summaryrefslogtreecommitdiff
path: root/vendor/k8s.io/client-go/util
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/k8s.io/client-go/util')
-rw-r--r--vendor/k8s.io/client-go/util/cert/OWNERS9
-rw-r--r--vendor/k8s.io/client-go/util/cert/cert.go206
-rw-r--r--vendor/k8s.io/client-go/util/cert/csr.go75
-rw-r--r--vendor/k8s.io/client-go/util/cert/io.go98
-rw-r--r--vendor/k8s.io/client-go/util/cert/pem.go61
-rw-r--r--vendor/k8s.io/client-go/util/connrotation/connrotation.go105
-rw-r--r--vendor/k8s.io/client-go/util/exec/exec.go52
-rw-r--r--vendor/k8s.io/client-go/util/flowcontrol/backoff.go149
-rw-r--r--vendor/k8s.io/client-go/util/flowcontrol/throttle.go143
-rw-r--r--vendor/k8s.io/client-go/util/keyutil/OWNERS7
-rw-r--r--vendor/k8s.io/client-go/util/keyutil/key.go323
11 files changed, 0 insertions, 1228 deletions
diff --git a/vendor/k8s.io/client-go/util/cert/OWNERS b/vendor/k8s.io/client-go/util/cert/OWNERS
deleted file mode 100644
index 3cf036438..000000000
--- a/vendor/k8s.io/client-go/util/cert/OWNERS
+++ /dev/null
@@ -1,9 +0,0 @@
-# See the OWNERS docs at https://go.k8s.io/owners
-
-approvers:
-- sig-auth-certificates-approvers
-reviewers:
-- sig-auth-certificates-reviewers
-labels:
-- sig/auth
-
diff --git a/vendor/k8s.io/client-go/util/cert/cert.go b/vendor/k8s.io/client-go/util/cert/cert.go
deleted file mode 100644
index 9fd097af5..000000000
--- a/vendor/k8s.io/client-go/util/cert/cert.go
+++ /dev/null
@@ -1,206 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package cert
-
-import (
- "bytes"
- "crypto"
- cryptorand "crypto/rand"
- "crypto/rsa"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/pem"
- "fmt"
- "io/ioutil"
- "math/big"
- "net"
- "path"
- "strings"
- "time"
-
- "k8s.io/client-go/util/keyutil"
-)
-
-const duration365d = time.Hour * 24 * 365
-
-// Config contains the basic fields required for creating a certificate
-type Config struct {
- CommonName string
- Organization []string
- AltNames AltNames
- Usages []x509.ExtKeyUsage
-}
-
-// AltNames contains the domain names and IP addresses that will be added
-// to the API Server's x509 certificate SubAltNames field. The values will
-// be passed directly to the x509.Certificate object.
-type AltNames struct {
- DNSNames []string
- IPs []net.IP
-}
-
-// NewSelfSignedCACert creates a CA certificate
-func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
- now := time.Now()
- tmpl := x509.Certificate{
- SerialNumber: new(big.Int).SetInt64(0),
- Subject: pkix.Name{
- CommonName: cfg.CommonName,
- Organization: cfg.Organization,
- },
- NotBefore: now.UTC(),
- NotAfter: now.Add(duration365d * 10).UTC(),
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
- BasicConstraintsValid: true,
- IsCA: true,
- }
-
- certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
- if err != nil {
- return nil, err
- }
- return x509.ParseCertificate(certDERBytes)
-}
-
-// GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host.
-// Host may be an IP or a DNS name
-// You may also specify additional subject alt names (either ip or dns names) for the certificate.
-func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) {
- return GenerateSelfSignedCertKeyWithFixtures(host, alternateIPs, alternateDNS, "")
-}
-
-// GenerateSelfSignedCertKeyWithFixtures creates a self-signed certificate and key for the given host.
-// Host may be an IP or a DNS name. You may also specify additional subject alt names (either ip or dns names)
-// for the certificate.
-//
-// If fixtureDirectory is non-empty, it is a directory path which can contain pre-generated certs. The format is:
-// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
-// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
-// Certs/keys not existing in that directory are created.
