Merge pull request #109510 from sugangli/pinhole-fw

Firewall Pinhole Fix for ILB and NetLB

vendor/github.com/GoogleCloudPlatform/k8s-cloud-provider/pkg/cloud/meta/meta.go

@@ -127,6 +127,8 @@ var AllServices = []*ServiceInfo{
 			"Patch",
 			"Update",
 			"SetSecurityPolicy",
+			"AddSignedUrlKey",
+			"DeleteSignedUrlKey",
 		},
 		options: AggregatedList,
 	},
@@ -140,6 +142,8 @@ var AllServices = []*ServiceInfo{
 		additionalMethods: []string{
 			"Update",
 			"SetSecurityPolicy",
+			"AddSignedUrlKey",
+			"DeleteSignedUrlKey",
 		},
 		options: AggregatedList,
 	},
@@ -153,6 +157,8 @@ var AllServices = []*ServiceInfo{
 		additionalMethods: []string{
 			"Update",
 			"SetSecurityPolicy",
+			"AddSignedUrlKey",
+			"DeleteSignedUrlKey",
 		},
 		options: AggregatedList,
 	},
@@ -222,6 +228,7 @@ var AllServices = []*ServiceInfo{
 		serviceType: reflect.TypeOf(&alpha.FirewallsService{}),
 		additionalMethods: []string{
 			"Update",
+			"Patch",
 		},
 	},
 	{
@@ -233,6 +240,7 @@ var AllServices = []*ServiceInfo{
 		serviceType: reflect.TypeOf(&beta.FirewallsService{}),
 		additionalMethods: []string{
 			"Update",
+			"Patch",
 		},
 	},
 	{
@@ -243,6 +251,51 @@ var AllServices = []*ServiceInfo{
 		serviceType: reflect.TypeOf(&ga.FirewallsService{}),
 		additionalMethods: []string{
 			"Update",
+			"Patch",
+		},
+	},
+	{
+		Object:      "FirewallPolicy",
+		Service:     "NetworkFirewallPolicies",
+		Resource:    "networkFirewallPolicies",
+		version:     VersionAlpha,
+		keyType:     Global,
+		serviceType: reflect.TypeOf(&alpha.NetworkFirewallPoliciesService{}),
+		additionalMethods: []string{
+			"Patch",
+			"GetRule",
+			"AddRule",
+			"PatchRule",
+			"CloneRules",
+			"RemoveRule",
+			"GetAssociation",
+			"AddAssociation",
+			"RemoveAssociation",
+			"GetIamPolicy",
+			"SetIamPolicy",
+			"TestIamPermissions",
+		},
+	},
+	{
+		Object:      "FirewallPolicy",
+		Service:     "RegionNetworkFirewallPolicies",
+		Resource:    "regionNetworkFirewallPolicies",
+		version:     VersionAlpha,
+		keyType:     Regional,
+		serviceType: reflect.TypeOf(&alpha.RegionNetworkFirewallPoliciesService{}),
+		additionalMethods: []string{
+			"Patch",
+			"GetRule",
+			"AddRule",
+			"PatchRule",
+			"CloneRules",
+			"RemoveRule",
+			"GetAssociation",
+			"AddAssociation",
+			"RemoveAssociation",
+			"GetIamPolicy",
+			"SetIamPolicy",
+			"TestIamPermissions",
 		},
 	},
 	{
@@ -444,6 +497,53 @@ var AllServices = []*ServiceInfo{
 			"UpdateNetworkInterface",
 		},
 	},
+	{
+		Object:      "Image",
+		Service:     "Images",
+		Resource:    "Images",
+		keyType:     Global,
+		serviceType: reflect.TypeOf(&ga.ImagesService{}),
+		additionalMethods: []string{
+			"GetFromFamily",
+			"GetIamPolicy",
