Preparing for v0.13 release, point pkg to release-0.13.

Gopkg.toml

@@ -53,7 +53,7 @@ required = [
 
 [[override]]
   name = "knative.dev/pkg"
-  branch = "master"
+  branch = "release-0.13"
 
 [[constraint]]
   name = "github.com/go-kivik/kivik"

vendor/knative.dev/pkg/injection/sharedmain/main.go

@@ -29,7 +29,6 @@ import (
 
 	"go.opencensus.io/stats/view"
 	"golang.org/x/sync/errgroup"
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/rest"
@@ -326,29 +325,13 @@ func WatchObservabilityConfigOrDie(ctx context.Context, cmw *configmap.InformedW
 	if _, err := kubeclient.Get(ctx).CoreV1().ConfigMaps(system.Namespace()).Get(metrics.ConfigMapName(),
 		metav1.GetOptions{}); err == nil {
 		cmw.Watch(metrics.ConfigMapName(),
-			metrics.ConfigMapWatcher(component, SecretFetcher(ctx), logger),
+			metrics.UpdateExporterFromConfigMap(component, logger),
 			profilingHandler.UpdateFromConfigMap)
 	} else if !apierrors.IsNotFound(err) {
 		logger.With(zap.Error(err)).Fatalf("Error reading ConfigMap %q", metrics.ConfigMapName())
 	}
 }
 
-// SecretFetcher provides a helper function to fetch individual Kubernetes
-// Secrets (for example, a key for client-side TLS). Note that this is not
-// intended for high-volume usage; the current use is when establishing a
-// metrics client connection in WatchObservabilityConfigOrDie.
-func SecretFetcher(ctx context.Context) metrics.SecretFetcher {
-	// NOTE: Do not use secrets.Get(ctx) here to get a SecretLister, as it will register
-	// a *global* SecretInformer and require cluster-level `secrets.list` permission,
-	// even if you scope down the Lister to a given namespace after requesting it. Instead,
-	// we package up a function from kubeclient.
-	// TODO(evankanderson): If this direct request to the apiserver on each TLS connection
-	// to the opencensus agent is too much load, switch to a cached Secret.
-	return func(name string) (*corev1.Secret, error) {
-		return kubeclient.Get(ctx).CoreV1().Secrets(system.Namespace()).Get(name, metav1.GetOptions{})
-	}
-}
-
 // ControllersAndWebhooksFromCtors returns a list of the controllers and a list
 // of the webhooks created from the given constructors.
 func ControllersAndWebhooksFromCtors(ctx context.Context,

vendor/knative.dev/pkg/metrics/README.md

@@ -94,8 +94,8 @@ statistics for a short period of time if not.
       **This is true today.**
       [Ensure this on an ongoing basis.](https://github.com/knative/pkg/issues/957)
 - [ ] Google to implement OpenCensus Agent configuration to match what they are
-      doing for Stackdriver now. (No public issue link because this should be
-      in Google's vendor-specific configuration.)
+      doing for Stackdriver now. (No public issue link because this shoud be in
+      Google's vendor-specific configuration.)
 - [ ] Document how to configure OpenCensus/OpenTelemetry Agent + Prometheus to
       achieve the current level of application visibility, and determine a
       long-term course for how to maintain this as a "bare minimum" supported

vendor/knative.dev/pkg/metrics/config.go

@@ -86,10 +86,6 @@ type metricsConfig struct {
 	// writing the metrics to the stats.RecordWithOptions interface.
 	recorder func(context.Context, []stats.Measurement, ...stats.Options) error
 
-	// secretFetcher provides access for fetching Kubernetes Secrets from an
-	// informer cache.
-	secretFetcher SecretFetcher
-
 	// ---- OpenCensus specific below ----
 	// collectorAddress is the address of the collector, if not `localhost:55678`
 	collectorAddress string
@@ -160,10 +156,6 @@ func (mc *metricsConfig) record(ctx context.Context, mss []stats.Measurement, ro
 func createMetricsConfig(ops ExporterOptions, logger *zap.SugaredLogger) (*metricsConfig, error) {
 	var mc metricsConfig
 
-	// We don't check if this is `nil` right now, because this is a transition step.
-	// Eventually, this should be a startup check.
-	mc.secretFetcher = ops.Secrets
-
 	if ops.Domain == "" {
 		return nil, errors.New("metrics domain cannot be empty")
 	}

vendor/knative.dev/pkg/metrics/exporter.go

@@ -29,10 +29,6 @@ var (
 	metricsMux         sync.RWMutex
 )
 