-func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error) {
- validFrom := time.Now().Add(-time.Hour) // valid an hour earlier to avoid flakes due to clock skew
- maxAge := time.Hour * 24 * 365 // one year self-signed certs
-
- baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-"))
- certFixturePath := path.Join(fixtureDirectory, baseName+".crt")
- keyFixturePath := path.Join(fixtureDirectory, baseName+".key")
- if len(fixtureDirectory) > 0 {
- cert, err := ioutil.ReadFile(certFixturePath)
- if err == nil {
- key, err := ioutil.ReadFile(keyFixturePath)
- if err == nil {
- return cert, key, nil
- }
- return nil, nil, fmt.Errorf("cert %s can be read, but key %s cannot: %v", certFixturePath, keyFixturePath, err)
- }
- maxAge = 100 * time.Hour * 24 * 365 // 100 years fixtures
- }
-
- caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048)
- if err != nil {
- return nil, nil, err
- }
-
- caTemplate := x509.Certificate{
- SerialNumber: big.NewInt(1),
- Subject: pkix.Name{
- CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()),
- },
- NotBefore: validFrom,
- NotAfter: validFrom.Add(maxAge),
-
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
- BasicConstraintsValid: true,
- IsCA: true,
- }
-
- caDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &caTemplate, &caTemplate, &caKey.PublicKey, caKey)
- if err != nil {
- return nil, nil, err
- }
-
- caCertificate, err := x509.ParseCertificate(caDERBytes)
- if err != nil {
- return nil, nil, err
- }
-
- priv, err := rsa.GenerateKey(cryptorand.Reader, 2048)
- if err != nil {
- return nil, nil, err
- }
-
- template := x509.Certificate{
- SerialNumber: big.NewInt(2),
- Subject: pkix.Name{
- CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
- },
- NotBefore: validFrom,
- NotAfter: validFrom.Add(maxAge),
-
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
- BasicConstraintsValid: true,
- }
-
- if ip := net.ParseIP(host); ip != nil {
- template.IPAddresses = append(template.IPAddresses, ip)
- } else {
- template.DNSNames = append(template.DNSNames, host)
- }
-
- template.IPAddresses = append(template.IPAddresses, alternateIPs...)
- template.DNSNames = append(template.DNSNames, alternateDNS...)
-
- derBytes, err := x509.CreateCertificate(cryptorand.Reader, &template, caCertificate, &priv.PublicKey, caKey)
- if err != nil {
- return nil, nil, err
- }
-
- // Generate cert, followed by ca
- certBuffer := bytes.Buffer{}
- if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: derBytes}); err != nil {
- return nil, nil, err
- }
- if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: caDERBytes}); err != nil {
- return nil, nil, err
- }
-
- // Generate key
- keyBuffer := bytes.Buffer{}
- if err := pem.Encode(&keyBuffer, &pem.Block{Type: keyutil.RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
- return nil, nil, err
- }
-
- if len(fixtureDirectory) > 0 {
- if err := ioutil.WriteFile(certFixturePath, certBuffer.Bytes(), 0644); err != nil {
- return nil, nil, fmt.Errorf("failed to write cert fixture to %s: %v", certFixturePath, err)
- }
- if err := ioutil.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0644); err != nil {
- return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", certFixturePath, err)
- }
- }
-
- return certBuffer.Bytes(), keyBuffer.Bytes(), nil
-}
-
-func ipsToStrings(ips []net.IP) []string {
- ss := make([]string, 0, len(ips))
- for _, ip := range ips {
- ss = append(ss, ip.String())
- }
- return ss
-}
diff --git a/vendor/k8s.io/client-go/util/cert/csr.go b/vendor/k8s.io/client-go/util/cert/csr.go
deleted file mode 100644
index 39a6751f7..000000000
--- a/vendor/k8s.io/client-go/util/cert/csr.go
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package cert
-
-import (
- cryptorand "crypto/rand"
- "crypto/rsa"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/pem"
- "net"
-)
-
-// MakeCSR generates a PEM-encoded CSR using the supplied private key, subject, and SANs.
-// All key types that are implemented via crypto.Signer are supported (This includes *rsa.PrivateKey and *ecdsa.PrivateKey.)
-func MakeCSR(privateKey interface{}, subject *pkix.Name, dnsSANs []string, ipSANs []net.IP) (csr []byte, err error) {
- template := &x509.CertificateRequest{
- Subject: *subject,
- DNSNames: dnsSANs,
- IPAddresses: ipSANs,
- }
-
- return MakeCSRFromTemplate(privateKey, template)
-}
-
-// MakeCSRFromTemplate generates a PEM-encoded CSR using the supplied private
-// key and certificate request as a template. All key types that are
-// implemented via crypto.Signer are supported (This includes *rsa.PrivateKey
-// and *ecdsa.PrivateKey.)
