Switch to github.com/golang/dep for vendoring

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/BUILD

@@ -0,0 +1,41 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "authentication.go",
+        "authorization.go",
+        "cloudprovider.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api/v1:go_default_library",
+        "//pkg/cloudprovider:go_default_library",
+        "//pkg/controller/informers:go_default_library",
+        "//pkg/genericapiserver:go_default_library",
+        "//pkg/genericapiserver/options:go_default_library",
+        "//pkg/kubeapiserver/authenticator:go_default_library",
+        "//pkg/kubeapiserver/authorizer:go_default_library",
+        "//vendor:github.com/spf13/pflag",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go

@@ -0,0 +1,318 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/spf13/pflag"
+
+	"k8s.io/kubernetes/pkg/genericapiserver"
+	genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
+	"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
+)
+
+type BuiltInAuthenticationOptions struct {
+	Anonymous       *AnonymousAuthenticationOptions
+	AnyToken        *AnyTokenAuthenticationOptions
+	ClientCert      *genericoptions.ClientCertAuthenticationOptions
+	Keystone        *KeystoneAuthenticationOptions
+	OIDC            *OIDCAuthenticationOptions
+	PasswordFile    *PasswordFileAuthenticationOptions
+	RequestHeader   *genericoptions.RequestHeaderAuthenticationOptions
+	ServiceAccounts *ServiceAccountAuthenticationOptions
+	TokenFile       *TokenFileAuthenticationOptions
+	WebHook         *WebHookAuthenticationOptions
+}
+
+type AnyTokenAuthenticationOptions struct {
+	Allow bool
+}
+
+type AnonymousAuthenticationOptions struct {
+	Allow bool
+}
+
+type KeystoneAuthenticationOptions struct {
+	URL    string
+	CAFile string
+}
+
+type OIDCAuthenticationOptions struct {
+	CAFile        string
+	ClientID      string
+	IssuerURL     string
+	UsernameClaim string
+	GroupsClaim   string
+}
+
+type PasswordFileAuthenticationOptions struct {
+	BasicAuthFile string
+}
+
+type ServiceAccountAuthenticationOptions struct {
+	KeyFiles []string
+	Lookup   bool
+}
+
+type TokenFileAuthenticationOptions struct {
+	TokenFile string
+}
+
+type WebHookAuthenticationOptions struct {
+	ConfigFile string
+	CacheTTL   time.Duration
+}
+
+func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions {
+	return &BuiltInAuthenticationOptions{}
+}
+
+func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
+	return s.
+		WithAnyonymous().
+		WithAnyToken().
+		WithClientCert().
+		WithKeystone().
+		WithOIDC().
+		WithPasswordFile().
+		WithRequestHeader().
+		WithServiceAccounts().
+		WithTokenFile().
+		WithWebHook()
+}
+
+func (s *BuiltInAuthenticationOptions) WithAnyonymous() *BuiltInAuthenticationOptions {
+	s.Anonymous = &AnonymousAuthenticationOptions{Allow: true}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithAnyToken() *BuiltInAuthenticationOptions {
+	s.AnyToken = &AnyTokenAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions {
+	s.ClientCert = &genericoptions.ClientCertAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithKeystone() *BuiltInAuthenticationOptions {
+	s.Keystone = &KeystoneAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions {
+	s.OIDC = &OIDCAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithPasswordFile() *BuiltInAuthenticationOptions {
+	s.PasswordFile = &PasswordFileAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions {
+	s.RequestHeader = &genericoptions.RequestHeaderAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions {
+	s.ServiceAccounts = &ServiceAccountAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions {
+	s.TokenFile = &TokenFileAuthenticationOptions{}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions {
+	s.WebHook = &WebHookAuthenticationOptions{
+		CacheTTL: 2 * time.Minute,
+	}
+	return s
+}
+
+func (s *BuiltInAuthenticationOptions) Validate() []error {
+	allErrors := []error{}
+	return allErrors
+}
+
+func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
+	if s.Anonymous != nil {
+		fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+
+			"Enables anonymous requests to the secure port of the API server. "+
+			"Requests that are not rejected by another authentication method are treated as anonymous requests. "+
+			"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.")
