diff options
Diffstat (limited to 'vendor/k8s.io/client-go/util')
-rw-r--r-- | vendor/k8s.io/client-go/util/cert/OWNERS | 9 | ||||
-rw-r--r-- | vendor/k8s.io/client-go/util/cert/cert.go | 206 | ||||
-rw-r--r-- | vendor/k8s.io/client-go/util/cert/csr.go | 75 | ||||
-rw-r--r-- | vendor/k8s.io/client-go/util/cert/io.go | 98 | ||||
-rw-r--r-- | vendor/k8s.io/client-go/util/cert/pem.go | 61 | ||||
-rw-r--r-- | vendor/k8s.io/client-go/util/connrotation/connrotation.go | 105 | ||||
-rw-r--r-- | vendor/k8s.io/client-go/util/exec/exec.go | 52 | ||||
-rw-r--r-- | vendor/k8s.io/client-go/util/flowcontrol/backoff.go | 149 | ||||
-rw-r--r-- | vendor/k8s.io/client-go/util/flowcontrol/throttle.go | 143 | ||||
-rw-r--r-- | vendor/k8s.io/client-go/util/keyutil/OWNERS | 7 | ||||
-rw-r--r-- | vendor/k8s.io/client-go/util/keyutil/key.go | 323 |
11 files changed, 0 insertions, 1228 deletions
diff --git a/vendor/k8s.io/client-go/util/cert/OWNERS b/vendor/k8s.io/client-go/util/cert/OWNERS deleted file mode 100644 index 3cf036438..000000000 --- a/vendor/k8s.io/client-go/util/cert/OWNERS +++ /dev/null @@ -1,9 +0,0 @@ -# See the OWNERS docs at https://go.k8s.io/owners - -approvers: -- sig-auth-certificates-approvers -reviewers: -- sig-auth-certificates-reviewers -labels: -- sig/auth - diff --git a/vendor/k8s.io/client-go/util/cert/cert.go b/vendor/k8s.io/client-go/util/cert/cert.go deleted file mode 100644 index 9fd097af5..000000000 --- a/vendor/k8s.io/client-go/util/cert/cert.go +++ /dev/null @@ -1,206 +0,0 @@ -/* -Copyright 2014 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package cert - -import ( - "bytes" - "crypto" - cryptorand "crypto/rand" - "crypto/rsa" - "crypto/x509" - "crypto/x509/pkix" - "encoding/pem" - "fmt" - "io/ioutil" - "math/big" - "net" - "path" - "strings" - "time" - - "k8s.io/client-go/util/keyutil" -) - -const duration365d = time.Hour * 24 * 365 - -// Config contains the basic fields required for creating a certificate -type Config struct { - CommonName string - Organization []string - AltNames AltNames - Usages []x509.ExtKeyUsage -} - -// AltNames contains the domain names and IP addresses that will be added -// to the API Server's x509 certificate SubAltNames field. The values will -// be passed directly to the x509.Certificate object. -type AltNames struct { - DNSNames []string - IPs []net.IP -} - -// NewSelfSignedCACert creates a CA certificate -func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) { - now := time.Now() - tmpl := x509.Certificate{ - SerialNumber: new(big.Int).SetInt64(0), - Subject: pkix.Name{ - CommonName: cfg.CommonName, - Organization: cfg.Organization, - }, - NotBefore: now.UTC(), - NotAfter: now.Add(duration365d * 10).UTC(), - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, - BasicConstraintsValid: true, - IsCA: true, - } - - certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key) - if err != nil { - return nil, err - } - return x509.ParseCertificate(certDERBytes) -} - -// GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host. -// Host may be an IP or a DNS name -// You may also specify additional subject alt names (either ip or dns names) for the certificate. -func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) { - return GenerateSelfSignedCertKeyWithFixtures(host, alternateIPs, alternateDNS, "") -} - -// GenerateSelfSignedCertKeyWithFixtures creates a self-signed certificate and key for the given host. -// Host may be an IP or a DNS name. You may also specify additional subject alt names (either ip or dns names) -// for the certificate. -// -// If fixtureDirectory is non-empty, it is a directory path which can contain pre-generated certs. The format is: -// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt -// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key -// Certs/keys not existing in that directory are created. -func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error) { - validFrom := time.Now().Add(-time.Hour) // valid an hour earlier to avoid flakes due to clock skew - maxAge := time.Hour * 24 * 365 // one year self-signed certs - - baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-")) - certFixturePath := path.Join(fixtureDirectory, baseName+".crt") - keyFixturePath := path.Join(fixtureDirectory, baseName+".key") - if