Update vendor files to point to kubernetes-1.12.0-beta.1

vendor/k8s.io/client-go/util/cert/cert.go

@@ -20,6 +20,7 @@ import (
 	"bytes"
 	"crypto/ecdsa"
 	"crypto/elliptic"
+	"crypto/rand"
 	cryptorand "crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
@@ -27,9 +28,12 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"math"
 	"math/big"
 	"net"
+	"path"
+	"strings"
 	"time"
 )
 
@@ -84,7 +88,7 @@ func NewSelfSignedCACert(cfg Config, key *rsa.PrivateKey) (*x509.Certificate, er
 
 // NewSignedCert creates a signed certificate using the given CA certificate and key
 func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
-	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
 	if err != nil {
 		return nil, err
 	}
@@ -136,8 +140,38 @@ func MakeEllipticPrivateKeyPEM() ([]byte, error) {
 
 // GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host.
 // Host may be an IP or a DNS name
-// You may also specify additional subject alt names (either ip or dns names) for the certificate
+// You may also specify additional subject alt names (either ip or dns names) for the certificate.
 func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) {
+	return GenerateSelfSignedCertKeyWithFixtures(host, alternateIPs, alternateDNS, "")
+}
+
+// GenerateSelfSignedCertKeyWithFixtures creates a self-signed certificate and key for the given host.
+// Host may be an IP or a DNS name. You may also specify additional subject alt names (either ip or dns names)
+// for the certificate.
+//
+// If fixtureDirectory is non-empty, it is a directory path which can contain pre-generated certs. The format is:
+// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
+// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
+// Certs/keys not existing in that directory are created.
+func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error) {
+	validFrom := time.Now().Add(-time.Hour) // valid an hour earlier to avoid flakes due to clock skew
+	maxAge := time.Hour * 24 * 365          // one year self-signed certs
+
+	baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-"))
+	certFixturePath := path.Join(fixtureDirectory, baseName+".crt")
+	keyFixturePath := path.Join(fixtureDirectory, baseName+".key")
+	if len(fixtureDirectory) > 0 {
+		cert, err := ioutil.ReadFile(certFixturePath)
+		if err == nil {
+			key, err := ioutil.ReadFile(keyFixturePath)
+			if err == nil {
+				return cert, key, nil
+			}
+			return nil, nil, fmt.Errorf("cert %s can be read, but key %s cannot: %v", certFixturePath, keyFixturePath, err)
+		}
+		maxAge = 100 * time.Hour * 24 * 365 // 100 years fixtures
+	}
+
 	caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048)
 	if err != nil {
 		return nil, nil, err
@@ -148,8 +182,8 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
 		Subject: pkix.Name{
 			CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()),
 		},
-		NotBefore: time.Now(),
-		NotAfter:  time.Now().Add(time.Hour * 24 * 365),
+		NotBefore: validFrom,
+		NotAfter:  validFrom.Add(maxAge),
 
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
@@ -176,8 +210,8 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
 		Subject: pkix.Name{
 			CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
 		},
-		NotBefore: time.Now(),
-		NotAfter:  time.Now().Add(time.Hour * 24 * 365),
+		NotBefore: validFrom,
+		NotAfter:  validFrom.Add(maxAge),
 
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
@@ -213,6 +247,15 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
 		return nil, nil, err
 	}
 
+	if len(fixtureDirectory) > 0 {
+		if err := ioutil.WriteFile(certFixturePath, certBuffer.Bytes(), 0644); err != nil {
+			return nil, nil, fmt.Errorf("failed to write cert fixture to %s: %v", certFixturePath, err)
+		}
+		if err := ioutil.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0644); err != nil {
+			return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", certFixturePath, err)
+		}
+	}
+
 	return certBuffer.Bytes(), keyBuffer.Bytes(), nil
 }
 
@@ -243,3 +286,11 @@ func FormatCert(c *x509.Certificate) string {
 	}
 	return res
 }
+
+func ipsToStrings(ips []net.IP) []string {
+	ss := make([]string, 0, len(ips))
+	for _, ip := range ips {
+		ss = append(ss, ip.String())
+	}
+	return ss
+}

vendor/k8s.io/client-go/util/certificate/certificate_manager.go

@@ -24,6 +24,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
+	"reflect"
 	"sync"
 	"time"
 
