diff --git a/api/v1alpha1/clusterissuer_types.go b/api/v1alpha1/clusterissuer_types.go index feb6c0e..da14f4d 100644 --- a/api/v1alpha1/clusterissuer_types.go +++ b/api/v1alpha1/clusterissuer_types.go @@ -17,22 +17,40 @@ limitations under the License. package v1alpha1 import ( + "github.com/cert-manager/issuer-lib/api/v1alpha1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -//+kubebuilder:object:root=true -//+kubebuilder:subresource:status -//+kubebuilder:resource:scope=Cluster +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:resource:scope=Cluster +// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status" +// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].reason" +// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message" +// +kubebuilder:printcolumn:name="LastTransition",type="string",type="date",JSONPath=".status.conditions[?(@.type==\"Ready\")].lastTransitionTime" +// +kubebuilder:printcolumn:name="ObservedGeneration",type="integer",JSONPath=".status.conditions[?(@.type==\"Ready\")].observedGeneration" +// +kubebuilder:printcolumn:name="Generation",type="integer",JSONPath=".metadata.generation" +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" // ClusterIssuer is the Schema for the clusterissuers API type ClusterIssuer struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - Spec IssuerSpec `json:"spec,omitempty"` - Status IssuerStatus `json:"status,omitempty"` + Spec IssuerSpec `json:"spec,omitempty"` + Status v1alpha1.IssuerStatus `json:"status,omitempty"` +} + +func (vi *ClusterIssuer) GetStatus() *v1alpha1.IssuerStatus { + return &vi.Status } +func (vi *ClusterIssuer) GetIssuerTypeIdentifier() string { + return "clusterissuers.sample-issuer.example.com" +} + +var _ v1alpha1.Issuer = &ClusterIssuer{} + //+kubebuilder:object:root=true // ClusterIssuerList contains a list of ClusterIssuer diff --git a/api/v1alpha1/issuer_types.go b/api/v1alpha1/issuer_types.go index 6bc4896..4fa3bb9 100644 --- a/api/v1alpha1/issuer_types.go +++ b/api/v1alpha1/issuer_types.go @@ -17,9 +17,29 @@ limitations under the License. package v1alpha1 import ( + "github.com/cert-manager/issuer-lib/api/v1alpha1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status" +// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].reason" +// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message" +// +kubebuilder:printcolumn:name="LastTransition",type="string",type="date",JSONPath=".status.conditions[?(@.type==\"Ready\")].lastTransitionTime" +// +kubebuilder:printcolumn:name="ObservedGeneration",type="integer",JSONPath=".status.conditions[?(@.type==\"Ready\")].observedGeneration" +// +kubebuilder:printcolumn:name="Generation",type="integer",JSONPath=".metadata.generation" +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" + +// Issuer is the Schema for the issuers API +type Issuer struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec IssuerSpec `json:"spec,omitempty"` + Status v1alpha1.IssuerStatus `json:"status,omitempty"` +} + // IssuerSpec defines the desired state of Issuer type IssuerSpec struct { // URL is the base URL for the endpoint of the signing service, @@ -34,26 +54,16 @@ type IssuerSpec struct { AuthSecretName string `json:"authSecretName"` } -// IssuerStatus defines the observed state of Issuer -type IssuerStatus struct { - // List of status conditions to indicate the status of a CertificateRequest. - // Known condition types are `Ready`. - // +optional - Conditions []IssuerCondition `json:"conditions,omitempty"` +func (vi *Issuer) GetStatus() *v1alpha1.IssuerStatus { + return &vi.Status } -//+kubebuilder:object:root=true -//+kubebuilder:subresource:status - -// Issuer is the Schema for the issuers API -type Issuer struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` - - Spec IssuerSpec `json:"spec,omitempty"` - Status IssuerStatus `json:"status,omitempty"` +func (vi *Issuer) GetIssuerTypeIdentifier() string { + return "issuers.sample-issuer.example.com" } +var _ v1alpha1.Issuer = &Issuer{} + //+kubebuilder:object:root=true // IssuerList contains a list of Issuer @@ -63,61 +73,6 @@ type IssuerList struct { Items []Issuer `json:"items"` } -// IssuerCondition contains condition information for an Issuer. -type IssuerCondition struct { - // Type of the condition, known values are ('Ready'). - Type IssuerConditionType `json:"type"` - - // Status of the condition, one of ('True', 'False', 'Unknown'). - Status ConditionStatus `json:"status"` - - // LastTransitionTime is the timestamp corresponding to the last status - // change of this condition. - // +optional - LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"` - - // Reason is a brief machine readable explanation for the condition's last - // transition. - // +optional - Reason string `json:"reason,omitempty"` - - // Message is a human readable description of the details of the last - // transition, complementing reason. - // +optional - Message string `json:"message,omitempty"` -} - -// IssuerConditionType represents an Issuer condition value. -type IssuerConditionType string - -const ( - // IssuerConditionReady represents the fact that a given Issuer condition - // is in ready state and able to issue certificates. - // If the `status` of this condition is `False`, CertificateRequest controllers - // should prevent attempts to sign certificates. - IssuerConditionReady IssuerConditionType = "Ready" -) - -// ConditionStatus represents a condition's status. -// +kubebuilder:validation:Enum=True;False;Unknown -type ConditionStatus string - -// These are valid condition statuses. "ConditionTrue" means a resource is in -// the condition; "ConditionFalse" means a resource is not in the condition; -// "ConditionUnknown" means kubernetes can't decide if a resource is in the -// condition or not. In the future, we could add other intermediate -// conditions, e.g. ConditionDegraded. -const ( - // ConditionTrue represents the fact that a given condition is true - ConditionTrue ConditionStatus = "True" - - // ConditionFalse represents the fact that a given condition is false - ConditionFalse ConditionStatus = "False" - - // ConditionUnknown represents the fact that a given condition is unknown - ConditionUnknown ConditionStatus = "Unknown" -) - func init() { SchemeBuilder.Register(&Issuer{}, &IssuerList{}) } diff --git a/api/v1alpha1/types.go b/api/v1alpha1/types.go deleted file mode 100644 index fff8433..0000000 --- a/api/v1alpha1/types.go +++ /dev/null @@ -1,23 +0,0 @@ -/* -Copyright 2021 The cert-manager Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -const ( - EventSource = "sample-external-issuer" - EventReasonCertificateRequestReconciler = "CertificateRequestReconciler" - EventReasonIssuerReconciler = "IssuerReconciler" -) diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 9352539..c6544d4 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -111,25 +111,6 @@ func (in *Issuer) DeepCopyObject() runtime.Object { return nil } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IssuerCondition) DeepCopyInto(out *IssuerCondition) { - *out = *in - if in.LastTransitionTime != nil { - in, out := &in.LastTransitionTime, &out.LastTransitionTime - *out = (*in).DeepCopy() - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerCondition. -func (in *IssuerCondition) DeepCopy() *IssuerCondition { - if in == nil { - return nil - } - out := new(IssuerCondition) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IssuerList) DeepCopyInto(out *IssuerList) { *out = *in @@ -176,25 +157,3 @@ func (in *IssuerSpec) DeepCopy() *IssuerSpec { in.DeepCopyInto(out) return out } - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IssuerStatus) DeepCopyInto(out *IssuerStatus) { - *out = *in - if in.Conditions != nil { - in, out := &in.Conditions, &out.Conditions - *out = make([]IssuerCondition, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerStatus. -func (in *IssuerStatus) DeepCopy() *IssuerStatus { - if in == nil { - return nil - } - out := new(IssuerStatus) - in.DeepCopyInto(out) - return out -} diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 41385ff..755f92a 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -5,52 +5,41 @@ metadata: creationTimestamp: null name: manager-role rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - cert-manager.io - resources: - - certificaterequests - verbs: - - get - - list - - watch -- apiGroups: - - cert-manager.io - resources: - - certificaterequests/status - verbs: - - get - - patch - - update -- apiGroups: - - sample-issuer.example.com - resources: - - clusterissuers - - issuers - verbs: - - get - - list - - watch -- apiGroups: - - sample-issuer.example.com - resources: - - clusterissuers/status - - issuers/status - verbs: - - get - - patch - - update +- apiGroups: [ "" ] + resources: [ "events" ] + verbs: ["create", "patch"] + +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: ["get", "list", "watch"] + +- apiGroups: [ "sample-issuer.example.com" ] + resources: [ "clusterissuers", "issuers" ] + verbs: ["get", "list", "watch"] + +- apiGroups: [ "sample-issuer.example.com" ] + resources: [ "clusterissuers/status", "issuers/status" ] + verbs: [ "patch" ] + + +- apiGroups: [ "cert-manager.io" ] + resources: [ "certificaterequests" ] + verbs: [ "get", "list", "watch" ] + +- apiGroups: [ "cert-manager.io" ] + resources: [ "certificaterequests/status" ] + verbs: [ "patch" ] + +- apiGroups: [ "certificates.k8s.io" ] + resources: [ "certificatesigningrequests" ] + verbs: [ "get", "list", "watch" ] + +- apiGroups: [ "certificates.k8s.io" ] + resources: [ "certificatesigningrequests/status" ] + verbs: [ "patch" ] + +- apiGroups: [ "certificates.k8s.io" ] + resources: [ "signers" ] + verbs: [ "sign" ] + resourceNames: + - clusterissuers.sample-issuer.example.com/* diff --git a/go.mod b/go.mod index bcf2caa..eb6b28c 100644 --- a/go.mod +++ b/go.mod @@ -1,81 +1,78 @@ module github.com/cert-manager/sample-external-issuer -go 1.20 +go 1.22.0 require ( - github.com/cert-manager/cert-manager v1.12.0 - github.com/go-logr/logr v1.2.4 - github.com/stretchr/testify v1.8.3 - k8s.io/api v0.27.2 - k8s.io/apimachinery v0.27.2 - k8s.io/client-go v0.27.2 - k8s.io/utils v0.0.0-20230505201702-9f6742963106 - sigs.k8s.io/controller-runtime v0.15.0 + github.com/cert-manager/cert-manager v1.15.3 + github.com/cert-manager/issuer-lib v0.8.0 + k8s.io/api v0.31.0 + k8s.io/apimachinery v0.31.0 + k8s.io/client-go v0.31.0 + k8s.io/klog/v2 v2.130.1 + sigs.k8s.io/controller-runtime v0.19.0 ) require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect - github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/davecgh/go-spew v1.1.1 // indirect - github.com/emicklei/go-restful/v3 v3.10.2 // indirect - github.com/evanphx/json-patch v5.6.0+incompatible // indirect - github.com/evanphx/json-patch/v5 v5.6.0 // indirect - github.com/fsnotify/fsnotify v1.6.0 // indirect - github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect - github.com/go-ldap/ldap/v3 v3.4.4 // indirect - github.com/go-logr/zapr v1.2.4 // indirect - github.com/go-openapi/jsonpointer v0.19.6 // indirect - github.com/go-openapi/jsonreference v0.20.2 // indirect - github.com/go-openapi/swag v0.22.3 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/emicklei/go-restful/v3 v3.12.0 // indirect + github.com/evanphx/json-patch/v5 v5.9.0 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect + github.com/go-asn1-ber/asn1-ber v1.5.6 // indirect + github.com/go-ldap/ldap/v3 v3.4.8 // indirect + github.com/go-logr/logr v1.4.2 // indirect + github.com/go-logr/zapr v1.3.0 // indirect + github.com/go-openapi/jsonpointer v0.21.0 // indirect + github.com/go-openapi/jsonreference v0.21.0 // indirect + github.com/go-openapi/swag v0.23.