len(fixtureDirectory) > 0 { - cert, err := ioutil.ReadFile(certFixturePath) - if err == nil { - key, err := ioutil.ReadFile(keyFixturePath) - if err == nil { - return cert, key, nil - } - return nil, nil, fmt.Errorf("cert %s can be read, but key %s cannot: %v", certFixturePath, keyFixturePath, err) - } - maxAge = 100 * time.Hour * 24 * 365 // 100 years fixtures - } - - caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048) - if err != nil { - return nil, nil, err - } - - caTemplate := x509.Certificate{ - SerialNumber: big.NewInt(1), - Subject: pkix.Name{ - CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()), - }, - NotBefore: validFrom, - NotAfter: validFrom.Add(maxAge), - - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, - BasicConstraintsValid: true, - IsCA: true, - } - - caDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &caTemplate, &caTemplate, &caKey.PublicKey, caKey) - if err != nil { - return nil, nil, err - } - - caCertificate, err := x509.ParseCertificate(caDERBytes) - if err != nil { - return nil, nil, err - } - - priv, err := rsa.GenerateKey(cryptorand.Reader, 2048) - if err != nil { - return nil, nil, err - } - - template := x509.Certificate{ - SerialNumber: big.NewInt(2), - Subject: pkix.Name{ - CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()), - }, - NotBefore: validFrom, - NotAfter: validFrom.Add(maxAge), - - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, - BasicConstraintsValid: true, - } - - if ip := net.ParseIP(host); ip != nil { - template.IPAddresses = append(template.IPAddresses, ip) - } else { - template.DNSNames = append(template.DNSNames, host) - } - - template.IPAddresses = append(template.IPAddresses, alternateIPs...) - template.DNSNames = append(template.DNSNames, alternateDNS...) - - derBytes, err := x509.CreateCertificate(cryptorand.Reader, &template, caCertificate, &priv.PublicKey, caKey) - if err != nil { - return nil, nil, err - } - - // Generate cert, followed by ca - certBuffer := bytes.Buffer{} - if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: derBytes}); err != nil { - return nil, nil, err - } - if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: caDERBytes}); err != nil { - return nil, nil, err - } - - // Generate key - keyBuffer := bytes.Buffer{} - if err := pem.Encode(&keyBuffer, &pem.Block{Type: keyutil.RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil { - return nil, nil, err - } - - if len(fixtureDirectory) > 0 { - if err := ioutil.WriteFile(certFixturePath, certBuffer.Bytes(), 0644); err != nil { - return nil, nil, fmt.Errorf("failed to write cert fixture to %s: %v", certFixturePath, err) - } - if err := ioutil.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0644); err != nil { - return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", certFixturePath, err) - } - } - - return certBuffer.Bytes(), keyBuffer.Bytes(), nil -} - -func ipsToStrings(ips []net.IP) []string { - ss := make([]string, 0, len(ips)) - for _, ip := range ips { - ss = append(ss, ip.String()) - } - return ss -} diff --git a/vendor/k8s.io/client-go/util/cert/csr.go b/vendor/k8s.io/client-go/util/cert/csr.go deleted file mode 100644 index 39a6751f7..000000000 --- a/vendor/k8s.io/client-go/util/cert/csr.go +++ /dev/null @@ -1,75 +0,0 @@ -/* -Copyright 2016 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package cert - -import ( - cryptorand "crypto/rand" - "crypto/rsa" - "crypto/x509" - "crypto/x509/pkix" - "encoding/pem" - "net" -) - -// MakeCSR generates a PEM-encoded CSR using the supplied private key, subject, and SANs. -// All key types that are implemented via crypto.Signer are supported (This includes *rsa.PrivateKey and *ecdsa.PrivateKey.) -func MakeCSR(privateKey interface{}, subject *pkix.Name, dnsSANs []string, ipSANs []net.IP) (csr []byte, err error) { - template := &x509.CertificateRequest{ - Subject: *subject, - DNSNames: dnsSANs, - IPAddresses: ipSANs, - } - - return MakeCSRFromTemplate(privateKey, template) -} - -// MakeCSRFromTemplate generates a PEM-encoded CSR using the supplied private -// key and certificate request as a template. All key types that are -// implemented via crypto.Signer are supported (This includes *rsa.PrivateKey -// and *ecdsa.PrivateKey.) -func MakeCSRFromTemplate(privateKey interface{}, template *x509.CertificateRequest) ([]byte, error) { - t := *template - t.SignatureAlgorithm = sigType(privateKey) - - csrDER, err := x509.CreateCertificateRequest(cryptorand.Reader, &t, privateKey) - if err != nil { - return nil, err - } - - csrPemBlock := &pem.Block{ - Type: CertificateRequestBlockType, - Bytes: csrDER, - } - - return pem.EncodeToMemory(csrPemBlock), nil -} - -func sigType(privateKey interface{}) x509.SignatureAlgorithm { - // Customize the signature for RSA keys, depending on the key size - if privateKey, ok := privateKey.