Update PodDisruptionBudget to policy/v1

README.md

@@ -26,7 +26,7 @@ Vitess Operator Version | Recommended Vitess Versions | Recommended Kubernetes V
 `v2.7.*` | `v14.0.*`                   | `v1.20.*`, `v1.21.*`, or `v1.22.*`
 `v2.8.*` | `v15.0.*`                   | `v1.22.*`, `v1.23.*`, or `v1.24.*`
 `v2.9.*` | `v16.0.*`                   | `v1.22.*`, `v1.23.*`, or `v1.24.*`
-`latest` | `latest`                    | `v1.22.*`, `v1.23.*`, or `v1.24.*`
+`latest` | `latest`                    | `v1.22.*`, `v1.23.*`, `v1.24.*`, or `v1.25.*`
 
 If for some reason you must attempt to use versions outside the recommend
 window, we still welcome bug reports since a workaround might be possible.

pkg/controller/etcdlockserver/etcdlockserver_controller.go

@@ -23,7 +23,7 @@ import (
 	"github.com/sirupsen/logrus"
 
 	corev1 "k8s.io/api/core/v1"
-	policyv1beta1 "k8s.io/api/policy/v1beta1"
+	policyv1 "k8s.io/api/policy/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/errors"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -58,7 +58,7 @@ var watchResources = []client.Object{
 	&corev1.Pod{},
 	&corev1.Service{},
 	&corev1.PersistentVolumeClaim{},
-	&policyv1beta1.PodDisruptionBudget{},
+	&policyv1.PodDisruptionBudget{},
 }
 
 // Add creates a new EtcdLockserver Controller and adds it to the Manager. The Manager will set fields on the Controller

pkg/controller/etcdlockserver/reconcile_pdb.go

@@ -19,7 +19,7 @@ package etcdlockserver
 import (
 	"context"
 
-	policyv1beta1 "k8s.io/api/policy/v1beta1"
+	policyv1 "k8s.io/api/policy/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -50,13 +50,13 @@ func (r *ReconcileEtcdLockserver) reconcilePodDisruptionBudget(ctx context.Conte
 		Name:      etcd.PDBName(lockserverName),
 	}
 	err := r.reconciler.ReconcileObject(ctx, ls, key, labels, true, reconciler.Strategy{
-		Kind: &policyv1beta1.PodDisruptionBudget{},
+		Kind: &policyv1.PodDisruptionBudget{},
 
 		New: func(key client.ObjectKey) runtime.Object {
 			return etcd.NewPDB(key, labels)
 		},
 		UpdateInPlace: func(key client.ObjectKey, obj runtime.Object) {
-			curObj := obj.(*policyv1beta1.PodDisruptionBudget)
+			curObj := obj.(*policyv1.PodDisruptionBudget)
 			etcd.UpdatePDBInPlace(curObj, labels)
 		},
 	})

pkg/operator/etcd/pdb.go

@@ -17,7 +17,7 @@ limitations under the License.
 package etcd
 
 import (
-	policyv1beta1 "k8s.io/api/policy/v1beta1"
+	policyv1 "k8s.io/api/policy/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -37,18 +37,18 @@ func PDBName(lockserverName string) string {
 }
 
 // NewPDB creates a new PDB.
-func NewPDB(key client.ObjectKey, labels map[string]string) *policyv1beta1.PodDisruptionBudget {
+func NewPDB(key client.ObjectKey, labels map[string]string) *policyv1.PodDisruptionBudget {
 	// This tells `kubectl drain` not to delete one of the members unless the
 	// number of remaining members will still be at least QuorumSize.
 	minAvailable := intstr.FromInt(QuorumSize)
 
-	return &policyv1beta1.PodDisruptionBudget{
+	return &policyv1.PodDisruptionBudget{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: key.Namespace,
 			Name:      key.Name,
 			Labels:    labels,
 		},
-		Spec: policyv1beta1.PodDisruptionBudgetSpec{
+		Spec: policyv1.PodDisruptionBudgetSpec{
 			Selector: &metav1.LabelSelector{
 				MatchLabels: labels,
 			},
@@ -58,7 +58,7 @@ func NewPDB(key client.ObjectKey, labels map[string]string) *policyv1beta1.PodDi
 }
 
 // UpdatePDBInPlace updates an existing PDB in-place.
-func UpdatePDBInPlace(obj *policyv1beta1.PodDisruptionBudget, labels map[string]string) {
+func UpdatePDBInPlace(obj *policyv1.PodDisruptionBudget, labels map[string]string) {
 	// Update labels, but ignore existing ones we don't set.
 	update.Labels(&obj.Labels, labels)
 }

test/integration/framework/apiserver.go

@@ -26,11 +26,14 @@ import (
 	"os/exec"
 	"strconv"
 
