Bump libs to k8s.io@v0.32.3, add codegen for k8s 1.32, and drop codegen for k8s 1.25

internal/admissionpluginconfig/admissionpluginconfig_test.go

@@ -48,7 +48,7 @@ func TestValidateAdmissionPluginNames(t *testing.T) {
 				"foobar",
 				"ValidatingAdmissionWebhook",
 			},
-			wantErr: "admission plugin names not recognized: [foobar] (each must be one of [NamespaceLifecycle MutatingAdmissionWebhook ValidatingAdmissionPolicy ValidatingAdmissionWebhook])",
+			wantErr: "admission plugin names not recognized: [foobar] (each must be one of [NamespaceLifecycle MutatingAdmissionPolicy MutatingAdmissionWebhook ValidatingAdmissionPolicy ValidatingAdmissionWebhook])",
 		},
 		{
 			name: "multiple invalid values",
@@ -61,7 +61,7 @@ func TestValidateAdmissionPluginNames(t *testing.T) {
 				"ValidatingAdmissionWebhook",
 				"foobaz",
 			},
-			wantErr: "admission plugin names not recognized: [foobat foobar foobaz] (each must be one of [NamespaceLifecycle MutatingAdmissionWebhook ValidatingAdmissionPolicy ValidatingAdmissionWebhook])",
+			wantErr: "admission plugin names not recognized: [foobat foobar foobaz] (each must be one of [NamespaceLifecycle MutatingAdmissionPolicy MutatingAdmissionWebhook ValidatingAdmissionPolicy ValidatingAdmissionWebhook])",
 		},
 	}
 

internal/concierge/apiserver/apiserver.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package apiserver
@@ -14,7 +14,7 @@ import (
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
-	utilversion "k8s.io/apiserver/pkg/util/version"
+	utilversion "k8s.io/component-base/version"
 
 	"go.pinniped.dev/internal/clientcertissuer"
 	"go.pinniped.dev/internal/controllerinit"

internal/concierge/impersonator/impersonator.go

@@ -44,10 +44,10 @@ import (
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
 	"k8s.io/apiserver/pkg/server/filters"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
-	utilversion "k8s.io/apiserver/pkg/util/version"
 	auditfake "k8s.io/apiserver/plugin/pkg/audit/fake"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/transport"
+	utilversion "k8s.io/component-base/version"
 
 	"go.pinniped.dev/internal/constable"
 	"go.pinniped.dev/internal/crypto/ptls"

internal/config/concierge/config_test.go

@@ -654,7 +654,7 @@ func TestFromPath(t *testing.T) {
 				  impersonationCACertificateSecret: impersonationCACertificateSecret-value
 				  impersonationSignerSecret: impersonationSignerSecret-value
 			`),
-			wantError: "validate aggregatedAPIServerDisableAdmissionPlugins: admission plugin names not recognized: [foobar foobaz] (each must be one of [NamespaceLifecycle MutatingAdmissionWebhook ValidatingAdmissionPolicy ValidatingAdmissionWebhook])",
+			wantError: "validate aggregatedAPIServerDisableAdmissionPlugins: admission plugin names not recognized: [foobar foobaz] (each must be one of [NamespaceLifecycle MutatingAdmissionPolicy MutatingAdmissionWebhook ValidatingAdmissionPolicy ValidatingAdmissionWebhook])",
 		},
 		{
 			name: "returns setAllowedCiphers errors",

internal/config/supervisor/config_test.go

@@ -368,7 +368,7 @@ func TestFromPath(t *testing.T) {
 				  defaultTLSCertificateSecret: my-secret-name
 				aggregatedAPIServerDisableAdmissionPlugins: [foobar, ValidatingAdmissionWebhook, foobaz]
 			`),
-			wantError: "validate aggregatedAPIServerDisableAdmissionPlugins: admission plugin names not recognized: [foobar foobaz] (each must be one of [NamespaceLifecycle MutatingAdmissionWebhook ValidatingAdmissionPolicy ValidatingAdmissionWebhook])",
+			wantError: "validate aggregatedAPIServerDisableAdmissionPlugins: admission plugin names not recognized: [foobar foobaz] (each must be one of [NamespaceLifecycle MutatingAdmissionPolicy MutatingAdmissionWebhook ValidatingAdmissionPolicy ValidatingAdmissionWebhook])",
 		},
 	}
 	for _, test := range tests {