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.3 // indirect - github.com/google/gnostic v0.6.9 // indirect - github.com/google/go-cmp v0.5.9 // indirect + github.com/golang/protobuf v1.5.4 // indirect + github.com/google/gnostic-models v0.6.8 // indirect + github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/uuid v1.3.0 // indirect - github.com/imdario/mergo v0.3.15 // indirect + github.com/google/uuid v1.6.0 // indirect + github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/mailru/easyjson v0.7.7 // indirect - github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/pmezard/go-difflib v1.0.0 // indirect - github.com/prometheus/client_golang v1.15.1 // indirect - github.com/prometheus/client_model v0.4.0 // indirect - github.com/prometheus/common v0.44.0 // indirect - github.com/prometheus/procfs v0.10.0 // indirect - github.com/spf13/cobra v1.7.0 // indirect + github.com/prometheus/client_golang v1.19.1 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.55.0 // indirect + github.com/prometheus/procfs v0.15.1 // indirect + github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect - go.uber.org/atomic v1.11.0 // indirect + github.com/x448/float16 v0.8.4 // indirect go.uber.org/multierr v1.11.0 // indirect - go.uber.org/zap v1.24.0 // indirect - golang.org/x/crypto v0.21.0 // indirect - golang.org/x/net v0.23.0 // indirect - golang.org/x/oauth2 v0.8.0 // indirect - golang.org/x/sys v0.18.0 // indirect - golang.org/x/term v0.18.0 // indirect - golang.org/x/text v0.14.0 // indirect - golang.org/x/time v0.3.0 // indirect - gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect - google.golang.org/appengine v1.6.7 // indirect - google.golang.org/protobuf v1.33.0 // indirect + go.uber.org/zap v1.27.0 // indirect + golang.org/x/crypto v0.24.0 // indirect + golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect + golang.org/x/net v0.26.0 // indirect + golang.org/x/oauth2 v0.21.0 // indirect + golang.org/x/sys v0.21.0 // indirect + golang.org/x/term v0.21.0 // indirect + golang.org/x/text v0.16.0 // indirect + golang.org/x/time v0.5.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect + google.golang.org/protobuf v1.34.2 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.27.2 // indirect - k8s.io/component-base v0.27.2 // indirect - k8s.io/klog/v2 v2.100.1 // indirect - k8s.io/kube-aggregator v0.27.2 // indirect - k8s.io/kube-openapi v0.0.0-20230523194449-df37dd07aa00 // indirect - sigs.k8s.io/gateway-api v0.7.0 // indirect + k8s.io/apiextensions-apiserver v0.31.0 // indirect + k8s.io/component-base v0.31.0 // indirect + k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect + k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect + sigs.k8s.io/gateway-api v1.1.0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect - sigs.k8s.io/yaml v1.3.0 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/go.sum b/go.sum index 2445ebe..312caf3 100644 --- a/go.sum +++ b/go.sum @@ -1,129 +1,100 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= -github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= -github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= -github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= +github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= +github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= -github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= -github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cert-manager/cert-manager v1.12.0 h1:CWIZeWop7RwFCIKgSzsxFFGcI2nvudkOICBMDY7SKuI= -github.com/cert-manager/cert-manager v1.12.0/go.mod h1:vRRQLs67q9PN/3SILHpiLbzuG63c4I0+q6pbppEWChs= -github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= -github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/cert-manager/cert-manager v1.15.3 h1:/u9T0griwd5MegPfWbB7v0KcVcT9OJrEvPNhc9tl7xQ= +github.com/cert-manager/cert-manager v1.15.3/go.mod h1:stBge/DTvrhfQMB/93+Y62s+gQgZBsfL1o0C/4AL/mI= +github.com/cert-manager/issuer-lib v0.8.0 h1:eOU+P3EQkEKcZc823iLqMH8/Ithkg0Zs8vsXe0lHH4g= +github.com/cert-manager/issuer-lib v0.8.0/go.mod h1:UjE2o4BAboql9XV2VuFz2zfL8qrKEPwuQwLFqjL5pK8= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/emicklei/go-restful/v3 v3.10.2 h1:hIovbnmBTLjHXkqEBUz3HGpXZdM7ZrE9fJIZIqlJLqE= -github.com/emicklei/go-restful/v3 v3.10.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= -github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= -github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= -github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= -github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0= -github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= -github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A= -github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= -github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs= -github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI= -github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= -github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= -github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= -github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= -github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= -github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= -github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= -github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= +github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= +github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= +github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= +github.com/go-asn1-ber/asn1-ber v1.5.6 h1:CYsqysemXfEaQbyrLJmdsCRuufHoLa3P/gGWGl5TDrM= +github.com/go-asn1-ber/asn1-ber v1.5.6/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= +github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ= +github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= +github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= +github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/google/gnostic v0.6.9 h1:ZK/5VhkoX835RikCHpSUJV9a+S3e1zLh59YnyWeBW+0= -github.com/google/gnostic v0.6.9/go.mod h1:Nm8234We1lq6iB9OmlgNv3nH91XLLVZHCDayfA3xq+E= -github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= -github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM= -github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= +github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= +github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= +github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= +github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8= +github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= +github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo= +github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM= +github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg= +github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo= +github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o= +github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg= +github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8= +github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= +github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= +github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= -github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= @@ -131,215 +102,173 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= -github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU= -github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI= -github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= -github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= -github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= -github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= -github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= -github.com/prometheus/procfs v0.10.0 h1:UkG7GPYkO4UZyLnyXjaWYcgOSONqwdBqFUT95ugmt6I= -github.com/prometheus/procfs v0.10.0/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= -github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= +github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= -github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= -github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY= -github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= -github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= -github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= -github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= -go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= -go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= -go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= -go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= -go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= -go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= +golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= +golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM= +golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= -golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= -golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= +golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= +golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= +golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= +golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= -golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc= -gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= -google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= -google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= -google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= -google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= +gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.27.2 h1:+H17AJpUMvl+clT+BPnKf0E3ksMAzoBBg7CntpSuADo= -k8s.io/api v0.27.2/go.mod h1:ENmbocXfBT2ADujUXcBhHV55RIT31IIEvkntP6vZKS4= -k8s.io/apiextensions-apiserver v0.27.2 h1:iwhyoeS4xj9Y7v8YExhUwbVuBhMr3Q4bd/laClBV6Bo= -k8s.io/apiextensions-apiserver v0.27.2/go.mod h1:Oz9UdvGguL3ULgRdY9QMUzL2RZImotgxvGjdWRq6ZXQ= -k8s.io/apimachinery v0.27.2 h1:vBjGaKKieaIreI+oQwELalVG4d8f3YAMNpWLzDXkxeg= -k8s.io/apimachinery v0.27.2/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= -k8s.io/client-go v0.27.2 h1:vDLSeuYvCHKeoQRhCXjxXO45nHVv2Ip4Fe0MfioMrhE= -k8s.io/client-go v0.27.2/go.mod h1:tY0gVmUsHrAmjzHX9zs7eCjxcBsf8IiNe7KQ52biTcQ= -k8s.io/component-base v0.27.2 h1:neju+7s/r5O4x4/txeUONNTS9r1HsPbyoPBAtHsDCpo= -k8s.io/component-base v0.27.2/go.mod h1:5UPk7EjfgrfgRIuDBFtsEFAe4DAvP3U+M8RTzoSJkpo= -k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= -k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-aggregator v0.27.2 h1:jfHoPip+qN/fn3OcrYs8/xMuVYvkJHKo0H0DYciqdns= -k8s.io/kube-aggregator v0.27.2/go.mod h1:mwrTt4ESjQ7A6847biwohgZWn8P/KzSFHegEScbSGY4= -k8s.io/kube-openapi v0.0.0-20230523194449-df37dd07aa00 h1:Sb9XaC5itZdDOVp7CTFhW8cxWIuRryoU4Oq6U8eEeOk= -k8s.io/kube-openapi v0.0.0-20230523194449-df37dd07aa00/go.mod h1:kzo02I3kQ4BTtEfVLaPbjvCkX97YqGve33wzlb3fofQ= -k8s.io/utils v0.0.0-20230505201702-9f6742963106 