Merge pull request #34 from openshift-cloud-team/rebase-bot-master

Merge https://github.com/kubernetes/cloud-provider-gcp:master (49c9a25) into master
openshift · Jul 25, 2023 · 37deba9 · 37deba9
2 parents 130acc6 + 71080c6
commit 37deba9
Show file tree

Hide file tree

Showing 7,490 changed files with 3,536,029 additions and 1,989 deletions.
diff --git a/WORKSPACE b/WORKSPACE
@@ -47,7 +47,7 @@ go_rules_dependencies()
 
 go_download_sdk(
     name = "go_sdk",
-    version = "1.20.4",
+    version = "1.20.5",
 )
 
 go_register_toolchains()

diff --git a/cloudbuild.yaml b/cloudbuild.yaml
@@ -1,24 +1,141 @@
 # See https://cloud.google.com/cloud-build/docs/build-config
 # For more information about Image pushing refer to https://github.com/kubernetes/test-infra/blob/master/config/jobs/image-pushing/README.md
 timeout: 3600s
-
 options:
   substitution_option: ALLOW_LOOSE
-
 steps:
   - name: 'gcr.io/cloud-builders/bazel'
     env:
-    - IMAGE_REGISTRY=gcr.io
-    - IMAGE_REPO=k8s-staging-cloud-provider-gcp
-    - IMAGE_TAG=$SHORT_SHA
+      - IMAGE_REGISTRY=gcr.io
+      - IMAGE_REPO=k8s-staging-cloud-provider-gcp
+      - IMAGE_TAG=${_PULL_BASE_REF}
     args:
       - run
       - //cmd/cloud-controller-manager:publish
-
+  - name: 'gcr.io/cloud-builders/bazel'
+    env:
+      - IMAGE_REGISTRY=gcr.io
+      - IMAGE_REPO=k8s-staging-cloud-provider-gcp
+      - IMAGE_TAG=${_PULL_BASE_REF}
+    args:
+      - run
+      - //cmd/gcp-controller-manager:publish
+  # build gke-exec-auth-plugin binary
+  - name: 'gcr.io/cloud-builders/bazel'
+    args:
+      - --output_user_root=/workspace/bazel-root
+      - --output_base=/workspace/bazel-base-linux-amd64
+      - build
+      - //cmd/gke-exec-auth-plugin
+  - name: 'gcr.io/cloud-builders/gsutil'
+    args:
+      - cp
+      - /workspace/bazel-base-linux-amd64/execroot/io_k8s_cloud_provider_gcp/bazel-out/k8-fastbuild/bin/cmd/gke-exec-auth-plugin/gke-exec-auth-plugin_/gke-exec-auth-plugin
+      - gs://k8s-staging-cloud-provider-gcp/gke-exec-auth-plugin/linux-amd64/${_GIT_TAG}
+  # build gke-gcloud-auth-plugin binary
+  - name: 'gcr.io/cloud-builders/bazel'
+    args:
+      - --output_user_root=/workspace/bazel-root
+      - --output_base=/workspace/bazel-base-linux-amd64
+      - build
+      - //cmd/gke-gcloud-auth-plugin
+  - name: 'gcr.io/cloud-builders/gsutil'
+    args:
+      - cp
+      - /workspace/bazel-base-linux-amd64/execroot/io_k8s_cloud_provider_gcp/bazel-out/k8-fastbuild/bin/cmd/gke-gcloud-auth-plugin/gke-gcloud-auth-plugin_/gke-gcloud-auth-plugin
+      - gs://k8s-staging-cloud-provider-gcp/gke-gcloud-auth-plugin/linux-amd64/${_GIT_TAG}
+  # build auth-provider-gcp binary
+  - name: 'gcr.io/cloud-builders/bazel'
+    args:
+      - --output_user_root=/workspace/bazel-root
+      - --output_base=/workspace/bazel-base-linux-amd64
+      - build
+      - //cmd/auth-provider-gcp
+  - name: 'gcr.io/cloud-builders/gsutil'
+    args:
+      - cp
+      - /workspace/bazel-base-linux-amd64/execroot/io_k8s_cloud_provider_gcp/bazel-out/k8-fastbuild/bin/cmd/auth-provider-gcp/auth-provider-gcp_/auth-provider-gcp
+      - gs://k8s-staging-cloud-provider-gcp/auth-provider-gcp/linux-amd64/${_GIT_TAG}
+  # build gke-exec-auth-plugin binary
+  - name: 'gcr.io/cloud-builders/bazel'
+    args:
+      - --output_user_root=/workspace/bazel-root
+      - --output_base=/workspace/bazel-base-linux-arm64
+      - build
+      - --platforms=@io_bazel_rules_go//go/toolchain:linux_arm64
+      - //cmd/gke-exec-auth-plugin
+  - name: 'gcr.io/cloud-builders/gsutil'
+    args:
+      - cp
+      - /workspace/bazel-base-linux-arm64/execroot/io_k8s_cloud_provider_gcp/bazel-out/k8-fastbuild/bin/cmd/gke-exec-auth-plugin/gke-exec-auth-plugin_/gke-exec-auth-plugin
+      - gs://k8s-staging-cloud-provider-gcp/gke-exec-auth-plugin/linux-arm64/${_GIT_TAG}
+  # build gke-gcloud-auth-plugin binary
+  - name: 'gcr.io/cloud-builders/bazel'
