Update dependencies to v0.18.0-alpha.1 tag

Update go version in go.mod to 1.13

Kubernetes-commit: b96642aeaeefee838b5f0938e5d04765dd27d39b

CONTRIBUTING.md

@@ -1,8 +1,6 @@
 # Contributing guidelines
 
-Do not open pull requests directly against this repository. They will be ignored. Instead, please open pull requests against [kubernetes/kubernetes](https://git.k8s.io/kubernetes/). 
-The exception is changes to the `README.md` itself. 
-Please follow the same [contributing guide](https://git.k8s.io/kubernetes/CONTRIBUTING.md) you would follow for any other pull request made to kubernetes/kubernetes.
+Do not open pull requests directly against kubernetes/client-go repository (except for README.md); they will be ignored. Instead, please open pull requests and issues against [kubernetes/kubernetes](https://git.k8s.io/kubernetes/).  Please follow the same [contributing guide](https://git.k8s.io/kubernetes/CONTRIBUTING.md) you would follow for any other pull request made to kubernetes/kubernetes.
 
 This repository is published from [kubernetes/kubernetes/staging/src/k8s.io/client-go](https://git.k8s.io/kubernetes/staging/src/k8s.io/client-go) by the [kubernetes publishing-bot](https://git.k8s.io/publishing-bot).
 

Godeps/Godeps.json

@@ -348,11 +348,11 @@
 		},
 		{
 			"ImportPath": "k8s.io/api",
-			"Rev": "v0.17.1"
+			"Rev": "v0.18.0-alpha.1"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery",
-			"Rev": "v0.17.1"
+			"Rev": "v0.18.0-alpha.1"
 		},
 		{
 			"ImportPath": "k8s.io/gengo",

INSTALL.md

@@ -52,14 +52,30 @@ go mod init
 
 ### Add client-go as a dependency
 
-Indicate which version of `client-go` your project requires (replace `kubernetes-1.15.0` with the desired version):
+Indicate which version of `client-go` your project requires:
+
+- If you are using Kubernetes versions >= `v1.17.0`, use a corresponding
+`v0.x.y` tag. For example, `k8s.io/client-go@v0.17.0` corresponds to Kubernetes `v1.17.0`:
 
 ```sh
-go get k8s.io/client-go@kubernetes-1.15.0
+go get k8s.io/client-go@v0.17.0
+```
+
+You can also use a non-semver `kubernetes-1.x.y` tag to refer to a version
+of `client-go` corresponding to a given Kubernetes release. Prior to Kubernetes
+`v1.17.0` these were the only tags available for use with go modules.
+For example, `kubernetes-1.16.3` corresponds to Kubernetes `v1.16.3`.
+However, it is recommended to use semver-like `v0.x.y` tags over non-semver
+`kubernetes-1.x.y` tags to have a seamless experience with go modules.
+
+- If you are using Kubernetes versions < `v1.17.0` (replace `kubernetes-1.16.3` with the desired version):
+
+```sh
+go get k8s.io/client-go@kubernetes-1.16.3
 ```
 
 You can now import and use the `k8s.io/client-go` APIs in your project.
 The next time you `go build`, `go test`, or `go run` your project,
 `k8s.io/client-go` and its dependencies will be downloaded (if needed),
 and detailed dependency version info will be added to your `go.mod` file
-(or you can also run `go mod tidy` to do this directly).
+(or you can also run `go mod tidy` to do this directly).

README.md

@@ -2,7 +2,8 @@
 
 Go clients for talking to a [kubernetes](http://kubernetes.io/) cluster.
 
-We recommend using the `kubernetes-1.x.y` tag matching the current Kubernetes release (`kubernetes-1.15.3` at the time this was written).
+We recommend using the `v0.x.y` tags for Kubernetes releases >= `v1.17.0` and
+`kubernetes-1.x.y` tags for Kubernetes releases < `v1.17.0`.
 See [INSTALL.md](/INSTALL.md) for detailed installation instructions.
 `go get k8s.io/client-go@master` works, but will fetch `master`, which may be less stable than a tagged release.
 
@@ -44,42 +45,31 @@ See [INSTALL.md](/INSTALL.md) for detailed installation instructions.
 
 ### Versioning
 
-`client-go` follows [semver](http://semver.org/). We will not make
-backwards-incompatible changes without incrementing the major version number. A
-change is backwards-incompatible either if it *i)* changes the public interfaces
-of `client-go`, or *ii)* makes `client-go` incompatible with otherwise supported
-versions of Kubernetes clusters.
+- For each `v1.x.y` Kubernetes release, the major version (first digit)
+would remain `0`.
 
-Changes that add features in a backwards-compatible way will result in bumping
-the minor version (second digit) number.
-
-Bugfixes will result in the patch version (third digit) changing. PRs that are
+- Bugfixes will result in the patch version (third digit) changing. PRs that are
 cherry-picked into an older Kubernetes release branch will result in an update
 to the corresponding branch in `client-go`, with a corresponding new tag
 changing the patch version.
 
-A consequence of this is that `client-go` version numbers will be unrelated to
-Kubernetes version numbers.
-
 #### Branches and tags.
 
-We will create a new branch and tag for each increment in the major version number or
-minor version number. We will create only a new tag for each increment in the patch
+We will create a new branch and tag for each increment in the minor version
+number. We will create only a new tag for each increment in the patch
 version number. See [semver](http://semver.org/) for definitions of major,
 minor, and patch.
 
-The master branch will track HEAD in the main Kubernetes repo and
-accumulate changes. Consider HEAD to have the version `x.(y+1).0-alpha` or
-`(x+1).0.0-alpha` (depending on whether it has accumulated a breaking change or
-not), where `x` and `y` are the current major and minor versions.
+The HEAD of the master branch in client-go will track the HEAD of the master
+branch in the main Kubernetes repo.
 
 #### Compatibility: your code <-> client-go
 
-`client-go` follows [semver](http://semver.org/), so until the major version of
-client-go gets increased, your code will compile and will continue to work with
-explicitly supported versions of Kubernetes clusters. You must use a dependency
-management system and pin a specific major version of `client-go` to get this
-benefit, as HEAD follows the upstream Kubernetes repo.
+The `v0.x.y` tags indicate that go APIs may change in incompatible ways in
+different versions.
+
+See [INSTALL.md](INSTALL.md) for guidelines on requiring a specific
+version of client-go.
 
 #### Compatibility: client-go <-> Kubernetes clusters
 
@@ -92,16 +82,12 @@ We will backport bugfixes--but not new features--into older versions of
 
 #### Compatibility matrix
 
-|                     | Kubernetes 1.9 | Kubernetes 1.10 | Kubernetes 1.11 | Kubernetes 1.12 | Kubernetes 1.13 | Kubernetes 1.14 | Kubernetes 1.15 |
-|---------------------|----------------|-----------------|-----------------|-----------------|-----------------|-----------------|-----------------|
-| client-go 6.0       | ✓              | +-              | +-              | +-              | +-              | +-              | +-              |
-| client-go 7.0       | +-             | ✓               | +-              | +-              | +-              | +-              | +-              |
-| client-go 8.0       | +-             | +-              | ✓               | +-              | +-              | +-              | +-              |
-| client-go 9.0       | +-             | +-              | +-              | ✓               | +-              | +-              | +-              |
-| client-go 10.0      | +-             | +-              | +-              | +-              | ✓               | +-              | +-              |
-| client-go 11.0      | +-             | +-              | +-              | +-              | +-              | ✓               | +-              |
-| client-go 12.0      | +-             | +-              | +-              | +-              | +-              | +-              | ✓               |
-| client-go HEAD      | +-             | +-              | +-              | +-              | +-              | +-              | +-              |
+|                               | Kubernetes 1.15 | Kubernetes 1.16 | Kubernetes 1.17 |
+|-------------------------------|-----------------|-----------------|-----------------|
+| `kubernetes-1.15.0`           | ✓               | +-              | +-              |
+| `kubernetes-1.16.0`           | +-              | ✓               | +-              |
+| `kubernetes-1.17.0`/`v0.17.0` | +-              | +-              | ✓               |
+| `HEAD`                        | +-              | +-              | +-              |
 
 Key:
 
@@ -122,19 +108,21 @@ between client-go versions.
 
