Bumping k8s version to 1.13.0-beta.1

vendor/k8s.io/client-go/util/certificate/certificate_manager.go

@@ -28,7 +28,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
+	"k8s.io/klog"
 
 	certificates "k8s.io/api/certificates/v1beta1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -227,17 +227,17 @@ func (m *manager) Start() {
 	// signing API, so don't start the certificate manager if we don't have a
 	// client.
 	if m.certSigningRequestClient == nil {
-		glog.V(2).Infof("Certificate rotation is not enabled, no connection to the apiserver.")
+		klog.V(2).Infof("Certificate rotation is not enabled, no connection to the apiserver.")
 		return
 	}
 
-	glog.V(2).Infof("Certificate rotation is enabled.")
+	klog.V(2).Infof("Certificate rotation is enabled.")
 
 	templateChanged := make(chan struct{})
 	go wait.Forever(func() {
 		deadline := m.nextRotationDeadline()
 		if sleepInterval := deadline.Sub(time.Now()); sleepInterval > 0 {
-			glog.V(2).Infof("Waiting %v for next certificate rotation", sleepInterval)
+			klog.V(2).Infof("Waiting %v for next certificate rotation", sleepInterval)
 
 			timer := time.NewTimer(sleepInterval)
 			defer timer.Stop()
@@ -250,7 +250,7 @@ func (m *manager) Start() {
 					// if the template now matches what we last requested, restart the rotation deadline loop
 					return
 				}
-				glog.V(2).Infof("Certificate template changed, rotating")
+				klog.V(2).Infof("Certificate template changed, rotating")
 			}
 		}
 
@@ -321,7 +321,7 @@ func getCurrentCertificateOrBootstrap(
 	if _, err := store.Update(bootstrapCertificatePEM, bootstrapKeyPEM); err != nil {
 		utilruntime.HandleError(fmt.Errorf("Unable to set the cert/key pair to the bootstrap certificate: %v", err))
 	} else {
-		glog.V(4).Infof("Updated the store to contain the initial bootstrap certificate")
+		klog.V(4).Infof("Updated the store to contain the initial bootstrap certificate")
 	}
 
 	return &bootstrapCert, true, nil
@@ -333,7 +333,7 @@ func getCurrentCertificateOrBootstrap(
 // This method also keeps track of "server health" by interpreting the responses it gets
 // from the server on the various calls it makes.
 func (m *manager) rotateCerts() (bool, error) {
-	glog.V(2).Infof("Rotating certificates")
+	klog.V(2).Infof("Rotating certificates")
 
 	template, csrPEM, keyPEM, privateKey, err := m.generateCSR()
 	if err != nil {
@@ -403,7 +403,7 @@ func (m *manager) certSatisfiesTemplateLocked() bool {
 
 	if template := m.getTemplate(); template != nil {
 		if template.Subject.CommonName != m.cert.Leaf.Subject.CommonName {
-			glog.V(2).Infof("Current certificate CN (%s) does not match requested CN (%s)", m.cert.Leaf.Subject.CommonName, template.Subject.CommonName)
+			klog.V(2).Infof("Current certificate CN (%s) does not match requested CN (%s)", m.cert.Leaf.Subject.CommonName, template.Subject.CommonName)
 			return false
 		}
 
@@ -411,7 +411,7 @@ func (m *manager) certSatisfiesTemplateLocked() bool {
 		desiredDNSNames := sets.NewString(template.DNSNames...)
 		missingDNSNames := desiredDNSNames.Difference(currentDNSNames)
 		if len(missingDNSNames) > 0 {
-			glog.V(2).Infof("Current certificate is missing requested DNS names %v", missingDNSNames.List())
+			klog.V(2).Infof("Current certificate is missing requested DNS names %v", missingDNSNames.List())
 			return false
 		}
 
@@ -425,7 +425,7 @@ func (m *manager) certSatisfiesTemplateLocked() bool {
 		}
 		missingIPs := desiredIPs.Difference(currentIPs)
 		if len(missingIPs) > 0 {
-			glog.V(2).Infof("Current certificate is missing requested IP addresses %v", missingIPs.List())
+			klog.V(2).Infof("Current certificate is missing requested IP addresses %v", missingIPs.List())
 			return false
 		}
 