internal/pversion/version_test.go

@@ -1,4 +1,4 @@
-// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package pversion
@@ -11,7 +11,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 	apimachineryversion "k8s.io/apimachinery/pkg/version"
-	utilversion "k8s.io/apiserver/pkg/util/version"
+	utilversion "k8s.io/component-base/version"
 )
 
 func TestGet(t *testing.T) {

internal/registry/credentialrequest/rest.go

@@ -236,16 +236,30 @@ func validateRequest(ctx context.Context, obj runtime.Object, createValidation r
 }
 
 func validateUserInfo(userInfo user.Info) error {
-	switch {
-	case len(userInfo.GetName()) == 0:
+	if len(userInfo.GetName()) == 0 {
 		return errors.New("empty username is not allowed")
-	case len(userInfo.GetUID()) != 0:
-		return errors.New("UIDs are not supported") // certs cannot assert UID
-	case len(userInfo.GetExtra()) != 0:
-		return errors.New("extras are not supported") // certs cannot assert extra
-	default:
+	}
+
+	// certs cannot assert UID
+	if len(userInfo.GetUID()) != 0 {
+		return errors.New("UIDs are not supported")
+	}
+
+	// certs cannot assert extras, but starting in K8s 1.32 the authenticator will always provide this information
+	if len(userInfo.GetExtra()) == 0 { // it's ok for this to be empty...
 		return nil
 	}
+
+	// ... but if it's not empty, should have only exactly this one key.
+	if len(userInfo.GetExtra()) > 1 {
+		return errors.New("extra may have only one key 'authentication.kubernetes.io/credential-id'")
+	}
+
+	_, ok := userInfo.GetExtra()["authentication.kubernetes.io/credential-id"]
+	if !ok {
+		return errors.New("extra may have only one key 'authentication.kubernetes.io/credential-id'")
+	}
+	return nil
 }
 
 func authenticationFailedResponse() *loginapi.TokenCredentialRequest {

internal/registry/credentialrequest/rest_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package credentialrequest
@@ -359,7 +359,7 @@ func TestCreate(t *testing.T) {
 						"name":     "fake-authenticator-name",
 					},
 					"reason":              "unsupported value in userInfo returned by authenticator",
-					"err":                 "extras are not supported",
+					"err":                 "extra may have only one key 'authentication.kubernetes.io/credential-id'",
 					"userInfoExtrasCount": float64(1),
 					"personalInfo": map[string]any{
 						"userInfoName": "test-user",
@@ -369,6 +369,113 @@ func TestCreate(t *testing.T) {
 			}
 		})
 
