plugin/kubernetes: Enable protobuf, Update client api package (#1114)

* vendor

* code

vendor/k8s.io/client-go/util/cert/BUILD

@@ -0,0 +1,30 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["csr_test.go"],
+    library = ":go_default_library",
+    tags = ["automanaged"],
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "cert.go",
+        "csr.go",
+        "io.go",
+        "pem.go",
+    ],
+    data = [
+        "testdata/dontUseThisKey.pem",
+    ],
+    tags = ["automanaged"],
+)

vendor/k8s.io/client-go/util/cert/cert.go

@@ -0,0 +1,215 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	cryptorand "crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"math"
+	"math/big"
+	"net"
+	"time"
+)
+
+const (
+	rsaKeySize   = 2048
+	duration365d = time.Hour * 24 * 365
+)
+
+// Config containes the basic fields required for creating a certificate
+type Config struct {
+	CommonName   string
+	Organization []string
+	AltNames     AltNames
+	Usages       []x509.ExtKeyUsage
+}
+
+// AltNames contains the domain names and IP addresses that will be added
+// to the API Server's x509 certificate SubAltNames field. The values will
+// be passed directly to the x509.Certificate object.
+type AltNames struct {
+	DNSNames []string
+	IPs      []net.IP
+}
+
+// NewPrivateKey creates an RSA private key
+func NewPrivateKey() (*rsa.PrivateKey, error) {
+	return rsa.GenerateKey(cryptorand.Reader, rsaKeySize)
+}
+
+// NewSelfSignedCACert creates a CA certificate
+func NewSelfSignedCACert(cfg Config, key *rsa.PrivateKey) (*x509.Certificate, error) {
+	now := time.Now()
+	tmpl := x509.Certificate{
+		SerialNumber: new(big.Int).SetInt64(0),
+		Subject: pkix.Name{
+			CommonName:   cfg.CommonName,
+			Organization: cfg.Organization,
+		},
+		NotBefore:             now.UTC(),
+		NotAfter:              now.Add(duration365d * 10).UTC(),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+		IsCA: true,
+	}
+
+	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
+	if err != nil {
+		return nil, err
+	}
+	return x509.ParseCertificate(certDERBytes)
+}
+
+// NewSignedCert creates a signed certificate using the given CA certificate and key
+func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
+	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+	if err != nil {
+		return nil, err
+	}
+	if len(cfg.CommonName) == 0 {
+		return nil, errors.New("must specify a CommonName")
+	}
+	if len(cfg.Usages) == 0 {
+		return nil, errors.New("must specify at least one ExtKeyUsage")
+	}
+
+	certTmpl := x509.Certificate{
+		Subject: pkix.Name{
+			CommonName:   cfg.CommonName,
+			Organization: cfg.Organization,
+		},
+		DNSNames:     cfg.AltNames.DNSNames,
+		IPAddresses:  cfg.AltNames.IPs,
+		SerialNumber: serial,
+		NotBefore:    caCert.NotBefore,
+		NotAfter:     time.Now().Add(duration365d).UTC(),
+		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  cfg.Usages,
+	}
+	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
+	if err != nil {
+		return nil, err
+	}
+	return x509.ParseCertificate(certDERBytes)
+}
+
+// MakeEllipticPrivateKeyPEM creates an ECDSA private key
+func MakeEllipticPrivateKeyPEM() ([]byte, error) {
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
+	if err != nil {
+		return nil, err
+	}
+
+	derBytes, err := x509.MarshalECPrivateKey(privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	privateKeyPemBlock := &pem.Block{
+		Type:  ECPrivateKeyBlockType,
+		Bytes: derBytes,
+	}
+	return pem.EncodeToMemory(privateKeyPemBlock), nil
+}
+
+// GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host.
+// Host may be an IP or a DNS name
+// You may also specify additional subject alt names (either ip or dns names) for the certificate
+func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) {
+	priv, err := rsa.GenerateKey(cryptorand.Reader, 2048)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour * 24 * 365),
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IsCA: true,
+	}
+
+	if ip := net.ParseIP(host); ip != nil {
+		template.IPAddresses = append(template.IPAddresses, ip)
+	} else {
+		template.DNSNames = append(template.DNSNames, host)
+	}
+
+	template.IPAddresses = append(template.IPAddresses, alternateIPs...)
+	template.DNSNames = append(template.DNSNames, alternateDNS...)
+
+	derBytes, err := x509.CreateCertificate(cryptorand.Reader, &template, &template, &priv.PublicKey, priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Generate cert
+	certBuffer := bytes.Buffer{}
+	if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: derBytes}); err != nil {
+		return nil, nil, err
+	}
+
+	// Generate key
+	keyBuffer := bytes.Buffer{}
+	if err := pem.Encode(&keyBuffer, &pem.Block{Type: RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
+		return nil, nil, err
+	}
+
+	return certBuffer.Bytes(), keyBuffer.Bytes(), nil
+}
+
+// FormatBytesCert receives byte array certificate and formats in human-readable format
+func FormatBytesCert(cert []byte) (string, error) {
+	block, _ := pem.Decode(cert)
+	c, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse certificate [%v]", err)
+	}
+	return FormatCert(c), nil
+}
+
+// FormatCert receives certificate and formats in human-readable format
+func FormatCert(c *x509.Certificate) string {
+	var ips []string
+	for _, ip := range c.IPAddresses {
+		ips = append(ips, ip.String())
+	}
+	altNames := append(ips, c.DNSNames...)
+	res := fmt.Sprintf(
+		"Issuer: CN=%s | Subject: CN=%s | CA: %t\n",
+		c.Issuer.CommonName, c.Subject.CommonName, c.IsCA,
+	)
+	res += fmt.Sprintf("Not before: %s Not After: %s", c.NotBefore, c.NotAfter)
+	if len(altNames) > 0 {
+		res += fmt.Sprintf("\nAlternate Names: %v", altNames)
+	}
+	return res
+}