@@ -32,6 +33,7 @@ import (
 	certificates "k8s.io/api/certificates/v1beta1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
 	"k8s.io/client-go/util/cert"
@@ -75,6 +77,13 @@ type Config struct {
 	// part of rotation. It follows the same rules as the template parameter of
 	// crypto.x509.CreateCertificateRequest in the Go standard libraries.
 	Template *x509.CertificateRequest
+	// GetTemplate returns the CertificateRequest that will be used as a template for
+	// generating certificate signing requests for all new keys generated as
+	// part of rotation. It follows the same rules as the template parameter of
+	// crypto.x509.CreateCertificateRequest in the Go standard libraries.
+	// If no template is available, nil may be returned, and no certificate will be requested.
+	// If specified, takes precedence over Template.
+	GetTemplate func() *x509.CertificateRequest
 	// Usages is the types of usages that certificates generated by the manager
 	// can be used for.
 	Usages []certificates.KeyUsage
@@ -136,7 +145,10 @@ func (e *NoCertKeyError) Error() string { return string(*e) }
 
 type manager struct {
 	certSigningRequestClient certificatesclient.CertificateSigningRequestInterface
-	template                 *x509.CertificateRequest
+	getTemplate              func() *x509.CertificateRequest
+	lastRequestLock          sync.Mutex
+	lastRequest              *x509.CertificateRequest
+	dynamicTemplate          bool
 	usages                   []certificates.KeyUsage
 	certStore                Store
 	certAccessLock           sync.RWMutex
@@ -158,9 +170,15 @@ func NewManager(config *Config) (Manager, error) {
 		return nil, err
 	}
 
+	getTemplate := config.GetTemplate
+	if getTemplate == nil {
+		getTemplate = func() *x509.CertificateRequest { return config.Template }
+	}
+
 	m := manager{
 		certSigningRequestClient: config.CertificateSigningRequestClient,
-		template:                 config.Template,
+		getTemplate:              getTemplate,
+		dynamicTemplate:          config.GetTemplate != nil,
 		usages:                   config.Usages,
 		certStore:                config.CertificateStore,
 		cert:                     cert,
@@ -215,12 +233,32 @@ func (m *manager) Start() {
 
 	glog.V(2).Infof("Certificate rotation is enabled.")
 
+	templateChanged := make(chan struct{})
 	go wait.Forever(func() {
 		deadline := m.nextRotationDeadline()
 		if sleepInterval := deadline.Sub(time.Now()); sleepInterval > 0 {
 			glog.V(2).Infof("Waiting %v for next certificate rotation", sleepInterval)
-			time.Sleep(sleepInterval)
+
+			timer := time.NewTimer(sleepInterval)
+			defer timer.Stop()
+
+			select {
+			case <-timer.C:
+				// unblock when deadline expires
+			case <-templateChanged:
+				if reflect.DeepEqual(m.getLastRequest(), m.getTemplate()) {
+					// if the template now matches what we last requested, restart the rotation deadline loop
+					return
+				}
+				glog.V(2).Infof("Certificate template changed, rotating")
+			}
 		}
+
+		// Don't enter rotateCerts and trigger backoff if we don't even have a template to request yet
+		if m.getTemplate() == nil {
+			return
+		}
+
 		backoff := wait.Backoff{
 			Duration: 2 * time.Second,
 			Factor:   2,
@@ -231,7 +269,18 @@ func (m *manager) Start() {
 			utilruntime.HandleError(fmt.Errorf("Reached backoff limit, still unable to rotate certs: %v", err))
 			wait.PollInfinite(32*time.Second, m.rotateCerts)
 		}
-	}, 0)
+	}, time.Second)
+
+	if m.dynamicTemplate {
+		go wait.Forever(func() {
+			// check if the current template matches what we last requested
+			if !reflect.DeepEqual(m.getLastRequest(), m.getTemplate()) {
+				// if the template is different, queue up an interrupt of the rotation deadline loop.
+				// if we've requested a CSR that matches the new template by the time the interrupt is handled, the interrupt is disregarded.
+				templateChanged <- struct{}{}
+			}
+		}, time.Second)
+	}
 }
 
 func getCurrentCertificateOrBootstrap(
@@ -286,7 +335,7 @@ func getCurrentCertificateOrBootstrap(
 func (m *manager) rotateCerts() (bool, error) {
 	glog.V(2).Infof("Rotating certificates")
 
