Update osbuild/images to v0.79.0

Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2024-08-20 13:56:53 +02:00 · 2024-08-20 13:56:53 +02:00 · 62d8ad4efe
commit 62d8ad4efe
parent 9fcbcdb5dc
340 changed files with 15526 additions and 2999 deletions
--- a/vendor/cloud.google.com/go/auth/CHANGES.md
+++ b/vendor/cloud.google.com/go/auth/CHANGES.md
@ -1,5 +1,19 @@
 # Changelog

+## [0.9.0](https://github.com/googleapis/google-cloud-go/compare/auth/v0.8.1...auth/v0.9.0) (2024-08-16)
+
+
+### Features
+
+* **auth:** Auth library can talk to S2A over mTLS ([#10634](https://github.com/googleapis/google-cloud-go/issues/10634)) ([5250a13](https://github.com/googleapis/google-cloud-go/commit/5250a13ec95b8d4eefbe0158f82857ff2189cb45))
+
+## [0.8.1](https://github.com/googleapis/google-cloud-go/compare/auth/v0.8.0...auth/v0.8.1) (2024-08-13)
+
+
+### Bug Fixes
+
+* **auth:** Make default client creation more lenient ([#10669](https://github.com/googleapis/google-cloud-go/issues/10669)) ([1afb9ee](https://github.com/googleapis/google-cloud-go/commit/1afb9ee1ee9de9810722800018133304a0ca34d1)), refs [#10638](https://github.com/googleapis/google-cloud-go/issues/10638)
+
 ## [0.8.0](https://github.com/googleapis/google-cloud-go/compare/auth/v0.7.3...auth/v0.8.0) (2024-08-07)


--- a/vendor/cloud.google.com/go/auth/auth.go
+++ b/vendor/cloud.google.com/go/auth/auth.go
@ -493,7 +493,7 @@ func (o *Options2LO) client() *http.Client {
 	if o.Client != nil {
 		return o.Client
 	}
-	return internal.CloneDefaultClient()
+	return internal.DefaultClient()
 }

 func (o *Options2LO) validate() error {
--- a/vendor/cloud.google.com/go/auth/credentials/detect.go
+++ b/vendor/cloud.google.com/go/auth/credentials/detect.go
@ -190,7 +190,7 @@ func (o *DetectOptions) client() *http.Client {
 	if o.Client != nil {
 		return o.Client
 	}
-	return internal.CloneDefaultClient()
+	return internal.DefaultClient()
 }

 func readCredentialsFile(filename string, opts *DetectOptions) (*auth.Credentials, error) {
--- a/vendor/cloud.google.com/go/auth/internal/internal.go
+++ b/vendor/cloud.google.com/go/auth/internal/internal.go
@ -46,10 +46,24 @@ const (
 	DefaultUniverseDomain = "googleapis.com"
 )

-// CloneDefaultClient returns a [http.Client] with some good defaults.
-func CloneDefaultClient() *http.Client {
+type clonableTransport interface {
+	Clone() *http.Transport
+}
+
+// DefaultClient returns an [http.Client] with some defaults set. If
+// the current [http.DefaultTransport] is a [clonableTransport], as
+// is the case for an [*http.Transport], the clone will be used.
+// Otherwise the [http.DefaultTransport] is used directly.
+func DefaultClient() *http.Client {
+	if transport, ok := http.DefaultTransport.(clonableTransport); ok {
+		return &http.Client{
+			Transport: transport.Clone(),
+			Timeout:   30 * time.Second,
+		}
+	}
+
 	return &http.Client{
-		Transport: http.DefaultTransport.(*http.Transport).Clone(),
+		Transport: http.DefaultTransport,
 		Timeout:   30 * time.Second,
 	}
 }
--- a/vendor/cloud.google.com/go/auth/internal/transport/cba.go
+++ b/vendor/cloud.google.com/go/auth/internal/transport/cba.go
@ -17,7 +17,9 @@ package transport
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
+	"log"
 	"net"
 	"net/http"
 	"net/url"
@ -44,10 +46,12 @@ const (
 	googleAPIUseMTLSOld    = "GOOGLE_API_USE_MTLS"

 	universeDomainPlaceholder = "UNIVERSE_DOMAIN"
+
+	mtlsMDSRoot = "/run/google-mds-mtls/root.crt"
+	mtlsMDSKey  = "/run/google-mds-mtls/client.key"
 )

 var (
-	mdsMTLSAutoConfigSource     mtlsConfigSource
 	errUniverseNotSupportedMTLS = errors.New("mTLS is not supported in any universe other than googleapis.com")
 )

