vendor: update buildkit to 2943a0838

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

vendor/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go

@@ -20,6 +20,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"io"
@@ -28,6 +29,7 @@ import (
 	"os"
 	"os/exec"
 	"reflect"
+	"strings"
 	"sync"
 	"time"
 
@@ -37,17 +39,26 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/apimachinery/pkg/util/clock"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/pkg/apis/clientauthentication"
 	"k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
 	"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	"k8s.io/client-go/tools/clientcmd/api"
+	"k8s.io/client-go/tools/metrics"
 	"k8s.io/client-go/transport"
 	"k8s.io/client-go/util/connrotation"
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 )
 
 const execInfoEnv = "KUBERNETES_EXEC_INFO"
+const onRotateListWarningLength = 1000
+const installHintVerboseHelp = `
+
+It looks like you are trying to use a client-go credential plugin that is not installed.
+
+To learn more about this feature, consult the documentation available at:
+      https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins`
 
 var scheme = runtime.NewScheme()
 var codecs = serializer.NewCodecFactory(scheme)
@@ -105,6 +116,44 @@ func (c *cache) put(s string, a *Authenticator) *Authenticator {
 	return a
 }
 
+// sometimes rate limits how often a function f() is called. Specifically, Do()
+// will run the provided function f() up to threshold times every interval
+// duration.
+type sometimes struct {
+	threshold int
+	interval  time.Duration
+
+	clock clock.Clock
+	mu    sync.Mutex
+
+	count  int       // times we have called f() in this window
+	window time.Time // beginning of current window of length interval
+}
+
+func (s *sometimes) Do(f func()) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	now := s.clock.Now()
+	if s.window.IsZero() {
+		s.window = now
+	}
+
+	// If we are no longer in our saved time window, then we get to reset our run
+	// count back to 0 and start increasing towards the threshold again.
+	if inWindow := now.Sub(s.window) < s.interval; !inWindow {
+		s.window = now
+		s.count = 0
+	}
+
+	// If we have not run the function more than threshold times in this current
+	// time window, we get to run it now!
+	if underThreshold := s.count < s.threshold; underThreshold {
+		s.count++
+		f()
+	}
+}
+
 // GetAuthenticator returns an exec-based plugin for providing client credentials.
 func GetAuthenticator(config *api.ExecConfig) (*Authenticator, error) {
 	return newAuthenticator(globalCache, config)
@@ -126,6 +175,13 @@ func newAuthenticator(c *cache, config *api.ExecConfig) (*Authenticator, error)
 		args:  config.Args,
 		group: gv,
 
+		installHint: config.InstallHint,
+		sometimes: &sometimes{
+			threshold: 10,
+			interval:  time.Hour,
+			clock:     clock.RealClock{},
+		},
+
 		stdin:       os.Stdin,
 		stderr:      os.Stderr,
 		interactive: terminal.IsTerminal(int(os.Stdout.Fd())),
@@ -149,6 +205,12 @@ type Authenticator struct {
 	group schema.GroupVersion
 	env   []string
 
+	// Used to avoid log spew by rate limiting install hint printing. We didn't do
+	// this by interval based rate limiting alone since that way may have prevented
+	// the install hint from showing up for kubectl users.
+	sometimes   *sometimes
+	installHint string
+
 	// Stubbable for testing
 	stdin       io.Reader
 	stderr      io.Writer
@@ -164,7 +226,7 @@ type Authenticator struct {
 	cachedCreds *credentials
 	exp         time.Time
 
-	onRotate func()
+	onRotateList []func()
 }
 
 type credentials struct {
@@ -175,6 +237,15 @@ type credentials struct {
 // UpdateTransportConfig updates the transport.Config to use credentials
 // returned by the plugin.
 func (a *Authenticator) UpdateTransportConfig(c *transport.Config) error {
+	// If a bearer token is present in the request - avoid the GetCert callback when
+	// setting up the transport, as that triggers the exec action if the server is
+	// also configured to allow client certificates for authentication. For requests
+	// like "kubectl get --token (token) pods" we should assume the intention is to
+	// use the provided token for authentication.
+	if c.HasTokenAuth() {
+		return nil
+	}
+
 	c.Wrap(func(rt http.RoundTripper) http.RoundTripper {
 		return &roundTripper{a, rt}
 	})
@@ -191,7 +262,15 @@ func (a *Authenticator) UpdateTransportConfig(c *transport.Config) error {
 		dial = (&net.Dialer{Timeout: 30 * time.Second, KeepAlive: 30 * time.Second}).DialContext
 	}
 	d := connrotation.NewDialer(dial)
-	a.onRotate = d.CloseAll
+
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	a.onRotateList = append(a.onRotateList, d.CloseAll)
+	onRotateListLength := len(a.onRotateList)
+	if onRotateListLength > onRotateListWarningLength {
+		klog.Warningf("constructing many client instances from the same exec auth config can cause performance problems during cert rotation and can exhaust available network connections; %d clients constructed calling %q", onRotateListLength, a.cmd)
+	}
+
 	c.Dial = d.DialContext
 