 | Branch         | Canonical source code location       | Maintenance status            |
 |----------------|--------------------------------------|-------------------------------|
-| client-go 1.4  | Kubernetes main repo, 1.4 branch     | = -                           |
-| client-go 1.5  | Kubernetes main repo, 1.5 branch     | = -                           |
-| client-go 2.0  | Kubernetes main repo, 1.5 branch     | = -                           |
-| client-go 3.0  | Kubernetes main repo, 1.6 branch     | = -                           |
-| client-go 4.0  | Kubernetes main repo, 1.7 branch     | = -                           |
-| client-go 5.0  | Kubernetes main repo, 1.8 branch     | = -                           |
-| client-go 6.0  | Kubernetes main repo, 1.9 branch     | = -                           |
-| client-go 7.0  | Kubernetes main repo, 1.10 branch    | = -                           |
-| client-go 8.0  | Kubernetes main repo, 1.11 branch    | =-                            |
-| client-go 9.0  | Kubernetes main repo, 1.12 branch    | =-                            |
-| client-go 10.0 | Kubernetes main repo, 1.13 branch    | ✓                             |
-| client-go 11.0 | Kubernetes main repo, 1.14 branch    | ✓                             |
-| client-go 12.0 | Kubernetes main repo, 1.15 branch    | ✓                             |
+| `release-1.4`  | Kubernetes main repo, 1.4 branch     | = -                           |
+| `release-1.5`  | Kubernetes main repo, 1.5 branch     | = -                           |
+| `release-2.0`  | Kubernetes main repo, 1.5 branch     | = -                           |
+| `release-3.0`  | Kubernetes main repo, 1.6 branch     | = -                           |
+| `release-4.0`  | Kubernetes main repo, 1.7 branch     | = -                           |
+| `release-5.0`  | Kubernetes main repo, 1.8 branch     | = -                           |
+| `release-6.0`  | Kubernetes main repo, 1.9 branch     | = -                           |
+| `release-7.0`  | Kubernetes main repo, 1.10 branch    | = -                           |
+| `release-8.0`  | Kubernetes main repo, 1.11 branch    | =-                            |
+| `release-9.0`  | Kubernetes main repo, 1.12 branch    | =-                            |
+| `release-10.0` | Kubernetes main repo, 1.13 branch    | =-                            |
+| `release-11.0` | Kubernetes main repo, 1.14 branch    | ✓                             |
+| `release-12.0` | Kubernetes main repo, 1.15 branch    | ✓                             |
+| `release-13.0` | Kubernetes main repo, 1.16 branch    | ✓                             |
+| `release-14.0` | Kubernetes main repo, 1.17 branch    | ✓                             |
 | client-go HEAD | Kubernetes main repo, master branch  | ✓                             |
 
 Key:
@@ -161,14 +149,19 @@ existing users won't be broken.
 
 This repository is still a mirror of
 [k8s.io/kubernetes/staging/src/client-go](https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/client-go),
-the code development is still done in the staging area. Since Kubernetes 1.8
-release, when syncing the code from the staging area, we also sync the Kubernetes
-version tags to client-go, prefixed with "kubernetes-". For example, if you check
-out the `kubernetes-1.15.3` tag in client-go, the code you get is exactly the
-same as if you check out the `v1.15.3` tag in Kubernetes, and change directory to
-`staging/src/k8s.io/client-go`. The purpose is to let users quickly find matching
-commits among published repos, like
-[sample-apiserver](https://github.com/kubernetes/sample-apiserver),
+the code development is still done in the staging area.
+
+Since Kubernetes `v1.8.0`, when syncing the code from the staging area,
+we also sync the Kubernetes version tags to client-go, prefixed with
+`kubernetes-`. From Kubernetes `v1.17.0`, we also create matching semver
+`v0.x.y` tags for each `v1.x.y` Kubernetes release.
+
+For example, if you check out the `kubernetes-1.17.0` or the `v0.17.0` tag in
+client-go, the code you get is exactly the same as if you check out the `v1.17.0`
+tag in Kubernetes, and change directory to `staging/src/k8s.io/client-go`.
+
+The purpose is to let users quickly find matching commits among published repos,
+like [sample-apiserver](https://github.com/kubernetes/sample-apiserver),
 [apiextension-apiserver](https://github.com/kubernetes/apiextensions-apiserver),
 etc. The Kubernetes version tag does NOT claim any backwards compatibility
 guarantees for client-go. Please check the [semantic versions](#versioning) if
@@ -179,7 +172,7 @@ you care about backwards compatibility.
 Use go1.11+ and fetch the desired version using the `go get` command. For example:
 
 ```
-go get k8s.io/client-go@kubernetes-1.15.3
+go get k8s.io/client-go@v0.17.0
 ```
 
 See [INSTALL.md](/INSTALL.md) for detailed instructions.

go.mod

@@ -2,7 +2,7 @@
 
 module k8s.io/client-go
 
-go 1.12
+go 1.13
 
 require (
 	cloud.google.com/go v0.38.0 // indirect
@@ -28,8 +28,8 @@ require (
 	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
 	golang.org/x/time v0.0.0-20190308202827-9d24e82272b4
 	google.golang.org/appengine v1.5.0 // indirect
-	k8s.io/api v0.17.1
-	k8s.io/apimachinery v0.17.1
+	k8s.io/api v0.18.0-alpha.1
+	k8s.io/apimachinery v0.18.0-alpha.1
 	k8s.io/klog v1.0.0
 	k8s.io/utils v0.0.0-20191114184206-e782cd3c129f
 	sigs.k8s.io/yaml v1.1.0
@@ -38,6 +38,6 @@ require (
 replace (
 	golang.org/x/sys => golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a // pinned to release-branch.go1.13
 	golang.org/x/tools => golang.org/x/tools v0.0.0-20190821162956-65e3620a7ae7 // pinned to release-branch.go1.13
-	k8s.io/api => k8s.io/api v0.17.1
-	k8s.io/apimachinery => k8s.io/apimachinery v0.17.1
+	k8s.io/api => k8s.io/api v0.18.0-alpha.1
+	k8s.io/apimachinery => k8s.io/apimachinery v0.18.0-alpha.1
 )

go.sum

@@ -193,8 +193,8 @@ gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.17.1/go.mod h1:zxiAc5y8Ngn4fmhWUtSxuUlkfz1ixT7j9wESokELzOg=
-k8s.io/apimachinery v0.17.1/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
+k8s.io/api v0.18.0-alpha.1/go.mod h1:X82bXHlVEfxpVA9rO5PMaSOdQ+VdlSjT9A2Tl/CWL4A=
+k8s.io/apimachinery v0.18.0-alpha.1/go.mod h1:Ng1IY8TS7sC44KJxT/WUR6qFRfWwahYYYpNXyYRKOCY=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=

listers/apps/v1/deployment_expansion.go

@@ -1,70 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	"fmt"
-
-	apps "k8s.io/api/apps/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
-)
-
-// DeploymentListerExpansion allows custom methods to be added to
-// DeploymentLister.
-type DeploymentListerExpansion interface {
-	GetDeploymentsForReplicaSet(rs *apps.ReplicaSet) ([]*apps.Deployment, error)
-}
-
-// DeploymentNamespaceListerExpansion allows custom methods to be added to
-// DeploymentNamespaceLister.
-type DeploymentNamespaceListerExpansion interface{}
-
-// GetDeploymentsForReplicaSet returns a list of Deployments that potentially
-// match a ReplicaSet. Only the one specified in the ReplicaSet's ControllerRef
-// will actually manage it.
-// Returns an error only if no matching Deployments are found.
-func (s *deploymentLister) GetDeploymentsForReplicaSet(rs *apps.ReplicaSet) ([]*apps.Deployment, error) {
-	if len(rs.Labels) == 0 {
-		return nil, fmt.Errorf("no deployments found for ReplicaSet %v because it has no labels", rs.Name)
-	}
-
-	// TODO: MODIFY THIS METHOD so that it checks for the podTemplateSpecHash label
-	dList, err := s.Deployments(rs.Namespace).List(labels.Everything())
-	if err != nil {
-		return nil, err
-	}
-
-	var deployments []*apps.Deployment
-	for _, d := range dList {
-		selector, err := metav1.LabelSelectorAsSelector(d.Spec.Selector)
-		if err != nil {
-			return nil, fmt.Errorf("invalid label selector: %v", err)
-		}
-		// If a deployment with a nil or empty selector creeps in, it should match nothing, not everything.
-		if selector.Empty() || !selector.Matches(labels.Set(rs.Labels)) {
-			continue
-		}
-		deployments = append(deployments, d)
-	}
-
-	if len(deployments) == 0 {
-		return nil, fmt.Errorf("could not find deployments set for ReplicaSet %s in namespace %s with labels: %v", rs.Name, rs.Namespace, rs.Labels)
-	}
-
-	return deployments, nil
-}

listers/apps/v1/expansion_generated.go

@@ -25,3 +25,11 @@ type ControllerRevisionListerExpansion interface{}
 // ControllerRevisionNamespaceListerExpansion allows custom methods to be added to
 // ControllerRevisionNamespaceLister.
 type ControllerRevisionNamespaceListerExpansion interface{}
+
+// DeploymentListerExpansion allows custom methods to be added to
+// DeploymentLister.
+type DeploymentListerExpansion interface{}
+
+// DeploymentNamespaceListerExpansion allows custom methods to be added to
+// DeploymentNamespaceLister.
+type DeploymentNamespaceListerExpansion interface{}