+			"Patch",
+			"SetIamPolicy",
+			"SetLabels",
+			"TestIamPermissions",
+		},
+	},
+	{
+		Object:      "Image",
+		Service:     "Images",
+		Resource:    "Images",
+		version:     VersionBeta,
+		keyType:     Global,
+		serviceType: reflect.TypeOf(&beta.ImagesService{}),
+		additionalMethods: []string{
+			"GetFromFamily",
+			"GetIamPolicy",
+			"Patch",
+			"SetIamPolicy",
+			"SetLabels",
+			"TestIamPermissions",
+		},
+	},
+	{
+		Object:      "Image",
+		Service:     "Images",
+		Resource:    "Images",
+		version:     VersionAlpha,
+		keyType:     Global,
+		serviceType: reflect.TypeOf(&alpha.ImagesService{}),
+		additionalMethods: []string{
+			"GetFromFamily",
+			"GetIamPolicy",
+			"Patch",
+			"SetIamPolicy",
+			"SetLabels",
+			"TestIamPermissions",
+		},
+	},
 	{
 		Object:      "Network",
 		Service:     "Networks",
@@ -593,6 +693,17 @@ var AllServices = []*ServiceInfo{
 			"RemoveRule",
 		},
 	},
+	{
+		Object:      "ServiceAttachment",
+		Service:     "ServiceAttachments",
+		Resource:    "serviceAttachments",
+		version:     VersionGA,
+		keyType:     Regional,
+		serviceType: reflect.TypeOf(&ga.ServiceAttachmentsService{}),
+		additionalMethods: []string{
+			"Patch",
+		},
+	},
 	{
 		Object:      "ServiceAttachment",
 		Service:     "ServiceAttachments",
@@ -678,6 +789,9 @@ var AllServices = []*ServiceInfo{
 		keyType:     Regional,
 		serviceType: reflect.TypeOf(&alpha.SubnetworksService{}),
 		options:     ListUsable,
+		additionalMethods: []string{
+			"Patch",
+		},
 	},
 	{
 		Object:      "Subnetwork",
@@ -685,8 +799,11 @@ var AllServices = []*ServiceInfo{
 		Resource:    "subnetworks",
 		version:     VersionBeta,
 		keyType:     Regional,
-		serviceType: reflect.TypeOf(&alpha.SubnetworksService{}),
+		serviceType: reflect.TypeOf(&beta.SubnetworksService{}),
 		options:     ListUsable,
+		additionalMethods: []string{
+			"Patch",
+		},
 	},
 	{
 		Object:      "Subnetwork",
@@ -694,8 +811,11 @@ var AllServices = []*ServiceInfo{
 		Resource:    "subnetworks",
 		version:     VersionGA,
 		keyType:     Regional,
-		serviceType: reflect.TypeOf(&alpha.SubnetworksService{}),
+		serviceType: reflect.TypeOf(&ga.SubnetworksService{}),
 		options:     ListUsable,
+		additionalMethods: []string{
+			"Patch",
+		},
 	},
 	{
 		Object:      "TargetHttpProxy",
@@ -870,6 +990,17 @@ var AllServices = []*ServiceInfo{
 			"SetBackendService",
 		},
 	},
+	{
+		Object:      "TargetTcpProxy",
+		Service:     "TargetTcpProxies",
+		Resource:    "targetTcpProxies",
+		version:     VersionGA,
+		keyType:     Global,
+		serviceType: reflect.TypeOf(&ga.TargetTcpProxiesService{}),
+		additionalMethods: []string{
+			"SetBackendService",
+		},
+	},
 	{
 		Object:      "UrlMap",
 		Service:     "UrlMaps",