vendor/k8s.io/client-go/util/cert/csr.go

@@ -0,0 +1,75 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+	cryptorand "crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"net"
+)
+
+// MakeCSR generates a PEM-encoded CSR using the supplied private key, subject, and SANs.
+// All key types that are implemented via crypto.Signer are supported (This includes *rsa.PrivateKey and *ecdsa.PrivateKey.)
+func MakeCSR(privateKey interface{}, subject *pkix.Name, dnsSANs []string, ipSANs []net.IP) (csr []byte, err error) {
+	template := &x509.CertificateRequest{
+		Subject:     *subject,
+		DNSNames:    dnsSANs,
+		IPAddresses: ipSANs,
+	}
+
+	return MakeCSRFromTemplate(privateKey, template)
+}
+
+// MakeCSRFromTemplate generates a PEM-encoded CSR using the supplied private
+// key and certificate request as a template. All key types that are
+// implemented via crypto.Signer are supported (This includes *rsa.PrivateKey
+// and *ecdsa.PrivateKey.)
+func MakeCSRFromTemplate(privateKey interface{}, template *x509.CertificateRequest) ([]byte, error) {
+	t := *template
+	t.SignatureAlgorithm = sigType(privateKey)
+
+	csrDER, err := x509.CreateCertificateRequest(cryptorand.Reader, &t, privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	csrPemBlock := &pem.Block{
+		Type:  CertificateRequestBlockType,
+		Bytes: csrDER,
+	}
+
+	return pem.EncodeToMemory(csrPemBlock), nil
+}
+
+func sigType(privateKey interface{}) x509.SignatureAlgorithm {
+	// Customize the signature for RSA keys, depending on the key size
+	if privateKey, ok := privateKey.(*rsa.PrivateKey); ok {
+		keySize := privateKey.N.BitLen()
+		switch {
+		case keySize >= 4096:
+			return x509.SHA512WithRSA
+		case keySize >= 3072:
+			return x509.SHA384WithRSA
+		default:
+			return x509.SHA256WithRSA
+		}
+	}
+	return x509.UnknownSignatureAlgorithm
+}

vendor/k8s.io/client-go/util/cert/csr_test.go

@@ -0,0 +1,75 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"io/ioutil"
+	"net"
+	"testing"
+)
+
+func TestMakeCSR(t *testing.T) {
+	keyFile := "testdata/dontUseThisKey.pem"
+	subject := &pkix.Name{
+		CommonName: "kube-worker",
+	}
+	dnsSANs := []string{"localhost"}
+	ipSANs := []net.IP{net.ParseIP("127.0.0.1")}
+
+	keyData, err := ioutil.ReadFile(keyFile)
+	if err != nil {
+		t.Fatal(err)
+	}
+	key, err := ParsePrivateKeyPEM(keyData)
+	if err != nil {
+		t.Fatal(err)
+	}
+	csrPEM, err := MakeCSR(key, subject, dnsSANs, ipSANs)
+	if err != nil {
+		t.Error(err)
+	}
+	csrBlock, rest := pem.Decode(csrPEM)
+	if csrBlock == nil {
+		t.Error("Unable to decode MakeCSR result.")
+	}
+	if len(rest) != 0 {
+		t.Error("Found more than one PEM encoded block in the result.")
+	}
+	if csrBlock.Type != CertificateRequestBlockType {
+		t.Errorf("Found block type %q, wanted 'CERTIFICATE REQUEST'", csrBlock.Type)
+	}
+	csr, err := x509.ParseCertificateRequest(csrBlock.Bytes)
+	if err != nil {
+		t.Errorf("Found %v parsing MakeCSR result as a CertificateRequest.", err)
+	}
+	if csr.Subject.CommonName != subject.CommonName {
+		t.Errorf("Wanted %v, got %v", subject, csr.Subject)
+	}
+	if len(csr.DNSNames) != 1 {
+		t.Errorf("Wanted 1 DNS name in the result, got %d", len(csr.DNSNames))
+	} else if csr.DNSNames[0] != dnsSANs[0] {
+		t.Errorf("Wanted %v, got %v", dnsSANs[0], csr.DNSNames[0])
+	}
+	if len(csr.IPAddresses) != 1 {
+		t.Errorf("Wanted 1 IP address in the result, got %d", len(csr.IPAddresses))
+	} else if csr.IPAddresses[0].String() != ipSANs[0].String() {
+		t.Errorf("Wanted %v, got %v", ipSANs[0], csr.IPAddresses[0])
+	}
+}