h1:EObNQ3TW2D+WptiYXlApGNLVy0zm/JIBVY9i+M4wpAU= -k8s.io/utils v0.0.0-20230505201702-9f6742963106/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU= -sigs.k8s.io/controller-runtime v0.15.0/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk= -sigs.k8s.io/gateway-api v0.7.0 h1:/mG8yyJNBifqvuVLW5gwlI4CQs0NR/5q4BKUlf1bVdY= -sigs.k8s.io/gateway-api v0.7.0/go.mod h1:Xv0+ZMxX0lu1nSSDIIPEfbVztgNZ+3cfiYrJsa2Ooso= +k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo= +k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE= +k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24kyLSk= +k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk= +k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= +k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/client-go v0.31.0 h1:QqEJzNjbN2Yv1H79SsS+SWnXkBgVu4Pj3CJQgbx0gI8= +k8s.io/client-go v0.31.0/go.mod h1:Y9wvC76g4fLjmU0BA+rV+h2cncoadjvjjkkIGoTLcGU= +k8s.io/component-base v0.31.0 h1:/KIzGM5EvPNQcYgwq5NwoQBaOlVFrghoVGr8lG6vNRs= +k8s.io/component-base v0.31.0/go.mod h1:TYVuzI1QmN4L5ItVdMSXKvH7/DtvIuas5/mm8YT3rTo= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f h1:0LQagt0gDpKqvIkAMPaRGcXawNMouPECM1+F9BVxEaM= +k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f/go.mod h1:S9tOR0FxgyusSNR+MboCuiDpVWkAifZvaYI1Q2ubgro= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= +sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= +sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= -sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= -sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/internal/controllers/certificaterequest_controller.go b/internal/controllers/certificaterequest_controller.go deleted file mode 100644 index 8aab456..0000000 --- a/internal/controllers/certificaterequest_controller.go +++ /dev/null @@ -1,254 +0,0 @@ -/* -Copyright 2020 The cert-manager Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package controllers - -import ( - "context" - "errors" - "fmt" - - cmutil "github.com/cert-manager/cert-manager/pkg/api/util" - cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" - cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/types" - utilerrors "k8s.io/apimachinery/pkg/util/errors" - "k8s.io/client-go/tools/record" - "k8s.io/utils/clock" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" - - sampleissuerapi "github.com/cert-manager/sample-external-issuer/api/v1alpha1" - "github.com/cert-manager/sample-external-issuer/internal/issuer/signer" - issuerutil "github.com/cert-manager/sample-external-issuer/internal/issuer/util" -) - -var ( - errIssuerRef = errors.New("error interpreting issuerRef") - errGetIssuer = errors.New("error getting issuer") - errIssuerNotReady = errors.New("issuer is not ready") - errSignerBuilder = errors.New("failed to build the signer") - errSignerSign = errors.New("failed to sign") -) - -// CertificateRequestReconciler reconciles a CertificateRequest object -type CertificateRequestReconciler struct { - client.Client - Scheme *runtime.Scheme - SignerBuilder signer.SignerBuilder - ClusterResourceNamespace string - - Clock clock.Clock - CheckApprovedCondition bool - recorder record.EventRecorder -} - -// +kubebuilder:rbac:groups=cert-manager.io,resources=certificaterequests,verbs=get;list;watch -// +kubebuilder:rbac:groups=cert-manager.io,resources=certificaterequests/status,verbs=get;update;patch -// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch -// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch - -func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, err error) { - log := ctrl.LoggerFrom(ctx) - - // Get the CertificateRequest - var certificateRequest cmapi.CertificateRequest - if err := r.Get(ctx, req.NamespacedName, &certificateRequest); err != nil { - if err := client.IgnoreNotFound(err); err != nil { - return ctrl.Result{}, fmt.Errorf("unexpected get error: %v", err) - } - log.Info("Not found. Ignoring.") - return ctrl.Result{}, nil - } - - // Ignore CertificateRequest if issuerRef doesn't match our group - if certificateRequest.Spec.IssuerRef.Group != sampleissuerapi.GroupVersion.Group { - log.Info("Foreign group. Ignoring.", "group", certificateRequest.Spec.IssuerRef.Group) - return ctrl.Result{}, nil - } - - // Ignore CertificateRequest if it is already Ready - if cmutil.CertificateRequestHasCondition(&certificateRequest, cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionTrue, - }) { - log.Info("CertificateRequest is Ready. Ignoring.") - return ctrl.Result{}, nil - } - // Ignore CertificateRequest if it is already Failed - if cmutil.CertificateRequestHasCondition(&certificateRequest, cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionFalse, - Reason: cmapi.CertificateRequestReasonFailed, - }) { - log.Info("CertificateRequest is Failed. Ignoring.") - return ctrl.Result{}, nil - } - // Ignore CertificateRequest if it already has a Denied Ready Reason - if cmutil.CertificateRequestHasCondition(&certificateRequest, cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionFalse, - Reason: cmapi.CertificateRequestReasonDenied, - }) { - log.Info("CertificateRequest already has a Ready condition with Denied Reason. Ignoring.") - return ctrl.Result{}, nil - } - - if r.CheckApprovedCondition { - // If CertificateRequest has not been approved, exit early. - if !cmutil.CertificateRequestIsApproved(&certificateRequest) { - log.Info("CertificateRequest has not been approved yet. Ignoring.") - return ctrl.Result{}, nil - } - } - - // report gives feedback by updating the Ready Condition of the Certificate Request. - // For added visibility we also log a message and create a Kubernetes Event. - report := func(reason, message string, err error) { - status := cmmeta.ConditionFalse - if reason == cmapi.CertificateRequestReasonIssued { - status = cmmeta.ConditionTrue - } - eventType := corev1.EventTypeNormal - if err != nil { - log.Error(err, message) - eventType = corev1.EventTypeWarning - message = fmt.Sprintf("%s: %v", message, err) - } else { - log.Info(message) - } - r.recorder.Event( - &certificateRequest, - eventType, - sampleissuerapi.EventReasonCertificateRequestReconciler, - message, - ) - cmutil.SetCertificateRequestCondition( - &certificateRequest, - cmapi.CertificateRequestConditionReady, - status, - reason, - message, - ) - } - - // Always attempt to update the Ready condition - defer func() { - if err != nil { - report(cmapi.CertificateRequestReasonPending, "Temporary error. Retrying", err) - } - if updateErr := r.Status().Update(ctx, &certificateRequest); updateErr != nil { - err = utilerrors.NewAggregate([]error{err, updateErr}) - result = ctrl.Result{} - } - }() - - // If CertificateRequest has been denied, mark the CertificateRequest as - // Ready=Denied and set FailureTime if not already. - if cmutil.CertificateRequestIsDenied(&certificateRequest) { - log.Info("CertificateRequest has been denied yet. Marking as failed.") - - if certificateRequest.Status.FailureTime == nil { - nowTime := metav1.NewTime(r.Clock.Now()) - certificateRequest.Status.FailureTime = &nowTime - } - - message := "The CertificateRequest was denied by an approval controller" - report(cmapi.CertificateRequestReasonDenied, message, nil) - return ctrl.Result{}, nil - } - - // Add a Ready condition if one does not already exist - if ready := cmutil.GetCertificateRequestCondition(&certificateRequest, cmapi.CertificateRequestConditionReady); ready == nil { - report(cmapi.CertificateRequestReasonPending, "Initialising Ready condition", nil) - return ctrl.Result{}, nil - } - - // Ignore but log an error if the issuerRef.Kind is unrecognised - issuerGVK := sampleissuerapi.GroupVersion.WithKind(certificateRequest.Spec.IssuerRef.Kind) - issuerRO, err := r.Scheme.New(issuerGVK) - if err != nil { - report(cmapi.CertificateRequestReasonFailed, "Unrecognised kind. Ignoring", fmt.Errorf("%w: %v", errIssuerRef, err)) - return ctrl.Result{}, nil - } - issuer := issuerRO.(client.Object) - // Create a Namespaced name for Issuer and a non-Namespaced name for ClusterIssuer - issuerName := types.NamespacedName{ - Name: certificateRequest.Spec.IssuerRef.Name, - } - var secretNamespace string - switch t := issuer.(type) { - case *sampleissuerapi.Issuer: - issuerName.Namespace = certificateRequest.Namespace - secretNamespace = certificateRequest.Namespace - log = log.WithValues("issuer", issuerName) - case *sampleissuerapi.ClusterIssuer: - secretNamespace = r.ClusterResourceNamespace - log = log.WithValues("clusterissuer", issuerName) - default: - report(cmapi.CertificateRequestReasonFailed, "The issuerRef referred to a registered Kind which is not yet handled. Ignoring", fmt.Errorf("unexpected issuer type: %v", t)) - return ctrl.Result{}, nil - } - - // Get the Issuer or ClusterIssuer - if err := r.Get(ctx, issuerName, issuer); err != nil { - return ctrl.Result{}, fmt.Errorf("%w: %v", errGetIssuer, err) - } - - issuerSpec, issuerStatus, err := issuerutil.GetSpecAndStatus(issuer) - if err != nil { - report(cmapi.CertificateRequestReasonFailed, "Unable to get the IssuerStatus. Ignoring", err) - return ctrl.Result{}, nil - } - - if !issuerutil.IsReady(issuerStatus) { - return ctrl.Result{}, errIssuerNotReady - } - - secretName := types.NamespacedName{ - Name: issuerSpec.AuthSecretName, - Namespace: secretNamespace, - } - - var secret corev1.Secret - if err := r.Get(ctx, secretName, &secret); err != nil { - return ctrl.Result{}, fmt.Errorf("%w, secret name: %s, reason: %v", errGetAuthSecret, secretName, err) - } - - signer, err := r.SignerBuilder(issuerSpec, secret.Data) - if err != nil { - return ctrl.Result{}, fmt.Errorf("%w: %v", errSignerBuilder, err) - } - - signed, err := signer.Sign(certificateRequest.Spec.Request) - if err != nil { - return ctrl.Result{}, fmt.Errorf("%w: %v", errSignerSign, err) - } - certificateRequest.Status.Certificate = signed - - report(cmapi.CertificateRequestReasonIssued, "Signed", nil) - return ctrl.Result{}, nil -} - -func (r *CertificateRequestReconciler) SetupWithManager(mgr ctrl.Manager) error { - r.recorder = mgr.GetEventRecorderFor(sampleissuerapi.EventSource) - return ctrl.NewControllerManagedBy(mgr). - For(&cmapi.CertificateRequest{}). - Complete(r) -} diff --git a/internal/controllers/certificaterequest_controller_test.go b/internal/controllers/certificaterequest_controller_test.go deleted file mode 100644 index 49b4fda..0000000 --- a/internal/controllers/certificaterequest_controller_test.go +++ /dev/null @@ -1,754 +0,0 @@ -package controllers - -import ( - "context" - "errors" - "fmt" - "testing" - "time" - - cmutil "github.com/cert-manager/cert-manager/pkg/api/util" - cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" - cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" - cmgen "github.com/cert-manager/cert-manager/test/unit/gen" - logrtesting "github.com/go-logr/logr/testing" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - corev1 "k8s.io/api/core/v1" - apiequality "k8s.io/apimachinery/pkg/api/equality" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/types" - "k8s.io/apimachinery/pkg/util/sets" - "k8s.io/client-go/tools/record" - clock "k8s.io/utils/clock/testing" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/client/fake" - "sigs.k8s.io/controller-runtime/pkg/reconcile" - - sampleissuerapi "github.com/cert-manager/sample-external-issuer/api/v1alpha1" - "github.com/cert-manager/sample-external-issuer/internal/issuer/signer" -) - -var ( - fixedClockStart = time.Date(2021, time.January, 1, 1, 0, 0, 0, time.UTC) - fixedClock = clock.NewFakeClock(fixedClockStart) -) - -type fakeSigner struct { - errSign error -} - -func (o *fakeSigner) Sign([]byte) ([]byte, error) { - return []byte("fake signed certificate"), o.errSign -} - -func TestCertificateRequestReconcile(t *testing.T) { - nowMetaTime := metav1.NewTime(fixedClockStart) - - type testCase struct { - name types.NamespacedName - secretObjects []client.Object - issuerObjects []client.Object - crObjects []client.Object - signerBuilder signer.SignerBuilder - clusterResourceNamespace string - expectedResult ctrl.Result - expectedError error - expectedReadyConditionStatus cmmeta.ConditionStatus - expectedReadyConditionReason string - expectedFailureTime *metav1.Time - expectedCertificate []byte - } - tests := map[string]testCase{ - "success-issuer": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - crObjects: []client.Object{ - cmgen.CertificateRequest( - "cr1", - cmgen.SetCertificateRequestNamespace("ns1"), - cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ - Name: "issuer1", - Group: sampleissuerapi.GroupVersion.Group, - Kind: "Issuer", - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionApproved, - Status: cmmeta.ConditionTrue, - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionUnknown, - }), - ), - }, - issuerObjects: []client.Object{&sampleissuerapi.