go.mod: update k8s deps to v0.26.2 (remove "replace" rule)

Replace rules are not inherited by consumers of buildx as a module, and as
such would default to use the v0.26.2 version. Removing the replace rules
also removes various (indirect) dependencies (although brings in some new
packages from k8s itself).

The "azure" and "gcp" authentication packages in k8s.io/go-client are now
no longer functional, so removing those imports.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

vendor/k8s.io/client-go/tools/auth/clientauth.go

@@ -32,7 +32,7 @@ Having a defined format allows:
 
 The file format is json, marshalled from a struct authcfg.Info.
 
-Clinet libraries in other languages should use the same format.
+Client libraries in other languages should use the same format.
 
 It is not intended to store general preferences, such as default
 namespace, output options, etc.  CLIs (such as kubectl) and UIs should
@@ -65,7 +65,6 @@ package auth
 // TODO: need a way to rotate Tokens.  Therefore, need a way for client object to be reset when the authcfg is updated.
 import (
 	"encoding/json"
-	"io/ioutil"
 	"os"
 
 	restclient "k8s.io/client-go/rest"
@@ -90,7 +89,7 @@ func LoadFromFile(path string) (*Info, error) {
 	if _, err := os.Stat(path); os.IsNotExist(err) {
 		return nil, err
 	}
-	data, err := ioutil.ReadFile(path)
+	data, err := os.ReadFile(path)
 	if err != nil {
 		return nil, err
 	}

vendor/k8s.io/client-go/tools/clientcmd/api/helpers.go

@@ -20,10 +20,11 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path"
 	"path/filepath"
+	"reflect"
+	"strings"
 )
 
 func init() {
@@ -82,21 +83,21 @@ func MinifyConfig(config *Config) error {
 }
 
 var (
-	redactedBytes    []byte
 	dataOmittedBytes []byte
+	redactedBytes    []byte
 )
 
-// Flatten redacts raw data entries from the config object for a human-readable view.
+// ShortenConfig redacts raw data entries from the config object for a human-readable view.
 func ShortenConfig(config *Config) {
-	// trick json encoder into printing a human readable string in the raw data
+	// trick json encoder into printing a human-readable string in the raw data
 	// by base64 decoding what we want to print. Relies on implementation of
 	// http://golang.org/pkg/encoding/json/#Marshal using base64 to encode []byte
 	for key, authInfo := range config.AuthInfos {
 		if len(authInfo.ClientKeyData) > 0 {
-			authInfo.ClientKeyData = redactedBytes
+			authInfo.ClientKeyData = dataOmittedBytes
 		}
 		if len(authInfo.ClientCertificateData) > 0 {
-			authInfo.ClientCertificateData = redactedBytes
+			authInfo.ClientCertificateData = dataOmittedBytes
 		}
 		if len(authInfo.Token) > 0 {
 			authInfo.Token = "REDACTED"
@@ -111,7 +112,7 @@ func ShortenConfig(config *Config) {
 	}
 }
 
-// Flatten changes the config object into a self contained config (useful for making secrets)
+// FlattenConfig changes the config object into a self-contained config (useful for making secrets)
 func FlattenConfig(config *Config) error {
 	for key, authInfo := range config.AuthInfos {
 		baseDir, err := MakeAbs(path.Dir(authInfo.LocationOfOrigin), "")
@@ -152,7 +153,7 @@ func FlattenContent(path *string, contents *[]byte, baseDir string) error {
 