(*rsa.PrivateKey); ok { - keySize := privateKey.N.BitLen() - switch { - case keySize >= 4096: - return x509.SHA512WithRSA - case keySize >= 3072: - return x509.SHA384WithRSA - default: - return x509.SHA256WithRSA - } - } - return x509.UnknownSignatureAlgorithm -} diff --git a/vendor/k8s.io/client-go/util/cert/io.go b/vendor/k8s.io/client-go/util/cert/io.go deleted file mode 100644 index 5efb24894..000000000 --- a/vendor/k8s.io/client-go/util/cert/io.go +++ /dev/null @@ -1,98 +0,0 @@ -/* -Copyright 2014 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package cert - -import ( - "crypto/x509" - "fmt" - "io/ioutil" - "os" - "path/filepath" -) - -// CanReadCertAndKey returns true if the certificate and key files already exists, -// otherwise returns false. If lost one of cert and key, returns error. -func CanReadCertAndKey(certPath, keyPath string) (bool, error) { - certReadable := canReadFile(certPath) - keyReadable := canReadFile(keyPath) - - if certReadable == false && keyReadable == false { - return false, nil - } - - if certReadable == false { - return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", certPath) - } - - if keyReadable == false { - return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", keyPath) - } - - return true, nil -} - -// If the file represented by path exists and -// readable, returns true otherwise returns false. -func canReadFile(path string) bool { - f, err := os.Open(path) - if err != nil { - return false - } - - defer f.Close() - - return true -} - -// WriteCert writes the pem-encoded certificate data to certPath. -// The certificate file will be created with file mode 0644. -// If the certificate file already exists, it will be overwritten. -// The parent directory of the certPath will be created as needed with file mode 0755. -func WriteCert(certPath string, data []byte) error { - if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil { - return err - } - return ioutil.WriteFile(certPath, data, os.FileMode(0644)) -} - -// NewPool returns an x509.CertPool containing the certificates in the given PEM-encoded file. -// Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates -func NewPool(filename string) (*x509.CertPool, error) { - certs, err := CertsFromFile(filename) - if err != nil { - return nil, err - } - pool := x509.NewCertPool() - for _, cert := range certs { - pool.AddCert(cert) - } - return pool, nil -} - -// CertsFromFile returns the x509.Certificates contained in the given PEM-encoded file. -// Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates -func CertsFromFile(file string) ([]*x509.Certificate, error) { - pemBlock, err := ioutil.ReadFile(file) - if err != nil { - return nil, err - } - certs, err := ParseCertsPEM(pemBlock) - if err != nil { - return nil, fmt.Errorf("error reading %s: %s", file, err) - } - return certs, nil -} diff --git a/vendor/k8s.io/client-go/util/cert/pem.go b/vendor/k8s.io/client-go/util/cert/pem.go deleted file mode 100644 index 9185e2e22..000000000 --- a/vendor/k8s.io/client-go/util/cert/pem.go +++ /dev/null @@ -1,61 +0,0 @@ -/* -Copyright 2014 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package cert - -import ( - "crypto/x509" - "encoding/pem" - "errors" -) - -const ( - // CertificateBlockType is a possible value for pem.Block.Type. - CertificateBlockType = "CERTIFICATE" - // CertificateRequestBlockType is a possible value for pem.Block.Type. - CertificateRequestBlockType = "CERTIFICATE REQUEST" -) - -// ParseCertsPEM returns the x509.Certificates contained in the given PEM-encoded byte array -// Returns an error if a certificate could not be parsed, or if the data does not contain any certificates -func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) { - ok := false - certs := []*x509.Certificate{} - for