This change updates NewPrefixTransformers to not short-circuit on
the first transformer that has a matching prefix. If the same type
of encryption ProviderConfiguration is used more than once, they
will share the same prefix. A failure in the first one should not
prevent a later match from being attempted.
Added TestCBCKeyRotationWithOverlappingProviders unit test to
prevent regressions. Note that this test explicitly exercises this
flow using an EncryptionConfiguration object as the structure of the
resulting transformer is an important part of the check.
Signed-off-by: Monis Khan <mkhan@redhat.com>
Kubernetes-commit: 4dc16f29a7285a4bcaff1915728953d8a55e1b6e
If konnectivity service is enabled, the etcd client will now use it.
This did require moving a few methods to break circular dependencies.
Factored in feedback from lavalamp and wenjiaswe.
Kubernetes-commit: edbb0fa2fe2084d5d9ce0cf9dc0d1b2d820bb392
go fmt
make func private
refactor config_test
Two primary refactorings:
1. config test checkPath method is now each a distinct test
run (which makes it easier to see what is actually failing)
2. TestNewWithDelegate's root path check now parses the json output and
does a comparison against a list of expected paths (no more whitespace
and ordering issues when updating this test, yay).
go fmt
modify and simplify existing integration test for readyz/livez
simplify integration test
set default rbac policy rules for livez
rename a few functions and the entrypoint command line argument (and etcetera)
simplify interface for installing readyz and livez and make auto-register completion a bootstrapped check
untangle some of the nested functions, restructure the code
Kubernetes-commit: aa1b2d6d35c92a31be17357fc66cfc1eca8a67e0
Got the proxy-server coming up in the master.
Added certs and have it comiung up with those certs.
Added a daemonset to run the network-agent.
Adding support for agent running as a sameon set on every node.
Added quick hack to test that proxy server/agent were correctly
tunneling traffic to the kubelet.
Added more WIP for reading network proxy configuration.
Get flags set correctly and fix connection services.
Adding missing ApplyTo
Added ConnectivityService.
Fixed build directives. Added connectivity service configuration.
Fixed log levels.
Fixed minor issues for feature turned off.
Fixed boilerplate and format.
Moved log dialer initialization earlier as per Liggits suggestion.
Fixed a few minor issues in the configuration for GCE.
Fixed scheme allocation
Adding unit test.
Added test for direct connectivity service.
Switching to injecting the Lookup method rather than using a Singleton.
First round of mikedaneses feedback.
Fixed deployment to use yaml and other changes suggested by MikeDanese.
Switched network proxy server/agent which are kebab-case not camelCase.
Picked up DIAL_RSP fix.
Factored in deads2k feedback.
Feedback from mikedanese
Factored in second round of feedback from David.
Fix path in verify.
Factored in anfernee's feedback.
First part of lavalamps feedback.
Factored in more changes from lavalamp and mikedanese.
Renamed network-proxy to konnectivity-server and konnectivity-agent.
Fixed tolerations and config file checking.
Added missing strptr
Finished lavalamps requested rename.
Disambiguating konnectivity service by renaming it egress selector.
Switched feature flag to KUBE_ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE
Kubernetes-commit: ebb65c5f4c51340f42c260cf00bde8629ed68d74
The previous HTTP compression implementation functioned as a filter, which
required it to deal with a number of special cases that complicated the
implementation.
Instead, when we write an API object to a response, handle only that one
case. This will allow a more limited implementation that does not impact
other code flows.
Also, to prevent excessive CPU use on small objects, compression is
disabled on responses smaller than 128Kb in size.
Kubernetes-commit: 4ed2b9875d0498b5c577095075bda341e96fcec2
There was a typo, the test was there but the return was not.
Added test that exposes the difference.
Kubernetes-commit: 7056e216addc7203f24c37a95c5c14ad194dddca
add startup sequence duration and readyz endpoint
add rbac bootstrapping policy for readyz
add integration test around grace period and readyz
rename startup sequence duration flag
copy health checks to fields
rename health-check installed boolean, refactor clock injection logic
cleanup clock injection code
remove todo about poststarthook url registration from healthz
Kubernetes-commit: 54dcf5c9c46fc4782d4861936309349b5a71a1ac
* fix duplicated imports of api/core/v1
* fix duplicated imports of client-go/kubernetes
* fix duplicated imports of rest code
* change import name to more reasonable
Kubernetes-commit: 5268f69405251a4a74130fa903e055a59071179a
firstly, split into two tests: TestLoopbackHostPortIPv4 and TestLoopbackHostPortIPv6.
then improve error handling, going to fail with explicit error message when run host
that does not support ipv6 or ipv4
Kubernetes-commit: 6b73b5031c463437064b1593d00a60107d09dd99
There was no reason to have two types and this avoids ~10% of allocations
on the GET code path.