+		it("CreateSucceedsWithAnUnauthenticatedStatusWhenWebhookReturnsAUserWithTooManyExtra", func() {
+			req := validCredentialRequest()
+
+			requestAuthenticator := mockcredentialrequest.NewMockTokenCredentialRequestAuthenticator(ctrl)
+			requestAuthenticator.EXPECT().AuthenticateTokenCredentialRequest(gomock.Any(), req).
+				Return(&user.DefaultInfo{
+					Name:   "test-user",
+					Groups: []string{"test-group-1", "test-group-2"},
+					Extra: map[string][]string{
+						"test-key": {"test-val-1", "test-val-2"},
+						"authentication.kubernetes.io/credential-id": {"some-value"},
+					},
+				}, nil)
+
+			storage := NewREST(requestAuthenticator, nil, schema.GroupResource{}, auditLogger)
+
+			response, err := callCreate(storage, req)
+
+			requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
+
+			wantAuditLog = []testutil.WantedAuditLog{
+				testutil.WantAuditLog("TokenCredentialRequest Token Received", map[string]any{
+					"auditID": "fake-audit-id",
+					"tokenID": tokenToHash(req.Spec.Token),
+				}),
+				testutil.WantAuditLog("TokenCredentialRequest Unsupported UserInfo", map[string]any{
+					"auditID": "fake-audit-id",
+					"authenticator": map[string]any{
+						"apiGroup": "fake-api-group.com",
+						"kind":     "FakeAuthenticatorKind",
+						"name":     "fake-authenticator-name",
+					},
+					"reason":              "unsupported value in userInfo returned by authenticator",
+					"err":                 "extra may have only one key 'authentication.kubernetes.io/credential-id'",
+					"userInfoExtrasCount": float64(2),
+					"personalInfo": map[string]any{
+						"userInfoName": "test-user",
+						"userInfoUID":  "",
+					},
+				}),
+			}
+		})
+
+		it("CreateSucceedsWhenWebhookReturnsAUserWithValidExtra", func() {
+			req := validCredentialRequest()
+
+			requestAuthenticator := mockcredentialrequest.NewMockTokenCredentialRequestAuthenticator(ctrl)
+			requestAuthenticator.EXPECT().AuthenticateTokenCredentialRequest(gomock.Any(), req).
+				Return(&user.DefaultInfo{
+					Name:   "test-user",
+					Groups: []string{"test-group-1", "test-group-2"},
+					Extra:  map[string][]string{"authentication.kubernetes.io/credential-id": {"test-val-1", "test-val-2"}},
+				}, nil)
+
+			clientCertIssuer := mockissuer.NewMockClientCertIssuer(ctrl)
+			clientCertIssuer.EXPECT().IssueClientCertPEM(
+				"test-user",
+				[]string{"test-group-1", "test-group-2"},
+				5*time.Minute,
+			).Return(&cert.PEM{
+				CertPEM:   []byte("test-cert"),
+				KeyPEM:    []byte("test-key"),
+				NotBefore: fakeNow.Add(-5 * time.Minute),
+				NotAfter:  fakeNow.Add(5 * time.Minute),
+			}, nil)
+
+			storage := NewREST(requestAuthenticator, clientCertIssuer, schema.GroupResource{}, auditLogger)
+
+			response, err := callCreate(storage, req)
+
+			r.NoError(err)
+			r.IsType(&loginapi.TokenCredentialRequest{}, response)
+
+			r.Equal(response, &loginapi.TokenCredentialRequest{
+				Status: loginapi.TokenCredentialRequestStatus{
+					Credential: &loginapi.ClusterCredential{
+						ExpirationTimestamp:   metav1.NewTime(fakeNow.Add(5 * time.Minute).UTC()),
+						ClientCertificateData: "test-cert",
+						ClientKeyData:         "test-key",
+					},
+				},
+			})
+
+			wantAuditLog = []testutil.WantedAuditLog{
+				testutil.WantAuditLog("TokenCredentialRequest Token Received", map[string]any{
+					"auditID": "fake-audit-id",
+					"tokenID": tokenToHash(req.Spec.Token),
+				}),
+				testutil.WantAuditLog("TokenCredentialRequest Authenticated User", map[string]any{
+					"auditID": "fake-audit-id",
+					"authenticator": map[string]any{
+						"apiGroup": "fake-api-group.com",
+						"kind":     "FakeAuthenticatorKind",
+						"name":     "fake-authenticator-name",
+					},
+					"issuedClientCert": map[string]any{
+						"notBefore": "2024-09-12T04:20:56Z", // this is fakeNow - 5 minutes in UTC
+						"notAfter":  "2024-09-12T04:30:56Z", // this is fakeNow + 5 minutes in UTC
+					},
+					"personalInfo": map[string]any{
+						"username": "test-user",
+						"groups":   []any{"test-group-1", "test-group-2"},
+					},
+				}),
+			}
+		})
+
 		it("CreateFailsWhenGivenTheWrongInputType", func() {
 			notACredentialRequest := runtime.Unknown{}
 			response, err := NewREST(nil, nil, schema.GroupResource{}, auditLogger).Create(

internal/supervisor/apiserver/apiserver.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package apiserver
@@ -16,8 +16,8 @@ import (
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
-	utilversion "k8s.io/apiserver/pkg/util/version"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
+	utilversion "k8s.io/component-base/version"
 
 	configv1alpha1clientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
 	"go.pinniped.dev/internal/controllerinit"