vendor: bump k8s to v0.25.4

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>

vendor/k8s.io/client-go/plugin/pkg/client/auth/azure/azure.go

@@ -88,9 +88,8 @@ var warnOnce sync.Once
 
 func newAzureAuthProvider(_ string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
 	// deprecated in v1.22, remove in v1.25
-	// this should be updated to use klog.Warningf in v1.24 to more actively warn consumers
 	warnOnce.Do(func() {
-		klog.V(1).Infof(`WARNING: the azure auth plugin is deprecated in v1.22+, unavailable in v1.25+; use https://github.com/Azure/kubelogin instead.
+		klog.Warningf(`WARNING: the azure auth plugin is deprecated in v1.22+, unavailable in v1.26+; use https://github.com/Azure/kubelogin instead.
 To learn more, consult https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins`)
 	})
 

vendor/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go

@@ -38,17 +38,17 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
-	"k8s.io/apimachinery/pkg/util/clock"
+	utilnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/client-go/pkg/apis/clientauthentication"
 	"k8s.io/client-go/pkg/apis/clientauthentication/install"
 	clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
-	clientauthenticationv1alpha1 "k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
 	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	"k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/client-go/tools/metrics"
 	"k8s.io/client-go/transport"
 	"k8s.io/client-go/util/connrotation"
 	"k8s.io/klog/v2"
+	"k8s.io/utils/clock"
 )
 
 const execInfoEnv = "KUBERNETES_EXEC_INFO"
@@ -72,9 +72,8 @@ var (
 	globalCache = newCache()
 	// The list of API versions we accept.
 	apiVersions = map[string]schema.GroupVersion{
-		clientauthenticationv1alpha1.SchemeGroupVersion.String(): clientauthenticationv1alpha1.SchemeGroupVersion,
-		clientauthenticationv1beta1.SchemeGroupVersion.String():  clientauthenticationv1beta1.SchemeGroupVersion,
-		clientauthenticationv1.SchemeGroupVersion.String():       clientauthenticationv1.SchemeGroupVersion,
+		clientauthenticationv1beta1.SchemeGroupVersion.String(): clientauthenticationv1beta1.SchemeGroupVersion,
+		clientauthenticationv1.SchemeGroupVersion.String():      clientauthenticationv1.SchemeGroupVersion,
 	}
 )
 
@@ -200,14 +199,18 @@ func newAuthenticator(c *cache, isTerminalFunc func(int) bool, config *api.ExecC
 		now:             time.Now,
 		environ:         os.Environ,
 
-		defaultDialer: defaultDialer,
-		connTracker:   connTracker,
+		connTracker: connTracker,
 	}
 
 	for _, env := range config.Env {
 		a.env = append(a.env, env.Name+"="+env.Value)
 	}
 
+	// these functions are made comparable and stored in the cache so that repeated clientset
+	// construction with the same rest.Config results in a single TLS cache and Authenticator
+	a.getCert = &transport.GetCertHolder{GetCert: a.cert}
+	a.dial = &transport.DialHolder{Dial: defaultDialer.DialContext}
+
 	return c.put(key, a), nil
 }
 
@@ -262,8 +265,6 @@ type Authenticator struct {
 	now             func() time.Time
 	environ         func() []string
 
-	// defaultDialer is used for clients which don't specify a custom dialer
-	defaultDialer *connrotation.Dialer
 	// connTracker tracks all connections opened that we need to close when rotating a client certificate
 	connTracker *connrotation.ConnectionTracker
 
@@ -274,6 +275,12 @@ type Authenticator struct {
 	mu          sync.Mutex
 	cachedCreds *credentials
 	exp         time.Time
+
+	// getCert makes Authenticator.cert comparable to support TLS config caching
+	getCert *transport.GetCertHolder
+	// dial is used for clients which do not specify a custom dialer
+	// it is comparable to support TLS config caching
+	dial *transport.DialHolder
 }
 
 type credentials struct {
@@ -289,8 +296,8 @@ func (a *Authenticator) UpdateTransportConfig(c *transport.Config) error {
 	// also configured to allow client certificates for authentication. For requests
 	// like "kubectl get --token (token) pods" we should assume the intention is to
 	// use the provided token for authentication. The same can be said for when the
-	// user specifies basic auth.
-	if c.HasTokenAuth() || c.HasBasicAuth() {
+	// user specifies basic auth or cert auth.
+	if c.HasTokenAuth() || c.HasBasicAuth() || c.HasCertAuth() {
 		return nil
 	}
 