```
BenchmarkGet-12 100000 109045 ns/op 17608 B/op 146 allocs/op
BenchmarkGet-12 100000 108850 ns/op 15942 B/op 132 allocs/op
```
Kubernetes-commit: 0489d0b1cf139253b82f73b072578073bc5616d6
This package contains public/private key utilities copied directly from
client-go/util/cert. All imports were updated.
Future PRs will actually refactor the libraries.
Updates #71004
Kubernetes-commit: 18458392ca24c85c688e655aace1afd04f864cbd
- Fixes https://github.com/kubernetes/kubernetes/issues/72900
The issue here originally is that os.Exit() is called which exits
the process too early (before svc.Execute updates the status to stopped).
This is picked up as service error and leads to restarting,
if restart-on-fail is configured for the windows service.
svc.Execute already guarantees that the application is exited after,
so that os.Exit call would be unnecessary.
This rework also adds graceful shutdown, which also resolves the
underlying root cause. The graceful shutdown is not guaranteed
to succeed, since the service controller can decide to kill
the service any time after exceeding a shutdown timeout.
Kubernetes-commit: f243c8877978cf3d328c536b36cdf0ef5ca08a37
Though the flags are deprecated, the deprecation process revealed that
the flag is important for health checks in more secure environments.
Add a link to #43784 to help developers understand why the flags have
not yet been removed.
Issue #43784
Issue #74172
Issue #59018
Kubernetes-commit: 7dbbab0476b35b74f600f62b6751212ed3afe574
Moved all flag code from `staging/src/k8s.io/apiserver/pkg/util/[flag|globalflag]` to `component-base/cli/[flag|globalflag]` except for the term function because of unwanted dependencies.
Kubernetes-commit: 7744f908306e5131be5a94815ac76a7cba6454f2
is either decided by the schema's version priority, or by the per
resource override.
This fixes a bug where the "batch" group is encoded in v1beta1, which
was hidden when --storage-versions is a valid flag.
Kubernetes-commit: 98a1003f57988ccc361af7aee5d0ae49de66dbb4
Our default recommendation as well as our CI default is 4, so we should
be able to see the health check errors at the same level 4 itself.
Change-Id: I388f945d3522d1f63f0a85f35e765c2d4f2c548a
Kubernetes-commit: 3d6b3857b29b9c738f258344781ce4a9b40b9a0b
Does not help with the bug investigation. the http server is designed to
panic when the http status code is `0`.
This reverts commit 72792d59f46f822cf360e797d886e582a6a2dc60.
Kubernetes-commit: 85ae15621af1d71caf5d0bac2299d17ec1020664
When we spit out a http reponse with a `0` http status code we
should log a trace back so we can easily find where things went wrong.
Change-Id: Ic2aadec3a3de85fbdf64da66d6d12e3c631f409d
Kubernetes-commit: 72792d59f46f822cf360e797d886e582a6a2dc60
Noted that group must be omitted for resources of apiVersion v1 (the
legacy core API) and included for others.
Fixes#65393
Kubernetes-commit: fc20359fed5e3d0e89a60653b9b0d638d4d757d8
This change renames the '--experimental-encryption-provider-config'
flag to '--encryption-provider-config'. The old flag is accepted but
generates a warning.
In 1.14, we will drop support for '--experimental-encryption-provider-config'
entirely.
Co-authored-by: Stanislav Laznicka <slaznick@redhat.com>
Kubernetes-commit: 21c1bb883081b13244002271bccc9cf119d4db4f
This reverts commit 54ee58b2d613c636f972312ca80357563292b57d, reversing
changes made to 9e2820e4c9541a7718e9d5b7a0ee62429552023a.
Kubernetes-commit: 8799eb4e2e12e5d144871a35c6288b8433a74c9b
efficiently without checking conflicts, and wire up CRD discovery
controller to serve OpenAPI spec.
Kubernetes-commit: 3222a7033cf9128b76c0677887f4e383821d0475
- Move from the old github.com/golang/glog to k8s.io/klog
- klog as explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
* github.com/kubernetes/repo-infra
* k8s.io/gengo/
* k8s.io/kube-openapi/
* github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods
Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
Kubernetes-commit: 954996e231074dc7429f7be1256a579bedd8344c
kubernetes/kubernetes#67768 accidentally removed population of the the ClientCA
in the delegating auth setup code. This restores it.
Kubernetes-commit: 65cea86e4413cb5899c3b89bda375bb326de5093
This is the old behaviour and we did not intent to change it due to enabled authn/z in general.
As the kube-apiserver this sets the "system:unsecured" user info.
Kubernetes-commit: 8aa0eefce8fbd801a38da46c8704f2d74996e5cd
David Eads