vendor/k8s.io/client-go/util/cert/io.go

@@ -0,0 +1,150 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+)
+
+// CanReadCertAndKey returns true if the certificate and key files already exists,
+// otherwise returns false. If lost one of cert and key, returns error.
+func CanReadCertAndKey(certPath, keyPath string) (bool, error) {
+	certReadable := canReadFile(certPath)
+	keyReadable := canReadFile(keyPath)
+
+	if certReadable == false && keyReadable == false {
+		return false, nil
+	}
+
+	if certReadable == false {
+		return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", certPath)
+	}
+
+	if keyReadable == false {
+		return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", keyPath)
+	}
+
+	return true, nil
+}
+
+// If the file represented by path exists and
+// readable, returns true otherwise returns false.
+func canReadFile(path string) bool {
+	f, err := os.Open(path)
+	if err != nil {
+		return false
+	}
+
+	defer f.Close()
+
+	return true
+}
+
+// WriteCert writes the pem-encoded certificate data to certPath.
+// The certificate file will be created with file mode 0644.
+// If the certificate file already exists, it will be overwritten.
+// The parent directory of the certPath will be created as needed with file mode 0755.
+func WriteCert(certPath string, data []byte) error {
+	if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil {
+		return err
+	}
+	if err := ioutil.WriteFile(certPath, data, os.FileMode(0644)); err != nil {
+		return err
+	}
+	return nil
+}
+
+// WriteKey writes the pem-encoded key data to keyPath.
+// The key file will be created with file mode 0600.
+// If the key file already exists, it will be overwritten.
+// The parent directory of the keyPath will be created as needed with file mode 0755.
+func WriteKey(keyPath string, data []byte) error {
+	if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil {
+		return err
+	}
+	if err := ioutil.WriteFile(keyPath, data, os.FileMode(0600)); err != nil {
+		return err
+	}
+	return nil
+}
+
+// LoadOrGenerateKeyFile looks for a key in the file at the given path. If it
+// can't find one, it will generate a new key and store it there.
+func LoadOrGenerateKeyFile(keyPath string) (data []byte, wasGenerated bool, err error) {
+	loadedData, err := ioutil.ReadFile(keyPath)
+	if err == nil {
+		return loadedData, false, err
+	}
+	if !os.IsNotExist(err) {
+		return nil, false, fmt.Errorf("error loading key from %s: %v", keyPath, err)
+	}
+
+	generatedData, err := MakeEllipticPrivateKeyPEM()
+	if err != nil {
+		return nil, false, fmt.Errorf("error generating key: %v", err)
+	}
+	if err := WriteKey(keyPath, generatedData); err != nil {
+		return nil, false, fmt.Errorf("error writing key to %s: %v", keyPath, err)
+	}
+	return generatedData, true, nil
+}
+
+// NewPool returns an x509.CertPool containing the certificates in the given PEM-encoded file.
+// Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates
+func NewPool(filename string) (*x509.CertPool, error) {
+	certs, err := CertsFromFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	pool := x509.NewCertPool()
+	for _, cert := range certs {
+		pool.AddCert(cert)
+	}
+	return pool, nil
+}
+
+// CertsFromFile returns the x509.Certificates contained in the given PEM-encoded file.
+// Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates
+func CertsFromFile(file string) ([]*x509.Certificate, error) {
+	pemBlock, err := ioutil.ReadFile(file)
+	if err != nil {
+		return nil, err
+	}
+	certs, err := ParseCertsPEM(pemBlock)
+	if err != nil {
+		return nil, fmt.Errorf("error reading %s: %s", file, err)
+	}
+	return certs, nil
+}
+
+// PrivateKeyFromFile returns the private key in rsa.PrivateKey or ecdsa.PrivateKey format from a given PEM-encoded file.
+// Returns an error if the file could not be read or if the private key could not be parsed.
+func PrivateKeyFromFile(file string) (interface{}, error) {
+	pemBlock, err := ioutil.ReadFile(file)
+	if err != nil {
+		return nil, err
+	}
+	key, err := ParsePrivateKeyPEM(pemBlock)
+	if err != nil {
+		return nil, fmt.Errorf("error reading %s: %v", file, err)
+	}
+	return key, nil
+}

vendor/k8s.io/client-go/util/cert/pem.go

@@ -0,0 +1,138 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+)
+
+const (
+	// ECPrivateKeyBlockType is a possible value for pem.Block.Type.
+	ECPrivateKeyBlockType = "EC PRIVATE KEY"
+	// RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
+	RSAPrivateKeyBlockType = "RSA PRIVATE KEY"
+	// CertificateBlockType is a possible value for pem.Block.Type.
+	CertificateBlockType = "CERTIFICATE"
+	// CertificateRequestBlockType is a possible value for pem.Block.Type.
+	CertificateRequestBlockType = "CERTIFICATE REQUEST"
+	// PrivateKeyBlockType is a possible value for pem.Block.Type.
+	PrivateKeyBlockType = "PRIVATE KEY"
+	// PublicKeyBlockType is a possible value for pem.Block.Type.
+	PublicKeyBlockType = "PUBLIC KEY"
+)
+
+// EncodePublicKeyPEM returns PEM-endcode public data
+func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) {
+	der, err := x509.MarshalPKIXPublicKey(key)
+	if err != nil {
+		return []byte{}, err
+	}
+	block := pem.Block{
+		Type:  PublicKeyBlockType,
+		Bytes: der,
+	}
+	return pem.EncodeToMemory(&block), nil
+}
+
+// EncodePrivateKeyPEM returns PEM-encoded private key data
+func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte {
+	block := pem.Block{
+		Type:  RSAPrivateKeyBlockType,
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
+	}
+	return pem.EncodeToMemory(&block)
+}
+
+// EncodeCertPEM returns PEM-endcoded certificate data
+func EncodeCertPEM(cert *x509.Certificate) []byte {
+	block := pem.Block{
+		Type:  CertificateBlockType,
+		Bytes: cert.Raw,
+	}
+	return pem.EncodeToMemory(&block)
+}
+
+// ParsePrivateKeyPEM returns a private key parsed from a PEM block in the supplied data.
+// Recognizes PEM blocks for "EC PRIVATE KEY", "RSA PRIVATE KEY", or "PRIVATE KEY"
+func ParsePrivateKeyPEM(keyData []byte) (interface{}, error) {
+	var privateKeyPemBlock *pem.Block
+	for {
+		privateKeyPemBlock, keyData = pem.Decode(keyData)
+		if privateKeyPemBlock == nil {
+			break
+		}
+
+		switch privateKeyPemBlock.Type {
+		case ECPrivateKeyBlockType:
+			// ECDSA Private Key in ASN.1 format
+			if key, err := x509.ParseECPrivateKey(privateKeyPemBlock.Bytes); err == nil {
+				return key, nil
+			}
+		case RSAPrivateKeyBlockType:
+			// RSA Private Key in PKCS#1 format
+			if key, err := x509.ParsePKCS1PrivateKey(privateKeyPemBlock.Bytes); err == nil {
+				return key, nil
+			}
+		case PrivateKeyBlockType:
+			// RSA or ECDSA Private Key in unencrypted PKCS#8 format
+			if key, err := x509.ParsePKCS8PrivateKey(privateKeyPemBlock.Bytes); err == nil {
+				return key, nil
+			}
+		}
+
+		// tolerate non-key PEM blocks for compatibility with things like "EC PARAMETERS" blocks
+		// originally, only the first PEM block was parsed and expected to be a key block
+	}
+
+	// we read all the PEM blocks and didn't recognize one
+	return nil, fmt.Errorf("data does not contain a valid RSA or ECDSA private key")
+}
+
+// ParseCertsPEM returns the x509.Certificates contained in the given PEM-encoded byte array
+// Returns an error if a certificate could not be parsed, or if the data does not contain any certificates
+func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) {
+	ok := false
+	certs := []*x509.Certificate{}
+	for len(pemCerts) > 0 {
+		var block *pem.Block
+		block, pemCerts = pem.Decode(pemCerts)
+		if block == nil {
+			break
+		}
+		// Only use PEM "CERTIFICATE" blocks without extra headers
+		if block.Type != CertificateBlockType || len(block.Headers) != 0 {
+			continue
+		}
+
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return certs, err
+		}
+
+		certs = append(certs, cert)
+		ok = true
+	}
+
+	if !ok {
+		return certs, errors.New("could not read any certificates")
+	}
+	return certs, nil
+}