-func MakeCSRFromTemplate(privateKey interface{}, template *x509.CertificateRequest) ([]byte, error) {
- t := *template
- t.SignatureAlgorithm = sigType(privateKey)
-
- csrDER, err := x509.CreateCertificateRequest(cryptorand.Reader, &t, privateKey)
- if err != nil {
- return nil, err
- }
-
- csrPemBlock := &pem.Block{
- Type: CertificateRequestBlockType,
- Bytes: csrDER,
- }
-
- return pem.EncodeToMemory(csrPemBlock), nil
-}
-
-func sigType(privateKey interface{}) x509.SignatureAlgorithm {
- // Customize the signature for RSA keys, depending on the key size
- if privateKey, ok := privateKey.(*rsa.PrivateKey); ok {
- keySize := privateKey.N.BitLen()
- switch {
- case keySize >= 4096:
- return x509.SHA512WithRSA
- case keySize >= 3072:
- return x509.SHA384WithRSA
- default:
- return x509.SHA256WithRSA
- }
- }
- return x509.UnknownSignatureAlgorithm
-}
diff --git a/vendor/k8s.io/client-go/util/cert/io.go b/vendor/k8s.io/client-go/util/cert/io.go
deleted file mode 100644
index 5efb24894..000000000
--- a/vendor/k8s.io/client-go/util/cert/io.go
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package cert
-
-import (
- "crypto/x509"
- "fmt"
- "io/ioutil"
- "os"
- "path/filepath"
-)
-
-// CanReadCertAndKey returns true if the certificate and key files already exists,
-// otherwise returns false. If lost one of cert and key, returns error.
-func CanReadCertAndKey(certPath, keyPath string) (bool, error) {
- certReadable := canReadFile(certPath)
- keyReadable := canReadFile(keyPath)
-
- if certReadable == false && keyReadable == false {
- return false, nil
- }
-
- if certReadable == false {
- return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", certPath)
- }
-
- if keyReadable == false {
- return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", keyPath)
- }
-
- return true, nil
-}
-
-// If the file represented by path exists and
-// readable, returns true otherwise returns false.
-func canReadFile(path string) bool {
- f, err := os.Open(path)
- if err != nil {
- return false
- }
-
- defer f.Close()
-
- return true
-}
-
-// WriteCert writes the pem-encoded certificate data to certPath.
-// The certificate file will be created with file mode 0644.
-// If the certificate file already exists, it will be overwritten.
-// The parent directory of the certPath will be created as needed with file mode 0755.
-func WriteCert(certPath string, data []byte) error {
- if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil {
- return err
- }
- return ioutil.WriteFile(certPath, data, os.FileMode(0644))
-}
-
-// NewPool returns an x509.CertPool containing the certificates in the given PEM-encoded file.
-// Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates
-func NewPool(filename string) (*x509.CertPool, error) {
- certs, err := CertsFromFile(filename)
- if err != nil {
- return nil, err
- }
- pool := x509.NewCertPool()
- for _, cert := range certs {
- pool.AddCert(cert)
- }
- return pool, nil
-}
-
-// CertsFromFile returns the x509.Certificates contained in the given PEM-encoded file.
-// Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates
-func CertsFromFile(file string) ([]*x509.Certificate, error) {
- pemBlock, err := ioutil.ReadFile(file)
- if err != nil {
- return nil, err
- }
- certs, err := ParseCertsPEM(pemBlock)
- if err != nil {
- return nil, fmt.Errorf("error reading %s: %s", file, err)
- }
- return certs, nil
-}
diff --git a/vendor/k8s.io/client-go/util/cert/pem.go b/vendor/k8s.io/client-go/util/cert/pem.go
deleted file mode 100644
index 9185e2e22..000000000
--- a/vendor/k8s.io/client-go/util/cert/pem.go
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package cert
-
-import (
- "crypto/x509"
- "encoding/pem"
- "errors"
-)
-
-const (
- // CertificateBlockType is a possible value for pem.Block.Type.
- CertificateBlockType = "CERTIFICATE"
- // CertificateRequestBlockType is a possible value for pem.Block.Type.
- CertificateRequestBlockType = "CERTIFICATE REQUEST"
-)
-
-// ParseCertsPEM returns the x509.Certificates contained in the given PEM-encoded byte array
-// Returns an error if a certificate could not be parsed, or if the data does not contain any certificates
-func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) {
- ok := false
- certs := []*x509.Certificate{}
- for len(pemCerts) > 0 {
- var block *pem.Block
- block, pemCerts = pem.Decode(pemCerts)
- if block == nil {
- break
- }
- // Only use PEM "CERTIFICATE" blocks without extra headers
- if block.Type != CertificateBlockType || len(block.Headers) != 0 {
- continue
- }
-
- cert, err := x509.ParseCertificate(block.Bytes)
- if err != nil {
- return certs, err
- }
-
- certs = append(certs, cert)
- ok = true
- }
-
- if !ok {
- return certs, errors.New("data does not contain any valid RSA or ECDSA certificates")
- }
- return certs, nil
-}
diff --git a/vendor/k8s.io/client-go/util/connrotation/connrotation.go b/vendor/k8s.io/client-go/util/connrotation/connrotation.go
deleted file mode 100644
index 235a9e019..000000000
--- a/vendor/k8s.io/client-go/util/connrotation/connrotation.go
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package connrotation implements a connection dialer that tracks and can close
-// all created connections.
-//
-// This is used for credential rotation of long-lived connections, when there's
-// no way to re-authenticate on a live connection.