vendor/github.com/googleapis/gax-go/v2/apierror/apierror.go

@@ -0,0 +1,296 @@
+// Copyright 2021, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Package apierror implements a wrapper error for parsing error details from
+// API calls. Currently, only errors representing a gRPC status are supported.
+package apierror
+
+import (
+	"fmt"
+	"strings"
+
+	jsonerror "github.com/googleapis/gax-go/v2/apierror/internal/proto"
+	"google.golang.org/api/googleapi"
+	"google.golang.org/genproto/googleapis/rpc/errdetails"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/encoding/protojson"
+)
+
+// ErrDetails holds the google/rpc/error_details.proto messages.
+type ErrDetails struct {
+	ErrorInfo           *errdetails.ErrorInfo
+	BadRequest          *errdetails.BadRequest
+	PreconditionFailure *errdetails.PreconditionFailure
+	QuotaFailure        *errdetails.QuotaFailure
+	RetryInfo           *errdetails.RetryInfo
+	ResourceInfo        *errdetails.ResourceInfo
+	RequestInfo         *errdetails.RequestInfo
+	DebugInfo           *errdetails.DebugInfo
+	Help                *errdetails.Help
+	LocalizedMessage    *errdetails.LocalizedMessage
+
+	// Unknown stores unidentifiable error details.
+	Unknown []interface{}
+}
+
+func (e ErrDetails) String() string {
+	var d strings.Builder
+	if e.ErrorInfo != nil {
+		d.WriteString(fmt.Sprintf("error details: name = ErrorInfo reason = %s domain = %s metadata = %s\n",
+			e.ErrorInfo.GetReason(), e.ErrorInfo.GetDomain(), e.ErrorInfo.GetMetadata()))
+	}
+
+	if e.BadRequest != nil {
+		v := e.BadRequest.GetFieldViolations()
+		var f []string
+		var desc []string
+		for _, x := range v {
+			f = append(f, x.GetField())
+			desc = append(desc, x.GetDescription())
+		}
+		d.WriteString(fmt.Sprintf("error details: name = BadRequest field = %s desc = %s\n",
+			strings.Join(f, " "), strings.Join(desc, " ")))
+	}
+
+	if e.PreconditionFailure != nil {
+		v := e.PreconditionFailure.GetViolations()
+		var t []string
+		var s []string
+		var desc []string
+		for _, x := range v {
+			t = append(t, x.GetType())
+			s = append(s, x.GetSubject())
+			desc = append(desc, x.GetDescription())
+		}
+		d.WriteString(fmt.Sprintf("error details: name = PreconditionFailure type = %s subj = %s desc = %s\n", strings.Join(t, " "),
+			strings.Join(s, " "), strings.Join(desc, " ")))
+	}
+
+	if e.QuotaFailure != nil {
+		v := e.QuotaFailure.GetViolations()
+		var s []string
+		var desc []string
+		for _, x := range v {
+			s = append(s, x.GetSubject())
+			desc = append(desc, x.GetDescription())
+		}
+		d.WriteString(fmt.Sprintf("error details: name = QuotaFailure subj = %s desc = %s\n",
+			strings.Join(s, " "), strings.Join(desc, " ")))
+	}
+
+	if e.RequestInfo != nil {
+		d.WriteString(fmt.Sprintf("error details: name = RequestInfo id = %s data = %s\n",
+			e.RequestInfo.GetRequestId(), e.RequestInfo.GetServingData()))
+	}
+
+	if e.ResourceInfo != nil {
+		d.WriteString(fmt.Sprintf("error details: name = ResourceInfo type = %s resourcename = %s owner = %s desc = %s\n",
+			e.ResourceInfo.GetResourceType(), e.ResourceInfo.GetResourceName(),
+			e.ResourceInfo.GetOwner(), e.ResourceInfo.GetDescription()))
+
+	}
+	if e.RetryInfo != nil {
+		d.WriteString(fmt.Sprintf("error details: retry in %s\n", e.RetryInfo.GetRetryDelay().AsDuration()))
+
+	}
+	if e.Unknown != nil {
+		var s []string
+		for _, x := range e.Unknown {
+			s = append(s, fmt.Sprintf("%v", x))
+		}
+		d.WriteString(fmt.Sprintf("error details: name = Unknown  desc = %s\n", strings.Join(s, " ")))
+	}
+
+	if e.DebugInfo != nil {
+		d.WriteString(fmt.Sprintf("error details: name = DebugInfo detail = %s stack = %s\n", e.DebugInfo.GetDetail(),
+			strings.Join(e.DebugInfo.GetStackEntries(), " ")))
+	}
+	if e.Help != nil {
+		var desc []string
+		var url []string
+		for _, x := range e.Help.Links {
+			desc = append(desc, x.GetDescription())
+			url = append(url, x.GetUrl())
+		}
+		d.WriteString(fmt.Sprintf("error details: name = Help desc = %s url = %s\n",
+			strings.Join(desc, " "), strings.Join(url, " ")))
+	}
+	if e.LocalizedMessage != nil {
+		d.WriteString(fmt.Sprintf("error details: name = LocalizedMessage locale = %s msg = %s\n",