@@ -298,29 +305,37 @@ func (a *Authenticator) UpdateTransportConfig(c *transport.Config) error {
 		return &roundTripper{a, rt}
 	})
 
-	if c.TLS.GetCert != nil {
+	if c.HasCertCallback() {
 		return errors.New("can't add TLS certificate callback: transport.Config.TLS.GetCert already set")
 	}
-	c.TLS.GetCert = a.cert
+	c.TLS.GetCert = a.getCert.GetCert
+	c.TLS.GetCertHolder = a.getCert // comparable for TLS config caching
 
-	var d *connrotation.Dialer
 	if c.Dial != nil {
 		// if c has a custom dialer, we have to wrap it
-		d = connrotation.NewDialerWithTracker(c.Dial, a.connTracker)
+		// TLS config caching is not supported for this config
+		d := connrotation.NewDialerWithTracker(c.Dial, a.connTracker)
+		c.Dial = d.DialContext
+		c.DialHolder = nil
 	} else {
-		d = a.defaultDialer
+		c.Dial = a.dial.Dial
+		c.DialHolder = a.dial // comparable for TLS config caching
 	}
 
-	c.Dial = d.DialContext
-
 	return nil
 }
 
+var _ utilnet.RoundTripperWrapper = &roundTripper{}
+
 type roundTripper struct {
 	a    *Authenticator
 	base http.RoundTripper
 }
 
+func (r *roundTripper) WrappedRoundTripper() http.RoundTripper {
+	return r.base
+}
+
 func (r *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	// If a user has already set credentials, use that. This makes commands like
 	// "kubectl get --token (token) pods" work.
@@ -341,11 +356,7 @@ func (r *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 		return nil, err
 	}
 	if res.StatusCode == http.StatusUnauthorized {
-		resp := &clientauthentication.Response{
-			Header: res.Header,
-			Code:   int32(res.StatusCode),
-		}
-		if err := r.a.maybeRefreshCreds(creds, resp); err != nil {
+		if err := r.a.maybeRefreshCreds(creds); err != nil {
 			klog.Errorf("refreshing credentials: %v", err)
 		}
 	}
@@ -375,7 +386,7 @@ func (a *Authenticator) getCreds() (*credentials, error) {
 		return a.cachedCreds, nil
 	}
 
-	if err := a.refreshCredsLocked(nil); err != nil {
+	if err := a.refreshCredsLocked(); err != nil {
 		return nil, err
 	}
 
@@ -384,7 +395,7 @@ func (a *Authenticator) getCreds() (*credentials, error) {
 
 // maybeRefreshCreds executes the plugin to force a rotation of the
 // credentials, unless they were rotated already.
-func (a *Authenticator) maybeRefreshCreds(creds *credentials, r *clientauthentication.Response) error {
+func (a *Authenticator) maybeRefreshCreds(creds *credentials) error {
 	a.mu.Lock()
 	defer a.mu.Unlock()
 
@@ -395,12 +406,12 @@ func (a *Authenticator) maybeRefreshCreds(creds *credentials, r *clientauthentic
 		return nil
 	}
 
-	return a.refreshCredsLocked(r)
+	return a.refreshCredsLocked()
 }
 
 // refreshCredsLocked executes the plugin and reads the credentials from
 // stdout. It must be called while holding the Authenticator's mutex.
-func (a *Authenticator) refreshCredsLocked(r *clientauthentication.Response) error {
+func (a *Authenticator) refreshCredsLocked() error {
 	interactive, err := a.interactiveFunc()
 	if err != nil {
 		return fmt.Errorf("exec plugin cannot support interactive mode: %w", err)
@@ -408,7 +419,6 @@ func (a *Authenticator) refreshCredsLocked(r *clientauthentication.Response) err
 
 	cred := &clientauthentication.ExecCredential{
 		Spec: clientauthentication.ExecCredentialSpec{
-			Response:    r,
 			Interactive: interactive,
 		},
 	}

vendor/k8s.io/client-go/plugin/pkg/client/auth/gcp/OWNERS

@@ -1,8 +1,8 @@
 # See the OWNERS docs at https://go.k8s.io/owners
 
 approvers:
-- cjcullen
-- jlowdermilk
+  - cjcullen
 reviewers:
-- cjcullen
-- jlowdermilk
+  - cjcullen
+emeritus_approvers:
+  - jlowdermilk