+    args:
+      - --output_user_root=/workspace/bazel-root
+      - --output_base=/workspace/bazel-base-linux-arm64
+      - build
+      - --platforms=@io_bazel_rules_go//go/toolchain:linux_arm64
+      - //cmd/gke-gcloud-auth-plugin
+  - name: 'gcr.io/cloud-builders/gsutil'
+    args:
+      - cp
+      - /workspace/bazel-base-linux-arm64/execroot/io_k8s_cloud_provider_gcp/bazel-out/k8-fastbuild/bin/cmd/gke-gcloud-auth-plugin/gke-gcloud-auth-plugin_/gke-gcloud-auth-plugin
+      - gs://k8s-staging-cloud-provider-gcp/gke-gcloud-auth-plugin/linux-arm64/${_GIT_TAG}
+  # build auth-provider-gcp binary
+  - name: 'gcr.io/cloud-builders/bazel'
+    args:
+      - --output_user_root=/workspace/bazel-root
+      - --output_base=/workspace/bazel-base-linux-arm64
+      - build
+      - --platforms=@io_bazel_rules_go//go/toolchain:linux_arm64
+      - //cmd/auth-provider-gcp
+  - name: 'gcr.io/cloud-builders/gsutil'
+    args:
+      - cp
+      - /workspace/bazel-base-linux-arm64/execroot/io_k8s_cloud_provider_gcp/bazel-out/k8-fastbuild/bin/cmd/auth-provider-gcp/auth-provider-gcp_/auth-provider-gcp
+      - gs://k8s-staging-cloud-provider-gcp/auth-provider-gcp/linux-arm64/${_GIT_TAG} 
+  # build gke-exec-auth-plugin binary
+  - name: 'gcr.io/cloud-builders/bazel'
+    args:
+      - --output_user_root=/workspace/bazel-root
+      - --output_base=/workspace/bazel-base-windows-amd64
+      - build
+      - --platforms=@io_bazel_rules_go//go/toolchain:windows_amd64
+      - //cmd/gke-exec-auth-plugin
+  - name: 'gcr.io/cloud-builders/gsutil'
+    args:
+      - cp
+      - /workspace/bazel-base-windows-amd64/execroot/io_k8s_cloud_provider_gcp/bazel-out/k8-fastbuild/bin/cmd/gke-exec-auth-plugin/gke-exec-auth-plugin_/gke-exec-auth-plugin.exe
+      - gs://k8s-staging-cloud-provider-gcp/gke-exec-auth-plugin/windows-amd64/${_GIT_TAG}
+  # build gke-gcloud-auth-plugin binary
+  - name: 'gcr.io/cloud-builders/bazel'
+    args:
+      - --output_user_root=/workspace/bazel-root
+      - --output_base=/workspace/bazel-base-windows-amd64
+      - build
+      - --platforms=@io_bazel_rules_go//go/toolchain:windows_amd64
+      - //cmd/gke-gcloud-auth-plugin
+  - name: 'gcr.io/cloud-builders/gsutil'
+    args:
+      - cp
+      - /workspace/bazel-base-windows-amd64/execroot/io_k8s_cloud_provider_gcp/bazel-out/k8-fastbuild/bin/cmd/gke-gcloud-auth-plugin/gke-gcloud-auth-plugin_/gke-gcloud-auth-plugin.exe
+      - gs://k8s-staging-cloud-provider-gcp/gke-gcloud-auth-plugin/windows-amd64/${_GIT_TAG}
+  # build auth-provider-gcp binary
+  - name: 'gcr.io/cloud-builders/bazel'
+    args:
+      - --output_user_root=/workspace/bazel-root
+      - --output_base=/workspace/bazel-base-windows-amd64
+      - build
+      - --platforms=@io_bazel_rules_go//go/toolchain:windows_amd64
+      - //cmd/auth-provider-gcp
+  - name: 'gcr.io/cloud-builders/gsutil'
+    args:
+      - cp
+      - /workspace/bazel-base-windows-amd64/execroot/io_k8s_cloud_provider_gcp/bazel-out/k8-fastbuild/bin/cmd/auth-provider-gcp/auth-provider-gcp_/auth-provider-gcp.exe
+      - gs://k8s-staging-cloud-provider-gcp/auth-provider-gcp/windows-amd64/${_GIT_TAG}
+# TODO: figure out how to do this better, most probably getting rid of bazel
 substitutions:
-  _GIT_TAG: '12345'
   _PULL_BASE_REF: 'master'
-
-tags:
-- 'cloud-controller-manager'
-- $_GIT_TAG
+  _GIT_TAG: '12345'
+
diff --git a/cluster/common.sh b/cluster/common.sh
@@ -288,12 +288,7 @@ function load-or-gen-kube-basicauth() {
 #   KUBE_VERSION
 function set_binary_version() {
   if [[ "${1}" =~ "/" ]]; then
-    IFS='/' read -r -a path <<< "${1}"
-    if [[ "${path[0]}" == "release" ]]; then
-      KUBE_VERSION=$(gsutil cat "gs://kubernetes-release/${1}.txt")
-    else
-      KUBE_VERSION=$(gsutil cat "gs://k8s-release-dev/${1}.txt")
-    fi
+    KUBE_VERSION=$(curl -sL "https://dl.k8s.io/${1}.txt")
   else
     KUBE_VERSION=${1}
   fi