listers/apps/v1beta2/deployment_expansion.go

@@ -1,70 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1beta2
-
-import (
-	"fmt"
-
-	apps "k8s.io/api/apps/v1beta2"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
-)
-
-// DeploymentListerExpansion allows custom methods to be added to
-// DeploymentLister.
-type DeploymentListerExpansion interface {
-	GetDeploymentsForReplicaSet(rs *apps.ReplicaSet) ([]*apps.Deployment, error)
-}
-
-// DeploymentNamespaceListerExpansion allows custom methods to be added to
-// DeploymentNamespaceLister.
-type DeploymentNamespaceListerExpansion interface{}
-
-// GetDeploymentsForReplicaSet returns a list of Deployments that potentially
-// match a ReplicaSet. Only the one specified in the ReplicaSet's ControllerRef
-// will actually manage it.
-// Returns an error only if no matching Deployments are found.
-func (s *deploymentLister) GetDeploymentsForReplicaSet(rs *apps.ReplicaSet) ([]*apps.Deployment, error) {
-	if len(rs.Labels) == 0 {
-		return nil, fmt.Errorf("no deployments found for ReplicaSet %v because it has no labels", rs.Name)
-	}
-
-	// TODO: MODIFY THIS METHOD so that it checks for the podTemplateSpecHash label
-	dList, err := s.Deployments(rs.Namespace).List(labels.Everything())
-	if err != nil {
-		return nil, err
-	}
-
-	var deployments []*apps.Deployment
-	for _, d := range dList {
-		selector, err := metav1.LabelSelectorAsSelector(d.Spec.Selector)
-		if err != nil {
-			return nil, fmt.Errorf("invalid label selector: %v", err)
-		}
-		// If a deployment with a nil or empty selector creeps in, it should match nothing, not everything.
-		if selector.Empty() || !selector.Matches(labels.Set(rs.Labels)) {
-			continue
-		}
-		deployments = append(deployments, d)
-	}
-
-	if len(deployments) == 0 {
-		return nil, fmt.Errorf("could not find deployments set for ReplicaSet %s in namespace %s with labels: %v", rs.Name, rs.Namespace, rs.Labels)
-	}
-
-	return deployments, nil
-}

listers/apps/v1beta2/expansion_generated.go

@@ -25,3 +25,11 @@ type ControllerRevisionListerExpansion interface{}
 // ControllerRevisionNamespaceListerExpansion allows custom methods to be added to
 // ControllerRevisionNamespaceLister.
 type ControllerRevisionNamespaceListerExpansion interface{}
+
+// DeploymentListerExpansion allows custom methods to be added to
+// DeploymentLister.
+type DeploymentListerExpansion interface{}
+
+// DeploymentNamespaceListerExpansion allows custom methods to be added to
+// DeploymentNamespaceLister.
+type DeploymentNamespaceListerExpansion interface{}

listers/core/v1/expansion_generated.go

@@ -58,6 +58,10 @@ type LimitRangeNamespaceListerExpansion interface{}
 // NamespaceLister.
 type NamespaceListerExpansion interface{}
 
+// NodeListerExpansion allows custom methods to be added to
+// NodeLister.
+type NodeListerExpansion interface{}
+
 // PersistentVolumeListerExpansion allows custom methods to be added to
 // PersistentVolumeLister.
 type PersistentVolumeListerExpansion interface{}
@@ -102,6 +106,14 @@ type SecretListerExpansion interface{}
 // SecretNamespaceLister.
 type SecretNamespaceListerExpansion interface{}
 
+// ServiceListerExpansion allows custom methods to be added to
+// ServiceLister.
+type ServiceListerExpansion interface{}
+
+// ServiceNamespaceListerExpansion allows custom methods to be added to
+// ServiceNamespaceLister.
+type ServiceNamespaceListerExpansion interface{}
+
 // ServiceAccountListerExpansion allows custom methods to be added to
 // ServiceAccountLister.
 type ServiceAccountListerExpansion interface{}

listers/core/v1/node_expansion.go

@@ -1,48 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	"k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/labels"
-)
-
-// NodeConditionPredicate is a function that indicates whether the given node's conditions meet
-// some set of criteria defined by the function.
-type NodeConditionPredicate func(node *v1.Node) bool
-
-// NodeListerExpansion allows custom methods to be added to
-// NodeLister.
-type NodeListerExpansion interface {
-	ListWithPredicate(predicate NodeConditionPredicate) ([]*v1.Node, error)
-}
-
-func (l *nodeLister) ListWithPredicate(predicate NodeConditionPredicate) ([]*v1.Node, error) {
-	nodes, err := l.List(labels.Everything())
-	if err != nil {
-		return nil, err
-	}
-
-	var filtered []*v1.Node
-	for i := range nodes {
-		if predicate(nodes[i]) {
-			filtered = append(filtered, nodes[i])
-		}
-	}
-
-	return filtered, nil
-}

listers/core/v1/service_expansion.go

@@ -1,56 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	"k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/labels"
-)
-
-// ServiceListerExpansion allows custom methods to be added to
-// ServiceLister.
-type ServiceListerExpansion interface {
-	GetPodServices(pod *v1.Pod) ([]*v1.Service, error)
-}
-
-// ServiceNamespaceListerExpansion allows custom methods to be added to
-// ServiceNamespaceLister.
-type ServiceNamespaceListerExpansion interface{}
-
-// TODO: Move this back to scheduler as a helper function that takes a Store,
-// rather than a method of ServiceLister.
-func (s *serviceLister) GetPodServices(pod *v1.Pod) ([]*v1.Service, error) {
-	allServices, err := s.Services(pod.Namespace).List(labels.Everything())
-	if err != nil {
-		return nil, err
-	}
-
-	var services []*v1.Service
-	for i := range allServices {
-		service := allServices[i]
-		if service.Spec.Selector == nil {
-			// services with nil selectors match nothing, not everything.
-			continue
-		}
-		selector := labels.Set(service.Spec.Selector).AsSelectorPreValidated()
-		if selector.Matches(labels.Set(pod.Labels)) {
-			services = append(services, service)
-		}
-	}
-
-	return services, nil
-}

listers/extensions/v1beta1/deployment_expansion.go

@@ -1,70 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1beta1
-
-import (
-	"fmt"
-
-	extensions "k8s.io/api/extensions/v1beta1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
-)
-
-// DeploymentListerExpansion allows custom methods to be added to
-// DeploymentLister.
-type DeploymentListerExpansion interface {
-	GetDeploymentsForReplicaSet(rs *extensions.ReplicaSet) ([]*extensions.Deployment, error)
-}
-
-// DeploymentNamespaceListerExpansion allows custom methods to be added to
-// DeploymentNamespaceLister.
-type DeploymentNamespaceListerExpansion interface{}
-
-// GetDeploymentsForReplicaSet returns a list of Deployments that potentially
-// match a ReplicaSet. Only the one specified in the ReplicaSet's ControllerRef
-// will actually manage it.
-// Returns an error only if no matching Deployments are found.
-func (s *deploymentLister) GetDeploymentsForReplicaSet(rs *extensions.ReplicaSet) ([]*extensions.Deployment, error) {
-	if len(rs.Labels) == 0 {
-		return nil, fmt.Errorf("no deployments found for ReplicaSet %v because it has no labels", rs.Name)
-	}
-
-	// TODO: MODIFY THIS METHOD so that it checks for the podTemplateSpecHash label
-	dList, err := s.Deployments(rs.Namespace).List(labels.Everything())
-	if err != nil {
-		return nil, err
-	}
-
-	var deployments []*extensions.Deployment
-	for _, d := range dList {
-		selector, err := metav1.LabelSelectorAsSelector(d.Spec.Selector)
-		if err != nil {
-			return nil, fmt.Errorf("invalid label selector: %v", err)
-		}
-		// If a deployment with a nil or empty selector creeps in, it should match nothing, not everything.
-		if selector.Empty() || !selector.Matches(labels.Set(rs.Labels)) {
-			continue
-		}
-		deployments = append(deployments, d)
-	}
-
-	if len(deployments) == 0 {
-		return nil, fmt.Errorf("could not find deployments set for ReplicaSet %s in namespace %s with labels: %v", rs.Name, rs.Namespace, rs.Labels)
-	}
-
-	return deployments, nil
-}

listers/extensions/v1beta1/expansion_generated.go

@@ -18,6 +18,14 @@ limitations under the License.
 
 package v1beta1
 
+// DeploymentListerExpansion allows custom methods to be added to
+// DeploymentLister.
+type DeploymentListerExpansion interface{}
+
+// DeploymentNamespaceListerExpansion allows custom methods to be added to
+// DeploymentNamespaceLister.
+type DeploymentNamespaceListerExpansion interface{}
+
 // IngressListerExpansion allows custom methods to be added to
 // IngressLister.
 type IngressListerExpansion interface{}

plugin/pkg/client/auth/azure/azure.go

@@ -287,7 +287,7 @@ func (ts *azureTokenSource) refreshToken(token *azureToken) (*azureToken, error)
 		return nil, err
 	}
 