+			e.LocalizedMessage.GetLocale(), e.LocalizedMessage.GetMessage()))
+	}
+
+	return d.String()
+}
+
+// APIError wraps either a gRPC Status error or a HTTP googleapi.Error. It
+// implements error and Status interfaces.
+type APIError struct {
+	err     error
+	status  *status.Status
+	httpErr *googleapi.Error
+	details ErrDetails
+}
+
+// Details presents the error details of the APIError.
+func (a *APIError) Details() ErrDetails {
+	return a.details
+}
+
+// Unwrap extracts the original error.
+func (a *APIError) Unwrap() error {
+	return a.err
+}
+
+// Error returns a readable representation of the APIError.
+func (a *APIError) Error() string {
+	var msg string
+	if a.status != nil {
+		msg = a.err.Error()
+	} else if a.httpErr != nil {
+		// Truncate the googleapi.Error message because it dumps the Details in
+		// an ugly way.
+		msg = fmt.Sprintf("googleapi: Error %d: %s", a.httpErr.Code, a.httpErr.Message)
+	}
+	return strings.TrimSpace(fmt.Sprintf("%s\n%s", msg, a.details))
+}
+
+// GRPCStatus extracts the underlying gRPC Status error.
+// This method is necessary to fulfill the interface
+// described in https://pkg.go.dev/google.golang.org/grpc/status#FromError.
+func (a *APIError) GRPCStatus() *status.Status {
+	return a.status
+}
+
+// Reason returns the reason in an ErrorInfo.
+// If ErrorInfo is nil, it returns an empty string.
+func (a *APIError) Reason() string {
+	return a.details.ErrorInfo.GetReason()
+}
+
+// Domain returns the domain in an ErrorInfo.
+// If ErrorInfo is nil, it returns an empty string.
+func (a *APIError) Domain() string {
+	return a.details.ErrorInfo.GetDomain()
+}
+
+// Metadata returns the metadata in an ErrorInfo.
+// If ErrorInfo is nil, it returns nil.
+func (a *APIError) Metadata() map[string]string {
+	return a.details.ErrorInfo.GetMetadata()
+
+}
+
+// FromError parses a Status error or a googleapi.Error and builds an APIError.
+func FromError(err error) (*APIError, bool) {
+	if err == nil {
+		return nil, false
+	}
+
+	ae := APIError{err: err}
+	st, isStatus := status.FromError(err)
+	herr, isHTTPErr := err.(*googleapi.Error)
+
+	switch {
+	case isStatus:
+		ae.status = st
+		ae.details = parseDetails(st.Details())
+	case isHTTPErr:
+		ae.httpErr = herr
+		ae.details = parseHTTPDetails(herr)
+	default:
+		return nil, false
+	}
+
+	return &ae, true
+
+}
+
+// parseDetails accepts a slice of interface{} that should be backed by some
+// sort of proto.Message that can be cast to the google/rpc/error_details.proto
+// types.
+//
+// This is for internal use only.
+func parseDetails(details []interface{}) ErrDetails {
+	var ed ErrDetails
+	for _, d := range details {
+		switch d := d.(type) {
+		case *errdetails.ErrorInfo:
+			ed.ErrorInfo = d
+		case *errdetails.BadRequest:
+			ed.BadRequest = d
+		case *errdetails.PreconditionFailure:
+			ed.PreconditionFailure = d
+		case *errdetails.QuotaFailure:
+			ed.QuotaFailure = d
+		case *errdetails.RetryInfo:
+			ed.RetryInfo = d
+		case *errdetails.ResourceInfo:
+			ed.ResourceInfo = d
+		case *errdetails.RequestInfo:
+			ed.RequestInfo = d
+		case *errdetails.DebugInfo:
+			ed.DebugInfo = d
+		case *errdetails.Help:
+			ed.Help = d
+		case *errdetails.LocalizedMessage:
+			ed.LocalizedMessage = d
+		default:
+			ed.Unknown = append(ed.Unknown, d)
+		}
+	}
+
+	return ed
+}
+
+// parseHTTPDetails will convert the given googleapi.Error into the protobuf
+// representation then parse the Any values that contain the error details.
+//
+// This is for internal use only.
+func parseHTTPDetails(gae *googleapi.Error) ErrDetails {
+	e := &jsonerror.Error{}
+	if err := protojson.Unmarshal([]byte(gae.Body), e); err != nil {
+		// If the error body does not conform to the error schema, ignore it
+		// altogther. See https://cloud.google.com/apis/design/errors#http_mapping.
+		return ErrDetails{}
+	}
+
+	// Coerce the Any messages into proto.Message then parse the details.
+	details := []interface{}{}
+	for _, any := range e.GetError().GetDetails() {
+		m, err := any.UnmarshalNew()
+		if err != nil {
+			// Ignore malformed Any values.
+			continue
+		}
+		details = append(details, m)
+	}
+
+	return parseDetails(details)
+}