-package connrotation
-
-import (
- "context"
- "net"
- "sync"
-)
-
-// DialFunc is a shorthand for signature of net.DialContext.
-type DialFunc func(ctx context.Context, network, address string) (net.Conn, error)
-
-// Dialer opens connections through Dial and tracks them.
-type Dialer struct {
- dial DialFunc
-
- mu sync.Mutex
- conns map[*closableConn]struct{}
-}
-
-// NewDialer creates a new Dialer instance.
-//
-// If dial is not nil, it will be used to create new underlying connections.
-// Otherwise net.DialContext is used.
-func NewDialer(dial DialFunc) *Dialer {
- return &Dialer{
- dial: dial,
- conns: make(map[*closableConn]struct{}),
- }
-}
-
-// CloseAll forcibly closes all tracked connections.
-//
-// Note: new connections may get created before CloseAll returns.
-func (d *Dialer) CloseAll() {
- d.mu.Lock()
- conns := d.conns
- d.conns = make(map[*closableConn]struct{})
- d.mu.Unlock()
-
- for conn := range conns {
- conn.Close()
- }
-}
-
-// Dial creates a new tracked connection.
-func (d *Dialer) Dial(network, address string) (net.Conn, error) {
- return d.DialContext(context.Background(), network, address)
-}
-
-// DialContext creates a new tracked connection.
-func (d *Dialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
- conn, err := d.dial(ctx, network, address)
- if err != nil {
- return nil, err
- }
-
- closable := &closableConn{Conn: conn}
-
- // Start tracking the connection
- d.mu.Lock()
- d.conns[closable] = struct{}{}
- d.mu.Unlock()
-
- // When the connection is closed, remove it from the map. This will
- // be no-op if the connection isn't in the map, e.g. if CloseAll()
- // is called.
- closable.onClose = func() {
- d.mu.Lock()
- delete(d.conns, closable)
- d.mu.Unlock()
- }
-
- return closable, nil
-}
-
-type closableConn struct {
- onClose func()
- net.Conn
-}
-
-func (c *closableConn) Close() error {
- go c.onClose()
- return c.Conn.Close()
-}
diff --git a/vendor/k8s.io/client-go/util/exec/exec.go b/vendor/k8s.io/client-go/util/exec/exec.go
deleted file mode 100644
index d170badb6..000000000
--- a/vendor/k8s.io/client-go/util/exec/exec.go
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package exec
-
-// ExitError is an interface that presents an API similar to os.ProcessState, which is
-// what ExitError from os/exec is. This is designed to make testing a bit easier and
-// probably loses some of the cross-platform properties of the underlying library.
-type ExitError interface {
- String() string
- Error() string
- Exited() bool
- ExitStatus() int
-}
-
-// CodeExitError is an implementation of ExitError consisting of an error object
-// and an exit code (the upper bits of os.exec.ExitStatus).
-type CodeExitError struct {
- Err error
- Code int
-}
-
-var _ ExitError = CodeExitError{}
-
-func (e CodeExitError) Error() string {
- return e.Err.Error()
-}
-
-func (e CodeExitError) String() string {
- return e.Err.Error()
-}
-
-func (e CodeExitError) Exited() bool {
- return true
-}
-
-func (e CodeExitError) ExitStatus() int {
- return e.Code
-}
diff --git a/vendor/k8s.io/client-go/util/flowcontrol/backoff.go b/vendor/k8s.io/client-go/util/flowcontrol/backoff.go
deleted file mode 100644
index 39cd72f95..000000000
--- a/vendor/k8s.io/client-go/util/flowcontrol/backoff.go
+++ /dev/null
@@ -1,149 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package flowcontrol
-
-import (
- "sync"
- "time"
-
- "k8s.io/apimachinery/pkg/util/clock"
- "k8s.io/utils/integer"
-)
-
-type backoffEntry struct {
- backoff time.Duration
- lastUpdate time.Time
-}
-
-type Backoff struct {
- sync.Mutex
- Clock clock.Clock
- defaultDuration time.Duration
- maxDuration time.Duration
- perItemBackoff map[string]*backoffEntry
-}
-
-func NewFakeBackOff(initial, max time.Duration, tc *clock.FakeClock) *Backoff {
- return &Backoff{
- perItemBackoff: map[string]*backoffEntry{},
- Clock: tc,
- defaultDuration: initial,
- maxDuration: max,
- }
-}
-
-func NewBackOff(initial, max time.Duration) *Backoff {
- return &Backoff{
- perItemBackoff: map[string]*backoffEntry{},
- Clock: clock.RealClock{},
- defaultDuration: initial,
- maxDuration: max,
- }
-}
-
-// Get the current backoff Duration
-func (p *Backoff) Get(id string) time.Duration {
- p.Lock()
- defer p.Unlock()
- var delay time.Duration
- entry, ok := p.perItemBackoff[id]
- if ok {
- delay = entry.backoff
- }
- return delay
-}
-
-// move backoff to the next mark, capping at maxDuration
-func (p *Backoff) Next(id string, eventTime time.Time) {
- p.Lock()
- defer p.Unlock()
- entry, ok := p.perItemBackoff[id]
- if !ok || hasExpired(eventTime, entry.lastUpdate, p.maxDuration) {
- entry = p.initEntryUnsafe(id)
- } else {
- delay := entry.backoff * 2 // exponential
- entry.backoff = time.Duration(integer.Int64Min(int64(delay), int64(p.maxDuration)))
- }
- entry.lastUpdate = p.Clock.Now()
-}
-
-// Reset forces clearing of all backoff data for a given key.