-	csrPEM, keyPEM, privateKey, err := m.generateCSR()
+	template, csrPEM, keyPEM, privateKey, err := m.generateCSR()
 	if err != nil {
 		utilruntime.HandleError(fmt.Errorf("Unable to generate a certificate signing request: %v", err))
 		return false, nil
@@ -300,6 +349,9 @@ func (m *manager) rotateCerts() (bool, error) {
 		return false, m.updateServerError(err)
 	}
 
+	// Once we've successfully submitted a CSR for this template, record that we did so
+	m.setLastRequest(template)
+
 	// Wait for the certificate to be signed. Instead of one long watch, we retry with slightly longer
 	// intervals each time in order to tolerate failures from the server AND to preserve the liveliness
 	// of the cert manager loop. This creates slightly more traffic against the API server in return
@@ -353,6 +405,36 @@ func (m *manager) nextRotationDeadline() time.Time {
 		return time.Now()
 	}
 
+	// Ensure the currently held certificate satisfies the requested subject CN and SANs
+	if template := m.getTemplate(); template != nil {
+		if template.Subject.CommonName != m.cert.Leaf.Subject.CommonName {
+			glog.V(2).Infof("Current certificate CN (%s) does not match requested CN (%s), rotating now", m.cert.Leaf.Subject.CommonName, template.Subject.CommonName)
+			return time.Now()
+		}
+
+		currentDNSNames := sets.NewString(m.cert.Leaf.DNSNames...)
+		desiredDNSNames := sets.NewString(template.DNSNames...)
+		missingDNSNames := desiredDNSNames.Difference(currentDNSNames)
+		if len(missingDNSNames) > 0 {
+			glog.V(2).Infof("Current certificate is missing requested DNS names %v, rotating now", missingDNSNames.List())
+			return time.Now()
+		}
+
+		currentIPs := sets.NewString()
+		for _, ip := range m.cert.Leaf.IPAddresses {
+			currentIPs.Insert(ip.String())
+		}
+		desiredIPs := sets.NewString()
+		for _, ip := range template.IPAddresses {
+			desiredIPs.Insert(ip.String())
+		}
+		missingIPs := desiredIPs.Difference(currentIPs)
+		if len(missingIPs) > 0 {
+			glog.V(2).Infof("Current certificate is missing requested IP addresses %v, rotating now", missingIPs.List())
+			return time.Now()
+		}
+	}
+
 	notAfter := m.cert.Leaf.NotAfter
 	totalDuration := float64(notAfter.Sub(m.cert.Leaf.NotBefore))
 	deadline := m.cert.Leaf.NotBefore.Add(jitteryDuration(totalDuration))
@@ -408,22 +490,38 @@ func (m *manager) updateServerError(err error) error {
 	return nil
 }
 
-func (m *manager) generateCSR() (csrPEM []byte, keyPEM []byte, key interface{}, err error) {
+func (m *manager) generateCSR() (template *x509.CertificateRequest, csrPEM []byte, keyPEM []byte, key interface{}, err error) {
 	// Generate a new private key.
 	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
 	if err != nil {
-		return nil, nil, nil, fmt.Errorf("unable to generate a new private key: %v", err)
+		return nil, nil, nil, nil, fmt.Errorf("unable to generate a new private key: %v", err)
 	}
 	der, err := x509.MarshalECPrivateKey(privateKey)
 	if err != nil {
-		return nil, nil, nil, fmt.Errorf("unable to marshal the new key to DER: %v", err)
+		return nil, nil, nil, nil, fmt.Errorf("unable to marshal the new key to DER: %v", err)
 	}
 
 	keyPEM = pem.EncodeToMemory(&pem.Block{Type: cert.ECPrivateKeyBlockType, Bytes: der})
 