 	return nil
@@ -251,6 +330,7 @@ func (a *Authenticator) cert() (*tls.Certificate, error) {
 func (a *Authenticator) getCreds() (*credentials, error) {
 	a.mu.Lock()
 	defer a.mu.Unlock()
+
 	if a.cachedCreds != nil && !a.credsExpired() {
 		return a.cachedCreds, nil
 	}
@@ -258,6 +338,7 @@ func (a *Authenticator) getCreds() (*credentials, error) {
 	if err := a.refreshCredsLocked(nil); err != nil {
 		return nil, err
 	}
+
 	return a.cachedCreds, nil
 }
 
@@ -310,7 +391,7 @@ func (a *Authenticator) refreshCredsLocked(r *clientauthentication.Response) err
 	}
 
 	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("exec: %v", err)
+		return a.wrapCmdRunErrorLocked(err)
 	}
 
 	_, gvk, err := codecs.UniversalDecoder(a.group).Decode(stdout.Bytes(), nil, cred)
@@ -346,6 +427,17 @@ func (a *Authenticator) refreshCredsLocked(r *clientauthentication.Response) err
 		if err != nil {
 			return fmt.Errorf("failed parsing client key/certificate: %v", err)
 		}
+
+		// Leaf is initialized to be nil:
+		//  https://golang.org/pkg/crypto/tls/#X509KeyPair
+		// Leaf certificate is the first certificate:
+		//  https://golang.org/pkg/crypto/tls/#Certificate
+		// Populating leaf is useful for quickly accessing the underlying x509
+		// certificate values.
+		cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
+		if err != nil {
+			return fmt.Errorf("failed parsing client leaf certificate: %v", err)
+		}
 		newCreds.cert = &cert
 	}
 
@@ -353,8 +445,52 @@ func (a *Authenticator) refreshCredsLocked(r *clientauthentication.Response) err
 	a.cachedCreds = newCreds
 	// Only close all connections when TLS cert rotates. Token rotation doesn't
 	// need the extra noise.
-	if a.onRotate != nil && oldCreds != nil && !reflect.DeepEqual(oldCreds.cert, a.cachedCreds.cert) {
-		a.onRotate()
+	if oldCreds != nil && !reflect.DeepEqual(oldCreds.cert, a.cachedCreds.cert) {
+		// Can be nil if the exec auth plugin only returned token auth.
+		if oldCreds.cert != nil && oldCreds.cert.Leaf != nil {
+			metrics.ClientCertRotationAge.Observe(time.Now().Sub(oldCreds.cert.Leaf.NotBefore))
+		}
+		for _, onRotate := range a.onRotateList {
+			onRotate()
+		}
 	}
+
+	expiry := time.Time{}
+	if a.cachedCreds.cert != nil && a.cachedCreds.cert.Leaf != nil {
+		expiry = a.cachedCreds.cert.Leaf.NotAfter
+	}
+	expirationMetrics.set(a, expiry)
 	return nil
 }
+
+// wrapCmdRunErrorLocked pulls out the code to construct a helpful error message
+// for when the exec plugin's binary fails to Run().
+//
+// It must be called while holding the Authenticator's mutex.
+func (a *Authenticator) wrapCmdRunErrorLocked(err error) error {
+	switch err.(type) {
+	case *exec.Error: // Binary does not exist (see exec.Error).
+		builder := strings.Builder{}
+		fmt.Fprintf(&builder, "exec: executable %s not found", a.cmd)
+
+		a.sometimes.Do(func() {
+			fmt.Fprint(&builder, installHintVerboseHelp)
+			if a.installHint != "" {
+				fmt.Fprintf(&builder, "\n\n%s", a.installHint)
+			}
+		})
+
+		return errors.New(builder.String())
+
+	case *exec.ExitError: // Binary execution failed (see exec.Cmd.Run()).
+		e := err.(*exec.ExitError)
+		return fmt.Errorf(
+			"exec: executable %s failed with exit code %d",
+			a.cmd,
+			e.ProcessState.ExitCode(),
+		)
+
+	default:
+		return fmt.Errorf("exec: %v", err)
+	}
+}

