- Run hack/update-codegen.sh
- Run hack/update-generated-device-plugin.sh
- Run hack/update-generated-protobuf.sh
- Run hack/update-generated-runtime.sh
- Run hack/update-generated-swagger-docs.sh
- Run hack/update-openapi-spec.sh
- Run hack/update-gofmt.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: a9593d634c6a053848413e600dadbf974627515f
This change updates the generic webhook logic to use a rest.Config
as its input instead of a kubeconfig file. This exposes all of the
rest.Config knobs to the caller instead of the more limited set
available through the kubeconfig format. This is useful when this
code is being used as a library outside of core Kubernetes. For
example, a downstream consumer may want to override the webhook's
internals such as its TLS configuration.
Signed-off-by: Monis Khan <mok@vmware.com>
Kubernetes-commit: fef7d0ef1e1fbff65e8d445256036704bb9dbcbd
This change allows the http.Client used by the OIDC authenticator to
be overridden. This is useful when this code is being used as a
library outside of core Kubernetes. For example, a downstream
consumer may want to override the http.Client's internals such as
its TLS configuration.
Signed-off-by: Monis Khan <mok@vmware.com>
Kubernetes-commit: 11974cd18a685ea2f5ee25030a10787700dc8464
it turns out that setting a timeout on HTTP client affect watch requests made by the delegated authentication component.
with a 10 second timeout watch requests are being re-established exactly after 10 seconds even though the default request timeout for them is ~5 minutes.
this is because if multiple timeouts were set, the stdlib picks the smaller timeout to be applied, leaving other useless.
for more details see a937729c2c/src/net/http/client.go (L364)
instead of setting a timeout on the HTTP client we should use context for cancellation.
Kubernetes-commit: d690d71d27c78f2f7981b286f5b584455ff30246
This change updates the oidc authenticator to allow specifying an
oidc.KeySet as an input option. This makes it possible to
synchronously initialize the KeySet instead of relying on the
asynchronous initialization that is normally done to support
self-hosted providers. This makes it easier to use this code as a
library.
Signed-off-by: Monis Khan <mok@vmware.com>
Kubernetes-commit: b5a1a45d48b4e90e54f512fc829b2ab9866b282e
This change updates the OIDC authenticator code to use a subset of
the dynamiccertificates.CAContentProvider interface to provide the
root CA bytes. This removes the hard dependency on a file based CA
and makes it easier to use this code as a library.
Signed-off-by: Monis Khan <mok@vmware.com>
Kubernetes-commit: 5dd4c89df38d4a5389c0cbf2c7fe4f6a5d5534ce
webhook.WithExponentialBackoff returns an error, and the priority is:
- A: if the last invocation of the webhook function returned an error
that error should be returned, otherwise
- B: the error associated with the context if it has been canceled or
it has expired, or the ErrWaitTimeout returned by the wait package
once all retries have been exhausted.
caller should check the error returned by webhook.WithExponentialBackoff
to handle both A and B. Currently, we only handle A.
Kubernetes-commit: ae2b353fbf519b29d168c534f88c373fd67a1c31
This change updates the OIDC authenticator to not wait 10 seconds
before attempting to fetch the /.well-known/openid-configuration
metadata from the OIDC issuer. In most situations this results in
the API server being able to verify ID tokens sooner.
Signed-off-by: Monis Khan <mok@vmware.com>
Kubernetes-commit: be99f37a6861f885c263a447656b9470ba4f720f
Currently webhook retry backoff parameters are hard coded, we want
to have the ability to configure the backoff parameters for webhook
retry logic.
Kubernetes-commit: 53a1307f68ccf6c9ffd252eeea2b333e818c1103
Monis Khan
Jordan Liggitt
Anish Ramasekar
Rita Zhang
HirazawaUi
Tim Hockin
Shiming Zhang
David Ashpole
iutx
Davanum Srinivas
Tim Allclair
carlory
tanjing2020
Lukasz Szaszkiewicz
xiaofei.sun
Abu Kashem
ruiwen-zhao
David Eads