 		var err error
 		absPath := ResolvePath(*path, baseDir)
-		*contents, err = ioutil.ReadFile(absPath)
+		*contents, err = os.ReadFile(absPath)
 		if err != nil {
 			return err
 		}
@@ -189,3 +190,77 @@ func MakeAbs(path, base string) (string, error) {
 	}
 	return filepath.Join(base, path), nil
 }
+
+// RedactSecrets replaces any sensitive values with REDACTED
+func RedactSecrets(config *Config) error {
+	return redactSecrets(reflect.ValueOf(config), false)
+}
+
+func redactSecrets(curr reflect.Value, redact bool) error {
+	redactedBytes = []byte("REDACTED")
+	if !curr.IsValid() {
+		return nil
+	}
+
+	actualCurrValue := curr
+	if curr.Kind() == reflect.Ptr {
+		actualCurrValue = curr.Elem()
+	}
+
+	switch actualCurrValue.Kind() {
+	case reflect.Map:
+		for _, v := range actualCurrValue.MapKeys() {
+			err := redactSecrets(actualCurrValue.MapIndex(v), false)
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+
+	case reflect.String:
+		if redact {
+			if !actualCurrValue.IsZero() {
+				actualCurrValue.SetString("REDACTED")
+			}
+		}
+		return nil
+
+	case reflect.Slice:
+		if actualCurrValue.Type() == reflect.TypeOf([]byte{}) && redact {
+			if !actualCurrValue.IsNil() {
+				actualCurrValue.SetBytes(redactedBytes)
+			}
+			return nil
+		}
+		for i := 0; i < actualCurrValue.Len(); i++ {
+			err := redactSecrets(actualCurrValue.Index(i), false)
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+
+	case reflect.Struct:
+		for fieldIndex := 0; fieldIndex < actualCurrValue.NumField(); fieldIndex++ {
+			currFieldValue := actualCurrValue.Field(fieldIndex)
+			currFieldType := actualCurrValue.Type().Field(fieldIndex)
+			currYamlTag := currFieldType.Tag.Get("datapolicy")
+			currFieldTypeYamlName := strings.Split(currYamlTag, ",")[0]
+			if currFieldTypeYamlName != "" {
+				err := redactSecrets(currFieldValue, true)
+				if err != nil {
+					return err
+				}
+			} else {
+				err := redactSecrets(currFieldValue, false)
+				if err != nil {
+					return err
+				}
+			}
+		}
+		return nil
+
+	default:
+		return nil
+	}
+}

vendor/k8s.io/client-go/tools/clientcmd/api/types.go

@@ -93,6 +93,11 @@ type Cluster struct {
 	// attach, port forward).
 	// +optional
 	ProxyURL string `json:"proxy-url,omitempty"`
+	// DisableCompression allows client to opt-out of response compression for all requests to the server. This is useful
+	// to speed up requests (specifically lists) when client-server network bandwidth is ample, by saving time on
+	// compression (server-side) and decompression (client-side): https://github.com/kubernetes/kubernetes/issues/112296.
+	// +optional
+	DisableCompression bool `json:"disable-compression,omitempty"`
 	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
 	// +optional
 	Extensions map[string]runtime.Object `json:"extensions,omitempty"`

vendor/k8s.io/client-go/tools/clientcmd/api/v1/types.go

@@ -86,6 +86,11 @@ type Cluster struct {
 	// attach, port forward).
 	// +optional
 	ProxyURL string `json:"proxy-url,omitempty"`
+	// DisableCompression allows client to opt-out of response compression for all requests to the server. This is useful
+	// to speed up requests (specifically lists) when client-server network bandwidth is ample, by saving time on
+	// compression (server-side) and decompression (client-side): https://github.com/kubernetes/kubernetes/issues/112296.
+	// +optional
+	DisableCompression bool `json:"disable-compression,omitempty"`
 	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
 	// +optional
 	Extensions []NamedExtension `json:"extensions,omitempty"`