-	csrPEM, err = cert.MakeCSRFromTemplate(privateKey, m.template)
-	if err != nil {
-		return nil, nil, nil, fmt.Errorf("unable to create a csr from the private key: %v", err)
+	template = m.getTemplate()
+	if template == nil {
+		return nil, nil, nil, nil, fmt.Errorf("unable to create a csr, no template available")
 	}
-	return csrPEM, keyPEM, privateKey, nil
+	csrPEM, err = cert.MakeCSRFromTemplate(privateKey, template)
+	if err != nil {
+		return nil, nil, nil, nil, fmt.Errorf("unable to create a csr from the private key: %v", err)
+	}
+	return template, csrPEM, keyPEM, privateKey, nil
+}
+
+func (m *manager) getLastRequest() *x509.CertificateRequest {
+	m.lastRequestLock.Lock()
+	defer m.lastRequestLock.Unlock()
+	return m.lastRequest
+}
+
+func (m *manager) setLastRequest(r *x509.CertificateRequest) {
+	m.lastRequestLock.Lock()
+	defer m.lastRequestLock.Unlock()
+	m.lastRequest = r
 }

vendor/k8s.io/client-go/util/certificate/certificate_manager_test.go

@@ -186,7 +186,7 @@ func TestSetRotationDeadline(t *testing.T) {
 						NotAfter:  tc.notAfter,
 					},
 				},
-				template:              &x509.CertificateRequest{},
+				getTemplate:           func() *x509.CertificateRequest { return &x509.CertificateRequest{} },
 				usages:                []certificates.KeyUsage{},
 				certificateExpiration: &g,
 			}
@@ -221,8 +221,8 @@ func TestRotateCertCreateCSRError(t *testing.T) {
 				NotAfter:  now.Add(-1 * time.Hour),
 			},
 		},
-		template: &x509.CertificateRequest{},
-		usages:   []certificates.KeyUsage{},
+		getTemplate: func() *x509.CertificateRequest { return &x509.CertificateRequest{} },
+		usages:      []certificates.KeyUsage{},
 		certSigningRequestClient: fakeClient{
 			failureType: createError,
 		},
@@ -244,8 +244,8 @@ func TestRotateCertWaitingForResultError(t *testing.T) {
 				NotAfter:  now.Add(-1 * time.Hour),
 			},
 		},
-		template: &x509.CertificateRequest{},
-		usages:   []certificates.KeyUsage{},
+		getTemplate: func() *x509.CertificateRequest { return &x509.CertificateRequest{} },
+		usages:      []certificates.KeyUsage{},
 		certSigningRequestClient: fakeClient{
 			failureType: watchError,
 		},

vendor/k8s.io/client-go/util/certificate/csr/csr.go

@@ -24,10 +24,11 @@ import (
 	"encoding/base64"
 	"encoding/pem"
 	"fmt"
-	"github.com/golang/glog"
 	"reflect"
 	"time"
 
+	"github.com/golang/glog"
+
 	certificates "k8s.io/api/certificates/v1beta1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -38,6 +39,7 @@ import (
 	"k8s.io/apimachinery/pkg/watch"
 	certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
 	"k8s.io/client-go/tools/cache"
+	watchtools "k8s.io/client-go/tools/watch"
 	certutil "k8s.io/client-go/util/cert"
 )
 
@@ -121,7 +123,7 @@ func RequestCertificate(client certificatesclient.CertificateSigningRequestInter
 func WaitForCertificate(client certificatesclient.CertificateSigningRequestInterface, req *certificates.CertificateSigningRequest, timeout time.Duration) (certData []byte, err error) {
 	fieldSelector := fields.OneTermEqualSelector("metadata.name", req.Name).String()
 
