Add glide.yaml and vendor deps

vendor/k8s.io/kubernetes/pkg/controller/certificates/BUILD

@@ -0,0 +1,42 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "controller.go",
+        "controller_utils.go",
+        "doc.go",
+        "groupapprove.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api/v1:go_default_library",
+        "//pkg/apis/certificates/v1alpha1:go_default_library",
+        "//pkg/client/cache:go_default_library",
+        "//pkg/client/clientset_generated/release_1_5:go_default_library",
+        "//pkg/client/clientset_generated/release_1_5/typed/certificates/v1alpha1:go_default_library",
+        "//pkg/client/clientset_generated/release_1_5/typed/core/v1:go_default_library",
+        "//pkg/client/record:go_default_library",
+        "//pkg/controller:go_default_library",
+        "//pkg/runtime:go_default_library",
+        "//pkg/util/cert:go_default_library",
+        "//pkg/util/runtime:go_default_library",
+        "//pkg/util/wait:go_default_library",
+        "//pkg/util/workqueue:go_default_library",
+        "//pkg/watch:go_default_library",
+        "//vendor:github.com/cloudflare/cfssl/config",
+        "//vendor:github.com/cloudflare/cfssl/signer",
+        "//vendor:github.com/cloudflare/cfssl/signer/local",
+        "//vendor:github.com/golang/glog",
+    ],
+)