-	oauthConfig, err := adal.NewOAuthConfigWithAPIVersion(env.ActiveDirectoryEndpoint, token.tenantID, nil)
+	oauthConfig, err := adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, token.tenantID)
 	if err != nil {
 		return nil, fmt.Errorf("building the OAuth configuration for token refresh: %v", err)
 	}
@@ -344,7 +344,7 @@ func newAzureTokenSourceDeviceCode(environment azure.Environment, clientID strin
 }
 
 func (ts *azureTokenSourceDeviceCode) Token() (*azureToken, error) {
-	oauthConfig, err := adal.NewOAuthConfigWithAPIVersion(ts.environment.ActiveDirectoryEndpoint, ts.tenantID, nil)
+	oauthConfig, err := adal.NewOAuthConfig(ts.environment.ActiveDirectoryEndpoint, ts.tenantID)
 	if err != nil {
 		return nil, fmt.Errorf("building the OAuth configuration for device code authentication: %v", err)
 	}

plugin/pkg/client/auth/exec/exec.go

@@ -20,6 +20,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"io"
@@ -42,6 +43,7 @@ import (
 	"k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
 	"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	"k8s.io/client-go/tools/clientcmd/api"
+	"k8s.io/client-go/tools/metrics"
 	"k8s.io/client-go/transport"
 	"k8s.io/client-go/util/connrotation"
 	"k8s.io/klog"
@@ -260,6 +262,7 @@ func (a *Authenticator) cert() (*tls.Certificate, error) {
 func (a *Authenticator) getCreds() (*credentials, error) {
 	a.mu.Lock()
 	defer a.mu.Unlock()
+
 	if a.cachedCreds != nil && !a.credsExpired() {
 		return a.cachedCreds, nil
 	}
@@ -267,6 +270,7 @@ func (a *Authenticator) getCreds() (*credentials, error) {
 	if err := a.refreshCredsLocked(nil); err != nil {
 		return nil, err
 	}
+
 	return a.cachedCreds, nil
 }
 
@@ -355,6 +359,17 @@ func (a *Authenticator) refreshCredsLocked(r *clientauthentication.Response) err
 		if err != nil {
 			return fmt.Errorf("failed parsing client key/certificate: %v", err)
 		}
+
+		// Leaf is initialized to be nil:
+		//  https://golang.org/pkg/crypto/tls/#X509KeyPair
+		// Leaf certificate is the first certificate:
+		//  https://golang.org/pkg/crypto/tls/#Certificate
+		// Populating leaf is useful for quickly accessing the underlying x509
+		// certificate values.
+		cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
+		if err != nil {
+			return fmt.Errorf("failed parsing client leaf certificate: %v", err)
+		}
 		newCreds.cert = &cert
 	}
 
@@ -362,10 +377,20 @@ func (a *Authenticator) refreshCredsLocked(r *clientauthentication.Response) err
 	a.cachedCreds = newCreds
 	// Only close all connections when TLS cert rotates. Token rotation doesn't
 	// need the extra noise.
-	if len(a.onRotateList) > 0 && oldCreds != nil && !reflect.DeepEqual(oldCreds.cert, a.cachedCreds.cert) {
+	if oldCreds != nil && !reflect.DeepEqual(oldCreds.cert, a.cachedCreds.cert) {
+		// Can be nil if the exec auth plugin only returned token auth.
+		if oldCreds.cert != nil && oldCreds.cert.Leaf != nil {
+			metrics.ClientCertRotationAge.Observe(time.Now().Sub(oldCreds.cert.Leaf.NotBefore))
+		}
 		for _, onRotate := range a.onRotateList {
 			onRotate()
 		}
 	}
+
+	expiry := time.Time{}
+	if a.cachedCreds.cert != nil && a.cachedCreds.cert.Leaf != nil {
+		expiry = a.cachedCreds.cert.Leaf.NotAfter
+	}
+	expirationMetrics.set(a, expiry)
 	return nil
 }

plugin/pkg/client/auth/exec/exec_test.go

@@ -97,6 +97,10 @@ func init() {
 	if err != nil {
 		panic(err)
 	}
+	cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
+	if err != nil {
+		panic(err)
+	}
 	validCert = &cert
 }
 
@@ -760,7 +764,7 @@ func TestConcurrentUpdateTransportConfig(t *testing.T) {
 }
 
 // genClientCert generates an x509 certificate for testing. Certificate and key
-// are returned in PEM encoding.
+// are returned in PEM encoding. The generated cert expires in 24 hours.
 func genClientCert(t *testing.T) ([]byte, []byte) {
 	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {

plugin/pkg/client/auth/exec/metrics.go

@@ -0,0 +1,60 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package exec
+
+import (
+	"sync"
+	"time"
+
+	"k8s.io/client-go/tools/metrics"
+)
+
+type certificateExpirationTracker struct {
+	mu        sync.RWMutex
+	m         map[*Authenticator]time.Time
+	metricSet func(*time.Time)
+}
+
+var expirationMetrics = &certificateExpirationTracker{
+	m: map[*Authenticator]time.Time{},
+	metricSet: func(e *time.Time) {
+		metrics.ClientCertExpiry.Set(e)
+	},
+}
+
+// set stores the given expiration time and updates the updates the certificate
+// expiry metric to the earliest expiration time.
+func (c *certificateExpirationTracker) set(a *Authenticator, t time.Time) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.m[a] = t
+
+	earliest := time.Time{}
+	for _, t := range c.m {
+		if t.IsZero() {
+			continue
+		}
+		if earliest.IsZero() || earliest.After(t) {
+			earliest = t
+		}
+	}
+	if earliest.IsZero() {
+		c.metricSet(nil)
+	} else {
+		c.metricSet(&earliest)
+	}
+}

plugin/pkg/client/auth/exec/metrics_test.go

@@ -0,0 +1,96 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package exec
+
+import (
+	"testing"
+	"time"
+)
+
+type mockExpiryGauge struct {
+	v *time.Time
+}
+
+func (m *mockExpiryGauge) Set(t *time.Time) {
+	m.v = t
+}
+
+func ptr(t time.Time) *time.Time {
+	return &t
+}
+
+func TestCertificateExpirationTracker(t *testing.T) {
+	now := time.Now()
+	mockMetric := &mockExpiryGauge{}
+
+	tracker := &certificateExpirationTracker{
+		m:         map[*Authenticator]time.Time{},
+		metricSet: mockMetric.Set,
+	}
+
+	firstAuthenticator := &Authenticator{}
+	secondAuthenticator := &Authenticator{}
+	for _, tc := range []struct {
+		desc string
+		auth *Authenticator
+		time time.Time
+		want *time.Time
+	}{
+		{
+			desc: "ttl for one authenticator",
+			auth: firstAuthenticator,
+			time: now.Add(time.Minute * 10),
+			want: ptr(now.Add(time.Minute * 10)),
+		},
+		{
+			desc: "second authenticator shorter ttl",
+			auth: secondAuthenticator,
+			time: now.Add(time.Minute * 5),
+			want: ptr(now.Add(time.Minute * 5)),
+		},
+		{
+			desc: "update shorter to be longer",
+			auth: secondAuthenticator,
+			time: now.Add(time.Minute * 15),
+			want: ptr(now.Add(time.Minute * 10)),
+		},
+		{
+			desc: "update shorter to be zero time",
+			auth: firstAuthenticator,
+			time: time.Time{},
+			want: ptr(now.Add(time.Minute * 15)),
+		},
+		{
+			desc: "update last to be zero time records nil",
+			auth: secondAuthenticator,
+			time: time.Time{},
+			want: nil,
+		},
+	} {
+		// Must run in series as the tests build off each other.
+		t.Run(tc.desc, func(t *testing.T) {
+			tracker.set(tc.auth, tc.time)
+			if mockMetric.v != nil && tc.want != nil {
+				if !mockMetric.v.Equal(*tc.want) {
+					t.Errorf("got: %s; want: %s", mockMetric.v, tc.want)
+				}
+			} else if mockMetric.v != tc.want {
+				t.Errorf("got: %s; want: %s", mockMetric.v, tc.want)
+			}
+		})
+	}
+}

plugin/pkg/client/auth/oidc/oidc.go

@@ -76,24 +76,25 @@ func newClientCache() *clientCache {
 }
 
 type cacheKey struct {
+	clusterAddress string
 	// Canonical issuer URL string of the provider.
 	issuerURL string
 	clientID  string
 }
 
