Automatic merge from submit-queue (batch tested with PRs 49081, 49318, 49219, 48989, 48486)
Use case-insensitive header keys for `--requestheader-group-headers`.
This flag is documented as being case-insensitive, but the code was
doing a case-sensitive map lookup.
**Release note**:
```release-note
Bug fix: Parsing of `--requestheader-group-headers` in requests should be case-insensitive.
```
Automatic merge from submit-queue (batch tested with PRs 47738, 49196, 48907, 48533, 48822)
Bumps go-oidc version to include fix for jwt header parsing
**What this PR does / why we need it**:
This bumps the go-oidc dependency to use a fix merged in https://github.com/coreos/go-oidc/pull/153 for OIDC providers that don't set an `Expires` header
**Which issue this PR fixes** :
Partially addresses #42654
Also related: https://github.com/coreos/go-oidc/issues/136
**Special notes for your reviewer**:
None
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 47738, 49196, 48907, 48533, 48822)
ParseEncryptionConfiguration: simplify code
**What this PR does / why we need it**:
Reorder `if`-s to make code a bit more readable. It also improves godoc comment and error message.
**Release note**:
```release-note
NONE
```
PTAL @sakshamsharma
Automatic merge from submit-queue (batch tested with PRs 49238, 49595, 43494, 47897, 48905)
adds an admission plugin initializer to the sample apiserver.
**What this PR does / why we need it**:
this PR adds an admission plugin initializer to the sample apiserver.
the plugin initializer is going to be used by an admission plugin
that will use generated informers/listers to list the cluster-scoped resources.
#47868
**Release note**:
```
NONE
```
Automatic merge from submit-queue (batch tested with PRs 49238, 49595, 43494, 47897, 48905)
Add apps/v1beta2.ReplicaSet
~Depends on #48746~ (merged)
~Depends on #49357~ (merged)
xref: #49135
```release-note
Add a new API object apps/v1beta2.ReplicaSet
```
Automatic merge from submit-queue (batch tested with PRs 49665, 49689, 49495, 49146, 48934)
make it possible to allow discovery errors for controllers
Update the discovery client to return partial discovery information *and* an error. Since we can aggregate API servers, discovery of some resources can fail independently. Callers of this function who want to tolerate the errors can, existing callers will still get an error and fail in normal blocks.
@kubernetes/sig-api-machinery-misc @sttts
Automatic merge from submit-queue (batch tested with PRs 47357, 49514, 49271, 49572, 49476)
Updates etcd-client to 3.1.10
I have no idea why azure sdk update became transitive but godeps we're restored before update
Fixes: https://github.com/kubernetes/kubernetes/issues/49386
xref: https://github.com/kubernetes/kubernetes/pull/49393
```
NONE
```
/cc @kubernetes/sig-scalability-pr-reviews @kubernetes/sig-api-machinery-misc @hongchaodeng @wojtek-t
Automatic merge from submit-queue (batch tested with PRs 49259, 49350)
Add envelope encryption transformer
Essential to implement envelope encryption, using a KEK-DEK based encryption scheme which uses an external root of trust (cloudkms, hardware etc).
* Caches known DEKs.
* Creates a new DEK for each write (most common and recommended way of implementing envelope encryption).
* Relies on an implementation of `envelope.Service` which actually implements the encryption and decryption using the external root of trust.
Essential for #48522
@smarterclayton @jcbsmpsn @cheftako @lavalamp @php-coder @destijl @cjcullen
This PR is generic, and independent of any cloudprovider / cloud / KMS code.
For more context: #48574
Automatic merge from submit-queue (batch tested with PRs 49259, 49350)
update json-patch to fix nil value issue when creating mergepatch
**What this PR does / why we need it**:
When [creating a patch for merge](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/annotate.go#L255), nil value will be considered as different value. This has been fixed and merged in [evanphx/json-patch #45](https://github.com/evanphx/json-patch/pull/45).
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#49044
**Special notes for your reviewer**:
/cc @MikeSpreitzer @mengqiy
**Release note**:
```release-note
Fix nil value issue when creating json patch for merge
```
Automatic merge from submit-queue (batch tested with PRs 48976, 49474, 40050, 49426, 49430)
apimachinery: fail early with deepcopy problems during roundtrip tests
If deepcopy is broken for some type, it's easy to diagnose. This PR let's the roundtrip test to fail early in this case.
Automatic merge from submit-queue (batch tested with PRs 48224, 45431, 45946, 48775, 49396)
Expose informer constructors
**What this PR does / why we need it**:
See #45939
**Which issue this PR fixes**
Fixes#45939
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48224, 45431, 45946, 48775, 49396)
[client-go] Fake Dynamic Client
This commit converts `"k8s.io/client-go/dynamic".Client` to an interface, and implements fake versions of both `ClientPool` and `Client`. This allows components which make uses of these clients to be tested in the same way that clientset-based components can be tested, using the standard `testing.Fake` machinery.
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 48224, 45431, 45946, 48775, 49396)
add reflector metrics
This adds metrics (optionally prometheus) to reflectors so that you can see when one reflector is behaving poorly and just how poorly its doing.