vendor/k8s.io/kubernetes/pkg/controller/certificates/controller.go

@@ -0,0 +1,223 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import (
+	"fmt"
+	"time"
+
+	"k8s.io/kubernetes/pkg/api/v1"
+	certificates "k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
+	"k8s.io/kubernetes/pkg/client/cache"
+	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5"
+	v1core "k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5/typed/core/v1"
+	"k8s.io/kubernetes/pkg/client/record"
+	"k8s.io/kubernetes/pkg/controller"
+	"k8s.io/kubernetes/pkg/runtime"
+	utilruntime "k8s.io/kubernetes/pkg/util/runtime"
+	"k8s.io/kubernetes/pkg/util/wait"
+	"k8s.io/kubernetes/pkg/util/workqueue"
+	"k8s.io/kubernetes/pkg/watch"
+
+	"github.com/cloudflare/cfssl/config"
+	"github.com/cloudflare/cfssl/signer"
+	"github.com/cloudflare/cfssl/signer/local"
+	"github.com/golang/glog"
+)
+
+type AutoApprover interface {
+	AutoApprove(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error)
+}
+
+type CertificateController struct {
+	kubeClient clientset.Interface
+
+	// CSR framework and store
+	csrController *cache.Controller
+	csrStore      cache.StoreToCertificateRequestLister
+
+	syncHandler func(csrKey string) error
+
+	approver AutoApprover
+
+	signer *local.Signer
+
+	queue workqueue.RateLimitingInterface
+}
+
+func NewCertificateController(kubeClient clientset.Interface, syncPeriod time.Duration, caCertFile, caKeyFile string, approver AutoApprover) (*CertificateController, error) {
+	// Send events to the apiserver
+	eventBroadcaster := record.NewBroadcaster()
+	eventBroadcaster.StartLogging(glog.Infof)
+	eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: kubeClient.Core().Events("")})
+
+	// Configure cfssl signer
+	// TODO: support non-default policy and remote/pkcs11 signing
+	policy := &config.Signing{
+		Default: config.DefaultConfig(),
+	}
+	ca, err := local.NewSignerFromFile(caCertFile, caKeyFile, policy)
+	if err != nil {
+		return nil, err
+	}
+
+	cc := &CertificateController{
+		kubeClient: kubeClient,
+		queue:      workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "certificate"),
+		signer:     ca,
+		approver:   approver,
+	}
+
+	// Manage the addition/update of certificate requests
+	cc.csrStore.Store, cc.csrController = cache.NewInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				return cc.kubeClient.Certificates().CertificateSigningRequests().List(options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				return cc.kubeClient.Certificates().CertificateSigningRequests().Watch(options)
+			},
+		},
+		&certificates.CertificateSigningRequest{},
+		syncPeriod,
+		cache.ResourceEventHandlerFuncs{
+			AddFunc: func(obj interface{}) {
+				csr := obj.(*certificates.CertificateSigningRequest)
+				glog.V(4).Infof("Adding certificate request %s", csr.Name)
+				cc.enqueueCertificateRequest(obj)
+			},
+			UpdateFunc: func(old, new interface{}) {
+				oldCSR := old.(*certificates.CertificateSigningRequest)
+				glog.V(4).Infof("Updating certificate request %s", oldCSR.Name)
+				cc.enqueueCertificateRequest(new)
+			},
+			DeleteFunc: func(obj interface{}) {
+				csr, ok := obj.(*certificates.CertificateSigningRequest)
+				if !ok {
+					tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
+					if !ok {
+						glog.V(2).Infof("Couldn't get object from tombstone %#v", obj)
+						return
+					}
+					csr, ok = tombstone.Obj.(*certificates.CertificateSigningRequest)
+					if !ok {
+						glog.V(2).Infof("Tombstone contained object that is not a CSR: %#v", obj)
+						return
+					}
+				}
+				glog.V(4).Infof("Deleting certificate request %s", csr.Name)
+				cc.enqueueCertificateRequest(obj)
+			},
+		},
+	)
+	cc.syncHandler = cc.maybeSignCertificate
+	return cc, nil
+}
+
+// Run the main goroutine responsible for watching and syncing jobs.
+func (cc *CertificateController) Run(workers int, stopCh <-chan struct{}) {
+	defer utilruntime.HandleCrash()
+	defer cc.queue.ShutDown()
+
+	go cc.csrController.Run(stopCh)
+
+	glog.Infof("Starting certificate controller manager")
+	for i := 0; i < workers; i++ {
+		go wait.Until(cc.worker, time.Second, stopCh)
+	}
+	<-stopCh
+	glog.Infof("Shutting down certificate controller")
+}
+
+// worker runs a thread that dequeues CSRs, handles them, and marks them done.
+func (cc *CertificateController) worker() {
+	for cc.processNextWorkItem() {
+	}
+}
+
+// processNextWorkItem deals with one key off the queue.  It returns false when it's time to quit.
+func (cc *CertificateController) processNextWorkItem() bool {
+	cKey, quit := cc.queue.Get()
+	if quit {
+		return false
+	}
+	defer cc.queue.Done(cKey)
+
+	err := cc.syncHandler(cKey.(string))
+	if err == nil {
+		cc.queue.Forget(cKey)
+		return true
+	}
+
+	cc.queue.AddRateLimited(cKey)
+	utilruntime.HandleError(fmt.Errorf("Sync %v failed with : %v", cKey, err))
+	return true
+}
+
+func (cc *CertificateController) enqueueCertificateRequest(obj interface{}) {
+	key, err := controller.KeyFunc(obj)
+	if err != nil {
+		utilruntime.HandleError(fmt.Errorf("Couldn't get key for object %+v: %v", obj, err))
+		return
+	}
+	cc.queue.Add(key)
+}
+
+// maybeSignCertificate will inspect the certificate request and, if it has
+// been approved and meets policy expectations, generate an X509 cert using the
+// cluster CA assets. If successful it will update the CSR approve subresource
+// with the signed certificate.
+func (cc *CertificateController) maybeSignCertificate(key string) error {
+	startTime := time.Now()
+	defer func() {
+		glog.V(4).Infof("Finished syncing certificate request %q (%v)", key, time.Now().Sub(startTime))
+	}()
+	obj, exists, err := cc.csrStore.Store.GetByKey(key)
+	if err != nil {
+		return err
+	}
+	if !exists {
+		glog.V(3).Infof("csr has been deleted: %v", key)
+		return nil
+	}
+	csr := obj.(*certificates.CertificateSigningRequest)
+
+	if cc.approver != nil {
+		csr, err = cc.approver.AutoApprove(csr)
+		if err != nil {
+			return fmt.Errorf("error auto approving csr: %v", err)
+		}
+	}
+
+	// At this point, the controller needs to:
+	// 1. Check the approval conditions
+	// 2. Generate a signed certificate
+	// 3. Update the Status subresource
+
+	if csr.Status.Certificate == nil && IsCertificateRequestApproved(csr) {
+		pemBytes := csr.Spec.Request
+		req := signer.SignRequest{Request: string(pemBytes)}
+		certBytes, err := cc.signer.Sign(req)
+		if err != nil {
+			return err
+		}
+		csr.Status.Certificate = certBytes
+	}
+
+	_, err = cc.kubeClient.Certificates().CertificateSigningRequests().UpdateStatus(csr)
+	return err
+}