vendor/github.com/googleapis/gax-go/v2/apierror/internal/proto/README.md

@@ -0,0 +1,30 @@
+# HTTP JSON Error Schema
+
+The `error.proto` represents the HTTP-JSON schema used by Google APIs to convey
+error payloads as described by https://cloud.google.com/apis/design/errors#http_mapping.
+This package is for internal parsing logic only and should not be used in any
+other context.
+
+## Regeneration
+
+To regenerate the protobuf Go code you will need the following:
+
+* A local copy of [googleapis], the absolute path to which should be exported to
+the environment variable `GOOGLEAPIS`
+* The protobuf compiler [protoc]
+* The Go [protobuf plugin]
+* The [goimports] tool
+
+From this directory run the following command:
+```sh
+protoc -I $GOOGLEAPIS -I. --go_out=. --go_opt=module=github.com/googleapis/gax-go/v2/apierror/internal/proto error.proto
+goimports -w .
+```
+
+Note: the `module` plugin option ensures the generated code is placed in this
+directory, and not in several nested directories defined by `go_package` option.
+
+[googleapis]: https://github.com/googleapis/googleapis
+[protoc]: https://github.com/protocolbuffers/protobuf#protocol-compiler-installation
+[protobuf plugin]: https://developers.google.com/protocol-buffers/docs/reference/go-generated
+[goimports]: https://pkg.go.dev/golang.org/x/tools/cmd/goimports

