For NewManager, the Config struct gets changed (not extended!) so that the
caller can provide a logger instead of just a logging function. Breaking the
API was chosen because it avoids having to maintain two different log calls in
various places (one for printf-style logging, one for structured logging).
RequestCertificateWithContext is an extension. It enables getting rid of
context.TODO calls.
NewFileStoreWithLogger also is an extension.
Update ValidateEndpointsCreate validation tests to use the new Origin field for more precise error comparisons. It leverages the Origin field instead of detailed error messages, improving test robustness and readability.
Co-authored-by: Tim Hockin <thockin@google.com>
Before, containers with the PostStart sleep lifecycle hook would cause
null pointer panics due to a typo in the field name being checked. This
commit fixes that.
The check also needs to be done on the oldPodSpec, rather than the
podSpec, so that existing workloads which use the zero value continue
functioning in the same way.
It was writing out IPBlock CIDRs like "192.168.0.5/4" rather than
"192.0.0.0/4".
Also, simplify a bit by basing the `cidr` and the `except` both on
podB, rather than one on podA and one on podB. (This is even
theoretically a bugfix, since it's not _required_ that podA and podB
be in the same /4.) Also reorganize the code to make the two test
cases more consistent with each other.
Replace manual error logging with cmp.Diff for more precise error comparisons, using cmpopts to ignore Origin field and support UniqueString comparison.
This change introduces a new field in Error. It would be used in testing to compare the expected errors without matching the detail strings.
Co-authored-by: Tim Hockin <thockin@google.com>
* Add Watch to controller roles
Starting from version 1.32, the client feature `WatchListClient` has been
set to `true` in `kube-controller-manager`.
(commit 06a15c5cf9)
As a result, when the `kube-controller-manager` executes the `List` method,
it utilizes `Watch`. However, there are some existing controller roles that
include `List` but do not include `Watch`. Therefore, when processes using
these controller roles execute the `List` method, `Watch` is executed first,
but due to permission errors, it falls back to `List`.
This PR adds `Watch` to the controller roles that include `List` but do not
include `Watch`.
The affected roles are as follows (prefixed with `system:controller:`):
- `cronjob-controller`
- `endpoint-controller`
- `endpointslice-controller`
- `endpointslicemirroring-controller`
- `horizontal-pod-autoscaler`
- `node-controller`
- `pod-garbage-collector`
- `storage-version-migrator-controller`
Signed-off-by: Mitsuru Kariya <mitsuru.kariya@nttdata.com>
* Fix Fixture Data
I apologize, the Fixture Data modifications were missed.
Signed-off-by: Mitsuru Kariya <mitsuru.kariya@nttdata.com>
* Add ControllerRoles Test
Added a test to check that if a controller role includes `List`, it also includes `Watch`.
Signed-off-by: Mitsuru Kariya <mitsuru.kariya@nttdata.com>
* Fix typo
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
* Add Additional Tests
Added tests to check that if NodeRules, ClusterRoles, and NamespaceRoles
include `List`, they also include `Watch`.
Signed-off-by: Mitsuru Kariya <mitsuru.kariya@nttdata.com>
---------
Signed-off-by: Mitsuru Kariya <mitsuru.kariya@nttdata.com>
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
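
The invariant the commit message above describes (a role that grants `List` should also grant `Watch`) can be checked as follows. This is an added example, not the Kubernetes project's test code: `PolicyRule` is a local stand-in type, `ListWithoutWatch` and `SampleRoles` are hypothetical names, and the sample roles are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// PolicyRule is a local stand-in with only the fields this check reads.
// It mirrors the shape of an RBAC rule; it is not the Kubernetes API type.
type PolicyRule struct{ Verbs, APIGroups, Resources []string }

// ListWithoutWatch merges verbs per (apiGroup, resource) across all rules of a
// role and reports pairs that can list but not watch. Wildcards in groups and
// resources are compared literally; a "*" verb counts as granting watch.
func ListWithoutWatch(roles map[string][]PolicyRule) []string {
	var findings []string
	for name, rules := range roles {
		granted := map[[2]string]bool{} // {group/resource, verb} -> granted
		for _, rule := range rules {
			for _, g := range rule.APIGroups {
				for _, r := range rule.Resources {
					for _, v := range rule.Verbs {
						granted[[2]string{g + "/" + r, v}] = true
					}
				}
			}
		}
		for k := range granted {
			if k[1] == "list" && !granted[[2]string{k[0], "watch"}] && !granted[[2]string{k[0], "*"}] {
				findings = append(findings, name+": "+k[0]+" grants list without watch")
			}
		}
	}
	sort.Strings(findings) // map iteration order is random; keep output stable
	return findings
}

// SampleRoles is constructed input; the role names and rules are made up.
func SampleRoles() map[string][]PolicyRule {
	return map[string][]PolicyRule{
		"example:split-rules": {
			{Verbs: []string{"list"}, APIGroups: []string{""}, Resources: []string{"pods"}},
			{Verbs: []string{"watch"}, APIGroups: []string{""}, Resources: []string{"pods"}},
		},
		"example:list-only": {{Verbs: []string{"get", "list"}, APIGroups: []string{"batch"}, Resources: []string{"jobs"}}},
	}
}

func main() { fmt.Println(ListWithoutWatch(SampleRoles())) }
```

Merging verbs across rules before comparing avoids flagging a role that grants `list` and `watch` on the same resource in two separate rules.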
These suppressions are necessary to make golangci-lint 1.64 pass with the
current code base. This change is meant to be backported to release
branches. On master, we may want to revert some of it together with fixing the
findings.
We cannot use limit as it would apply it before filtering, which is done
in cacher. Limit is not currently used, but let's remove it to be safe,
until filtering is implemented in store.