+	}
+
+	if s.AnyToken != nil {
+		fs.BoolVar(&s.AnyToken.Allow, "insecure-allow-any-token", s.AnyToken.Allow, ""+
+			"If set, your server will be INSECURE.  Any token will be allowed and user information will be parsed "+
+			"from the token as `username/group1,group2`")
+
+	}
+
+	if s.ClientCert != nil {
+		s.ClientCert.AddFlags(fs)
+	}
+
+	if s.Keystone != nil {
+		fs.StringVar(&s.Keystone.URL, "experimental-keystone-url", s.Keystone.URL,
+			"If passed, activates the keystone authentication plugin.")
+
+		fs.StringVar(&s.Keystone.CAFile, "experimental-keystone-ca-file", s.Keystone.CAFile, ""+
+			"If set, the Keystone server's certificate will be verified by one of the authorities "+
+			"in the experimental-keystone-ca-file, otherwise the host's root CA set will be used.")
+	}
+
+	if s.OIDC != nil {
+		fs.StringVar(&s.OIDC.IssuerURL, "oidc-issuer-url", s.OIDC.IssuerURL, ""+
+			"The URL of the OpenID issuer, only HTTPS scheme will be accepted. "+
+			"If set, it will be used to verify the OIDC JSON Web Token (JWT).")
+
+		fs.StringVar(&s.OIDC.ClientID, "oidc-client-id", s.OIDC.ClientID,
+			"The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.")
+
+		fs.StringVar(&s.OIDC.CAFile, "oidc-ca-file", s.OIDC.CAFile, ""+
+			"If set, the OpenID server's certificate will be verified by one of the authorities "+
+			"in the oidc-ca-file, otherwise the host's root CA set will be used.")
+
+		fs.StringVar(&s.OIDC.UsernameClaim, "oidc-username-claim", "sub", ""+
+			"The OpenID claim to use as the user name. Note that claims other than the default ('sub') "+
+			"is not guaranteed to be unique and immutable. This flag is experimental, please see "+
+			"the authentication documentation for further details.")
+
+		fs.StringVar(&s.OIDC.GroupsClaim, "oidc-groups-claim", "", ""+
+			"If provided, the name of a custom OpenID Connect claim for specifying user groups. "+
+			"The claim value is expected to be a string or array of strings. This flag is experimental, "+
+			"please see the authentication documentation for further details.")
+	}
+
+	if s.PasswordFile != nil {
+		fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+
+			"If set, the file that will be used to admit requests to the secure port of the API server "+
+			"via http basic authentication.")
+	}
+
+	if s.RequestHeader != nil {
+		s.RequestHeader.AddFlags(fs)
+	}
+
+	if s.ServiceAccounts != nil {
+		fs.StringArrayVar(&s.ServiceAccounts.KeyFiles, "service-account-key-file", s.ServiceAccounts.KeyFiles, ""+
+			"File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify "+
+			"ServiceAccount tokens. If unspecified, --tls-private-key-file is used. "+
+			"The specified file can contain multiple keys, and the flag can be specified multiple times with different files.")
+
+		fs.BoolVar(&s.ServiceAccounts.Lookup, "service-account-lookup", s.ServiceAccounts.Lookup,
+			"If true, validate ServiceAccount tokens exist in etcd as part of authentication.")
+	}
+
+	if s.TokenFile != nil {
+		fs.StringVar(&s.TokenFile.TokenFile, "token-auth-file", s.TokenFile.TokenFile, ""+
+			"If set, the file that will be used to secure the secure port of the API server "+
+			"via token authentication.")
+	}
+
+	if s.WebHook != nil {
+		fs.StringVar(&s.WebHook.ConfigFile, "authentication-token-webhook-config-file", s.WebHook.ConfigFile, ""+
+			"File with webhook configuration for token authentication in kubeconfig format. "+
+			"The API server will query the remote service to determine authentication for bearer tokens.")
+
+		fs.DurationVar(&s.WebHook.CacheTTL, "authentication-token-webhook-cache-ttl", s.WebHook.CacheTTL,
+			"The duration to cache responses from the webhook token authenticator. Default is 2m.")