-func (c *clientCache) getClient(issuer, clientID string) (*oidcAuthProvider, bool) {
+func (c *clientCache) getClient(clusterAddress, issuer, clientID string) (*oidcAuthProvider, bool) {
 	c.mu.RLock()
 	defer c.mu.RUnlock()
-	client, ok := c.cache[cacheKey{issuer, clientID}]
+	client, ok := c.cache[cacheKey{clusterAddress: clusterAddress, issuerURL: issuer, clientID: clientID}]
 	return client, ok
 }
 
 // setClient attempts to put the client in the cache but may return any clients
 // with the same keys set before. This is so there's only ever one client for a provider.
-func (c *clientCache) setClient(issuer, clientID string, client *oidcAuthProvider) *oidcAuthProvider {
+func (c *clientCache) setClient(clusterAddress, issuer, clientID string, client *oidcAuthProvider) *oidcAuthProvider {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	key := cacheKey{issuer, clientID}
+	key := cacheKey{clusterAddress: clusterAddress, issuerURL: issuer, clientID: clientID}
 
 	// If another client has already initialized a client for the given provider we want
 	// to use that client instead of the one we're trying to set. This is so all transports
@@ -107,7 +108,7 @@ func (c *clientCache) setClient(issuer, clientID string, client *oidcAuthProvide
 	return client
 }
 
-func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
+func newOIDCAuthProvider(clusterAddress string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
 	issuer := cfg[cfgIssuerUrl]
 	if issuer == "" {
 		return nil, fmt.Errorf("Must provide %s", cfgIssuerUrl)
@@ -119,7 +120,7 @@ func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.A
 	}
 
 	// Check cache for existing provider.
-	if provider, ok := cache.getClient(issuer, clientID); ok {
+	if provider, ok := cache.getClient(clusterAddress, issuer, clientID); ok {
 		return provider, nil
 	}
 
@@ -157,7 +158,7 @@ func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.A
 		persister: persister,
 	}
 
-	return cache.setClient(issuer, clientID, provider), nil
+	return cache.setClient(clusterAddress, issuer, clientID, provider), nil
 }
 
 type oidcAuthProvider struct {

plugin/pkg/client/auth/oidc/oidc_test.go

@@ -119,20 +119,40 @@ func TestExpired(t *testing.T) {
 func TestClientCache(t *testing.T) {
 	cache := newClientCache()
 
-	if _, ok := cache.getClient("issuer1", "id1"); ok {
+	if _, ok := cache.getClient("cluster1", "issuer1", "id1"); ok {
 		t.Fatalf("got client before putting one in the cache")
 	}
+	assertCacheLen(t, cache, 0)
 
 	cli1 := new(oidcAuthProvider)
 	cli2 := new(oidcAuthProvider)
+	cli3 := new(oidcAuthProvider)
 
-	gotcli := cache.setClient("issuer1", "id1", cli1)
+	gotcli := cache.setClient("cluster1", "issuer1", "id1", cli1)
 	if cli1 != gotcli {
 		t.Fatalf("set first client and got a different one")
 	}
+	assertCacheLen(t, cache, 1)
 
-	gotcli = cache.setClient("issuer1", "id1", cli2)
+	gotcli = cache.setClient("cluster1", "issuer1", "id1", cli2)
 	if cli1 != gotcli {
 		t.Fatalf("set a second client and didn't get the first")
 	}
+	assertCacheLen(t, cache, 1)
+
+	gotcli = cache.setClient("cluster2", "issuer1", "id1", cli3)
+	if cli1 == gotcli {
+		t.Fatalf("set a third client and got the first")
+	}
+	if cli3 != gotcli {
+		t.Fatalf("set third client and got a different one")
+	}
+	assertCacheLen(t, cache, 2)
+}
+
+func assertCacheLen(t *testing.T, cache *clientCache, length int) {
+	t.Helper()
+	if len(cache.cache) != length {
+		t.Errorf("expected cache length %d got %d", length, len(cache.cache))
+	}
 }

rest/request.go

@@ -562,7 +562,7 @@ func (r *Request) tryThrottle() error {
 	}
 
 	if latency := time.Since(now); latency > longThrottleLatency {
-		klog.V(4).Infof("Throttling request took %v, request: %s:%s", latency, r.verb, r.URL().String())
+		klog.V(3).Infof("Throttling request took %v, request: %s:%s", latency, r.verb, r.URL().String())
 	}
 
 	return err
@@ -806,19 +806,24 @@ func (r *Request) request(fn func(*http.Request, *http.Response)) error {
 			r.backoff.UpdateBackoff(r.URL(), err, resp.StatusCode)
 		}
 		if err != nil {
-			// "Connection reset by peer" is usually a transient error.
+			// "Connection reset by peer", "Connection refused" or "apiserver is shutting down" are usually a transient errors.
 			// Thus in case of "GET" operations, we simply retry it.
 			// We are not automatically retrying "write" operations, as
 			// they are not idempotent.
-			if !net.IsConnectionReset(err) || r.verb != "GET" {
+			if r.verb != "GET" {
 				return err
 			}
-			// For the purpose of retry, we set the artificial "retry-after" response.
-			// TODO: Should we clean the original response if it exists?
-			resp = &http.Response{
-				StatusCode: http.StatusInternalServerError,
-				Header:     http.Header{"Retry-After": []string{"1"}},
-				Body:       ioutil.NopCloser(bytes.NewReader([]byte{})),
+			// For connection errors and apiserver shutdown errors retry.
+			if net.IsConnectionReset(err) || net.IsConnectionRefused(err) {
+				// For the purpose of retry, we set the artificial "retry-after" response.
+				// TODO: Should we clean the original response if it exists?
+				resp = &http.Response{
+					StatusCode: http.StatusInternalServerError,
+					Header:     http.Header{"Retry-After": []string{"1"}},
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte{})),
+				}
+			} else {
+				return err
 			}
 		}
 

tools/cache/reflector.go

@@ -74,6 +74,9 @@ type Reflector struct {
 	// observed when doing a sync with the underlying store
 	// it is thread safe, but not synchronized with the underlying store
 	lastSyncResourceVersion string
+	// isLastSyncResourceVersionGone is true if the previous list or watch request with lastSyncResourceVersion
+	// failed with an HTTP 410 (Gone) status code.
+	isLastSyncResourceVersionGone bool
 	// lastSyncResourceVersionMutex guards read/write access to lastSyncResourceVersion
 	lastSyncResourceVersionMutex sync.RWMutex
 	// WatchListPageSize is the requested chunk size of initial and resync watch lists.
@@ -185,10 +188,7 @@ func (r *Reflector) ListAndWatch(stopCh <-chan struct{}) error {
 	klog.V(3).Infof("Listing and watching %v from %s", r.expectedTypeName, r.name)
 	var resourceVersion string
 
-	// Explicitly set "0" as resource version - it's fine for the List()
-	// to be served from cache and potentially be delayed relative to
-	// etcd contents. Reflector framework will catch up via Watch() eventually.
-	options := metav1.ListOptions{ResourceVersion: "0"}
+	options := metav1.ListOptions{ResourceVersion: r.relistResourceVersion()}
 
 	if err := func() error {
 		initTrace := trace.New("Reflector ListAndWatch", trace.Field{"name", r.name})
@@ -211,8 +211,17 @@ func (r *Reflector) ListAndWatch(stopCh <-chan struct{}) error {
 			if r.WatchListPageSize != 0 {
 				pager.PageSize = r.WatchListPageSize
 			}
-			// Pager falls back to full list if paginated list calls fail due to an "Expired" error.
+
 			list, err = pager.List(context.Background(), options)
+			if isExpiredError(err) {
+				r.setIsLastSyncResourceVersionExpired(true)
+				// Retry immediately if the resource version used to list is expired.
+				// The pager already falls back to full list if paginated list calls fail due to an "Expired" error on
+				// continuation pages, but the pager might not be enabled, or the full list might fail because the
+				// resource version it is listing at is expired, so we need to fallback to resourceVersion="" in all
+				// to recover and ensure the reflector makes forward progress.
+				list, err = pager.List(context.Background(), metav1.ListOptions{ResourceVersion: r.relistResourceVersion()})
+			}
 			close(listCh)
 		}()
 		select {
@@ -225,6 +234,7 @@ func (r *Reflector) ListAndWatch(stopCh <-chan struct{}) error {
 		if err != nil {
 			return fmt.Errorf("%s: Failed to list %v: %v", r.name, r.expectedTypeName, err)
 		}
+		r.setIsLastSyncResourceVersionExpired(false) // list was successful
 		initTrace.Step("Objects listed")
 		listMetaInterface, err := meta.ListAccessor(list)
 		if err != nil {
@@ -298,10 +308,13 @@ func (r *Reflector) ListAndWatch(stopCh <-chan struct{}) error {
 