len(pemCerts) > 0 { - var block *pem.Block - block, pemCerts = pem.Decode(pemCerts) - if block == nil { - break - } - // Only use PEM "CERTIFICATE" blocks without extra headers - if block.Type != CertificateBlockType || len(block.Headers) != 0 { - continue - } - - cert, err := x509.ParseCertificate(block.Bytes) - if err != nil { - return certs, err - } - - certs = append(certs, cert) - ok = true - } - - if !ok { - return certs, errors.New("data does not contain any valid RSA or ECDSA certificates") - } - return certs, nil -} diff --git a/vendor/k8s.io/client-go/util/connrotation/connrotation.go b/vendor/k8s.io/client-go/util/connrotation/connrotation.go deleted file mode 100644 index 235a9e019..000000000 --- a/vendor/k8s.io/client-go/util/connrotation/connrotation.go +++ /dev/null @@ -1,105 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Package connrotation implements a connection dialer that tracks and can close -// all created connections. -// -// This is used for credential rotation of long-lived connections, when there's -// no way to re-authenticate on a live connection. -package connrotation - -import ( - "context" - "net" - "sync" -) - -// DialFunc is a shorthand for signature of net.DialContext. -type DialFunc func(ctx context.Context, network, address string) (net.Conn, error) - -// Dialer opens connections through Dial and tracks them. -type Dialer struct { - dial DialFunc - - mu sync.Mutex - conns map[*closableConn]struct{} -} - -// NewDialer creates a new Dialer instance. -// -// If dial is not nil, it will be used to create new underlying connections. -// Otherwise net.DialContext is used. -func NewDialer(dial DialFunc) *Dialer { - return &Dialer{ - dial: dial, - conns: make(map[*closableConn]struct{}), - } -} - -// CloseAll forcibly closes all tracked connections. -// -// Note: new connections may get created before CloseAll returns. -func (d *Dialer) CloseAll() { - d.mu.Lock() - conns := d.conns - d.conns = make(map[*closableConn]struct{}) - d.mu.Unlock() - - for conn := range conns { - conn.Close() - } -} - -// Dial creates a new tracked connection. -func (d *Dialer) Dial(network, address string) (net.Conn, error) { - return d.DialContext(context.Background(), network, address) -} - -// DialContext creates a new tracked connection. -func (d *Dialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) { - conn, err := d.dial(ctx, network, address) - if err != nil { - return nil, err - } - - closable := &closableConn{Conn: conn} - - // Start tracking the connection - d.mu.Lock() - d.conns[closable] = struct{}{} - d.mu.Unlock() - - // When the connection is closed, remove it from the map. This will - // be no-op if the connection isn't in the map, e.g. if CloseAll() - // is called. - closable.onClose = func() { - d.mu.Lock() - delete(d.conns, closable) - d.mu.Unlock() - } - - return closable, nil -} - -type closableConn struct { - onClose func() - net.Conn -} - -func (c *closableConn) Close() error { - go c.onClose() - return c.Conn.Close() -} diff --git a/vendor/k8s.io/client-go/util/exec/exec.go b/vendor/k8s.io/client-go/util/exec/exec.go deleted file mode 100644 index d170badb6..000000000 --- a/vendor/k8s.io/client-go/util/exec/exec.go +++ /dev/null @@ -1,52 +0,0 @@ -/* -Copyright 2014 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package exec - -// ExitError is an interface that presents an API similar to os.ProcessState, which is -// what ExitError from os/exec is. This is designed to make testing a bit easier and -// probably loses some of the cross-platform properties of the underlying library. -type ExitError interface { - String() string - Error() string - Exited() bool - ExitStatus() int -} - -// CodeExitError is an implementation of ExitError consisting of an error object -// and an exit code (the upper bits of os.exec.ExitStatus). -type CodeExitError struct { - Err error - Code int -} - -var _ ExitError = CodeExitError{} - -func (e CodeExitError) Error() string { - return e.Err.Error() -} - -func (e CodeExitError) String() string { - return e.Err.Error() -} - -func (e CodeExitError) Exited() bool { - return true -} - -func (e CodeExitError) ExitStatus() int { - return e.Code -} diff --git a/vendor/k8s.io/client-go/util/flowcontrol/backoff.go b/vendor/k8s.io/client-go/util/flowcontrol/backoff.go