Fix Godeps.json to point to kubernetes-1.10.12 tags

Automated cherry pick of #70753, #70676 and #70971 upstream release 1.10

Kubernetes-commit: 15008f083eac370234b015cc66f66a00e2303947

Godeps/Godeps.json

@@ -256,331 +256,331 @@
 		},
 		{
 			"ImportPath": "k8s.io/api/admissionregistration/v1alpha1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/admissionregistration/v1beta1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/apps/v1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/apps/v1beta1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/apps/v1beta2",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/authentication/v1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/authentication/v1beta1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/authorization/v1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/authorization/v1beta1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/autoscaling/v1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/autoscaling/v2beta1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/batch/v1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/batch/v1beta1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/batch/v2alpha1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/certificates/v1beta1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/core/v1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/events/v1beta1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/extensions/v1beta1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/imagepolicy/v1alpha1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/networking/v1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/policy/v1beta1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/rbac/v1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/rbac/v1alpha1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/rbac/v1beta1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/scheduling/v1alpha1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/settings/v1alpha1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/storage/v1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/storage/v1alpha1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/api/storage/v1beta1",
-			"Rev": "6c0bbc3e58fab96285be9b6ed41b12b58c737a96"
+			"Rev": "38287c0991a57e8e741db42c0c4eca21386722b8"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/equality",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/errors",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/meta",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/resource",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/testing",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/testing/fuzzer",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/testing/roundtrip",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apimachinery",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apimachinery/announced",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apimachinery/registered",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/fuzzer",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/internalversion",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1beta1",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/conversion",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/conversion/queryparams",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/fields",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/labels",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/schema",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/json",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/protobuf",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/recognizer",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/streaming",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/versioning",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/selection",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/types",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/cache",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/clock",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/diff",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/errors",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/framer",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/httpstream",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/httpstream/spdy",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/intstr",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/json",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/mergepatch",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/net",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/remotecommand",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/runtime",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/sets",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/strategicpatch",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/validation",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/validation/field",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/wait",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/yaml",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/version",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/watch",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/json",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/netutil",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/reflect",
-			"Rev": "e386b2658ed20923da8cc9250e552f082899a1ee"
+			"Rev": "688d824527473e1e3f6c3f0b01171308393bdfe3"
 		},
 		{
 			"ImportPath": "k8s.io/kube-openapi/pkg/util/proto",

discovery/restmapper.go

@@ -98,18 +98,20 @@ func NewRESTMapper(groupResources []*APIGroupResources, versionInterfaces meta.V
 					scope = meta.RESTScopeRoot
 				}
 
-				// this is for legacy resources and servers which don't list singular forms.  For those we must still guess.
-				if len(resource.SingularName) == 0 {
-					versionMapper.Add(gv.WithKind(resource.Kind), scope)
-					// TODO this is producing unsafe guesses that don't actually work, but it matches previous behavior
-					versionMapper.Add(gv.WithKind(resource.Kind+"List"), scope)
+				// if we have a slash, then this is a subresource and we shouldn't create mappings for those.
+				if strings.Contains(resource.Name, "/") {
 					continue
 				}
 
 				plural := gv.WithResource(resource.Name)
 				singular := gv.WithResource(resource.SingularName)
-				versionMapper.AddSpecific(gv.WithKind(resource.Kind), plural, singular, scope)
+				// this is for legacy resources and servers which don't list singular forms.  For those we must still guess.
+				if len(resource.SingularName) == 0 {
+					_, singular = meta.UnsafeGuessKindToResource(gv.WithKind(resource.Kind))
+				}
+
 				versionMapper.AddSpecific(gv.WithKind(strings.ToLower(resource.Kind)), plural, singular, scope)
+				versionMapper.AddSpecific(gv.WithKind(resource.Kind), plural, singular, scope)
 				// TODO this is producing unsafe guesses that don't actually work, but it matches previous behavior
 				versionMapper.Add(gv.WithKind(resource.Kind+"List"), scope)
 			}