 		w, err := r.listerWatcher.Watch(options)
 		if err != nil {
-			switch err {
-			case io.EOF:
+			switch {
+			case isExpiredError(err):
+				r.setIsLastSyncResourceVersionExpired(true)
+				klog.V(4).Infof("%s: watch of %v closed with: %v", r.name, r.expectedTypeName, err)
+			case err == io.EOF:
 				// watch closed normally
-			case io.ErrUnexpectedEOF:
+			case err == io.ErrUnexpectedEOF:
 				klog.V(1).Infof("%s: Watch for %v closed with unexpected EOF: %v", r.name, r.expectedTypeName, err)
 			default:
 				utilruntime.HandleError(fmt.Errorf("%s: Failed to watch %v: %v", r.name, r.expectedTypeName, err))
@@ -320,7 +333,8 @@ func (r *Reflector) ListAndWatch(stopCh <-chan struct{}) error {
 		if err := r.watchHandler(w, &resourceVersion, resyncerrc, stopCh); err != nil {
 			if err != errorStopRequested {
 				switch {
-				case apierrs.IsResourceExpired(err):
+				case isExpiredError(err):
+					r.setIsLastSyncResourceVersionExpired(true)
 					klog.V(4).Infof("%s: watch of %v ended with: %v", r.name, r.expectedTypeName, err)
 				default:
 					klog.Warningf("%s: watch of %v ended with: %v", r.name, r.expectedTypeName, err)
@@ -432,3 +446,42 @@ func (r *Reflector) setLastSyncResourceVersion(v string) {
 	defer r.lastSyncResourceVersionMutex.Unlock()
 	r.lastSyncResourceVersion = v
 }
+
+// relistResourceVersion determines the resource version the reflector should list or relist from.
+// Returns either the lastSyncResourceVersion so that this reflector will relist with a resource
+// versions no older than has already been observed in relist results or watch events, or, if the last relist resulted
+// in an HTTP 410 (Gone) status code, returns "" so that the relist will use the latest resource version available in
+// etcd via a quorum read.
+func (r *Reflector) relistResourceVersion() string {
+	r.lastSyncResourceVersionMutex.RLock()
+	defer r.lastSyncResourceVersionMutex.RUnlock()
+
+	if r.isLastSyncResourceVersionGone {
+		// Since this reflector makes paginated list requests, and all paginated list requests skip the watch cache
+		// if the lastSyncResourceVersion is expired, we set ResourceVersion="" and list again to re-establish reflector
+		// to the latest available ResourceVersion, using a consistent read from etcd.
+		return ""
+	}
+	if r.lastSyncResourceVersion == "" {
+		// For performance reasons, initial list performed by reflector uses "0" as resource version to allow it to
+		// be served from the watch cache if it is enabled.
+		return "0"
+	}
+	return r.lastSyncResourceVersion
+}
+
+// setIsLastSyncResourceVersionExpired sets if the last list or watch request with lastSyncResourceVersion returned a
+// expired error: HTTP 410 (Gone) Status Code.
+func (r *Reflector) setIsLastSyncResourceVersionExpired(isExpired bool) {
+	r.lastSyncResourceVersionMutex.Lock()
+	defer r.lastSyncResourceVersionMutex.Unlock()
+	r.isLastSyncResourceVersionGone = isExpired
+}
+
+func isExpiredError(err error) bool {
+	// In Kubernetes 1.17 and earlier, the api server returns both apierrs.StatusReasonExpired and
+	// apierrs.StatusReasonGone for HTTP 410 (Gone) status code responses. In 1.18 the kube server is more consistent
+	// and always returns apierrs.StatusReasonExpired. For backward compatibility we can only remove the apierrs.IsGone
+	// check when we fully drop support for Kubernetes 1.17 servers from reflectors.
+	return apierrs.IsResourceExpired(err) || apierrs.IsGone(err)
+}

tools/cache/reflector_test.go

@@ -26,6 +26,7 @@ import (
 	"time"
 
 	"k8s.io/api/core/v1"
+	apierrs "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -434,6 +435,197 @@ func TestReflectorWatchListPageSize(t *testing.T) {
 	}
 }
 
+// TestReflectorResyncWithResourceVersion ensures that a reflector keeps track of the ResourceVersion and sends
+// it in relist requests to prevent the reflector from traveling back in time if the relist is to a api-server or
+// etcd that is partitioned and serving older data than the reflector has already processed.
+func TestReflectorResyncWithResourceVersion(t *testing.T) {
+	stopCh := make(chan struct{})
+	s := NewStore(MetaNamespaceKeyFunc)
+	listCallRVs := []string{}
+
+	lw := &testLW{
+		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
+			// Stop once the reflector begins watching since we're only interested in the list.
+			close(stopCh)
+			fw := watch.NewFake()
+			return fw, nil
+		},
+		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
+			listCallRVs = append(listCallRVs, options.ResourceVersion)
+			pods := make([]v1.Pod, 8)
+			for i := 0; i < 8; i++ {
+				pods[i] = v1.Pod{ObjectMeta: metav1.ObjectMeta{Name: fmt.Sprintf("pod-%d", i), ResourceVersion: fmt.Sprintf("%d", i)}}
+			}
+			switch options.ResourceVersion {
+			case "0":
+				return &v1.PodList{ListMeta: metav1.ListMeta{ResourceVersion: "10"}, Items: pods[0:4]}, nil
+			case "10":
+				return &v1.PodList{ListMeta: metav1.ListMeta{ResourceVersion: "11"}, Items: pods[0:8]}, nil
+			default:
+				t.Fatalf("Unrecognized ResourceVersion: %s", options.ResourceVersion)
+			}
+			return nil, nil
+		},
+	}
+	r := NewReflector(lw, &v1.Pod{}, s, 0)
+
+	// Initial list should use RV=0
+	r.ListAndWatch(stopCh)
+
+	results := s.List()
+	if len(results) != 4 {
+		t.Errorf("Expected 4 results, got %d", len(results))
+	}
+
+	// relist should use lastSyncResourceVersions (RV=10)
+	stopCh = make(chan struct{})
+	r.ListAndWatch(stopCh)
+
+	results = s.List()
+	if len(results) != 8 {
+		t.Errorf("Expected 8 results, got %d", len(results))
+	}
+
+	expectedRVs := []string{"0", "10"}
+	if !reflect.DeepEqual(listCallRVs, expectedRVs) {
+		t.Errorf("Expected series of list calls with resource versiosn of %v but got: %v", expectedRVs, listCallRVs)
+	}
+}
+
+// TestReflectorExpiredExactResourceVersion tests that a reflector handles the behavior of kubernetes 1.16 an earlier
+// where if the exact ResourceVersion requested is not available for a List request for a non-zero ResourceVersion,
+// an "Expired" error is returned if the ResourceVersion has expired (etcd has compacted it).
+// (In kubernetes 1.17, or when the watch cache is enabled, the List will instead return the list that is no older than
+// the requested ResourceVersion).
+func TestReflectorExpiredExactResourceVersion(t *testing.T) {
+	stopCh := make(chan struct{})
+	s := NewStore(MetaNamespaceKeyFunc)
+	listCallRVs := []string{}
+
+	lw := &testLW{
+		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
+			// Stop once the reflector begins watching since we're only interested in the list.
+			close(stopCh)
+			fw := watch.NewFake()
+			return fw, nil
+		},
+		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
+			listCallRVs = append(listCallRVs, options.ResourceVersion)
+			pods := make([]v1.Pod, 8)
+			for i := 0; i < 8; i++ {
+				pods[i] = v1.Pod{ObjectMeta: metav1.ObjectMeta{Name: fmt.Sprintf("pod-%d", i), ResourceVersion: fmt.Sprintf("%d", i)}}
+			}
+			switch options.ResourceVersion {
+			case "0":
+				return &v1.PodList{ListMeta: metav1.ListMeta{ResourceVersion: "10"}, Items: pods[0:4]}, nil
+			case "10":
+				// When watch cache is disabled, if the exact ResourceVersion requested is not available, a "Expired" error is returned.
+				return nil, apierrs.NewResourceExpired("The resourceVersion for the provided watch is too old.")
+			case "":
+				return &v1.PodList{ListMeta: metav1.ListMeta{ResourceVersion: "11"}, Items: pods[0:8]}, nil
+			default:
+				t.Fatalf("Unrecognized ResourceVersion: %s", options.ResourceVersion)
+			}
+			return nil, nil
+		},
+	}
+	r := NewReflector(lw, &v1.Pod{}, s, 0)
+
+	// Initial list should use RV=0
+	r.ListAndWatch(stopCh)
+
+	results := s.List()
+	if len(results) != 4 {
+		t.Errorf("Expected 4 results, got %d", len(results))
+	}
+
+	// relist should use lastSyncResourceVersions (RV=10) and since RV=10 is expired, it should retry with RV="".
+	stopCh = make(chan struct{})
+	r.ListAndWatch(stopCh)
+
+	results = s.List()
+	if len(results) != 8 {
+		t.Errorf("Expected 8 results, got %d", len(results))
+	}
+
+	expectedRVs := []string{"0", "10", ""}
+	if !reflect.DeepEqual(listCallRVs, expectedRVs) {
+		t.Errorf("Expected series of list calls with resource versiosn of %v but got: %v", expectedRVs, listCallRVs)
+	}
+}
+
+func TestReflectorFullListIfExpired(t *testing.T) {
+	stopCh := make(chan struct{})
+	s := NewStore(MetaNamespaceKeyFunc)
+	listCallRVs := []string{}
+
+	lw := &testLW{
+		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
+			// Stop once the reflector begins watching since we're only interested in the list.
+			close(stopCh)
+			fw := watch.NewFake()
+			return fw, nil
+		},
+		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
+			listCallRVs = append(listCallRVs, options.ResourceVersion)
+			pods := make([]v1.Pod, 8)
+			for i := 0; i < 8; i++ {
+				pods[i] = v1.Pod{ObjectMeta: metav1.ObjectMeta{Name: fmt.Sprintf("pod-%d", i), ResourceVersion: fmt.Sprintf("%d", i)}}
+			}
+			rvContinueLimit := func(rv, c string, l int64) metav1.ListOptions {
+				return metav1.ListOptions{ResourceVersion: rv, Continue: c, Limit: l}
+			}
+			switch rvContinueLimit(options.ResourceVersion, options.Continue, options.Limit) {
+			// initial limited list
+			case rvContinueLimit("0", "", 4):
+				return &v1.PodList{ListMeta: metav1.ListMeta{ResourceVersion: "10"}, Items: pods[0:4]}, nil
+			// first page of the rv=10 list
+			case rvContinueLimit("10", "", 4):
+				return &v1.PodList{ListMeta: metav1.ListMeta{Continue: "C1", ResourceVersion: "11"}, Items: pods[0:4]}, nil
+			// second page of the above list
+			case rvContinueLimit("", "C1", 4):
+				return nil, apierrs.NewResourceExpired("The resourceVersion for the provided watch is too old.")
+			// rv=10 unlimited list
+			case rvContinueLimit("10", "", 0):
+				return &v1.PodList{ListMeta: metav1.ListMeta{ResourceVersion: "11"}, Items: pods[0:8]}, nil
+			default:
+				err := fmt.Errorf("unexpected list options: %#v", options)
+				t.Error(err)
+				return nil, err
+			}
+			return nil, nil
+		},
+	}
+	r := NewReflector(lw, &v1.Pod{}, s, 0)
+	r.WatchListPageSize = 4
+
+	// Initial list should use RV=0
+	if err := r.ListAndWatch(stopCh); err != nil {
+		t.Fatal(err)
+	}
+
+	results := s.List()
+	if len(results) != 4 {
+		t.Errorf("Expected 4 results, got %d", len(results))
+	}
+
+	// relist should use lastSyncResourceVersions (RV=10) and since second page of that expired, it should full list with RV=10
+	stopCh = make(chan struct{})
+	if err := r.ListAndWatch(stopCh); err != nil {
+		t.Fatal(err)
+	}
+
+	results = s.List()
+	if len(results) != 8 {
+		t.Errorf("Expected 8 results, got %d", len(results))
+	}
+
+	expectedRVs := []string{"0", "10", "", "10"}
+	if !reflect.DeepEqual(listCallRVs, expectedRVs) {
+		t.Errorf("Expected series of list calls with resource versiosn of %#v but got: %#v", expectedRVs, listCallRVs)
+	}
+}
+
 func TestReflectorSetExpectedType(t *testing.T) {
 	obj := &unstructured.Unstructured{}
 	gvk := schema.GroupVersionKind{