vendor/k8s.io/client-go/util/flowcontrol/BUILD

@@ -0,0 +1,34 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = [
+        "backoff_test.go",
+        "throttle_test.go",
+    ],
+    library = ":go_default_library",
+    tags = ["automanaged"],
+    deps = ["//vendor/k8s.io/apimachinery/pkg/util/clock:go_default_library"],
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "backoff.go",
+        "throttle.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//vendor/github.com/juju/ratelimit:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/clock:go_default_library",
+        "//vendor/k8s.io/client-go/util/integer:go_default_library",
+    ],
+)

vendor/k8s.io/client-go/util/flowcontrol/backoff.go

@@ -0,0 +1,149 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flowcontrol
+
+import (
+	"sync"
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/clock"
+	"k8s.io/client-go/util/integer"
+)
+
+type backoffEntry struct {
+	backoff    time.Duration
+	lastUpdate time.Time
+}
+
+type Backoff struct {
+	sync.Mutex
+	Clock           clock.Clock
+	defaultDuration time.Duration
+	maxDuration     time.Duration
+	perItemBackoff  map[string]*backoffEntry
+}
+
+func NewFakeBackOff(initial, max time.Duration, tc *clock.FakeClock) *Backoff {
+	return &Backoff{
+		perItemBackoff:  map[string]*backoffEntry{},
+		Clock:           tc,
+		defaultDuration: initial,
+		maxDuration:     max,
+	}
+}
+
+func NewBackOff(initial, max time.Duration) *Backoff {
+	return &Backoff{
+		perItemBackoff:  map[string]*backoffEntry{},
+		Clock:           clock.RealClock{},
+		defaultDuration: initial,
+		maxDuration:     max,
+	}
+}
+
+// Get the current backoff Duration
+func (p *Backoff) Get(id string) time.Duration {
+	p.Lock()
+	defer p.Unlock()
+	var delay time.Duration
+	entry, ok := p.perItemBackoff[id]
+	if ok {
+		delay = entry.backoff
+	}
+	return delay
+}
+
+// move backoff to the next mark, capping at maxDuration
+func (p *Backoff) Next(id string, eventTime time.Time) {
+	p.Lock()
+	defer p.Unlock()
+	entry, ok := p.perItemBackoff[id]
+	if !ok || hasExpired(eventTime, entry.lastUpdate, p.maxDuration) {
+		entry = p.initEntryUnsafe(id)
+	} else {
+		delay := entry.backoff * 2 // exponential
+		entry.backoff = time.Duration(integer.Int64Min(int64(delay), int64(p.maxDuration)))
+	}
+	entry.lastUpdate = p.Clock.Now()
+}
+
+// Reset forces clearing of all backoff data for a given key.
+func (p *Backoff) Reset(id string) {
+	p.Lock()
+	defer p.Unlock()
+	delete(p.perItemBackoff, id)
+}
+
+// Returns True if the elapsed time since eventTime is smaller than the current backoff window
+func (p *Backoff) IsInBackOffSince(id string, eventTime time.Time) bool {
+	p.Lock()
+	defer p.Unlock()
+	entry, ok := p.perItemBackoff[id]
+	if !ok {
+		return false
+	}
+	if hasExpired(eventTime, entry.lastUpdate, p.maxDuration) {
+		return false
+	}
+	return p.Clock.Now().Sub(eventTime) < entry.backoff
+}
+
+// Returns True if time since lastupdate is less than the current backoff window.
+func (p *Backoff) IsInBackOffSinceUpdate(id string, eventTime time.Time) bool {
+	p.Lock()
+	defer p.Unlock()
+	entry, ok := p.perItemBackoff[id]
+	if !ok {
+		return false
+	}
+	if hasExpired(eventTime, entry.lastUpdate, p.maxDuration) {
+		return false
+	}
+	return eventTime.Sub(entry.lastUpdate) < entry.backoff
+}
+
+// Garbage collect records that have aged past maxDuration. Backoff users are expected
+// to invoke this periodically.
+func (p *Backoff) GC() {
+	p.Lock()
+	defer p.Unlock()
+	now := p.Clock.Now()
+	for id, entry := range p.perItemBackoff {
+		if now.Sub(entry.lastUpdate) > p.maxDuration*2 {
+			// GC when entry has not been updated for 2*maxDuration
+			delete(p.perItemBackoff, id)
+		}
+	}
+}
+
+func (p *Backoff) DeleteEntry(id string) {
+	p.Lock()
+	defer p.Unlock()
+	delete(p.perItemBackoff, id)
+}
+
+// Take a lock on *Backoff, before calling initEntryUnsafe
+func (p *Backoff) initEntryUnsafe(id string) *backoffEntry {
+	entry := &backoffEntry{backoff: p.defaultDuration}
+	p.perItemBackoff[id] = entry
+	return entry
+}
+
+// After 2*maxDuration we restart the backoff factor to the beginning
+func hasExpired(eventTime time.Time, lastUpdate time.Time, maxDuration time.Duration) bool {
+	return eventTime.Sub(lastUpdate) > maxDuration*2 // consider stable if it's ok for twice the maxDuration
+}