diff --git a/cluster/gce/gci/configure.sh b/cluster/gce/gci/configure.sh
@@ -252,7 +252,7 @@ function install-gci-mounter-tools {
   mkdir -p "${CONTAINERIZED_MOUNTER_HOME}"
   chmod a+x "${CONTAINERIZED_MOUNTER_HOME}"
   mkdir -p "${CONTAINERIZED_MOUNTER_HOME}/rootfs"
-  download-or-bust "${mounter_tar_sha}" "https://storage.googleapis.com/kubernetes-release/gci-mounter/mounter.tar"
+  download-or-bust "${mounter_tar_sha}" "https://dl.k8s.io/gci-mounter/mounter.tar"
   cp "${KUBE_HOME}/kubernetes/server/bin/mounter" "${CONTAINERIZED_MOUNTER_HOME}/mounter"
   chmod a+x "${CONTAINERIZED_MOUNTER_HOME}/mounter"
   mv "${KUBE_HOME}/mounter.tar" /tmp/mounter.tar
@@ -295,7 +295,7 @@ function install-node-problem-detector {
   fi
 
   echo "Downloading ${npd_tar}."
-  local -r npd_release_path="${NODE_PROBLEM_DETECTOR_RELEASE_PATH:-https://storage.googleapis.com/kubernetes-release}"
+  local -r npd_release_path="${NODE_PROBLEM_DETECTOR_RELEASE_PATH:-https://dl.k8s.io}"
   download-or-bust "${npd_hash}" "${npd_release_path}/node-problem-detector/${npd_tar}"
   local -r npd_dir="${KUBE_HOME}/node-problem-detector"
   mkdir -p "${npd_dir}"

diff --git a/cluster/gce/upgrade.sh b/cluster/gce/upgrade.sh
@@ -61,9 +61,9 @@ function usage() {
   local release_latest
   local ci_latest
 
