diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9508587e8c..1dd8530724 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -217,7 +217,7 @@ jobs: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}-single - name: Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v2 - name: Build Docker Image nginx-ingress uses: docker/build-push-action@v2 with: @@ -363,27 +363,27 @@ jobs: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}-multi - name: Setup QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@v2 with: platforms: arm,arm64,ppc64le,s390x if: github.event_name != 'pull_request' - name: Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v2 - name: DockerHub Login - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} if: github.event_name != 'pull_request' - name: Login to GitHub Container Registry - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} if: github.event_name != 'pull_request' - name: Login to Public ECR - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: registry: public.ecr.aws username: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -391,12 +391,12 @@ jobs: if: github.event_name != 'pull_request' - name: Docker meta id: meta - uses: docker/metadata-action@v3 + uses: docker/metadata-action@v4 with: images: | - nginx/nginx-ingress - ghcr.io/nginxinc/kubernetes-ingress - public.ecr.aws/nginx/nginx-ingress + name=nginx/nginx-ingress + name=ghcr.io/nginxinc/kubernetes-ingress + name=public.ecr.aws/nginx/nginx-ingress flavor: suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }},onlatest=true tags: | type=edge @@ -453,7 +453,7 @@ jobs: output: 'trivy-results-${{ matrix.image }}.sarif' ignore-unfixed: 'true' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 continue-on-error: true with: sarif_file: 'trivy-results-${{ matrix.image }}.sarif' @@ -493,21 +493,21 @@ jobs: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}-multi - name: Setup QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@v2 with: platforms: arm64 if: github.event_name != 'pull_request' - name: Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v2 - name: GCR Login - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: registry: gcr.io username: _json_key password: ${{ secrets.GCR_JSON_KEY }} if: github.event_name != 'pull_request' - name: Login to ECR - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: registry: 709825985650.dkr.ecr.us-east-1.amazonaws.com username: ${{ secrets.AWS_ACCESS_KEY_ID }} 
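Review bot: `uses: docker/metadata-action@v4` on the Docker meta step, like every other `uses:` bump in this commit (ci.yml, codeql-analysis.yml, update-docker-images.yml), references a mutable major-version tag, so the code that runs inside a job holding registry credentials (`secrets.DOCKER_PASSWORD`, `secrets.GITHUB_TOKEN` and the AWS keys on the surrounding login steps) can change without any change to this repository. Pinning each action to a full commit SHA with the version kept as a trailing comment, e.g. `uses: docker/metadata-action@<full-commit-sha>  # v4.x.y` (placeholder values), keeps future bumps reviewable and limits exposure if an upstream tag is moved or the action repository is compromised. The `name=` rewrite of the `images:` list itself reads as equivalent to the three bare entries it replaces.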
@@ -516,13 +516,13 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@v3 + uses: docker/metadata-action@v4 with: images: | - ${{ startsWith(github.ref, 'refs/tags/') && 'gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress' || '' }} - ${{ startsWith(github.ref, 'refs/heads/release') && 'gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/staging/nginx-ic/nginx-plus-ingress' || '' }} - ${{ startsWith(github.ref, 'refs/tags/') && contains(matrix.target, 'aws') && '709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress' || '' }} - gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress,enable=${{ startsWith(github.ref, 'refs/tags/') }} + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/staging/nginx-ic/nginx-plus-ingress,enable=${{ startsWith(github.ref, 'refs/heads/release') }} + name=709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress,enable=${{ startsWith(github.ref, 'refs/tags/') && contains(matrix.target, 'aws') }} flavor: suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }},onlatest=true tags: | type=edge @@ -592,7 +592,7 @@ jobs: output: 'trivy-results-${{ matrix.image }}.sarif' ignore-unfixed: 'true' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 continue-on-error: true with: sarif_file: 'trivy-results-${{ matrix.image }}.sarif' diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 499ef70732..5933b75447 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -29,7 +29,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -40,7 +40,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v2 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -54,4 +54,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index fb9fc3f9ab..af8fbabd6c 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml @@ -180,25 +180,25 @@ jobs: path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}.html if: always() - name: Setup QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@v2 with: platforms: arm,arm64,ppc64le,s390x if: ${{ matrix.needs-updating == 'true' }} - name: DockerHub Login - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} if: ${{ matrix.needs-updating == 'true' }} - name: Login to GitHub Container Registry - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} if: ${{ matrix.needs-updating == 'true' }} - name: Login to Public ECR - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: registry: public.ecr.aws username: ${{ secrets.AWS_ACCESS_KEY_ID }} 
@@ -213,12 +213,12 @@ jobs: if: ${{ matrix.needs-updating == 'true' }} - name: Docker meta id: meta - uses: docker/metadata-action@v3 + uses: docker/metadata-action@v4 with: images: | - nginx/nginx-ingress - ghcr.io/nginxinc/kubernetes-ingress - public.ecr.aws/nginx/nginx-ingress + name=nginx/nginx-ingress + name=ghcr.io/nginxinc/kubernetes-ingress + name=public.ecr.aws/nginx/nginx-ingress flavor: | latest=true suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.image, 'opentracing') && '-ot' || '' }},onlatest=true @@ -265,7 +265,7 @@ jobs: ignore-unfixed: 'true' if: ${{ matrix.needs-updating == 'true' }} - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 continue-on-error: true with: sarif_file: 'trivy-results-${{ matrix.image }}.sarif' diff --git a/build/Dockerfile b/build/Dockerfile index 6e28237e22..ac65b73e08 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -31,8 +31,8 @@ FROM docker.io/library/nginx:1.21.6-alpine AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ - # temp fix for CVE-2022-1271 - && apk upgrade --no-cache xz-libs \ + # temp fix for CVE-2022-1271 and CVE-2022-22576 + && apk upgrade --no-cache xz-libs curl libcurl \ && cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \ && ldconfig /usr/local/lib/ diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 0f1fd4de70..c795e5c83b 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go 
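Review bot: `&& apk upgrade --no-cache xz-libs curl libcurl \` in the alpine stage installs whatever package revision the mirror serves at build time, so nothing in the Dockerfile records or verifies that the fixes for CVE-2022-1271 and CVE-2022-22576 actually landed; the Trivy scan steps in the workflows are the only visible check that the upgrade took effect. Since the comment calls this a temporary fix, it should also say when it can be removed, e.g. `# temp fix for CVE-2022-1271 and CVE-2022-22576; drop once the nginx alpine base image (nginx:1.21.6-alpine here) ships patched xz-libs and curl`. If the other stages of build/Dockerfile, which are outside this hunk, also install or ship curl, they presumably need the same upgrade.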
@@ -358,7 +358,7 @@ func main() { } if ingressClassRes.Spec.Controller != k8s.IngressControllerName { - glog.Fatalf("IngressClass with name %v has an invalid Spec.Controller %v", ingressClassRes.Name, ingressClassRes.Spec.Controller) + glog.Fatalf("IngressClass with name %v has an invalid Spec.Controller %v; expected %v", ingressClassRes.Name, ingressClassRes.Spec.Controller, k8s.IngressControllerName) } var dynClient dynamic.Interface diff --git a/deployments/helm-chart/templates/controller-daemonset.yaml b/deployments/helm-chart/templates/controller-daemonset.yaml index c023d42526..c31267c986 100644 --- a/deployments/helm-chart/templates/controller-daemonset.yaml +++ b/deployments/helm-chart/templates/controller-daemonset.yaml @@ -122,6 +122,12 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} resources: {{ toYaml .Values.controller.resources | indent 10 }} args: diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/deployments/helm-chart/templates/controller-deployment.yaml index 2a0042b17a..0816279dba 100644 --- a/deployments/helm-chart/templates/controller-deployment.yaml +++ b/deployments/helm-chart/templates/controller-deployment.yaml @@ -123,6 +123,12 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} args: - -nginx-plus={{ .Values.controller.nginxplus }} - -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} diff --git a/docs/content/configuration/global-configuration/command-line-arguments.md b/docs/content/configuration/global-configuration/command-line-arguments.md index e106959cec..e14f35b275 100644 --- a/docs/content/configuration/global-configuration/command-line-arguments.md 
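Review bot: The new `{{- if .Values.nginxServiceMesh.enable }}` guard in controller-daemonset.yaml dereferences `nginxServiceMesh` without checking that the map exists; unless values.yaml (outside this chunk) already declares the block, a values override that omits or nulls it fails at render time with a nil-pointer error rather than simply skipping the env entry. A safer form is `{{- if and .Values.nginxServiceMesh .Values.nginxServiceMesh.enable }}`. The identical block is added to controller-deployment.yaml in the next hunk and needs the same treatment. Which code reads `POD_SERVICEACCOUNT` is not visible here (presumably the workload-identity path, given the go-spiffe/v2 import change elsewhere in this commit); a short comment above the env entry naming its consumer would help the next chart maintainer.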
+++ b/docs/content/configuration/global-configuration/command-line-arguments.md @@ -59,7 +59,7 @@ Default `true`. ### -enable-preview-policies -Enables preview policies. This flag is deprecated. To enable OIDC Policies please[-enable-oidc](#cmdoption-enable-oidc) instead. +Enables preview policies. This flag is deprecated. To enable OIDC Policies please use [-enable-oidc](#cmdoption-enable-oidc) instead. Default `false`.   diff --git a/examples/custom-resources/oidc/README.md b/examples/custom-resources/oidc/README.md index e0dfc8095e..50d0d7a5e5 100644 --- a/examples/custom-resources/oidc/README.md +++ b/examples/custom-resources/oidc/README.md @@ -2,7 +2,7 @@ In this example, we deploy a web application, configure load balancing for it via a VirtualServer, and protect the application using an OpenID Connect policy and [Keycloak](https://www.keycloak.org/). -**Note**: The example doesn’t work in clusters with IPv6 networking. +**Note**: The KeyCloak container does not support IPv6 environments. ## Prerequisites diff --git a/go.mod b/go.mod index 9b6e0db090..ad21f2ee69 100644 --- a/go.mod +++ b/go.mod 
@@ -3,18 +3,19 @@ module github.com/nginxinc/kubernetes-ingress
go 1.18

require (
- github.com/aws/aws-sdk-go-v2/config v1.15.3
- github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.3
- github.com/cert-manager/cert-manager v1.8.0
+ github.com/aws/aws-sdk-go-v2/config v1.15.4
+ github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.4
+ github.com/cert-manager/cert-manager v1.8.1-0.20220505101928-4ec33298a243
github.com/golang-jwt/jwt/v4 v4.4.1
github.com/golang/glog v1.0.0
- github.com/google/go-cmp v0.5.7
+ github.com/google/go-cmp v0.5.8
github.com/kr/pretty v0.3.0
github.com/nginxinc/nginx-plus-go-client v0.9.0
github.com/nginxinc/nginx-prometheus-exporter v0.10.0
github.com/prometheus/client_golang v1.12.1
- github.com/spiffe/go-spiffe v1.1.0
+ github.com/spiffe/go-spiffe/v2 v2.1.0
github.com/stretchr/testify v1.7.1
+ google.golang.org/grpc v1.46.0
k8s.io/api v0.23.6
k8s.io/apimachinery v0.23.6
k8s.io/client-go v0.23.6
@@ -24,17 +25,18 @@ require (
)

require (
+ github.com/Microsoft/go-winio v0.5.2 // indirect
github.com/PuerkitoBio/purell v1.1.1 // indirect
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
- github.com/aws/aws-sdk-go-v2 v1.16.2 // indirect
- github.com/aws/aws-sdk-go-v2/credentials v1.11.2 // indirect
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3 // indirect
- github.com/aws/aws-sdk-go-v2/internal/ini v1.3.10 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.11.3 // indirect
- github.com/aws/aws-sdk-go-v2/service/sts v1.16.3 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.16.3 // indirect
+ github.com/aws/aws-sdk-go-v2/credentials v1.12.0 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.4 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.10 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.4 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.11 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.4 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.11.4 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sts v1.16.4 // indirect
github.com/aws/smithy-go v1.11.2 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
@@ -78,6 +80,7 @@ require (
github.com/rogpeppe/go-internal v1.6.1 // indirect
github.com/spf13/cobra v1.3.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
+ github.com/zeebo/errs v1.2.2 // indirect
go.etcd.io/etcd/api/v3 v3.5.1 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.1 // indirect
go.etcd.io/etcd/client/v3 v3.5.0 // indirect
@@ -95,7 +98,7 @@ require (
go.uber.org/atomic v1.7.0 // indirect
go.uber.org/multierr v1.6.0 // indirect
go.uber.org/zap v1.19.1 // indirect
- golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871 // indirect
+ golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
golang.org/x/mod v0.5.0 // indirect
golang.org/x/net v0.0.0-20220107192237-5cfca573fb4d // indirect
golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
@@ -107,9 +110,9 @@ require (
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220118154757-00ab72f36ad5 // indirect
- google.golang.org/grpc v1.43.0 // indirect
- google.golang.org/protobuf v1.27.1 // indirect
+ google.golang.org/protobuf v1.28.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
+ gopkg.in/square/go-jose.v2 v2.5.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
k8s.io/apiextensions-apiserver v0.23.4 // indirect
diff --git a/go.sum b/go.sum
index 837647eb56..d3b31c6004 100644
--- a/go.sum
+++ b/go.sum
@@ -64,6 +64,8 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= +github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA= +github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= 
@@ -85,28 +87,28 @@ github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= -github.com/aws/aws-sdk-go-v2 v1.16.2 h1:fqlCk6Iy3bnCumtrLz9r3mJ/2gUT0pJ0wLFVIdWh+JA= -github.com/aws/aws-sdk-go-v2 v1.16.2/go.mod h1:ytwTPBG6fXTZLxxeeCCWj2/EMYp/xDUgX+OET6TLNNU= -github.com/aws/aws-sdk-go-v2/config v1.15.3 h1:5AlQD0jhVXlGzwo+VORKiUuogkG7pQcLJNzIzK7eodw= -github.com/aws/aws-sdk-go-v2/config v1.15.3/go.mod h1:9YL3v07Xc/ohTsxFXzan9ZpFpdTOFl4X65BAKYaz8jg= -github.com/aws/aws-sdk-go-v2/credentials v1.11.2 h1:RQQ5fzclAKJyY5TvF+fkjJEwzK4hnxQCLOu5JXzDmQo= -github.com/aws/aws-sdk-go-v2/credentials v1.11.2/go.mod h1:j8YsY9TXTm31k4eFhspiQicfXPLZ0gYXA50i4gxPE8g= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3 h1:LWPg5zjHV9oz/myQr4wMs0gi4CjnDN/ILmyZUFYXZsU= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3/go.mod h1:uk1vhHHERfSVCUnqSqz8O48LBYDSC+k6brng09jcMOk= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9 h1:onz/VaaxZ7Z4V+WIN9Txly9XLTmoOh1oJ8XcAC3pako= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9/go.mod h1:AnVH5pvai0pAF4lXRq0bmhbes1u9R8wTE+g+183bZNM= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3 h1:9stUQR/u2KXU6HkFJYlqnZEjBnbgrVbG6I5HN09xZh0= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3/go.mod h1:ssOhaLpRlh88H3UmEcsBoVKq309quMvm3Ds8e9d4eJM= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.10 h1:by9P+oy3P/CwggN4ClnW2D4oL91QV7pBzBICi1chZvQ= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.10/go.mod h1:8DcYQcz0+ZJaSxANlHIsbbi6S+zMwjwdDqwW3r9AzaE= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3 h1:Gh1Gpyh01Yvn7ilO/b/hr01WgNpaszfbKMUgqM186xQ= 
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3/go.mod h1:wlY6SVjuwvh3TVRpTqdy4I1JpBFLX4UGeKZdWntaocw= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.3 h1:xqXHk4UDW7ii4MRciyLpY87yuZds0iymmgHt3h35xTE= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.3/go.mod h1:HT0cm2+NUCF33MdXjck554HC6VRgQ4q6JIlSqlYZ18Y= -github.com/aws/aws-sdk-go-v2/service/sso v1.11.3 h1:frW4ikGcxfAEDfmQqWgMLp+F1n4nRo9sF39OcIb5BkQ= -github.com/aws/aws-sdk-go-v2/service/sso v1.11.3/go.mod h1:7UQ/e69kU7LDPtY40OyoHYgRmgfGM4mgsLYtcObdveU= -github.com/aws/aws-sdk-go-v2/service/sts v1.16.3 h1:cJGRyzCSVwZC7zZZ1xbx9m32UnrKydRYhOvcD1NYP9Q= -github.com/aws/aws-sdk-go-v2/service/sts v1.16.3/go.mod h1:bfBj0iVmsUyUg4weDB4NxktD9rDGeKSVWnjTnwbx9b8= +github.com/aws/aws-sdk-go-v2 v1.16.3 h1:0W1TSJ7O6OzwuEvIXAtJGvOeQ0SGAhcpxPN2/NK5EhM= +github.com/aws/aws-sdk-go-v2 v1.16.3/go.mod h1:ytwTPBG6fXTZLxxeeCCWj2/EMYp/xDUgX+OET6TLNNU= +github.com/aws/aws-sdk-go-v2/config v1.15.4 h1:P4mesY1hYUxru4f9SU0XxNKXmzfxsD0FtMIPRBjkH7Q= +github.com/aws/aws-sdk-go-v2/config v1.15.4/go.mod h1:ZijHHh0xd/A+ZY53az0qzC5tT46kt4JVCePf2NX9Lk4= +github.com/aws/aws-sdk-go-v2/credentials v1.12.0 h1:4R/NqlcRFSkR0wxOhgHi+agGpbEr5qMCjn7VqUIJY+E= +github.com/aws/aws-sdk-go-v2/credentials v1.12.0/go.mod h1:9YWk7VW+eyKsoIL6/CljkTrNVWBSK9pkqOPUuijid4A= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.4 h1:FP8gquGeGHHdfY6G5llaMQDF+HAf20VKc8opRwmjf04= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.4/go.mod h1:u/s5/Z+ohUQOPXl00m2yJVyioWDECsbpXTQlaqSlufc= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.10 h1:uFWgo6mGJI1n17nbcvSc6fxVuR3xLNqvXt12JCnEcT8= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.10/go.mod h1:F+EZtuIwjlv35kRJPyBGcsA4f7bnSoz15zOQ2lJq1Z4= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.4 h1:cnsvEKSoHN4oAN7spMMr0zhEW2MHnhAVpmqQg8E6UcM= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.4/go.mod h1:8glyUqVIM4AmeenIsPo0oVh3+NUwnsQml2OFupfQW+0= 
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.11 h1:6cZRymlLEIlDTEB0+5+An6Zj1CKt6rSE69tOmFeu1nk= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.11/go.mod h1:0MR+sS1b/yxsfAPvAESrw8NfwUoxMinDyw6EYR9BS2U= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.4 h1:b16QW0XWl0jWjLABFc1A+uh145Oqv+xDcObNk0iQgUk= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.4/go.mod h1:uKkN7qmSIsNJVyMtxNQoCEYMvFEXbOg9fwCJPdfp2u8= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.4 h1:qmHavnjRtgdH54nyG4iEk6ZCde9m2S++32INurhaNTk= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.4/go.mod h1:CloMDruFIVZJ8qv2OsY5ENIqzg5c0eeTciVVW3KHdvE= +github.com/aws/aws-sdk-go-v2/service/sso v1.11.4 h1:Uw5wBybFQ1UeA9ts0Y07gbv0ncZnIAyw858tDW0NP2o= +github.com/aws/aws-sdk-go-v2/service/sso v1.11.4/go.mod h1:cPDwJwsP4Kff9mldCXAmddjJL6JGQqtA3Mzer2zyr88= +github.com/aws/aws-sdk-go-v2/service/sts v1.16.4 h1:+xtV90n3abQmgzk1pS++FdxZTrPEDgQng6e4/56WR2A= +github.com/aws/aws-sdk-go-v2/service/sts v1.16.4/go.mod h1:lfSYenAXtavyX2A1LsViglqlG9eEFYxNryTZS5rn3QE= github.com/aws/smithy-go v1.11.2 h1:eG/N+CcUMAvsdffgMvjMKwfyDzIkjM6pfxMJ8Mzc6mE= github.com/aws/smithy-go v1.11.2/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= 
@@ -123,8 +125,8 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cert-manager/cert-manager v1.8.0 h1:A5FH4FUYGE/4lFYO6QzAWRxvSZfKlb9DZukv6lBPEiw= -github.com/cert-manager/cert-manager v1.8.0/go.mod h1:95Ds29nFWH6YqEgLiQ9WTtsDnTcxrkUPRNfYaKVOzeM= +github.com/cert-manager/cert-manager v1.8.1-0.20220505101928-4ec33298a243 h1:h500MmRynT2Nr2TbP+nO4gyccebh/5a2JWteRLHfWm8= +github.com/cert-manager/cert-manager v1.8.1-0.20220505101928-4ec33298a243/go.mod h1:kQwqiEo4H1RFNiXvsR2ntZKFslI32V2z3Tptk3bg56U= github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= 
@@ -190,6 +192,7 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.m github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/go-control-plane v0.10.1/go.mod h1:AY7fTTXNdv/aJ2O5jwpxAPOWUZ7hQAEvzN5Pf27BkQQ= +github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws= github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= @@ -312,8 +315,9 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o= github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= +github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= 
@@ -627,8 +631,8 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= github.com/spf13/viper v1.10.0/go.mod h1:SoyBPwAtKDzypXNDFKN5kzH7ppppbGZtls1UpIy5AsM= -github.com/spiffe/go-spiffe v1.1.0 h1:4GCqq8teavqkCl2j3c/vxQDgr33JidVRVT3mfssR6oM= -github.com/spiffe/go-spiffe v1.1.0/go.mod h1:HyNeJnVYkDyQgB2qcSPxVYkAA2F3lQu51bDxNpFcKxY= +github.com/spiffe/go-spiffe/v2 v2.1.0 h1:IZRlWhyFpPbJOiK8K+MwEFPU/QCdaW4Zf5bmIKBd3XM= +github.com/spiffe/go-spiffe/v2 v2.1.0/go.mod h1:5qg6rpqlwIub0JAiF1UK9IMD6BpPTmvG6yfSgDBs5lg= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -656,6 +660,8 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/zeebo/errs v1.2.2 h1:5NFypMTuSdoySVTqlNs1dEoU21QVamMQJxW/Fii5O7g= +github.com/zeebo/errs v1.2.2/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= 
@@ -740,8 +746,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871 h1:/pEO3GD/ABYAjuakUS6xSEmmlyVS4kxBNkeA9tLJiTI= -golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 h1:kUhD7nTDoI3fVd9G4ORWrbV5NY0liEs/Jg2pv5f+bBA= +golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -1118,6 +1124,7 @@ google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEY google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200806141610-86f49bd18e98/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= @@ -1160,7 +1167,6 @@ google.golang.org/genproto v0.0.0-20220118154757-00ab72f36ad5/go.mod h1:5CzLGKJ6 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 
@@ -1185,9 +1191,10 @@ google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= -google.golang.org/grpc v1.43.0 h1:Eeu7bZtDZ2DpRCsLhUlcrLnvYaMK1Gz86a+hMVvELmM= -google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= +google.golang.org/grpc v1.46.0 h1:oCjezcn6g6A75TGoKYBPgKmVBLexhYLM6MebdrPApP8= +google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= +google.golang.org/grpc/examples v0.0.0-20201130180447-c456688b1860/go.mod h1:Ly7ZA/ARzg8fnPU9TyZIxoz33sEUuWX7txiqs8lPTgE= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -1200,8 +1207,9 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
+google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1220,6 +1228,9 @@ gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXL
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
+gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
diff --git a/internal/configs/config_params.go b/internal/configs/config_params.go
index ec3a81aff5..eb56d73ec4 100644
--- a/internal/configs/config_params.go
+++ b/internal/configs/config_params.go
@@ -119,7 +119,7 @@ type StaticConfigParams struct {
 EnableInternalRoutes bool
 MainAppProtectLoadModule bool
 MainAppProtectDosLoadModule bool
- PodName string
+ InternalRouteServerName string
 EnableLatencyMetrics bool
 EnableOIDC bool
 SSLRejectHandshake bool
diff --git a/internal/configs/configmaps.go b/internal/configs/configmaps.go
index a9d8b9ee64..c60fda9d45 100644
--- a/internal/configs/configmaps.go
+++ b/internal/configs/configmaps.go
@@ -591,7 +591,7 @@ func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *Config
 AppProtectDosLogFormat: config.MainAppProtectDosLogFormat,
 AppProtectDosLogFormatEscaping: config.MainAppProtectDosLogFormatEscaping,
 InternalRouteServer: staticCfgParams.EnableInternalRoutes,
- InternalRouteServerName: staticCfgParams.PodName,
+ InternalRouteServerName: staticCfgParams.InternalRouteServerName,
 LatencyMetrics: staticCfgParams.EnableLatencyMetrics,
 OIDC: staticCfgParams.EnableOIDC,
 }
diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go
index 697cfbe05e..fbe7a3322d 100644
--- a/internal/configs/configurator.go
+++ b/internal/configs/configurator.go
@@ -2,10 +2,7 @@ package configs
 import (
 "bytes"
- "crypto"
- "crypto/x509"
 "encoding/json"
- "encoding/pem"
 "fmt"
 "os"
 "strings"
@@ -14,7 +11,7 @@ import (
 "github.com/nginxinc/kubernetes-ingress/internal/k8s/secrets"
 "github.com/nginxinc/nginx-prometheus-exporter/collector"
- "github.com/spiffe/go-spiffe/workload"
+ "github.com/spiffe/go-spiffe/v2/workloadapi"
 "github.com/nginxinc/kubernetes-ingress/internal/configs/version2"
 conf_v1alpha1 "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/v1alpha1"
@@ -125,7 +122,8 @@ type Configurator struct {
 // NewConfigurator creates a new Configurator.
 func NewConfigurator(nginxManager nginx.Manager, staticCfgParams *StaticConfigParams, config *ConfigParams, templateExecutor *version1.TemplateExecutor, templateExecutorV2 *version2.TemplateExecutor, isPlus bool, isWildcardEnabled bool,
- labelUpdater collector.LabelUpdater, isPrometheusEnabled bool, latencyCollector latCollector.LatencyCollector, isLatencyMetricsEnabled bool) *Configurator {
+ labelUpdater collector.LabelUpdater, isPrometheusEnabled bool, latencyCollector latCollector.LatencyCollector, isLatencyMetricsEnabled bool,
+) *Configurator {
 metricLabelsIndex := &metricLabelsIndex{
 ingressUpstreams: make(map[string][]string),
 virtualServerUpstreams: make(map[string][]string),
@@ -1241,41 +1239,33 @@ func (cnf *Configurator) GetVirtualServerCounts() (vsCount int, vsrCount int) {
 }
 // AddOrUpdateSpiffeCerts writes Spiffe certs and keys to disk and reloads NGINX
-func (cnf *Configurator) AddOrUpdateSpiffeCerts(svidResponse *workload.X509SVIDs) error {
- svid := svidResponse.Default()
- privateKeyBytes, err := x509.MarshalPKCS8PrivateKey(svid.PrivateKey.(crypto.PrivateKey))
+func (cnf *Configurator) AddOrUpdateSpiffeCerts(svidResponse *workloadapi.X509Context) error {
+ svid := svidResponse.DefaultSVID()
+ trustDomain := svid.ID.TrustDomain()
+ caBundle, err := svidResponse.Bundles.GetX509BundleForTrustDomain(trustDomain)
 if err != nil {
- return fmt.Errorf("error when marshaling private key: %w", err)
+ return fmt.Errorf("error parsing CA bundle from SPIFFE SVID response: %w", err)
 }
- cnf.nginxManager.CreateSecret(spiffeKeyFileName, createSpiffeKey(privateKeyBytes), spiffeKeyFileMode)
- cnf.nginxManager.CreateSecret(spiffeCertFileName, createSpiffeCert(svid.Certificates), spiffeCertsFileMode)
- cnf.nginxManager.CreateSecret(spiffeBundleFileName, createSpiffeCert(svid.TrustBundle), spiffeCertsFileMode)
+ pemBundle, err := caBundle.Marshal()
+ if err != nil {
+ return fmt.Errorf("unable to marshal X.509 SVID Bundle: %w", err)
+ }
- err = cnf.reload(nginx.ReloadForOtherUpdate)
+ pemCerts, pemKey, err := svid.Marshal()
 if err != nil {
- return fmt.Errorf("error when reloading NGINX when updating the SPIFFE Certs: %w", err)
+ return fmt.Errorf("unable to marshal X.509 SVID: %w", err)
 }
- return nil
-}
-func createSpiffeKey(content []byte) []byte {
- return pem.EncodeToMemory(&pem.Block{
- Type: "EC PRIVATE KEY",
- Bytes: content,
- })
-}
+ cnf.nginxManager.CreateSecret(spiffeKeyFileName, pemKey, spiffeKeyFileMode)
+ cnf.nginxManager.CreateSecret(spiffeCertFileName, pemCerts, spiffeCertsFileMode)
+ cnf.nginxManager.CreateSecret(spiffeBundleFileName, pemBundle, spiffeCertsFileMode)
-func createSpiffeCert(certs []*x509.Certificate) []byte {
- pemData := make([]byte, 0, len(certs))
- for _, c := range certs {
- b := &pem.Block{
- Type: "CERTIFICATE",
- Bytes: c.Raw,
- }
- pemData = append(pemData, pem.EncodeToMemory(b)...)
+ err = cnf.reload(nginx.ReloadForOtherUpdate)
+ if err != nil {
+ return fmt.Errorf("error when reloading NGINX when updating the SPIFFE Certs: %w", err)
 }
- return pemData
+ return nil
 }
 func (cnf *Configurator) updateApResources(ingEx *IngressEx) *AppProtectResources {
@@ -1444,7 +1434,6 @@ func (cnf *Configurator) DeleteAppProtectLogConf(resource *unstructured.Unstruct
 func (cnf *Configurator) RefreshAppProtectUserSigs(
 userSigs []*unstructured.Unstructured, delPols []string, ingExes []*IngressEx, mergeableIngresses []*MergeableIngresses, vsExes []*VirtualServerEx,
 ) (Warnings, error) {
-
 allWarnings, err := cnf.addOrUpdateIngressesAndVirtualServers(ingExes, mergeableIngresses, vsExes)
 if err != nil {
 return allWarnings, err
@@ -1487,7 +1476,7 @@ func (cnf *Configurator) DeleteAppProtectDosLogConf(resource *unstructured.Unstr
 // AddInternalRouteConfig adds internal route server to NGINX Configuration and reloads NGINX
 func (cnf *Configurator) AddInternalRouteConfig() error {
 cnf.staticCfgParams.EnableInternalRoutes = true
- cnf.staticCfgParams.PodName = os.Getenv("POD_NAME")
+ cnf.staticCfgParams.InternalRouteServerName = fmt.Sprintf("%s.%s.svc", os.Getenv("POD_SERVICEACCOUNT"), os.Getenv("POD_NAMESPACE"))
 mainCfg := GenerateNginxMainConfig(cnf.staticCfgParams, cnf.cfgParams)
 mainCfgContent, err := cnf.templateExecutor.ExecuteMainConfigTemplate(mainCfg)
 if err != nil {
diff --git a/internal/configs/configurator_test.go b/internal/configs/configurator_test.go
index fd7a4a85ce..dc7c53d0fb 100644
--- a/internal/configs/configurator_test.go
+++ b/internal/configs/configurator_test.go
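Review bot: `svidResponse.DefaultSVID()` on the first new line of AddOrUpdateSpiffeCerts is used without checking that the context carries any SVID; as far as I recall, go-spiffe v2's DefaultSVID simply indexes the first element, so an X509Context with an empty SVIDs list would panic inside the Workload API callback and take the controller down rather than fail one rotation. A guard before the call, `if len(svidResponse.SVIDs) == 0 { return fmt.Errorf("SPIFFE X.509 context contains no SVIDs") }`, turns that into a returned error. The message on the GetX509BundleForTrustDomain branch says "error parsing CA bundle", but that call is a lookup keyed by the SVID's own trust domain, so `fmt.Errorf("no X.509 bundle for trust domain %q: %w", trustDomain, err)` tells the operator what was actually missing. Since only that one bundle is written to spiffeBundleFileName, federated trust domains present in the response are not written to disk; that is worth a sentence in the function's doc comment.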
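Review bot: The new InternalRouteServerName line builds the name from `os.Getenv("POD_SERVICEACCOUNT")` and `os.Getenv("POD_NAMESPACE")` without checking that either is set, so a missing variable silently yields a server name such as `.default.svc` or `nginx-ingress..svc` that is rendered into the NGINX main config and, presumably, used to identify the internal route server to its peers. Read both into locals and fail early, `if sa == "" || ns == "" { return fmt.Errorf("POD_SERVICEACCOUNT and POD_NAMESPACE must be set to enable internal routes") }`, before GenerateNginxMainConfig runs. AddInternalRouteConfig's body continues past the end of the hunk. A line in its doc comment stating the `<serviceaccount>.<namespace>.svc` form would help, since the test in configurator_test.go is currently the only place that documents it.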
@@ -334,8 +334,13 @@ func TestAddInternalRouteConfig(t *testing.T) {
 if err != nil {
 t.Errorf("Failed to create a test configurator: %v", err)
 }
- // set pod name in env
- err = os.Setenv("POD_NAME", "nginx-ingress")
+ // set service account in env
+ err = os.Setenv("POD_SERVICEACCOUNT", "nginx-ingress")
+ if err != nil {
+ t.Errorf("Failed to set pod name in environment: %v", err)
+ }
+ // set namespace in env
+ err = os.Setenv("POD_NAMESPACE", "default")
 if err != nil {
 t.Errorf("Failed to set pod name in environment: %v", err)
 }
@@ -347,8 +352,8 @@ func TestAddInternalRouteConfig(t *testing.T) {
 if !cnf.staticCfgParams.EnableInternalRoutes {
 t.Errorf("AddInternalRouteConfig failed to set EnableInteralRoutes field of staticCfgParams to true")
 }
- if cnf.staticCfgParams.PodName != "nginx-ingress" {
- t.Errorf("AddInternalRouteConfig failed to set PodName field of staticCfgParams")
+ if cnf.staticCfgParams.InternalRouteServerName != "nginx-ingress.default.svc" {
+ t.Errorf("AddInternalRouteConfig failed to set InternalRouteServerName field of staticCfgParams")
 }
 }
diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go
index ed8762e3a5..2c79db23d5 100644
--- a/internal/k8s/controller.go
+++ b/internal/k8s/controller.go
@@ -35,7 +35,7 @@ import (
 "github.com/golang/glog"
 "github.com/nginxinc/kubernetes-ingress/internal/k8s/secrets"
- "github.com/spiffe/go-spiffe/workload"
+ "github.com/spiffe/go-spiffe/v2/workloadapi"
 "k8s.io/apimachinery/pkg/fields"
 "k8s.io/apimachinery/pkg/labels"
@@ -152,7 +152,7 @@ type LoadBalancerController struct {
 metricsCollector collectors.ControllerCollector
 globalConfigurationValidator *validation.GlobalConfigurationValidator
 transportServerValidator *validation.TransportServerValidator
- spiffeController *SpiffeController
+ spiffeCertFetcher *SpiffeCertFetcher
 internalRoutesEnabled bool
 syncLock sync.Mutex
 isNginxReady bool
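Review bot: Both new `t.Errorf` calls in TestAddInternalRouteConfig still say "Failed to set pod name in environment" although the variables being set are POD_SERVICEACCOUNT and POD_NAMESPACE, so a failing run points at the wrong variable. Use `t.Errorf("Failed to set POD_SERVICEACCOUNT in environment: %v", err)` and `t.Errorf("Failed to set POD_NAMESPACE in environment: %v", err)`. If the module targets Go 1.17 or later, `t.Setenv("POD_NAMESPACE", "default")` replaces the Setenv-plus-check pair and restores the variable when the test ends, so the values cannot leak into later tests in the package. The test function starts before the hunk.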
@@ -247,7 +247,7 @@ func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalanc
 lbc.syncQueue = newTaskQueue(lbc.sync)
 if input.SpireAgentAddress != "" {
 var err error
- lbc.spiffeController, err = NewSpiffeController(lbc.syncSVIDRotation, input.SpireAgentAddress)
+ lbc.spiffeCertFetcher, err = NewSpiffeCertFetcher(lbc.syncSVIDRotation, input.SpireAgentAddress)
 if err != nil {
 glog.Fatalf("failed to create Spiffe Controller: %v", err)
 }
@@ -544,8 +544,8 @@ func (lbc *LoadBalancerController) addIngressLinkHandler(handlers cache.Resource
 func (lbc *LoadBalancerController) Run() {
 lbc.ctx, lbc.cancel = context.WithCancel(context.Background())
- if lbc.spiffeController != nil {
- err := lbc.spiffeController.Start(lbc.ctx.Done(), lbc.addInternalRouteServer)
+ if lbc.spiffeCertFetcher != nil {
+ err := lbc.spiffeCertFetcher.Start(lbc.ctx, lbc.addInternalRouteServer)
 if err != nil {
 glog.Fatal(err)
 }
@@ -768,7 +768,7 @@ func (lbc *LoadBalancerController) preSyncSecrets() {
 func (lbc *LoadBalancerController) sync(task task) {
 glog.V(3).Infof("Syncing %v", task.Key)
- if lbc.spiffeController != nil {
+ if lbc.spiffeCertFetcher != nil {
 lbc.syncLock.Lock()
 defer lbc.syncLock.Unlock()
 }
@@ -3279,7 +3279,7 @@ func formatWarningMessages(w []string) string {
 return strings.Join(w, "; ")
 }
-func (lbc *LoadBalancerController) syncSVIDRotation(svidResponse *workload.X509SVIDs) {
+func (lbc *LoadBalancerController) syncSVIDRotation(svidResponse *workloadapi.X509Context) {
 lbc.syncLock.Lock()
 defer lbc.syncLock.Unlock()
 glog.V(3).Info("Rotating SPIFFE Certificates")
diff --git a/internal/k8s/spiffe.go b/internal/k8s/spiffe.go
index dfb7cfcfb6..cdcb439d7e 100644
--- a/internal/k8s/spiffe.go
+++ b/internal/k8s/spiffe.go
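Review bot: The fatal message right after the renamed constructor call in NewLoadBalancerController still reads "failed to create Spiffe Controller" although the type is now SpiffeCertFetcher, so an operator searching the log for the new name will not find this failure. `glog.Fatalf("failed to create SPIFFE cert fetcher: %v", err)` keeps the message in step with the rename. NewLoadBalancerController starts before and ends after the hunk.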
@@ -1,45 +1,67 @@
 package k8s
 import (
+ "context"
 "errors"
 "fmt"
- "strings"
 "time"
 "github.com/golang/glog"
- "github.com/spiffe/go-spiffe/workload"
+ "github.com/spiffe/go-spiffe/v2/workloadapi"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
 )
-// SpiffeController controls spiffe
-type SpiffeController struct {
- watcher *spiffeWatcher
- client *workload.X509SVIDClient
+// Client wraps the workloadapi.Client
+type Client interface {
+ WatchX509Context(context.Context, workloadapi.X509ContextWatcher) error
+ Close() error
 }
-// NewSpiffeController creates the spiffeWatcher and the Spiffe Workload API Client,
+// SpiffeCertFetcher fetches certs from the X509 SPIFFE Workload API.
+type SpiffeCertFetcher struct {
+ client Client
+ watcher *spiffeWatcher
+ watchErrCh chan error
+}
+
+// NewSpiffeCertFetcher creates the spiffeWatcher and the Spiffe Workload API Client,
 // returns an error if the client cannot connect to the Spire Agent.
-func NewSpiffeController(sync func(*workload.X509SVIDs), spireAgentAddr string) (*SpiffeController, error) {
- watcher := &spiffeWatcher{sync: sync}
- client, err := workload.NewX509SVIDClient(watcher, workload.WithAddr("unix://"+spireAgentAddr))
+func NewSpiffeCertFetcher(sync func(*workloadapi.X509Context), spireAgentAddr string) (*SpiffeCertFetcher, error) {
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ client, err := workloadapi.New(ctx, workloadapi.WithAddr("unix://"+spireAgentAddr))
 if err != nil {
- return nil, fmt.Errorf("failed to create Spiffe Workload API Client: %w", err)
+ return nil, fmt.Errorf("could not create SPIFFE Workload API Client: %w", err)
 }
- sc := &SpiffeController{
- watcher: watcher,
- client: client,
- }
- return sc, nil
+
+ return &SpiffeCertFetcher{
+ watchErrCh: make(chan error),
+ client: client,
+ watcher: &spiffeWatcher{sync: sync},
+ }, nil
 }
 // Start starts the Spiffe Workload API Client and waits for the Spiffe certs to be written to disk.
 // If the certs are not available after 30 seconds an error is returned.
-// On success, calls onStart function and kicks off the Spiffe Controller's run loop.
-func (sc *SpiffeController) Start(stopCh <-chan struct{}, onStart func()) error {
+// On success, calls onStart function and kicks off the SpiffeCertFetcher's run loop.
+func (sc *SpiffeCertFetcher) Start(ctx context.Context, onStart func()) error {
 glog.V(3).Info("Starting SPIFFE Workload API Client")
- err := sc.client.Start()
- if err != nil {
- return fmt.Errorf("failed to start Spiffe Workload API Client: %w", err)
- }
+
+ go func() {
+ defer func() {
+ if err := sc.client.Close(); err != nil && status.Code(err) != codes.Canceled {
+ glog.V(3).Info("error closing SPIFFE Workload API Client: ", err)
+ }
+ }()
+ err := sc.client.WatchX509Context(ctx, sc.watcher)
+ if err != nil && status.Code(err) != codes.Canceled {
+ sc.watchErrCh <- err
+ }
+ }()
+
+ stopCh := ctx.Done()
 timeout := time.After(30 * time.Second)
 duration := 100 * time.Millisecond
 for {
@@ -50,8 +72,10 @@ func (sc *SpiffeController) Start(stopCh <-chan struct{}, onStart func()) error
 select {
 case <-timeout:
 return errors.New("timed out waiting for SPIFFE trust bundle")
+ case err := <-sc.watchErrCh:
+ return fmt.Errorf("error waiting for initial trust bundle: %w", err)
 case <-stopCh:
- return sc.client.Stop()
+ return sc.client.Close()
 default:
 break
 }
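Review bot: `watchErrCh` is created unbuffered in NewSpiffeCertFetcher and is only drained by the select in Start's initial wait loop, so a non-Canceled error returned by WatchX509Context after Start has returned blocks the goroutine forever on `sc.watchErrCh <- err`, leaks it, prevents the deferred Close from running, and leaves the controller with no record that SVID rotation has stopped; the certificates on disk would then age out silently. Making it `watchErrCh: make(chan error, 1)` lets the single send complete whether or not anyone is listening, and logging before the send, `glog.Errorf("SPIFFE Workload API watch stopped: %v", err)`, makes the failure visible at default verbosity. Start's body continues past the end of the hunk, so I cannot see whether the loop re-checks watchErrCh once the initial bundle is in place; if it does not, either restarting the watch or failing hard there is what an operator would expect. The exported `Client` interface carries only "wraps the workloadapi.Client"; a sentence stating that it exists so tests can substitute the real client would explain why it is exported from package k8s under such a general name.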
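Review bot: In the new `case <-stopCh:` branch Start returns `sc.client.Close()` unfiltered, while the watch goroutine started earlier in this function (outside this hunk) also closes the same client in a defer and deliberately ignores a codes.Canceled result; whichever Close runs second presumably gets that error, so a shutdown that arrives during the initial wait can surface as a non-nil return that controller.Run passes straight to glog.Fatal. Mirror the goroutine's handling here: `if err := sc.client.Close(); err != nil && status.Code(err) != codes.Canceled { return err }` followed by `return nil`. The enclosing for loop starts before and ends after the hunk.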
@@ -63,34 +87,37 @@ func (sc *SpiffeController) Start(stopCh <-chan struct{}, onStart func()) error
 }
 // Run waits until a message is sent on the stop channel and stops the Spiffe Workload API Client.
-func (sc *SpiffeController) Run(stopCh <-chan struct{}) {
+func (sc *SpiffeCertFetcher) Run(stopCh <-chan struct{}) {
 <-stopCh
- err := sc.client.Stop()
- if err != nil {
+ if err := sc.client.Close(); err != nil {
 glog.Errorf("failed to stop Spiffe Workload API Client: %v", err)
 }
 }
-// spiffeWatcher is a sample implementation of the workload.X509SVIDWatcher interface
+// spiffeWatcher is a sample implementation of the workload.X509ContextWatcher interface
 type spiffeWatcher struct {
- sync func(*workload.X509SVIDs)
+ sync func(*workloadapi.X509Context)
 synced bool
 }
-// UpdateX509SVIDs is run every time an SVID is updated
-func (w *spiffeWatcher) UpdateX509SVIDs(svids *workload.X509SVIDs) {
- for _, svid := range svids.SVIDs {
- glog.V(3).Infof("SVID updated for spiffeID: %q", svid.SPIFFEID)
- }
- w.sync(svids)
+// OnX509ContextUpdate is called when a new X.509 Context is fetched from the SPIFFE Workload API.
+func (w *spiffeWatcher) OnX509ContextUpdate(svidResponse *workloadapi.X509Context) {
+ glog.V(3).Infof("SVID updated for for spiffeID: %q\n", svidResponse.DefaultSVID().ID)
+ w.sync(svidResponse)
 w.synced = true
 }
-// OnError is run when the client runs into an error
-func (w *spiffeWatcher) OnError(err error) {
- if strings.Contains(err.Error(), "PermissionDenied") {
- glog.V(3).Infof("X509SVIDClient still waiting for certificates: %v", err)
+// OnX509WatchError is called when there is an error watching the X.509 Contexts from the SPIFFE Workload API.
+func (w *spiffeWatcher) OnX509ContextWatchError(err error) {
+ msg := "For more information check the logs of the Spire agents and server."
+ switch status.Code(err) {
+ case codes.Unavailable:
+ glog.V(3).Infof("X509SVIDClient cannot connect to the Spire agent: %v. %s", err, msg)
+ case codes.PermissionDenied:
+ glog.V(3).Infof("X509SVIDClient still waiting for certificates: %v. %s", err, msg)
+ case codes.Canceled:
 return
+ default:
+ glog.V(3).Infof("X509SVIDClient error: %v. %s", err, msg)
 }
- glog.Fatal(err)
 }
diff --git a/perf-tests/requirements.txt b/perf-tests/requirements.txt
index 873ac736eb..bdc1cb79a0 100644
--- a/perf-tests/requirements.txt
+++ b/perf-tests/requirements.txt
@@ -1,7 +1,7 @@
 PyYAML==6.0
 requests==2.27.1
 kubernetes==23.3.0
-pytest==7.1.1
+pytest==7.1.2
 ipaddress==1.0.23 # >= 1.0.17
 cffi==1.15.0
 certifi==2021.10.8
diff --git a/tests/requirements.txt b/tests/requirements.txt
index fc04704ebb..63cd238304 100644
--- a/tests/requirements.txt
+++ b/tests/requirements.txt
@@ -2,7 +2,7 @@ PyYAML==6.0
 requests==2.27.1
 forcediphttpsadapter==1.0.2
 kubernetes==23.3.0
-pytest==7.1.1
+pytest==7.1.2
 ipaddress==1.0.23 # >= 1.0.17
 cffi==1.15.0
 pyOpenSSL==22.0.0
@@ -12,6 +12,6 @@ pytest-html==3.1.1
 pytest-profiling==1.7.0
 more-itertools==8.12.0
 mock==4.0.3
-grpcio==1.45.0
-grpcio-tools==1.45.0
+grpcio==1.46.0
+grpcio-tools==1.46.0
 flaky==3.7.0
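Review bot: OnX509ContextWatchError now logs every non-Canceled error at `glog.V(3)`, including the `default` arm that replaced the old `glog.Fatal(err)`, so at default verbosity a watch that keeps failing with any code other than the two expected start-up states leaves no trace in the controller log, and a codes.Unavailable that appears after the initial bundle was obtained is equally invisible. Keep V(3) for the start-up cases but promote the catch-all: `default: glog.Errorf("X509SVIDClient error: %v. %s", err, msg)`. In OnX509ContextUpdate the log line reads "for for" and ends in "\n", which glog appends itself, so `glog.V(3).Infof("SVID updated for spiffeID: %q", svidResponse.DefaultSVID().ID)` is enough; that call also indexes the default SVID unconditionally, and a `len(svidResponse.SVIDs) == 0` check before it would avoid a panic on an empty context. The doc comment names the method `OnX509WatchError` while it is declared as `OnX509ContextWatchError`, and the struct comment should say `workloadapi.X509ContextWatcher`, since the `workload` package is no longer imported here.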