tools/leaderelection/healthzadaptor.go

@@ -0,0 +1,69 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package leaderelection
+
+import (
+	"net/http"
+	"sync"
+	"time"
+)
+
+// HealthzAdaptor associates the /healthz endpoint with the LeaderElection object.
+// It helps deal with the /healthz endpoint being set up prior to the LeaderElection.
+// This contains the code needed to act as an adaptor between the leader
+// election code the health check code. It allows us to provide health
+// status about the leader election. Most specifically about if the leader
+// has failed to renew without exiting the process. In that case we should
+// report not healthy and rely on the kubelet to take down the process.
+type HealthzAdaptor struct {
+	pointerLock sync.Mutex
+	le          *LeaderElector
+	timeout     time.Duration
+}
+
+// Name returns the name of the health check we are implementing.
+func (l *HealthzAdaptor) Name() string {
+	return "leaderElection"
+}
+
+// Check is called by the healthz endpoint handler.
+// It fails (returns an error) if we own the lease but had not been able to renew it.
+func (l *HealthzAdaptor) Check(req *http.Request) error {
+	l.pointerLock.Lock()
+	defer l.pointerLock.Unlock()
+	if l.le == nil {
+		return nil
+	}
+	return l.le.Check(l.timeout)
+}
+
+// SetLeaderElection ties a leader election object to a HealthzAdaptor
+func (l *HealthzAdaptor) SetLeaderElection(le *LeaderElector) {
+	l.pointerLock.Lock()
+	defer l.pointerLock.Unlock()
+	l.le = le
+}
+
+// NewLeaderHealthzAdaptor creates a basic healthz adaptor to monitor a leader election.
+// timeout determines the time beyond the lease expiry to be allowed for timeout.
+// checks within the timeout period after the lease expires will still return healthy.
+func NewLeaderHealthzAdaptor(timeout time.Duration) *HealthzAdaptor {
+	result := &HealthzAdaptor{
+		timeout: timeout,
+	}
+	return result
+}