vendor/k8s.io/client-go/plugin/pkg/client/auth/gcp/gcp.go

@@ -59,55 +59,54 @@ var (
 // tokens for kubectl to authenticate itself to the apiserver. A sample json config
 // is provided below with all recognized options described.
 //
-// {
-//   'auth-provider': {
-//     # Required
-//     "name": "gcp",
+//	{
+//	  'auth-provider': {
+//	    # Required
+//	    "name": "gcp",
 //
-//     'config': {
-//       # Authentication options
-//       # These options are used while getting a token.
+//	    'config': {
+//	      # Authentication options
+//	      # These options are used while getting a token.
 //
-//       # comma-separated list of GCP API scopes. default value of this field
-//       # is "https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/userinfo.email".
-// 		 # to override the API scopes, specify this field explicitly.
-//       "scopes": "https://www.googleapis.com/auth/cloud-platform"
+//	      # comma-separated list of GCP API scopes. default value of this field
+//	      # is "https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/userinfo.email".
+//			 # to override the API scopes, specify this field explicitly.
+//	      "scopes": "https://www.googleapis.com/auth/cloud-platform"
 //
-//       # Caching options
+//	      # Caching options
 //
-//       # Raw string data representing cached access token.
-//       "access-token": "ya29.CjWdA4GiBPTt",
-//       # RFC3339Nano expiration timestamp for cached access token.
-//       "expiry": "2016-10-31 22:31:9.123",
+//	      # Raw string data representing cached access token.
+//	      "access-token": "ya29.CjWdA4GiBPTt",
+//	      # RFC3339Nano expiration timestamp for cached access token.
+//	      "expiry": "2016-10-31 22:31:9.123",
 //
-//       # Command execution options
-//       # These options direct the plugin to execute a specified command and parse
-//       # token and expiry time from the output of the command.
+//	      # Command execution options
+//	      # These options direct the plugin to execute a specified command and parse
+//	      # token and expiry time from the output of the command.
 //
-//       # Command to execute for access token. Command output will be parsed as JSON.
-//       # If "cmd-args" is not present, this value will be split on whitespace, with
-//       # the first element interpreted as the command, remaining elements as args.
-//       "cmd-path": "/usr/bin/gcloud",
+//	      # Command to execute for access token. Command output will be parsed as JSON.
+//	      # If "cmd-args" is not present, this value will be split on whitespace, with
+//	      # the first element interpreted as the command, remaining elements as args.
+//	      "cmd-path": "/usr/bin/gcloud",
 //
-//       # Arguments to pass to command to execute for access token.
-//       "cmd-args": "config config-helper --output=json"
+//	      # Arguments to pass to command to execute for access token.
+//	      "cmd-args": "config config-helper --output=json"
 //
-//       # JSONPath to the string field that represents the access token in
-//       # command output. If omitted, defaults to "{.access_token}".
-//       "token-key": "{.credential.access_token}",
+//	      # JSONPath to the string field that represents the access token in
+//	      # command output. If omitted, defaults to "{.access_token}".
+//	      "token-key": "{.credential.access_token}",
 //
-//       # JSONPath to the string field that represents expiration timestamp
-//       # of the access token in the command output. If omitted, defaults to
-//       # "{.token_expiry}"
-//       "expiry-key": ""{.credential.token_expiry}",
-//
-//       # golang reference time in the format that the expiration timestamp uses.
-//       # If omitted, defaults to time.RFC3339Nano
-//       "time-fmt": "2006-01-02 15:04:05.999999999"
-//     }
-//   }
-// }
+//	      # JSONPath to the string field that represents expiration timestamp
+//	      # of the access token in the command output. If omitted, defaults to
+//	      # "{.token_expiry}"
+//	      "expiry-key": ""{.credential.token_expiry}",
 //
+//	      # golang reference time in the format that the expiration timestamp uses.
+//	      # If omitted, defaults to time.RFC3339Nano
+//	      "time-fmt": "2006-01-02 15:04:05.999999999"
+//	    }
+//	  }
+//	}
 type gcpAuthProvider struct {
 	tokenSource oauth2.TokenSource
 	persister   restclient.AuthProviderConfigPersister
@@ -116,11 +115,9 @@ type gcpAuthProvider struct {
 var warnOnce sync.Once
 
 func newGCPAuthProvider(_ string, gcpConfig map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
-	// deprecated in v1.22, remove in v1.25
-	// this should be updated to use klog.Warningf in v1.24 to more actively warn consumers
 	warnOnce.Do(func() {
-		klog.V(1).Infof(`WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.25+; use gcloud instead.
-To learn more, consult https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins`)
+		klog.Warningf(`WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.26+; use gcloud instead.
+To learn more, consult https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke`)
 	})
 
 	ts, err := tokenSource(isCmdTokenSource(gcpConfig), gcpConfig)