Bump k8s.io/client-go to v0.22.1

Single change is propagating context across all functions in order to
reach k8s client api. Bump Go version to 1.16 due to io/fs import that
got introduced only at this version.

.github/workflows/ci.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        go: ["1.14", "1.15"]
+        go: ["1.16", "1.17"]
         os: [macos-latest, windows-latest, ubuntu-latest]
     steps:
 
@@ -45,6 +45,12 @@ jobs:
         curl -sLf https://github.com/bitnami/kubecfg/releases/download/v0.16.0/kubecfg-linux-amd64 >~/bin/kubecfg
         chmod +x ~/bin/kubecfg
 
+    - name: Set up Go 1.x
+      uses: actions/setup-go@v2
+      with:
+        go-version: ^1.17
+      id: go
+
     - name: Docker build
       run: |
         export PATH=~/bin:$PATH
@@ -71,7 +77,7 @@ jobs:
     needs: container
     strategy:
       matrix:
-        k8s: ["1.16.13", "1.17.11", "1.20.4"]
+        k8s: ["1.16.13", "1.17.11", "1.20.4", "1.22.5"]
     env:
       MINIKUBE_WANTUPDATENOTIFICATION: "false"
       MINIKUBE_WANTREPORTERRORPROMPT: "false"
@@ -82,7 +88,7 @@ jobs:
     - name: Set up Go 1.x
       uses: actions/setup-go@v2
       with:
-        go-version: ^1.15
+        go-version: ^1.16
       id: go
 
     - name: Set up Ginkgo

cmd/controller/controller.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"crypto/rsa"
 	"encoding/json"
 	"fmt"
@@ -65,7 +66,7 @@ type Controller struct {
 	updateStatus  bool // feature flag that enables updating the status subresource.
 }
 
-func unseal(sclient v1.SecretsGetter, codecs runtimeserializer.CodecFactory, keyRegistry *KeyRegistry, ssecret *ssv1alpha1.SealedSecret) error {
+func unseal(ctx context.Context, sclient v1.SecretsGetter, codecs runtimeserializer.CodecFactory, keyRegistry *KeyRegistry, ssecret *ssv1alpha1.SealedSecret) error {
 	// Important: Be careful not to reveal the namespace/name of
 	// the *decrypted* Secret (or any other detail) in error/log
 	// messages.
@@ -79,9 +80,9 @@ func unseal(sclient v1.SecretsGetter, codecs runtimeserializer.CodecFactory, key
 		return err
 	}
 
-	_, err = sclient.Secrets(ssecret.GetObjectMeta().GetNamespace()).Create(secret)
+	_, err = sclient.Secrets(ssecret.GetObjectMeta().GetNamespace()).Create(ctx, secret, metav1.CreateOptions{})
 	if err != nil && errors.IsAlreadyExists(err) {
-		_, err = sclient.Secrets(ssecret.GetObjectMeta().GetNamespace()).Update(secret)
+		_, err = sclient.Secrets(ssecret.GetObjectMeta().GetNamespace()).Update(ctx, secret, metav1.UpdateOptions{})
 	}
 	if err != nil {
 		// TODO: requeue?
@@ -169,25 +170,27 @@ func (c *Controller) Run(stopCh <-chan struct{}) {
 		return
 	}
 
-	wait.Until(c.runWorker, time.Second, stopCh)
+	wait.Until(func() {
+		c.runWorker(context.Background())
+	}, time.Second, stopCh)
 
 	log.Printf("Shutting down controller")
 }
 
-func (c *Controller) runWorker() {
-	for c.processNextItem() {
+func (c *Controller) runWorker(ctx context.Context) {
+	for c.processNextItem(ctx) {
 		// continue looping
 	}
 }
 
-func (c *Controller) processNextItem() bool {
+func (c *Controller) processNextItem(ctx context.Context) bool {
 	key, quit := c.queue.Get()
 	if quit {
 		return false
 	}
 
 	defer c.queue.Done(key)
-	err := c.unseal(key.(string))
+	err := c.unseal(ctx, key.(string))
 	if err == nil {
 		// No error, reset the ratelimit counters
 		c.queue.Forget(key)
@@ -204,7 +207,7 @@ func (c *Controller) processNextItem() bool {
 	return true
 }
 