+	}
+}
+
+func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.AuthenticatorConfig {
+	ret := authenticator.AuthenticatorConfig{}
+
+	if s.Anonymous != nil {
+		ret.Anonymous = s.Anonymous.Allow
+	}
+
+	if s.AnyToken != nil {
+		ret.AnyToken = s.AnyToken.Allow
+	}
+
+	if s.ClientCert != nil {
+		ret.ClientCAFile = s.ClientCert.ClientCA
+	}
+
+	if s.Keystone != nil {
+		ret.KeystoneURL = s.Keystone.URL
+		ret.KeystoneCAFile = s.Keystone.CAFile
+	}
+
+	if s.OIDC != nil {
+		ret.OIDCCAFile = s.OIDC.CAFile
+		ret.OIDCClientID = s.OIDC.ClientID
+		ret.OIDCGroupsClaim = s.OIDC.GroupsClaim
+		ret.OIDCIssuerURL = s.OIDC.IssuerURL
+		ret.OIDCUsernameClaim = s.OIDC.UsernameClaim
+	}
+
+	if s.PasswordFile != nil {
+		ret.BasicAuthFile = s.PasswordFile.BasicAuthFile
+	}
+
+	if s.RequestHeader != nil {
+		ret.RequestHeaderConfig = s.RequestHeader.ToAuthenticationRequestHeaderConfig()
+	}
+
+	if s.ServiceAccounts != nil {
+		ret.ServiceAccountKeyFiles = s.ServiceAccounts.KeyFiles
+		ret.ServiceAccountLookup = s.ServiceAccounts.Lookup
+	}
+
+	if s.TokenFile != nil {
+		ret.TokenAuthFile = s.TokenFile.TokenFile
+	}
+
+	if s.WebHook != nil {
+		ret.WebhookTokenAuthnConfigFile = s.WebHook.ConfigFile
+		ret.WebhookTokenAuthnCacheTTL = s.WebHook.CacheTTL
+	}
+
+	return ret
+}
+
+func (o *BuiltInAuthenticationOptions) Apply(c *genericapiserver.Config) error {
+	if o == nil || o.PasswordFile == nil {
+		return nil
+	}
+
+	var err error
+	if o.ClientCert != nil {
+		c, err = c.ApplyClientCert(o.ClientCert.ClientCA)
+		if err != nil {
+			return fmt.Errorf("unable to load client CA file: %v", err)
+		}
+	}
+	if o.RequestHeader != nil {
+		c, err = c.ApplyClientCert(o.RequestHeader.ClientCAFile)
+		if err != nil {
+			return fmt.Errorf("unable to load client CA file: %v", err)
+		}
+	}
+
+	c.SupportsBasicAuth = len(o.PasswordFile.BasicAuthFile) > 0
+	return nil
+}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authorization.go

@@ -0,0 +1,93 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"strings"
+	"time"
+
+	"github.com/spf13/pflag"
+
+	"k8s.io/kubernetes/pkg/controller/informers"
+	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
+)
+
+var AuthorizationModeChoices = []string{authorizer.ModeAlwaysAllow, authorizer.ModeAlwaysDeny, authorizer.ModeABAC, authorizer.ModeWebhook, authorizer.ModeRBAC}
+
+type BuiltInAuthorizationOptions struct {
+	Mode                        string
+	PolicyFile                  string
+	WebhookConfigFile           string
+	WebhookCacheAuthorizedTTL   time.Duration
+	WebhookCacheUnauthorizedTTL time.Duration
+}
+
+func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions {
+	return &BuiltInAuthorizationOptions{
+		Mode: authorizer.ModeAlwaysAllow,
+		WebhookCacheAuthorizedTTL:   5 * time.Minute,
+		WebhookCacheUnauthorizedTTL: 30 * time.Second,
+	}
+}
+
+func (s *BuiltInAuthorizationOptions) Validate() []error {
+	allErrors := []error{}
+	return allErrors
+}
+
+func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.StringVar(&s.Mode, "authorization-mode", s.Mode, ""+
+		"Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+
+		strings.Join(AuthorizationModeChoices, ",")+".")
+
+	fs.StringVar(&s.PolicyFile, "authorization-policy-file", s.PolicyFile, ""+
+		"File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port.")