vendor/k8s.io/client-go/util/flowcontrol/backoff_test.go

@@ -0,0 +1,195 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flowcontrol
+
+import (
+	"testing"
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/clock"
+)
+
+func TestSlowBackoff(t *testing.T) {
+	id := "_idSlow"
+	tc := clock.NewFakeClock(time.Now())
+	step := time.Second
+	maxDuration := 50 * step
+
+	b := NewFakeBackOff(step, maxDuration, tc)
+	cases := []time.Duration{0, 1, 2, 4, 8, 16, 32, 50, 50, 50}
+	for ix, c := range cases {
+		tc.Step(step)
+		w := b.Get(id)
+		if w != c*step {
+			t.Errorf("input: '%d': expected %s, got %s", ix, c*step, w)
+		}
+		b.Next(id, tc.Now())
+	}
+
+	//Now confirm that the Reset cancels backoff.
+	b.Next(id, tc.Now())
+	b.Reset(id)
+	if b.Get(id) != 0 {
+		t.Errorf("Reset didn't clear the backoff.")
+	}
+
+}
+
+func TestBackoffReset(t *testing.T) {
+	id := "_idReset"
+	tc := clock.NewFakeClock(time.Now())
+	step := time.Second
+	maxDuration := step * 5
+	b := NewFakeBackOff(step, maxDuration, tc)
+	startTime := tc.Now()
+
+	// get to backoff = maxDuration
+	for i := 0; i <= int(maxDuration/step); i++ {
+		tc.Step(step)
+		b.Next(id, tc.Now())
+	}
+
+	// backoff should be capped at maxDuration
+	if !b.IsInBackOffSince(id, tc.Now()) {
+		t.Errorf("expected to be in Backoff got %s", b.Get(id))
+	}
+
+	lastUpdate := tc.Now()
+	tc.Step(2*maxDuration + step) // time += 11s, 11 > 2*maxDuration
+	if b.IsInBackOffSince(id, lastUpdate) {
+		t.Errorf("expected to not be in Backoff after reset (start=%s, now=%s, lastUpdate=%s), got %s", startTime, tc.Now(), lastUpdate, b.Get(id))
+	}
+}
+
+func TestBackoffHightWaterMark(t *testing.T) {
+	id := "_idHiWaterMark"
+	tc := clock.NewFakeClock(time.Now())
+	step := time.Second
+	maxDuration := 5 * step
+	b := NewFakeBackOff(step, maxDuration, tc)
+
+	// get to backoff = maxDuration
+	for i := 0; i <= int(maxDuration/step); i++ {
+		tc.Step(step)
+		b.Next(id, tc.Now())
+	}
+
+	// backoff high watermark expires after 2*maxDuration
+	tc.Step(maxDuration + step)
+	b.Next(id, tc.Now())
+
+	if b.Get(id) != maxDuration {
+		t.Errorf("expected Backoff to stay at high watermark %s got %s", maxDuration, b.Get(id))
+	}
+}
+
+func TestBackoffGC(t *testing.T) {
+	id := "_idGC"
+	tc := clock.NewFakeClock(time.Now())
+	step := time.Second
+	maxDuration := 5 * step
+
+	b := NewFakeBackOff(step, maxDuration, tc)
+
+	for i := 0; i <= int(maxDuration/step); i++ {
+		tc.Step(step)
+		b.Next(id, tc.Now())
+	}
+	lastUpdate := tc.Now()
+	tc.Step(maxDuration + step)
+	b.GC()
+	_, found := b.perItemBackoff[id]
+	if !found {
+		t.Errorf("expected GC to skip entry, elapsed time=%s maxDuration=%s", tc.Now().Sub(lastUpdate), maxDuration)
+	}
+
+	tc.Step(maxDuration + step)
+	b.GC()
+	r, found := b.perItemBackoff[id]
+	if found {
+		t.Errorf("expected GC of entry after %s got entry %v", tc.Now().Sub(lastUpdate), r)
+	}
+}
+
+func TestIsInBackOffSinceUpdate(t *testing.T) {
+	id := "_idIsInBackOffSinceUpdate"
+	tc := clock.NewFakeClock(time.Now())
+	step := time.Second
+	maxDuration := 10 * step
+	b := NewFakeBackOff(step, maxDuration, tc)
+	startTime := tc.Now()
+
+	cases := []struct {
+		tick      time.Duration
+		inBackOff bool
+		value     int
+	}{
+		{tick: 0, inBackOff: false, value: 0},
+		{tick: 1, inBackOff: false, value: 1},
+		{tick: 2, inBackOff: true, value: 2},
+		{tick: 3, inBackOff: false, value: 2},
+		{tick: 4, inBackOff: true, value: 4},
+		{tick: 5, inBackOff: true, value: 4},
+		{tick: 6, inBackOff: true, value: 4},
+		{tick: 7, inBackOff: false, value: 4},
+		{tick: 8, inBackOff: true, value: 8},
+		{tick: 9, inBackOff: true, value: 8},
+		{tick: 10, inBackOff: true, value: 8},
+		{tick: 11, inBackOff: true, value: 8},
+		{tick: 12, inBackOff: true, value: 8},
+		{tick: 13, inBackOff: true, value: 8},
+		{tick: 14, inBackOff: true, value: 8},
+		{tick: 15, inBackOff: false, value: 8},
+		{tick: 16, inBackOff: true, value: 10},
+		{tick: 17, inBackOff: true, value: 10},
+		{tick: 18, inBackOff: true, value: 10},
+		{tick: 19, inBackOff: true, value: 10},
+		{tick: 20, inBackOff: true, value: 10},
+		{tick: 21, inBackOff: true, value: 10},
+		{tick: 22, inBackOff: true, value: 10},
+		{tick: 23, inBackOff: true, value: 10},
+		{tick: 24, inBackOff: true, value: 10},
+		{tick: 25, inBackOff: false, value: 10},
+		{tick: 26, inBackOff: true, value: 10},
+		{tick: 27, inBackOff: true, value: 10},
+		{tick: 28, inBackOff: true, value: 10},
+		{tick: 29, inBackOff: true, value: 10},
+		{tick: 30, inBackOff: true, value: 10},
+		{tick: 31, inBackOff: true, value: 10},
+		{tick: 32, inBackOff: true, value: 10},
+		{tick: 33, inBackOff: true, value: 10},
+		{tick: 34, inBackOff: true, value: 10},
+		{tick: 35, inBackOff: false, value: 10},
+		{tick: 56, inBackOff: false, value: 0},
+		{tick: 57, inBackOff: false, value: 1},
+	}
+
+	for _, c := range cases {
+		tc.SetTime(startTime.Add(c.tick * step))
+		if c.inBackOff != b.IsInBackOffSinceUpdate(id, tc.Now()) {
+			t.Errorf("expected IsInBackOffSinceUpdate %v got %v at tick %s", c.inBackOff, b.IsInBackOffSinceUpdate(id, tc.Now()), c.tick*step)
+		}
+
+		if c.inBackOff && (time.Duration(c.value)*step != b.Get(id)) {
+			t.Errorf("expected backoff value=%s got %s at tick %s", time.Duration(c.value)*step, b.Get(id), c.tick*step)
+		}
+
+		if !c.inBackOff {
+			b.Next(id, tc.Now())
+		}
+	}
+}