vendor/k8s.io/client-go/plugin/pkg/client/auth/exec/metrics.go

@@ -0,0 +1,60 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package exec
+
+import (
+	"sync"
+	"time"
+
+	"k8s.io/client-go/tools/metrics"
+)
+
+type certificateExpirationTracker struct {
+	mu        sync.RWMutex
+	m         map[*Authenticator]time.Time
+	metricSet func(*time.Time)
+}
+
+var expirationMetrics = &certificateExpirationTracker{
+	m: map[*Authenticator]time.Time{},
+	metricSet: func(e *time.Time) {
+		metrics.ClientCertExpiry.Set(e)
+	},
+}
+
+// set stores the given expiration time and updates the updates the certificate
+// expiry metric to the earliest expiration time.
+func (c *certificateExpirationTracker) set(a *Authenticator, t time.Time) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.m[a] = t
+
+	earliest := time.Time{}
+	for _, t := range c.m {
+		if t.IsZero() {
+			continue
+		}
+		if earliest.IsZero() || earliest.After(t) {
+			earliest = t
+		}
+	}
+	if earliest.IsZero() {
+		c.metricSet(nil)
+	} else {
+		c.metricSet(&earliest)
+	}
+}

vendor/k8s.io/client-go/plugin/pkg/client/auth/gcp/gcp.go

@@ -33,7 +33,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/yaml"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/util/jsonpath"
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 )
 
 func init() {

vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go

@@ -31,11 +31,11 @@ import (
 	"golang.org/x/oauth2"
 	"k8s.io/apimachinery/pkg/util/net"
 	restclient "k8s.io/client-go/rest"
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 )
 
 const (
-	cfgIssuerUrl                = "idp-issuer-url"
+	cfgIssuerURL                = "idp-issuer-url"
 	cfgClientID                 = "client-id"
 	cfgClientSecret             = "client-secret"
 	cfgCertificateAuthority     = "idp-certificate-authority"
@@ -76,24 +76,25 @@ func newClientCache() *clientCache {
 }
 
 type cacheKey struct {
+	clusterAddress string
 	// Canonical issuer URL string of the provider.
 	issuerURL string
 	clientID  string
 }
 
-func (c *clientCache) getClient(issuer, clientID string) (*oidcAuthProvider, bool) {
+func (c *clientCache) getClient(clusterAddress, issuer, clientID string) (*oidcAuthProvider, bool) {
 	c.mu.RLock()
 	defer c.mu.RUnlock()
-	client, ok := c.cache[cacheKey{issuer, clientID}]
+	client, ok := c.cache[cacheKey{clusterAddress: clusterAddress, issuerURL: issuer, clientID: clientID}]
 	return client, ok
 }
 
 // setClient attempts to put the client in the cache but may return any clients
 // with the same keys set before. This is so there's only ever one client for a provider.
-func (c *clientCache) setClient(issuer, clientID string, client *oidcAuthProvider) *oidcAuthProvider {
+func (c *clientCache) setClient(clusterAddress, issuer, clientID string, client *oidcAuthProvider) *oidcAuthProvider {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	key := cacheKey{issuer, clientID}
+	key := cacheKey{clusterAddress: clusterAddress, issuerURL: issuer, clientID: clientID}
 
 	// If another client has already initialized a client for the given provider we want
 	// to use that client instead of the one we're trying to set. This is so all transports
@@ -107,10 +108,10 @@ func (c *clientCache) setClient(issuer, clientID string, client *oidcAuthProvide
 	return client
 }
 
-func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
-	issuer := cfg[cfgIssuerUrl]
+func newOIDCAuthProvider(clusterAddress string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
+	issuer := cfg[cfgIssuerURL]
 	if issuer == "" {
-		return nil, fmt.Errorf("Must provide %s", cfgIssuerUrl)
+		return nil, fmt.Errorf("Must provide %s", cfgIssuerURL)
 	}
 
 	clientID := cfg[cfgClientID]
@@ -119,7 +120,7 @@ func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.A
 	}
 