deleted file mode 100644 index 39cd72f95..000000000 --- a/vendor/k8s.io/client-go/util/flowcontrol/backoff.go +++ /dev/null @@ -1,149 +0,0 @@ -/* -Copyright 2015 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package flowcontrol - -import ( - "sync" - "time" - - "k8s.io/apimachinery/pkg/util/clock" - "k8s.io/utils/integer" -) - -type backoffEntry struct { - backoff time.Duration - lastUpdate time.Time -} - -type Backoff struct { - sync.Mutex - Clock clock.Clock - defaultDuration time.Duration - maxDuration time.Duration - perItemBackoff map[string]*backoffEntry -} - -func NewFakeBackOff(initial, max time.Duration, tc *clock.FakeClock) *Backoff { - return &Backoff{ - perItemBackoff: map[string]*backoffEntry{}, - Clock: tc, - defaultDuration: initial, - maxDuration: max, - } -} - -func NewBackOff(initial, max time.Duration) *Backoff { - return &Backoff{ - perItemBackoff: map[string]*backoffEntry{}, - Clock: clock.RealClock{}, - defaultDuration: initial, - maxDuration: max, - } -} - -// Get the current backoff Duration -func (p *Backoff) Get(id string) time.Duration { - p.Lock() - defer p.Unlock() - var delay time.Duration - entry, ok := p.perItemBackoff[id] - if ok { - delay = entry.backoff - } - return delay -} - -// move backoff to the next mark, capping at maxDuration -func (p *Backoff) Next(id string, eventTime time.Time) { - p.Lock() - defer p.Unlock() - entry, ok := p.perItemBackoff[id] - if !ok || hasExpired(eventTime, entry.lastUpdate, p.maxDuration) { - entry = p.initEntryUnsafe(id) - } else { - delay := entry.backoff * 2 // exponential - entry.backoff = time.Duration(integer.Int64Min(int64(delay), int64(p.maxDuration))) - } - entry.lastUpdate = p.Clock.Now() -} - -// Reset forces clearing of all backoff data for a given key. -func (p *Backoff) Reset(id string) { - p.Lock() - defer p.Unlock() - delete(p.perItemBackoff, id) -} - -// Returns True if the elapsed time since eventTime is smaller than the current backoff window -func (p *Backoff) IsInBackOffSince(id string, eventTime time.Time) bool { - p.Lock() - defer p.Unlock() - entry, ok := p.perItemBackoff[id] - if !ok { - return false - } - if hasExpired(eventTime, entry.lastUpdate, p.maxDuration) { - return false - } - return p.Clock.Since(eventTime) < entry.backoff -} - -// Returns True if time since lastupdate is less than the current backoff window. -func (p *Backoff) IsInBackOffSinceUpdate(id string, eventTime time.Time) bool { - p.Lock() - defer p.Unlock() - entry, ok := p.perItemBackoff[id] - if !ok { - return false - } - if hasExpired(eventTime, entry.lastUpdate, p.maxDuration) { - return false - } - return eventTime.Sub(entry.lastUpdate) < entry.backoff -} - -// Garbage collect records that have aged past maxDuration. Backoff users are expected -// to invoke this periodically. -func (p *Backoff) GC() { - p.Lock() - defer p.Unlock() - now := p.Clock.Now() - for id, entry := range p.perItemBackoff { - if now.Sub(entry.lastUpdate) > p.maxDuration*2 { - // GC when entry has not been updated for 2*maxDuration - delete(p.perItemBackoff, id) - } - } -} - -func (p *Backoff) DeleteEntry(id string) { - p.Lock() - defer p.Unlock() - delete(p.perItemBackoff, id) -} - -// Take a lock on *Backoff, before calling initEntryUnsafe -func (p *Backoff) initEntryUnsafe(id string) *backoffEntry { - entry := &backoffEntry{backoff: p.defaultDuration} - p.perItemBackoff[id] = entry - return entry -} - -// After 2*maxDuration we restart the backoff factor to the beginning -func hasExpired(eventTime time.Time, lastUpdate time.Time, maxDuration time.Duration) bool { - return eventTime.Sub(lastUpdate) > maxDuration*2 // consider stable if it's ok for twice the maxDuration -} diff --git a/vendor/k8s.io/client-go/util/flowcontrol/throttle.go b/vendor/k8s.io/client-go/util/flowcontrol/throttle.go deleted file mode 100644 index e671c044d..000000000 --- a/vendor/k8s.io/client-go/util/flowcontrol/throttle.go +++ /dev/null @@ -1,143 +0,0 @@ -/* -Copyright 2014 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package flowcontrol - -import ( - "sync" - "time" - - "golang.org/x/time/rate" -) - -type RateLimiter interface { - // TryAccept returns true if a token is taken immediately. Otherwise, - // it returns false. - TryAccept() bool - // Accept returns once a token