@ -120,7 +124,20 @@ func GetGRPCTransportCredsAndEndpoint(opts *Options) (credentials.TransportCrede
 	defaultTransportCreds := credentials.NewTLS(&tls.Config{
 		GetClientCertificate: config.clientCertSource,
 	})
-	if config.s2aAddress == "" {
+
+	var s2aAddr string
+	var transportCredsForS2A credentials.TransportCredentials
+
+	if config.mtlsS2AAddress != "" {
+		s2aAddr = config.mtlsS2AAddress
+		transportCredsForS2A, err = loadMTLSMDSTransportCreds(mtlsMDSRoot, mtlsMDSKey)
+		if err != nil {
+			log.Printf("Loading MTLS MDS credentials failed: %v", err)
+			return defaultTransportCreds, config.endpoint, nil
+		}
+	} else if config.s2aAddress != "" {
+		s2aAddr = config.s2aAddress
+	} else {
 		return defaultTransportCreds, config.endpoint, nil
 	}

@ -133,8 +150,9 @@ func GetGRPCTransportCredsAndEndpoint(opts *Options) (credentials.TransportCrede
 	}

 	s2aTransportCreds, err := s2a.NewClientCreds(&s2a.ClientOptions{
-		S2AAddress:   config.s2aAddress,
-		FallbackOpts: fallbackOpts,
+		S2AAddress:     s2aAddr,
+		TransportCreds: transportCredsForS2A,
+		FallbackOpts:   fallbackOpts,
 	})
 	if err != nil {
 		// Use default if we cannot initialize S2A client transport credentials.
@ -151,7 +169,19 @@ func GetHTTPTransportConfig(opts *Options) (cert.Provider, func(context.Context,
 		return nil, nil, err
 	}

-	if config.s2aAddress == "" {
+	var s2aAddr string
+	var transportCredsForS2A credentials.TransportCredentials
+
+	if config.mtlsS2AAddress != "" {
+		s2aAddr = config.mtlsS2AAddress
+		transportCredsForS2A, err = loadMTLSMDSTransportCreds(mtlsMDSRoot, mtlsMDSKey)
+		if err != nil {
+			log.Printf("Loading MTLS MDS credentials failed: %v", err)
+			return config.clientCertSource, nil, nil
+		}
+	} else if config.s2aAddress != "" {
+		s2aAddr = config.s2aAddress
+	} else {
 		return config.clientCertSource, nil, nil
 	}

@ -169,12 +199,38 @@ func GetHTTPTransportConfig(opts *Options) (cert.Provider, func(context.Context,
 	}

 	dialTLSContextFunc := s2a.NewS2ADialTLSContextFunc(&s2a.ClientOptions{
-		S2AAddress:   config.s2aAddress,
-		FallbackOpts: fallbackOpts,
+		S2AAddress:     s2aAddr,
+		TransportCreds: transportCredsForS2A,
+		FallbackOpts:   fallbackOpts,
 	})
 	return nil, dialTLSContextFunc, nil
 }

+func loadMTLSMDSTransportCreds(mtlsMDSRootFile, mtlsMDSKeyFile string) (credentials.TransportCredentials, error) {
+	rootPEM, err := os.ReadFile(mtlsMDSRootFile)
+	if err != nil {
+		return nil, err
+	}
+	caCertPool := x509.NewCertPool()
+	ok := caCertPool.AppendCertsFromPEM(rootPEM)
+	if !ok {
+		return nil, errors.New("failed to load MTLS MDS root certificate")
+	}
+	// The mTLS MDS credentials are formatted as the concatenation of a PEM-encoded certificate chain
+	// followed by a PEM-encoded private key. For this reason, the concatenation is passed in to the
+	// tls.X509KeyPair function as both the certificate chain and private key arguments.
+	cert, err := tls.LoadX509KeyPair(mtlsMDSKeyFile, mtlsMDSKeyFile)
+	if err != nil {
+		return nil, err
+	}
+	tlsConfig := tls.Config{
+		RootCAs:      caCertPool,
+		Certificates: []tls.Certificate{cert},
+		MinVersion:   tls.VersionTLS13,
+	}
+	return credentials.NewTLS(&tlsConfig), nil
+}
+
 func getTransportConfig(opts *Options) (*transportConfig, error) {
 	clientCertSource, err := GetClientCertificateProvider(opts)
 	if err != nil {
@ -196,17 +252,17 @@ func getTransportConfig(opts *Options) (*transportConfig, error) {
 		return nil, errUniverseNotSupportedMTLS
 	}