-// SecretFetcher is a function (extracted from SecretNamespaceLister) for fetching
-// a specific Secret. This avoids requiring global or namespace list in controllers.
-type SecretFetcher func(string) (*corev1.Secret, error)
-
 type flushable interface {
 	// Flush waits for metrics to be uploaded.
 	Flush()
@@ -69,29 +65,17 @@ type ExporterOptions struct {
 	// See https://github.com/knative/serving/blob/master/config/config-observability.yaml
 	// for details.
 	ConfigMap map[string]string
-
-	// A lister for Secrets to allow dynamic configuration of outgoing TLS client cert.
-	Secrets SecretFetcher `json:"-"`
 }
 
 // UpdateExporterFromConfigMap returns a helper func that can be used to update the exporter
 // when a config map is updated.
-// DEPRECATED: Callers should migrate to ConfigMapWatcher.
 func UpdateExporterFromConfigMap(component string, logger *zap.SugaredLogger) func(configMap *corev1.ConfigMap) {
-	return ConfigMapWatcher(component, nil, logger)
-}
-
-// ConfigMapWatcher returns a helper func which updates the exporter configuration based on
-// values in the supplied ConfigMap. This method captures a corev1.SecretLister which is used
-// to configure mTLS with the opencensus agent.
-func ConfigMapWatcher(component string, secrets SecretFetcher, logger *zap.SugaredLogger) func(*corev1.ConfigMap) {
 	domain := Domain()
 	return func(configMap *corev1.ConfigMap) {
 		UpdateExporter(ExporterOptions{
 			Domain:    domain,
 			Component: component,
 			ConfigMap: configMap.Data,
-			Secrets:   secrets,
 		}, logger)
 	}
 }

vendor/knative.dev/pkg/metrics/opencensus_exporter.go

@@ -14,24 +14,17 @@ limitations under the License.
 package metrics
 
 import (
-	"crypto/tls"
-	"fmt"
-
 	"contrib.go.opencensus.io/exporter/ocagent"
 	"go.opencensus.io/stats/view"
 	"go.uber.org/zap"
-	"google.golang.org/grpc/credentials"
-	"k8s.io/apimachinery/pkg/api/errors"
 )
 
 func newOpenCensusExporter(config *metricsConfig, logger *zap.SugaredLogger) (view.Exporter, error) {
 	opts := []ocagent.ExporterOption{ocagent.WithServiceName(config.component)}
 	if config.collectorAddress != "" {
 		opts = append(opts, ocagent.WithAddress(config.collectorAddress))
 	}
-	if config.requireSecure {
-		opts = append(opts, ocagent.WithTLSCredentials(credentialFetcher(config.component, config.secretFetcher, logger)))
-	} else {
+	if !config.requireSecure {
 		opts = append(opts, ocagent.WithInsecure())
 	}
 	e, err := ocagent.NewExporter(opts...)
@@ -43,36 +36,3 @@ func newOpenCensusExporter(config *metricsConfig, logger *zap.SugaredLogger) (vi
 	view.RegisterExporter(e)
 	return e, nil
 }
-
-// credentialFetcher attempts to locate a secret containing TLS credentials
-// for communicating with the OpenCensus Agent. To do this, it first looks
-// for a secret named "<component>-opencensus", then for a generic
-// "opencensus" secret.
-func credentialFetcher(component string, lister SecretFetcher, logger *zap.SugaredLogger) credentials.TransportCredentials {
-	if lister == nil {
-		logger.Errorf("No secret lister provided for component %q; cannot use requireSecure=true", component)
-		return nil
-	}
-	return credentials.NewTLS(&tls.Config{
-		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
-			// We ignore the CertificateRequestInfo for now, and hand back a single fixed certificate.
-			// TODO(evankanderson): maybe do something SPIFFE-ier?
-			cert, err := certificateFetcher(component+"-opencensus", lister)
-			if errors.IsNotFound(err) {
-				cert, err = certificateFetcher("opencensus", lister)
-			}
-			if err != nil {
-				return nil, fmt.Errorf("Unable to fetch opencensus secret for %q, cannot use requireSecure=true: %+v", component, err)
-			}
-			return &cert, err
-		},
-	})
-}
-
-func certificateFetcher(secretName string, lister SecretFetcher) (tls.Certificate, error) {
-	secret, err := lister(secretName)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	return tls.X509KeyPair(secret.Data["client-cert.pem"], secret.Data["client-key.pem"])
-}