-func (p *Backoff) Reset(id string) {
- p.Lock()
- defer p.Unlock()
- delete(p.perItemBackoff, id)
-}
-
-// Returns True if the elapsed time since eventTime is smaller than the current backoff window
-func (p *Backoff) IsInBackOffSince(id string, eventTime time.Time) bool {
- p.Lock()
- defer p.Unlock()
- entry, ok := p.perItemBackoff[id]
- if !ok {
- return false
- }
- if hasExpired(eventTime, entry.lastUpdate, p.maxDuration) {
- return false
- }
- return p.Clock.Since(eventTime) < entry.backoff
-}
-
-// Returns True if time since lastupdate is less than the current backoff window.
-func (p *Backoff) IsInBackOffSinceUpdate(id string, eventTime time.Time) bool {
- p.Lock()
- defer p.Unlock()
- entry, ok := p.perItemBackoff[id]
- if !ok {
- return false
- }
- if hasExpired(eventTime, entry.lastUpdate, p.maxDuration) {
- return false
- }
- return eventTime.Sub(entry.lastUpdate) < entry.backoff
-}
-
-// Garbage collect records that have aged past maxDuration. Backoff users are expected
-// to invoke this periodically.
-func (p *Backoff) GC() {
- p.Lock()
- defer p.Unlock()
- now := p.Clock.Now()
- for id, entry := range p.perItemBackoff {
- if now.Sub(entry.lastUpdate) > p.maxDuration*2 {
- // GC when entry has not been updated for 2*maxDuration
- delete(p.perItemBackoff, id)
- }
- }
-}
-
-func (p *Backoff) DeleteEntry(id string) {
- p.Lock()
- defer p.Unlock()
- delete(p.perItemBackoff, id)
-}
-
-// Take a lock on *Backoff, before calling initEntryUnsafe
-func (p *Backoff) initEntryUnsafe(id string) *backoffEntry {
- entry := &backoffEntry{backoff: p.defaultDuration}
- p.perItemBackoff[id] = entry
- return entry
-}
-
-// After 2*maxDuration we restart the backoff factor to the beginning
-func hasExpired(eventTime time.Time, lastUpdate time.Time, maxDuration time.Duration) bool {
- return eventTime.Sub(lastUpdate) > maxDuration*2 // consider stable if it's ok for twice the maxDuration
-}
diff --git a/vendor/k8s.io/client-go/util/flowcontrol/throttle.go b/vendor/k8s.io/client-go/util/flowcontrol/throttle.go
deleted file mode 100644
index e671c044d..000000000
--- a/vendor/k8s.io/client-go/util/flowcontrol/throttle.go
+++ /dev/null
@@ -1,143 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package flowcontrol
-
-import (
- "sync"
- "time"
-
- "golang.org/x/time/rate"
-)
-
-type RateLimiter interface {
- // TryAccept returns true if a token is taken immediately. Otherwise,
- // it returns false.
- TryAccept() bool
- // Accept returns once a token becomes available.
- Accept()
- // Stop stops the rate limiter, subsequent calls to CanAccept will return false
- Stop()
- // QPS returns QPS of this rate limiter
- QPS() float32
-}
-
-type tokenBucketRateLimiter struct {
- limiter *rate.Limiter
- clock Clock
- qps float32
-}
-
-// NewTokenBucketRateLimiter creates a rate limiter which implements a token bucket approach.
-// The rate limiter allows bursts of up to 'burst' to exceed the QPS, while still maintaining a
-// smoothed qps rate of 'qps'.
-// The bucket is initially filled with 'burst' tokens, and refills at a rate of 'qps'.
-// The maximum number of tokens in the bucket is capped at 'burst'.
-func NewTokenBucketRateLimiter(qps float32, burst int) RateLimiter {
- limiter := rate.NewLimiter(rate.Limit(qps), burst)
- return newTokenBucketRateLimiter(limiter, realClock{}, qps)
-}
-
-// An injectable, mockable clock interface.