-func (c *Controller) unseal(key string) (unsealErr error) {
+func (c *Controller) unseal(ctx context.Context, key string) (unsealErr error) {
 	unsealRequestsTotal.Inc()
 	obj, exists, err := c.informer.GetIndexer().GetByKey(key)
 	if err != nil {
@@ -224,7 +227,7 @@ func (c *Controller) unseal(key string) (unsealErr error) {
 			if err != nil {
 				return err
 			}
-			err = c.sclient.Secrets(ns).Delete(name, &metav1.DeleteOptions{})
+			err = c.sclient.Secrets(ns).Delete(ctx, name, metav1.DeleteOptions{})
 			if err != nil && !errors.IsNotFound(err) {
 				return err
 			}
@@ -256,9 +259,9 @@ func (c *Controller) unseal(key string) (unsealErr error) {
 		return err
 	}
 
-	secret, err := c.sclient.Secrets(ssecret.GetObjectMeta().GetNamespace()).Get(newSecret.GetObjectMeta().GetName(), metav1.GetOptions{})
+	secret, err := c.sclient.Secrets(ssecret.GetObjectMeta().GetNamespace()).Get(ctx, newSecret.GetObjectMeta().GetName(), metav1.GetOptions{})
 	if errors.IsNotFound(err) {
-		secret, err = c.sclient.Secrets(ssecret.GetObjectMeta().GetNamespace()).Create(newSecret)
+		secret, err = c.sclient.Secrets(ssecret.GetObjectMeta().GetNamespace()).Create(ctx, newSecret, metav1.CreateOptions{})
 	}
 	if err != nil {
 		c.recorder.Event(ssecret, corev1.EventTypeWarning, ErrUpdateFailed, err.Error())
@@ -283,7 +286,7 @@ func (c *Controller) unseal(key string) (unsealErr error) {
 	secret.ObjectMeta.Labels = newSecret.ObjectMeta.Labels
 
 	if !apiequality.Semantic.DeepEqual(origSecret, secret) {
-		secret, err = c.sclient.Secrets(ssecret.GetObjectMeta().GetNamespace()).Update(secret)
+		secret, err = c.sclient.Secrets(ssecret.GetObjectMeta().GetNamespace()).Update(ctx, secret, metav1.UpdateOptions{})
 		if err != nil {
 			c.recorder.Event(ssecret, corev1.EventTypeWarning, ErrUpdateFailed, err.Error())
 			unsealErrorsTotal.WithLabelValues("update", ssecret.GetNamespace()).Inc()
@@ -346,8 +349,8 @@ func updateSealedSecretsStatusConditions(st *ssv1alpha1.SealedSecretStatus, unse
 	}
 }
 
-func (c *Controller) updateSecret(newSecret *corev1.Secret) (*corev1.Secret, error) {
-	existingSecret, err := c.sclient.Secrets(newSecret.GetObjectMeta().GetNamespace()).Get(newSecret.GetObjectMeta().GetName(), metav1.GetOptions{})
+func (c *Controller) updateSecret(ctx context.Context, newSecret *corev1.Secret) (*corev1.Secret, error) {
+	existingSecret, err := c.sclient.Secrets(newSecret.GetObjectMeta().GetNamespace()).Get(ctx, newSecret.GetObjectMeta().GetName(), metav1.GetOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to read existing secret: %s", err)
 	}

cmd/controller/keyregistry.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
@@ -46,13 +47,13 @@ func NewKeyRegistry(client kubernetes.Interface, namespace, keyPrefix, keyLabel
 	}
 }
 
-func (kr *KeyRegistry) generateKey() (string, error) {
+func (kr *KeyRegistry) generateKey(ctx context.Context) (string, error) {
 	key, cert, err := generatePrivateKeyAndCert(kr.keysize)
 	if err != nil {
 		return "", err
 	}
 	certs := []*x509.Certificate{cert}
-	generatedName, err := writeKey(kr.client, key, certs, kr.namespace, kr.keyLabel, kr.keyPrefix)
+	generatedName, err := writeKey(ctx, kr.client, key, certs, kr.namespace, kr.keyLabel, kr.keyPrefix)
 	if err != nil {
 		return "", err
 	}

cmd/controller/keys.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
@@ -50,7 +51,7 @@ func writeKeyWithCreationTime(t metav1.Time) writeKeyOpt {
 	return func(opts *writeKeyOpts) { opts.creationTime = t }
 }
 
-func writeKey(client kubernetes.Interface, key *rsa.PrivateKey, certs []*x509.Certificate, namespace, label, prefix string, optSetters ...writeKeyOpt) (string, error) {
+func writeKey(ctx context.Context, client kubernetes.Interface, key *rsa.PrivateKey, certs []*x509.Certificate, namespace, label, prefix string, optSetters ...writeKeyOpt) (string, error) {
 	var opts writeKeyOpts
 	for _, o := range optSetters {
 		o(&opts)
@@ -76,7 +77,7 @@ func writeKey(client kubernetes.Interface, key *rsa.PrivateKey, certs []*x509.Ce
 		Type: v1.SecretTypeTLS,
 	}
 