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1", - Namespace: "ns1", - }, - Spec: sampleissuerapi.IssuerSpec{ - AuthSecretName: "issuer1-credentials", - }, - Status: sampleissuerapi.IssuerStatus{ - Conditions: []sampleissuerapi.IssuerCondition{ - { - Type: sampleissuerapi.IssuerConditionReady, - Status: sampleissuerapi.ConditionTrue, - }, - }, - }, - }, - }, - secretObjects: []client.Object{&corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1-credentials", - Namespace: "ns1", - }, - }, - }, - signerBuilder: func(*sampleissuerapi.IssuerSpec, map[string][]byte) (signer.Signer, error) { - return &fakeSigner{}, nil - }, - expectedReadyConditionStatus: cmmeta.ConditionTrue, - expectedReadyConditionReason: cmapi.CertificateRequestReasonIssued, - expectedFailureTime: nil, - expectedCertificate: []byte("fake signed certificate"), - }, - "success-cluster-issuer": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - crObjects: []client.Object{ - cmgen.CertificateRequest( - "cr1", - cmgen.SetCertificateRequestNamespace("ns1"), - cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ - Name: "clusterissuer1", - Group: sampleissuerapi.GroupVersion.Group, - Kind: "ClusterIssuer", - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionApproved, - Status: cmmeta.ConditionTrue, - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionUnknown, - }), - ), - }, - issuerObjects: []client.Object{ - &sampleissuerapi.ClusterIssuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "clusterissuer1", - }, - Spec: sampleissuerapi.IssuerSpec{ - AuthSecretName: "clusterissuer1-credentials", - }, - Status: sampleissuerapi.IssuerStatus{ - Conditions: []sampleissuerapi.IssuerCondition{ - { - Type: sampleissuerapi.IssuerConditionReady, - Status: sampleissuerapi.ConditionTrue, - }, - }, - }, - }, - }, - secretObjects: []client.Object{&corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "clusterissuer1-credentials", - Namespace: "kube-system", - }, - }}, - signerBuilder: func(*sampleissuerapi.IssuerSpec, map[string][]byte) (signer.Signer, error) { - return &fakeSigner{}, nil - }, - clusterResourceNamespace: "kube-system", - expectedReadyConditionStatus: cmmeta.ConditionTrue, - expectedReadyConditionReason: cmapi.CertificateRequestReasonIssued, - expectedFailureTime: nil, - expectedCertificate: []byte("fake signed certificate"), - }, - "certificaterequest-not-found": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - }, - "issuer-ref-foreign-group": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - crObjects: []client.Object{ - cmgen.CertificateRequest( - "cr1", - cmgen.SetCertificateRequestNamespace("ns1"), - cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ - Name: "issuer1", - Group: "foreign-issuer.example.com", - }), - ), - }, - }, - "certificaterequest-already-ready": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - crObjects: []client.Object{ - cmgen.CertificateRequest( - "cr1", - cmgen.SetCertificateRequestNamespace("ns1"), - cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ - Name: "issuer1", - Group: sampleissuerapi.GroupVersion.Group, - Kind: "Issuer", - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionApproved, - Status: cmmeta.ConditionTrue, - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionTrue, - }), - ), - }, - }, - "certificaterequest-missing-ready-condition": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - crObjects: []client.Object{ - cmgen.CertificateRequest( - "cr1", - cmgen.SetCertificateRequestNamespace("ns1"), - cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ - Name: "issuer1", - Group: sampleissuerapi.GroupVersion.Group, - Kind: "Issuer", - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionApproved, - Status: cmmeta.ConditionTrue, - }), - ), - }, - expectedReadyConditionStatus: cmmeta.ConditionFalse, - expectedReadyConditionReason: cmapi.CertificateRequestReasonPending, - }, - "issuer-ref-unknown-kind": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - crObjects: []client.Object{ - cmgen.CertificateRequest( - "cr1", - cmgen.SetCertificateRequestNamespace("ns1"), - cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ - Name: "issuer1", - Group: sampleissuerapi.GroupVersion.Group, - Kind: "ForeignKind", - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionApproved, - Status: cmmeta.ConditionTrue, - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionUnknown, - }), - ), - }, - expectedReadyConditionStatus: cmmeta.ConditionFalse, - expectedReadyConditionReason: cmapi.CertificateRequestReasonFailed, - }, - "issuer-not-found": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - crObjects: []client.Object{ - cmgen.CertificateRequest( - "cr1", - cmgen.SetCertificateRequestNamespace("ns1"), - cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ - Name: "issuer1", - Group: sampleissuerapi.GroupVersion.Group, - Kind: "Issuer", - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionApproved, - Status: cmmeta.ConditionTrue, - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionUnknown, - }), - ), - }, - expectedError: errGetIssuer, - expectedReadyConditionStatus: cmmeta.ConditionFalse, - expectedReadyConditionReason: cmapi.CertificateRequestReasonPending, - }, - "clusterissuer-not-found": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - crObjects: []client.Object{ - cmgen.CertificateRequest( - "cr1", - cmgen.SetCertificateRequestNamespace("ns1"), - cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ - Name: "clusterissuer1", - Group: sampleissuerapi.GroupVersion.Group, - Kind: "ClusterIssuer", - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionApproved, - Status: cmmeta.ConditionTrue, - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionUnknown, - }), - ), - }, - expectedError: errGetIssuer, - expectedReadyConditionStatus: cmmeta.ConditionFalse, - expectedReadyConditionReason: cmapi.CertificateRequestReasonPending, - }, - "issuer-not-ready": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - crObjects: []client.Object{ - cmgen.CertificateRequest( - "cr1", - cmgen.SetCertificateRequestNamespace("ns1"), - cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ - Name: "issuer1", - Group: sampleissuerapi.GroupVersion.Group, - Kind: "Issuer", - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionApproved, - Status: cmmeta.ConditionTrue, - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionUnknown, - }), - ), - }, - issuerObjects: []client.Object{ - &sampleissuerapi.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1", - Namespace: "ns1", - }, - Status: sampleissuerapi.IssuerStatus{ - Conditions: []sampleissuerapi.IssuerCondition{ - { - Type: sampleissuerapi.IssuerConditionReady, - Status: sampleissuerapi.ConditionFalse, - }, - }, - }, - }, - }, - expectedError: errIssuerNotReady, - expectedReadyConditionStatus: cmmeta.ConditionFalse, - expectedReadyConditionReason: cmapi.CertificateRequestReasonPending, - }, - "issuer-secret-not-found": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - crObjects: []client.Object{ - cmgen.CertificateRequest( - "cr1", - cmgen.SetCertificateRequestNamespace("ns1"), - cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ - Name: "issuer1", - Group: sampleissuerapi.GroupVersion.Group, - Kind: "Issuer", - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionApproved, - Status: cmmeta.ConditionTrue, - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionUnknown, - }), - ), - }, - issuerObjects: []client.Object{ - &sampleissuerapi.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1", - Namespace: "ns1", - }, - Spec: sampleissuerapi.IssuerSpec{ - AuthSecretName: "issuer1-credentials", - }, - Status: sampleissuerapi.IssuerStatus{ - Conditions: []sampleissuerapi.IssuerCondition{ - { - Type: sampleissuerapi.IssuerConditionReady, - Status: sampleissuerapi.ConditionTrue, - }, - }, - }, - }, - }, - expectedError: errGetAuthSecret, - expectedReadyConditionStatus: cmmeta.ConditionFalse, - expectedReadyConditionReason: cmapi.CertificateRequestReasonPending, - }, - "signer-builder-error": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - crObjects: []client.Object{ - cmgen.CertificateRequest( - "cr1", - cmgen.SetCertificateRequestNamespace("ns1"), - cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ - Name: "issuer1", - Group: sampleissuerapi.GroupVersion.Group, - Kind: "Issuer", - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionApproved, - Status: cmmeta.ConditionTrue, - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionUnknown, - }), - ), - }, - secretObjects: []client.Object{ - &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1-credentials", - Namespace: "ns1", - }, - }, - }, - issuerObjects: []client.Object{ - &sampleissuerapi.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1", - Namespace: "ns1", - }, - Spec: sampleissuerapi.IssuerSpec{ - AuthSecretName: "issuer1-credentials", - }, - Status: sampleissuerapi.IssuerStatus{ - Conditions: []sampleissuerapi.IssuerCondition{ - { - Type: sampleissuerapi.IssuerConditionReady, - Status: sampleissuerapi.ConditionTrue, - }, - }, - }, - }, - }, - signerBuilder: func(*sampleissuerapi.IssuerSpec, map[string][]byte) (signer.Signer, error) { - return nil, errors.New("simulated signer builder error") - }, - expectedError: errSignerBuilder, - expectedReadyConditionStatus: cmmeta.ConditionFalse, - expectedReadyConditionReason: cmapi.CertificateRequestReasonPending, - }, - "signer-error": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - crObjects: []client.Object{ - cmgen.CertificateRequest( - "cr1", - cmgen.SetCertificateRequestNamespace("ns1"), - cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ - Name: "issuer1", - Group: sampleissuerapi.GroupVersion.Group, - Kind: "Issuer", - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionApproved, - Status: cmmeta.ConditionTrue, - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionUnknown, - }), - ), - }, - secretObjects: []client.Object{ - &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1-credentials", - Namespace: "ns1", - }, - }, - }, - issuerObjects: []client.Object{ - &sampleissuerapi.