-	event, err := cache.ListWatchUntil(
+	event, err := watchtools.ListWatchUntil(
 		timeout,
 		&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {

vendor/k8s.io/client-go/util/flowcontrol/backoff_test.go

@@ -75,7 +75,7 @@ func TestBackoffReset(t *testing.T) {
 	}
 }
 
-func TestBackoffHightWaterMark(t *testing.T) {
+func TestBackoffHighWaterMark(t *testing.T) {
 	id := "_idHiWaterMark"
 	tc := clock.NewFakeClock(time.Now())
 	step := time.Second

vendor/k8s.io/client-go/util/jsonpath/node.go

@@ -80,7 +80,7 @@ func (l *ListNode) append(n Node) {
 }
 
 func (l *ListNode) String() string {
-	return fmt.Sprintf("%s", l.Type())
+	return l.Type().String()
 }
 
 // TextNode holds plain text.
@@ -210,7 +210,7 @@ func newWildcard() *WildcardNode {
 }
 
 func (i *WildcardNode) String() string {
-	return fmt.Sprintf("%s", i.Type())
+	return i.Type().String()
 }
 
 // RecursiveNode means a recursive descent operator
@@ -223,7 +223,7 @@ func newRecursive() *RecursiveNode {
 }
 
 func (r *RecursiveNode) String() string {
-	return fmt.Sprintf("%s", r.Type())
+	return r.Type().String()
 }
 
 // UnionNode is union of ListNode
@@ -237,7 +237,7 @@ func newUnion(nodes []*ListNode) *UnionNode {
 }
 
 func (u *UnionNode) String() string {
-	return fmt.Sprintf("%s", u.Type())
+	return u.Type().String()
 }
 
 // BoolNode holds bool value

vendor/k8s.io/client-go/util/jsonpath/parser.go

@@ -94,7 +94,7 @@ func (p *Parser) consumeText() string {
 
 // next returns the next rune in the input.
 func (p *Parser) next() rune {
-	if int(p.pos) >= len(p.input) {
+	if p.pos >= len(p.input) {
 		p.width = 0
 		return eof
 	}
@@ -266,7 +266,7 @@ Loop:
 		}
 	}
 	text := p.consumeText()
-	text = string(text[1 : len(text)-1])
+	text = text[1 : len(text)-1]
 	if text == "*" {
 		text = ":"
 	}
@@ -373,7 +373,7 @@ Loop:
 	}
 	reg := regexp.MustCompile(`^([^!<>=]+)([!<>=]+)(.+?)$`)
 	text := p.consumeText()
-	text = string(text[:len(text)-2])
+	text = text[:len(text)-2]
 	value := reg.FindStringSubmatch(text)
 	if value == nil {
 		parser, err := parseAction("text", text)

vendor/k8s.io/client-go/util/workqueue/parallelizer.go

@@ -17,6 +17,7 @@ limitations under the License.
 package workqueue
 
 import (
+	"context"
 	"sync"
 
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -24,9 +25,20 @@ import (
 
 type DoWorkPieceFunc func(piece int)
 
-// Parallelize is a very simple framework that allow for parallelizing
+// Parallelize is a very simple framework that allows for parallelizing
 // N independent pieces of work.
 func Parallelize(workers, pieces int, doWorkPiece DoWorkPieceFunc) {
+	ParallelizeUntil(nil, workers, pieces, doWorkPiece)
+}
+
+// ParallelizeUntil is a framework that allows for parallelizing N
+// independent pieces of work until done or the context is canceled.
+func ParallelizeUntil(ctx context.Context, workers, pieces int, doWorkPiece DoWorkPieceFunc) {
+	var stop <-chan struct{}
+	if ctx != nil {
+		stop = ctx.Done()
+	}
+
 	toProcess := make(chan int, pieces)
 	for i := 0; i < pieces; i++ {
 		toProcess <- i
@@ -44,7 +56,12 @@ func Parallelize(workers, pieces int, doWorkPiece DoWorkPieceFunc) {
 			defer utilruntime.HandleCrash()
 			defer wg.Done()
 			for piece := range toProcess {
-				doWorkPiece(piece)
+				select {
+				case <-stop:
+					return
+				default:
+					doWorkPiece(piece)
+				}
 			}
 		}()
 	}