tools/clientcmd/api/v1/conversion.go

@@ -31,9 +31,6 @@ func Convert_Slice_v1_NamedCluster_To_Map_string_To_Pointer_api_Cluster(in *[]Na
 		if err := Convert_v1_Cluster_To_api_Cluster(&curr.Cluster, newCluster, s); err != nil {
 			return err
 		}
-		if *out == nil {
-			*out = make(map[string]*api.Cluster)
-		}
 		if (*out)[curr.Name] == nil {
 			(*out)[curr.Name] = newCluster
 		} else {
@@ -68,9 +65,6 @@ func Convert_Slice_v1_NamedAuthInfo_To_Map_string_To_Pointer_api_AuthInfo(in *[]
 		if err := Convert_v1_AuthInfo_To_api_AuthInfo(&curr.AuthInfo, newAuthInfo, s); err != nil {
 			return err
 		}
-		if *out == nil {
-			*out = make(map[string]*api.AuthInfo)
-		}
 		if (*out)[curr.Name] == nil {
 			(*out)[curr.Name] = newAuthInfo
 		} else {
@@ -105,9 +99,6 @@ func Convert_Slice_v1_NamedContext_To_Map_string_To_Pointer_api_Context(in *[]Na
 		if err := Convert_v1_Context_To_api_Context(&curr.Context, newContext, s); err != nil {
 			return err
 		}
-		if *out == nil {
-			*out = make(map[string]*api.Context)
-		}
 		if (*out)[curr.Name] == nil {
 			(*out)[curr.Name] = newContext
 		} else {
@@ -142,9 +133,6 @@ func Convert_Slice_v1_NamedExtension_To_Map_string_To_runtime_Object(in *[]Named
 		if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&curr.Extension, &newExtension, s); err != nil {
 			return err
 		}
-		if *out == nil {
-			*out = make(map[string]runtime.Object)
-		}
 		if (*out)[curr.Name] == nil {
 			(*out)[curr.Name] = newExtension
 		} else {

tools/clientcmd/loader_test.go

@@ -17,6 +17,7 @@ limitations under the License.
 package clientcmd
 
 import (
+	"bytes"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -29,6 +30,7 @@ import (
 	"sigs.k8s.io/yaml"
 
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/diff"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	clientcmdlatest "k8s.io/client-go/tools/clientcmd/api/latest"
 )
@@ -78,32 +80,6 @@ var (
 	}
 )
 
-func TestNilOutMap(t *testing.T) {
-	var fakeKubeconfigData = `apiVersion: v1
-kind: Config
-clusters:
-- cluster:
-    certificate-authority-data: UEhPTlkK
-    server: https://1.1.1.1
-  name: production
-contexts:
-- context:
-    cluster: production
-    user: production
-  name: production
-current-context: production
-users:
-- name: production
-  user:
-    auth-provider:
-      name: gcp`
-
-	_, _, err := clientcmdlatest.Codec.Decode([]byte(fakeKubeconfigData), nil, nil)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-}
-
 func TestNonExistentCommandLineFile(t *testing.T) {
 	loadingRules := ClientConfigLoadingRules{
 		ExplicitPath: "bogus_file",
@@ -201,6 +177,56 @@ func TestConflictingCurrentContext(t *testing.T) {
 	}
 }
 
+func TestEncodeYAML(t *testing.T) {
+	config := clientcmdapi.Config{
+		CurrentContext: "any-context-value",
+		Contexts: map[string]*clientcmdapi.Context{
+			"433e40": {
+				Cluster: "433e40",
+			},
+		},
+		Clusters: map[string]*clientcmdapi.Cluster{
+			"0": {
+				Server: "https://localhost:1234",
+			},
+			"1": {
+				Server: "https://localhost:1234",
+			},
+			"433e40": {
+				Server: "https://localhost:1234",
+			},
+		},
+	}
+	data, err := Write(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expected := []byte(`apiVersion: v1
+clusters:
+- cluster:
+    server: https://localhost:1234
+  name: "0"
+- cluster:
+    server: https://localhost:1234
+  name: "1"
+- cluster:
+    server: https://localhost:1234
+  name: "433e40"
+contexts:
+- context:
+    cluster: "433e40"
+    user: ""
+  name: "433e40"
+current-context: any-context-value
+kind: Config
+preferences: {}
+users: null
+`)
+	if !bytes.Equal(expected, data) {
+		t.Error(diff.ObjectReflectDiff(string(expected), string(data)))
+	}
+}
+
 func TestLoadingEmptyMaps(t *testing.T) {
 	configFile, _ := ioutil.TempFile("", "")
 	defer os.Remove(configFile.Name())

tools/metrics/metrics.go

@@ -26,6 +26,16 @@ import (
 
 var registerMetrics sync.Once
 
+// DurationMetric is a measurement of some amount of time.
+type DurationMetric interface {
+	Observe(duration time.Duration)
+}
+
+// ExpiryMetric sets some time of expiry. If nil, assume not relevant.
+type ExpiryMetric interface {
+	Set(expiry *time.Time)
+}
+
 // LatencyMetric observes client latency partitioned by verb and url.
 type LatencyMetric interface {
 	Observe(verb string, u url.URL, latency time.Duration)
@@ -37,21 +47,51 @@ type ResultMetric interface {
 }
 
 var (
+	// ClientCertExpiry is the expiry time of a client certificate
+	ClientCertExpiry ExpiryMetric = noopExpiry{}
+	// ClientCertRotationAge is the age of a certificate that has just been rotated.
+	ClientCertRotationAge DurationMetric = noopDuration{}
 	// RequestLatency is the latency metric that rest clients will update.
 	RequestLatency LatencyMetric = noopLatency{}
 	// RequestResult is the result metric that rest clients will update.
 	RequestResult ResultMetric = noopResult{}
 )
 