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1", - Namespace: "ns1", - }, - Spec: sampleissuerapi.IssuerSpec{ - AuthSecretName: "issuer1-credentials", - }, - Status: sampleissuerapi.IssuerStatus{ - Conditions: []sampleissuerapi.IssuerCondition{ - { - Type: sampleissuerapi.IssuerConditionReady, - Status: sampleissuerapi.ConditionTrue, - }, - }, - }, - }, - }, - signerBuilder: func(*sampleissuerapi.IssuerSpec, map[string][]byte) (signer.Signer, error) { - return &fakeSigner{errSign: errors.New("simulated sign error")}, nil - }, - expectedError: errSignerSign, - expectedReadyConditionStatus: cmmeta.ConditionFalse, - expectedReadyConditionReason: cmapi.CertificateRequestReasonPending, - }, - "request-not-approved": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - crObjects: []client.Object{ - cmgen.CertificateRequest( - "cr1", - cmgen.SetCertificateRequestNamespace("ns1"), - cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ - Name: "issuer1", - Group: sampleissuerapi.GroupVersion.Group, - Kind: "Issuer", - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionUnknown, - }), - ), - }, - secretObjects: []client.Object{ - &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1-credentials", - Namespace: "ns1", - }, - }, - }, - issuerObjects: []client.Object{ - &sampleissuerapi.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1", - Namespace: "ns1", - }, - Spec: sampleissuerapi.IssuerSpec{ - AuthSecretName: "issuer1-credentials", - }, - Status: sampleissuerapi.IssuerStatus{ - Conditions: []sampleissuerapi.IssuerCondition{ - { - Type: sampleissuerapi.IssuerConditionReady, - Status: sampleissuerapi.ConditionTrue, - }, - }, - }, - }, - }, - signerBuilder: func(*sampleissuerapi.IssuerSpec, map[string][]byte) (signer.Signer, error) { - return &fakeSigner{}, nil - }, - expectedFailureTime: nil, - expectedCertificate: nil, - }, - "request-denied": { - name: types.NamespacedName{Namespace: "ns1", Name: "cr1"}, - crObjects: []client.Object{ - cmgen.CertificateRequest( - "cr1", - cmgen.SetCertificateRequestNamespace("ns1"), - cmgen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ - Name: "issuer1", - Group: sampleissuerapi.GroupVersion.Group, - Kind: "Issuer", - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionDenied, - Status: cmmeta.ConditionTrue, - }), - cmgen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{ - Type: cmapi.CertificateRequestConditionReady, - Status: cmmeta.ConditionUnknown, - }), - ), - }, - issuerObjects: []client.Object{ - &sampleissuerapi.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1", - Namespace: "ns1", - }, - Spec: sampleissuerapi.IssuerSpec{ - AuthSecretName: "issuer1-credentials", - }, - Status: sampleissuerapi.IssuerStatus{ - Conditions: []sampleissuerapi.IssuerCondition{ - { - Type: sampleissuerapi.IssuerConditionReady, - Status: sampleissuerapi.ConditionTrue, - }, - }, - }, - }, - }, - secretObjects: []client.Object{ - &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1-credentials", - Namespace: "ns1", - }, - }, - }, - signerBuilder: func(*sampleissuerapi.IssuerSpec, map[string][]byte) (signer.Signer, error) { - return &fakeSigner{}, nil - }, - expectedCertificate: nil, - expectedFailureTime: &nowMetaTime, - expectedReadyConditionStatus: cmmeta.ConditionFalse, - expectedReadyConditionReason: cmapi.CertificateRequestReasonDenied, - }, - } - - scheme := runtime.NewScheme() - require.NoError(t, sampleissuerapi.AddToScheme(scheme)) - require.NoError(t, cmapi.AddToScheme(scheme)) - require.NoError(t, corev1.AddToScheme(scheme)) - - for name, tc := range tests { - t.Run(name, func(t *testing.T) { - eventRecorder := record.NewFakeRecorder(100) - fakeClient := fake.NewClientBuilder(). - WithScheme(scheme). - WithObjects(tc.secretObjects...). - WithObjects(tc.crObjects...). - WithObjects(tc.issuerObjects...). - WithStatusSubresource(tc.issuerObjects...). - WithStatusSubresource(tc.crObjects...). - Build() - controller := CertificateRequestReconciler{ - Client: fakeClient, - Scheme: scheme, - ClusterResourceNamespace: tc.clusterResourceNamespace, - SignerBuilder: tc.signerBuilder, - CheckApprovedCondition: true, - Clock: fixedClock, - recorder: eventRecorder, - } - - var crBefore cmapi.CertificateRequest - if err := fakeClient.Get(context.TODO(), tc.name, &crBefore); err != nil { - require.NoError(t, client.IgnoreNotFound(err), "unexpected error from fake client") - } - - result, reconcileErr := controller.Reconcile( - ctrl.LoggerInto(context.TODO(), logrtesting.NewTestLogger(t)), - reconcile.Request{NamespacedName: tc.name}, - ) - - var actualEvents []string - for { - select { - case e := <-eventRecorder.Events: - actualEvents = append(actualEvents, e) - continue - default: - break - } - break - } - if tc.expectedError != nil { - assertErrorIs(t, tc.expectedError, reconcileErr) - } else { - assert.NoError(t, reconcileErr) - } - - assert.Equal(t, tc.expectedResult, result, "Unexpected result") - - // For tests where the target CertificateRequest exists, we perform some further checks, - // otherwise exit early. - var crAfter cmapi.CertificateRequest - if err := fakeClient.Get(context.TODO(), tc.name, &crAfter); err != nil { - require.NoError(t, client.IgnoreNotFound(err), "unexpected error from fake client") - return - } - - // If the CR is unchanged after the Reconcile then we expect no - // Events and need not perform any further checks. - // NB: controller-runtime FakeClient updates the Resource version. - if crBefore.ResourceVersion == crAfter.ResourceVersion { - assert.Empty(t, actualEvents, "Events should only be created if the CertificateRequest is modified") - return - } - - // Certificate checks. - // Always check the certificate, in case it has been unexpectedly - // set without also having first added and updated the Ready - // condition. - assert.Equal(t, tc.expectedCertificate, crAfter.Status.Certificate) - - if !apiequality.Semantic.DeepEqual(tc.expectedFailureTime, crAfter.Status.FailureTime) { - assert.Equal(t, tc.expectedFailureTime, crAfter.Status.FailureTime) - } - - // Condition checks - condition := cmutil.GetCertificateRequestCondition(&crAfter, cmapi.CertificateRequestConditionReady) - // If the CertificateRequest is expected to have a Ready condition then we perform some extra checks. - if tc.expectedReadyConditionStatus != "" { - if assert.NotNilf( - t, - condition, - "Ready condition was expected but not found: tc.expectedReadyConditionStatus == %v", - tc.expectedReadyConditionStatus, - ) { - verifyCertificateRequestReadyCondition(t, tc.expectedReadyConditionStatus, tc.expectedReadyConditionReason, condition) - } - } else { - assert.Nil(t, condition, "Unexpected Ready condition") - } - - // Event checks - if condition != nil { - // The desired Event behaviour is as follows: - // - // * An Event should always be generated when the Ready condition is set. - // * Event contents should match the status and message of the condition. - // * Event type should be Warning if the Reconcile failed (temporary error) - // * Event type should be warning if the condition status is failed (permanent error) - expectedEventType := corev1.EventTypeNormal - if reconcileErr != nil || condition.Reason == cmapi.CertificateRequestReasonFailed { - expectedEventType = corev1.EventTypeWarning - } - // If there was a Reconcile error, there will be a retry and - // this should be reflected in the Event message. - eventMessage := condition.Message - if reconcileErr != nil { - eventMessage = fmt.Sprintf("Temporary error. Retrying: %v", reconcileErr) - } - // Each Reconcile should only emit a single Event - assert.Equal( - t, - []string{fmt.Sprintf("%s %s %s", expectedEventType, sampleissuerapi.EventReasonCertificateRequestReconciler, eventMessage)}, - actualEvents, - "expected a single event matching the condition", - ) - } else { - assert.Empty(t, actualEvents, "Found unexpected Events without a corresponding Ready condition") - } - }) - } -} - -func assertErrorIs(t *testing.T, expectedError, actualError error) { - if !assert.Error(t, actualError) { - return - } - assert.Truef(t, errors.Is(actualError, expectedError), "unexpected error type. expected: %v, got: %v", expectedError, actualError) -} - -func verifyCertificateRequestReadyCondition(t *testing.T, status cmmeta.ConditionStatus, reason string, condition *cmapi.CertificateRequestCondition) { - assert.Equal(t, status, condition.Status, "unexpected condition status") - validReasons := sets.NewString( - cmapi.CertificateRequestReasonPending, - cmapi.CertificateRequestReasonFailed, - cmapi.CertificateRequestReasonIssued, - cmapi.CertificateRequestReasonDenied, - ) - assert.Contains(t, validReasons, reason, "unexpected condition reason") - assert.Equal(t, reason, condition.Reason, "unexpected condition reason") -} diff --git a/internal/controllers/issuer_controller.go b/internal/controllers/issuer_controller.go deleted file mode 100644 index 0968ede..0000000 --- a/internal/controllers/issuer_controller.go +++ /dev/null @@ -1,171 +0,0 @@ -/* -Copyright 2020 The cert-manager Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package controllers - -import ( - "context" - "errors" - "fmt" - "time" - - corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/types" - utilerrors "k8s.io/apimachinery/pkg/util/errors" - "k8s.io/client-go/tools/record" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" - - sampleissuerapi "github.com/cert-manager/sample-external-issuer/api/v1alpha1" - "github.com/cert-manager/sample-external-issuer/internal/issuer/signer" - issuerutil "github.com/cert-manager/sample-external-issuer/internal/issuer/util" -) - -const ( - defaultHealthCheckInterval = time.Minute -) - -var ( - errGetAuthSecret = errors.New("failed to get Secret containing Issuer credentials") - errHealthCheckerBuilder = errors.New("failed to build the healthchecker") - errHealthCheckerCheck = errors.New("healthcheck failed") -) - -// IssuerReconciler reconciles a Issuer object -type IssuerReconciler struct { - client.Client - Kind string - Scheme *runtime.Scheme - ClusterResourceNamespace string - HealthCheckerBuilder signer.HealthCheckerBuilder - recorder record.EventRecorder -} - -// +kubebuilder:rbac:groups=sample-issuer.example.com,resources=issuers;clusterissuers,verbs=get;list;watch -// +kubebuilder:rbac:groups=sample-issuer.example.com,resources=issuers/status;clusterissuers/status,verbs=get;update;patch -// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch -// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch - -func (r *IssuerReconciler) newIssuer() (client.Object, error) { - issuerGVK := sampleissuerapi.GroupVersion.WithKind(r.Kind) - ro, err := r.Scheme.New(issuerGVK) - if err != nil { - return nil, err - } - return ro.