From 875b0739aa8bed310e59ef22764f6b37d7e82862 Mon Sep 17 00:00:00 2001 
From: Joshua Casey Date: Sat, 11 May 2024 16:54:11 -0500 Subject: [PATCH] Enforce aliases for 'k8s.io/apimachinery/pkg/util/errors' and 'k8s.io/apimachinery/pkg/api/errors' --- .golangci.yaml | 9 ++++ cmd/pinniped/cmd/whoami.go | 6 +-- cmd/pinniped/cmd/whoami_test.go | 4 +- internal/clientcertissuer/issuer.go | 6 +-- internal/concierge/apiserver/apiserver.go | 4 +- .../concierge/impersonator/impersonator.go | 4 +- .../impersonator/impersonator_test.go | 10 ++-- .../controller/apicerts/apiservice_updater.go | 6 +-- internal/controller/apicerts/certs_expirer.go | 6 +-- internal/controller/apicerts/certs_manager.go | 6 +-- .../controller/apicerts/certs_observer.go | 6 +-- .../jwtcachefiller/jwtcachefiller.go | 4 +- .../webhookcachefiller/webhookcachefiller.go | 8 +-- .../impersonatorconfig/impersonator_config.go | 29 +++++------ .../impersonator_config_test.go | 6 +-- .../controller/kubecertagent/kubecertagent.go | 4 +- .../kubecertagent/kubecertagent_test.go | 4 +- .../kubecertagent/legacypodcleaner.go | 8 +-- .../kubecertagent/legacypodcleaner_test.go | 6 +-- .../pod_command_executor_test.go | 4 +- .../federation_domain_watcher.go | 8 +-- .../generator/federation_domain_secrets.go | 10 ++-- .../federation_domain_secrets_test.go | 6 +-- .../generator/supervisor_secrets.go | 8 +-- .../generator/supervisor_secrets_test.go | 8 +-- .../supervisorconfig/jwks_writer.go | 10 ++-- .../oidcclientwatcher/oidc_client_watcher.go | 6 +-- .../supervisorconfig/tls_cert_observer.go | 6 +-- .../clientregistry/clientregistry.go | 4 +- .../fositestorage/accesstoken/accesstoken.go | 4 +- .../authorizationcode/authorizationcode.go | 6 +-- .../openidconnect/openidconnect.go | 4 +- internal/fositestorage/pkce/pkce.go | 4 +- .../refreshtoken/refreshtoken.go | 4 +- internal/groupsuffix/groupsuffix.go | 4 +- internal/kubeclient/middleware.go | 6 +-- .../localuserauthenticator.go | 6 +-- .../oidcclientsecretstorage.go | 6 +-- internal/supervisor/apiserver/apiserver.go | 4 +- 
internal/testutil/fakekubeapi/fakekubeapi.go | 4 +- .../concierge_credentialrequest_test.go | 4 +- .../concierge_impersonation_proxy_test.go | 52 +++++++++---------- .../concierge_jwtauthenticator_status_test.go | 4 +- .../concierge_kubecertagent_test.go | 8 +-- ...cierge_webhookauthenticator_status_test.go | 4 +- test/integration/concierge_whoami_test.go | 6 +-- test/integration/kubeclient_test.go | 8 +-- test/integration/supervisor_discovery_test.go | 4 +- ...supervisor_federationdomain_status_test.go | 4 +- .../supervisor_oidc_client_test.go | 4 +- .../supervisor_oidcclientsecret_test.go | 6 +-- ...ervisor_storage_garbage_collection_test.go | 12 ++--- test/integration/supervisor_storage_test.go | 4 +- test/testlib/client.go | 12 ++--- 54 files changed, 199 insertions(+), 191 deletions(-) diff --git a/.golangci.yaml b/.golangci.yaml index 4aa0ac499..1504f4263 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -48,6 +48,7 @@ linters: - fatcontext # - canonicalheader Can't do this one since it alerts on valid headers such as X-XSS-Protection - spancheck + - importas issues: exclude-dirs: @@ -91,3 +92,11 @@ linters-settings: - end - record-error - set-status + importas: + no-unaliased: true # All packages explicitly listed below must be aliased + no-extra-aliases: false # Allow other aliases than the ones explicitly listed below + alias: + - pkg: k8s.io/apimachinery/pkg/util/errors + alias: utilerrors + - pkg: k8s.io/apimachinery/pkg/api/errors + alias: apierrors diff --git a/cmd/pinniped/cmd/whoami.go b/cmd/pinniped/cmd/whoami.go index 4a5415c5a..e4aea18ae 100644 --- a/cmd/pinniped/cmd/whoami.go +++ b/cmd/pinniped/cmd/whoami.go @@ -1,4 +1,4 @@ -// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package cmd 
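Review bot: The new `importas` block under `linters-settings` in `.golangci.yaml` states which aliases are required but not why, so a later reader deciding whether a third package belongs in the list has no rule to go by. Both listed packages declare the package name `errors`, so an unaliased import takes the identifier `errors` in that file and hides the standard library package of the same name; the impersonator_config.go import hunk in this same patch removes a case where `k8s.io/apimachinery/pkg/util/errors` was imported twice under two different names. I would add a comment above `alias:` along the lines of `# Both packages are named "errors"; a fixed alias keeps them apart from each other and from the standard library package`. This matters most in the authentication code touched here, where `apierrors.IsNotFound` and `apierrors.IsUnauthorized` decide control flow and should be unambiguous at the call site.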
@@ -12,7 +12,7 @@ import ( "time" "github.com/spf13/cobra" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/serializer" @@ -99,7 +99,7 @@ func runWhoami(output io.Writer, getClientset getConciergeClientsetFunc, flags * whoAmI, err := clientset.IdentityV1alpha1().WhoAmIRequests().Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{}) if err != nil { hint := "" - if errors.IsNotFound(err) { + if apierrors.IsNotFound(err) { hint = " (is the Pinniped WhoAmI API running and healthy?)" } return fmt.Errorf("could not complete WhoAmIRequest%s: %w", hint, err) diff --git a/cmd/pinniped/cmd/whoami_test.go b/cmd/pinniped/cmd/whoami_test.go index 728953510..e40bd15ca 100644 --- a/cmd/pinniped/cmd/whoami_test.go +++ b/cmd/pinniped/cmd/whoami_test.go @@ -8,7 +8,7 @@ import ( "testing" "github.com/stretchr/testify/require" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime" kubetesting "k8s.io/client-go/testing" "k8s.io/client-go/tools/clientcmd" @@ -273,7 +273,7 @@ func TestWhoami(t *testing.T) { }, { name: "calling API fails because WhoAmI API is not installed", - callingAPIErr: errors.NewNotFound(identityv1alpha1.SchemeGroupVersion.WithResource("whoamirequests").GroupResource(), "whatever"), + callingAPIErr: apierrors.NewNotFound(identityv1alpha1.SchemeGroupVersion.WithResource("whoamirequests").GroupResource(), "whatever"), wantError: true, wantStderr: "Error: could not complete WhoAmIRequest (is the Pinniped WhoAmI API running and healthy?): whoamirequests.identity.concierge.pinniped.dev \"whatever\" not found\n", }, diff --git a/internal/clientcertissuer/issuer.go b/internal/clientcertissuer/issuer.go index 1efbc3e7e..f84f7beda 100644 --- a/internal/clientcertissuer/issuer.go +++ b/internal/clientcertissuer/issuer.go 
@@ -1,4 +1,4 @@ -// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package clientcertissuer @@ -8,7 +8,7 @@ import ( "strings" "time" - "k8s.io/apimachinery/pkg/util/errors" + utilerrors "k8s.io/apimachinery/pkg/util/errors" "go.pinniped.dev/internal/constable" ) @@ -48,7 +48,7 @@ func (c ClientCertIssuers) IssueClientCertPEM(username string, groups []string, errs = append(errs, fmt.Errorf("%s failed to issue client cert: %w", issuer.Name(), err)) } - if err := errors.NewAggregate(errs); err != nil { + if err := utilerrors.NewAggregate(errs); err != nil { return nil, nil, err } diff --git a/internal/concierge/apiserver/apiserver.go b/internal/concierge/apiserver/apiserver.go index a43c82261..ad84f67b5 100644 --- a/internal/concierge/apiserver/apiserver.go +++ b/internal/concierge/apiserver/apiserver.go @@ -11,7 +11,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/apimachinery/pkg/util/errors" + utilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apiserver/pkg/registry/rest" genericapiserver "k8s.io/apiserver/pkg/server" @@ -105,7 +105,7 @@ func (c completedConfig) New() (*PinnipedServer, error) { ), ) } - if err := errors.NewAggregate(errs); err != nil { + if err := utilerrors.NewAggregate(errs); err != nil { return nil, fmt.Errorf("could not install API groups: %w", err) } diff --git a/internal/concierge/impersonator/impersonator.go b/internal/concierge/impersonator/impersonator.go index 062ae7aed..f67bb3108 100644 --- a/internal/concierge/impersonator/impersonator.go +++ b/internal/concierge/impersonator/impersonator.go 
@@ -26,7 +26,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/serializer" - "k8s.io/apimachinery/pkg/util/errors" + utilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apimachinery/pkg/util/httpstream" utilnet "k8s.io/apimachinery/pkg/util/net" "k8s.io/apimachinery/pkg/util/sets" @@ -349,7 +349,7 @@ func newInternal( if listener != nil { errs = append(errs, listener.Close()) } - return nil, errors.NewAggregate(errs) + return nil, utilerrors.NewAggregate(errs) } return result, nil } diff --git a/internal/concierge/impersonator/impersonator_test.go b/internal/concierge/impersonator/impersonator_test.go index 289a79bea..3a62071bc 100644 --- a/internal/concierge/impersonator/impersonator_test.go +++ b/internal/concierge/impersonator/impersonator_test.go @@ -21,7 +21,7 @@ import ( "github.com/stretchr/testify/require" authenticationv1 "k8s.io/api/authentication/v1" corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructuredscheme" "k8s.io/apimachinery/pkg/runtime" @@ -1010,7 +1010,7 @@ func TestImpersonator(t *testing.T) { probeBody, errProbe := rc.Get().AbsPath("/probe").DoRaw(ctx) if tt.anonymousAuthDisabled { - require.True(t, errors.IsUnauthorized(errProbe), errProbe) + require.True(t, apierrors.IsUnauthorized(errProbe), errProbe) require.Equal(t, `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}`+"\n", string(probeBody)) } else { require.NoError(t, errProbe) 
@@ -1019,7 +1019,7 @@ func TestImpersonator(t *testing.T) { notTCRBody, errNotTCR := rc.Get().Resource("tokencredentialrequests").DoRaw(ctx) if tt.anonymousAuthDisabled { - require.True(t, errors.IsUnauthorized(errNotTCR), errNotTCR) + require.True(t, apierrors.IsUnauthorized(errNotTCR), errNotTCR) require.Equal(t, `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}`+"\n", string(notTCRBody)) } else { require.NoError(t, errNotTCR) @@ -1028,7 +1028,7 @@ func TestImpersonator(t *testing.T) { ducksBody, errDucks := rc.Get().Resource("ducks").DoRaw(ctx) if tt.anonymousAuthDisabled { - require.True(t, errors.IsUnauthorized(errDucks), errDucks) + require.True(t, apierrors.IsUnauthorized(errDucks), errDucks) require.Equal(t, `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}`+"\n", string(ducksBody)) } else { require.NoError(t, errDucks) @@ -1046,7 +1046,7 @@ func TestImpersonator(t *testing.T) { require.NoError(t, err) _, errBadCert := tcrBadCert.PinnipedConcierge.LoginV1alpha1().TokenCredentialRequests().Create(ctx, &loginv1alpha1.TokenCredentialRequest{}, metav1.CreateOptions{}) - require.True(t, errors.IsUnauthorized(errBadCert), errBadCert) + require.True(t, apierrors.IsUnauthorized(errBadCert), errBadCert) require.EqualError(t, errBadCert, "Unauthorized") }) } diff --git a/internal/controller/apicerts/apiservice_updater.go b/internal/controller/apicerts/apiservice_updater.go index 574d9c88b..f938b436e 100644 --- a/internal/controller/apicerts/apiservice_updater.go +++ b/internal/controller/apicerts/apiservice_updater.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package apicerts 
@@ -6,7 +6,7 @@ package apicerts import ( "fmt" - k8serrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" corev1informers "k8s.io/client-go/informers/core/v1" aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset" @@ -53,7 +53,7 @@ func NewAPIServiceUpdaterController( func (c *apiServiceUpdaterController) Sync(ctx controllerlib.Context) error { // Try to get the secret from the informer cache. certSecret, err := c.secretInformer.Lister().Secrets(c.namespace).Get(c.certsSecretResourceName) - notFound := k8serrors.IsNotFound(err) + notFound := apierrors.IsNotFound(err) if err != nil && !notFound { return fmt.Errorf("failed to get %s/%s secret: %w", c.namespace, c.certsSecretResourceName, err) } diff --git a/internal/controller/apicerts/certs_expirer.go b/internal/controller/apicerts/certs_expirer.go index bb4a28f84..a6edbe62b 100644 --- a/internal/controller/apicerts/certs_expirer.go +++ b/internal/controller/apicerts/certs_expirer.go @@ -1,4 +1,4 @@ -// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package apicerts @@ -10,7 +10,7 @@ import ( "time" corev1 "k8s.io/api/core/v1" - k8serrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" corev1informers "k8s.io/client-go/informers/core/v1" "k8s.io/client-go/kubernetes" @@ -74,7 +74,7 @@ func NewCertsExpirerController( // Sync implements controller.Syncer.Sync. func (c *certsExpirerController) Sync(ctx controllerlib.Context) error { secret, err := c.secretInformer.Lister().Secrets(c.namespace).Get(c.certsSecretResourceName) - notFound := k8serrors.IsNotFound(err) + notFound := apierrors.IsNotFound(err) if err != nil && !notFound { return fmt.Errorf("failed to get %s/%s secret: %w", c.namespace, c.certsSecretResourceName, err) } 
diff --git a/internal/controller/apicerts/certs_manager.go b/internal/controller/apicerts/certs_manager.go index d85514527..c99d5162d 100644 --- a/internal/controller/apicerts/certs_manager.go +++ b/internal/controller/apicerts/certs_manager.go @@ -1,4 +1,4 @@ -// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package apicerts @@ -8,7 +8,7 @@ import ( "time" corev1 "k8s.io/api/core/v1" - k8serrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" corev1informers "k8s.io/client-go/informers/core/v1" "k8s.io/client-go/kubernetes" @@ -83,7 +83,7 @@ func NewCertsManagerController( func (c *certsManagerController) Sync(ctx controllerlib.Context) error { // Try to get the secret from the informer cache. _, err := c.secretInformer.Lister().Secrets(c.namespace).Get(c.certsSecretResourceName) - notFound := k8serrors.IsNotFound(err) + notFound := apierrors.IsNotFound(err) if err != nil && !notFound { return fmt.Errorf("failed to get %s/%s secret: %w", c.namespace, c.certsSecretResourceName, err) } diff --git a/internal/controller/apicerts/certs_observer.go b/internal/controller/apicerts/certs_observer.go index 704020f7b..631928afe 100644 --- a/internal/controller/apicerts/certs_observer.go +++ b/internal/controller/apicerts/certs_observer.go @@ -1,4 +1,4 @@ -// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package apicerts @@ -6,7 +6,7 @@ package apicerts import ( "fmt" - k8serrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" corev1informers "k8s.io/client-go/informers/core/v1" pinnipedcontroller "go.pinniped.dev/internal/controller" 
@@ -50,7 +50,7 @@ func NewCertsObserverController( func (c *certsObserverController) Sync(_ controllerlib.Context) error { // Try to get the secret from the informer cache. certSecret, err := c.secretInformer.Lister().Secrets(c.namespace).Get(c.certsSecretResourceName) - notFound := k8serrors.IsNotFound(err) + notFound := apierrors.IsNotFound(err) if err != nil && !notFound { return fmt.Errorf("failed to get %s/%s secret: %w", c.namespace, c.certsSecretResourceName, err) } diff --git a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go index 30016836d..1159aa1da 100644 --- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go +++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go @@ -21,7 +21,7 @@ import ( "k8s.io/apimachinery/pkg/api/equality" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - errorsutil "k8s.io/apimachinery/pkg/util/errors" + utilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apiserver/pkg/apis/apiserver" "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc" @@ -229,7 +229,7 @@ func (c *jwtCacheFillerController) Sync(ctx controllerlib.Context) error { // object. The controller simply must wait for a user to correct before running again. // - Other errors, such as networking errors, etc. are the types of errors that should return here // and signal the controller to retry the sync loop. These may be corrected by machines. - return errorsutil.NewAggregate(errs) + return utilerrors.NewAggregate(errs) } func (c *jwtCacheFillerController) extractValueAsJWTAuthenticator(value authncache.Value) *cachedJWTAuthenticator { diff --git a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go index 2ad717a9f..284fd6389 100644 
--- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go +++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go @@ -14,9 +14,9 @@ import ( k8sauthv1beta1 "k8s.io/api/authentication/v1beta1" "k8s.io/apimachinery/pkg/api/equality" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - errorsutil "k8s.io/apimachinery/pkg/util/errors" + utilerrors "k8s.io/apimachinery/pkg/util/errors" k8snetutil "k8s.io/apimachinery/pkg/util/net" "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook" @@ -95,7 +95,7 @@ type webhookCacheFillerController struct { // Sync implements controllerlib.Syncer. func (c *webhookCacheFillerController) Sync(ctx controllerlib.Context) error { obj, err := c.webhooks.Lister().Get(ctx.Key.Name) - if err != nil && errors.IsNotFound(err) { + if err != nil && apierrors.IsNotFound(err) { c.log.Info("Sync() found that the WebhookAuthenticator does not exist yet or was deleted") return nil } @@ -141,7 +141,7 @@ func (c *webhookCacheFillerController) Sync(ctx controllerlib.Context) error { // object. The controller simply must wait for a user to correct before running again. // - other errors, such as networking errors, etc. are the types of errors that should return here // and signal the controller to retry the sync loop. These may be corrected by machines. - return errorsutil.NewAggregate(errs) + return utilerrors.NewAggregate(errs) } // newWebhookAuthenticator creates a webhook from the provided API server url and caBundle diff --git a/internal/controller/impersonatorconfig/impersonator_config.go b/internal/controller/impersonatorconfig/impersonator_config.go index 2a5af83c9..6edbfa82c 100644 --- a/internal/controller/impersonatorconfig/impersonator_config.go +++ b/internal/controller/impersonatorconfig/impersonator_config.go 
@@ -19,9 +19,8 @@ import ( "github.com/go-logr/logr" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/equality" - k8serrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/errors" utilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apimachinery/pkg/util/intstr" utilruntime "k8s.io/apimachinery/pkg/util/runtime" @@ -221,7 +220,7 @@ func (c *impersonatorConfigController) Sync(syncCtx controllerlib.Context) error // recover on a following sync. func strategyReasonForError(err error) v1alpha1.StrategyReason { switch { - case k8serrors.IsConflict(err), k8serrors.IsAlreadyExists(err): + case apierrors.IsConflict(err), apierrors.IsAlreadyExists(err): return v1alpha1.PendingStrategyReason default: return v1alpha1.ErrorDuringSetupStrategyReason @@ -442,7 +441,7 @@ func (c *impersonatorConfigController) shouldHaveClusterIPService(config *v1alph func (c *impersonatorConfigController) serviceExists(serviceName string) (bool, *corev1.Service, error) { service, err := c.servicesInformer.Lister().Services(c.namespace).Get(serviceName) - notFound := k8serrors.IsNotFound(err) + notFound := apierrors.IsNotFound(err) if notFound { return false, nil, nil } @@ -454,7 +453,7 @@ func (c *impersonatorConfigController) serviceExists(serviceName string) (bool, func (c *impersonatorConfigController) tlsSecretExists() (bool, *corev1.Secret, error) { secret, err := c.secretsInformer.Lister().Secrets(c.namespace).Get(c.tlsSecretName) - notFound := k8serrors.IsNotFound(err) + notFound := apierrors.IsNotFound(err) if notFound { return false, nil, nil } 
@@ -481,7 +480,7 @@ func (c *impersonatorConfigController) ensureImpersonatorIsStarted(syncCtx contr // and we'll have a chance to restart the server. close(c.errorCh) // We don't want ensureImpersonatorIsStopped to block on reading this channel. stoppingErr := c.ensureImpersonatorIsStopped(false) - return errors.NewAggregate([]error{runningErr, stoppingErr}) + return utilerrors.NewAggregate([]error{runningErr, stoppingErr}) default: // Seems like it is still running, so nothing to do. return nil @@ -581,7 +580,7 @@ func (c *impersonatorConfigController) ensureLoadBalancerIsStopped(ctx context.C ResourceVersion: &service.ResourceVersion, }, }) - return utilerrors.FilterOut(err, k8serrors.IsNotFound) + return utilerrors.FilterOut(err, apierrors.IsNotFound) } func (c *impersonatorConfigController) ensureClusterIPServiceIsStarted(ctx context.Context, config *v1alpha1.ImpersonationProxySpec) error { @@ -626,7 +625,7 @@ func (c *impersonatorConfigController) ensureClusterIPServiceIsStopped(ctx conte ResourceVersion: &service.ResourceVersion, }, }) - return utilerrors.FilterOut(err, k8serrors.IsNotFound) + return utilerrors.FilterOut(err, apierrors.IsNotFound) } func (c *impersonatorConfigController) createOrUpdateService(ctx context.Context, desiredService *corev1.Service) error { @@ -654,7 +653,7 @@ func (c *impersonatorConfigController) createOrUpdateService(ctx context.Context // Get the Service from the informer, and create it if it does not already exist. existingService, err := c.servicesInformer.Lister().Services(c.namespace).Get(desiredService.Name) - if k8serrors.IsNotFound(err) { + if apierrors.IsNotFound(err) { log.Info("creating service for impersonation proxy") _, err := c.k8sClient.CoreV1().Services(c.namespace).Create(ctx, desiredService, metav1.CreateOptions{}) return err 
@@ -755,7 +754,7 @@ func (c *impersonatorConfigController) readExternalTLSSecret(externalTLSSecretNa func (c *impersonatorConfigController) ensureTLSSecret(ctx context.Context, nameInfo *certNameInfo, ca *certauthority.CA) error { secretFromInformer, err := c.secretsInformer.Lister().Secrets(c.namespace).Get(c.tlsSecretName) - notFound := k8serrors.IsNotFound(err) + notFound := apierrors.IsNotFound(err) if !notFound && err != nil { return err } @@ -898,12 +897,12 @@ func (c *impersonatorConfigController) ensureTLSSecretIsCreatedAndLoaded(ctx con func (c *impersonatorConfigController) ensureCASecretIsCreated(ctx context.Context) (*certauthority.CA, error) { caSecret, err := c.secretsInformer.Lister().Secrets(c.namespace).Get(c.caSecretName) - if err != nil && !k8serrors.IsNotFound(err) { + if err != nil && !apierrors.IsNotFound(err) { return nil, err } var impersonationCA *certauthority.CA - if k8serrors.IsNotFound(err) { + if apierrors.IsNotFound(err) { impersonationCA, err = c.createCASecret(ctx) } else { crtBytes := caSecret.Data[caCrtKey] @@ -972,7 +971,7 @@ func (c *impersonatorConfigController) findTLSCertificateNameFromEndpointConfig( func (c *impersonatorConfigController) findTLSCertificateNameFromLoadBalancer() (*certNameInfo, error) { lb, err := c.servicesInformer.Lister().Services(c.namespace).Get(c.generatedLoadBalancerServiceName) - notFound := k8serrors.IsNotFound(err) + notFound := apierrors.IsNotFound(err) if notFound { // We aren't ready and will try again later in this case. return &certNameInfo{ready: false}, nil 
@@ -1006,7 +1005,7 @@ func (c *impersonatorConfigController) findTLSCertificateNameFromLoadBalancer() func (c *impersonatorConfigController) findTLSCertificateNameFromClusterIPService() (*certNameInfo, error) { clusterIP, err := c.servicesInformer.Lister().Services(c.namespace).Get(c.generatedClusterIPServiceName) - notFound := k8serrors.IsNotFound(err) + notFound := apierrors.IsNotFound(err) if notFound { // We aren't ready and will try again later in this case. return &certNameInfo{ready: false}, nil @@ -1103,7 +1102,7 @@ func (c *impersonatorConfigController) ensureTLSSecretIsRemoved(ctx context.Cont }) // it is okay if we tried to delete and we got a not found error. This probably means // another instance of the concierge got here first so there's nothing to delete. - return utilerrors.FilterOut(err, k8serrors.IsNotFound) + return utilerrors.FilterOut(err, apierrors.IsNotFound) } func (c *impersonatorConfigController) clearTLSSecret() { diff --git a/internal/controller/impersonatorconfig/impersonator_config_test.go b/internal/controller/impersonatorconfig/impersonator_config_test.go index a39b477af..9dad42e32 100644 --- a/internal/controller/impersonatorconfig/impersonator_config_test.go +++ b/internal/controller/impersonatorconfig/impersonator_config_test.go @@ -1,4 +1,4 @@ -// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package impersonatorconfig @@ -25,7 +25,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" - k8serrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -3542,7 +3542,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { it.Before(func() { addNodeWithRoleToTracker("worker", kubeAPIClient) kubeAPIClient.PrependReactor("create", "services", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) { - return true, nil, k8serrors.NewAlreadyExists( + return true, nil, apierrors.NewAlreadyExists( action.GetResource().GroupResource(), action.(coretesting.CreateAction).GetObject().(*corev1.Service).Name, ) diff --git a/internal/controller/kubecertagent/kubecertagent.go b/internal/controller/kubecertagent/kubecertagent.go index 7afcdc147..2a441fc90 100644 --- a/internal/controller/kubecertagent/kubecertagent.go +++ b/internal/controller/kubecertagent/kubecertagent.go @@ -19,7 +19,7 @@ import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" apiequality "k8s.io/apimachinery/pkg/api/equality" - k8serrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" @@ -396,7 +396,7 @@ func (c *agentController) createOrUpdateDeployment(ctx controllerlib.Context, ne // Try to get the existing Deployment, if it exists. existingDeployment, err := c.agentDeployments.Lister().Deployments(expectedDeployment.Namespace).Get(expectedDeployment.Name) - notFound := k8serrors.IsNotFound(err) + notFound := apierrors.IsNotFound(err) if err != nil && !notFound { return fmt.Errorf("could not get deployments: %w", err) } diff --git a/internal/controller/kubecertagent/kubecertagent_test.go b/internal/controller/kubecertagent/kubecertagent_test.go index 1308e12a8..3f7e38010 100644 --- a/internal/controller/kubecertagent/kubecertagent_test.go +++ b/internal/controller/kubecertagent/kubecertagent_test.go 
@@ -15,7 +15,7 @@ import ( "go.uber.org/mock/gomock" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" @@ -1267,7 +1267,7 @@ func hasDeploymentSynced(client kubernetes.Interface, kubeInformers informers.Sh cachedDep, cachedErr := kubeInformers.Apps().V1().Deployments().Lister().Deployments("concierge"). Get("pinniped-concierge-kube-cert-agent") - if errors.IsNotFound(realErr) && errors.IsNotFound(cachedErr) { + if apierrors.IsNotFound(realErr) && apierrors.IsNotFound(cachedErr) { return } diff --git a/internal/controller/kubecertagent/legacypodcleaner.go b/internal/controller/kubecertagent/legacypodcleaner.go index 8c8a6cf92..8a776811e 100644 --- a/internal/controller/kubecertagent/legacypodcleaner.go +++ b/internal/controller/kubecertagent/legacypodcleaner.go @@ -1,4 +1,4 @@ -// Copyright 2021 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package kubecertagent @@ -7,7 +7,7 @@ import ( "fmt" "github.com/go-logr/logr" - k8serrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" corev1informers "k8s.io/client-go/informers/core/v1" @@ -44,7 +44,7 @@ func NewLegacyPodCleanerController( // avoid blind writes to the API agentPod, err := podClient.Get(ctx.Context, ctx.Key.Name, metav1.GetOptions{}) if err != nil { - if k8serrors.IsNotFound(err) { + if apierrors.IsNotFound(err) { return nil } return fmt.Errorf("could not get legacy agent pod: %w", err) 
@@ -56,7 +56,7 @@ func NewLegacyPodCleanerController( ResourceVersion: &agentPod.ResourceVersion, }, }); err != nil { - if k8serrors.IsNotFound(err) { + if apierrors.IsNotFound(err) { return nil } return fmt.Errorf("could not delete legacy agent pod: %w", err) diff --git a/internal/controller/kubecertagent/legacypodcleaner_test.go b/internal/controller/kubecertagent/legacypodcleaner_test.go index 843c2398e..3aacf6d96 100644 --- a/internal/controller/kubecertagent/legacypodcleaner_test.go +++ b/internal/controller/kubecertagent/legacypodcleaner_test.go @@ -11,7 +11,7 @@ import ( "github.com/stretchr/testify/assert" corev1 "k8s.io/api/core/v1" - k8serrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/client-go/informers" @@ -111,7 +111,7 @@ func TestLegacyPodCleanerController(t *testing.T) { }, addKubeReactions: func(clientset *kubefake.Clientset) { clientset.PrependReactor("delete", "*", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) { - return true, nil, k8serrors.NewNotFound(action.GetResource().GroupResource(), "") + return true, nil, apierrors.NewNotFound(action.GetResource().GroupResource(), "") }) }, wantDistinctErrors: []string{""}, @@ -129,7 +129,7 @@ func TestLegacyPodCleanerController(t *testing.T) { }, addKubeReactions: func(clientset *kubefake.Clientset) { clientset.PrependReactor("get", "*", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) { - return true, nil, k8serrors.NewNotFound(action.GetResource().GroupResource(), "") + return true, nil, apierrors.NewNotFound(action.GetResource().GroupResource(), "") }) }, wantDistinctErrors: []string{""}, diff --git a/internal/controller/kubecertagent/pod_command_executor_test.go b/internal/controller/kubecertagent/pod_command_executor_test.go index 938fa16b4..d5e30d3c1 100644 
--- a/internal/controller/kubecertagent/pod_command_executor_test.go +++ b/internal/controller/kubecertagent/pod_command_executor_test.go @@ -9,7 +9,7 @@ import ( "testing" "github.com/stretchr/testify/require" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/client-go/rest" "go.pinniped.dev/internal/crypto/ptls" @@ -38,7 +38,7 @@ func TestSecureTLS(t *testing.T) { podCommandExecutor := NewPodCommandExecutor(client.JSONConfig, client.Kubernetes) got, err := podCommandExecutor.Exec(context.Background(), "podNamespace", "podName", "containerName", "command", "arg1", "arg2") - require.Equal(t, &errors.StatusError{}, err) + require.Equal(t, &apierrors.StatusError{}, err) require.Empty(t, got) require.True(t, sawRequest) diff --git a/internal/controller/supervisorconfig/federation_domain_watcher.go b/internal/controller/supervisorconfig/federation_domain_watcher.go index 9152d0f6b..643309bf4 100644 --- a/internal/controller/supervisorconfig/federation_domain_watcher.go +++ b/internal/controller/supervisorconfig/federation_domain_watcher.go @@ -13,11 +13,11 @@ import ( corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/equality" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/types" - errorsutil "k8s.io/apimachinery/pkg/util/errors" + utilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/utils/clock" @@ -185,7 +185,7 @@ func (c *federationDomainWatcherController) Sync(ctx controllerlib.Context) erro } } - return errorsutil.NewAggregate(errs) + return utilerrors.NewAggregate(errs) } func (c *federationDomainWatcherController) processAllFederationDomains( 
@@ -454,7 +454,7 @@ func (c *federationDomainWatcherController) findIDPsUIDByObjectRef(objectRef cor
 switch {
 case err == nil:
 idpResourceUID = foundIDP.GetUID()
- case errors.IsNotFound(err):
+ case apierrors.IsNotFound(err):
 return "", false, nil
 default:
 return "", false, err // unexpected error from the informer
diff --git a/internal/controller/supervisorconfig/generator/federation_domain_secrets.go b/internal/controller/supervisorconfig/generator/federation_domain_secrets.go
index 528721f42..4b511ca6c 100644
--- a/internal/controller/supervisorconfig/generator/federation_domain_secrets.go
+++ b/internal/controller/supervisorconfig/generator/federation_domain_secrets.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package generator
@@ -9,7 +9,7 @@ import (
 "reflect"
 corev1 "k8s.io/api/core/v1"
- k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 corev1informers "k8s.io/client-go/informers/core/v1"
 "k8s.io/client-go/kubernetes"
@@ -75,7 +75,7 @@ func NewFederationDomainSecretsController(
 func (c *federationDomainSecretsController) Sync(ctx controllerlib.Context) error {
 federationDomain, err := c.federationDomainInformer.Lister().FederationDomains(ctx.Key.Namespace).Get(ctx.Key.Name)
- notFound := k8serrors.IsNotFound(err)
+ notFound := apierrors.IsNotFound(err)
 if err != nil && !notFound {
 return fmt.Errorf(
 "failed to get %s/%s FederationDomain: %w",
@@ -149,7 +149,7 @@ func (c *federationDomainSecretsController) secretNeedsUpdate(
 ) (bool, *corev1.Secret, error) {
 // This FederationDomain says it has a secret associated with it. Let's try to get it from the cache.
 secret, err := c.secretInformer.Lister().Secrets(federationDomain.Namespace).Get(secretName)
- notFound := k8serrors.IsNotFound(err)
+ notFound := apierrors.IsNotFound(err)
 if err != nil && !notFound {
 return false, nil, fmt.Errorf("cannot get secret: %w", err)
 }
@@ -174,7 +174,7 @@ func (c *federationDomainSecretsController) createOrUpdateSecret(
 secretClient := c.kubeClient.CoreV1().Secrets((*newSecret).Namespace)
 return retry.RetryOnConflict(retry.DefaultRetry, func() error {
 oldSecret, err := secretClient.Get(ctx, (*newSecret).Name, metav1.GetOptions{})
- notFound := k8serrors.IsNotFound(err)
+ notFound := apierrors.IsNotFound(err)
 if err != nil && !notFound {
 return fmt.Errorf("failed to get secret %s/%s: %w", (*newSecret).Namespace, (*newSecret).Name, err)
 }
diff --git a/internal/controller/supervisorconfig/generator/federation_domain_secrets_test.go b/internal/controller/supervisorconfig/generator/federation_domain_secrets_test.go
index 18940f0e9..a72537af7 100644
--- a/internal/controller/supervisorconfig/generator/federation_domain_secrets_test.go
+++ b/internal/controller/supervisorconfig/generator/federation_domain_secrets_test.go
@@ -14,7 +14,7 @@ import (
 "github.com/stretchr/testify/require"
 "go.uber.org/mock/gomock"
 corev1 "k8s.io/api/core/v1"
- k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
@@ -553,7 +553,7 @@ func TestFederationDomainSecretsControllerSync(t *testing.T) {
 once := sync.Once{}
 c.PrependReactor("update", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) {
 var err error
- once.Do(func() { err = k8serrors.NewConflict(secretGVR.GroupResource(), namespace, errors.New("some error")) })
+ once.Do(func() { err = apierrors.NewConflict(secretGVR.GroupResource(), namespace, errors.New("some error")) })
 return true, nil, err
 })
 },
@@ -606,7 +606,7 @@ func TestFederationDomainSecretsControllerSync(t *testing.T) {
 once := sync.Once{}
 c.PrependReactor("update", "federationdomains", func(_ kubetesting.Action) (bool, runtime.Object, error) {
 var err error
- once.Do(func() { err = k8serrors.NewConflict(secretGVR.GroupResource(), namespace, errors.New("some error")) })
+ once.Do(func() { err = apierrors.NewConflict(secretGVR.GroupResource(), namespace, errors.New("some error")) })
 return true, nil, err
 })
 },
diff --git a/internal/controller/supervisorconfig/generator/supervisor_secrets.go b/internal/controller/supervisorconfig/generator/supervisor_secrets.go
index bd01a9c70..516e2cf72 100644
--- a/internal/controller/supervisorconfig/generator/supervisor_secrets.go
+++ b/internal/controller/supervisorconfig/generator/supervisor_secrets.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Package generator provides a supervisorSecretsController that can ensure existence of a generated secret.
@@ -11,7 +11,7 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
- k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 corev1informers "k8s.io/client-go/informers/core/v1"
 "k8s.io/client-go/kubernetes"
@@ -75,7 +75,7 @@ func NewSupervisorSecretsController( // Sync implements controllerlib.Syncer.Sync(). func (c *supervisorSecretsController) Sync(ctx controllerlib.Context) error { secret, err := c.secretInformer.Lister().Secrets(ctx.Key.Namespace).Get(ctx.Key.Name) - isNotFound := k8serrors.IsNotFound(err) + isNotFound := apierrors.IsNotFound(err) if !isNotFound && err != nil { return fmt.Errorf("failed to list secret %s/%s: %w", ctx.Key.Namespace, ctx.Key.Name, err) } @@ -115,7 +115,7 @@ func (c *supervisorSecretsController) updateSecret(ctx context.Context, newSecre secrets := c.kubeClient.CoreV1().Secrets((*newSecret).Namespace) return retry.RetryOnConflict(retry.DefaultBackoff, func() error { currentSecret, err := secrets.Get(ctx, secretName, metav1.GetOptions{}) - isNotFound := k8serrors.IsNotFound(err) + isNotFound := apierrors.IsNotFound(err) if !isNotFound && err != nil { return fmt.Errorf("failed to get secret: %w", err) } diff --git a/internal/controller/supervisorconfig/generator/supervisor_secrets_test.go b/internal/controller/supervisorconfig/generator/supervisor_secrets_test.go index 1ac1e9473..53273f918 100644 --- a/internal/controller/supervisorconfig/generator/supervisor_secrets_test.go +++ b/internal/controller/supervisorconfig/generator/supervisor_secrets_test.go @@ -12,7 +12,7 @@ import ( "github.com/stretchr/testify/require" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - k8serrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -306,7 +306,7 @@ func TestSupervisorSecretsControllerSync(t *testing.T) {
 client.PrependReactor("update", "secrets", func(action kubetesting.Action) (bool, runtime.Object, error) {
 var err error
 once.Do(func() {
- err = k8serrors.NewConflict(secretsGVR.GroupResource(), generatedSecretName, errors.New("some error"))
+ err = apierrors.NewConflict(secretsGVR.GroupResource(), generatedSecretName, errors.New("some error"))
 })
 return true, nil, err
 })
@@ -363,7 +363,7 @@ func TestSupervisorSecretsControllerSync(t *testing.T) {
 },
 apiClient: func(t *testing.T, client *kubernetesfake.Clientset) {
 client.PrependReactor("get", "secrets", func(action kubetesting.Action) (bool, runtime.Object, error) {
- return true, nil, k8serrors.NewNotFound(secretsGVR.GroupResource(), generatedSecretName)
+ return true, nil, apierrors.NewNotFound(secretsGVR.GroupResource(), generatedSecretName)
 })
 client.PrependReactor("create", "secrets", func(action kubetesting.Action) (bool, runtime.Object, error) {
 return true, nil, nil
@@ -382,7 +382,7 @@ func TestSupervisorSecretsControllerSync(t *testing.T) {
 },
 apiClient: func(t *testing.T, client *kubernetesfake.Clientset) {
 client.PrependReactor("get", "secrets", func(action kubetesting.Action) (bool, runtime.Object, error) {
- return true, nil, k8serrors.NewNotFound(secretsGVR.GroupResource(), generatedSecretName)
+ return true, nil, apierrors.NewNotFound(secretsGVR.GroupResource(), generatedSecretName)
 })
 client.PrependReactor("create", "secrets", func(action kubetesting.Action) (bool, runtime.Object, error) {
 return true, nil, errors.New("some create error")
diff --git a/internal/controller/supervisorconfig/jwks_writer.go b/internal/controller/supervisorconfig/jwks_writer.go
index 965f586d3..a5918972d 100644
--- a/internal/controller/supervisorconfig/jwks_writer.go
+++ b/internal/controller/supervisorconfig/jwks_writer.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package supervisorconfig
@@ -14,7 +14,7 @@ import (
 "github.com/go-jose/go-jose/v3"
 corev1 "k8s.io/api/core/v1"
- k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
 corev1informers "k8s.io/client-go/informers/core/v1"
@@ -110,7 +110,7 @@ func NewJWKSWriterController(
 // Sync implements controllerlib.Syncer.
 func (c *jwksWriterController) Sync(ctx controllerlib.Context) error {
 federationDomain, err := c.federationDomainInformer.Lister().FederationDomains(ctx.Key.Namespace).Get(ctx.Key.Name)
- notFound := k8serrors.IsNotFound(err)
+ notFound := apierrors.IsNotFound(err)
 if err != nil && !notFound {
 return fmt.Errorf(
 "failed to get %s/%s FederationDomain: %w",
@@ -176,7 +176,7 @@ func (c *jwksWriterController) secretNeedsUpdate(federationDomain *configv1alpha
 // This FederationDomain says it has a secret associated with it. Let's try to get it from the cache.
 secret, err := c.secretInformer.Lister().Secrets(federationDomain.Namespace).Get(federationDomain.Status.Secrets.JWKS.Name)
- notFound := k8serrors.IsNotFound(err)
+ notFound := apierrors.IsNotFound(err)
 if err != nil && !notFound {
 return false, fmt.Errorf("cannot get secret: %w", err)
 }
@@ -254,7 +254,7 @@ func (c *jwksWriterController) createOrUpdateSecret(
 secretClient := c.kubeClient.CoreV1().Secrets(newSecret.Namespace)
 return retry.RetryOnConflict(retry.DefaultRetry, func() error {
 oldSecret, err := secretClient.Get(ctx, newSecret.Name, metav1.GetOptions{})
- notFound := k8serrors.IsNotFound(err)
+ notFound := apierrors.IsNotFound(err)
 if err != nil && !notFound {
 return fmt.Errorf("cannot get secret: %w", err)
 }
diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
index 9445fc343..dbea00ec8 100644
--- a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
+++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package oidcclientwatcher
@@ -9,7 +9,7 @@ import (
 "strings"
 "k8s.io/apimachinery/pkg/api/equality"
- k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
 corev1informers "k8s.io/client-go/informers/core/v1"
@@ -94,7 +94,7 @@ func (c *oidcClientWatcherController) Sync(ctx controllerlib.Context) error {
 secret, err := c.secretInformer.Lister().Secrets(oidcClient.Namespace).Get(correspondingSecretName)
 if err != nil {
- if !k8serrors.IsNotFound(err) {
+ if !apierrors.IsNotFound(err) {
 // Anything other than a NotFound error is unexpected when reading from an informer.
 return fmt.Errorf("failed to get %s/%s secret: %w", oidcClient.Namespace, correspondingSecretName, err)
 }
diff --git a/internal/controller/supervisorconfig/tls_cert_observer.go b/internal/controller/supervisorconfig/tls_cert_observer.go
index 97c0b0c8e..49659e9f0 100644
--- a/internal/controller/supervisorconfig/tls_cert_observer.go
+++ b/internal/controller/supervisorconfig/tls_cert_observer.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package supervisorconfig
@@ -10,7 +10,7 @@ import (
 "strings"
 corev1 "k8s.io/api/core/v1"
- k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/labels"
 corev1informers "k8s.io/client-go/informers/core/v1"
@@ -112,7 +112,7 @@ func (c *tlsCertObserverController) Sync(ctx controllerlib.Context) error {
 if err != nil {
 c.issuerTLSCertSetter.SetDefaultTLSCert(nil)
 // It's okay if the default TLS cert Secret is not found (it is not required).
- if !k8serrors.IsNotFound(err) {
+ if !apierrors.IsNotFound(err) {
 // For any other error, log a message which is visible at the default log level.
 plog.Error("error loading TLS certificate from Secret for Supervisor default TLS cert", err,
 "defaultCertSecretName", c.defaultTLSCertificateSecretName,
diff --git a/internal/federationdomain/clientregistry/clientregistry.go b/internal/federationdomain/clientregistry/clientregistry.go
index d46809bb3..0345fb323 100644
--- a/internal/federationdomain/clientregistry/clientregistry.go
+++ b/internal/federationdomain/clientregistry/clientregistry.go
@@ -12,7 +12,7 @@ import (
 coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 "github.com/ory/fosite"
- "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
@@ -95,7 +95,7 @@ func (m *ClientManager) GetClient(ctx context.Context, id string) (fosite.Client
 // Try to look up an OIDCClient with the given client ID (which will be the Name of the OIDCClient).
 oidcClient, err := m.oidcClientsClient.Get(ctx, id, metav1.GetOptions{})
- if errors.IsNotFound(err) {
+ if apierrors.IsNotFound(err) {
 return nil, fosite.ErrNotFound.WithDescription("no such client")
 }
 if err != nil {
diff --git a/internal/fositestorage/accesstoken/accesstoken.go b/internal/fositestorage/accesstoken/accesstoken.go
index c67b9cab7..b95e47c09 100644
--- a/internal/fositestorage/accesstoken/accesstoken.go
+++ b/internal/fositestorage/accesstoken/accesstoken.go
@@ -11,7 +11,7 @@ import (
 "github.com/ory/fosite"
 "github.com/ory/fosite/handler/oauth2"
 corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 "go.pinniped.dev/internal/constable"
@@ -114,7 +114,7 @@ func (a *accessTokenStorage) getSession(ctx context.Context, signature string) (
 session := newValidEmptyAccessTokenSession()
 rv, err := a.storage.Get(ctx, signature, session)
- if errors.IsNotFound(err) {
+ if apierrors.IsNotFound(err) {
 return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 }
diff --git a/internal/fositestorage/authorizationcode/authorizationcode.go b/internal/fositestorage/authorizationcode/authorizationcode.go
index f1187ec83..5b19a217e 100644
--- a/internal/fositestorage/authorizationcode/authorizationcode.go
+++ b/internal/fositestorage/authorizationcode/authorizationcode.go
@@ -12,7 +12,7 @@ import (
 "github.com/ory/fosite"
 "github.com/ory/fosite/handler/oauth2"
 corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 "go.pinniped.dev/internal/constable"
@@ -130,7 +130,7 @@ func (a *authorizeCodeStorage) InvalidateAuthorizeCodeSession(ctx context.Contex
 session.Active = false
 if _, err := a.storage.Update(ctx, signature, rv, session); err != nil {
- if errors.IsConflict(err) {
+ if apierrors.IsConflict(err) {
 return &errSerializationFailureWithCause{cause: err}
 }
 return err
@@ -143,7 +143,7 @@ func (a *authorizeCodeStorage) getSession(ctx context.Context, signature string)
 session := NewValidEmptyAuthorizeCodeSession()
 rv, err := a.storage.Get(ctx, signature, session)
- if errors.IsNotFound(err) {
+ if apierrors.IsNotFound(err) {
 return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 }
diff --git a/internal/fositestorage/openidconnect/openidconnect.go b/internal/fositestorage/openidconnect/openidconnect.go
index a04bea4c3..c5c7a4a2d 100644
--- a/internal/fositestorage/openidconnect/openidconnect.go
+++ b/internal/fositestorage/openidconnect/openidconnect.go
@@ -11,7 +11,7 @@ import (
 "github.com/ory/fosite"
 "github.com/ory/fosite/handler/openid"
- "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 "go.pinniped.dev/internal/constable"
@@ -104,7 +104,7 @@ func (a *openIDConnectRequestStorage) getSession(ctx context.Context, signature
 session := newValidEmptyOIDCSession()
 rv, err := a.storage.Get(ctx, signature, session)
- if errors.IsNotFound(err) {
+ if apierrors.IsNotFound(err) {
 return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 }
diff --git a/internal/fositestorage/pkce/pkce.go b/internal/fositestorage/pkce/pkce.go
index b0d371b6a..dda38208d 100644
--- a/internal/fositestorage/pkce/pkce.go
+++ b/internal/fositestorage/pkce/pkce.go
@@ -10,7 +10,7 @@ import (
 "github.com/ory/fosite"
 "github.com/ory/fosite/handler/pkce"
- "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 "go.pinniped.dev/internal/constable"
@@ -87,7 +87,7 @@ func (a *pkceStorage) getSession(ctx context.Context, signature string) (*sessio
 session := newValidEmptyPKCESession()
 rv, err := a.storage.Get(ctx, signature, session)
- if errors.IsNotFound(err) {
+ if apierrors.IsNotFound(err) {
 return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 }
diff --git a/internal/fositestorage/refreshtoken/refreshtoken.go b/internal/fositestorage/refreshtoken/refreshtoken.go
index efc96071b..13389afc0 100644
--- a/internal/fositestorage/refreshtoken/refreshtoken.go
+++ b/internal/fositestorage/refreshtoken/refreshtoken.go
@@ -11,7 +11,7 @@ import (
 "github.com/ory/fosite"
 "github.com/ory/fosite/handler/oauth2"
 corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 "go.pinniped.dev/internal/constable"
@@ -120,7 +120,7 @@ func (a *refreshTokenStorage) getSession(ctx context.Context, signature string)
 session := newValidEmptyRefreshTokenSession()
 rv, err := a.storage.Get(ctx, signature, session)
- if errors.IsNotFound(err) {
+ if apierrors.IsNotFound(err) {
 return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
 }
diff --git a/internal/groupsuffix/groupsuffix.go b/internal/groupsuffix/groupsuffix.go
index b2d3ccdd5..61a9c168c 100644
--- a/internal/groupsuffix/groupsuffix.go
+++ b/internal/groupsuffix/groupsuffix.go
@@ -10,7 +10,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
- "k8s.io/apimachinery/pkg/util/errors"
+ utilerrors "k8s.io/apimachinery/pkg/util/errors"
 "k8s.io/apimachinery/pkg/util/validation"
 loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
@@ -189,5 +189,5 @@ func Validate(apiGroupSuffix string) error {
 errs = append(errs, constable.Error(errorString))
 }
- return errors.NewAggregate(errs)
+ return utilerrors.NewAggregate(errs)
 }
diff --git a/internal/kubeclient/middleware.go b/internal/kubeclient/middleware.go
index 4c5aa3226..eee9557e6 100644
--- a/internal/kubeclient/middleware.go
+++ b/internal/kubeclient/middleware.go
@@ -12,7 +12,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
- "k8s.io/apimachinery/pkg/util/errors"
+ utilerrors "k8s.io/apimachinery/pkg/util/errors"
 )
 type Middleware interface {
@@ -119,7 +119,7 @@ func (r *request) mutateRequest(obj Object) (*mutationResult, error) {
 errs = append(errs, err)
 }
 }
- if err := errors.NewAggregate(errs); err != nil {
+ if err := utilerrors.NewAggregate(errs); err != nil {
 return nil, fmt.Errorf("request mutation failed: %w", err)
 }
@@ -148,7 +148,7 @@ func (r *request) mutateResponse(obj Object) (bool, error) {
 errs = append(errs, err)
 }
 }
- if err := errors.NewAggregate(errs); err != nil {
+ if err := utilerrors.NewAggregate(errs); err != nil {
 return false, fmt.Errorf("response mutation failed: %w", err)
 }
diff --git a/internal/localuserauthenticator/localuserauthenticator.go b/internal/localuserauthenticator/localuserauthenticator.go
index d50688d66..33ee42b25 100644
--- a/internal/localuserauthenticator/localuserauthenticator.go
+++ b/internal/localuserauthenticator/localuserauthenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Package localuserauthenticator provides a authentication webhook program.
@@ -27,7 +27,7 @@ import (
 "golang.org/x/crypto/bcrypt"
 authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
- k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 k8sinformers "k8s.io/client-go/informers"
 corev1informers "k8s.io/client-go/informers/core/v1"
@@ -114,7 +114,7 @@ func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
 defer func() { _ = req.Body.Close() }()
 secret, err := w.secretInformer.Lister().Secrets(namespace).Get(username)
- notFound := k8serrors.IsNotFound(err)
+ notFound := apierrors.IsNotFound(err)
 if err != nil && !notFound {
 plog.Debug("could not get secret", "err", err)
 rsp.WriteHeader(http.StatusInternalServerError)
diff --git a/internal/oidcclientsecretstorage/oidcclientsecretstorage.go b/internal/oidcclientsecretstorage/oidcclientsecretstorage.go
index 1cdba6549..d44d184d9 100644
--- a/internal/oidcclientsecretstorage/oidcclientsecretstorage.go
+++ b/internal/oidcclientsecretstorage/oidcclientsecretstorage.go
@@ -9,7 +9,7 @@ import (
 "fmt"
 corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -56,7 +56,7 @@ func New(secrets corev1client.SecretInterface) *OIDCClientSecretStorage {
 func (s *OIDCClientSecretStorage) Get(ctx context.Context, oidcClientUID types.UID) (string, []string, error) {
 clientSecret := &storedClientSecret{}
 rv, err := s.storage.Get(ctx, uidToName(oidcClientUID), clientSecret)
- if errors.IsNotFound(err) {
+ if apierrors.IsNotFound(err) {
 return "", nil, nil
 }
 if err != nil {
@@ -107,7 +107,7 @@ func (s *OIDCClientSecretStorage) Set(ctx context.Context, resourceVersion, oidc
 // Returns nil,nil when the corev1.Secret was not found, as this is not an error for a client to not have any secrets yet.
 func (s *OIDCClientSecretStorage) GetStorageSecret(ctx context.Context, oidcClientUID types.UID) (*corev1.Secret, error) {
 secret, err := s.secrets.Get(ctx, s.GetName(oidcClientUID), metav1.GetOptions{})
- if errors.IsNotFound(err) {
+ if apierrors.IsNotFound(err) {
 return nil, nil
 }
 if err != nil {
diff --git a/internal/supervisor/apiserver/apiserver.go b/internal/supervisor/apiserver/apiserver.go
index 703e61fb4..31f299a57 100644
--- a/internal/supervisor/apiserver/apiserver.go
+++ b/internal/supervisor/apiserver/apiserver.go
@@ -13,7 +13,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
- "k8s.io/apimachinery/pkg/util/errors"
+ utilerrors "k8s.io/apimachinery/pkg/util/errors"
 "k8s.io/apiserver/pkg/registry/rest"
 genericapiserver "k8s.io/apiserver/pkg/server"
 corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -109,7 +109,7 @@ func (c completedConfig) New() (*PinnipedServer, error) {
 ),
 )
 }
- if err := errors.NewAggregate(errs); err != nil {
+ if err := utilerrors.NewAggregate(errs); err != nil {
 return nil, fmt.Errorf("could not install API groups: %w", err)
 }
diff --git a/internal/testutil/fakekubeapi/fakekubeapi.go b/internal/testutil/fakekubeapi/fakekubeapi.go
index 0fb176b34..fc6b6d4c1 100644
--- a/internal/testutil/fakekubeapi/fakekubeapi.go
+++ b/internal/testutil/fakekubeapi/fakekubeapi.go
@@ -32,7 +32,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/util/errors"
+ utilerrors "k8s.io/apimachinery/pkg/util/errors"
 kubescheme "k8s.io/client-go/kubernetes/scheme"
 restclient "k8s.io/client-go/rest"
 aggregatorclientscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
@@ -127,7 +127,7 @@ func decodeObj(r *http.Request) (runtime.Object, error) {
 }
 errs = append(errs, err)
 }
- return nil, errors.NewAggregate(errs)
+ return nil, utilerrors.NewAggregate(errs)
 }
 func tryDecodeObj(
diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go
index 9292f487c..cf3b84191 100644
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -13,7 +13,7 @@ import (
 "github.com/go-jose/go-jose/v3/jwt"
 "github.com/stretchr/testify/require"
 corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/utils/ptr"
@@ -176,7 +176,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken_Parallel(t *
 )
 require.Error(t, err)
- statusError, isStatus := err.(*errors.StatusError)
+ statusError, isStatus := err.(*apierrors.StatusError)
 require.True(t, isStatus, testlib.Sdump(err))
 require.Equal(t, 1, len(statusError.ErrStatus.Details.Causes))
diff --git a/test/integration/concierge_impersonation_proxy_test.go b/test/integration/concierge_impersonation_proxy_test.go
index 28ed71704..8713769af 100644
--- a/test/integration/concierge_impersonation_proxy_test.go
+++ b/test/integration/concierge_impersonation_proxy_test.go
@@ -39,7 +39,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 "k8s.io/apimachinery/pkg/api/equality"
- k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructuredscheme"
@@ -537,7 +537,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 // Make sure that the deleted ConfigMap shows up in the informer's cache.
 testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 _, err := informer.Lister().ConfigMaps(namespaceName).Get("configmap-3")
- requireEventually.Truef(k8serrors.IsNotFound(err), "expected a NotFound error from get, got %v", err)
+ requireEventually.Truef(apierrors.IsNotFound(err), "expected a NotFound error from get, got %v", err)
 list, err := informer.Lister().ConfigMaps(namespaceName).List(configMapLabels.AsSelector())
 requireEventually.NoError(err)
@@ -579,7 +579,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 // request similar to the one above, except that it will also have an impersonation header.
 _, err = nestedImpersonationClient.Kubernetes.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, impersonationProxyTLSSecretName(env), metav1.GetOptions{})
 // this user is not allowed to impersonate other users
- require.True(t, k8serrors.IsForbidden(err), err)
+ require.True(t, apierrors.IsForbidden(err), err)
 require.EqualError(t, err, fmt.Sprintf(
 `users "other-user-to-impersonate" is forbidden: `+
 `User "%s" cannot impersonate resource "users" in API group "" at the cluster scope: `+
@@ -628,7 +628,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 refreshCredential).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
 Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 // this user should not be able to impersonate extra
- require.True(t, k8serrors.IsForbidden(err), err)
+ require.True(t, apierrors.IsForbidden(err), err)
 require.EqualError(t, err, fmt.Sprintf(
 `userextras.authentication.k8s.io "with a dangerous value" is forbidden: `+
 `User "%s" cannot impersonate resource "userextras/some-fancy-key" in API group "authentication.k8s.io" at the cluster scope: `+
@@ -688,7 +688,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 _, err = nestedImpersonationClient.Kubernetes.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, impersonationProxyTLSSecretName(env), metav1.GetOptions{})
 // the impersonated user lacks the RBAC to perform this call
- require.True(t, k8serrors.IsForbidden(err), err)
+ require.True(t, apierrors.IsForbidden(err), err)
 require.EqualError(t, err, fmt.Sprintf(
 `secrets "%s" is forbidden: User "other-user-to-impersonate" cannot get resource "secrets" in API group "" in the namespace "%s": `+
 `decision made by impersonation-proxy.concierge.pinniped.dev`,
@@ -731,8 +731,8 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 _, err := nestedImpersonationClient.Kubernetes.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, impersonationProxyTLSSecretName(env), metav1.GetOptions{})
 require.EqualError(t, err, "Internal error occurred: unimplemented functionality - unable to act as current user")
- require.True(t, k8serrors.IsInternalError(err), err)
- require.Equal(t, &k8serrors.StatusError{
+ require.True(t, apierrors.IsInternalError(err), err)
+ require.Equal(t, &apierrors.StatusError{
 ErrStatus: metav1.Status{
 Status: metav1.StatusFailure,
 Code: http.StatusInternalServerError,
@@ -768,8 +768,8 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 msg := `Internal Server Error: "/api/v1/namespaces/foo/secrets/bar": requested [{UID some-awesome-uid authentication.k8s.io/v1 }] without impersonating a user`
 full := fmt.Sprintf(`an error on the server (%q) has prevented the request from succeeding (get secrets bar)`, msg)
 require.EqualError(t, errUID, full)
- require.True(t, k8serrors.IsInternalError(errUID), errUID)
- require.Equal(t, &k8serrors.StatusError{
+ require.True(t, apierrors.IsInternalError(errUID), errUID)
+ require.Equal(t, &apierrors.StatusError{
 ErrStatus: metav1.Status{
 Status: metav1.StatusFailure,
 Code: http.StatusInternalServerError,
@@ -804,8 +804,8 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 _, err := testlib.NewKubeclient(t, nestedImpersonationUID).Kubernetes.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, impersonationProxyTLSSecretName(env), metav1.GetOptions{})
 require.EqualError(t, err, "Internal error occurred: unimplemented functionality - unable to act as current user")
- require.True(t, k8serrors.IsInternalError(err), err)
- require.Equal(t, &k8serrors.StatusError{
+ require.True(t, apierrors.IsInternalError(err), err)
+ require.Equal(t, &apierrors.StatusError{
 ErrStatus: metav1.Status{
 Status: metav1.StatusFailure,
 Code: http.StatusInternalServerError,
@@ -833,7 +833,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 _, err := nestedImpersonationClient.IdentityV1alpha1().WhoAmIRequests().
 Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
 // this SA is not yet allowed to impersonate SAs
- require.True(t, k8serrors.IsForbidden(err), err)
+ require.True(t, apierrors.IsForbidden(err), err)
 require.EqualError(t, err, fmt.Sprintf(
 `serviceaccounts "root-ca-cert-publisher" is forbidden: `+
 `User "%s" cannot impersonate resource "serviceaccounts" in API group "" in the namespace "kube-system": `+
@@ -910,7 +910,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 whoAmI,
 )
 } else {
- require.True(t, k8serrors.IsUnauthorized(err), testlib.Sdump(err))
+ require.True(t, apierrors.IsUnauthorized(err), testlib.Sdump(err))
 }
 // Test using a service account token.
@@ -941,7 +941,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 expectedGroups := []string{"system:serviceaccounts", "system:serviceaccounts:" + namespaceName, "system:authenticated"}
 _, tokenRequestProbeErr := kubeClient.ServiceAccounts(namespaceName).CreateToken(ctx, saName, &authenticationv1.TokenRequest{}, metav1.CreateOptions{})
- if k8serrors.IsNotFound(tokenRequestProbeErr) && tokenRequestProbeErr.Error() == "the server could not find the requested resource" {
+ if apierrors.IsNotFound(tokenRequestProbeErr) && tokenRequestProbeErr.Error() == "the server could not find the requested resource" {
 return // stop test early since the token request API is not enabled on this cluster - other errors are caught below
 }
@@ -979,7 +979,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 _, badAudErr := impersonationProxySABadAudPinnipedConciergeClient.IdentityV1alpha1().WhoAmIRequests().
 Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
- require.True(t, k8serrors.IsUnauthorized(badAudErr), testlib.Sdump(badAudErr))
+ require.True(t, apierrors.IsUnauthorized(badAudErr), testlib.Sdump(badAudErr))
 tokenRequest, err := kubeClient.ServiceAccounts(namespaceName).CreateToken(ctx, saName, &authenticationv1.TokenRequest{
 Spec: authenticationv1.TokenRequestSpec{
@@ -1385,7 +1385,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 Authenticator: corev1.TypedLocalObjectReference{APIGroup: ptr.To("anything.pinniped.dev")},
 },
 }, metav1.CreateOptions{})
- require.True(t, k8serrors.IsInvalid(err), testlib.Sdump(err))
+ require.True(t, apierrors.IsInvalid(err), testlib.Sdump(err))
 require.Equal(t, `.login.concierge.pinniped.dev "" is invalid: spec.token.value: Required value: token must be supplied`, err.Error())
 require.Equal(t, &loginv1alpha1.TokenCredentialRequest{}, tkr)
 })
@@ -1409,7 +1409,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 require.Equal(t, "ok", string(healthz))
 healthzLog, errHealthzLog := impersonationProxyAdminRestClientAsAnonymous.Get().AbsPath("/healthz/log").DoRaw(ctx)
- require.True(t, k8serrors.IsForbidden(errHealthzLog), "%s\n%s", testlib.Sdump(errHealthzLog), string(healthzLog))
+ require.True(t, apierrors.IsForbidden(errHealthzLog), "%s\n%s", testlib.Sdump(errHealthzLog), string(healthzLog))
 require.Equal(t, `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/healthz/log\": decision made by impersonation-proxy.concierge.pinniped.dev","reason":"Forbidden","details":{},"code":403}`+"\n", string(healthzLog))
 })
 })
@@ -1440,7 +1440,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 pod, err := impersonationProxyAnonymousClient.Kubernetes.CoreV1().Pods(metav1.NamespaceSystem).
 Get(ctx, "does-not-matter", metav1.GetOptions{})
- require.True(t, k8serrors.IsForbidden(err), testlib.Sdump(err))
+ require.True(t, apierrors.IsForbidden(err), testlib.Sdump(err))
 require.EqualError(t, err, `pods "does-not-matter" is forbidden: User "system:anonymous" cannot get resource "pods" in API group "" in the namespace "kube-system": `+
 `decision made by impersonation-proxy.concierge.pinniped.dev`, testlib.Sdump(err))
 require.Equal(t, &corev1.Pod{}, pod)
@@ -1479,7 +1479,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 parallelIfNotEKS(t)
 healthz, err := impersonationProxyAnonymousRestClient.Get().AbsPath("/healthz").DoRaw(ctx)
- require.True(t, k8serrors.IsUnauthorized(err), testlib.Sdump(err))
+ require.True(t, apierrors.IsUnauthorized(err), testlib.Sdump(err))
 require.Equal(t, `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}`+"\n", string(healthz))
 })
@@ -1492,7 +1492,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 pod, err := impersonationProxyAnonymousClient.Kubernetes.CoreV1().Pods(metav1.NamespaceSystem).
 Get(ctx, "does-not-matter", metav1.GetOptions{})
- require.True(t, k8serrors.IsUnauthorized(err), testlib.Sdump(err))
+ require.True(t, apierrors.IsUnauthorized(err), testlib.Sdump(err))
 require.Equal(t, &corev1.Pod{}, pod)
 })
@@ -1505,7 +1505,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 whoAmI, err := impersonationProxyAnonymousClient.PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
 Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
- require.True(t, k8serrors.IsUnauthorized(err), testlib.Sdump(err))
+ require.True(t, apierrors.IsUnauthorized(err), testlib.Sdump(err))
 require.Equal(t, &identityv1alpha1.WhoAmIRequest{}, whoAmI)
 })
 })
@@ -1537,7 +1537,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 // sanity check default expected error message
 _, err := impersonationProxySSRRClient.Create(ctx, invalidSSRR, metav1.CreateOptions{})
- require.True(t, k8serrors.IsBadRequest(err), testlib.Sdump(err))
+ require.True(t, apierrors.IsBadRequest(err), testlib.Sdump(err))
 require.EqualError(t, err, "no namespace on request")
 // remove the impersonation proxy SA's permissions
@@ -1581,11 +1581,11 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 case errCreate == nil:
 return false, fmt.Errorf("unexpected nil error for test user create invalid SSRR")
- case k8serrors.IsBadRequest(errCreate) && errCreate.Error() == "no namespace on request":
+ case apierrors.IsBadRequest(errCreate) && errCreate.Error() == "no namespace on request":
 t.Log("waiting for impersonation proxy service account to lose impersonate permissions")
 return false, nil // RBAC change has not rolled out yet
- case k8serrors.IsForbidden(errCreate) && errCreate.Error() ==
+ case apierrors.IsForbidden(errCreate) && errCreate.Error() ==
 `users "`+env.TestUser.ExpectedUsername+`" is forbidden: User "`+saFullName+
 `" cannot impersonate resource "users" in API group "" at the cluster scope`:
 return true, nil // expected RBAC error
@@ -1968,7 +1968,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 // when we disable the impersonator.
 testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 _, err := adminClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, impersonationProxyTLSSecretName(env), metav1.GetOptions{})
- requireEventually.Truef(k8serrors.IsNotFound(err), "expected NotFound error, got %v", err)
+ requireEventually.Truef(apierrors.IsNotFound(err), "expected NotFound error, got %v", err)
 }, 2*time.Minute, time.Second)
 // Check that the generated CA cert Secret was not deleted by the controller because it's supposed to keep this
@@ -2301,7 +2301,7 @@ func updateCredentialIssuer(ctx context.Context, t *testing.T, env *testlib.Test func hasImpersonationProxyLoadBalancerService(ctx context.Context, env *testlib.TestEnv, client kubernetes.Interface) (bool, error) { service, err := client.CoreV1().Services(env.ConciergeNamespace).Get(ctx, impersonationProxyLoadBalancerName(env), metav1.GetOptions{}) - if k8serrors.IsNotFound(err) { + if apierrors.IsNotFound(err) { return false, nil } if err != nil { diff --git a/test/integration/concierge_jwtauthenticator_status_test.go b/test/integration/concierge_jwtauthenticator_status_test.go index 24927f67f..dca246aff 100644 --- a/test/integration/concierge_jwtauthenticator_status_test.go +++ b/test/integration/concierge_jwtauthenticator_status_test.go @@ -11,7 +11,7 @@ import ( "time" "github.com/stretchr/testify/require" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" @@ -339,7 +339,7 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) { t.Cleanup(func() { // delete if it exists delErr := jwtAuthenticatorClient.Delete(ctx, tt.jwtAuthenticator.Name, metav1.DeleteOptions{}) - if !errors.IsNotFound(delErr) { + if !apierrors.IsNotFound(delErr) { require.NoError(t, delErr) } }) diff --git a/test/integration/concierge_kubecertagent_test.go b/test/integration/concierge_kubecertagent_test.go index 5afc51baa..b306da99f 100644 --- a/test/integration/concierge_kubecertagent_test.go +++ b/test/integration/concierge_kubecertagent_test.go @@ -1,4 +1,4 @@ -// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package integration 
@@ -11,7 +11,7 @@ import (
 "github.com/stretchr/testify/require"
 corev1 "k8s.io/api/core/v1"
- k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/utils/ptr"
@@ -133,7 +133,7 @@ func TestLegacyPodCleaner_Parallel(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
 defer cancel()
 err := kubeClient.CoreV1().Pods(pod.Namespace).Delete(ctx, pod.Name, metav1.DeleteOptions{GracePeriodSeconds: ptr.To[int64](0)})
- if !k8serrors.IsNotFound(err) {
+ if !apierrors.IsNotFound(err) {
 require.NoError(t, err, "failed to clean up fake legacy agent pod")
 }
 })
@@ -141,7 +141,7 @@ func TestLegacyPodCleaner_Parallel(t *testing.T) {
 // Expect the legacy-pod-cleaner controller to delete the pod.
 testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
 _, err := kubeClient.CoreV1().Pods(pod.Namespace).Get(ctx, pod.Name, metav1.GetOptions{})
- if k8serrors.IsNotFound(err) {
+ if apierrors.IsNotFound(err) {
 t.Logf("fake legacy agent pod %s/%s was deleted as expected", pod.Namespace, pod.Name)
 return true, nil
 }
diff --git a/test/integration/concierge_webhookauthenticator_status_test.go b/test/integration/concierge_webhookauthenticator_status_test.go
index 68b019b17..6b1e1f937 100644
--- a/test/integration/concierge_webhookauthenticator_status_test.go
+++ b/test/integration/concierge_webhookauthenticator_status_test.go
@@ -9,7 +9,7 @@ import (
 "time"
 "github.com/stretchr/testify/require"
- "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
@@ -250,7 +250,7 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) { t.Cleanup(func() { // delete if it exists delErr := webhookAuthenticatorClient.Delete(ctx, tt.webhookAuthenticator.Name, metav1.DeleteOptions{}) - if !errors.IsNotFound(delErr) { + if !apierrors.IsNotFound(delErr) { require.NoError(t, delErr) } }) diff --git a/test/integration/concierge_whoami_test.go b/test/integration/concierge_whoami_test.go index 2b2aab212..3993a7984 100644 --- a/test/integration/concierge_whoami_test.go +++ b/test/integration/concierge_whoami_test.go @@ -18,7 +18,7 @@ import ( certificatesv1 "k8s.io/api/certificates/v1" certificatesv1beta1 "k8s.io/api/certificates/v1beta1" corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/rest" "k8s.io/client-go/util/cert" @@ -173,7 +173,7 @@ func TestWhoAmI_ServiceAccount_TokenRequest_Parallel(t *testing.T) { require.NoError(t, err) _, tokenRequestProbeErr := coreV1client.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{}, metav1.CreateOptions{}) - if errors.IsNotFound(tokenRequestProbeErr) && tokenRequestProbeErr.Error() == "the server could not find the requested resource" { + if apierrors.IsNotFound(tokenRequestProbeErr) && tokenRequestProbeErr.Error() == "the server could not find the requested resource" { return // stop test early since the token request API is not enabled on this cluster - other errors are caught below } 
@@ -210,7 +210,7 @@ func TestWhoAmI_ServiceAccount_TokenRequest_Parallel(t *testing.T) {
 _, badAudErr := testlib.NewKubeclient(t, saBadAudConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
 Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
- require.True(t, errors.IsUnauthorized(badAudErr), testlib.Sdump(badAudErr))
+ require.True(t, apierrors.IsUnauthorized(badAudErr), testlib.Sdump(badAudErr))
 tokenRequest, err := coreV1client.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{
 Spec: authenticationv1.TokenRequestSpec{
diff --git a/test/integration/kubeclient_test.go b/test/integration/kubeclient_test.go
index 292b26852..a08fbed3f 100644
--- a/test/integration/kubeclient_test.go
+++ b/test/integration/kubeclient_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package integration
@@ -12,7 +12,7 @@ import (
 "github.com/stretchr/testify/require"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
@@ -98,7 +98,7 @@ func TestKubeClientOwnerRef(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 defer cancel()
 err := regularAggregationClient.ApiregistrationV1().APIServices().Delete(ctx, parentAPIService.Name, metav1.DeleteOptions{})
- if errors.IsNotFound(err) {
+ if apierrors.IsNotFound(err) {
 return
 }
 require.NoError(t, err)
@@ -310,7 +310,7 @@ func isEventuallyDeleted(t *testing.T, f func() error) {
 switch {
 case err == nil:
 return false, nil
- case errors.IsNotFound(err):
+ case apierrors.IsNotFound(err):
 return true, nil
 default:
 return false, err
diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go index e1ea9dec4..2d3d9ff5d 100644 --- a/test/integration/supervisor_discovery_test.go +++ b/test/integration/supervisor_discovery_test.go @@ -19,7 +19,7 @@ import ( "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" - k8serrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" "k8s.io/client-go/util/retry" @@ -376,7 +376,7 @@ func temporarilyRemoveAllFederationDomainsAndDefaultTLSCertSecret( // Also remove the supervisor's default TLS cert originalSecret, err := kubeClient.CoreV1().Secrets(ns).Get(ctx, defaultTLSCertSecretName, metav1.GetOptions{}) - notFound := k8serrors.IsNotFound(err) + notFound := apierrors.IsNotFound(err) require.False(t, err != nil && !notFound, "unexpected error when getting %s", defaultTLSCertSecretName) if notFound { originalSecret = nil diff --git a/test/integration/supervisor_federationdomain_status_test.go b/test/integration/supervisor_federationdomain_status_test.go index 82c213bc5..79bf8eae8 100644 --- a/test/integration/supervisor_federationdomain_status_test.go +++ b/test/integration/supervisor_federationdomain_status_test.go @@ -12,7 +12,7 @@ import ( "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" - k8serrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/util/retry" "k8s.io/utils/ptr" @@ -914,7 +914,7 @@ func TestSupervisorFederationDomainCRDValidations_Parallel(t *testing.T) { t.Cleanup(func() { // Delete it if it exists. delErr := fdClient.Delete(ctx, tt.fd.Name, metav1.DeleteOptions{}) - if !k8serrors.IsNotFound(delErr) { + if !apierrors.IsNotFound(delErr) { require.NoError(t, delErr) } }) 
diff --git a/test/integration/supervisor_oidc_client_test.go b/test/integration/supervisor_oidc_client_test.go index 0d0bc6ccb..29dffa227 100644 --- a/test/integration/supervisor_oidc_client_test.go +++ b/test/integration/supervisor_oidc_client_test.go @@ -13,7 +13,7 @@ import ( "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" @@ -393,7 +393,7 @@ func TestOIDCClientStaticValidation_Parallel(t *testing.T) { }, fixWant: func(t *testing.T, err error, want string) string { // sort the error causes and use that to rebuild a sorted error message - statusErr := &errors.StatusError{} + statusErr := &apierrors.StatusError{} require.ErrorAs(t, err, &statusErr) require.Len(t, statusErr.ErrStatus.Details.Causes, 4) out := make([]string, 0, len(statusErr.ErrStatus.Details.Causes)) diff --git a/test/integration/supervisor_oidcclientsecret_test.go b/test/integration/supervisor_oidcclientsecret_test.go index 1eb38b77f..4f517e34f 100644 --- a/test/integration/supervisor_oidcclientsecret_test.go +++ b/test/integration/supervisor_oidcclientsecret_test.go @@ -15,7 +15,7 @@ import ( "github.com/stretchr/testify/require" "golang.org/x/crypto/bcrypt" - k8serrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/yaml" 
@@ -916,7 +916,7 @@ func TestCreateOIDCClientSecretRequest_Parallel(t *testing.T) {
 _, err := kubeClient.CoreV1().Secrets(oidcClient.Namespace).
 Get(cleanupCtx, oidcclientsecretstorage.New(nil).GetName(oidcClient.UID), metav1.GetOptions{})
 requireEventually.Error(err, "deleting OIDCClient should result in deleting storage secrets")
- requireEventually.True(k8serrors.IsNotFound(err),
+ requireEventually.True(apierrors.IsNotFound(err),
 "deleting OIDCClient should result in deleting storage secrets")
 }, 2*time.Minute, 250*time.Millisecond)
 })
@@ -984,7 +984,7 @@ func TestCreateOIDCClientSecretRequest_Parallel(t *testing.T) {
 Get(ctx, oidcclientsecretstorage.New(nil).GetName(oidcClient.UID), metav1.GetOptions{})
 if !hasSecretBeenGenerated {
 require.Error(t, getStorageSecretError, "expected not found error")
- require.True(t, k8serrors.IsNotFound(getStorageSecretError), "expected not found error")
+ require.True(t, apierrors.IsNotFound(getStorageSecretError), "expected not found error")
 // no storage secret was created, so no reason to continue making assertions
 continue
 }
diff --git a/test/integration/supervisor_storage_garbage_collection_test.go b/test/integration/supervisor_storage_garbage_collection_test.go
index 6dd3efa66..c37013840 100644
--- a/test/integration/supervisor_storage_garbage_collection_test.go
+++ b/test/integration/supervisor_storage_garbage_collection_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package integration
@@ -11,7 +11,7 @@ import (
 "github.com/stretchr/testify/require"
 corev1 "k8s.io/api/core/v1"
- k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -54,12 +54,12 @@ func TestStorageGarbageCollection_Parallel(t *testing.T) { slightlyLongerThanGCControllerFullResyncPeriod := 3*time.Minute + 30*time.Second testlib.RequireEventually(t, func(requireEventually *require.Assertions) { _, err := secrets.Get(ctx, secretAlreadyExpired.Name, metav1.GetOptions{}) - requireEventually.Truef(k8serrors.IsNotFound(err), "wanted a NotFound error but got %v", err) + requireEventually.Truef(apierrors.IsNotFound(err), "wanted a NotFound error but got %v", err) }, slightlyLongerThanGCControllerFullResyncPeriod, 250*time.Millisecond) testlib.RequireEventually(t, func(requireEventually *require.Assertions) { _, err := secrets.Get(ctx, secretWhichWillExpireBeforeTheTestEnds.Name, metav1.GetOptions{}) - requireEventually.Truef(k8serrors.IsNotFound(err), "wanted a NotFound error but got %v", err) + requireEventually.Truef(apierrors.IsNotFound(err), "wanted a NotFound error but got %v", err) }, slightlyLongerThanGCControllerFullResyncPeriod, 250*time.Millisecond) // The unexpired secret should not have been deleted within the timeframe of this test run. @@ -96,7 +96,7 @@ func updateSecretEveryTwoSeconds(stopCh chan struct{}, errCh chan error, secrets case updateErr == nil: // continue to next update - case k8serrors.IsConflict(updateErr), k8serrors.IsNotFound(updateErr): + case apierrors.IsConflict(updateErr), apierrors.IsNotFound(updateErr): select { case _, ok := <-stopCh: if !ok { // stopCh is closed meaning that test is already finished so these errors are expected @@ -121,7 +121,7 @@ func createSecret(ctx context.Context, t *testing.T, secrets corev1client.Secret ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() err := secrets.Delete(ctx, secret.Name, metav1.DeleteOptions{}) - notFound := k8serrors.IsNotFound(err) + notFound := apierrors.IsNotFound(err) if !notFound { // it's okay if the Secret was already deleted, but other errors are cleanup failures require.NoError(t, err) 
diff --git a/test/integration/supervisor_storage_test.go b/test/integration/supervisor_storage_test.go
index 9da514620..8bee33c5f 100644
--- a/test/integration/supervisor_storage_test.go
+++ b/test/integration/supervisor_storage_test.go
@@ -14,7 +14,7 @@ import (
 "github.com/ory/fosite/compose"
 "github.com/stretchr/testify/require"
 corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "go.pinniped.dev/internal/federationdomain/clientregistry"
@@ -85,7 +85,7 @@ func TestAuthorizeCodeStorage(t *testing.T) {
 // trying to create the session again fails because it already exists
 err = storage.CreateAuthorizeCodeSession(ctx, signature, session.Request)
 require.Error(t, err)
- require.True(t, errors.IsAlreadyExists(err))
+ require.True(t, apierrors.IsAlreadyExists(err))
 // check that the data stored in Kube matches what we put in
 initialSecret, err := secrets.Get(ctx, name, metav1.GetOptions{})
diff --git a/test/testlib/client.go b/test/testlib/client.go
index 9be61147a..406ff5cef 100644
--- a/test/testlib/client.go
+++ b/test/testlib/client.go
@@ -19,7 +19,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
- k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
@@ -33,7 +33,7 @@ import (
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
- supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+ pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 "go.pinniped.dev/internal/groupsuffix"
 "go.pinniped.dev/internal/kubeclient"
@@ -80,13 +80,13 @@ func NewKubernetesClientset(t *testing.T) kubernetes.Interface {
 return NewKubeclient(t, NewClientConfig(t)).Kubernetes
 }
-func NewSupervisorClientset(t *testing.T) supervisorclientset.Interface {
+func NewSupervisorClientset(t *testing.T) pinnipedsupervisorclientset.Interface {
 t.Helper()
 return NewKubeclient(t, NewClientConfig(t)).PinnipedSupervisor
 }
-func NewAnonymousSupervisorClientset(t *testing.T) supervisorclientset.Interface {
+func NewAnonymousSupervisorClientset(t *testing.T) pinnipedsupervisorclientset.Interface {
 t.Helper()
 return NewKubeclient(t, NewAnonymousClientRestConfig(t)).PinnipedSupervisor
@@ -380,7 +380,7 @@ func CreateTestFederationDomain(
 deleteCtx, cancel := context.WithTimeout(context.Background(), time.Minute)
 defer cancel()
 err := federationDomainsClient.Delete(deleteCtx, federationDomain.Name, metav1.DeleteOptions{})
- notFound := k8serrors.IsNotFound(err)
+ notFound := apierrors.IsNotFound(err)
 // It's okay if it is not found, because it might have been deleted by another part of this test.
 if !notFound {
 require.NoErrorf(t, err, "could not cleanup test FederationDomain %s/%s", federationDomain.Namespace, federationDomain.Name)
@@ -609,7 +609,7 @@ func CreateTestOIDCIdentityProviderWithObjectMeta(t *testing.T, spec idpv1alpha1
 t.Cleanup(func() {
 t.Logf("cleaning up test OIDCIdentityProvider %s/%s", created.Namespace, created.Name)
 err := upstreams.Delete(context.Background(), created.Name, metav1.DeleteOptions{})
- notFound := k8serrors.IsNotFound(err)
+ notFound := apierrors.IsNotFound(err)
 // It's okay if it is not found, because it might have been deleted by another part of this test.
 if !notFound {
 require.NoErrorf(t, err, "could not cleanup test OIDCIdentityProvider %s/%s", created.Namespace, created.Name)