vendor/github.com/googleapis/gax-go/v2/apierror/internal/proto/error.pb.go

@@ -0,0 +1,278 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.27.1
+// 	protoc        v3.15.8
+// source: error.proto
+
+package jsonerror
+
+import (
+	reflect "reflect"
+	sync "sync"
+
+	code "google.golang.org/genproto/googleapis/rpc/code"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	anypb "google.golang.org/protobuf/types/known/anypb"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// The error format v2 for Google JSON REST APIs.
+// Copied from https://cloud.google.com/apis/design/errors#http_mapping.
+//
+// NOTE: This schema is not used for other wire protocols.
+type Error struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The actual error payload. The nested message structure is for backward
+	// compatibility with Google API client libraries. It also makes the error
+	// more readable to developers.
+	Error *Error_Status `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
+}
+
+func (x *Error) Reset() {
+	*x = Error{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_error_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Error) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Error) ProtoMessage() {}
+
+func (x *Error) ProtoReflect() protoreflect.Message {
+	mi := &file_error_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Error.ProtoReflect.Descriptor instead.
+func (*Error) Descriptor() ([]byte, []int) {
+	return file_error_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Error) GetError() *Error_Status {
+	if x != nil {
+		return x.Error
+	}
+	return nil
+}
+
+// This message has the same semantics as `google.rpc.Status`. It uses HTTP
+// status code instead of gRPC status code. It has an extra field `status`
+// for backward compatibility with Google API Client Libraries.
+type Error_Status struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The HTTP status code that corresponds to `google.rpc.Status.code`.
+	Code int32 `protobuf:"varint,1,opt,name=code,proto3" json:"code,omitempty"`
+	// This corresponds to `google.rpc.Status.message`.
+	Message string `protobuf:"bytes,2,opt,name=message,proto3" json:"message,omitempty"`
+	// This is the enum version for `google.rpc.Status.code`.
+	Status code.Code `protobuf:"varint,4,opt,name=status,proto3,enum=google.rpc.Code" json:"status,omitempty"`
+	// This corresponds to `google.rpc.Status.details`.
+	Details []*anypb.Any `protobuf:"bytes,5,rep,name=details,proto3" json:"details,omitempty"`
+}
+
+func (x *Error_Status) Reset() {
+	*x = Error_Status{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_error_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Error_Status) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Error_Status) ProtoMessage() {}
+
+func (x *Error_Status) ProtoReflect() protoreflect.Message {
+	mi := &file_error_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Error_Status.ProtoReflect.Descriptor instead.
+func (*Error_Status) Descriptor() ([]byte, []int) {
+	return file_error_proto_rawDescGZIP(), []int{0, 0}
+}
+
+func (x *Error_Status) GetCode() int32 {
+	if x != nil {
+		return x.Code
+	}
+	return 0
+}
+
+func (x *Error_Status) GetMessage() string {
+	if x != nil {
+		return x.Message
+	}
+	return ""
+}
+
+func (x *Error_Status) GetStatus() code.Code {
+	if x != nil {
+		return x.Status
+	}
+	return code.Code(0)
+}
+
+func (x *Error_Status) GetDetails() []*anypb.Any {
+	if x != nil {
+		return x.Details
+	}
+	return nil
+}
+
+var File_error_proto protoreflect.FileDescriptor
+
+var file_error_proto_rawDesc = []byte{
+	0x0a, 0x0b, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x05, 0x65,
+	0x72, 0x72, 0x6f, 0x72, 0x1a, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x61, 0x6e, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a,
+	0x15, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x6f, 0x64, 0x65,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc5, 0x01, 0x0a, 0x05, 0x45, 0x72, 0x72, 0x6f, 0x72,
+	0x12, 0x29, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x13, 0x2e, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x2e, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x2e, 0x53, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x1a, 0x90, 0x01, 0x0a, 0x06,
+	0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x05, 0x52, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65,
+	0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6d, 0x65, 0x73,
+	0x73, 0x61, 0x67, 0x65, 0x12, 0x28, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x04,
+	0x20, 0x01, 0x28, 0x0e, 0x32, 0x10, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72, 0x70,
+	0x63, 0x2e, 0x43, 0x6f, 0x64, 0x65, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x2e,
+	0x0a, 0x07, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
+	0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52, 0x07, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x42, 0x43,
+	0x5a, 0x41, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, 0x6f,
+	0x67, 0x6c, 0x65, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x67, 0x61, 0x78, 0x2d, 0x67, 0x6f, 0x2f, 0x76,
+	0x32, 0x2f, 0x61, 0x70, 0x69, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72,
+	0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x3b, 0x6a, 0x73, 0x6f, 0x6e, 0x65, 0x72,
+	0x72, 0x6f, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_error_proto_rawDescOnce sync.Once
+	file_error_proto_rawDescData = file_error_proto_rawDesc
+)
+
+func file_error_proto_rawDescGZIP() []byte {
+	file_error_proto_rawDescOnce.Do(func() {
+		file_error_proto_rawDescData = protoimpl.X.CompressGZIP(file_error_proto_rawDescData)
+	})
+	return file_error_proto_rawDescData
+}
+
+var file_error_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_error_proto_goTypes = []interface{}{
+	(*Error)(nil),        // 0: error.Error
+	(*Error_Status)(nil), // 1: error.Error.Status
+	(code.Code)(0),       // 2: google.rpc.Code
+	(*anypb.Any)(nil),    // 3: google.protobuf.Any
+}
+var file_error_proto_depIdxs = []int32{
+	1, // 0: error.Error.error:type_name -> error.Error.Status
+	2, // 1: error.Error.Status.status:type_name -> google.rpc.Code
+	3, // 2: error.Error.Status.details:type_name -> google.protobuf.Any
+	3, // [3:3] is the sub-list for method output_type
+	3, // [3:3] is the sub-list for method input_type
+	3, // [3:3] is the sub-list for extension type_name
+	3, // [3:3] is the sub-list for extension extendee
+	0, // [0:3] is the sub-list for field type_name
+}
+
+func init() { file_error_proto_init() }
+func file_error_proto_init() {
+	if File_error_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_error_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Error); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_error_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Error_Status); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_error_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_error_proto_goTypes,
+		DependencyIndexes: file_error_proto_depIdxs,
+		MessageInfos:      file_error_proto_msgTypes,
+	}.Build()
+	File_error_proto = out.File
+	file_error_proto_rawDesc = nil
+	file_error_proto_goTypes = nil
+	file_error_proto_depIdxs = nil
+}