@@ -433,7 +433,7 @@ func (m *manager) certSatisfiesTemplateLocked() bool {
 		desiredOrgs := sets.NewString(template.Subject.Organization...)
 		missingOrgs := desiredOrgs.Difference(currentOrgs)
 		if len(missingOrgs) > 0 {
-			glog.V(2).Infof("Current certificate is missing requested orgs %v", missingOrgs.List())
+			klog.V(2).Infof("Current certificate is missing requested orgs %v", missingOrgs.List())
 			return false
 		}
 	}
@@ -468,7 +468,7 @@ func (m *manager) nextRotationDeadline() time.Time {
 	totalDuration := float64(notAfter.Sub(m.cert.Leaf.NotBefore))
 	deadline := m.cert.Leaf.NotBefore.Add(jitteryDuration(totalDuration))
 
-	glog.V(2).Infof("Certificate expiration is %v, rotation deadline is %v", notAfter, deadline)
+	klog.V(2).Infof("Certificate expiration is %v, rotation deadline is %v", notAfter, deadline)
 	if m.certificateExpiration != nil {
 		m.certificateExpiration.Set(float64(notAfter.Unix()))
 	}

vendor/k8s.io/client-go/util/certificate/certificate_store.go

@@ -26,7 +26,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang/glog"
+	"k8s.io/klog"
 )
 
 const (
@@ -127,7 +127,7 @@ func (s *fileStore) Current() (*tls.Certificate, error) {
 	if pairFileExists, err := fileExists(pairFile); err != nil {
 		return nil, err
 	} else if pairFileExists {
-		glog.Infof("Loading cert/key pair from %q.", pairFile)
+		klog.Infof("Loading cert/key pair from %q.", pairFile)
 		return loadFile(pairFile)
 	}
 
@@ -140,7 +140,7 @@ func (s *fileStore) Current() (*tls.Certificate, error) {
 		return nil, err
 	}
 	if certFileExists && keyFileExists {
-		glog.Infof("Loading cert/key pair from (%q, %q).", s.certFile, s.keyFile)
+		klog.Infof("Loading cert/key pair from (%q, %q).", s.certFile, s.keyFile)
 		return loadX509KeyPair(s.certFile, s.keyFile)
 	}
 
@@ -155,7 +155,7 @@ func (s *fileStore) Current() (*tls.Certificate, error) {
 		return nil, err
 	}
 	if certFileExists && keyFileExists {
-		glog.Infof("Loading cert/key pair from (%q, %q).", c, k)
+		klog.Infof("Loading cert/key pair from (%q, %q).", c, k)
 		return loadX509KeyPair(c, k)
 	}
 

vendor/k8s.io/client-go/util/certificate/csr/csr.go

@@ -18,23 +18,19 @@ package csr
 
 import (
 	"crypto"
-	"crypto/sha512"
 	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/base64"
 	"encoding/pem"
 	"fmt"
 	"reflect"
 	"time"
 
-	"github.com/golang/glog"
+	"k8s.io/klog"
 
 	certificates "k8s.io/api/certificates/v1beta1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
@@ -43,41 +39,6 @@ import (
 	certutil "k8s.io/client-go/util/cert"
 )
 
-// RequestNodeCertificate will create a certificate signing request for a node
-// (Organization and CommonName for the CSR will be set as expected for node
-// certificates) and send it to API server, then it will watch the object's
-// status, once approved by API server, it will return the API server's issued
-// certificate (pem-encoded). If there is any errors, or the watch timeouts, it
-// will return an error. This is intended for use on nodes (kubelet and
-// kubeadm).
-func RequestNodeCertificate(client certificatesclient.CertificateSigningRequestInterface, privateKeyData []byte, nodeName types.NodeName) (certData []byte, err error) {
-	subject := &pkix.Name{
-		Organization: []string{"system:nodes"},
-		CommonName:   "system:node:" + string(nodeName),
-	}
-
-	privateKey, err := certutil.ParsePrivateKeyPEM(privateKeyData)
-	if err != nil {
-		return nil, fmt.Errorf("invalid private key for certificate request: %v", err)
-	}
-	csrData, err := certutil.MakeCSR(privateKey, subject, nil, nil)
-	if err != nil {
-		return nil, fmt.Errorf("unable to generate certificate request: %v", err)
-	}
-
-	usages := []certificates.KeyUsage{
-		certificates.UsageDigitalSignature,
-		certificates.UsageKeyEncipherment,
-		certificates.UsageClientAuth,
-	}
-	name := digestedName(privateKeyData, subject, usages)
-	req, err := RequestCertificate(client, csrData, name, usages, privateKey)
-	if err != nil {
-		return nil, err
-	}
-	return WaitForCertificate(client, req, 3600*time.Second)
-}
-
 // RequestCertificate will either use an existing (if this process has run
 // before but not to completion) or create a certificate signing request using the
 // PEM encoded CSR and send it to API server, then it will watch the object's
@@ -104,7 +65,7 @@ func RequestCertificate(client certificatesclient.CertificateSigningRequestInter
 	switch {
 	case err == nil:
 	case errors.IsAlreadyExists(err) && len(name) > 0:
-		glog.Infof("csr for this node already exists, reusing")
+		klog.Infof("csr for this node already exists, reusing")
 		req, err = client.Get(name, metav1.GetOptions{})
 		if err != nil {
 			return nil, formatError("cannot retrieve certificate signing request: %v", err)
@@ -112,7 +73,7 @@ func RequestCertificate(client certificatesclient.CertificateSigningRequestInter
 		if err := ensureCompatible(req, csr, privateKey); err != nil {
 			return nil, fmt.Errorf("retrieved csr is not compatible: %v", err)
 		}
-		glog.Infof("csr for this node is still valid")
+		klog.Infof("csr for this node is still valid")
 	default:
 		return nil, formatError("cannot create certificate signing request: %v", err)
 	}
@@ -168,57 +129,25 @@ func WaitForCertificate(client certificatesclient.CertificateSigningRequestInter
 	return event.Object.(*certificates.CertificateSigningRequest).Status.Certificate, nil
 }
 