-	s2aMTLSEndpoint := opts.DefaultMTLSEndpoint
-
 	s2aAddress := GetS2AAddress()
-	if s2aAddress == "" {
+	mtlsS2AAddress := GetMTLSS2AAddress()
+	if s2aAddress == "" && mtlsS2AAddress == "" {
 		return &defaultTransportConfig, nil
 	}
 	return &transportConfig{
 		clientCertSource: clientCertSource,
 		endpoint:         endpoint,
 		s2aAddress:       s2aAddress,
-		s2aMTLSEndpoint:  s2aMTLSEndpoint,
+		mtlsS2AAddress:   mtlsS2AAddress,
+		s2aMTLSEndpoint:  opts.DefaultMTLSEndpoint,
 	}, nil
 }

@ -241,8 +297,10 @@ type transportConfig struct {
 	clientCertSource cert.Provider
 	// The corresponding endpoint to use based on client certificate source.
 	endpoint string
-	// The S2A address if it can be used, otherwise an empty string.
+	// The plaintext S2A address if it can be used, otherwise an empty string.
 	s2aAddress string
+	// The MTLS S2A address if it can be used, otherwise an empty string.
+	mtlsS2AAddress string
 	// The MTLS endpoint to use with S2A.
 	s2aMTLSEndpoint string
 }
--- a/vendor/cloud.google.com/go/auth/internal/transport/s2a.go
+++ b/vendor/cloud.google.com/go/auth/internal/transport/s2a.go
@ -16,11 +16,11 @@ package transport

 import (
 	"encoding/json"
+	"fmt"
 	"log"
 	"os"
 	"strconv"
 	"sync"
-	"time"

 	"cloud.google.com/go/auth/internal/transport/cert"
 	"cloud.google.com/go/compute/metadata"
@ -31,41 +31,38 @@ const (
 )

 var (
-	// The period an MTLS config can be reused before needing refresh.
-	configExpiry = time.Hour
+	mtlsConfiguration *mtlsConfig

-	// mdsMTLSAutoConfigSource is an instance of reuseMTLSConfigSource, with metadataMTLSAutoConfig as its config source.
 	mtlsOnce sync.Once
 )

 // GetS2AAddress returns the S2A address to be reached via plaintext connection.
 // Returns empty string if not set or invalid.
 func GetS2AAddress() string {
-	c, err := getMetadataMTLSAutoConfig().Config()
-	if err != nil {
+	getMetadataMTLSAutoConfig()
+	if !mtlsConfiguration.valid() {
 		return ""
 	}
-	if !c.Valid() {
-		return ""
-	}
-	return c.S2A.PlaintextAddress
+	return mtlsConfiguration.S2A.PlaintextAddress
 }

-type mtlsConfigSource interface {
-	Config() (*mtlsConfig, error)
+// GetMTLSS2AAddress returns the S2A address to be reached via MTLS connection.
+// Returns empty string if not set or invalid.
+func GetMTLSS2AAddress() string {
+	getMetadataMTLSAutoConfig()
+	if !mtlsConfiguration.valid() {
+		return ""
+	}
+	return mtlsConfiguration.S2A.MTLSAddress
 }

 // mtlsConfig contains the configuration for establishing MTLS connections with Google APIs.
 type mtlsConfig struct {
-	S2A    *s2aAddresses `json:"s2a"`
-	Expiry time.Time
+	S2A *s2aAddresses `json:"s2a"`
 }

-func (c *mtlsConfig) Valid() bool {
-	return c != nil && c.S2A != nil && !c.expired()
-}
-func (c *mtlsConfig) expired() bool {
-	return c.Expiry.Before(time.Now())
+func (c *mtlsConfig) valid() bool {
+	return c != nil && c.S2A != nil
 }

 // s2aAddresses contains the plaintext and/or MTLS S2A addresses.
@ -76,80 +73,36 @@ type s2aAddresses struct {
 	MTLSAddress string `json:"mtls_address"`
 }

-// getMetadataMTLSAutoConfig returns mdsMTLSAutoConfigSource, which is backed by config from MDS with auto-refresh.
-func getMetadataMTLSAutoConfig() mtlsConfigSource {
+func getMetadataMTLSAutoConfig() {
+	var err error
 	mtlsOnce.Do(func() {
-		mdsMTLSAutoConfigSource = &reuseMTLSConfigSource{
-			src: &metadataMTLSAutoConfig{},
+		mtlsConfiguration, err = queryConfig()
+		if err != nil {
+			log.Printf("Getting MTLS config failed: %v", err)
 		}
 	})
-	return mdsMTLSAutoConfigSource
 }