tools/leaderelection/healthzadaptor_test.go

@@ -0,0 +1,175 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package leaderelection
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/clock"
+	rl "k8s.io/client-go/tools/leaderelection/resourcelock"
+	"net/http"
+)
+
+type fakeLock struct {
+	identity string
+}
+
+// Get is a dummy to allow us to have a fakeLock for testing.
+func (fl *fakeLock) Get() (ler *rl.LeaderElectionRecord, err error) {
+	return nil, nil
+}
+
+// Create is a dummy to allow us to have a fakeLock for testing.
+func (fl *fakeLock) Create(ler rl.LeaderElectionRecord) error {
+	return nil
+}
+
+// Update is a dummy to allow us to have a fakeLock for testing.
+func (fl *fakeLock) Update(ler rl.LeaderElectionRecord) error {
+	return nil
+}
+
+// RecordEvent is a dummy to allow us to have a fakeLock for testing.
+func (fl *fakeLock) RecordEvent(string) {}
+
+// Identity is a dummy to allow us to have a fakeLock for testing.
+func (fl *fakeLock) Identity() string {
+	return fl.identity
+}
+
+// Describe is a dummy to allow us to have a fakeLock for testing.
+func (fl *fakeLock) Describe() string {
+	return "Dummy implementation of lock for testing"
+}
+
+// TestLeaderElectionHealthChecker tests that the healthcheck for leader election handles its edge cases.
+func TestLeaderElectionHealthChecker(t *testing.T) {
+	current := time.Now()
+	req := &http.Request{}
+
+	tests := []struct {
+		description    string
+		expected       error
+		adaptorTimeout time.Duration
+		elector        *LeaderElector
+	}{
+		{
+			description:    "call check before leader elector initialized",
+			expected:       nil,
+			adaptorTimeout: time.Second * 20,
+			elector:        nil,
+		},
+		{
+			description:    "call check when the the lease is far expired",
+			expected:       fmt.Errorf("failed election to renew leadership on lease %s", "foo"),
+			adaptorTimeout: time.Second * 20,
+			elector: &LeaderElector{
+				config: LeaderElectionConfig{
+					Lock:          &fakeLock{identity: "healthTest"},
+					LeaseDuration: time.Minute,
+					Name:          "foo",
+				},
+				observedRecord: rl.LeaderElectionRecord{
+					HolderIdentity: "healthTest",
+				},
+				observedTime: current,
+				clock:        clock.NewFakeClock(current.Add(time.Hour)),
+			},
+		},
+		{
+			description:    "call check when the the lease is far expired but held by another server",
+			expected:       nil,
+			adaptorTimeout: time.Second * 20,
+			elector: &LeaderElector{
+				config: LeaderElectionConfig{
+					Lock:          &fakeLock{identity: "healthTest"},
+					LeaseDuration: time.Minute,
+					Name:          "foo",
+				},
+				observedRecord: rl.LeaderElectionRecord{
+					HolderIdentity: "otherServer",
+				},
+				observedTime: current,
+				clock:        clock.NewFakeClock(current.Add(time.Hour)),
+			},
+		},
+		{
+			description:    "call check when the the lease is not expired",
+			expected:       nil,
+			adaptorTimeout: time.Second * 20,
+			elector: &LeaderElector{
+				config: LeaderElectionConfig{
+					Lock:          &fakeLock{identity: "healthTest"},
+					LeaseDuration: time.Minute,
+					Name:          "foo",
+				},
+				observedRecord: rl.LeaderElectionRecord{
+					HolderIdentity: "healthTest",
+				},
+				observedTime: current,
+				clock:        clock.NewFakeClock(current),
+			},
+		},
+		{
+			description:    "call check when the the lease is expired but inside the timeout",
+			expected:       nil,
+			adaptorTimeout: time.Second * 20,
+			elector: &LeaderElector{
+				config: LeaderElectionConfig{
+					Lock:          &fakeLock{identity: "healthTest"},
+					LeaseDuration: time.Minute,
+					Name:          "foo",
+				},
+				observedRecord: rl.LeaderElectionRecord{
+					HolderIdentity: "healthTest",
+				},
+				observedTime: current,
+				clock:        clock.NewFakeClock(current.Add(time.Minute).Add(time.Second)),
+			},
+		},
+	}
+
+	for _, test := range tests {
+		adaptor := NewLeaderHealthzAdaptor(test.adaptorTimeout)
+		if adaptor.le != nil {
+			t.Errorf("[%s] leaderChecker started with a LeaderElector %v", test.description, adaptor.le)
+		}
+		if test.elector != nil {
+			test.elector.config.WatchDog = adaptor
+			adaptor.SetLeaderElection(test.elector)
+			if adaptor.le == nil {
+				t.Errorf("[%s] adaptor failed to set the LeaderElector", test.description)
+			}
+		}
+		err := adaptor.Check(req)
+		if test.expected == nil {
+			if err == nil {
+				continue
+			}
+			t.Errorf("[%s] called check, expected no error but received \"%v\"", test.description, err)
+		} else {
+			if err == nil {
+				t.Errorf("[%s] called check and failed to received the expected error \"%v\"", test.description, test.expected)
+			}
+			if err.Error() != test.expected.Error() {
+				t.Errorf("[%s] called check, expected %v, received %v", test.description, test.expected, err)
+			}
+		}
+	}
+}

tools/leaderelection/leaderelection.go

@@ -55,6 +55,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/clock"
 	"k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	rl "k8s.io/client-go/tools/leaderelection/resourcelock"
@@ -79,6 +80,7 @@ func NewLeaderElector(lec LeaderElectionConfig) (*LeaderElector, error) {
 	}
 	return &LeaderElector{
 		config: lec,
+		clock:  clock.RealClock{},
 	}, nil
 }
 
@@ -100,6 +102,13 @@ type LeaderElectionConfig struct {
 	// Callbacks are callbacks that are triggered during certain lifecycle
 	// events of the LeaderElector
 	Callbacks LeaderCallbacks
+
+	// WatchDog is the associated health checker
+	// WatchDog may be null if its not needed/configured.
+	WatchDog *HealthzAdaptor
+
+	// Name is the name of the resource lock for debugging
+	Name string
 }
 