 	// Check cache for existing provider.
-	if provider, ok := cache.getClient(issuer, clientID); ok {
+	if provider, ok := cache.getClient(clusterAddress, issuer, clientID); ok {
 		return provider, nil
 	}
 
@@ -157,7 +158,7 @@ func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.A
 		persister: persister,
 	}
 
-	return cache.setClient(issuer, clientID, provider), nil
+	return cache.setClient(clusterAddress, issuer, clientID, provider), nil
 }
 
 type oidcAuthProvider struct {
@@ -215,7 +216,7 @@ func (r *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	return r.wrapped.RoundTrip(r2)
 }
 
-func (t *roundTripper) WrappedRoundTripper() http.RoundTripper { return t.wrapped }
+func (r *roundTripper) WrappedRoundTripper() http.RoundTripper { return r.wrapped }
 
 func (p *oidcAuthProvider) idToken() (string, error) {
 	p.mu.Lock()
@@ -239,7 +240,7 @@ func (p *oidcAuthProvider) idToken() (string, error) {
 	}
 
 	// Determine provider's OAuth2 token endpoint.
-	tokenURL, err := tokenEndpoint(p.client, p.cfg[cfgIssuerUrl])
+	tokenURL, err := tokenEndpoint(p.client, p.cfg[cfgIssuerURL])
 	if err != nil {
 		return "", err
 	}
@@ -262,7 +263,7 @@ func (p *oidcAuthProvider) idToken() (string, error) {
 		// providers (Okta) don't return this value.
 		//
 		// See https://github.com/kubernetes/kubernetes/issues/36847
-		return "", fmt.Errorf("token response did not contain an id_token, either the scope \"openid\" wasn't requested upon login, or the provider doesn't support id_tokens as part of the refresh response.")
+		return "", fmt.Errorf("token response did not contain an id_token, either the scope \"openid\" wasn't requested upon login, or the provider doesn't support id_tokens as part of the refresh response")
 	}
 
 	// Create a new config to persist.