vendor/k8s.io/client-go/tools/clientcmd/api/v1/zz_generated.conversion.go

@@ -257,6 +257,7 @@ func autoConvert_v1_Cluster_To_api_Cluster(in *Cluster, out *api.Cluster, s conv
 	out.CertificateAuthority = in.CertificateAuthority
 	out.CertificateAuthorityData = *(*[]byte)(unsafe.Pointer(&in.CertificateAuthorityData))
 	out.ProxyURL = in.ProxyURL
+	out.DisableCompression = in.DisableCompression
 	if err := Convert_Slice_v1_NamedExtension_To_Map_string_To_runtime_Object(&in.Extensions, &out.Extensions, s); err != nil {
 		return err
 	}
@@ -276,6 +277,7 @@ func autoConvert_api_Cluster_To_v1_Cluster(in *api.Cluster, out *Cluster, s conv
 	out.CertificateAuthority = in.CertificateAuthority
 	out.CertificateAuthorityData = *(*[]byte)(unsafe.Pointer(&in.CertificateAuthorityData))
 	out.ProxyURL = in.ProxyURL
+	out.DisableCompression = in.DisableCompression
 	if err := Convert_Map_string_To_runtime_Object_To_Slice_v1_NamedExtension(&in.Extensions, &out.Extensions, s); err != nil {
 		return err
 	}

vendor/k8s.io/client-go/tools/clientcmd/auth_loaders.go

@@ -20,7 +20,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 
 	"golang.org/x/term"
@@ -59,7 +58,7 @@ func (a *PromptingAuthLoader) LoadAuth(path string) (*clientauth.Info, error) {
 		if err != nil {
 			return &auth, err
 		}
-		err = ioutil.WriteFile(path, data, 0600)
+		err = os.WriteFile(path, data, 0600)
 		return &auth, err
 	}
 	authPtr, err := clientauth.LoadFromFile(path)

vendor/k8s.io/client-go/tools/clientcmd/client_config.go

@@ -19,7 +19,6 @@ package clientcmd
 import (
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
@@ -165,6 +164,8 @@ func (config *DirectClientConfig) ClientConfig() (*restclient.Config, error) {
 		clientConfig.Proxy = http.ProxyURL(u)
 	}
 
+	clientConfig.DisableCompression = configClusterInfo.DisableCompression
+
 	if config.overrides != nil && len(config.overrides.Timeout) > 0 {
 		timeout, err := ParseTimeout(config.overrides.Timeout)
 		if err != nil {
@@ -246,7 +247,7 @@ func (config *DirectClientConfig) getUserIdentificationPartialConfig(configAuthI
 		mergedConfig.BearerToken = configAuthInfo.Token
 		mergedConfig.BearerTokenFile = configAuthInfo.TokenFile
 	} else if len(configAuthInfo.TokenFile) > 0 {
-		tokenBytes, err := ioutil.ReadFile(configAuthInfo.TokenFile)
+		tokenBytes, err := os.ReadFile(configAuthInfo.TokenFile)
 		if err != nil {
 			return nil, err
 		}
@@ -586,7 +587,7 @@ func (config *inClusterClientConfig) Namespace() (string, bool, error) {
 	}
 
 	// Fall back to the namespace associated with the service account token, if available
-	if data, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil {
+	if data, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil {
 		if ns := strings.TrimSpace(string(data)); len(ns) > 0 {
 			return ns, false, nil
 		}

vendor/k8s.io/client-go/tools/clientcmd/loader.go

@@ -18,7 +18,6 @@ package clientcmd
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"reflect"
@@ -283,12 +282,12 @@ func (rules *ClientConfigLoadingRules) Migrate() error {
 			return fmt.Errorf("cannot migrate %v to %v because it is a directory", source, destination)
 		}
 
-		data, err := ioutil.ReadFile(source)
+		data, err := os.ReadFile(source)
 		if err != nil {
 			return err
 		}
 		// destination is created with mode 0666 before umask
-		err = ioutil.WriteFile(destination, data, 0666)
+		err = os.WriteFile(destination, data, 0666)
 		if err != nil {
 			return err
 		}
@@ -363,7 +362,7 @@ func (rules *ClientConfigLoadingRules) IsDefaultConfig(config *restclient.Config
 
 // LoadFromFile takes a filename and deserializes the contents into Config object
 func LoadFromFile(filename string) (*clientcmdapi.Config, error) {
-	kubeconfigBytes, err := ioutil.ReadFile(filename)
+	kubeconfigBytes, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, err
 	}
@@ -429,7 +428,7 @@ func WriteToFile(config clientcmdapi.Config, filename string) error {
 		}
 	}
 