vendor/k8s.io/kubernetes/pkg/controller/certificates/controller_utils.go

@@ -0,0 +1,45 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import certificates "k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
+
+// IsCertificateRequestApproved returns true if a certificate request has the
+// "Approved" condition and no "Denied" conditions; false otherwise.
+func IsCertificateRequestApproved(csr *certificates.CertificateSigningRequest) bool {
+	approved, denied := getCertApprovalCondition(&csr.Status)
+	return approved && !denied
+}
+
+// IsCertificateRequestDenied returns true if a certificate request has the
+// "Denied" conditions; false otherwise.
+func IsCertificateRequestDenied(csr *certificates.CertificateSigningRequest) bool {
+	_, denied := getCertApprovalCondition(&csr.Status)
+	return denied
+}
+
+func getCertApprovalCondition(status *certificates.CertificateSigningRequestStatus) (approved bool, denied bool) {
+	for _, c := range status.Conditions {
+		if c.Type == certificates.CertificateApproved {
+			approved = true
+		}
+		if c.Type == certificates.CertificateDenied {
+			denied = true
+		}
+	}
+	return
+}

vendor/k8s.io/kubernetes/pkg/controller/certificates/doc.go

@@ -0,0 +1,19 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package certificates contains logic for watching and synchronizing
+// CertificateSigningRequests.
+package certificates

vendor/k8s.io/kubernetes/pkg/controller/certificates/groupapprove.go

@@ -0,0 +1,86 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+
+	certificates "k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
+	clientcertificates "k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5/typed/certificates/v1alpha1"
+	certutil "k8s.io/kubernetes/pkg/util/cert"
+	utilruntime "k8s.io/kubernetes/pkg/util/runtime"
+)
+
+// groupApprover implements AutoApprover for signing Kubelet certificates.
+type groupApprover struct {
+	client                        clientcertificates.CertificateSigningRequestInterface
+	approveAllKubeletCSRsForGroup string
+}
+
+// NewGroupApprover creates an approver that accepts any CSR requests where the subject group contains approveAllKubeletCSRsForGroup.
+func NewGroupApprover(client clientcertificates.CertificateSigningRequestInterface, approveAllKubeletCSRsForGroup string) AutoApprover {
+	return &groupApprover{
+		client: client,
+		approveAllKubeletCSRsForGroup: approveAllKubeletCSRsForGroup,
+	}
+}
+
+func (cc *groupApprover) AutoApprove(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error) {
+	// short-circuit if we're not auto-approving
+	if cc.approveAllKubeletCSRsForGroup == "" {
+		return csr, nil
+	}
+	// short-circuit if we're already approved or denied
+	if approved, denied := getCertApprovalCondition(&csr.Status); approved || denied {
+		return csr, nil
+	}
+
+	isKubeletBootstrapGroup := false
+	for _, g := range csr.Spec.Groups {
+		if g == cc.approveAllKubeletCSRsForGroup {
+			isKubeletBootstrapGroup = true
+			break
+		}
+	}
+	if !isKubeletBootstrapGroup {
+		return csr, nil
+	}
+
+	x509cr, err := certutil.ParseCSRV1alpha1(csr)
+	if err != nil {
+		utilruntime.HandleError(fmt.Errorf("unable to parse csr %q: %v", csr.Name, err))
+		return csr, nil
+	}
+	if !reflect.DeepEqual([]string{"system:nodes"}, x509cr.Subject.Organization) {
+		return csr, nil
+	}
+	if !strings.HasPrefix(x509cr.Subject.CommonName, "system:node:") {
+		return csr, nil
+	}
+	if len(x509cr.DNSNames)+len(x509cr.EmailAddresses)+len(x509cr.IPAddresses) != 0 {
+		return csr, nil
+	}
+
+	csr.Status.Conditions = append(csr.Status.Conditions, certificates.CertificateSigningRequestCondition{
+		Type:    certificates.CertificateApproved,
+		Reason:  "AutoApproved",
+		Message: "Auto approving of all kubelet CSRs is enabled on the controller manager",
+	})
+	return cc.client.UpdateApproval(csr)
+}