becomes available. - Accept() - // Stop stops the rate limiter, subsequent calls to CanAccept will return false - Stop() - // QPS returns QPS of this rate limiter - QPS() float32 -} - -type tokenBucketRateLimiter struct { - limiter *rate.Limiter - clock Clock - qps float32 -} - -// NewTokenBucketRateLimiter creates a rate limiter which implements a token bucket approach. -// The rate limiter allows bursts of up to 'burst' to exceed the QPS, while still maintaining a -// smoothed qps rate of 'qps'. -// The bucket is initially filled with 'burst' tokens, and refills at a rate of 'qps'. -// The maximum number of tokens in the bucket is capped at 'burst'. -func NewTokenBucketRateLimiter(qps float32, burst int) RateLimiter { - limiter := rate.NewLimiter(rate.Limit(qps), burst) - return newTokenBucketRateLimiter(limiter, realClock{}, qps) -} - -// An injectable, mockable clock interface. -type Clock interface { - Now() time.Time - Sleep(time.Duration) -} - -type realClock struct{} - -func (realClock) Now() time.Time { - return time.Now() -} -func (realClock) Sleep(d time.Duration) { - time.Sleep(d) -} - -// NewTokenBucketRateLimiterWithClock is identical to NewTokenBucketRateLimiter -// but allows an injectable clock, for testing. -func NewTokenBucketRateLimiterWithClock(qps float32, burst int, c Clock) RateLimiter { - limiter := rate.NewLimiter(rate.Limit(qps), burst) - return newTokenBucketRateLimiter(limiter, c, qps) -} - -func newTokenBucketRateLimiter(limiter *rate.Limiter, c Clock, qps float32) RateLimiter { - return &tokenBucketRateLimiter{ - limiter: limiter, - clock: c, - qps: qps, - } -} - -func (t *tokenBucketRateLimiter) TryAccept() bool { - return t.limiter.AllowN(t.clock.Now(), 1) -} - -// Accept will block until a token becomes available -func (t *tokenBucketRateLimiter) Accept() { - now := t.clock.Now() - t.clock.Sleep(t.limiter.ReserveN(now, 1).DelayFrom(now)) -} - -func (t *tokenBucketRateLimiter) Stop() { -} - -func (t *tokenBucketRateLimiter) QPS() float32 { - return t.qps -} - -type fakeAlwaysRateLimiter struct{} - -func NewFakeAlwaysRateLimiter() RateLimiter { - return &fakeAlwaysRateLimiter{} -} - -func (t *fakeAlwaysRateLimiter) TryAccept() bool { - return true -} - -func (t *fakeAlwaysRateLimiter) Stop() {} - -func (t *fakeAlwaysRateLimiter) Accept() {} - -func (t *fakeAlwaysRateLimiter) QPS() float32 { - return 1 -} - -type fakeNeverRateLimiter struct { - wg sync.WaitGroup -} - -func NewFakeNeverRateLimiter() RateLimiter { - rl := fakeNeverRateLimiter{} - rl.wg.Add(1) - return &rl -} - -func (t *fakeNeverRateLimiter) TryAccept() bool { - return false -} - -func (t *fakeNeverRateLimiter) Stop() { - t.wg.Done() -} - -func (t *fakeNeverRateLimiter) Accept() { - t.wg.Wait() -} - -func (t *fakeNeverRateLimiter) QPS() float32 { - return 1 -} diff --git a/vendor/k8s.io/client-go/util/keyutil/OWNERS b/vendor/k8s.io/client-go/util/keyutil/OWNERS deleted file mode 100644 index 470b7a1c9..000000000 --- a/vendor/k8s.io/client-go/util/keyutil/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -approvers: -- sig-auth-certificates-approvers -reviewers: -- sig-auth-certificates-reviewers -labels: -- sig/auth - diff --git a/vendor/k8s.io/client-go/util/keyutil/key.go b/vendor/k8s.io/client-go/util/keyutil/key.go deleted file mode 100644 index 83c2c6254..000000000 --- a/vendor/k8s.io/client-go/util/keyutil/key.go +++ /dev/null @@ -1,323 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Package keyutil contains utilities for managing public/private key pairs. -package keyutil - -import ( - "crypto" - "crypto/ecdsa" - "crypto/elliptic" - cryptorand "crypto/rand" - "crypto/rsa" - "crypto/x509" - "encoding/pem" - "fmt" - "io/ioutil" - "os" - "path/filepath" -) - -const ( - // ECPrivateKeyBlockType is a possible value for pem.Block.Type. - ECPrivateKeyBlockType = "EC PRIVATE KEY" - // RSAPrivateKeyBlockType is a possible value for pem.Block.Type. - RSAPrivateKeyBlockType = "RSA PRIVATE KEY" - // PrivateKeyBlockType is a possible value for pem.Block.Type. - PrivateKeyBlockType = "PRIVATE KEY" - // PublicKeyBlockType is a possible value for pem.Block.Type. - PublicKeyBlockType = "PUBLIC KEY" -) - -// MakeEllipticPrivateKeyPEM creates an ECDSA private key -func MakeEllipticPrivateKeyPEM() ([]byte, error) { - privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader) - if