-type Clock interface {
- Now() time.Time
- Sleep(time.Duration)
-}
-
-type realClock struct{}
-
-func (realClock) Now() time.Time {
- return time.Now()
-}
-func (realClock) Sleep(d time.Duration) {
- time.Sleep(d)
-}
-
-// NewTokenBucketRateLimiterWithClock is identical to NewTokenBucketRateLimiter
-// but allows an injectable clock, for testing.
-func NewTokenBucketRateLimiterWithClock(qps float32, burst int, c Clock) RateLimiter {
- limiter := rate.NewLimiter(rate.Limit(qps), burst)
- return newTokenBucketRateLimiter(limiter, c, qps)
-}
-
-func newTokenBucketRateLimiter(limiter *rate.Limiter, c Clock, qps float32) RateLimiter {
- return &tokenBucketRateLimiter{
- limiter: limiter,
- clock: c,
- qps: qps,
- }
-}
-
-func (t *tokenBucketRateLimiter) TryAccept() bool {
- return t.limiter.AllowN(t.clock.Now(), 1)
-}
-
-// Accept will block until a token becomes available
-func (t *tokenBucketRateLimiter) Accept() {
- now := t.clock.Now()
- t.clock.Sleep(t.limiter.ReserveN(now, 1).DelayFrom(now))
-}
-
-func (t *tokenBucketRateLimiter) Stop() {
-}
-
-func (t *tokenBucketRateLimiter) QPS() float32 {
- return t.qps
-}
-
-type fakeAlwaysRateLimiter struct{}
-
-func NewFakeAlwaysRateLimiter() RateLimiter {
- return &fakeAlwaysRateLimiter{}
-}
-
-func (t *fakeAlwaysRateLimiter) TryAccept() bool {
- return true
-}
-
-func (t *fakeAlwaysRateLimiter) Stop() {}
-
-func (t *fakeAlwaysRateLimiter) Accept() {}
-
-func (t *fakeAlwaysRateLimiter) QPS() float32 {
- return 1
-}
-
-type fakeNeverRateLimiter struct {
- wg sync.WaitGroup
-}
-
-func NewFakeNeverRateLimiter() RateLimiter {
- rl := fakeNeverRateLimiter{}
- rl.wg.Add(1)
- return &rl
-}
-
-func (t *fakeNeverRateLimiter) TryAccept() bool {
- return false
-}
-
-func (t *fakeNeverRateLimiter) Stop() {
- t.wg.Done()
-}
-
-func (t *fakeNeverRateLimiter) Accept() {
- t.wg.Wait()
-}
-
-func (t *fakeNeverRateLimiter) QPS() float32 {
- return 1
-}
diff --git a/vendor/k8s.io/client-go/util/keyutil/OWNERS b/vendor/k8s.io/client-go/util/keyutil/OWNERS
deleted file mode 100644
index 470b7a1c9..000000000
--- a/vendor/k8s.io/client-go/util/keyutil/OWNERS
+++ /dev/null
@@ -1,7 +0,0 @@
-approvers:
-- sig-auth-certificates-approvers
-reviewers:
-- sig-auth-certificates-reviewers
-labels:
-- sig/auth
-
diff --git a/vendor/k8s.io/client-go/util/keyutil/key.go b/vendor/k8s.io/client-go/util/keyutil/key.go
deleted file mode 100644
index 83c2c6254..000000000
--- a/vendor/k8s.io/client-go/util/keyutil/key.go
+++ /dev/null
@@ -1,323 +0,0 @@
-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package keyutil contains utilities for managing public/private key pairs.
-package keyutil
-
-import (
- "crypto"
- "crypto/ecdsa"
- "crypto/elliptic"
- cryptorand "crypto/rand"
- "crypto/rsa"
- "crypto/x509"
- "encoding/pem"
- "fmt"
- "io/ioutil"
- "os"
- "path/filepath"
-)
-
-const (
- // ECPrivateKeyBlockType is a possible value for pem.Block.Type.
- ECPrivateKeyBlockType = "EC PRIVATE KEY"
- // RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
- RSAPrivateKeyBlockType = "RSA PRIVATE KEY"
- // PrivateKeyBlockType is a possible value for pem.Block.Type.
- PrivateKeyBlockType = "PRIVATE KEY"
- // PublicKeyBlockType is a possible value for pem.Block.Type.
- PublicKeyBlockType = "PUBLIC KEY"
-)
-
-// MakeEllipticPrivateKeyPEM creates an ECDSA private key
-func MakeEllipticPrivateKeyPEM() ([]byte, error) {
- privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
- if err != nil {
- return nil, err
- }
-
- derBytes, err := x509.MarshalECPrivateKey(privateKey)
- if err != nil {
- return nil, err
- }
-
- privateKeyPemBlock := &pem.Block{
- Type: ECPrivateKeyBlockType,
- Bytes: derBytes,
- }
- return pem.EncodeToMemory(privateKeyPemBlock), nil
-}
-
-// WriteKey writes the pem-encoded key data to keyPath.