-	createdSecret, err := client.CoreV1().Secrets(namespace).Create(&secret)
+	createdSecret, err := client.CoreV1().Secrets(namespace).Create(ctx, &secret, metav1.CreateOptions{})
 	if err != nil {
 		return "", err
 	}

cmd/controller/keys_test.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
@@ -67,6 +68,7 @@ func TestReadKey(t *testing.T) {
 }
 
 func TestWriteKey(t *testing.T) {
+	ctx := context.Background()
 	rand := testRand()
 	key, err := rsa.GenerateKey(rand, 512)
 	if err != nil {
@@ -80,7 +82,7 @@ func TestWriteKey(t *testing.T) {
 
 	client := fake.NewSimpleClientset()
 
-	_, err = writeKey(client, key, []*x509.Certificate{cert}, "myns", "label", "mykey")
+	_, err = writeKey(ctx, client, key, []*x509.Certificate{cert}, "myns", "label", "mykey")
 	if err != nil {
 		t.Errorf("writeKey() failed with: %v", err)
 	}

cmd/controller/main.go

@@ -89,17 +89,17 @@ func initKeyPrefix(keyPrefix string) (string, error) {
 	return prefix, err
 }
 
-func initKeyRegistry(client kubernetes.Interface, r io.Reader, namespace, prefix, label string, keysize int) (*KeyRegistry, error) {
+func initKeyRegistry(ctx context.Context, client kubernetes.Interface, r io.Reader, namespace, prefix, label string, keysize int) (*KeyRegistry, error) {
 	log.Printf("Searching for existing private keys")
-	secretList, err := client.CoreV1().Secrets(namespace).List(metav1.ListOptions{
+	secretList, err := client.CoreV1().Secrets(namespace).List(ctx, metav1.ListOptions{
 		LabelSelector: keySelector.String(),
 	})
 	if err != nil {
 		return nil, err
 	}
 	items := secretList.Items
 
-	s, err := client.CoreV1().Secrets(namespace).Get(prefix, metav1.GetOptions{})
+	s, err := client.CoreV1().Secrets(namespace).Get(ctx, prefix, metav1.GetOptions{})
 	if !errors.IsNotFound(err) {
 		if err != nil {
 			return nil, err
@@ -142,18 +142,18 @@ func myNamespace() string {
 // Initialises the first key and starts the rotation job. returns an early trigger function.
 // A period of 0 disables automatic rotation, but manual rotation (e.g. triggered by SIGUSR1)
 // is still honoured.
-func initKeyRenewal(registry *KeyRegistry, period time.Duration, cutoffTime time.Time) (func(), error) {
+func initKeyRenewal(ctx context.Context, registry *KeyRegistry, period time.Duration, cutoffTime time.Time) (func(), error) {
 	// Create a new key if it's the first key,
 	// or if it's older than cutoff time.
 	if len(registry.keys) == 0 || registry.mostRecentKey.creationTime.Before(cutoffTime) {
-		if _, err := registry.generateKey(); err != nil {
+		if _, err := registry.generateKey(ctx); err != nil {
 			return nil, err
 		}
 	}
 
 	// wrapper function to log error thrown by generateKey function
 	keyGenFunc := func() {
-		if _, err := registry.generateKey(); err != nil {
+		if _, err := registry.generateKey(ctx); err != nil {
 			log.Printf("Failed to generate new key : %v\n", err)
 		}
 	}
@@ -188,13 +188,14 @@ func main2() error {
 	}
 
 	myNs := myNamespace()
+	ctx := context.Background()
 
 	prefix, err := initKeyPrefix(*keyPrefix)
 	if err != nil {
 		return err
 	}
 
-	keyRegistry, err := initKeyRegistry(clientset, rand.Reader, myNs, prefix, SealedSecretsKeyLabel, *keySize)
+	keyRegistry, err := initKeyRegistry(ctx, clientset, rand.Reader, myNs, prefix, SealedSecretsKeyLabel, *keySize)
 	if err != nil {
 		return err
 	}
@@ -208,7 +209,7 @@ func main2() error {
 		}
 	}
 
-	trigger, err := initKeyRenewal(keyRegistry, *keyRenewPeriod, ct)
+	trigger, err := initKeyRenewal(ctx, keyRegistry, *keyRenewPeriod, ct)
 	if err != nil {
 		return err
 	}