+
+	fs.StringVar(&s.WebhookConfigFile, "authorization-webhook-config-file", s.WebhookConfigFile, ""+
+		"File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. "+
+		"The API server will query the remote service to determine access on the API server's secure port.")
+
+	fs.DurationVar(&s.WebhookCacheAuthorizedTTL, "authorization-webhook-cache-authorized-ttl",
+		s.WebhookCacheAuthorizedTTL,
+		"The duration to cache 'authorized' responses from the webhook authorizer. Default is 5m.")
+
+	fs.DurationVar(&s.WebhookCacheUnauthorizedTTL,
+		"authorization-webhook-cache-unauthorized-ttl", s.WebhookCacheUnauthorizedTTL,
+		"The duration to cache 'unauthorized' responses from the webhook authorizer. Default is 30s.")
+
+	fs.String("authorization-rbac-super-user", "", ""+
+		"If specified, a username which avoids RBAC authorization checks and role binding "+
+		"privilege escalation checks, to be used with --authorization-mode=RBAC.")
+	fs.MarkDeprecated("authorization-rbac-super-user", "Removed during alpha to beta.  The 'system:masters' group has privileged access.")
+
+}
+
+func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory informers.SharedInformerFactory) authorizer.AuthorizationConfig {
+	modes := []string{}
+	if len(s.Mode) > 0 {
+		modes = strings.Split(s.Mode, ",")
+	}
+
+	return authorizer.AuthorizationConfig{
+		AuthorizationModes:          modes,
+		PolicyFile:                  s.PolicyFile,
+		WebhookConfigFile:           s.WebhookConfigFile,
+		WebhookCacheAuthorizedTTL:   s.WebhookCacheAuthorizedTTL,
+		WebhookCacheUnauthorizedTTL: s.WebhookCacheUnauthorizedTTL,
+		InformerFactory:             informerFactory,
+	}
+}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/cloudprovider.go

@@ -0,0 +1,88 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/pflag"
+
+	"k8s.io/kubernetes/pkg/api/v1"
+	"k8s.io/kubernetes/pkg/cloudprovider"
+	genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
+)
+
+type CloudProviderOptions struct {
+	CloudConfigFile string
+	CloudProvider   string
+}
+
+func NewCloudProviderOptions() *CloudProviderOptions {
+	return &CloudProviderOptions{}
+}
+
+func (s *CloudProviderOptions) Validate() []error {
+	allErrors := []error{}
+	return allErrors
+}
+
+func (s *CloudProviderOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.StringVar(&s.CloudProvider, "cloud-provider", s.CloudProvider,
+		"The provider for cloud services. Empty string for no provider.")
+
+	fs.StringVar(&s.CloudConfigFile, "cloud-config", s.CloudConfigFile,
+		"The path to the cloud provider configuration file. Empty string for no configuration file.")
+}
+
+func (s *CloudProviderOptions) DefaultExternalHost(genericoptions *genericoptions.ServerRunOptions) error {
+	if len(genericoptions.ExternalHost) != 0 {
+		return nil
+	}
+
+	// TODO: extend for other providers
+	if s.CloudProvider == "gce" || s.CloudProvider == "aws" {
+		cloud, err := cloudprovider.InitCloudProvider(s.CloudProvider, s.CloudConfigFile)
+		if err != nil {
+			return fmt.Errorf("%q cloud provider could not be initialized: %v", s.CloudProvider, err)
+		}
+		instances, supported := cloud.Instances()
+		if !supported {
+			return fmt.Errorf("%q cloud provider has no instances", s.CloudProvider)
+		}
+		hostname, err := os.Hostname()
+		if err != nil {
+			return fmt.Errorf("failed to get hostname: %v", err)
+		}
+		nodeName, err := instances.CurrentNodeName(hostname)
+		if err != nil {
+			return fmt.Errorf("failed to get NodeName from %q cloud provider: %v", s.CloudProvider, err)
+		}
+		addrs, err := instances.NodeAddresses(nodeName)
+		if err != nil {
+			return fmt.Errorf("failed to get external host address from %q cloud provider: %v", s.CloudProvider, err)
+		} else {
+			for _, addr := range addrs {
+				if addr.Type == v1.NodeExternalIP {
+					genericoptions.ExternalHost = addr.Address
+				}
+			}
+		}
+	}
+
+	return nil
+}