-// The key file will be created with file mode 0600.
-// If the key file already exists, it will be overwritten.
-// The parent directory of the keyPath will be created as needed with file mode 0755.
-func WriteKey(keyPath string, data []byte) error {
- if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil {
- return err
- }
- return ioutil.WriteFile(keyPath, data, os.FileMode(0600))
-}
-
-// LoadOrGenerateKeyFile looks for a key in the file at the given path. If it
-// can't find one, it will generate a new key and store it there.
-func LoadOrGenerateKeyFile(keyPath string) (data []byte, wasGenerated bool, err error) {
- loadedData, err := ioutil.ReadFile(keyPath)
- // Call verifyKeyData to ensure the file wasn't empty/corrupt.
- if err == nil && verifyKeyData(loadedData) {
- return loadedData, false, err
- }
- if !os.IsNotExist(err) {
- return nil, false, fmt.Errorf("error loading key from %s: %v", keyPath, err)
- }
-
- generatedData, err := MakeEllipticPrivateKeyPEM()
- if err != nil {
- return nil, false, fmt.Errorf("error generating key: %v", err)
- }
- if err := WriteKey(keyPath, generatedData); err != nil {
- return nil, false, fmt.Errorf("error writing key to %s: %v", keyPath, err)
- }
- return generatedData, true, nil
-}
-
-// MarshalPrivateKeyToPEM converts a known private key type of RSA or ECDSA to
-// a PEM encoded block or returns an error.
-func MarshalPrivateKeyToPEM(privateKey crypto.PrivateKey) ([]byte, error) {
- switch t := privateKey.(type) {
- case *ecdsa.PrivateKey:
- derBytes, err := x509.MarshalECPrivateKey(t)
- if err != nil {
- return nil, err
- }
- block := &pem.Block{
- Type: ECPrivateKeyBlockType,
- Bytes: derBytes,
- }
- return pem.EncodeToMemory(block), nil
- case *rsa.PrivateKey:
- block := &pem.Block{
- Type: RSAPrivateKeyBlockType,
- Bytes: x509.MarshalPKCS1PrivateKey(t),
- }
- return pem.EncodeToMemory(block), nil
- default:
- return nil, fmt.Errorf("private key is not a recognized type: %T", privateKey)
- }
-}
-
-// PrivateKeyFromFile returns the private key in rsa.PrivateKey or ecdsa.PrivateKey format from a given PEM-encoded file.
-// Returns an error if the file could not be read or if the private key could not be parsed.
-func PrivateKeyFromFile(file string) (interface{}, error) {
- data, err := ioutil.ReadFile(file)
- if err != nil {
- return nil, err
- }
- key, err := ParsePrivateKeyPEM(data)
- if err != nil {
- return nil, fmt.Errorf("error reading private key file %s: %v", file, err)
- }
- return key, nil
-}
-
-// PublicKeysFromFile returns the public keys in rsa.PublicKey or ecdsa.PublicKey format from a given PEM-encoded file.
-// Reads public keys from both public and private key files.
-func PublicKeysFromFile(file string) ([]interface{}, error) {
- data, err := ioutil.ReadFile(file)
- if err != nil {
- return nil, err
- }
- keys, err := ParsePublicKeysPEM(data)
- if err != nil {
- return nil, fmt.Errorf("error reading public key file %s: %v", file, err)
- }
- return keys, nil
-}
-
-// verifyKeyData returns true if the provided data appears to be a valid private key.
-func verifyKeyData(data []byte) bool {
- if len(data) == 0 {
- return false
- }
- _, err := ParsePrivateKeyPEM(data)
- return err == nil
-}
-
-// ParsePrivateKeyPEM returns a private key parsed from a PEM block in the supplied data.
-// Recognizes PEM blocks for "EC PRIVATE KEY", "RSA PRIVATE KEY", or "PRIVATE KEY"
-func ParsePrivateKeyPEM(keyData []byte) (interface{}, error) {
- var privateKeyPemBlock *pem.Block
- for {
- privateKeyPemBlock, keyData = pem.Decode(keyData)
- if privateKeyPemBlock == nil {
- break
- }
-
- switch privateKeyPemBlock.Type {
- case ECPrivateKeyBlockType:
- // ECDSA Private Key in ASN.1 format
- if key, err := x509.ParseECPrivateKey(privateKeyPemBlock.Bytes); err == nil {
- return key, nil
- }
- case RSAPrivateKeyBlockType:
- // RSA Private Key in PKCS#1 format
- if key, err := x509.ParsePKCS1PrivateKey(privateKeyPemBlock.Bytes); err == nil {
- return key, nil
- }
- case PrivateKeyBlockType:
- // RSA or ECDSA Private Key in unencrypted PKCS#8 format
- if key, err := x509.ParsePKCS8PrivateKey(privateKeyPemBlock.Bytes); err == nil {
- return key, nil
- }
- }
-
- // tolerate non-key PEM blocks for compatibility with things like "EC PARAMETERS" blocks
- // originally, only the first PEM block was parsed and expected to be a key block
- }
-
- // we read all the PEM blocks and didn't recognize one
- return nil, fmt.Errorf("data does not contain a valid RSA or ECDSA private key")
-}
-
-// ParsePublicKeysPEM is a helper function for reading an array of rsa.PublicKey or ecdsa.PublicKey from a PEM-encoded byte array.