-  release_stable=$(gsutil cat gs://kubernetes-release/release/stable.txt)
-  release_latest=$(gsutil cat gs://kubernetes-release/release/latest.txt)
-  ci_latest=$(gsutil cat gs://k8s-release-dev/ci/latest.txt)
+  release_stable=$(curl -sL https://dl.k8s.io/release/stable.txt)
+  release_latest=$(curl -sL https://dl.k8s.io/release/latest.txt)
+  ci_latest=$(curl -sL https://dl.k8s.io/ci/latest.txt)
 
   echo "Right now, versions are as follows:"
   echo "  release/stable: ${0} ${release_stable}"

diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
@@ -519,10 +519,10 @@ function tars_from_version() {
     find-release-tars
     upload-tars
   elif [[ ${KUBE_VERSION} =~ ${KUBE_RELEASE_VERSION_REGEX} ]]; then
-    SERVER_BINARY_TAR_URL="https://storage.googleapis.com/kubernetes-release/release/${KUBE_VERSION}/kubernetes-server-linux-amd64.tar.gz"
+    SERVER_BINARY_TAR_URL="https://dl.k8s.io/release/${KUBE_VERSION}/kubernetes-server-linux-amd64.tar.gz"
     # TODO: Clean this up.
     KUBE_MANIFESTS_TAR_URL="${SERVER_BINARY_TAR_URL/server-linux-amd64/manifests}"
-    KUBE_MANIFESTS_TAR_HASH=$(curl "${KUBE_MANIFESTS_TAR_URL}" --silent --show-error | ${sha512sum})
+    KUBE_MANIFESTS_TAR_HASH=$(curl -L "${KUBE_MANIFESTS_TAR_URL}" --silent --show-error | ${sha512sum})
     KUBE_MANIFESTS_TAR_HASH=${KUBE_MANIFESTS_TAR_HASH%%[[:blank:]]*}
   elif [[ ${KUBE_VERSION} =~ ${KUBE_CI_VERSION_REGEX} ]]; then
     SERVER_BINARY_TAR_URL="https://storage.googleapis.com/k8s-release-dev/ci/${KUBE_VERSION}/kubernetes-server-linux-amd64.tar.gz"
@@ -1705,7 +1705,7 @@ function setup-easyrsa {
   # Note: This was heavily cribbed from make-ca-cert.sh
   (set -x
     cd "${KUBE_TEMP}"
-    curl -L -O --connect-timeout 20 --retry 6 --retry-delay 2 https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
+    curl -L -O --connect-timeout 20 --retry 6 --retry-delay 2 https://dl.k8s.io/easy-rsa/easy-rsa.tar.gz
     tar xzf easy-rsa.tar.gz
     mkdir easy-rsa-master/kubelet
     cp -r easy-rsa-master/easyrsa3/* easy-rsa-master/kubelet

diff --git a/cluster/get-kube-binaries.sh b/cluster/get-kube-binaries.sh
@@ -46,7 +46,7 @@
 #
 #  Set KUBERNETES_SKIP_CONFIRM to skip the installation confirmation prompt.
 #  Set KUBERNETES_RELEASE_URL to choose where to download binaries from.
-#    (Defaults to https://storage.googleapis.com/kubernetes-release/release).
+#    (Defaults to https://dl.k8s.io/release).
 #  Set KUBERNETES_DOWNLOAD_TESTS to additionally download and extract the test
 #    binaries tarball.
 