vendor/k8s.io/client-go/util/flowcontrol/throttle.go

@@ -0,0 +1,148 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flowcontrol
+
+import (
+	"sync"
+
+	"github.com/juju/ratelimit"
+)
+
+type RateLimiter interface {
+	// TryAccept returns true if a token is taken immediately. Otherwise,
+	// it returns false.
+	TryAccept() bool
+	// Accept returns once a token becomes available.
+	Accept()
+	// Stop stops the rate limiter, subsequent calls to CanAccept will return false
+	Stop()
+	// Saturation returns a percentage number which describes how saturated
+	// this rate limiter is.
+	// Usually we use token bucket rate limiter. In that case,
+	// 1.0 means no tokens are available; 0.0 means we have a full bucket of tokens to use.
+	Saturation() float64
+	// QPS returns QPS of this rate limiter
+	QPS() float32
+}
+
+type tokenBucketRateLimiter struct {
+	limiter *ratelimit.Bucket
+	qps     float32
+}
+
+// NewTokenBucketRateLimiter creates a rate limiter which implements a token bucket approach.
+// The rate limiter allows bursts of up to 'burst' to exceed the QPS, while still maintaining a
+// smoothed qps rate of 'qps'.
+// The bucket is initially filled with 'burst' tokens, and refills at a rate of 'qps'.
+// The maximum number of tokens in the bucket is capped at 'burst'.
+func NewTokenBucketRateLimiter(qps float32, burst int) RateLimiter {
+	limiter := ratelimit.NewBucketWithRate(float64(qps), int64(burst))
+	return newTokenBucketRateLimiter(limiter, qps)
+}
+
+// An injectable, mockable clock interface.
+type Clock interface {
+	ratelimit.Clock
+}
+
+// NewTokenBucketRateLimiterWithClock is identical to NewTokenBucketRateLimiter
+// but allows an injectable clock, for testing.
+func NewTokenBucketRateLimiterWithClock(qps float32, burst int, clock Clock) RateLimiter {
+	limiter := ratelimit.NewBucketWithRateAndClock(float64(qps), int64(burst), clock)
+	return newTokenBucketRateLimiter(limiter, qps)
+}
+
+func newTokenBucketRateLimiter(limiter *ratelimit.Bucket, qps float32) RateLimiter {
+	return &tokenBucketRateLimiter{
+		limiter: limiter,
+		qps:     qps,
+	}
+}
+
+func (t *tokenBucketRateLimiter) TryAccept() bool {
+	return t.limiter.TakeAvailable(1) == 1
+}
+
+func (t *tokenBucketRateLimiter) Saturation() float64 {
+	capacity := t.limiter.Capacity()
+	avail := t.limiter.Available()
+	return float64(capacity-avail) / float64(capacity)
+}
+
+// Accept will block until a token becomes available
+func (t *tokenBucketRateLimiter) Accept() {
+	t.limiter.Wait(1)
+}
+
+func (t *tokenBucketRateLimiter) Stop() {
+}
+
+func (t *tokenBucketRateLimiter) QPS() float32 {
+	return t.qps
+}
+
+type fakeAlwaysRateLimiter struct{}
+
+func NewFakeAlwaysRateLimiter() RateLimiter {
+	return &fakeAlwaysRateLimiter{}
+}
+
+func (t *fakeAlwaysRateLimiter) TryAccept() bool {
+	return true
+}
+
+func (t *fakeAlwaysRateLimiter) Saturation() float64 {
+	return 0
+}
+
+func (t *fakeAlwaysRateLimiter) Stop() {}
+
+func (t *fakeAlwaysRateLimiter) Accept() {}
+
+func (t *fakeAlwaysRateLimiter) QPS() float32 {
+	return 1
+}
+
+type fakeNeverRateLimiter struct {
+	wg sync.WaitGroup
+}
+
+func NewFakeNeverRateLimiter() RateLimiter {
+	rl := fakeNeverRateLimiter{}
+	rl.wg.Add(1)
+	return &rl
+}
+
+func (t *fakeNeverRateLimiter) TryAccept() bool {
+	return false
+}
+
+func (t *fakeNeverRateLimiter) Saturation() float64 {
+	return 1
+}
+
+func (t *fakeNeverRateLimiter) Stop() {
+	t.wg.Done()
+}
+
+func (t *fakeNeverRateLimiter) Accept() {
+	t.wg.Wait()
+}
+
+func (t *fakeNeverRateLimiter) QPS() float32 {
+	return 1
+}