+	"github.com/google/uuid"
 	"k8s.io/client-go/rest"
 	"k8s.io/klog"
 )
 
 var apiserverURL = ""
+var apiserverToken = uuid.New().String()
+var apiserverDatadir = ""
 
 const installApiserver = `
 Cannot find kube-apiserver, cannot run integration tests
@@ -57,25 +60,38 @@ func startApiserver() (func(), error) {
 	if err != nil {
 		return nil, fmt.Errorf("could not get a port: %v", err)
 	}
-	apiserverURL = fmt.Sprintf("http://127.0.0.1:%d", apiserverPort)
+	apiserverURL = fmt.Sprintf("https://127.0.0.1:%d", apiserverPort)
 	klog.Infof("starting kube-apiserver on %s", apiserverURL)
 
 	apiserverDataDir, err := ioutil.TempDir(os.TempDir(), "integration_test_apiserver_data")
 	if err != nil {
 		return nil, fmt.Errorf("unable to make temp kube-apiserver data dir: %v", err)
 	}
-	klog.Infof("storing kube-apiserver data in: %v", apiserverDataDir)
+	apiserverDatadir = apiserverDataDir
+	klog.Infof("storing kube-apiserver data in: %v", apiserverDatadir)
+
+	// create token auth file
+	os.WriteFile(fmt.Sprintf("%s/token.csv", apiserverDatadir), []byte(fmt.Sprintf("%s,testrunner,1", apiserverToken)), 0644)
+
+	// create authorization policy file
+	abac1 := "{\"apiVersion\": \"abac.authorization.kubernetes.io/v1beta1\", \"kind\": \"Policy\", \"spec\": {\"user\": \"testrunner\", \"namespace\": \"*\", \"resource\": \"*\", \"apiGroup\": \"*\"}}"
+	abac2 := "{\"apiVersion\": \"abac.authorization.kubernetes.io/v1beta1\", \"kind\": \"Policy\", \"spec\": {\"group\": \"system:authenticated\", \"readonly\": true, \"nonResourcePath\": \"*\"}}"
+	os.WriteFile(fmt.Sprintf("%s/auth-policy.json", apiserverDatadir), []byte(fmt.Sprintf("%s\n%s", abac1, abac2)), 0644)
+
 
 	ctx, cancel := context.WithCancel(context.Background())
 	cmd := exec.CommandContext(
 		ctx,
 		apiserverPath,
-		"--cert-dir", apiserverDataDir,
-		"--insecure-port", strconv.Itoa(apiserverPort),
-		// We don't use the secure port, but we need to pick something that
-		// doesn't conflict with other test apiservers.
-		"--secure-port", strconv.Itoa(apiserverPort+1),
+		"--authorization-policy-file", fmt.Sprintf("%s/auth-policy.json", apiserverDatadir),
+		"--authorization-mode", "ABAC",
+		"--cert-dir", apiserverDatadir,
 		"--etcd-servers", etcdURL,
+		"--secure-port", strconv.Itoa(apiserverPort),
+		"--service-account-issuer", "api",
+		"--service-account-key-file", fmt.Sprintf("%s/apiserver.key", apiserverDatadir),
+		"--service-account-signing-key-file", fmt.Sprintf("%s/apiserver.key", apiserverDatadir),
+		"--token-auth-file", fmt.Sprintf("%s/token.csv", apiserverDatadir),
 	)
 
 	// Uncomment these to see kube-apiserver output in test logs.
@@ -87,7 +103,7 @@ func startApiserver() (func(), error) {
 		cancel()
 		err := cmd.Wait()
 		klog.Infof("kube-apiserver exit status: %v", err)
-		err = os.RemoveAll(apiserverDataDir)
+		err = os.RemoveAll(apiserverDatadir)
 		if err != nil {
 			klog.Warningf("error during kube-apiserver cleanup: %v", err)
 		}
@@ -99,14 +115,28 @@ func startApiserver() (func(), error) {
 	return stop, nil
 }
 
-// ApiserverURL returns the URL of the kube-apiserver instance started by TestMain.
-func ApiserverURL() string {
-	return apiserverURL
-}
-
 // ApiserverConfig returns a rest.Config to connect to the test instance.
 func ApiserverConfig() *rest.Config {
 	return &rest.Config{
 		Host: ApiserverURL(),
+		BearerToken: apiserverToken,
+		TLSClientConfig: rest.TLSClientConfig{
+			Insecure: true,
+		},
 	}
 }
+
+// ApiserverCert returns the generated kube-apiserver certificate authority
+func ApiserverCert() string {
+	return fmt.Sprintf("%s/apiserver.crt", apiserverDatadir)
+}
+
+// ApiserverToken returns the token used for authentication
+func ApiserverToken() string {
+	return apiserverToken
+}
+
+// ApiserverURL returns the URL of the kube-apiserver instance started by TestMain.
+func ApiserverURL() string {
+	return apiserverURL
+}

test/integration/framework/main.go

@@ -241,7 +241,13 @@ func execKubectlStdin(stdin io.Reader, args ...string) ([]byte, error) {
 	if err != nil {
 		return nil, fmt.Errorf("cannot exec kubectl: %v", err)
 	}
-	cmdline := append([]string{"--server", ApiserverURL()}, args...)
+	cmdline := append([]string{
+		"--server", ApiserverURL(),
+		"--tls-server-name", "10.0.0.1",
+		"--certificate-authority", ApiserverCert(),
+		"--token", ApiserverToken(),
+		}, args...)
+
 	cmd := exec.Command(execPath, cmdline...)
 	cmd.Stdin = stdin
 	return cmd.CombinedOutput()

tools/get-kube-binaries.sh

@@ -9,7 +9,7 @@ set -euo pipefail
 # The integration test framework expects these binaries to be found in the PATH.
 
 # This is the kube-apiserver version to test against.
-KUBE_VERSION="${KUBE_VERSION:-v1.19.1}"
+KUBE_VERSION="${KUBE_VERSION:-v1.25.8}"
 KUBERNETES_RELEASE_URL="${KUBERNETES_RELEASE_URL:-https://dl.k8s.io}"
 
 # This should be the etcd version downloaded by kubernetes/hack/lib/etcd.sh