Automatic merge from submit-queue (batch tested with PRs 48068, 49587)
DNS name error message improvement
**What this PR does / why we need it**:
Small error message fix. The error message misled me slightly / would have saved time if correct
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
n/a
**Special notes for your reviewer**:
n/a
**Release note**:
n/a
Automatic merge from submit-queue
complete and correct code comment
**What this PR does / why we need it**:
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
```
Automatic merge from submit-queue (batch tested with PRs 50254, 50174, 50179)
Revert "Merge pull request #47353 from apelisse/http-cache"
Some issues were discovered with the caching merged in #47353:
* uses a disk-based cache that is not safe between processes (does not use atomic fs operations)
* writes get/list responses to disk that should not be cached (like `kubectl get secrets`)
* is vulnerable to partially written cache responses being used as responses to future requests
* breaks uses of the client transport that make use of websockets
* defaults to enabling the cache for any client builder using RecommendedConfigOverrideFlags or DefaultClientConfig which affects more components than just kubectl
This reverts commit fc89743dca, reversing changes made to 29ab38e898.
Automatic merge from submit-queue (batch tested with PRs 50208, 50259, 49702, 50267, 48986)
Relax restrictions on environment variable names.
Fixes#2707
The POSIX standard restricts environment variable names to uppercase letters, digits, and the underscore character in shell contexts only. For generic application usage, it is stated that all other characters shall be tolerated. (Reference [here](http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html), my prose reasoning [here](https://github.com/kubernetes/kubernetes/issues/2707#issuecomment-285309156).)
This change relaxes the rules to some degree. Namely, we stop requiring environment variable names to be strict `C_IDENTIFIERS` and start permitting lowercase, dot, and dash characters.
Public container images using environment variable names beyond the shell-only context can benefit from this relaxation. Elasticsearch is one popular example.
Automatic merge from submit-queue
Removed un-used InodePressure condition.
**What this PR does / why we need it**:
Removed un-used InodePressure condition; kubelet did not report it anymore, so remove it.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#49103
**Release note**:
```release-note
The node condition 'NodeInodePressure' was removed, as kubelet did not report it.
```
1. Deprecate `.spec.rollbackTo` field in extensions/v1beta1 and
apps/v1beta1 Deployments
2. Remove the same field from apps/v1beta2 Deployment, and remove
its rollback subresource and endpoint
Automatic merge from submit-queue
Fix premature return
**What this PR does / why we need it**: Fixes a bug where the loop is prematurely terminated.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#50040
**Special notes for your reviewer**:
**Release note**:
NONE
Automatic merge from submit-queue (batch tested with PRs 49524, 46760, 50206, 50166, 49603)
Handle missing OpenAPI specs on aggregated servers
Previously, the aggregator would fail to actually set up the aggregator
proxy for an API server that was missing an OpenAPI spec. It would show
up in discovery, but the actual proxying would fail to occur.
Now, we simply log an error if we can't fetch an OpenAPI spec for a
particular aggregated server, and continue on.
Fixes#50165
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 50087, 39587, 50042, 50241, 49914)
plugin/pkg/client/auth: add openstack auth provider
This is an implementation of auth provider for OpenStack world, just like python-openstackclient, we read the environment variables of a list `OS_*`, and client will cache a token to interact with each components, we can do the same here, the client side can cache a token locally at the first time, and rotate automatically when it expires.
This requires an implementation of token authenticator at server side, refer:
1. [made by me] https://github.com/kubernetes/kubernetes/pull/25536, I can carry this on when it is fine to go.
2. [made by @kfox1111] https://github.com/kubernetes/kubernetes/pull/25391
The reason why I want to add this is due to the `client-side` nature, it will be confusing to implement it downstream, we would like to add this support here, and customers can get `kubectl` like they usually do(`brew install kubernetes-cli`), and it will just work.
When this is done, we can deprecate the password keystone authenticator as the following reasons:
1. as mentioned at some other places, the `domain` is another parameters which should be provided.