(client.Object), nil -} - -func (r *IssuerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, err error) { - log := ctrl.LoggerFrom(ctx) - - issuer, err := r.newIssuer() - if err != nil { - log.Error(err, "Unrecognised issuer type") - return ctrl.Result{}, nil - } - if err := r.Get(ctx, req.NamespacedName, issuer); err != nil { - if err := client.IgnoreNotFound(err); err != nil { - return ctrl.Result{}, fmt.Errorf("unexpected get error: %v", err) - } - log.Info("Not found. Ignoring.") - return ctrl.Result{}, nil - } - - issuerSpec, issuerStatus, err := issuerutil.GetSpecAndStatus(issuer) - if err != nil { - log.Error(err, "Unexpected error while getting issuer spec and status. Not retrying.") - return ctrl.Result{}, nil - } - - // report gives feedback by updating the Ready Condition of the {Cluster}Issuer - // For added visibility we also log a message and create a Kubernetes Event. - report := func(conditionStatus sampleissuerapi.ConditionStatus, message string, err error) { - eventType := corev1.EventTypeNormal - if err != nil { - log.Error(err, message) - eventType = corev1.EventTypeWarning - message = fmt.Sprintf("%s: %v", message, err) - } else { - log.Info(message) - } - r.recorder.Event( - issuer, - eventType, - sampleissuerapi.EventReasonIssuerReconciler, - message, - ) - issuerutil.SetReadyCondition(issuerStatus, conditionStatus, sampleissuerapi.EventReasonIssuerReconciler, message) - } - - // Always attempt to update the Ready condition - defer func() { - if err != nil { - report(sampleissuerapi.ConditionFalse, "Temporary error. Retrying", err) - } - if updateErr := r.Status().Update(ctx, issuer); updateErr != nil { - err = utilerrors.NewAggregate([]error{err, updateErr}) - result = ctrl.Result{} - } - }() - - if ready := issuerutil.GetReadyCondition(issuerStatus); ready == nil { - report(sampleissuerapi.ConditionUnknown, "First seen", nil) - return ctrl.Result{}, nil - } - - secretName := types.NamespacedName{ - Name: issuerSpec.AuthSecretName, - } - - switch issuer.(type) { - case *sampleissuerapi.Issuer: - secretName.Namespace = req.Namespace - case *sampleissuerapi.ClusterIssuer: - secretName.Namespace = r.ClusterResourceNamespace - default: - log.Error(fmt.Errorf("unexpected issuer type: %t", issuer), "Not retrying.") - return ctrl.Result{}, nil - } - - var secret corev1.Secret - if err := r.Get(ctx, secretName, &secret); err != nil { - return ctrl.Result{}, fmt.Errorf("%w, secret name: %s, reason: %v", errGetAuthSecret, secretName, err) - } - - checker, err := r.HealthCheckerBuilder(issuerSpec, secret.Data) - if err != nil { - return ctrl.Result{}, fmt.Errorf("%w: %v", errHealthCheckerBuilder, err) - } - - if err := checker.Check(); err != nil { - return ctrl.Result{}, fmt.Errorf("%w: %v", errHealthCheckerCheck, err) - } - - report(sampleissuerapi.ConditionTrue, "Success", nil) - return ctrl.Result{RequeueAfter: defaultHealthCheckInterval}, nil -} - -func (r *IssuerReconciler) SetupWithManager(mgr ctrl.Manager) error { - issuerType, err := r.newIssuer() - if err != nil { - return err - } - r.recorder = mgr.GetEventRecorderFor(sampleissuerapi.EventSource) - return ctrl.NewControllerManagedBy(mgr). - For(issuerType). - Complete(r) -} diff --git a/internal/controllers/issuer_controller_test.go b/internal/controllers/issuer_controller_test.go deleted file mode 100644 index 01ceed6..0000000 --- a/internal/controllers/issuer_controller_test.go +++ /dev/null @@ -1,364 +0,0 @@ -package controllers - -import ( - "context" - "errors" - "fmt" - "testing" - - logrtesting "github.com/go-logr/logr/testing" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/types" - "k8s.io/client-go/tools/record" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/client/fake" - "sigs.k8s.io/controller-runtime/pkg/reconcile" - - sampleissuerapi "github.com/cert-manager/sample-external-issuer/api/v1alpha1" - "github.com/cert-manager/sample-external-issuer/internal/issuer/signer" - issuerutil "github.com/cert-manager/sample-external-issuer/internal/issuer/util" -) - -type fakeHealthChecker struct { - errCheck error -} - -func (o *fakeHealthChecker) Check() error { - return o.errCheck -} - -func TestIssuerReconcile(t *testing.T) { - type testCase struct { - kind string - name types.NamespacedName - issuerObjects []client.Object - secretObjects []client.Object - healthCheckerBuilder signer.HealthCheckerBuilder - clusterResourceNamespace string - expectedResult ctrl.Result - expectedError error - expectedReadyConditionStatus sampleissuerapi.ConditionStatus - } - - tests := map[string]testCase{ - "success-issuer": { - kind: "Issuer", - name: types.NamespacedName{Namespace: "ns1", Name: "issuer1"}, - issuerObjects: []client.Object{ - &sampleissuerapi.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1", - Namespace: "ns1", - }, - Spec: sampleissuerapi.IssuerSpec{ - AuthSecretName: "issuer1-credentials", - }, - Status: sampleissuerapi.IssuerStatus{ - Conditions: []sampleissuerapi.IssuerCondition{ - { - Type: sampleissuerapi.IssuerConditionReady, - Status: sampleissuerapi.ConditionUnknown, - }, - }, - }, - }, - }, - secretObjects: []client.Object{ - &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1-credentials", - Namespace: "ns1", - }, - }, - }, - healthCheckerBuilder: func(*sampleissuerapi.IssuerSpec, map[string][]byte) (signer.HealthChecker, error) { - return &fakeHealthChecker{}, nil - }, - expectedReadyConditionStatus: sampleissuerapi.ConditionTrue, - expectedResult: ctrl.Result{RequeueAfter: defaultHealthCheckInterval}, - }, - "success-clusterissuer": { - kind: "ClusterIssuer", - name: types.NamespacedName{Name: "clusterissuer1"}, - issuerObjects: []client.Object{ - &sampleissuerapi.ClusterIssuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "clusterissuer1", - }, - Spec: sampleissuerapi.IssuerSpec{ - AuthSecretName: "clusterissuer1-credentials", - }, - Status: sampleissuerapi.IssuerStatus{ - Conditions: []sampleissuerapi.IssuerCondition{ - { - Type: sampleissuerapi.IssuerConditionReady, - Status: sampleissuerapi.ConditionUnknown, - }, - }, - }, - }, - }, - secretObjects: []client.Object{ - &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "clusterissuer1-credentials", - Namespace: "kube-system", - }, - }, - }, - healthCheckerBuilder: func(*sampleissuerapi.IssuerSpec, map[string][]byte) (signer.HealthChecker, error) { - return &fakeHealthChecker{}, nil - }, - clusterResourceNamespace: "kube-system", - expectedReadyConditionStatus: sampleissuerapi.ConditionTrue, - expectedResult: ctrl.Result{RequeueAfter: defaultHealthCheckInterval}, - }, - "issuer-kind-unrecognised": { - kind: "UnrecognizedType", - name: types.NamespacedName{Namespace: "ns1", Name: "issuer1"}, - }, - "issuer-not-found": { - name: types.NamespacedName{Namespace: "ns1", Name: "issuer1"}, - }, - "issuer-missing-ready-condition": { - name: types.NamespacedName{Namespace: "ns1", Name: "issuer1"}, - issuerObjects: []client.Object{ - &sampleissuerapi.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1", - Namespace: "ns1", - }, - }, - }, - expectedReadyConditionStatus: sampleissuerapi.ConditionUnknown, - }, - "issuer-missing-secret": { - name: types.NamespacedName{Namespace: "ns1", Name: "issuer1"}, - issuerObjects: []client.Object{ - &sampleissuerapi.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1", - Namespace: "ns1", - }, - Spec: sampleissuerapi.IssuerSpec{ - AuthSecretName: "issuer1-credentials", - }, - Status: sampleissuerapi.IssuerStatus{ - Conditions: []sampleissuerapi.IssuerCondition{ - { - Type: sampleissuerapi.IssuerConditionReady, - Status: sampleissuerapi.ConditionUnknown, - }, - }, - }, - }, - }, - expectedError: errGetAuthSecret, - expectedReadyConditionStatus: sampleissuerapi.ConditionFalse, - }, - "issuer-failing-healthchecker-builder": { - name: types.NamespacedName{Namespace: "ns1", Name: "issuer1"}, - issuerObjects: []client.Object{ - &sampleissuerapi.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1", - Namespace: "ns1", - }, - Spec: sampleissuerapi.IssuerSpec{ - AuthSecretName: "issuer1-credentials", - }, - Status: sampleissuerapi.IssuerStatus{ - Conditions: []sampleissuerapi.IssuerCondition{ - { - Type: sampleissuerapi.IssuerConditionReady, - Status: sampleissuerapi.ConditionUnknown, - }, - }, - }, - }, - }, - secretObjects: []client.Object{ - &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1-credentials", - Namespace: "ns1", - }, - }, - }, - healthCheckerBuilder: func(*sampleissuerapi.IssuerSpec, map[string][]byte) (signer.HealthChecker, error) { - return nil, errors.New("simulated health checker builder error") - }, - expectedError: errHealthCheckerBuilder, - expectedReadyConditionStatus: sampleissuerapi.ConditionFalse, - }, - "issuer-failing-healthchecker-check": { - name: types.NamespacedName{Namespace: "ns1", Name: "issuer1"}, - issuerObjects: []client.Object{ - &sampleissuerapi.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1", - Namespace: "ns1", - }, - Spec: sampleissuerapi.IssuerSpec{ - AuthSecretName: "issuer1-credentials", - }, - Status: sampleissuerapi.IssuerStatus{ - Conditions: []sampleissuerapi.IssuerCondition{ - { - Type: sampleissuerapi.IssuerConditionReady, - Status: sampleissuerapi.ConditionUnknown, - }, - }, - }, - }, - }, - secretObjects: []client.Object{ - &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "issuer1-credentials", - Namespace: "ns1", - }, - }, - }, - healthCheckerBuilder: func(*sampleissuerapi.IssuerSpec, map[string][]byte) (signer.HealthChecker, error) { - return &fakeHealthChecker{errCheck: errors.New("simulated health check error")}, nil - }, - expectedError: errHealthCheckerCheck, - expectedReadyConditionStatus: sampleissuerapi.ConditionFalse, - }, - } - - scheme := runtime.NewScheme() - require.NoError(t, sampleissuerapi.AddToScheme(scheme)) - require.NoError(t, corev1.AddToScheme(scheme)) - - for name, tc := range tests { - t.Run(name, func(t *testing.T) { - eventRecorder := record.NewFakeRecorder(100) - fakeClient := fake.NewClientBuilder(). - WithScheme(scheme). - WithObjects(tc.secretObjects...). - WithObjects(tc.issuerObjects...). - WithStatusSubresource(tc.issuerObjects...). - Build() - if tc.kind == "" { - tc.kind = "Issuer" - } - controller := IssuerReconciler{ - Kind: tc.kind, - Client: fakeClient, - Scheme: scheme, - HealthCheckerBuilder: tc.healthCheckerBuilder, - ClusterResourceNamespace: tc.clusterResourceNamespace, - recorder: eventRecorder, - } - - issuerBefore, err := controller.newIssuer() - if err == nil { - if err := fakeClient.Get(context.TODO(), tc.name, issuerBefore); err != nil { - require.NoError(t, client.IgnoreNotFound(err), "unexpected error from fake client") - } - } - - result, reconcileErr := controller.Reconcile( - ctrl.LoggerInto(context.TODO(), logrtesting.NewTestLogger(t)), - reconcile.Request{NamespacedName: tc.name}, - ) - - var actualEvents []string - for { - select { - case e := <-eventRecorder.Events: - actualEvents = append(actualEvents, e) - continue - default: - break - } - break - } - - if tc.expectedError != nil { - assertErrorIs(t, tc.expectedError, reconcileErr) - } else { - assert.NoError(t, reconcileErr) - } - - assert.Equal(t, tc.expectedResult, result, "Unexpected result") - - // For tests where the target {Cluster}Issuer exists, we perform some further checks, - // otherwise exit early. - issuerAfter, err := controller.newIssuer() - if err == nil { - if err := fakeClient.Get(context.TODO(), tc.name, issuerAfter); err != nil { - require.NoError(t, client.IgnoreNotFound(err), "unexpected error from fake client") - } - } - if issuerAfter == nil { - return - } - - // If the CR is unchanged after the Reconcile then we expect no - // Events and need not perform any further checks. - // NB: controller-runtime FakeClient updates the Resource version. - if issuerBefore.GetResourceVersion() == issuerAfter.GetResourceVersion() { - assert.Empty(t, actualEvents, "Events should only be created if the {Cluster}Issuer is modified") - return - } - _, issuerStatusAfter, err := issuerutil.GetSpecAndStatus(issuerAfter) - require.NoError(t, err) - - condition := issuerutil.GetReadyCondition(issuerStatusAfter) - - if tc.expectedReadyConditionStatus != "" { - if assert.NotNilf( - t, - condition, - "Ready condition was expected but not found: tc.expectedReadyConditionStatus == %v", - tc.expectedReadyConditionStatus, - ) { - verifyIssuerReadyCondition(t, tc.expectedReadyConditionStatus, condition) - } - } else { - assert.Nil(t, condition, "Unexpected Ready condition") - } - - // Event checks - if condition != nil { - // The desired Event behaviour is as follows: - // - // * An Event should always be generated when the Ready condition is set. - // * Event contents should match the status and message of the condition. - // * Event type should be Warning if the Reconcile failed (temporary error) - // * Event type should be warning if the condition status is failed (permanent error) - expectedEventType := corev1.EventTypeNormal - if reconcileErr != nil || condition.Status == sampleissuerapi.ConditionFalse { - expectedEventType = corev1.EventTypeWarning - } - // If there was a Reconcile error, there will be a retry and - // this should be reflected in the Event message. - eventMessage := condition.Message - if reconcileErr != nil { - eventMessage = fmt.Sprintf("Temporary error. Retrying: %v", reconcileErr) - } - // Each Reconcile should only emit a single Event - assert.Equal( - t, - []string{fmt.Sprintf("%s %s %s", expectedEventType, sampleissuerapi.EventReasonIssuerReconciler, eventMessage)}, - actualEvents, - "expected a single event matching the condition", - ) - } else { - assert.Empty(t, actualEvents, "Found unexpected Events without a corresponding Ready condition") - } - }) - } -} - -func verifyIssuerReadyCondition(t *testing.T, status sampleissuerapi.ConditionStatus, condition *sampleissuerapi.IssuerCondition) { - assert.Equal(t, status, condition.Status, "unexpected condition status") -} diff --git a/internal/controllers/signer.go b/internal/controllers/signer.go new file mode 100644 index 0000000..1b23ac7 --- /dev/null +++ b/internal/controllers/signer.go @@ -0,0 +1,172 @@ +/* +Copyright 2023 The cert-manager Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controllers + +import ( + "context" + "crypto/x509" + "errors" + "fmt" + "time" + + "github.com/cert-manager/cert-manager/pkg/util/pki" + issuerapi "github.com/cert-manager/issuer-lib/api/v1alpha1" + "github.com/cert-manager/issuer-lib/controllers" + "github.com/cert-manager/issuer-lib/controllers/signer" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + + sampleissuerapi "github.com/cert-manager/sample-external-issuer/api/v1alpha1" +) + +var ( + errGetAuthSecret = errors.New("failed to get Secret containing Issuer credentials") + errHealthCheckerBuilder = errors.New("failed to build the healthchecker") + errHealthCheckerCheck = errors.New("healthcheck failed") + + errIssuerRef = errors.New("error interpreting issuerRef") + errGetIssuer = errors.New("error getting issuer") + errIssuerNotReady = errors.New("issuer is not ready") + errSignerBuilder = errors.New("failed to build the signer") + errSignerSign = errors.New("failed to sign") +) + +type HealthChecker interface { + Check() error +} + +type HealthCheckerBuilder func(*sampleissuerapi.IssuerSpec, map[string][]byte) (HealthChecker, error) + +type Signer interface { + Sign(*x509.Certificate) ([]byte, error) +} + +type SignerBuilder func(*sampleissuerapi.IssuerSpec, map[string][]byte) (Signer, error) + +type Issuer struct { + HealthCheckerBuilder HealthCheckerBuilder + SignerBuilder SignerBuilder + ClusterResourceNamespace string + + client client.Client +} + +func (s Issuer) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error { + s.client = mgr.GetClient() + + return (&controllers.CombinedController{ + IssuerTypes: []issuerapi.Issuer{&sampleissuerapi.Issuer{}}, + ClusterIssuerTypes: []issuerapi.Issuer{&sampleissuerapi.ClusterIssuer{}}, + + FieldOwner: "sampleissuer.cert-manager.io", + MaxRetryDuration: 1 * time.Minute, + + Sign: s.Sign, + Check: s.Check, + EventRecorder: mgr.GetEventRecorderFor("sampleissuer.cert-manager.io"), + }).SetupWithManager(ctx, mgr) +} + +func (o *Issuer) getIssuerDetails(issuerObject issuerapi.Issuer) (*sampleissuerapi.IssuerSpec, string, error) { + switch t := issuerObject.(type) { + case *sampleissuerapi.Issuer: + return &t.Spec, issuerObject.GetNamespace(), nil + case *sampleissuerapi.ClusterIssuer: + return &t.Spec, o.ClusterResourceNamespace, nil + default: + // A permanent error will cause the Issuer to not retry until the + // Issuer is updated. + return nil, "", signer.PermanentError{ + Err: fmt.Errorf("unexpected issuer type: %t", issuerObject), + } + } +} + +func (o *Issuer) getSecretData(ctx context.Context, issuerSpec *sampleissuerapi.IssuerSpec, namespace string) (map[string][]byte, error) { + secretName := types.NamespacedName{ + Namespace: namespace, + Name: issuerSpec.AuthSecretName, + } + + var secret corev1.Secret + if err := o.client.Get(ctx, secretName, &secret); err != nil { + return nil, fmt.Errorf("%w, secret name: %s, reason: %v", errGetAuthSecret, secretName, err) + } + + checker, err := o.HealthCheckerBuilder(issuerSpec, secret.Data) + if err != nil { + return nil, fmt.Errorf("%w: %v", errHealthCheckerBuilder, err) + } + + if err := checker.Check(); err != nil { + return nil, fmt.Errorf("%w: %v", errHealthCheckerCheck, err) + } + + return secret.Data, nil +} + +func (o *Issuer) Check(ctx context.Context, issuerObject issuerapi.Issuer) error { + issuerSpec, namespace, err := o.getIssuerDetails(issuerObject) + if err != nil { + return err + } + + _, err = o.getSecretData(ctx, issuerSpec, namespace) + return err +} + +func (o *Issuer) Sign(ctx context.Context, cr signer.CertificateRequestObject, issuerObject issuerapi.Issuer) (signer.PEMBundle, error) { + issuerSpec, namespace, err := o.getIssuerDetails(issuerObject) + if err != nil { + // Returning an IssuerError will change the status of the Issuer to Failed too. + return signer.PEMBundle{}, signer.IssuerError{ + Err: err, + } + } + + secretData, err := o.getSecretData(ctx, issuerSpec, namespace) + if err != nil { + // Returning an IssuerError will change the status of the Issuer to Failed too. + return signer.PEMBundle{}, signer.IssuerError{ + Err: err, + } + } + + certTemplate, _, _, err := cr.GetRequest() + if err != nil { + return signer.PEMBundle{}, err + } + + signerObj, err := o.SignerBuilder(issuerSpec, secretData) + if err != nil { + return signer.PEMBundle{}, fmt.Errorf("%w: %v", errSignerBuilder, err) + } + + signed, err := signerObj.Sign(certTemplate) + if err != nil { + return signer.PEMBundle{}, fmt.Errorf("%w: %v", errSignerSign, err) + } + + bundle, err := pki.ParseSingleCertificateChainPEM(signed) + if err != nil { + return signer.PEMBundle{}, err + } + + return signer.PEMBundle(bundle), nil +} diff --git a/internal/issuer/util/util.go b/internal/issuer/util/util.go deleted file mode 100644 index fc0908d..0000000 --- a/internal/issuer/util/util.go +++ /dev/null @@ -1,77 +0,0 @@ -/* -Copyright 2020 The cert-manager Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package util - -import ( - "fmt" - - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "sigs.k8s.io/controller-runtime/pkg/client" - - sampleissuerapi "github.com/cert-manager/sample-external-issuer/api/v1alpha1" -) - -func GetSpecAndStatus(issuer client.Object) (*sampleissuerapi.IssuerSpec, *sampleissuerapi.IssuerStatus, error) { - switch t := issuer.(type) { - case *sampleissuerapi.Issuer: - return &t.Spec, &t.Status, nil - case *sampleissuerapi.ClusterIssuer: - return &t.Spec, &t.Status, nil - default: - return nil, nil, fmt.Errorf("not an issuer type: %t", t) - } -} - -func SetReadyCondition(status *sampleissuerapi.IssuerStatus, conditionStatus sampleissuerapi.ConditionStatus, reason, message string) { - ready := GetReadyCondition(status) - if ready == nil { - ready = &sampleissuerapi.IssuerCondition{ - Type: sampleissuerapi.IssuerConditionReady, - } - status.Conditions = append(status.Conditions, *ready) - } - if ready.Status != conditionStatus { - ready.Status = conditionStatus - now := metav1.Now() - ready.LastTransitionTime = &now - } - ready.Reason = reason - ready.Message = message - - for i, c := range status.Conditions { - if c.Type == sampleissuerapi.IssuerConditionReady { - status.Conditions[i] = *ready - return - } - } -} - -func GetReadyCondition(status *sampleissuerapi.IssuerStatus) *sampleissuerapi.IssuerCondition { - for _, c := range status.Conditions { - if c.Type == sampleissuerapi.IssuerConditionReady { - return &c - } - } - return nil -} - -func IsReady(status *sampleissuerapi.IssuerStatus) bool { - if c := GetReadyCondition(status); c != nil { - return c.Status == sampleissuerapi.ConditionTrue - } - return false -} diff --git a/internal/issuer/util/util_test.go b/internal/issuer/util/util_test.go deleted file mode 100644 index dee355b..0000000 --- a/internal/issuer/util/util_test.go +++ /dev/null @@ -1,35 +0,0 @@ -/* -Copyright 2020 The cert-manager Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package util - -import ( - "testing" - - "github.com/stretchr/testify/assert" - - sampleissuerapi "github.com/cert-manager/sample-external-issuer/api/v1alpha1" -) - -func TestSetReadyCondition(t *testing.T) { - var issuerStatus sampleissuerapi.IssuerStatus - - SetReadyCondition(&issuerStatus, sampleissuerapi.ConditionTrue, "reason1", "message1") - assert.Equal(t, "message1", GetReadyCondition(&issuerStatus).Message) - - SetReadyCondition(&issuerStatus, sampleissuerapi.ConditionFalse, "reason2", "message2") - assert.Equal(t, "message2", GetReadyCondition(&issuerStatus).Message) -} diff --git a/internal/issuer/signer/authority.go b/internal/signer/authority.go similarity index 55% rename from internal/issuer/signer/authority.go rename to internal/signer/authority.go index eaae332..d8295e0 100644 --- a/internal/issuer/signer/authority.go +++ b/internal/signer/authority.go @@ -1,5 +1,5 @@ /* -Copyright 2019 The Kubernetes Authors. +Copyright 2023 The cert-manager Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -21,12 +21,9 @@ import ( "crypto/rand" "crypto/x509" "fmt" - "math/big" "time" ) -var serialNumberLimit = new(big.Int).Lsh(big.NewInt(1), 128) - // CertificateAuthority implements a certificate authority that supports policy // based signing. It's used by the signing controller. type CertificateAuthority struct { @@ -43,7 +40,7 @@ type CertificateAuthority struct { // Sign signs a certificate request, applying a SigningPolicy and returns a DER // encoded x509 certificate. -func (ca *CertificateAuthority) Sign(crDER []byte, policy SigningPolicy) ([]byte, error) { +func (ca *CertificateAuthority) Sign(certTemplate *x509.Certificate, policy SigningPolicy) ([]byte, error) { now := time.Now() if ca.Now != nil { now = ca.Now() @@ -54,46 +51,21 @@ func (ca *CertificateAuthority) Sign(crDER []byte, policy SigningPolicy) ([]byte return nil, fmt.Errorf("the signer has expired: NotAfter=%v", ca.Certificate.NotAfter) } - cr, err := x509.ParseCertificateRequest(crDER) - if err != nil { - return nil, fmt.Errorf("unable to parse certificate request: %v", err) - } - if err := cr.CheckSignature(); err != nil { - return nil, fmt.Errorf("unable to verify certificate request signature: %v", err) - } - - serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) - if err != nil { - return nil, fmt.Errorf("unable to generate a serial number for %s: %v", cr.Subject.CommonName, err) - } - - tmpl := &x509.Certificate{ - SerialNumber: serialNumber, - Subject: cr.Subject, - DNSNames: cr.DNSNames, - IPAddresses: cr.IPAddresses, - EmailAddresses: cr.EmailAddresses, - URIs: cr.URIs, - PublicKeyAlgorithm: cr.PublicKeyAlgorithm, - PublicKey: cr.PublicKey, - Extensions: cr.Extensions, - ExtraExtensions: cr.ExtraExtensions, - NotBefore: nbf, - } - if err := policy.apply(tmpl); err != nil { + if err := policy.apply(certTemplate); err != nil { return nil, err } - if !tmpl.NotAfter.Before(ca.Certificate.NotAfter) { - tmpl.NotAfter = ca.Certificate.NotAfter + if !certTemplate.NotAfter.Before(ca.Certificate.NotAfter) { + certTemplate.NotAfter = ca.Certificate.NotAfter } if !now.Before(ca.Certificate.NotAfter) { return nil, fmt.Errorf("refusing to sign a certificate that expired in the past") } - der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Certificate, cr.PublicKey, ca.PrivateKey) + der, err := x509.CreateCertificate(rand.Reader, certTemplate, ca.Certificate, certTemplate.PublicKey, ca.PrivateKey) if err != nil { return nil, fmt.Errorf("failed to sign certificate: %v", err) } + return der, nil } diff --git a/internal/issuer/signer/signer.go b/internal/signer/example.go similarity index 79% rename from internal/issuer/signer/signer.go rename to internal/signer/example.go index e8a5b63..5f20a6e 100644 --- a/internal/issuer/signer/signer.go +++ b/internal/signer/example.go @@ -1,31 +1,37 @@ +/* +Copyright 2023 The cert-manager Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package signer import ( + "crypto/x509" "encoding/pem" "time" capi "k8s.io/api/certificates/v1beta1" sampleissuerapi "github.com/cert-manager/sample-external-issuer/api/v1alpha1" + "github.com/cert-manager/sample-external-issuer/internal/controllers" ) -type HealthChecker interface { - Check() error -} - -type HealthCheckerBuilder func(*sampleissuerapi.IssuerSpec, map[string][]byte) (HealthChecker, error) - -type Signer interface { - Sign([]byte) ([]byte, error) -} - -type SignerBuilder func(*sampleissuerapi.IssuerSpec, map[string][]byte) (Signer, error) - -func ExampleHealthCheckerFromIssuerAndSecretData(*sampleissuerapi.IssuerSpec, map[string][]byte) (HealthChecker, error) { +func ExampleHealthCheckerFromIssuerAndSecretData(*sampleissuerapi.IssuerSpec, map[string][]byte) (controllers.HealthChecker, error) { return &exampleSigner{}, nil } -func ExampleSignerFromIssuerAndSecretData(*sampleissuerapi.IssuerSpec, map[string][]byte) (Signer, error) { +func ExampleSignerFromIssuerAndSecretData(*sampleissuerapi.IssuerSpec, map[string][]byte) (controllers.Signer, error) { return &exampleSigner{}, nil } @@ -88,11 +94,7 @@ YcXl/jdU/2nHdY6r7m6xIapxs0hdDMF/lML2SszUIukZw73NJp3x7L9enCY= duration = time.Hour * 24 * 365 ) -func (o *exampleSigner) Sign(csrBytes []byte) ([]byte, error) { - csr, err := parseCSR(csrBytes) - if err != nil { - return nil, err - } +func (o *exampleSigner) Sign(certTemplate *x509.Certificate) ([]byte, error) { key, err := parseKey(keyPEM) if err != nil { return nil, err @@ -101,12 +103,14 @@ func (o *exampleSigner) Sign(csrBytes []byte) ([]byte, error) { if err != nil { return nil, err } + ca := &CertificateAuthority{ Certificate: cert, PrivateKey: key, Backdate: 5 * time.Minute, } - crtDER, err := ca.Sign(csr.Raw, PermissiveSigningPolicy{ + + crtDER, err := ca.Sign(certTemplate, PermissiveSigningPolicy{ TTL: duration, Usages: []capi.KeyUsage{ capi.UsageServerAuth, @@ -115,6 +119,7 @@ func (o *exampleSigner) Sign(csrBytes []byte) ([]byte, error) { if err != nil { return nil, err } + return pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE", Bytes: crtDER, diff --git a/internal/issuer/signer/policies.go b/internal/signer/policies.go similarity index 99% rename from internal/issuer/signer/policies.go rename to internal/signer/policies.go index 9a21e48..1caae71 100644 --- a/internal/issuer/signer/policies.go +++ b/internal/signer/policies.go @@ -1,5 +1,5 @@ /* -Copyright 2019 The Kubernetes Authors. +Copyright 2023 The cert-manager Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/internal/issuer/signer/x509util.go b/internal/signer/x509util.go similarity index 74% rename from internal/issuer/signer/x509util.go rename to internal/signer/x509util.go index a2ea23d..84946b9 100644 --- a/internal/issuer/signer/x509util.go +++ b/internal/signer/x509util.go @@ -1,11 +1,11 @@ /* -Copyright 2020 The Kubernetes Authors. +Copyright 2023 The cert-manager Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, @@ -40,12 +40,3 @@ func parseCert(pemBytes []byte) (*x509.Certificate, error) { } return x509.ParseCertificate(block.Bytes) } - -func parseCSR(pemBytes []byte) (*x509.CertificateRequest, error) { - // extract PEM from request object - block, _ := pem.Decode(pemBytes) - if block == nil || block.Type != "CERTIFICATE REQUEST" { - return nil, errors.New("PEM block type must be CERTIFICATE REQUEST") - } - return x509.ParseCertificateRequest(block.Bytes) -} diff --git a/main.go b/main.go index e0ffb1d..e3ff1f7 100644 --- a/main.go +++ b/main.go @@ -17,45 +17,36 @@ limitations under the License. package main import ( + "context" "errors" "flag" "fmt" - "io/ioutil" "os" // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) // to ensure that exec-entrypoint and run can make use of them. _ "k8s.io/client-go/plugin/pkg/client/auth" + "k8s.io/klog/v2" cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" - "k8s.io/utils/clock" ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" sampleissuerv1alpha1 "github.com/cert-manager/sample-external-issuer/api/v1alpha1" "github.com/cert-manager/sample-external-issuer/internal/controllers" - "github.com/cert-manager/sample-external-issuer/internal/issuer/signer" + "github.com/cert-manager/sample-external-issuer/internal/signer" "github.com/cert-manager/sample-external-issuer/internal/version" //+kubebuilder:scaffold:imports ) const inClusterNamespacePath = "/var/run/secrets/kubernetes.io/serviceaccount/namespace" -var ( - scheme = runtime.NewScheme() - setupLog = ctrl.Log.WithName("setup") -) - -func init() { - utilruntime.Must(clientgoscheme.AddToScheme(scheme)) - utilruntime.Must(cmapi.AddToScheme(scheme)) - utilruntime.Must(sampleissuerv1alpha1.AddToScheme(scheme)) - //+kubebuilder:scaffold:scheme -} - func main() { var metricsAddr string var probeAddr string @@ -80,26 +71,34 @@ func main() { flag.Parse() + logr := zap.New(zap.UseFlagOptions(&opts)) + + klog.SetLogger(logr) + ctrl.SetLogger(logr) + + logr.Info("Version", "version", version.Version) + if printVersion { - fmt.Println(version.Version) return } - ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) - - if clusterResourceNamespace == "" { - var err error - clusterResourceNamespace, err = getInClusterNamespace() - if err != nil { - if errors.Is(err, errNotInCluster) { - setupLog.Error(err, "please supply --cluster-resource-namespace") - } else { - setupLog.Error(err, "unexpected error while getting in-cluster Namespace") - } - os.Exit(1) + setupLog := logr.WithName("setup") + + if err := getInClusterNamespace(&clusterResourceNamespace); err != nil { + if errors.Is(err, errNotInCluster) { + setupLog.Error(err, "please supply --cluster-resource-namespace") + } else { + setupLog.Error(err, "unexpected error while getting in-cluster Namespace") } + os.Exit(1) } + scheme := runtime.NewScheme() + utilruntime.Must(clientgoscheme.AddToScheme(scheme)) + utilruntime.Must(cmapi.AddToScheme(scheme)) + utilruntime.Must(sampleissuerv1alpha1.AddToScheme(scheme)) + // +kubebuilder:scaffold:scheme + setupLog.Info( "starting", "version", version.Version, @@ -109,9 +108,13 @@ func main() { ) mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ - Scheme: scheme, - MetricsBindAddress: metricsAddr, - Port: 9443, + Scheme: scheme, + Metrics: server.Options{ + BindAddress: metricsAddr, + }, + WebhookServer: webhook.NewServer(webhook.Options{ + Port: 9443, + }), HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, LeaderElectionID: "54c549fd.example.com", @@ -125,49 +128,38 @@ func main() { // the manager stops, so would be fine to enable this option. However, // if you are doing or is intended to do any operation such as perform cleanups // after the manager stops then its usage might be unsafe. - // LeaderElectionReleaseOnCancel: true, + LeaderElectionReleaseOnCancel: true, }) if err != nil { setupLog.Error(err, "unable to start manager") os.Exit(1) } - if err = (&controllers.IssuerReconciler{ - Kind: "Issuer", - Client: mgr.GetClient(), - Scheme: mgr.GetScheme(), - ClusterResourceNamespace: clusterResourceNamespace, + ctx, cancel := context.WithCancel(ctrl.SetupSignalHandler()) + defer cancel() + + if err = (&controllers.Issuer{ HealthCheckerBuilder: signer.ExampleHealthCheckerFromIssuerAndSecretData, - }).SetupWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create controller", "controller", "Issuer") - os.Exit(1) - } - if err = (&controllers.IssuerReconciler{ - Kind: "ClusterIssuer", - Client: mgr.GetClient(), - Scheme: mgr.GetScheme(), + SignerBuilder: signer.ExampleSignerFromIssuerAndSecretData, ClusterResourceNamespace: clusterResourceNamespace, - HealthCheckerBuilder: signer.ExampleHealthCheckerFromIssuerAndSecretData, - }).SetupWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create controller", "controller", "ClusterIssuer") + }).SetupWithManager(ctx, mgr); err != nil { + setupLog.Error(err, "unable to create Signer controllers") os.Exit(1) } - if err = (&controllers.CertificateRequestReconciler{ - Client: mgr.GetClient(), - Scheme: mgr.GetScheme(), - ClusterResourceNamespace: clusterResourceNamespace, - SignerBuilder: signer.ExampleSignerFromIssuerAndSecretData, - CheckApprovedCondition: !disableApprovedCheck, - Clock: clock.RealClock{}, - }).SetupWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create controller", "controller", "CertificateRequest") + // +kubebuilder:scaffold:builder + + if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { + setupLog.Error(err, "unable to set up health check") + os.Exit(1) + } + if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { + setupLog.Error(err, "unable to set up ready check") os.Exit(1) } - // +kubebuilder:scaffold:builder setupLog.Info("starting manager") - if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { + if err := mgr.Start(ctx); err != nil { setupLog.Error(err, "problem running manager") os.Exit(1) } @@ -176,20 +168,26 @@ func main() { var errNotInCluster = errors.New("not running in-cluster") // Copied from controller-runtime/pkg/leaderelection -func getInClusterNamespace() (string, error) { +func getInClusterNamespace(clusterResourceNamespace *string) error { + if *clusterResourceNamespace != "" { + return nil + } + // Check whether the namespace file exists. // If not, we are not running in cluster so can't guess the namespace. _, err := os.Stat(inClusterNamespacePath) if os.IsNotExist(err) { - return "", errNotInCluster + return errNotInCluster } else if err != nil { - return "", fmt.Errorf("error checking namespace file: %w", err) + return fmt.Errorf("error checking namespace file: %w", err) } // Load the namespace file and return its content - namespace, err := ioutil.ReadFile(inClusterNamespacePath) + namespace, err := os.ReadFile(inClusterNamespacePath) if err != nil { - return "", fmt.Errorf("error reading namespace file: %w", err) + return fmt.Errorf("error reading namespace file: %w", err) } - return string(namespace), nil + *clusterResourceNamespace = string(namespace) + + return nil }