-// Reads public keys from both public and private key files.
-func ParsePublicKeysPEM(keyData []byte) ([]interface{}, error) {
- var block *pem.Block
- keys := []interface{}{}
- for {
- // read the next block
- block, keyData = pem.Decode(keyData)
- if block == nil {
- break
- }
-
- // test block against parsing functions
- if privateKey, err := parseRSAPrivateKey(block.Bytes); err == nil {
- keys = append(keys, &privateKey.PublicKey)
- continue
- }
- if publicKey, err := parseRSAPublicKey(block.Bytes); err == nil {
- keys = append(keys, publicKey)
- continue
- }
- if privateKey, err := parseECPrivateKey(block.Bytes); err == nil {
- keys = append(keys, &privateKey.PublicKey)
- continue
- }
- if publicKey, err := parseECPublicKey(block.Bytes); err == nil {
- keys = append(keys, publicKey)
- continue
- }
-
- // tolerate non-key PEM blocks for backwards compatibility
- // originally, only the first PEM block was parsed and expected to be a key block
- }
-
- if len(keys) == 0 {
- return nil, fmt.Errorf("data does not contain any valid RSA or ECDSA public keys")
- }
- return keys, nil
-}
-
-// parseRSAPublicKey parses a single RSA public key from the provided data
-func parseRSAPublicKey(data []byte) (*rsa.PublicKey, error) {
- var err error
-
- // Parse the key
- var parsedKey interface{}
- if parsedKey, err = x509.ParsePKIXPublicKey(data); err != nil {
- if cert, err := x509.ParseCertificate(data); err == nil {
- parsedKey = cert.PublicKey
- } else {
- return nil, err
- }
- }
-
- // Test if parsed key is an RSA Public Key
- var pubKey *rsa.PublicKey
- var ok bool
- if pubKey, ok = parsedKey.(*rsa.PublicKey); !ok {
- return nil, fmt.Errorf("data doesn't contain valid RSA Public Key")
- }
-
- return pubKey, nil
-}
-
-// parseRSAPrivateKey parses a single RSA private key from the provided data
-func parseRSAPrivateKey(data []byte) (*rsa.PrivateKey, error) {
- var err error
-
- // Parse the key
- var parsedKey interface{}
- if parsedKey, err = x509.ParsePKCS1PrivateKey(data); err != nil {
- if parsedKey, err = x509.ParsePKCS8PrivateKey(data); err != nil {
- return nil, err
- }
- }
-
- // Test if parsed key is an RSA Private Key
- var privKey *rsa.PrivateKey
- var ok bool
- if privKey, ok = parsedKey.(*rsa.PrivateKey); !ok {
- return nil, fmt.Errorf("data doesn't contain valid RSA Private Key")
- }
-
- return privKey, nil
-}
-
-// parseECPublicKey parses a single ECDSA public key from the provided data
-func parseECPublicKey(data []byte) (*ecdsa.PublicKey, error) {
- var err error
-
- // Parse the key
- var parsedKey interface{}
- if parsedKey, err = x509.ParsePKIXPublicKey(data); err != nil {
- if cert, err := x509.ParseCertificate(data); err == nil {
- parsedKey = cert.PublicKey
- } else {
- return nil, err
- }
- }
-
- // Test if parsed key is an ECDSA Public Key
- var pubKey *ecdsa.PublicKey
- var ok bool
- if pubKey, ok = parsedKey.(*ecdsa.PublicKey); !ok {
- return nil, fmt.Errorf("data doesn't contain valid ECDSA Public Key")
- }
-
- return pubKey, nil
-}
-
-// parseECPrivateKey parses a single ECDSA private key from the provided data
-func parseECPrivateKey(data []byte) (*ecdsa.PrivateKey, error) {
- var err error
-
- // Parse the key
- var parsedKey interface{}
- if parsedKey, err = x509.ParseECPrivateKey(data); err != nil {
- return nil, err
- }
-
- // Test if parsed key is an ECDSA Private Key
- var privKey *ecdsa.PrivateKey
- var ok bool
- if privKey, ok = parsedKey.(*ecdsa.PrivateKey); !ok {
- return nil, fmt.Errorf("data doesn't contain valid ECDSA Private Key")
- }
-
- return privKey, nil
-}