2. in case the user supplies `apikey` and `secrets`, we might want to fill the `UserInfo` with the real name which is not implemented for now.
cc @erictune @liggitt
```
add openstack auth provider
```
Previously, the aggregator would fail to actually set up the aggregator
proxy for an API server that was missing an OpenAPI spec. It would show
up in discovery, but the actual proxying would fail to occur.
Now, we simply log an error if we can't fetch an OpenAPI spec for a
particular aggregated server, and continue on.
Automatic merge from submit-queue (batch tested with PRs 49868, 50143, 49377, 50141, 50145)
Return Audit-Id http response header for trouble shooting
Users can use Audit-Id http response header to grep the audit events in log.
This provides a fast way to find the events in audit.
**Release note**:
```
Audit-Id HTTP header is included in the apiserver responses for audited requests, except some cases when it's not possible, e.g. pods/exec.
```
@sttts @tallclair
Automatic merge from submit-queue (batch tested with PRs 49855, 49915)
Let controllers ignore initialization timeout when creating pods
Partially address https://github.com/kubernetes/kubernetes/issues/48893#issuecomment-318540129.
This only updates the controllers that create pods with `GenerateName`.
The controllers ignore the timeout error when creating the pods, depending on how the initialization progress:
* If the initialization is successful in less than 5 mins, the controller will observe the creation via the informer. All is good.
* If the initialization fails, server will delete the pod, but the controller won't receive any event. The controller will not create new pod until the Creation expectation expires in 5 min.
* If the initialization takes too long (> 5 mins), the Creation expectation expires and the controller will create extra pods.
I'll send follow-up PRs to fix the latter two cases, e.g., by refactoring the sharedInformer.
Automatic merge from submit-queue
Timeout and Max-in-flight don't report non-resource URLs correctly.
Unify error reporting for 429 and 504 to be correct for timeout and max in flight and eviction. Add better messages to eviction (removing a todo). Return the correct body content for timeouts (reason and code should be correct).
This potentially increases cardinality of 429, but because non-api urls may be under the max-inflight budget we need to report them somewhere (if something breaks and starts fetching API versions endlessly).
```release-note
The 504 timeout error was returning a JSON error body that indicated it was a 500. The body contents now correctly report a 500 error.
```
Automatic merge from submit-queue
go-client: Use httpcache client for all requests, even though only openapi returns ETags for caching
**What this PR does / why we need it**: Use HTTP ETag for caching Swagger spec download
This also adds a new command-line flag "cachedir" to specify where the cache should keep its file. It defaults to `$HOME/.kube/http-cache`.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: partly #38637
**Special notes for your reviewer**:
Because this adds a bunch of dependencies, and removes a couple of files, I do recommend reading each commit individually.
**Release note**:
```release-note
```
Add a new command-line cachedir flag to specify where to store the http
cache responses. This cache will only be used for OpenAPI Swagger spec
for now (as this is the only end-point that returns an ETag).
Automatic merge from submit-queue (batch tested with PRs 50119, 48366, 47181, 41611, 49547)
Move remaining cert helper functions from pkg/serviceaccount to client-go/util/cert
**What this PR does / why we need it**:
Unifies all remaining certificate helper functions from pkh/serviceaccount to client-go/util/cert. Private key functions were moved in #40907
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#40807
**Special notes for your reviewer**:
**Release note**:
Automatic merge from submit-queue
kube-gen: cut off dependencies
Only gengo is left and apimachinery/pkg/openapi. The later will go away when #48861 merges.
This is the preparation that we can use kube-gen also from apimachinery without circular dependencies.
Automatic merge from submit-queue (batch tested with PRs 46685, 49863, 50098, 50070, 50096)
Remove 0,1,3 from rand.String to avoid 'bad words'
**What this PR does / why we need it**:
Remove 0,1,3 from the runes to prevent accidental bad words profanity
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#49543
**Special notes for your reviewer**:
/cc @mml @jamesawebb1 @spiffxp
**Release note**:
```release-note
Remove 0,1,3 from rand.String, to avoid 'bad words'
```