 // LeaderCallbacks are callbacks that are triggered during certain
@@ -132,6 +141,12 @@ type LeaderElector struct {
 	// value observedRecord.HolderIdentity if the transition has
 	// not yet been reported.
 	reportedLeader string
+
+	// clock is wrapper around time to allow for less flaky testing
+	clock clock.Clock
+
+	// name is the name of the resource lock for debugging
+	name string
 }
 
 // Run starts the leader election loop
@@ -154,6 +169,9 @@ func RunOrDie(lec LeaderElectionConfig) {
 	if err != nil {
 		panic(err)
 	}
+	if lec.WatchDog != nil {
+		lec.WatchDog.SetLeaderElection(le)
+	}
 	le.Run()
 }
 
@@ -229,14 +247,14 @@ func (le *LeaderElector) tryAcquireOrRenew() bool {
 			return false
 		}
 		le.observedRecord = leaderElectionRecord
-		le.observedTime = time.Now()
+		le.observedTime = le.clock.Now()
 		return true
 	}
 
 	// 2. Record obtained, check the Identity & Time
 	if !reflect.DeepEqual(le.observedRecord, *oldLeaderElectionRecord) {
 		le.observedRecord = *oldLeaderElectionRecord
-		le.observedTime = time.Now()
+		le.observedTime = le.clock.Now()
 	}
 	if le.observedTime.Add(le.config.LeaseDuration).After(now.Time) &&
 		oldLeaderElectionRecord.HolderIdentity != le.config.Lock.Identity() {
@@ -259,7 +277,7 @@ func (le *LeaderElector) tryAcquireOrRenew() bool {
 		return false
 	}
 	le.observedRecord = leaderElectionRecord
-	le.observedTime = time.Now()
+	le.observedTime = le.clock.Now()
 	return true
 }
 
@@ -272,3 +290,19 @@ func (l *LeaderElector) maybeReportTransition() {
 		go l.config.Callbacks.OnNewLeader(l.reportedLeader)
 	}
 }
+
+// Check will determine if the current lease is expired by more than timeout.
+func (le *LeaderElector) Check(maxTolerableExpiredLease time.Duration) error {
+	if !le.IsLeader() {
+		// Currently not concerned with the case that we are hot standby
+		return nil
+	}
+	// If we are more than timeout seconds after the lease duration that is past the timeout
+	// on the lease renew. Time to start reporting ourselves as unhealthy. We should have
+	// died but conditions like deadlock can prevent this. (See #70819)
+	if le.clock.Since(le.observedTime) > le.config.LeaseDuration+maxTolerableExpiredLease {
+		return fmt.Errorf("failed election to renew leadership on lease %s", le.config.Name)
+	}
+
+	return nil
+}

tools/leaderelection/leaderelection_test.go

@@ -26,6 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/clock"
 	fakecorev1 "k8s.io/client-go/kubernetes/typed/core/v1/fake"
 	core "k8s.io/client-go/testing"
 	rl "k8s.io/client-go/tools/leaderelection/resourcelock"
@@ -257,6 +258,7 @@ func testTryAcquireOrRenew(t *testing.T, objectType string) {
 			config:         lec,
 			observedRecord: test.observedRecord,
 			observedTime:   test.observedTime,
+			clock:          clock.RealClock{},
 		}
 
 		if test.expectSuccess != le.tryAcquireOrRenew() {

transport/round_trippers.go

@@ -17,6 +17,7 @@ limitations under the License.
 package transport
 
 import (
+	"bytes"
 	"fmt"
 	"net/http"
 	"strings"
@@ -129,7 +130,7 @@ func SetAuthProxyHeaders(req *http.Request, username string, groups []string, ex
 	}
 	for key, values := range extra {
 		for _, value := range values {
-			req.Header.Add("X-Remote-Extra-"+key, value)
+			req.Header.Add("X-Remote-Extra-"+headerKeyEscape(key), value)
 		}
 	}
 }
@@ -246,7 +247,7 @@ func (rt *impersonatingRoundTripper) RoundTrip(req *http.Request) (*http.Respons
 	}
 	for k, vv := range rt.impersonate.Extra {
 		for _, v := range vv {
-			req.Header.Add(ImpersonateUserExtraHeaderPrefix+k, v)
+			req.Header.Add(ImpersonateUserExtraHeaderPrefix+headerKeyEscape(k), v)
 		}
 	}
 