err != nil { - return nil, err - } - - derBytes, err := x509.MarshalECPrivateKey(privateKey) - if err != nil { - return nil, err - } - - privateKeyPemBlock := &pem.Block{ - Type: ECPrivateKeyBlockType, - Bytes: derBytes, - } - return pem.EncodeToMemory(privateKeyPemBlock), nil -} - -// WriteKey writes the pem-encoded key data to keyPath. -// The key file will be created with file mode 0600. -// If the key file already exists, it will be overwritten. -// The parent directory of the keyPath will be created as needed with file mode 0755. -func WriteKey(keyPath string, data []byte) error { - if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil { - return err - } - return ioutil.WriteFile(keyPath, data, os.FileMode(0600)) -} - -// LoadOrGenerateKeyFile looks for a key in the file at the given path. If it -// can't find one, it will generate a new key and store it there. -func LoadOrGenerateKeyFile(keyPath string) (data []byte, wasGenerated bool, err error) { - loadedData, err := ioutil.ReadFile(keyPath) - // Call verifyKeyData to ensure the file wasn't empty/corrupt. - if err == nil && verifyKeyData(loadedData) { - return loadedData, false, err - } - if !os.IsNotExist(err) { - return nil, false, fmt.Errorf("error loading key from %s: %v", keyPath, err) - } - - generatedData, err := MakeEllipticPrivateKeyPEM() - if err != nil { - return nil, false, fmt.Errorf("error generating key: %v", err) - } - if err := WriteKey(keyPath, generatedData); err != nil { - return nil, false, fmt.Errorf("error writing key to %s: %v", keyPath, err) - } - return generatedData, true, nil -} - -// MarshalPrivateKeyToPEM converts a known private key type of RSA or ECDSA to -// a PEM encoded block or returns an error. -func MarshalPrivateKeyToPEM(privateKey crypto.PrivateKey) ([]byte, error) { - switch t := privateKey.(type) { - case *ecdsa.PrivateKey: - derBytes, err := x509.MarshalECPrivateKey(t) - if err != nil { - return nil, err - } - block := &pem.Block{ - Type: ECPrivateKeyBlockType, - Bytes: derBytes, - } - return pem.EncodeToMemory(block), nil - case *rsa.PrivateKey: - block := &pem.Block{ - Type: RSAPrivateKeyBlockType, - Bytes: x509.MarshalPKCS1PrivateKey(t), - } - return pem.EncodeToMemory(block), nil - default: - return nil, fmt.Errorf("private key is not a recognized type: %T", privateKey) - } -} - -// PrivateKeyFromFile returns the private key in rsa.PrivateKey or ecdsa.PrivateKey format from a given PEM-encoded file. -// Returns an error if the file could not be read or if the private key could not be parsed. -func PrivateKeyFromFile(file string) (interface{}, error) { - data, err := ioutil.ReadFile(file) - if err != nil { - return nil, err - } - key, err := ParsePrivateKeyPEM(data) - if err != nil { - return nil, fmt.Errorf("error reading private key file %s: %v", file, err) - } - return key, nil -} - -// PublicKeysFromFile returns the public keys in rsa.PublicKey or ecdsa.PublicKey format from a given PEM-encoded file. -// Reads public keys from both public and private key files. -func PublicKeysFromFile(file string) ([]interface{}, error) { - data, err := ioutil.ReadFile(file) - if err != nil { - return nil, err - } - keys, err := ParsePublicKeysPEM(data) - if err != nil { - return nil, fmt.Errorf("error reading public key file %s: %v", file, err) - } - return keys, nil -} - -// verifyKeyData returns true if the provided data appears to be a valid private key. -func verifyKeyData(data []byte) bool { - if len(data) == 0 { - return false - } - _, err := ParsePrivateKeyPEM(data) - return err == nil -} - -// ParsePrivateKeyPEM returns a private key parsed from a PEM block in the supplied data. -// Recognizes PEM blocks for "EC PRIVATE KEY", "RSA PRIVATE KEY", or "PRIVATE KEY" -func ParsePrivateKeyPEM(keyData []byte) (interface{}, error) { - var privateKeyPemBlock *pem.Block - for { - privateKeyPemBlock, keyData = pem.Decode(keyData) - if privateKeyPemBlock == nil { - break - } - - switch privateKeyPemBlock.Type { - case ECPrivateKeyBlockType: - // ECDSA Private Key in ASN.1 format - if key, err := x509.ParseECPrivateKey(privateKeyPemBlock.Bytes); err == nil { - return key, nil - } - case RSAPrivateKeyBlockType: - // RSA Private Key in PKCS#1 format - if key, err := x509.ParsePKCS1PrivateKey(privateKeyPemBlock.Bytes); err == nil { - return key, nil - } - case PrivateKeyBlockType: - // RSA or ECDSA Private Key in unencrypted PKCS#8 format - if key, err := x509.ParsePKCS8PrivateKey(privateKeyPemBlock.Bytes); err == nil { - return key, nil - } - } - - // tolerate non-key PEM blocks for compatibility with things like "EC PARAMETERS" blocks - // originally, only the first PEM block was parsed and expected to be a key block - } - - // we read all the PEM blocks and didn't recognize one - return nil, fmt.Errorf("data does not contain a valid RSA or ECDSA private key") -} - -// ParsePublicKeysPEM is a helper function for reading an array of rsa.PublicKey or ecdsa.PublicKey from a PEM-encoded byte array. -// Reads public keys from both public and private key files. -func ParsePublicKeysPEM(keyData []byte) ([]interface{}, error) { - var block *pem.Block - keys := []interface{}{} - for { - // read the next block - block, keyData = pem.Decode(keyData) - if block == nil { - break - } - - // test block against parsing functions - if privateKey, err := parseRSAPrivateKey(block.Bytes); err == nil { - keys = append(keys, &privateKey.PublicKey) - continue - } - if publicKey, err := parseRSAPublicKey(block.Bytes); err == nil { - keys = append(keys, publicKey) - continue - } - if privateKey, err := parseECPrivateKey(block.Bytes); err == nil { - keys = append(keys, &privateKey.PublicKey) - continue - } - if publicKey, err := parseECPublicKey(block.Bytes); err == nil { - keys = append(keys, publicKey) - continue - } - - // tolerate non-key PEM blocks for backwards compatibility - // originally, only the first PEM block was parsed and expected to be a key block - } - - if len(keys) == 0 { - return nil, fmt.Errorf("data does not contain any valid RSA or ECDSA public keys") - } - return keys, nil -} - -// parseRSAPublicKey parses a single RSA public key from the provided data -func parseRSAPublicKey(data []byte) (*rsa.PublicKey, error) { - var err error - - // Parse the key - var parsedKey interface{} - if parsedKey, err = x509.ParsePKIXPublicKey(data); err != nil { - if cert, err := x509.ParseCertificate(data); err == nil { - parsedKey = cert.PublicKey - } else { - return nil, err - } - } - - // Test if parsed key is an RSA Public Key - var pubKey *rsa.PublicKey - var ok bool - if pubKey, ok = parsedKey.(*rsa.PublicKey); !ok { - return nil, fmt.Errorf("data doesn't contain valid RSA Public Key") - } - - return pubKey, nil -} - -// parseRSAPrivateKey parses a single RSA private key from the provided data -func parseRSAPrivateKey(data []byte) (*rsa.PrivateKey, error) { - var err error - - // Parse the key - var parsedKey interface{} - if parsedKey, err = x509.ParsePKCS1PrivateKey(data); err != nil { - if parsedKey, err = x509.ParsePKCS8PrivateKey(data); err != nil { - return nil, err - } - } - - // Test if parsed key is an RSA Private Key - var privKey *rsa.PrivateKey - var ok bool - if privKey, ok = parsedKey.(*rsa.PrivateKey); !ok { - return nil, fmt.Errorf("data doesn't contain valid RSA Private Key") - } - - return privKey, nil -} - -// parseECPublicKey parses a single ECDSA public key from the provided data -func parseECPublicKey(data []byte) (*ecdsa.PublicKey, error) { - var err error - - // Parse the key - var parsedKey interface{} - if parsedKey, err = x509.ParsePKIXPublicKey(data); err != nil { - if cert, err := x509.ParseCertificate(data); err == nil { - parsedKey = cert.PublicKey - } else { - return nil, err - } - } - - // Test if parsed key is an ECDSA Public Key - var pubKey *ecdsa.PublicKey - var ok bool - if pubKey, ok = parsedKey.(*ecdsa.PublicKey); !ok { - return nil, fmt.Errorf("data doesn't contain valid ECDSA Public Key") - } - - return pubKey, nil -} - -// parseECPrivateKey parses a single ECDSA private key from the provided data -func parseECPrivateKey(data []byte) (*ecdsa.PrivateKey, error) { - var err error - - // Parse the key - var parsedKey interface{} - if parsedKey, err = x509.ParseECPrivateKey(data); err != nil { - return nil, err - } - - // Test if parsed key is an ECDSA Private Key - var privKey *ecdsa.PrivateKey - var ok bool - if privKey, ok = parsedKey.(*ecdsa.PrivateKey); !ok { - return nil, fmt.Errorf("data doesn't contain valid ECDSA Private Key") - } - - return privKey, nil -} |