treewide: switch to gomod and bump everything
This switches version resolution from fietsje to gomod and updates
all Go dependencies. It also bumps rules_go (required by gVisor) and
switches the Gazelle naming convention from go_default_xxx to the
standard Bazel convention of the default target having the package
name.
Since Kubernetes dropped upstream Bazel support and doesn't check in
all generated files, I manually pregenerated the OpenAPI spec. This
should be fixed, but given the already-huge scope of this CL and the
rebase complexity, that fix is not included here.
Change-Id: Iec8ea613d06946882426c2f9fad5bda7e8aaf833
Reviewed-on: https://review.monogon.dev/c/monogon/+/639
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
Reviewed-by: Leopold Schabel <leo@nexantic.com>
diff --git a/third_party/go/patches/k8s-adopt-to-go-jose-2.3.patch b/third_party/go/patches/k8s-adopt-to-go-jose-2.3.patch
new file mode 100644
index 0000000..9efd08a
--- /dev/null
+++ b/third_party/go/patches/k8s-adopt-to-go-jose-2.3.patch
@@ -0,0 +1,136 @@
+From a1411288423dfc4062844b9f699a30fd7cbe090d Mon Sep 17 00:00:00 2001
+From: Lorenz Brun <lorenz@monogon.tech>
+Date: Mon, 21 Mar 2022 15:20:19 +0100
+Subject: [PATCH 1/2] Adopt to API breakage in go-jose 2.3.0
+
+---
+ pkg/serviceaccount/claims_test.go | 40 +++++++++++-----------
+ test/integration/auth/svcaccttoken_test.go | 6 ++--
+ 2 files changed, 23 insertions(+), 23 deletions(-)
+
+diff --git a/pkg/serviceaccount/claims_test.go b/pkg/serviceaccount/claims_test.go
+index 2e968f60335..a0b5a595c2f 100644
+--- a/pkg/serviceaccount/claims_test.go
++++ b/pkg/serviceaccount/claims_test.go
+@@ -85,9 +85,9 @@ func TestClaims(t *testing.T) {
+
+ sc: &jwt.Claims{
+ Subject: "system:serviceaccount:myns:mysvcacct",
+- IssuedAt: jwt.NumericDate(1514764800),
+- NotBefore: jwt.NumericDate(1514764800),
+- Expiry: jwt.NumericDate(1514764800),
++ IssuedAt: jwt.NewNumericDate(time.Unix(1514764800, 0)),
++ NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
++ Expiry: jwt.NewNumericDate(time.Unix(1514764800, 0)),
+ },
+ pc: &privateClaims{
+ Kubernetes: kubernetes{
+@@ -107,9 +107,9 @@ func TestClaims(t *testing.T) {
+
+ sc: &jwt.Claims{
+ Subject: "system:serviceaccount:myns:mysvcacct",
+- IssuedAt: jwt.NumericDate(1514764800),
+- NotBefore: jwt.NumericDate(1514764800),
+- Expiry: jwt.NumericDate(1514764800 + 100),
++ IssuedAt: jwt.NewNumericDate(time.Unix(1514764800, 0)),
++ NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
++ Expiry: jwt.NewNumericDate(time.Unix(1514764800+100, 0)),
+ },
+ pc: &privateClaims{
+ Kubernetes: kubernetes{
+@@ -130,9 +130,9 @@ func TestClaims(t *testing.T) {
+ sc: &jwt.Claims{
+ Subject: "system:serviceaccount:myns:mysvcacct",
+ Audience: []string{"1"},
+- IssuedAt: jwt.NumericDate(1514764800),
+- NotBefore: jwt.NumericDate(1514764800),
+- Expiry: jwt.NumericDate(1514764800 + 100),
++ IssuedAt: jwt.NewNumericDate(time.Unix(1514764800, 0)),
++ NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
++ Expiry: jwt.NewNumericDate(time.Unix(1514764800+100, 0)),
+ },
+ pc: &privateClaims{
+ Kubernetes: kubernetes{
+@@ -152,9 +152,9 @@ func TestClaims(t *testing.T) {
+ sc: &jwt.Claims{
+ Subject: "system:serviceaccount:myns:mysvcacct",
+ Audience: []string{"1", "2"},
+- IssuedAt: jwt.NumericDate(1514764800),
+- NotBefore: jwt.NumericDate(1514764800),
+- Expiry: jwt.NumericDate(1514764800 + 100),
++ IssuedAt: jwt.NewNumericDate(time.Unix(1514764800, 0)),
++ NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
++ Expiry: jwt.NewNumericDate(time.Unix(1514764800+100, 0)),
+ },
+ pc: &privateClaims{
+ Kubernetes: kubernetes{
+@@ -175,16 +175,16 @@ func TestClaims(t *testing.T) {
+
+ sc: &jwt.Claims{
+ Subject: "system:serviceaccount:myns:mysvcacct",
+- IssuedAt: jwt.NumericDate(1514764800),
+- NotBefore: jwt.NumericDate(1514764800),
+- Expiry: jwt.NumericDate(1514764800 + 60*60*24),
++ IssuedAt: jwt.NewNumericDate(time.Unix(1514764800, 0)),
++ NotBefore: jwt.NewNumericDate(time.Unix(1514764800, 0)),
++ Expiry: jwt.NewNumericDate(time.Unix(1514764800+60*60*24, 0)),
+ },
+ pc: &privateClaims{
+ Kubernetes: kubernetes{
+ Namespace: "myns",
+ Svcacct: ref{Name: "mysvcacct", UID: "mysvcacct-uid"},
+ Pod: &ref{Name: "mypod", UID: "mypod-uid"},
+- WarnAfter: jwt.NumericDate(1514764800 + 60*60),
++ WarnAfter: jwt.NewNumericDate(time.Unix(1514764800+60*60, 0)),
+ },
+ },
+ },
+@@ -223,8 +223,8 @@ type claimTestCase struct {
+ name string
+ getter ServiceAccountTokenGetter
+ private *privateClaims
+- expiry jwt.NumericDate
+- notBefore jwt.NumericDate
++ expiry *jwt.NumericDate
++ notBefore *jwt.NumericDate
+ expectErr string
+ }
+
+@@ -365,8 +365,8 @@ func TestValidatePrivateClaims(t *testing.T) {
+ for _, tc := range testcases {
+ t.Run(tc.name, func(t *testing.T) {
+ v := &validator{tc.getter}
+- expiry := jwt.NumericDate(nowUnix)
+- if tc.expiry != 0 {
++ expiry := jwt.NewNumericDate(time.Unix(nowUnix, 0))
++ if tc.expiry != nil {
+ expiry = tc.expiry
+ }
+ _, err := v.Validate(context.Background(), "", &jwt.Claims{Expiry: expiry, NotBefore: tc.notBefore}, tc.private)
+diff --git a/test/integration/auth/svcaccttoken_test.go b/test/integration/auth/svcaccttoken_test.go
+index da50bf4736e..5311b6c90c3 100644
+--- a/test/integration/auth/svcaccttoken_test.go
++++ b/test/integration/auth/svcaccttoken_test.go
+@@ -421,16 +421,16 @@ func TestServiceAccountTokenCreate(t *testing.T) {
+ t.Fatalf("error parsing warnafter: %v", err)
+ }
+
+- if exp < int64(actualExpiry)-leeway || exp > int64(actualExpiry)+leeway {
++ if exp < int64(*actualExpiry)-leeway || exp > int64(*actualExpiry)+leeway {
+ t.Errorf("unexpected token exp %d, should within range of %d +- %d seconds", exp, actualExpiry, leeway)
+ }
+- if warnafter < int64(assumedExpiry)-leeway || warnafter > int64(assumedExpiry)+leeway {
++ if warnafter < int64(*assumedExpiry)-leeway || warnafter > int64(*assumedExpiry)+leeway {
+ t.Errorf("unexpected token warnafter %d, should within range of %d +- %d seconds", warnafter, assumedExpiry, leeway)
+ }
+
+ checkExpiration(t, treq, requestExp)
+ expStatus := treq.Status.ExpirationTimestamp.Time.Unix()
+- if expStatus < int64(assumedExpiry)-leeway || warnafter > int64(assumedExpiry)+leeway {
++ if expStatus < int64(*assumedExpiry)-leeway || warnafter > int64(*assumedExpiry)+leeway {
+ t.Errorf("unexpected expiration returned in tokenrequest status %d, should within range of %d +- %d seconds", expStatus, assumedExpiry, leeway)
+ }
+ })
+--
+2.25.1
+
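Review bot: In the embedded svcaccttoken_test.go hunk, the three `t.Errorf` calls still pass `actualExpiry` and `assumedExpiry` to `%d`, although the comparisons now dereference both as pointers, so a failing run would print a pointer value instead of the expected timestamp; pass `int64(*actualExpiry)` and `int64(*assumedExpiry)` there too. The last check reads `expStatus < int64(*assumedExpiry)-leeway || warnafter > int64(*assumedExpiry)+leeway`, so the upper bound on the status expiration is never tested and a token request returning an over-long expiry would pass; the second operand should probably be `expStatus > int64(*assumedExpiry)+leeway`, though this looks carried over from the replaced line. The new dereferences also assume both values are non-nil; they are assigned outside the hunk, so a guard such as `if actualExpiry == nil || assumedExpiry == nil { t.Fatalf("missing exp or warnafter claim") }` before the comparisons would turn a panic into a readable failure. The body of TestServiceAccountTokenCreate starts and ends outside the hunk.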