@@ -422,3 +423,110 @@ func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, e
 func (rt *debuggingRoundTripper) WrappedRoundTripper() http.RoundTripper {
 	return rt.delegatedRoundTripper
 }
+
+func legalHeaderByte(b byte) bool {
+	return int(b) < len(legalHeaderKeyBytes) && legalHeaderKeyBytes[b]
+}
+
+func shouldEscape(b byte) bool {
+	// url.PathUnescape() returns an error if any '%' is not followed by two
+	// hexadecimal digits, so we'll intentionally encode it.
+	return !legalHeaderByte(b) || b == '%'
+}
+
+func headerKeyEscape(key string) string {
+	var buf bytes.Buffer
+	for i := 0; i < len(key); i++ {
+		b := key[i]
+		if shouldEscape(b) {
+			// %-encode bytes that should be escaped:
+			// https://tools.ietf.org/html/rfc3986#section-2.1
+			fmt.Fprintf(&buf, "%%%02X", b)
+			continue
+		}
+		buf.WriteByte(b)
+	}
+	return buf.String()
+}
+
+// legalHeaderKeyBytes was copied from net/http/lex.go's isTokenTable.
+// See https://httpwg.github.io/specs/rfc7230.html#rule.token.separators
+var legalHeaderKeyBytes = [127]bool{
+	'%':  true,
+	'!':  true,
+	'#':  true,
+	'$':  true,
+	'&':  true,
+	'\'': true,
+	'*':  true,
+	'+':  true,
+	'-':  true,
+	'.':  true,
+	'0':  true,
+	'1':  true,
+	'2':  true,
+	'3':  true,
+	'4':  true,
+	'5':  true,
+	'6':  true,
+	'7':  true,
+	'8':  true,
+	'9':  true,
+	'A':  true,
+	'B':  true,
+	'C':  true,
+	'D':  true,
+	'E':  true,
+	'F':  true,
+	'G':  true,
+	'H':  true,
+	'I':  true,
+	'J':  true,
+	'K':  true,
+	'L':  true,
+	'M':  true,
+	'N':  true,
+	'O':  true,
+	'P':  true,
+	'Q':  true,
+	'R':  true,
+	'S':  true,
+	'T':  true,
+	'U':  true,
+	'W':  true,
+	'V':  true,
+	'X':  true,
+	'Y':  true,
+	'Z':  true,
+	'^':  true,
+	'_':  true,
+	'`':  true,
+	'a':  true,
+	'b':  true,
+	'c':  true,
+	'd':  true,
+	'e':  true,
+	'f':  true,
+	'g':  true,
+	'h':  true,
+	'i':  true,
+	'j':  true,
+	'k':  true,
+	'l':  true,
+	'm':  true,
+	'n':  true,
+	'o':  true,
+	'p':  true,
+	'q':  true,
+	'r':  true,
+	's':  true,
+	't':  true,
+	'u':  true,
+	'v':  true,
+	'w':  true,
+	'x':  true,
+	'y':  true,
+	'z':  true,
+	'|':  true,
+	'~':  true,
+}

transport/round_trippers_test.go

@@ -18,6 +18,7 @@ package transport
 
 import (
 	"net/http"
+	"net/url"
 	"reflect"
 	"strings"
 	"testing"
@@ -125,6 +126,32 @@ func TestImpersonationRoundTripper(t *testing.T) {
 				ImpersonateUserExtraHeaderPrefix + "Second": {"B", "b"},
 			},
 		},
+		{
+			name: "escape handling",
+			impersonationConfig: ImpersonationConfig{
+				UserName: "user",
+				Extra: map[string][]string{
+					"test.example.com/thing.thing": {"A", "a"},
+				},
+			},
+			expected: map[string][]string{
+				ImpersonateUserHeader:                                               {"user"},
+				ImpersonateUserExtraHeaderPrefix + `Test.example.com%2fthing.thing`: {"A", "a"},
+			},
+		},
+		{
+			name: "double escape handling",
+			impersonationConfig: ImpersonationConfig{
+				UserName: "user",
+				Extra: map[string][]string{
+					"test.example.com/thing.thing%20another.thing": {"A", "a"},
+				},
+			},
+			expected: map[string][]string{
+				ImpersonateUserHeader: {"user"},
+				ImpersonateUserExtraHeaderPrefix + `Test.example.com%2fthing.thing%2520another.thing`: {"A", "a"},
+			},
+		},
 	}
 
