Merge branch 'main' into bugfix/json-patch-version

.github/workflows/clippy.yml

@@ -14,6 +14,6 @@ jobs:
       - uses: dtolnay/rust-toolchain@nightly
         with:
           components: clippy
-      - uses: clechasseur/rs-clippy-check@v3
+      - uses: clechasseur/rs-clippy-check@v4
         with:
           args: --workspace

Cargo.toml

@@ -37,7 +37,7 @@ assert-json-diff = "2.0.2"
 async-broadcast = "0.7.0"
 async-stream = "0.3.5"
 async-trait = "0.1.64"
-backoff = "0.4.0"
+backon = "1.3"
 base64 = "0.22.1"
 bytes = "1.1.0"
 chrono = { version = "0.4.34", default-features = false }
@@ -68,9 +68,8 @@ pem = "3.0.1"
 pin-project = "1.0.4"
 proc-macro2 = "1.0.29"
 quote = "1.0.10"
-rand = "0.8.3"
+rand = "0.9.0"
 rustls = { version = "0.23.16", default-features = false }
-rustls-pemfile = "2.0.0"
 schemars = "0.8.6"
 secrecy = "0.10.2"
 serde = "1.0.130"

deny.toml

@@ -97,3 +97,17 @@ name = "thiserror-impl"
 name = "security-framework"
 [[bans.skip]]
 name = "core-foundation"
+
+# currently tungstenite hasn't upgraded rand to 0.9 yet, all these are related
+[[bans.skip]]
+name = "rand"
+[[bans.skip]]
+name = "rand_core"
+[[bans.skip]]
+name = "rand_chacha"
+[[bans.skip]]
+name = "getrandom"
+[[bans.skip]]
+name = "wasi"
+[[bans.skip]]
+name = "zerocopy"

examples/Cargo.toml

@@ -24,7 +24,7 @@ latest = ["k8s-openapi/latest"]
 [dev-dependencies]
 tokio-util.workspace = true
 assert-json-diff.workspace = true
-garde = { version = "0.21.0", default-features = false, features = ["derive"] }
+garde = { version = "0.22.0", default-features = false, features = ["derive"] }
 anyhow.workspace = true
 futures = { workspace = true, features = ["async-await"] }
 jsonpath-rust.workspace = true
@@ -52,7 +52,7 @@ tower-http = { workspace = true, features = ["trace", "decompression-gzip"] }
 hyper = { workspace = true, features = ["client", "http1"] }
 hyper-util = { workspace = true, features = ["client-legacy", "http1", "tokio"] }
 thiserror.workspace = true
-backoff.workspace = true
+backon.workspace = true
 clap = { version = "4.0", default-features = false, features = ["std", "cargo", "derive"] }
 edit = "0.1.3"
 tokio-stream = { version = "0.1.9", features = ["net"] }

examples/crd_api.rs

@@ -19,7 +19,10 @@ use kube::{
 #[derive(CustomResource, Deserialize, Serialize, Clone, Debug, Validate, JsonSchema)]
 #[kube(group = "clux.dev", version = "v1", kind = "Foo", namespaced)]
 #[kube(status = "FooStatus")]
-#[kube(scale = r#"{"specReplicasPath":".spec.replicas", "statusReplicasPath":".status.replicas"}"#)]
+#[kube(scale(
+    spec_replicas_path = ".spec.replicas",
+    status_replicas_path = ".status.replicas"
+))]
 #[kube(printcolumn = r#"{"name":"Team", "jsonPath": ".spec.metadata.team", "type": "string"}"#)]
 pub struct FooSpec {
     #[schemars(length(min = 3))]

examples/crd_derive.rs

@@ -22,7 +22,10 @@ use serde::{Deserialize, Serialize};
     derive = "PartialEq",
     derive = "Default",
     shortname = "f",
-    scale = r#"{"specReplicasPath":".spec.replicas", "statusReplicasPath":".status.replicas"}"#,
+    scale(
+        spec_replicas_path = ".spec.replicas",
+        status_replicas_path = ".status.replicas"
+    ),
     printcolumn = r#"{"name":"Spec", "type":"string", "description":"name of foo", "jsonPath":".spec.name"}"#,
     selectable = "spec.name"
 )]

kube-client/Cargo.toml

@@ -13,11 +13,11 @@ categories = ["web-programming::http-client", "network-programming", "api-bindin
 