vendor/k8s.io/client-go/util/flowcontrol/throttle_test.go

@@ -0,0 +1,177 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flowcontrol
+
+import (
+	"math"
+	"sync"
+	"testing"
+	"time"
+)
+
+func TestMultithreadedThrottling(t *testing.T) {
+	// Bucket with 100QPS and no burst
+	r := NewTokenBucketRateLimiter(100, 1)
+
+	// channel to collect 100 tokens
+	taken := make(chan bool, 100)
+
+	// Set up goroutines to hammer the throttler
+	startCh := make(chan bool)
+	endCh := make(chan bool)
+	for i := 0; i < 10; i++ {
+		go func() {
+			// wait for the starting signal
+			<-startCh
+			for {
+				// get a token
+				r.Accept()
+				select {
+				// try to add it to the taken channel
+				case taken <- true:
+					continue
+				// if taken is full, notify and return
+				default:
+					endCh <- true
+					return
+				}
+			}
+		}()
+	}
+
+	// record wall time
+	startTime := time.Now()
+	// take the initial capacity so all tokens are the result of refill
+	r.Accept()
+	// start the thundering herd
+	close(startCh)
+	// wait for the first signal that we collected 100 tokens
+	<-endCh
+	// record wall time
+	endTime := time.Now()
+
+	// tolerate a 1% clock change because these things happen
+	if duration := endTime.Sub(startTime); duration < (time.Second * 99 / 100) {
+		// We shouldn't be able to get 100 tokens out of the bucket in less than 1 second of wall clock time, no matter what
+		t.Errorf("Expected it to take at least 1 second to get 100 tokens, took %v", duration)
+	} else {
+		t.Logf("Took %v to get 100 tokens", duration)
+	}
+}
+
+func TestBasicThrottle(t *testing.T) {
+	r := NewTokenBucketRateLimiter(1, 3)
+	for i := 0; i < 3; i++ {
+		if !r.TryAccept() {
+			t.Error("unexpected false accept")
+		}
+	}
+	if r.TryAccept() {
+		t.Error("unexpected true accept")
+	}
+}
+
+func TestIncrementThrottle(t *testing.T) {
+	r := NewTokenBucketRateLimiter(1, 1)
+	if !r.TryAccept() {
+		t.Error("unexpected false accept")
+	}
+	if r.TryAccept() {
+		t.Error("unexpected true accept")
+	}
+
+	// Allow to refill
+	time.Sleep(2 * time.Second)
+
+	if !r.TryAccept() {
+		t.Error("unexpected false accept")
+	}
+}
+
+func TestThrottle(t *testing.T) {
+	r := NewTokenBucketRateLimiter(10, 5)
+
+	// Should consume 5 tokens immediately, then
+	// the remaining 11 should take at least 1 second (0.1s each)
+	expectedFinish := time.Now().Add(time.Second * 1)
+	for i := 0; i < 16; i++ {
+		r.Accept()
+	}
+	if time.Now().Before(expectedFinish) {
+		t.Error("rate limit was not respected, finished too early")
+	}
+}
+
+func TestRateLimiterSaturation(t *testing.T) {
+	const e = 0.000001
+	tests := []struct {
+		capacity int
+		take     int
+
+		expectedSaturation float64
+	}{
+		{1, 1, 1},
+		{10, 3, 0.3},
+	}
+	for i, tt := range tests {
+		rl := NewTokenBucketRateLimiter(1, tt.capacity)
+		for i := 0; i < tt.take; i++ {
+			rl.Accept()
+		}
+		if math.Abs(rl.Saturation()-tt.expectedSaturation) > e {
+			t.Fatalf("#%d: Saturation rate difference isn't within tolerable range\n want=%f, get=%f",
+				i, tt.expectedSaturation, rl.Saturation())
+		}
+	}
+}
+
+func TestAlwaysFake(t *testing.T) {
+	rl := NewFakeAlwaysRateLimiter()
+	if !rl.TryAccept() {
+		t.Error("TryAccept in AlwaysFake should return true.")
+	}
+	// If this will block the test will timeout
+	rl.Accept()
+}
+
+func TestNeverFake(t *testing.T) {
+	rl := NewFakeNeverRateLimiter()
+	if rl.TryAccept() {
+		t.Error("TryAccept in NeverFake should return false.")
+	}
+
+	finished := false
+	wg := sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		rl.Accept()
+		finished = true
+		wg.Done()
+	}()
+
+	// Wait some time to make sure it never finished.
+	time.Sleep(time.Second)
+	if finished {
+		t.Error("Accept should block forever in NeverFake.")
+	}
+
+	rl.Stop()
+	wg.Wait()
+	if !finished {
+		t.Error("Stop should make Accept unblock in NeverFake.")
+	}
+}

vendor/k8s.io/client-go/util/homedir/BUILD

@@ -0,0 +1,14 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["homedir.go"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/client-go/util/homedir/homedir.go

@@ -0,0 +1,47 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package homedir
+
+import (
+	"os"
+	"runtime"
+)
+
+// HomeDir returns the home directory for the current user
+func HomeDir() string {
+	if runtime.GOOS == "windows" {
+
+		// First prefer the HOME environmental variable
+		if home := os.Getenv("HOME"); len(home) > 0 {
+			if _, err := os.Stat(home); err == nil {
+				return home
+			}
+		}
+		if homeDrive, homePath := os.Getenv("HOMEDRIVE"), os.Getenv("HOMEPATH"); len(homeDrive) > 0 && len(homePath) > 0 {
+			homeDir := homeDrive + homePath
+			if _, err := os.Stat(homeDir); err == nil {
+				return homeDir
+			}
+		}
+		if userProfile := os.Getenv("USERPROFILE"); len(userProfile) > 0 {
+			if _, err := os.Stat(userProfile); err == nil {
+				return userProfile
+			}
+		}
+	}
+	return os.Getenv("HOME")
+}

vendor/k8s.io/client-go/util/integer/BUILD

@@ -0,0 +1,22 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["integer_test.go"],
+    library = ":go_default_library",
+    tags = ["automanaged"],
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["integer.go"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/client-go/util/integer/integer.go