diff --git a/cluster/get-kube.sh b/cluster/get-kube.sh
@@ -29,7 +29,7 @@
 #    stable release, (e.g. 'v1.3.7').
 #    See https://github.com/kubernetes/kubernetes/releases for release options.
 #  Set KUBERNETES_RELEASE_URL to choose where to download binaries from.
-#    (Defaults to https://storage.googleapis.com/kubernetes-release/release).
+#    (Defaults to https://dl.k8s.io/release).
 #
 #  Set KUBERNETES_SERVER_ARCH to choose the server (Kubernetes cluster)
 #  architecture to download:

diff --git a/cmd/cloud-controller-manager/BUILD b/cmd/cloud-controller-manager/BUILD
@@ -31,11 +31,9 @@ go_library(
         "//providers/gce",
         "//vendor/github.com/spf13/pflag",
         "//vendor/k8s.io/apimachinery/pkg/util/wait",
-        "//vendor/k8s.io/client-go/tools/cache",
         "//vendor/k8s.io/cloud-provider",
         "//vendor/k8s.io/cloud-provider-gcp/crd/client/network/clientset/versioned",
         "//vendor/k8s.io/cloud-provider-gcp/crd/client/network/informers/externalversions",
-        "//vendor/k8s.io/cloud-provider-gcp/crd/client/network/informers/externalversions/network/v1:network",
         "//vendor/k8s.io/cloud-provider/app",
         "//vendor/k8s.io/cloud-provider/app/config",
         "//vendor/k8s.io/cloud-provider/options",

diff --git a/cmd/cloud-controller-manager/gkenetworkparamsetcontroller.go b/cmd/cloud-controller-manager/gkenetworkparamsetcontroller.go
@@ -5,10 +5,9 @@ import (
 	"fmt"
 	"time"
 
-	"k8s.io/client-go/tools/cache"
 	cloudprovider "k8s.io/cloud-provider"
 	networkclientset "k8s.io/cloud-provider-gcp/crd/client/network/clientset/versioned"
-	v1informers "k8s.io/cloud-provider-gcp/crd/client/network/informers/externalversions/network/v1"
+	networkinformers "k8s.io/cloud-provider-gcp/crd/client/network/informers/externalversions"
 	gkenetworkparamsetcontroller "k8s.io/cloud-provider-gcp/pkg/controller/gkenetworkparamset"
 	"k8s.io/cloud-provider-gcp/providers/gce"
 	"k8s.io/cloud-provider/app"
@@ -41,17 +40,18 @@ func startGkeNetworkParamsController(ccmConfig *cloudcontrollerconfig.CompletedC
 		return nil, false, err
 	}
 
-	//no resync, we dont want to automatically update objects if their state changes in gcp
-	gkeNetworkParamSetInformer := v1informers.NewGKENetworkParamSetInformer(networkClient, 0*time.Second, cache.Indexers{})
+	nwInfFactory := networkinformers.NewSharedInformerFactory(networkClient, 30*time.Second)
+	nwInformer := nwInfFactory.Networking().V1().Networks()
+	gnpInformer := nwInfFactory.Networking().V1().GKENetworkParamSets()
 
 	gkeNetworkParamsetController := gkenetworkparamsetcontroller.NewGKENetworkParamSetController(
 		networkClient,
-		gkeNetworkParamSetInformer,
+		gnpInformer,
+		nwInformer,
 		gceCloud,
+		nwInfFactory,
 	)
 