 [features]
 default = ["client"]
-rustls-tls = ["rustls", "rustls-pemfile", "hyper-rustls", "hyper-http-proxy?/rustls-tls-native-roots"]
+rustls-tls = ["rustls", "hyper-rustls", "hyper-http-proxy?/rustls-tls-native-roots"]
 webpki-roots = ["hyper-rustls/webpki-roots"]
 aws-lc-rs = ["rustls?/aws-lc-rs"]
 openssl-tls = ["openssl", "hyper-openssl"]
-ws = ["client", "tokio-tungstenite", "rand", "kube-core/ws", "tokio/macros"]
+ws = ["client", "tokio-tungstenite", "kube-core/ws", "tokio/macros"]
 kubelet-debug = ["ws", "kube-core/kubelet-debug"]
 oauth = ["client", "tame-oauth"]
 oidc = ["client", "form_urlencoded"]
@@ -57,7 +57,6 @@ futures = { workspace = true, optional = true, features = ["std"] }
 pem = { workspace = true, optional = true }
 openssl = { workspace = true, optional = true }
 rustls = { workspace = true, optional = true }
-rustls-pemfile = { workspace = true, optional = true }
 bytes = { workspace = true, optional = true }
 tokio = { workspace = true, features = ["time", "signal", "sync"], optional = true }
 kube-core = { path = "../kube-core", version = "=0.98.0" }
@@ -73,7 +72,6 @@ tower = { workspace = true, features = ["buffer", "filter", "util"], optional =
 tower-http = { workspace = true, features = ["auth", "map-response-body", "trace"], optional = true }
 hyper-timeout = { workspace = true, optional = true }
 tame-oauth = { workspace = true, features = ["gcp"], optional = true }
-rand = { workspace = true, optional = true }
 secrecy = { workspace = true }
 tracing = { workspace = true, features = ["log"], optional = true }
 hyper-openssl = { workspace = true, features = ["client-legacy"], optional = true }

kube-client/src/client/mod.rs

@@ -206,7 +206,7 @@ impl Client {
             http::header::SEC_WEBSOCKET_VERSION,
             HeaderValue::from_static("13"),
         );
-        let key = upgrade::sec_websocket_key();
+        let key = tokio_tungstenite::tungstenite::handshake::client::generate_key();
         parts.headers.insert(
             http::header::SEC_WEBSOCKET_KEY,
             key.parse().expect("valid header value"),

kube-client/src/client/tls.rs

@@ -14,7 +14,7 @@ pub mod rustls_tls {
     pub enum Error {
         /// Identity PEM is invalid
         #[error("identity PEM is invalid: {0}")]
-        InvalidIdentityPem(#[source] std::io::Error),
+        InvalidIdentityPem(#[source] rustls::pki_types::pem::Error),
 
         /// Identity PEM is missing a private key: the key must be PKCS8 or RSA/PKCS1
         #[error("identity PEM is missing a private key: the key must be PKCS8 or RSA/PKCS1")]
@@ -96,22 +96,19 @@ pub mod rustls_tls {
     }
 
     fn client_auth(data: &[u8]) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>), Error> {
-        use rustls_pemfile::Item;
+        use rustls::pki_types::pem::{self, SectionKind};
 
         let mut cert_chain = Vec::new();
         let mut pkcs8_key = None;
         let mut pkcs1_key = None;
         let mut sec1_key = None;
         let mut reader = std::io::Cursor::new(data);
-        for item in rustls_pemfile::read_all(&mut reader)
-            .collect::<Result<Vec<_>, _>>()
-            .map_err(Error::InvalidIdentityPem)?
-        {
-            match item {
-                Item::X509Certificate(cert) => cert_chain.push(cert),
-                Item::Pkcs8Key(key) => pkcs8_key = Some(PrivateKeyDer::Pkcs8(key)),
-                Item::Pkcs1Key(key) => pkcs1_key = Some(PrivateKeyDer::from(key)),
-                Item::Sec1Key(key) => sec1_key = Some(PrivateKeyDer::from(key)),
+        while let Some((kind, der)) = pem::from_buf(&mut reader).map_err(Error::InvalidIdentityPem)? {
+            match kind {
+                SectionKind::Certificate => cert_chain.push(der.into()),
+                SectionKind::PrivateKey => pkcs8_key = Some(PrivateKeyDer::Pkcs8(der.into())),
+                SectionKind::RsaPrivateKey => pkcs1_key = Some(PrivateKeyDer::Pkcs1(der.into())),
+                SectionKind::EcPrivateKey => sec1_key = Some(PrivateKeyDer::Sec1(der.into())),
                 _ => return Err(Error::UnknownPrivateKeyFormat),
             }
         }

kube-client/src/client/upgrade.rs

@@ -86,11 +86,3 @@ pub fn verify_response(res: &Response<Body>, key: &str) -> Result<(), UpgradeCon
 
     Ok(())
 }
-
-/// Generate a random key for the `Sec-WebSocket-Key` header.
-/// This must be nonce consisting of a randomly selected 16-byte value in base64.
-pub fn sec_websocket_key() -> String {
-    use base64::Engine;
-    let r: [u8; 16] = rand::random();
-    base64::engine::general_purpose::STANDARD.encode(r)
-}

kube-derive/Cargo.toml

@@ -18,6 +18,7 @@ workspace = true
 proc-macro2.workspace = true
 quote.workspace = true
 syn = { workspace = true, features = ["extra-traits"] }
+serde = { workspace = true, features = ["derive"] }
 serde_json.workspace = true
 darling.workspace = true