-// This digest should include all the relevant pieces of the CSR we care about.
-// We can't direcly hash the serialized CSR because of random padding that we
-// regenerate every loop and we include usages which are not contained in the
-// CSR. This needs to be kept up to date as we add new fields to the node
-// certificates and with ensureCompatible.
-func digestedName(privateKeyData []byte, subject *pkix.Name, usages []certificates.KeyUsage) string {
-	hash := sha512.New512_256()
-
-	// Here we make sure two different inputs can't write the same stream
-	// to the hash. This delimiter is not in the base64.URLEncoding
-	// alphabet so there is no way to have spill over collisions. Without
-	// it 'CN:foo,ORG:bar' hashes to the same value as 'CN:foob,ORG:ar'
-	const delimiter = '|'
-	encode := base64.RawURLEncoding.EncodeToString
-
-	write := func(data []byte) {
-		hash.Write([]byte(encode(data)))
-		hash.Write([]byte{delimiter})
-	}
-
-	write(privateKeyData)
-	write([]byte(subject.CommonName))
-	for _, v := range subject.Organization {
-		write([]byte(v))
-	}
-	for _, v := range usages {
-		write([]byte(v))
-	}
-
-	return "node-csr-" + encode(hash.Sum(nil))
-}
-
 // ensureCompatible ensures that a CSR object is compatible with an original CSR
 func ensureCompatible(new, orig *certificates.CertificateSigningRequest, privateKey interface{}) error {
-	newCsr, err := ParseCSR(new)
+	newCSR, err := parseCSR(new)
 	if err != nil {
 		return fmt.Errorf("unable to parse new csr: %v", err)
 	}
-	origCsr, err := ParseCSR(orig)
+	origCSR, err := parseCSR(orig)
 	if err != nil {
 		return fmt.Errorf("unable to parse original csr: %v", err)
 	}
-	if !reflect.DeepEqual(newCsr.Subject, origCsr.Subject) {
-		return fmt.Errorf("csr subjects differ: new: %#v, orig: %#v", newCsr.Subject, origCsr.Subject)
+	if !reflect.DeepEqual(newCSR.Subject, origCSR.Subject) {
+		return fmt.Errorf("csr subjects differ: new: %#v, orig: %#v", newCSR.Subject, origCSR.Subject)
 	}
 	signer, ok := privateKey.(crypto.Signer)
 	if !ok {
 		return fmt.Errorf("privateKey is not a signer")
 	}
-	newCsr.PublicKey = signer.Public()
-	if err := newCsr.CheckSignature(); err != nil {
+	newCSR.PublicKey = signer.Public()
+	if err := newCSR.CheckSignature(); err != nil {
 		return fmt.Errorf("error validating signature new CSR against old key: %v", err)
 	}
 	if len(new.Status.Certificate) > 0 {
@@ -247,17 +176,12 @@ func formatError(format string, err error) error {
 	return fmt.Errorf(format, err)
 }
 