-	if err := ioutil.WriteFile(filename, content, 0600); err != nil {
+	if err := os.WriteFile(filename, content, 0600); err != nil {
 		return err
 	}
 	return nil

vendor/k8s.io/client-go/tools/clientcmd/overrides.go

@@ -74,6 +74,7 @@ type ClusterOverrideFlags struct {
 	InsecureSkipTLSVerify FlagInfo
 	TLSServerName         FlagInfo
 	ProxyURL              FlagInfo
+	DisableCompression    FlagInfo
 }
 
 // FlagInfo contains information about how to register a flag.  This struct is useful if you want to provide a way for an extender to
@@ -143,25 +144,26 @@ func (f FlagInfo) BindBoolFlag(flags *pflag.FlagSet, target *bool) FlagInfo {
 }
 
 const (
-	FlagClusterName      = "cluster"
-	FlagAuthInfoName     = "user"
-	FlagContext          = "context"
-	FlagNamespace        = "namespace"
-	FlagAPIServer        = "server"
-	FlagTLSServerName    = "tls-server-name"
-	FlagInsecure         = "insecure-skip-tls-verify"
-	FlagCertFile         = "client-certificate"
-	FlagKeyFile          = "client-key"
-	FlagCAFile           = "certificate-authority"
-	FlagEmbedCerts       = "embed-certs"
-	FlagBearerToken      = "token"
-	FlagImpersonate      = "as"
-	FlagImpersonateUID   = "as-uid"
-	FlagImpersonateGroup = "as-group"
-	FlagUsername         = "username"
-	FlagPassword         = "password"
-	FlagTimeout          = "request-timeout"
-	FlagProxyURL         = "proxy-url"
+	FlagClusterName        = "cluster"
+	FlagAuthInfoName       = "user"
+	FlagContext            = "context"
+	FlagNamespace          = "namespace"
+	FlagAPIServer          = "server"
+	FlagTLSServerName      = "tls-server-name"
+	FlagInsecure           = "insecure-skip-tls-verify"
+	FlagCertFile           = "client-certificate"
+	FlagKeyFile            = "client-key"
+	FlagCAFile             = "certificate-authority"
+	FlagEmbedCerts         = "embed-certs"
+	FlagBearerToken        = "token"
+	FlagImpersonate        = "as"
+	FlagImpersonateUID     = "as-uid"
+	FlagImpersonateGroup   = "as-group"
+	FlagUsername           = "username"
+	FlagPassword           = "password"
+	FlagTimeout            = "request-timeout"
+	FlagProxyURL           = "proxy-url"
+	FlagDisableCompression = "disable-compression"
 )
 
 // RecommendedConfigOverrideFlags is a convenience method to return recommended flag names prefixed with a string of your choosing
@@ -198,6 +200,7 @@ func RecommendedClusterOverrideFlags(prefix string) ClusterOverrideFlags {
 		InsecureSkipTLSVerify: FlagInfo{prefix + FlagInsecure, "", "false", "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure"},
 		TLSServerName:         FlagInfo{prefix + FlagTLSServerName, "", "", "If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used."},
 		ProxyURL:              FlagInfo{prefix + FlagProxyURL, "", "", "If provided, this URL will be used to connect via proxy"},
+		DisableCompression:    FlagInfo{prefix + FlagDisableCompression, "", "", "If true, opt-out of response compression for all requests to the server"},
 	}
 }
 
@@ -238,6 +241,7 @@ func BindClusterFlags(clusterInfo *clientcmdapi.Cluster, flags *pflag.FlagSet, f
 	flagNames.InsecureSkipTLSVerify.BindBoolFlag(flags, &clusterInfo.InsecureSkipTLSVerify)
 	flagNames.TLSServerName.BindStringFlag(flags, &clusterInfo.TLSServerName)
 	flagNames.ProxyURL.BindStringFlag(flags, &clusterInfo.ProxyURL)
+	flagNames.DisableCompression.BindBoolFlag(flags, &clusterInfo.DisableCompression)
 }
 