 	for _, tc := range tcs {
@@ -159,9 +186,10 @@ func TestImpersonationRoundTripper(t *testing.T) {
 
 func TestAuthProxyRoundTripper(t *testing.T) {
 	for n, tc := range map[string]struct {
-		username string
-		groups   []string
-		extra    map[string][]string
+		username      string
+		groups        []string
+		extra         map[string][]string
+		expectedExtra map[string][]string
 	}{
 		"allfields": {
 			username: "user",
@@ -170,6 +198,34 @@ func TestAuthProxyRoundTripper(t *testing.T) {
 				"one": {"alpha", "bravo"},
 				"two": {"charlie", "delta"},
 			},
+			expectedExtra: map[string][]string{
+				"one": {"alpha", "bravo"},
+				"two": {"charlie", "delta"},
+			},
+		},
+		"escaped extra": {
+			username: "user",
+			groups:   []string{"groupA", "groupB"},
+			extra: map[string][]string{
+				"one":             {"alpha", "bravo"},
+				"example.com/two": {"charlie", "delta"},
+			},
+			expectedExtra: map[string][]string{
+				"one":               {"alpha", "bravo"},
+				"example.com%2ftwo": {"charlie", "delta"},
+			},
+		},
+		"double escaped extra": {
+			username: "user",
+			groups:   []string{"groupA", "groupB"},
+			extra: map[string][]string{
+				"one": {"alpha", "bravo"},
+				"example.com/two%20three": {"charlie", "delta"},
+			},
+			expectedExtra: map[string][]string{
+				"one": {"alpha", "bravo"},
+				"example.com%2ftwo%2520three": {"charlie", "delta"},
+			},
 		},
 	} {
 		rt := &testRoundTripper{}
@@ -210,9 +266,64 @@ func TestAuthProxyRoundTripper(t *testing.T) {
 				actualExtra[extraKey] = append(actualExtra[key], values...)
 			}
 		}
-		if e, a := tc.extra, actualExtra; !reflect.DeepEqual(e, a) {
+		if e, a := tc.expectedExtra, actualExtra; !reflect.DeepEqual(e, a) {
 			t.Errorf("%s expected %v, got %v", n, e, a)
 			continue
 		}
 	}
 }
+
+// TestHeaderEscapeRoundTrip tests to see if foo == url.PathUnescape(headerEscape(foo))
+// This behavior is important for client -> API server transmission of extra values.
+func TestHeaderEscapeRoundTrip(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		name string
+		key  string
+	}{
+		{
+			name: "alpha",
+			key:  "alphabetical",
+		},
+		{
+			name: "alphanumeric",
+			key:  "alph4num3r1c",
+		},
+		{
+			name: "percent encoded",
+			key:  "percent%20encoded",
+		},
+		{
+			name: "almost percent encoded",
+			key:  "almost%zzpercent%xxencoded",
+		},
+		{
+			name: "illegal char & percent encoding",
+			key:  "example.com/percent%20encoded",
+		},
+		{
+			name: "weird unicode stuff",
+			key:  "example.com/ᛒᚥᛏᛖᚥᚢとロビン",
+		},
+		{
+			name: "header legal chars",
+			key:  "abc123!#$+.-_*\\^`~|'",
+		},
+		{
+			name: "legal path, illegal header",
+			key:  "@=:",
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			escaped := headerKeyEscape(tc.key)
+			unescaped, err := url.PathUnescape(escaped)
+			if err != nil {
+				t.Fatalf("url.PathUnescape(%q) returned error: %v", escaped, err)
+			}
+			if tc.key != unescaped {
+				t.Errorf("url.PathUnescape(headerKeyEscape(%q)) returned %q, wanted %q", tc.key, unescaped, tc.key)
+			}
+		})
+	}
+}