vendor/github.com/googleapis/gax-go/v2/apierror/internal/proto/error.proto

@@ -0,0 +1,46 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package error;
+
+import "google/protobuf/any.proto";
+import "google/rpc/code.proto";
+
+option go_package = "github.com/googleapis/gax-go/v2/apierror/internal/proto;jsonerror";
+
+// The error format v2 for Google JSON REST APIs.
+// Copied from https://cloud.google.com/apis/design/errors#http_mapping.
+//
+// NOTE: This schema is not used for other wire protocols.
+message Error {
+  // This message has the same semantics as `google.rpc.Status`. It uses HTTP
+  // status code instead of gRPC status code. It has an extra field `status`
+  // for backward compatibility with Google API Client Libraries.
+  message Status {
+    // The HTTP status code that corresponds to `google.rpc.Status.code`.
+    int32 code = 1;
+    // This corresponds to `google.rpc.Status.message`.
+    string message = 2;
+    // This is the enum version for `google.rpc.Status.code`.
+    google.rpc.Code status = 4;
+    // This corresponds to `google.rpc.Status.details`.
+    repeated google.protobuf.Any details = 5;
+  }
+  // The actual error payload. The nested message structure is for backward
+  // compatibility with Google API client libraries. It also makes the error
+  // more readable to developers.
+  Status error = 1;
+}

vendor/github.com/googleapis/gax-go/v2/call_option.go

@@ -47,7 +47,7 @@ type CallOption interface {
 
 // Retryer is used by Invoke to determine retry behavior.
 type Retryer interface {
-	// Retry reports whether a request should be retriedand how long to pause before retrying
+	// Retry reports whether a request should be retried and how long to pause before retrying
 	// if the previous attempt returned with err. Invoke never calls Retry with nil error.
 	Retry(err error) (pause time.Duration, shouldRetry bool)
 }
@@ -63,6 +63,31 @@ func WithRetry(fn func() Retryer) CallOption {
 	return retryerOption(fn)
 }
 