+// RegisterOpts contains all the metrics to register. Metrics may be nil.
+type RegisterOpts struct {
+	ClientCertExpiry      ExpiryMetric
+	ClientCertRotationAge DurationMetric
+	RequestLatency        LatencyMetric
+	RequestResult         ResultMetric
+}
+
 // Register registers metrics for the rest client to use. This can
 // only be called once.
-func Register(lm LatencyMetric, rm ResultMetric) {
+func Register(opts RegisterOpts) {
 	registerMetrics.Do(func() {
-		RequestLatency = lm
-		RequestResult = rm
+		if opts.ClientCertExpiry != nil {
+			ClientCertExpiry = opts.ClientCertExpiry
+		}
+		if opts.ClientCertRotationAge != nil {
+			ClientCertRotationAge = opts.ClientCertRotationAge
+		}
+		if opts.RequestLatency != nil {
+			RequestLatency = opts.RequestLatency
+		}
+		if opts.RequestResult != nil {
+			RequestResult = opts.RequestResult
+		}
 	})
 }
 
+type noopDuration struct{}
+
+func (noopDuration) Observe(time.Duration) {}
+
+type noopExpiry struct{}
+
+func (noopExpiry) Set(*time.Time) {}
+
 type noopLatency struct{}
 
 func (noopLatency) Observe(string, url.URL, time.Duration) {}

util/certificate/certificate_manager.go

@@ -112,18 +112,15 @@ type Config struct {
 	// initialized using a generic, multi-use cert/key pair which will be
 	// quickly replaced with a unique cert/key pair.
 	BootstrapKeyPEM []byte
-	// CertificateExpiration will record a metric that shows the remaining
-	// lifetime of the certificate. This metric is a gauge because only the
-	// current cert expiry time is really useful. Reading this metric at any
-	// time simply gives the next expiration date, no need to keep some
-	// history (histogram) of all previous expiry dates.
-	CertificateExpiration Gauge
 	// CertificateRotation will record a metric showing the time in seconds
 	// that certificates lived before being rotated. This metric is a histogram
 	// because there is value in keeping a history of rotation cadences. It
 	// allows one to setup monitoring and alerting of unexpected rotation
 	// behavior and track trends in rotation frequency.
 	CertificateRotation Histogram
+	// CertifcateRenewFailure will record a metric that keeps track of
+	// certificate renewal failures.
+	CertificateRenewFailure Counter
 }
 
 // Store is responsible for getting and updating the current certificate.
@@ -154,6 +151,11 @@ type Histogram interface {
 	Observe(float64)
 }
 
+// Counter will wrap a counter with labels
+type Counter interface {
+	Inc()
+}
+
 // NoCertKeyError indicates there is no cert/key currently available.
 type NoCertKeyError string
 
@@ -177,8 +179,8 @@ type manager struct {
 
 	certStore Store
 
-	certificateExpiration Gauge
-	certificateRotation   Histogram
+	certificateRotation     Histogram
+	certificateRenewFailure Counter
 
 	// the following variables must only be accessed under certAccessLock
 	certAccessLock sync.RWMutex
@@ -213,17 +215,17 @@ func NewManager(config *Config) (Manager, error) {
 	}
 
 	m := manager{
-		stopCh:                make(chan struct{}),
-		clientFn:              config.ClientFn,
-		getTemplate:           getTemplate,
-		dynamicTemplate:       config.GetTemplate != nil,
-		usages:                config.Usages,
-		certStore:             config.CertificateStore,
-		cert:                  cert,
-		forceRotation:         forceRotation,
-		certificateExpiration: config.CertificateExpiration,
-		certificateRotation:   config.CertificateRotation,
-		now:                   time.Now,
+		stopCh:                  make(chan struct{}),
+		clientFn:                config.ClientFn,
+		getTemplate:             getTemplate,
+		dynamicTemplate:         config.GetTemplate != nil,
+		usages:                  config.Usages,
+		certStore:               config.CertificateStore,
+		cert:                    cert,
+		forceRotation:           forceRotation,
+		certificateRotation:     config.CertificateRotation,
+		certificateRenewFailure: config.CertificateRenewFailure,
+		now:                     time.Now,
 	}
 
 	return &m, nil
@@ -404,6 +406,9 @@ func (m *manager) rotateCerts() (bool, error) {
 	template, csrPEM, keyPEM, privateKey, err := m.generateCSR()
 	if err != nil {
 		utilruntime.HandleError(fmt.Errorf("Unable to generate a certificate signing request: %v", err))
+		if m.certificateRenewFailure != nil {
+			m.certificateRenewFailure.Inc()
+		}
 		return false, nil
 	}
 
@@ -411,6 +416,9 @@ func (m *manager) rotateCerts() (bool, error) {
 	client, err := m.getClient()
 	if err != nil {
 		utilruntime.HandleError(fmt.Errorf("Unable to load a client to request certificates: %v", err))
+		if m.certificateRenewFailure != nil {
+			m.certificateRenewFailure.Inc()
+		}
 		return false, nil
 	}
 
@@ -419,6 +427,9 @@ func (m *manager) rotateCerts() (bool, error) {
 	req, err := csr.RequestCertificate(client, csrPEM, "", m.usages, privateKey)
 	if err != nil {
 		utilruntime.HandleError(fmt.Errorf("Failed while requesting a signed certificate from the master: %v", err))
+		if m.certificateRenewFailure != nil {
+			m.certificateRenewFailure.Inc()
+		}
 		return false, m.updateServerError(err)
 	}
 
@@ -433,12 +444,18 @@ func (m *manager) rotateCerts() (bool, error) {
 	crtPEM, err := csr.WaitForCertificate(ctx, client, req)
 	if err != nil {
 		utilruntime.HandleError(fmt.Errorf("certificate request was not signed: %v", err))
+		if m.certificateRenewFailure != nil {
+			m.certificateRenewFailure.Inc()
+		}
 		return false, nil
 	}
 
 	cert, err := m.certStore.Update(crtPEM, keyPEM)
 	if err != nil {
 		utilruntime.HandleError(fmt.Errorf("Unable to store the new cert/key pair: %v", err))
+		if m.certificateRenewFailure != nil {
+			m.certificateRenewFailure.Inc()
+		}
 		return false, nil
 	}
 
@@ -529,9 +546,6 @@ func (m *manager) nextRotationDeadline() time.Time {
 	deadline := m.cert.Leaf.NotBefore.Add(jitteryDuration(totalDuration))
 
 	klog.V(2).Infof("Certificate expiration is %v, rotation deadline is %v", notAfter, deadline)
-	if m.certificateExpiration != nil {
-		m.certificateExpiration.Set(float64(notAfter.Unix()))
-	}
 	return deadline
 }
 

util/certificate/certificate_manager_test.go

@@ -200,7 +200,6 @@ func TestSetRotationDeadline(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			g := metricMock{}
 			m := manager{
 				cert: &tls.Certificate{
 					Leaf: &x509.Certificate{
@@ -208,10 +207,9 @@ func TestSetRotationDeadline(t *testing.T) {
 						NotAfter:  tc.notAfter,
 					},
 				},
-				getTemplate:           func() *x509.CertificateRequest { return &x509.CertificateRequest{} },
-				usages:                []certificates.KeyUsage{},
-				certificateExpiration: &g,
-				now:                   func() time.Time { return now },
+				getTemplate: func() *x509.CertificateRequest { return &x509.CertificateRequest{} },
+				usages:      []certificates.KeyUsage{},
+				now:         func() time.Time { return now },
 			}
 			jitteryDuration = func(float64) time.Duration { return time.Duration(float64(tc.notAfter.Sub(tc.notBefore)) * 0.7) }
 			lowerBound := tc.notBefore.Add(time.Duration(float64(tc.notAfter.Sub(tc.notBefore)) * 0.7))
@@ -225,12 +223,6 @@ func TestSetRotationDeadline(t *testing.T) {
 					deadline,
 					lowerBound)
 			}
-			if g.calls != 1 {
-				t.Errorf("%d metrics were recorded, wanted %d", g.calls, 1)
-			}
-			if g.lastValue != float64(tc.notAfter.Unix()) {
-				t.Errorf("%f value for metric was recorded, wanted %d", g.lastValue, tc.notAfter.Unix())
-			}
 		})
 	}
 }