@@ -0,0 +1,67 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package integer
+
+func IntMax(a, b int) int {
+	if b > a {
+		return b
+	}
+	return a
+}
+
+func IntMin(a, b int) int {
+	if b < a {
+		return b
+	}
+	return a
+}
+
+func Int32Max(a, b int32) int32 {
+	if b > a {
+		return b
+	}
+	return a
+}
+
+func Int32Min(a, b int32) int32 {
+	if b < a {
+		return b
+	}
+	return a
+}
+
+func Int64Max(a, b int64) int64 {
+	if b > a {
+		return b
+	}
+	return a
+}
+
+func Int64Min(a, b int64) int64 {
+	if b < a {
+		return b
+	}
+	return a
+}
+
+// RoundToInt32 rounds floats into integer numbers.
+func RoundToInt32(a float64) int32 {
+	if a < 0 {
+		return int32(a - 0.5)
+	}
+	return int32(a + 0.5)
+}

vendor/k8s.io/client-go/util/integer/integer_test.go

@@ -0,0 +1,244 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package integer
+
+import "testing"
+
+func TestIntMax(t *testing.T) {
+	tests := []struct {
+		nums        []int
+		expectedMax int
+	}{
+		{
+			nums:        []int{-1, 0},
+			expectedMax: 0,
+		},
+		{
+			nums:        []int{-1, -2},
+			expectedMax: -1,
+		},
+		{
+			nums:        []int{0, 1},
+			expectedMax: 1,
+		},
+		{
+			nums:        []int{1, 2},
+			expectedMax: 2,
+		},
+	}
+
+	for i, test := range tests {
+		t.Logf("executing scenario %d", i)
+		if max := IntMax(test.nums[0], test.nums[1]); max != test.expectedMax {
+			t.Errorf("expected %v,  got %v", test.expectedMax, max)
+		}
+	}
+}
+
+func TestIntMin(t *testing.T) {
+	tests := []struct {
+		nums        []int
+		expectedMin int
+	}{
+		{
+			nums:        []int{-1, 0},
+			expectedMin: -1,
+		},
+		{
+			nums:        []int{-1, -2},
+			expectedMin: -2,
+		},
+		{
+			nums:        []int{0, 1},
+			expectedMin: 0,
+		},
+		{
+			nums:        []int{1, 2},
+			expectedMin: 1,
+		},
+	}
+
+	for i, test := range tests {
+		t.Logf("executing scenario %d", i)
+		if min := IntMin(test.nums[0], test.nums[1]); min != test.expectedMin {
+			t.Errorf("expected %v,  got %v", test.expectedMin, min)
+		}
+	}
+}
+
+func TestInt32Max(t *testing.T) {
+	tests := []struct {
+		nums        []int32
+		expectedMax int32
+	}{
+		{
+			nums:        []int32{-1, 0},
+			expectedMax: 0,
+		},
+		{
+			nums:        []int32{-1, -2},
+			expectedMax: -1,
+		},
+		{
+			nums:        []int32{0, 1},
+			expectedMax: 1,
+		},
+		{
+			nums:        []int32{1, 2},
+			expectedMax: 2,
+		},
+	}
+
+	for i, test := range tests {
+		t.Logf("executing scenario %d", i)
+		if max := Int32Max(test.nums[0], test.nums[1]); max != test.expectedMax {
+			t.Errorf("expected %v,  got %v", test.expectedMax, max)
+		}
+	}
+}
+
+func TestInt32Min(t *testing.T) {
+	tests := []struct {
+		nums        []int32
+		expectedMin int32
+	}{
+		{
+			nums:        []int32{-1, 0},
+			expectedMin: -1,
+		},
+		{
+			nums:        []int32{-1, -2},
+			expectedMin: -2,
+		},
+		{
+			nums:        []int32{0, 1},
+			expectedMin: 0,
+		},
+		{
+			nums:        []int32{1, 2},
+			expectedMin: 1,
+		},
+	}
+
+	for i, test := range tests {
+		t.Logf("executing scenario %d", i)
+		if min := Int32Min(test.nums[0], test.nums[1]); min != test.expectedMin {
+			t.Errorf("expected %v,  got %v", test.expectedMin, min)
+		}
+	}
+}
+
+func TestInt64Max(t *testing.T) {
+	tests := []struct {
+		nums        []int64
+		expectedMax int64
+	}{
+		{
+			nums:        []int64{-1, 0},
+			expectedMax: 0,
+		},
+		{
+			nums:        []int64{-1, -2},
+			expectedMax: -1,
+		},
+		{
+			nums:        []int64{0, 1},
+			expectedMax: 1,
+		},
+		{
+			nums:        []int64{1, 2},
+			expectedMax: 2,
+		},
+	}
+
+	for i, test := range tests {
+		t.Logf("executing scenario %d", i)
+		if max := Int64Max(test.nums[0], test.nums[1]); max != test.expectedMax {
+			t.Errorf("expected %v,  got %v", test.expectedMax, max)
+		}
+	}
+}
+
+func TestInt64Min(t *testing.T) {
+	tests := []struct {
+		nums        []int64
+		expectedMin int64
+	}{
+		{
+			nums:        []int64{-1, 0},
+			expectedMin: -1,
+		},
+		{
+			nums:        []int64{-1, -2},
+			expectedMin: -2,
+		},
+		{
+			nums:        []int64{0, 1},
+			expectedMin: 0,
+		},
+		{
+			nums:        []int64{1, 2},
+			expectedMin: 1,
+		},
+	}
+
+	for i, test := range tests {
+		t.Logf("executing scenario %d", i)
+		if min := Int64Min(test.nums[0], test.nums[1]); min != test.expectedMin {
+			t.Errorf("expected %v,  got %v", test.expectedMin, min)
+		}
+	}
+}
+
+func TestRoundToInt32(t *testing.T) {
+	tests := []struct {
+		num float64
+		exp int32
+	}{
+		{
+			num: 5.5,
+			exp: 6,
+		},
+		{
+			num: -3.7,
+			exp: -4,
+		},
+		{
+			num: 3.49,
+			exp: 3,
+		},
+		{
+			num: -7.9,
+			exp: -8,
+		},
+		{
+			num: -4.499999,
+			exp: -4,
+		},
+		{
+			num: 0,
+			exp: 0,
+		},
+	}
+
+	for i, test := range tests {
+		t.Logf("executing scenario %d", i)
+		if got := RoundToInt32(test.num); got != test.exp {
+			t.Errorf("expected %d, got %d", test.exp, got)
+		}
+	}
+}