 // BindFlags is a convenience method to bind the specified flags to their associated variables

vendor/k8s.io/client-go/tools/reference/ref.go

@@ -34,7 +34,7 @@ var (
 // GetReference returns an ObjectReference which refers to the given
 // object, or an error if the object doesn't follow the conventions
 // that would allow this.
-// TODO: should take a meta.Interface see http://issue.k8s.io/7127
+// TODO: should take a meta.Interface see https://issue.k8s.io/7127
 func GetReference(scheme *runtime.Scheme, obj runtime.Object) (*v1.ObjectReference, error) {
 	if obj == nil {
 		return nil, ErrNilObject

vendor/k8s.io/client-go/tools/remotecommand/errorstream.go

@@ -19,7 +19,6 @@ package remotecommand
 import (
 	"fmt"
 	"io"
-	"io/ioutil"
 
 	"k8s.io/apimachinery/pkg/util/runtime"
 )
@@ -39,7 +38,7 @@ func watchErrorStream(errorStream io.Reader, d errorStreamDecoder) chan error {
 	go func() {
 		defer runtime.HandleCrash()
 
-		message, err := ioutil.ReadAll(errorStream)
+		message, err := io.ReadAll(errorStream)
 		switch {
 		case err != nil && err != io.EOF:
 			errorChan <- fmt.Errorf("error reading from error stream: %s", err)

vendor/k8s.io/client-go/tools/remotecommand/remotecommand.go

@@ -17,6 +17,7 @@ limitations under the License.
 package remotecommand
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"net/http"
@@ -27,7 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/httpstream"
 	"k8s.io/apimachinery/pkg/util/remotecommand"
 	restclient "k8s.io/client-go/rest"
-	spdy "k8s.io/client-go/transport/spdy"
+	"k8s.io/client-go/transport/spdy"
 )
 
 // StreamOptions holds information pertaining to the current streaming session:
@@ -43,11 +44,16 @@ type StreamOptions struct {
 
 // Executor is an interface for transporting shell-style streams.
 type Executor interface {
-	// Stream initiates the transport of the standard shell streams. It will transport any
-	// non-nil stream to a remote system, and return an error if a problem occurs. If tty
-	// is set, the stderr stream is not used (raw TTY manages stdout and stderr over the
-	// stdout stream).
+	// Deprecated: use StreamWithContext instead to avoid possible resource leaks.
+	// See https://github.com/kubernetes/kubernetes/pull/103177 for details.
 	Stream(options StreamOptions) error
+
+	// StreamWithContext initiates the transport of the standard shell streams. It will
+	// transport any non-nil stream to a remote system, and return an error if a problem
+	// occurs. If tty is set, the stderr stream is not used (raw TTY manages stdout and
+	// stderr over the stdout stream).
+	// The context controls the entire lifetime of stream execution.
+	StreamWithContext(ctx context.Context, options StreamOptions) error
 }
 
 type streamCreator interface {
@@ -106,9 +112,14 @@ func NewSPDYExecutorForProtocols(transport http.RoundTripper, upgrader spdy.Upgr
 // Stream opens a protocol streamer to the server and streams until a client closes
 // the connection or the server disconnects.
 func (e *streamExecutor) Stream(options StreamOptions) error {
-	req, err := http.NewRequest(e.method, e.url.String(), nil)
+	return e.StreamWithContext(context.Background(), options)
+}
+
+// newConnectionAndStream creates a new SPDY connection and a stream protocol handler upon it.
+func (e *streamExecutor) newConnectionAndStream(ctx context.Context, options StreamOptions) (httpstream.Connection, streamProtocolHandler, error) {
+	req, err := http.NewRequestWithContext(ctx, e.method, e.url.String(), nil)
 	if err != nil {
-		return fmt.Errorf("error creating request: %v", err)
+		return nil, nil, fmt.Errorf("error creating request: %v", err)
 	}
 
 	conn, protocol, err := spdy.Negotiate(
@@ -118,9 +129,8 @@ func (e *streamExecutor) Stream(options StreamOptions) error {
 		e.protocols...,
 	)
 	if err != nil {
-		return err
+		return nil, nil, err
 	}
-	defer conn.Close()
 
 	var streamer streamProtocolHandler
 
@@ -138,5 +148,35 @@ func (e *streamExecutor) Stream(options StreamOptions) error {
 		streamer = newStreamProtocolV1(options)
 	}
 
