRRequest(t, test) @@ -920,8 +919,8 @@ func Test_UnexpectedErrors(t *testing.T) { require.Error(t, err, "Admit should fail on unhandled operations") } -func setSarResponse(allowed bool, testErr error, targetUser string, targetGrName string, sarMock *k8fake.FakeSubjectAccessReviews) { - sarMock.Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (handled bool, ret runtime.Object, err error) { +func setSarResponse(allowed bool, testErr error, targetUser string, targetGrName string, fake *k8testing.Fake) { + fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (handled bool, ret runtime.Object, err error) { createAction := action.(k8testing.CreateActionImpl) review := createAction.GetObject().(*authorizationv1.SubjectAccessReview) spec := review.Spec diff --git a/pkg/resources/management.cattle.io/v3/globalrolebinding/setup_test.go b/pkg/resources/management.cattle.io/v3/globalrolebinding/setup_test.go index e1a8be77f..a96f5ea6c 100644 --- a/pkg/resources/management.cattle.io/v3/globalrolebinding/setup_test.go +++ b/pkg/resources/management.cattle.io/v3/globalrolebinding/setup_test.go 
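Review bot: The new last parameter of `setSarResponse` is named `fake`, the same identifier that setup_test.go in this package uses for the mock-cache package (`fake.MockNonNamespacedCacheInterface`). If this file imports that package as well, the parameter shadows it inside the function, and in either case the name reads ambiguously next to the package. Naming it as the other tests in this commit do, `k8Fake *k8testing.Fake`, avoids the clash. The globalrolebinding copy of `setSarResponse` has the same parameter name. The function body continues outside this hunk.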
@@ -19,6 +19,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" + v1Authorization "k8s.io/client-go/kubernetes/typed/authorization/v1" k8fake "k8s.io/client-go/kubernetes/typed/authorization/v1/fake" k8testing "k8s.io/client-go/testing" "k8s.io/kubernetes/pkg/registry/rbac/validation" @@ -47,7 +48,8 @@ type testState struct { rtCacheMock *fake.MockNonNamespacedCacheInterface[*v3.RoleTemplate] grCacheMock *fake.MockNonNamespacedCacheInterface[*v3.GlobalRole] grbCacheMock *fake.MockNonNamespacedCacheInterface[*v3.GlobalRoleBinding] - sarMock *k8fake.FakeSubjectAccessReviews + sarMock *v1Authorization.SubjectAccessReviewInterface + fakeClient *k8testing.Fake resolver validation.AuthorizationRuleResolver } @@ -392,14 +394,16 @@ func newDefaultState(t *testing.T) testState { rtCacheMock.EXPECT().Get(clusterOwnerRT.Name).Return(&clusterOwnerRT, nil).AnyTimes() k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() resolver, _ := validation.NewTestRuleResolver(nil, nil, clusterRoles, clusterRoleBindings) return testState{ rtCacheMock: rtCacheMock, grCacheMock: grCacheMock, grbCacheMock: grbCacheMock, - sarMock: fakeSAR, + sarMock: &fakeSAR, + fakeClient: k8Fake, resolver: resolver, } } diff --git a/pkg/resources/management.cattle.io/v3/globalrolebinding/validator_test.go b/pkg/resources/management.cattle.io/v3/globalrolebinding/validator_test.go index 390395c11..cd086f203 100644 --- a/pkg/resources/management.cattle.io/v3/globalrolebinding/validator_test.go +++ b/pkg/resources/management.cattle.io/v3/globalrolebinding/validator_test.go 
@@ -18,7 +18,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" - k8fake "k8s.io/client-go/kubernetes/typed/authorization/v1/fake" k8testing "k8s.io/client-go/testing" ) @@ -188,7 +187,7 @@ func TestAdmit(t *testing.T) { }, oldGRB: func() *v3.GlobalRoleBinding { return nil }, stateSetup: func(ts testState) { - setSarResponse(false, nil, adminUser, adminGR.Name, ts.sarMock) + setSarResponse(false, nil, adminUser, adminGR.Name, ts.fakeClient) }, }, allowed: true, @@ -205,7 +204,7 @@ func TestAdmit(t *testing.T) { }, oldGRB: func() *v3.GlobalRoleBinding { return nil }, stateSetup: func(ts testState) { - setSarResponse(false, nil, noPrivUser, baseGR.Name, ts.sarMock) + setSarResponse(false, nil, noPrivUser, baseGR.Name, ts.fakeClient) }, }, allowed: true, @@ -222,7 +221,7 @@ func TestAdmit(t *testing.T) { }, oldGRB: func() *v3.GlobalRoleBinding { return nil }, stateSetup: func(ts testState) { - setSarResponse(false, nil, testUser, adminGR.Name, ts.sarMock) + setSarResponse(false, nil, testUser, adminGR.Name, ts.fakeClient) }, }, allowed: false, @@ -239,7 +238,7 @@ func TestAdmit(t *testing.T) { }, oldGRB: func() *v3.GlobalRoleBinding { return nil }, stateSetup: func(ts testState) { - setSarResponse(true, nil, testUser, adminGR.Name, ts.sarMock) + setSarResponse(true, nil, testUser, adminGR.Name, ts.fakeClient) }, }, allowed: true, @@ -256,7 +255,7 @@ func TestAdmit(t *testing.T) { }, oldGRB: func() *v3.GlobalRoleBinding { return nil }, stateSetup: func(ts testState) { - setSarResponse(false, nil, testUser, adminGR.Name, ts.sarMock) + setSarResponse(false, nil, testUser, adminGR.Name, ts.fakeClient) }, }, allowed: false, 
@@ -273,7 +272,7 @@ func TestAdmit(t *testing.T) { }, oldGRB: func() *v3.GlobalRoleBinding { return nil }, stateSetup: func(ts testState) { - setSarResponse(true, nil, testUser, adminGR.Name, ts.sarMock) + setSarResponse(true, nil, testUser, adminGR.Name, ts.fakeClient) }, }, allowed: true, @@ -290,7 +289,7 @@ func TestAdmit(t *testing.T) { }, oldGRB: func() *v3.GlobalRoleBinding { return nil }, stateSetup: func(ts testState) { - setSarResponse(false, nil, testUser, adminGR.Name, ts.sarMock) + setSarResponse(false, nil, testUser, adminGR.Name, ts.fakeClient) }, }, allowed: false, @@ -307,7 +306,7 @@ func TestAdmit(t *testing.T) { }, oldGRB: func() *v3.GlobalRoleBinding { return nil }, stateSetup: func(ts testState) { - setSarResponse(true, nil, testUser, adminGR.Name, ts.sarMock) + setSarResponse(true, nil, testUser, adminGR.Name, ts.fakeClient) }, }, allowed: true, @@ -324,7 +323,7 @@ func TestAdmit(t *testing.T) { }, oldGRB: func() *v3.GlobalRoleBinding { return nil }, stateSetup: func(ts testState) { - setSarResponse(false, fmt.Errorf("server not available"), testUser, adminGR.Name, ts.sarMock) + setSarResponse(false, fmt.Errorf("server not available"), testUser, adminGR.Name, ts.fakeClient) }, }, allowed: false, @@ -344,7 +343,7 @@ func TestAdmit(t *testing.T) { stateSetup: func(ts testState) { ts.grCacheMock.EXPECT().Get(adminClusterGR.Name).Return(&adminClusterGR, nil) ts.rtCacheMock.EXPECT().Get(adminRT.Name).Return(&adminRT, nil).AnyTimes() - setSarResponse(false, nil, testUser, adminClusterGR.Name, ts.sarMock) + setSarResponse(false, nil, testUser, adminClusterGR.Name, ts.fakeClient) }, }, allowed: false, 
@@ -364,7 +363,7 @@ func TestAdmit(t *testing.T) { stateSetup: func(ts testState) { ts.grCacheMock.EXPECT().Get(adminClusterGR.Name).Return(&adminClusterGR, nil) ts.rtCacheMock.EXPECT().Get(adminRT.Name).Return(&adminRT, nil).AnyTimes() - setSarResponse(true, nil, testUser, adminClusterGR.Name, ts.sarMock) + setSarResponse(true, nil, testUser, adminClusterGR.Name, ts.fakeClient) }, }, allowed: true, @@ -384,7 +383,7 @@ func TestAdmit(t *testing.T) { stateSetup: func(ts testState) { ts.grCacheMock.EXPECT().Get(adminClusterGR.Name).Return(&adminClusterGR, nil) ts.rtCacheMock.EXPECT().Get(adminRT.Name).Return(&adminRT, nil).AnyTimes() - setSarResponse(false, fmt.Errorf("server not available"), testUser, adminClusterGR.Name, ts.sarMock) + setSarResponse(false, fmt.Errorf("server not available"), testUser, adminClusterGR.Name, ts.fakeClient) }, }, allowed: false, @@ -401,7 +400,7 @@ func TestAdmit(t *testing.T) { }, stateSetup: func(ts testState) { ts.grCacheMock.EXPECT().Get(namespacedRulesGR.Name).Return(&namespacedRulesGR, nil) - setSarResponse(false, nil, adminUser, namespacedRulesGR.Name, ts.sarMock) + setSarResponse(false, nil, adminUser, namespacedRulesGR.Name, ts.fakeClient) }, }, allowed: true, @@ -427,7 +426,7 @@ func TestAdmit(t *testing.T) { }, } ts.grCacheMock.EXPECT().Get(namespacedRulesGR.Name).Return(gr, nil) - setSarResponse(false, nil, adminUser, namespacedRulesGR.Name, ts.sarMock) + setSarResponse(false, nil, adminUser, namespacedRulesGR.Name, ts.fakeClient) }, }, allowed: true, @@ -446,7 +445,7 @@ func TestAdmit(t *testing.T) { }, stateSetup: func(ts testState) { ts.grCacheMock.EXPECT().Get(namespacedRulesGR.Name).Return(&namespacedRulesGR, nil) - setSarResponse(false, nil, testUser, namespacedRulesGR.Name, ts.sarMock) + setSarResponse(false, nil, testUser, namespacedRulesGR.Name, ts.fakeClient) }, }, allowed: false, 
@@ -465,7 +464,7 @@ func TestAdmit(t *testing.T) { }, stateSetup: func(ts testState) { ts.grCacheMock.EXPECT().Get(namespacedRulesGR.Name).Return(&namespacedRulesGR, nil) - setSarResponse(true, nil, testUser, namespacedRulesGR.Name, ts.sarMock) + setSarResponse(true, nil, testUser, namespacedRulesGR.Name, ts.fakeClient) }, }, allowed: true, @@ -489,7 +488,7 @@ func TestAdmit(t *testing.T) { }, notFoundName) ts.grCacheMock.EXPECT().Get(notFoundRoleGR.Name).Return(¬FoundRoleGR, nil) ts.rtCacheMock.EXPECT().Get(notFoundName).Return(nil, notFoundError) - setSarResponse(false, nil, testUser, notFoundRoleGR.Name, ts.sarMock) + setSarResponse(false, nil, testUser, notFoundRoleGR.Name, ts.fakeClient) }, }, allowed: false, @@ -508,7 +507,7 @@ func TestAdmit(t *testing.T) { }, stateSetup: func(ts testState) { ts.grCacheMock.EXPECT().Get(errName).Return(nil, errServer) - setSarResponse(false, nil, testUser, errName, ts.sarMock) + setSarResponse(false, nil, testUser, errName, ts.fakeClient) }, }, wantError: true, @@ -796,7 +795,7 @@ func TestAdmit(t *testing.T) { } grResolver := auth.NewGlobalRoleResolver(auth.NewRoleTemplateResolver(state.rtCacheMock, nil), state.grCacheMock) gbrResolvers := resolvers.NewGRBRuleResolvers(state.grbCacheMock, grResolver) - admitters := globalrolebinding.NewValidator(state.resolver, gbrResolvers, state.sarMock, grResolver).Admitters() + admitters := globalrolebinding.NewValidator(state.resolver, gbrResolvers, *state.sarMock, grResolver).Admitters() require.Len(t, admitters, 1) req := createGRBRequest(t, test) 
@@ -817,7 +816,7 @@ func Test_UnexpectedErrors(t *testing.T) { state := newDefaultState(t) grResolver := auth.NewGlobalRoleResolver(auth.NewRoleTemplateResolver(state.rtCacheMock, nil), state.grCacheMock) gbrResolvers := resolvers.NewGRBRuleResolvers(state.grbCacheMock, grResolver) - validator := globalrolebinding.NewValidator(state.resolver, gbrResolvers, state.sarMock, grResolver) + validator := globalrolebinding.NewValidator(state.resolver, gbrResolvers, *state.sarMock, grResolver) admitters := validator.Admitters() require.Len(t, admitters, 1, "wanted only one admitter") admitter := admitters[0] @@ -839,8 +838,8 @@ func Test_UnexpectedErrors(t *testing.T) { require.Error(t, err, "Admit should fail on bad request object") } -func setSarResponse(allowed bool, testErr error, targetUser string, targetGrName string, sarMock *k8fake.FakeSubjectAccessReviews) { - sarMock.Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (handled bool, ret runtime.Object, err error) { +func setSarResponse(allowed bool, testErr error, targetUser string, targetGrName string, fake *k8testing.Fake) { + fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (handled bool, ret runtime.Object, err error) { createAction := action.(k8testing.CreateActionImpl) review := createAction.GetObject().(*authorizationv1.SubjectAccessReview) spec := review.Spec diff --git a/pkg/resources/management.cattle.io/v3/roletemplate/validator_test.go b/pkg/resources/management.cattle.io/v3/roletemplate/validator_test.go index b1b20c732..732af8e18 100644 --- a/pkg/resources/management.cattle.io/v3/roletemplate/validator_test.go +++ b/pkg/resources/management.cattle.io/v3/roletemplate/validator_test.go 
@@ -63,7 +63,8 @@ func (r *RoleTemplateSuite) Test_PrivilegeEscalation() { grCache.EXPECT().AddIndexer(expectedGlobalRefIndex, gomock.Any()).AnyTimes() k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() k8Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (handled bool, ret runtime.Object, err error) { createAction := action.(k8testing.CreateActionImpl) review := createAction.GetObject().(*authorizationv1.SubjectAccessReview) @@ -269,7 +270,8 @@ func (r *RoleTemplateSuite) Test_UpdateValidation() { grCache.EXPECT().AddIndexer(expectedGlobalRefIndex, gomock.Any()) k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() k8Fake.AddReactor("create", "subjectaccessreviews", func(action k8testing.Action) (handled bool, ret runtime.Object, err error) { createAction := action.(k8testing.CreateActionImpl) review := createAction.GetObject().(*authorizationv1.SubjectAccessReview) @@ -572,8 +574,8 @@ func (r *RoleTemplateSuite) Test_Create() { grCache.EXPECT().AddIndexer(expectedGlobalRefIndex, gomock.Any()).AnyTimes() k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} - + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() tests := []tableTest{ { name: "base test valid RT", 
@@ -757,7 +759,8 @@ func (r *RoleTemplateSuite) Test_Delete() { resolver, _ := validation.NewTestRuleResolver(nil, nil, nil, nil) k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() type testMocks struct { rtResolver *auth.RoleTemplateResolver grCache controllerv3.GlobalRoleCache @@ -929,7 +932,8 @@ func (r *RoleTemplateSuite) Test_ErrorHandling() { grCache.EXPECT().AddIndexer(expectedGlobalRefIndex, gomock.Any()) k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() validator := roletemplate.NewValidator(resolver, roleResolver, fakeSAR, grCache) admitters := validator.Admitters() r.Len(admitters, 1, "wanted only one admitter") @@ -967,7 +971,8 @@ func (r *RoleTemplateSuite) Test_CheckCircularRef() { resolver, _ := validation.NewTestRuleResolver(nil, nil, clusterRoles, clusterRoleBindings) k8Fake := &k8testing.Fake{} - fakeSAR := &k8fake.FakeSubjectAccessReviews{Fake: &k8fake.FakeAuthorizationV1{Fake: k8Fake}} + fakeAuth := &k8fake.FakeAuthorizationV1{Fake: k8Fake} + fakeSAR := fakeAuth.SubjectAccessReviews() tests := []struct { name string