-	go gkeNetworkParamSetInformer.Run(controllerCtx.Stop)
-
 	go gkeNetworkParamsetController.Run(1, controllerCtx.Stop, controllerCtx.ControllerManagerMetrics)
 	return nil, true, nil
 }
diff --git a/cmd/gcp-controller-manager/BUILD b/cmd/gcp-controller-manager/BUILD
@@ -42,8 +42,8 @@ go_library(
         "//cmd/gcp-controller-manager:__subpackages__",
     ],
     deps = [
+        "//cmd/gcp-controller-manager/dpwi/auth",
         "//cmd/gcp-controller-manager/dpwi/configmap",
-        "//cmd/gcp-controller-manager/dpwi/hms",
         "//cmd/gcp-controller-manager/dpwi/nodesyncer",
         "//cmd/gcp-controller-manager/dpwi/pods",
         "//cmd/gcp-controller-manager/dpwi/serviceaccounts",

diff --git a/cmd/gcp-controller-manager/dpwi/README.md b/cmd/gcp-controller-manager/dpwi/README.md
@@ -3,7 +3,7 @@ This directory dpwi is short for Direct Path (via [ALTS](https://cloud.google.co
 It
 * listens to events of pods, service accounts, config maps, nodes
 * verifies if a KSA (Kubernetes Service Account) can act as a GSA (Google Service Account)
-* extracts all verified GSAs on a node and calls HMS to Sync. Down-streams will mint the credentials on the node.
+* extracts all verified GSAs on a node and calls Auth service to Sync. Down-streams will mint the credentials on the node.
 
 Below is the system graph and a brief introduction about how each component works.
  # System graph
@@ -12,14 +12,14 @@ Below is the system graph and a brief introduction about how each component work
 ## SA Verifier
 This is a key component that it interacts with all other handlers.
 
-It can verify if a KSA can act as a GSA by calling HMS and store the allowed/denied result. Since there can be many concurrent calls, we can use singleflight to minimize the calls to HMS.
+It can verify if a KSA can act as a GSA by calling Auth service and store the allowed/denied result. Since there can be many concurrent calls, we can use singleflight to minimize the calls to Auth service.
 
 It provides 3 APIs
-* ForceVerify(ksa) - Get the annotated GSA. If GSA is not empty, call HMS to verify the permission no matter if it has been verified or not. Store the result.
+* ForceVerify(ksa) - Get the annotated GSA. If GSA is not empty, call Auth service to verify the permission no matter if it has been verified or not. Store the result.
 Only SA Event Handler calls this API.
 
 
-* VerifiedGSA(ksa) - If it has the result locally, use it. Otherwise, call HMS to verify it.
+* VerifiedGSA(ksa) - If it has the result locally, use it. Otherwise, call Auth service to verify it.
 This is for the Pod event handler and the node sync event handler.
 
 
@@ -38,7 +38,7 @@ Since the IAM propagation can take up to 7 minutes, we will retry SA event if it
 If the pod’s KSA can act as a GSA (by calling the SA verifier), it triggers a node event.
 
 ## Node Event Handler
-For a node event, it iterates all pods on the node, makes sure each pod is verified, collects the complete list of GSAs and calls HMS to Sync.
+For a node event, it iterates all pods on the node, makes sure each pod is verified, collects the complete list of GSAs and calls Auth service to Sync.
 
 We use workqueue to store the events, so if there’re many concurrent events for the same node, they will be collapsed into one.
 

diff --git a/cmd/gcp-controller-manager/dpwi/hms/BUILD → cmd/gcp-controller-manager/dpwi/auth/BUILD b/cmd/gcp-controller-manager/dpwi/hms/BUILD → cmd/gcp-controller-manager/dpwi/auth/BUILD
@@ -1,12 +1,12 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 
 go_library(
-    name = "hms",
+    name = "auth",
     srcs = [
-        "hms.go",
-        "hms_fake.go",
+        "auth.go",
+        "auth_fake.go",
     ],
-    importpath = "k8s.io/cloud-provider-gcp/cmd/gcp-controller-manager/dpwi/hms",
+    importpath = "k8s.io/cloud-provider-gcp/cmd/gcp-controller-manager/dpwi/auth",
     visibility = ["//visibility:public"],
     deps = [
         "//vendor/k8s.io/apimachinery/pkg/runtime",
@@ -19,7 +19,7 @@ go_library(
 )
 
 go_test(
-    name = "hms_test",
-    srcs = ["hms_test.go"],
-    embed = [":hms"],
+    name = "auth_test",
+    srcs = ["auth_test.go"],
+    embed = [":auth"],
 )