-	return streamer.stream(conn)
+	return conn, streamer, nil
+}
+
+// StreamWithContext opens a protocol streamer to the server and streams until a client closes
+// the connection or the server disconnects or the context is done.
+func (e *streamExecutor) StreamWithContext(ctx context.Context, options StreamOptions) error {
+	conn, streamer, err := e.newConnectionAndStream(ctx, options)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	panicChan := make(chan any, 1)
+	errorChan := make(chan error, 1)
+	go func() {
+		defer func() {
+			if p := recover(); p != nil {
+				panicChan <- p
+			}
+		}()
+		errorChan <- streamer.stream(conn)
+	}()
+
+	select {
+	case p := <-panicChan:
+		panic(p)
+	case err := <-errorChan:
+		return err
+	case <-ctx.Done():
+		return ctx.Err()
+	}
 }

vendor/k8s.io/client-go/tools/remotecommand/v1.go

@@ -19,7 +19,6 @@ package remotecommand
 import (
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 
 	"k8s.io/api/core/v1"
@@ -29,8 +28,8 @@ import (
 
 // streamProtocolV1 implements the first version of the streaming exec & attach
 // protocol. This version has some bugs, such as not being able to detect when
-// non-interactive stdin data has ended. See http://issues.k8s.io/13394 and
-// http://issues.k8s.io/13395 for more details.
+// non-interactive stdin data has ended. See https://issues.k8s.io/13394 and
+// https://issues.k8s.io/13395 for more details.
 type streamProtocolV1 struct {
 	StreamOptions
 
@@ -111,7 +110,7 @@ func (p *streamProtocolV1) stream(conn streamCreator) error {
 
 	// always read from errorStream
 	go func() {
-		message, err := ioutil.ReadAll(p.errorStream)
+		message, err := io.ReadAll(p.errorStream)
 		if err != nil && err != io.EOF {
 			errorChan <- fmt.Errorf("Error reading from error stream: %s", err)
 			return

vendor/k8s.io/client-go/tools/remotecommand/v2.go

@@ -19,7 +19,6 @@ package remotecommand
 import (
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"sync"
 
@@ -126,7 +125,7 @@ func (p *streamProtocolV2) copyStdin() {
 
 			// this "copy" doesn't actually read anything - it's just here to wait for
 			// the server to close remoteStdin.
-			if _, err := io.Copy(ioutil.Discard, p.remoteStdin); err != nil {
+			if _, err := io.Copy(io.Discard, p.remoteStdin); err != nil {
 				runtime.HandleError(err)
 			}
 		}()
@@ -145,7 +144,7 @@ func (p *streamProtocolV2) copyStdout(wg *sync.WaitGroup) {
 		// make sure, packet in queue can be consumed.
 		// block in queue may lead to deadlock in conn.server
 		// issue: https://github.com/kubernetes/kubernetes/issues/96339
-		defer io.Copy(ioutil.Discard, p.remoteStdout)
+		defer io.Copy(io.Discard, p.remoteStdout)
 
 		if _, err := io.Copy(p.Stdout, p.remoteStdout); err != nil {
 			runtime.HandleError(err)
@@ -162,7 +161,7 @@ func (p *streamProtocolV2) copyStderr(wg *sync.WaitGroup) {
 	go func() {
 		defer runtime.HandleCrash()
 		defer wg.Done()
-		defer io.Copy(ioutil.Discard, p.remoteStderr)
+		defer io.Copy(io.Discard, p.remoteStderr)
 
 		if _, err := io.Copy(p.Stderr, p.remoteStderr); err != nil {
 			runtime.HandleError(err)