Merge branch 'main' into dynamic_clients

Ryan Richard
2022-08-26 11:35:35 -07:00
329 changed files with 15446 additions and 1044 deletions


@@ -143,7 +143,7 @@ func TestController(t *testing.T) {
if tt.initialCache != nil {
tt.initialCache(t, cache)
}
testLog := testlogger.NewLegacy(t) //nolint: staticcheck // old test with lots of log statements
testLog := testlogger.NewLegacy(t) //nolint:staticcheck // old test with lots of log statements
webhooks := informers.Authentication().V1alpha1().WebhookAuthenticators()
jwtAuthenticators := informers.Authentication().V1alpha1().JWTAuthenticators()


@@ -375,7 +375,7 @@ func TestController(t *testing.T) {
fakeClient := pinnipedfake.NewSimpleClientset(tt.jwtAuthenticators...)
informers := pinnipedinformers.NewSharedInformerFactory(fakeClient, 0)
cache := authncache.New()
testLog := testlogger.NewLegacy(t) //nolint: staticcheck // old test with lots of log statements
testLog := testlogger.NewLegacy(t) //nolint:staticcheck // old test with lots of log statements
if tt.cache != nil {
tt.cache(t, cache, tt.wantClose)


@@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package webhookcachefiller implements a controller for filling an authncache.Cache with each added/updated WebhookAuthenticator.
@@ -6,7 +6,6 @@ package webhookcachefiller
import (
"fmt"
"io/ioutil"
"os"
"github.com/go-logr/logr"
@@ -64,7 +63,7 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
return fmt.Errorf("failed to get WebhookAuthenticator %s/%s: %w", ctx.Key.Namespace, ctx.Key.Name, err)
}
webhookAuthenticator, err := newWebhookAuthenticator(&obj.Spec, ioutil.TempFile, clientcmd.WriteToFile)
webhookAuthenticator, err := newWebhookAuthenticator(&obj.Spec, os.CreateTemp, clientcmd.WriteToFile)
if err != nil {
return fmt.Errorf("failed to build webhook config: %w", err)
}
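Review bot: Nothing in this hunk shows the kubeconfig temp file handed out by `os.CreateTemp` being removed once `newWebhookAuthenticator` returns; if the helper does not unlink it, every resync of a WebhookAuthenticator leaves a file holding the webhook endpoint and CA bundle in os.TempDir(). The swap from ioutil.TempFile is behavior-preserving (same 0600 mode, same directory), so this would be inherited rather than introduced, but it is worth confirming while the call site is being touched. If the file is only needed while the authenticator is constructed, a `defer os.Remove(f.Name())` inside the helper closes that gap. Sync's body continues outside the hunk.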


@@ -7,7 +7,7 @@ import (
"context"
"encoding/base64"
"fmt"
"io/ioutil"
"io"
"net/http"
"os"
"testing"
@@ -88,7 +88,7 @@ func TestController(t *testing.T) {
fakeClient := pinnipedfake.NewSimpleClientset(tt.webhooks...)
informers := pinnipedinformers.NewSharedInformerFactory(fakeClient, 0)
cache := authncache.New()
testLog := testlogger.NewLegacy(t) //nolint: staticcheck // old test with lots of log statements
testLog := testlogger.NewLegacy(t) //nolint:staticcheck // old test with lots of log statements
controller := New(cache, informers.Authentication().V1alpha1().WebhookAuthenticators(), testLog.Logger)
@@ -121,7 +121,7 @@ func TestNewWebhookAuthenticator(t *testing.T) {
t.Run("marshal failure", func(t *testing.T) {
marshalError := func(_ clientcmdapi.Config, _ string) error { return fmt.Errorf("some marshal error") }
res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{}, ioutil.TempFile, marshalError)
res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{}, os.CreateTemp, marshalError)
require.Nil(t, res)
require.EqualError(t, err, "unable to marshal kubeconfig: some marshal error")
})
@@ -130,7 +130,7 @@ func TestNewWebhookAuthenticator(t *testing.T) {
res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
Endpoint: "https://example.com",
TLS: &auth1alpha1.TLSSpec{CertificateAuthorityData: "invalid-base64"},
}, ioutil.TempFile, clientcmd.WriteToFile)
}, os.CreateTemp, clientcmd.WriteToFile)
require.Nil(t, res)
require.EqualError(t, err, "invalid TLS configuration: illegal base64 data at input byte 7")
})
@@ -139,7 +139,7 @@ func TestNewWebhookAuthenticator(t *testing.T) {
res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
Endpoint: "https://example.com",
TLS: &auth1alpha1.TLSSpec{CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("bad data"))},
}, ioutil.TempFile, clientcmd.WriteToFile)
}, os.CreateTemp, clientcmd.WriteToFile)
require.Nil(t, res)
require.EqualError(t, err, "invalid TLS configuration: certificateAuthorityData is not valid PEM: data does not contain any valid RSA or ECDSA certificates")
})
@@ -147,14 +147,14 @@ func TestNewWebhookAuthenticator(t *testing.T) {
t.Run("valid config with no TLS spec", func(t *testing.T) {
res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
Endpoint: "https://example.com",
}, ioutil.TempFile, clientcmd.WriteToFile)
}, os.CreateTemp, clientcmd.WriteToFile)
require.NotNil(t, res)
require.NoError(t, err)
})
t.Run("success", func(t *testing.T) {
caBundle, url := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
body, err := ioutil.ReadAll(r.Body)
body, err := io.ReadAll(r.Body)
require.NoError(t, err)
require.Contains(t, string(body), "test-token")
_, err = w.Write([]byte(`{}`))
@@ -166,7 +166,7 @@ func TestNewWebhookAuthenticator(t *testing.T) {
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(caBundle)),
},
}
res, err := newWebhookAuthenticator(spec, ioutil.TempFile, clientcmd.WriteToFile)
res, err := newWebhookAuthenticator(spec, os.CreateTemp, clientcmd.WriteToFile)
require.NoError(t, err)
require.NotNil(t, res)


@@ -11,7 +11,7 @@ import (
"encoding/pem"
"errors"
"fmt"
"io/ioutil"
"io"
"net"
"net/http"
"reflect"
@@ -92,7 +92,7 @@ func TestImpersonatorConfigControllerOptions(t *testing.T) {
nil,
caSignerName,
nil,
plog.Logr(), // nolint: staticcheck // old test with no log assertions
plog.Logr(), //nolint:staticcheck // old test with no log assertions
)
credIssuerInformerFilter = observableWithInformerOption.GetFilterForInformer(credIssuerInformer)
servicesInformerFilter = observableWithInformerOption.GetFilterForInformer(servicesInformer)
@@ -360,10 +360,13 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
}
testHTTPServerMutex.Lock() // this is to satisfy the race detector
testHTTPServer = &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
_, err := fmt.Fprint(w, fakeServerResponseBody)
r.NoError(err)
})}
testHTTPServer = &http.Server{
Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
_, err := fmt.Fprint(w, fakeServerResponseBody)
r.NoError(err)
}),
ReadHeaderTimeout: 10 * time.Second,
}
testHTTPServerMutex.Unlock()
// Start serving requests in the background.
@@ -480,7 +483,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
r.NoError(err)
r.Equal(http.StatusOK, resp.StatusCode)
body, err := ioutil.ReadAll(resp.Body)
body, err := io.ReadAll(resp.Body)
r.NoError(resp.Body.Close())
r.NoError(err)
r.Equal(fakeServerResponseBody, string(body))
@@ -560,7 +563,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
impersonatorFunc,
caSignerName,
signingCertProvider,
plog.Logr(), // nolint: staticcheck // old test with no log assertions
plog.Logr(), //nolint:staticcheck // old test with no log assertions
)
controllerlib.TestWrap(t, subject, func(syncer controllerlib.Syncer) controllerlib.Syncer {
tlsServingCertDynamicCertProvider = syncer.(*impersonatorConfigController).tlsServingCertDynamicCertProvider
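Review bot: The new `ReadHeaderTimeout: 10 * time.Second` on the `testHTTPServer = &http.Server{` literal is presumably there to satisfy a linter's slowloris check on http.Server, but nothing in the hunk says so, and a reader may take 10s as a bound the test actually depends on. A one-line comment such as `// ReadHeaderTimeout only satisfies the http.Server linter check; this fixture is never exposed.` would make the intent explicit. ReadTimeout, WriteTimeout and IdleTimeout remain unset, which is fine for a local test fixture but worth stating for the same reason. TestImpersonatorConfigControllerSync continues outside the hunk.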


@@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package issuerconfig contains helpers for updating CredentialIssuer status entries.
@@ -60,8 +60,7 @@ func mergeStrategy(configToUpdate *v1alpha1.CredentialIssuerStatus, strategy v1a
}
// weights are a set of priorities for each strategy type.
//nolint: gochecknoglobals
var weights = map[v1alpha1.StrategyType]int{
var weights = map[v1alpha1.StrategyType]int{ //nolint:gochecknoglobals
v1alpha1.KubeClusterSigningCertificateStrategyType: 2, // most preferred strategy
v1alpha1.ImpersonationProxyStrategyType: 1,
// unknown strategy types will have weight 0 by default


@@ -145,12 +145,12 @@ type agentController struct {
var (
// controllerManagerLabels are the Kubernetes labels we expect on the kube-controller-manager Pod.
controllerManagerLabels = labels.SelectorFromSet(map[string]string{ // nolint: gochecknoglobals
controllerManagerLabels = labels.SelectorFromSet(map[string]string{ //nolint:gochecknoglobals
"component": "kube-controller-manager",
})
// agentLabels are the Kubernetes labels we always expect on the kube-controller-manager Pod.
agentLabels = labels.SelectorFromSet(map[string]string{ // nolint: gochecknoglobals
agentLabels = labels.SelectorFromSet(map[string]string{ //nolint:gochecknoglobals
agentPodLabelKey: agentPodLabelValue,
})
)
@@ -179,7 +179,7 @@ func NewAgentController(
dynamicCertProvider,
&clock.RealClock{},
cache.NewExpiring(),
plog.Logr(), // nolint: staticcheck // old controller with lots of log statements
plog.Logr(), //nolint:staticcheck // old controller with lots of log statements
)
}


@@ -1110,7 +1110,7 @@ func TestAgentController(t *testing.T) {
require.NoError(t, err)
if tt.wantAgentDeployment == nil {
assert.Empty(t, deployments.Items, "did not expect an agent deployment")
} else { // nolint: gocritic
} else { //nolint:gocritic
if assert.Len(t, deployments.Items, 1, "expected a single agent deployment") {
assert.Equal(t, tt.wantAgentDeployment, &deployments.Items[0])
}


@@ -149,7 +149,7 @@ func TestLegacyPodCleanerController(t *testing.T) {
}
kubeInformers := informers.NewSharedInformerFactory(kubeClientset, 0)
log := testlogger.NewLegacy(t) //nolint: staticcheck // old test with lots of log statements
log := testlogger.NewLegacy(t) //nolint:staticcheck // old test with lots of log statements
controller := NewLegacyPodCleanerController(
AgentConfig{
Namespace: "concierge",


@@ -1,7 +1,7 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package secretgenerator provides a supervisorSecretsController that can ensure existence of a generated secret.
// Package generator provides a supervisorSecretsController that can ensure existence of a generated secret.
package generator
import (
@@ -24,8 +24,7 @@ import (
)
// generateKey is stubbed out for the purpose of testing. The default behavior is to generate a symmetric key.
//nolint:gochecknoglobals
var generateKey = generateSymmetricKey
var generateKey = generateSymmetricKey //nolint:gochecknoglobals
type supervisorSecretsController struct {
labels map[string]string


@@ -50,8 +50,7 @@ const (
)
// generateKey is stubbed out for the purpose of testing. The default behavior is to generate an EC key.
//nolint:gochecknoglobals
var generateKey = generateECKey
var generateKey = generateECKey //nolint:gochecknoglobals
func generateECKey(r io.Reader) (interface{}, error) {
return ecdsa.GenerateKey(elliptic.P256(), r)


@@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package supervisorconfig
@@ -10,7 +10,7 @@ import (
"encoding/pem"
"errors"
"io"
"io/ioutil"
"os"
"testing"
"github.com/stretchr/testify/require"
@@ -259,7 +259,7 @@ func TestJWKSWriterControllerSync(t *testing.T) {
const namespace = "tuna-namespace"
goodKeyPEM, err := ioutil.ReadFile("testdata/good-ec-key.pem")
goodKeyPEM, err := os.ReadFile("testdata/good-ec-key.pem")
require.NoError(t, err)
block, _ := pem.Decode(goodKeyPEM)
require.NotNil(t, block, "expected block to be non-nil...is goodKeyPEM a valid PEM?")
@@ -747,7 +747,7 @@ func TestJWKSWriterControllerSync(t *testing.T) {
func readJWKJSON(t *testing.T, path string) []byte {
t.Helper()
data, err := ioutil.ReadFile(path)
data, err := os.ReadFile(path)
require.NoError(t, err)
// Trim whitespace from our testdata so that we match the compact JSON encoding of


@@ -68,7 +68,7 @@ const (
)
var (
disallowedAdditionalAuthorizeParameters = map[string]bool{ // nolint: gochecknoglobals
disallowedAdditionalAuthorizeParameters = map[string]bool{ //nolint:gochecknoglobals
// Reject these AdditionalAuthorizeParameters to avoid allowing the user's config to overwrite the parameters
// that are always used by Pinniped in authcode authorization requests. The OIDC library used would otherwise
// happily treat the user's config as an override. Users can already set the "client_id" and "scope" params


@@ -91,7 +91,7 @@ func TestOIDCUpstreamWatcherControllerFilterSecret(t *testing.T) {
nil,
pinnipedInformers.IDP().V1alpha1().OIDCIdentityProviders(),
secretInformer,
plog.Logr(), // nolint: staticcheck // old test with no log assertions
plog.Logr(), //nolint:staticcheck // old test with no log assertions
withInformer.WithInformer,
)
@@ -1400,7 +1400,7 @@ oidc: issuer did not match the issuer returned by provider, expected "` + testIs
pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...)
kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
testLog := testlogger.NewLegacy(t) // nolint: staticcheck // old test with lots of log statements
testLog := testlogger.NewLegacy(t) //nolint:staticcheck // old test with lots of log statements
cache := provider.NewDynamicUpstreamIDPProvider()
cache.SetOIDCIdentityProviders([]provider.UpstreamOIDCIdentityProviderI{
&upstreamoidc.ProviderConfig{Name: "initial-entry"},


@@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package supervisorconfig
@@ -6,8 +6,8 @@ package supervisorconfig
import (
"context"
"crypto/tls"
"io/ioutil"
"net/url"
"os"
"testing"
"github.com/sclevine/spec"
@@ -170,7 +170,7 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
}
var readTestFile = func(path string) []byte {
data, err := ioutil.ReadFile(path)
data, err := os.ReadFile(path)
r.NoError(err)
return data
}