vendor/k8s.io/client-go/plugin/pkg/client/auth/openstack/openstack.go

@@ -1,193 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package openstack
-
-import (
-	"fmt"
-	"net/http"
-	"sync"
-	"time"
-
-	"github.com/gophercloud/gophercloud"
-	"github.com/gophercloud/gophercloud/openstack"
-	"k8s.io/klog"
-
-	"k8s.io/apimachinery/pkg/util/net"
-	restclient "k8s.io/client-go/rest"
-)
-
-func init() {
-	if err := restclient.RegisterAuthProviderPlugin("openstack", newOpenstackAuthProvider); err != nil {
-		klog.Fatalf("Failed to register openstack auth plugin: %s", err)
-	}
-}
-
-// DefaultTTLDuration is the time before a token gets expired.
-const DefaultTTLDuration = 10 * time.Minute
-
-// openstackAuthProvider is an authprovider for openstack. this provider reads
-// the environment variables to determine the client identity, and generates a
-// token which will be inserted into the request header later.
-type openstackAuthProvider struct {
-	ttl         time.Duration
-	tokenGetter TokenGetter
-}
-
-// TokenGetter returns a bearer token that can be inserted into request.
-type TokenGetter interface {
-	Token() (string, error)
-}
-
-type tokenGetter struct {
-	authOpt *gophercloud.AuthOptions
-}
-
-// Token creates a token by authenticate with keystone.
-func (t *tokenGetter) Token() (string, error) {
-	var options gophercloud.AuthOptions
-	var err error
-	if t.authOpt == nil {
-		// reads the config from the environment
-		klog.V(4).Info("reading openstack config from the environment variables")
-		options, err = openstack.AuthOptionsFromEnv()
-		if err != nil {
-			return "", fmt.Errorf("failed to read openstack env vars: %s", err)
-		}
-	} else {
-		options = *t.authOpt
-	}
-	client, err := openstack.AuthenticatedClient(options)
-	if err != nil {
-		return "", fmt.Errorf("authentication failed: %s", err)
-	}
-	return client.TokenID, nil
-}
-
-// cachedGetter caches a token until it gets expired, after the expiration, it will
-// generate another token and cache it.
-type cachedGetter struct {
-	mutex       sync.Mutex
-	tokenGetter TokenGetter
-
-	token string
-	born  time.Time
-	ttl   time.Duration
-}
-
-// Token returns the current available token, create a new one if expired.
-func (c *cachedGetter) Token() (string, error) {
-	c.mutex.Lock()
-	defer c.mutex.Unlock()
-
-	var err error
-	// no token or exceeds the TTL
-	if c.token == "" || time.Since(c.born) > c.ttl {
-		c.token, err = c.tokenGetter.Token()
-		if err != nil {
-			return "", fmt.Errorf("failed to get token: %s", err)
-		}
-		c.born = time.Now()
-	}
-	return c.token, nil
-}
-
-// tokenRoundTripper implements the RoundTripper interface: adding the bearer token
-// into the request header.
-type tokenRoundTripper struct {
-	http.RoundTripper
-
-	tokenGetter TokenGetter
-}
-
-var _ net.RoundTripperWrapper = &tokenRoundTripper{}
-
-// RoundTrip adds the bearer token into the request.
-func (t *tokenRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
-	// if the authorization header already present, use it.
-	if req.Header.Get("Authorization") != "" {
-		return t.RoundTripper.RoundTrip(req)
-	}
-
-	token, err := t.tokenGetter.Token()
-	if err == nil {
-		req.Header.Set("Authorization", "Bearer "+token)
-	} else {
-		klog.V(4).Infof("failed to get token: %s", err)
-	}
-
-	return t.RoundTripper.RoundTrip(req)
-}
-
-func (t *tokenRoundTripper) WrappedRoundTripper() http.RoundTripper { return t.RoundTripper }
-
-// newOpenstackAuthProvider creates an auth provider which works with openstack
-// environment.
-func newOpenstackAuthProvider(_ string, config map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
-	var ttlDuration time.Duration
-	var err error
-
-	klog.Warningf("WARNING: in-tree openstack auth plugin is now deprecated. please use the \"client-keystone-auth\" kubectl/client-go credential plugin instead")
-	ttl, found := config["ttl"]
-	if !found {
-		ttlDuration = DefaultTTLDuration
-		// persist to config
-		config["ttl"] = ttlDuration.String()
-		if err = persister.Persist(config); err != nil {
-			return nil, fmt.Errorf("failed to persist config: %s", err)
-		}
-	} else {
-		ttlDuration, err = time.ParseDuration(ttl)
-		if err != nil {
-			return nil, fmt.Errorf("failed to parse ttl config: %s", err)
-		}
-	}
-
-	authOpt := gophercloud.AuthOptions{
-		IdentityEndpoint: config["identityEndpoint"],
-		Username:         config["username"],
-		Password:         config["password"],
-		DomainName:       config["name"],
-		TenantID:         config["tenantId"],
-		TenantName:       config["tenantName"],
-	}
-
-	getter := tokenGetter{}
-	// not empty
-	if (authOpt != gophercloud.AuthOptions{}) {
-		if len(authOpt.IdentityEndpoint) == 0 {
-			return nil, fmt.Errorf("empty %q in the config for openstack auth provider", "identityEndpoint")
-		}
-		getter.authOpt = &authOpt
-	}
-
-	return &openstackAuthProvider{
-		ttl:         ttlDuration,
-		tokenGetter: &getter,
-	}, nil
-}
-
-func (oap *openstackAuthProvider) WrapTransport(rt http.RoundTripper) http.RoundTripper {
-	return &tokenRoundTripper{
-		RoundTripper: rt,
-		tokenGetter: &cachedGetter{
-			tokenGetter: oap.tokenGetter,
-			ttl:         oap.ttl,
-		},
-	}
-}
-
-func (oap *openstackAuthProvider) Login() error { return nil }

vendor/k8s.io/client-go/plugin/pkg/client/auth/openstack/openstack_stub.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package openstack
+
+import (
+	"errors"
+
+	"k8s.io/client-go/rest"
+	"k8s.io/klog/v2"
+)
+
+func init() {
+	if err := rest.RegisterAuthProviderPlugin("openstack", newOpenstackAuthProvider); err != nil {
+		klog.Fatalf("Failed to register openstack auth plugin: %s", err)
+	}
+}
+
+func newOpenstackAuthProvider(_ string, _ map[string]string, _ rest.AuthProviderConfigPersister) (rest.AuthProvider, error) {
+	return nil, errors.New(`The openstack auth plugin has been removed.
+Please use the "client-keystone-auth" kubectl/client-go credential plugin instead.
+See https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-client-keystone-auth.md for further details`)
+}