-// ParseCSR extracts the CSR from the API object and decodes it.
-func ParseCSR(obj *certificates.CertificateSigningRequest) (*x509.CertificateRequest, error) {
+// parseCSR extracts the CSR from the API object and decodes it.
+func parseCSR(obj *certificates.CertificateSigningRequest) (*x509.CertificateRequest, error) {
 	// extract PEM from request object
-	pemBytes := obj.Spec.Request
-	block, _ := pem.Decode(pemBytes)
+	block, _ := pem.Decode(obj.Spec.Request)
 	if block == nil || block.Type != "CERTIFICATE REQUEST" {
 		return nil, fmt.Errorf("PEM block type must be CERTIFICATE REQUEST")
 	}
-	csr, err := x509.ParseCertificateRequest(block.Bytes)
-	if err != nil {
-		return nil, err
-	}
-	return csr, nil
+	return x509.ParseCertificateRequest(block.Bytes)
 }

vendor/k8s.io/client-go/util/certificate/csr/csr_test.go

@@ -1,135 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package csr
-
-import (
-	"fmt"
-	"testing"
-
-	certificates "k8s.io/api/certificates/v1beta1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	watch "k8s.io/apimachinery/pkg/watch"
-	certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
-	certutil "k8s.io/client-go/util/cert"
-)
-
-func TestRequestNodeCertificateNoKeyData(t *testing.T) {
-	certData, err := RequestNodeCertificate(&fakeClient{}, []byte{}, "fake-node-name")
-	if err == nil {
-		t.Errorf("Got no error, wanted error an error because there was an empty private key passed in.")
-	}
-	if certData != nil {
-		t.Errorf("Got cert data, wanted nothing as there should have been an error.")
-	}
-}
-
-func TestRequestNodeCertificateErrorCreatingCSR(t *testing.T) {
-	client := &fakeClient{
-		failureType: createError,
-	}
-	privateKeyData, err := certutil.MakeEllipticPrivateKeyPEM()
-	if err != nil {
-		t.Fatalf("Unable to generate a new private key: %v", err)
-	}
-
-	certData, err := RequestNodeCertificate(client, privateKeyData, "fake-node-name")
-	if err == nil {
-		t.Errorf("Got no error, wanted error an error because client.Create failed.")
-	}
-	if certData != nil {
-		t.Errorf("Got cert data, wanted nothing as there should have been an error.")
-	}
-}
-
-func TestRequestNodeCertificate(t *testing.T) {
-	privateKeyData, err := certutil.MakeEllipticPrivateKeyPEM()
-	if err != nil {
-		t.Fatalf("Unable to generate a new private key: %v", err)
-	}
-
-	certData, err := RequestNodeCertificate(&fakeClient{}, privateKeyData, "fake-node-name")
-	if err != nil {
-		t.Errorf("Got %v, wanted no error.", err)
-	}
-	if certData == nil {
-		t.Errorf("Got nothing, expected a CSR.")
-	}
-}
-
-type FailureType int
-
-const (
-	noError FailureType = iota
-	createError
-	certificateSigningRequestDenied
-)
-
-type fakeClient struct {
-	certificatesclient.CertificateSigningRequestInterface
-	watch       *watch.FakeWatcher
-	failureType FailureType
-}
-
-func (c *fakeClient) Create(*certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error) {
-	if c.failureType == createError {
-		return nil, fmt.Errorf("fakeClient failed creating request")
-	}
-	csr := certificates.CertificateSigningRequest{
-		ObjectMeta: metav1.ObjectMeta{
-			UID:  "fake-uid",
-			Name: "fake-certificate-signing-request-name",
-		},
-	}
-	return &csr, nil
-}
-
-func (c *fakeClient) List(opts metav1.ListOptions) (*certificates.CertificateSigningRequestList, error) {
-	return &certificates.CertificateSigningRequestList{}, nil
-}
-
-func (c *fakeClient) Watch(opts metav1.ListOptions) (watch.Interface, error) {
-	c.watch = watch.NewFakeWithChanSize(1, false)
-	c.watch.Add(c.generateCSR())
-	c.watch.Stop()
-	return c.watch, nil
-}
-
-func (c *fakeClient) generateCSR() *certificates.CertificateSigningRequest {
-	var condition certificates.CertificateSigningRequestCondition
-	if c.failureType == certificateSigningRequestDenied {
-		condition = certificates.CertificateSigningRequestCondition{
-			Type: certificates.CertificateDenied,
-		}
-	} else {
-		condition = certificates.CertificateSigningRequestCondition{
-			Type: certificates.CertificateApproved,
-		}
-	}
-
-	csr := certificates.CertificateSigningRequest{
-		ObjectMeta: metav1.ObjectMeta{
-			UID: "fake-uid",
-		},
-		Status: certificates.CertificateSigningRequestStatus{
-			Conditions: []certificates.CertificateSigningRequestCondition{
-				condition,
-			},
-			Certificate: []byte{},
-		},
-	}
-	return &csr
-}