@eparis
```release-note
Adds metrics for checking reflector health.
```
Automatic merge from submit-queue (batch tested with PRs 49286, 49550)
Remove myself from a bunch of places
I am assigned in reviews which I never get to do. I prefer drive-bys whenever I can do them rather than the bot choosing myself in random, ends up being mere spam.
@smarterclayton please approve.
Automatic merge from submit-queue (batch tested with PRs 49498, 49192)
Unify genclient tags and add more fine control on verbs generated
This will change the syntax of the existing `genclient` tags be like this:
```
// +genclient
// +genclient:noStatus
// +genclient:noVerbs
// +genclient:nonNamespaced
// +genclient:readonly
```
The first one indicates the client will be generated from the struct below and the other tags are basically options to the genclient (which justify why they should be prefixed with `genclient:`)
This also changes the `// +genclientstatus=false` to `// +genclient:noStatus` to follow the pattern and also changes the `// +noMethods=true` to `// +genclient:noVerbs` as we call the REST operations verbs so it will make it consistent with terminology.
In addition to existing options this patch also add two more to allow more fine-grained control on which verbs are going to be generated. This is extra useful for third-party projects (like OpenShift) where some resources does not implement full CRUD, but for example just "create" verb or "create" and "delete"...
To support that, you can use this syntax:
```
// +genclient:onlyVerbs=create,delete
// +genclient:skipVerbs=patch
```
The first one will generate only create and delete functions and second one will generate full CRUD without "patch" actions. This somehow overlaps with the existing "readonly" tag, but I want to keep that tag in place as it reads better in some cases ;-)
Automatic merge from submit-queue
Remove flags low-diskspace-threshold-mb and outofdisk-transition-frequency
issue: #48843
This removes two flags replaced by the eviction manager. These have been depreciated for two releases, which I believe correctly follows the kubernetes depreciation guidelines.
```release-note
Remove depreciated flags: --low-diskspace-threshold-mb and --outofdisk-transition-frequency, which are replaced by --eviction-hard
```
cc @mtaufen since I am changing kubelet flags
cc @vishh @derekwaynecarr
/sig node
Automatic merge from submit-queue
Fix Operation names for subresources
Subresources may have their kind but in operationID and description we should use their parent kind not their own kind. The subresource name represents subresources and no need to repeat in with their kind. e.g. `Scale` has kind of `Scale` and subresource name of `Scale`. This creates names like `read scale of the specified Scale` or `readCoreV1NamespacedScaleScale` for scale on replication controller. This PR fixes description and operation ID for them to `read scale of the specified ReplicationController` and `readCoreV1NamespacedReplicationControllerScale`.
@caesarxuchao I would like this to be patched in 1.7 too as it is useful for all clients and there is no need to wait for 1.8 for this documentation fix.
```release-note
Fixed OpenAPI Description and Nickname of API objects with subresources
```
fixes#49250
Automatic merge from submit-queue (batch tested with PRs 48636, 49088, 49251, 49417, 49494)
StatefulSet: Remove `pod.alpha.kubernetes.io/initialized` annotation.
The `pod.alpha.kubernetes.io/initialized` annotation was originally a tool for validating StatefulSet's ordered Pod creation guarantees during the feature's alpha phase.
If set to "false" on a given Pod, it would interrupt StatefulSet's normal behavior. In v1.5.0, the annotation was deprecated and the default became "true" as part of StatefulSet's graduation to beta.
The annotation is now ignored, meaning it cannot be used to interrupt StatefulSet Pod management.
```release-note
StatefulSet: The deprecated `pod.alpha.kubernetes.io/initialized` annotation for interrupting StatefulSet Pod management is now ignored. If you were setting it to `true` or leaving it unset, no action is required. However, if you were setting it to `false`, be aware that previously-dormant StatefulSets may become active after upgrading.
```
ref #41605
Automatic merge from submit-queue
stop jsonpath panicing on negative array length
Related downstream issue: https://github.com/openshift/origin/issues/15075
Returns error if provided jsonpath value results in a negative slice index after adding the length of the slice:
```go
a := [0, 1, 2, 3]
b := a[-1:] // 3
c := a[-4:] // 0
d := a[-5:] // out of range error
e := a[4:] // out of range error
```
**Release note**:
```release-note
NONE
```
cc @fabianofranz
Automatic merge from submit-queue
Fix tls config copy in dial test
Fixes a bug introduced in 0d42da1b93 (diff-1748ffb7995a87b1f6bfd534dc5a51abL99) that broke the mutation test check (it was checking an object against itself)
Automatic merge from submit-queue (batch tested with PRs 49444, 47864, 48584, 49395, 49118)
rate limiting should not affect system masters
A `system:masters` user is either a loopback connection or someone with complete access to the cluster. Either way, they should not be rate-limited like a normal client since their requests are more important. This moves the maxinflight checker post-authentication and excluded system:masters from the rate limit.
@smarterclayton as discussed.
@kubernetes/sig-api-machinery-misc
This introduces fake implementations of dynamic.Client and
dynamic.ClientPool. They function similarly to the fake generated
clientsets, since they're also based in testing.Fake.