-// reuseMTLSConfigSource caches a valid version of mtlsConfig, and uses `src` to refresh upon config expiry.
-// It implements the mtlsConfigSource interface, so calling Config() on it returns an mtlsConfig.
-type reuseMTLSConfigSource struct {
-	src    mtlsConfigSource // src.Config() is called when config is expired
-	mu     sync.Mutex       // mutex guards config
-	config *mtlsConfig      // cached config
-}
-
-func (cs *reuseMTLSConfigSource) Config() (*mtlsConfig, error) {
-	cs.mu.Lock()
-	defer cs.mu.Unlock()
-
-	if cs.config.Valid() {
-		return cs.config, nil
-	}
-	c, err := cs.src.Config()
-	if err != nil {
-		return nil, err
-	}
-	cs.config = c
-	return c, nil
-}
-
-// metadataMTLSAutoConfig is an implementation of the interface mtlsConfigSource
-// It has the logic to query MDS and return an mtlsConfig
-type metadataMTLSAutoConfig struct{}
-
 var httpGetMetadataMTLSConfig = func() (string, error) {
 	return metadata.Get(configEndpointSuffix)
 }

-func (cs *metadataMTLSAutoConfig) Config() (*mtlsConfig, error) {
+func queryConfig() (*mtlsConfig, error) {
 	resp, err := httpGetMetadataMTLSConfig()
 	if err != nil {
-		log.Printf("querying MTLS config from MDS endpoint failed: %v", err)
-		return defaultMTLSConfig(), nil
+		return nil, fmt.Errorf("querying MTLS config from MDS endpoint failed: %w", err)
 	}
 	var config mtlsConfig
 	err = json.Unmarshal([]byte(resp), &config)
 	if err != nil {
-		log.Printf("unmarshalling MTLS config from MDS endpoint failed: %v", err)
-		return defaultMTLSConfig(), nil
+		return nil, fmt.Errorf("unmarshalling MTLS config from MDS endpoint failed: %w", err)
 	}
-
 	if config.S2A == nil {
-		log.Printf("returned MTLS config from MDS endpoint is invalid: %v", config)
-		return defaultMTLSConfig(), nil
+		return nil, fmt.Errorf("returned MTLS config from MDS endpoint is invalid: %v", config)
 	}
-
-	// set new expiry
-	config.Expiry = time.Now().Add(configExpiry)
 	return &config, nil
 }

-func defaultMTLSConfig() *mtlsConfig {
-	return &mtlsConfig{
-		S2A: &s2aAddresses{
-			PlaintextAddress: "",
-			MTLSAddress:      "",
-		},
-		Expiry: time.Now().Add(configExpiry),
-	}
-}
-
 func shouldUseS2A(clientCertSource cert.Provider, opts *Options) bool {
 	// If client cert is found, use that over S2A.
 	if clientCertSource != nil {
--- a/vendor/cloud.google.com/go/auth/oauth2adapt/CHANGES.md
+++ b/vendor/cloud.google.com/go/auth/oauth2adapt/CHANGES.md
@ -1,5 +1,12 @@
 # Changelog

+## [0.2.4](https://github.com/googleapis/google-cloud-go/compare/auth/oauth2adapt/v0.2.3...auth/oauth2adapt/v0.2.4) (2024-08-08)
+
+
+### Bug Fixes
+
+* **auth/oauth2adapt:** Update dependencies ([257c40b](https://github.com/googleapis/google-cloud-go/commit/257c40bd6d7e59730017cf32bda8823d7a232758))
+
 ## [0.2.3](https://github.com/googleapis/google-cloud-go/compare/auth/oauth2adapt/v0.2.2...auth/oauth2adapt/v0.2.3) (2024-07-10)


--- a/vendor/cloud.google.com/go/auth/threelegged.go
+++ b/vendor/cloud.google.com/go/auth/threelegged.go
@ -128,7 +128,7 @@ func (o *Options3LO) client() *http.Client {
 	if o.Client != nil {
 		return o.Client
 	}
-	return internal.CloneDefaultClient()
+	return internal.DefaultClient()
 }

 // authCodeURL returns a URL that points to a OAuth2 consent page.