+// OnErrorFunc returns a Retryer that retries if and only if the previous attempt
+// returns an error that satisfies shouldRetry.
+//
+// Pause times between retries are specified by bo. bo is only used for its
+// parameters; each Retryer has its own copy.
+func OnErrorFunc(bo Backoff, shouldRetry func(err error) bool) Retryer {
+	return &errorRetryer{
+		shouldRetry: shouldRetry,
+		backoff:     bo,
+	}
+}
+
+type errorRetryer struct {
+	backoff     Backoff
+	shouldRetry func(err error) bool
+}
+
+func (r *errorRetryer) Retry(err error) (time.Duration, bool) {
+	if r.shouldRetry(err) {
+		return r.backoff.Pause(), true
+	}
+
+	return 0, false
+}
+
 // OnCodes returns a Retryer that retries if and only if
 // the previous attempt returns a GRPC error whose error code is stored in cc.
 // Pause times between retries are specified by bo.
@@ -94,22 +119,25 @@ func (r *boRetryer) Retry(err error) (time.Duration, bool) {
 	return 0, false
 }
 
-// Backoff implements exponential backoff.
-// The wait time between retries is a random value between 0 and the "retry envelope".
-// The envelope starts at Initial and increases by the factor of Multiplier every retry,
-// but is capped at Max.
+// Backoff implements exponential backoff. The wait time between retries is a
+// random value between 0 and the "retry period" - the time between retries. The
+// retry period starts at Initial and increases by the factor of Multiplier
+// every retry, but is capped at Max.
+//
+// Note: MaxNumRetries / RPCDeadline is specifically not provided. These should
+// be built on top of Backoff.
 type Backoff struct {
-	// Initial is the initial value of the retry envelope, defaults to 1 second.
+	// Initial is the initial value of the retry period, defaults to 1 second.
 	Initial time.Duration
 
-	// Max is the maximum value of the retry envelope, defaults to 30 seconds.
+	// Max is the maximum value of the retry period, defaults to 30 seconds.
 	Max time.Duration
 
-	// Multiplier is the factor by which the retry envelope increases.
+	// Multiplier is the factor by which the retry period increases.
 	// It should be greater than 1 and defaults to 2.
 	Multiplier float64
 
-	// cur is the current retry envelope
+	// cur is the current retry period.
 	cur time.Duration
 }
 

vendor/github.com/googleapis/gax-go/v2/gax.go

@@ -36,4 +36,4 @@
 package gax
 
 // Version specifies the gax-go version being used.
-const Version = "2.0.4"
+const Version = "2.1.1"

vendor/github.com/googleapis/gax-go/v2/invoke.go

@@ -33,13 +33,15 @@ import (
 	"context"
 	"strings"
 	"time"
+
+	"github.com/googleapis/gax-go/v2/apierror"
 )
 
 // APICall is a user defined call stub.
 type APICall func(context.Context, CallSettings) error
 
-// Invoke calls the given APICall,
-// performing retries as specified by opts, if any.
+// Invoke calls the given APICall, performing retries as specified by opts, if
+// any.
 func Invoke(ctx context.Context, call APICall, opts ...CallOption) error {
 	var settings CallSettings
 	for _, opt := range opts {
@@ -71,9 +73,6 @@ func invoke(ctx context.Context, call APICall, settings CallSettings, sp sleeper
 		if err == nil {
 			return nil
 		}
-		if settings.Retry == nil {
-			return err
-		}
 		// Never retry permanent certificate errors. (e.x. if ca-certificates
 		// are not installed). We should only make very few, targeted
 		// exceptions: many (other) status=Unavailable should be retried, such
@@ -83,6 +82,12 @@ func invoke(ctx context.Context, call APICall, settings CallSettings, sp sleeper
 		if strings.Contains(err.Error(), "x509: certificate signed by unknown authority") {
 			return err
 		}
+		if apierr, ok := apierror.FromError(err); ok {
+			err = apierr
+		}
+		if settings.Retry == nil {
+			return err
+		}
 		if retryer == nil {
 			if r := settings.Retry(); r != nil {
 				retryer = r