vendor: update docker/cli to 8667ccd

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>

vendor/github.com/docker/cli/cli/context/docker/load.go

@@ -4,7 +4,6 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
-	"fmt"
 	"net"
 	"net/http"
 	"os"
@@ -26,7 +25,12 @@ type EndpointMeta = context.EndpointMetaBase
 // a Docker Engine endpoint, with its tls data
 type Endpoint struct {
 	EndpointMeta
-	TLSData     *context.TLSData
+	TLSData *context.TLSData
+
+	// Deprecated: Use of encrypted TLS private keys has been deprecated, and
+	// will be removed in a future release. Golang has deprecated support for
+	// legacy PEM encryption (as specified in RFC 1423), as it is insecure by
+	// design (see https://go-review.googlesource.com/c/go/+/264159).
 	TLSPassword string
 }
 
@@ -62,16 +66,10 @@ func (c *Endpoint) tlsConfig() (*tls.Config, error) {
 		keyBytes := c.TLSData.Key
 		pemBlock, _ := pem.Decode(keyBytes)
 		if pemBlock == nil {
-			return nil, fmt.Errorf("no valid private key found")
+			return nil, errors.New("no valid private key found")
 		}
-
-		var err error
-		if x509.IsEncryptedPEMBlock(pemBlock) {
-			keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(c.TLSPassword))
-			if err != nil {
-				return nil, errors.Wrap(err, "private key is encrypted, but could not decrypt it")
-			}
-			keyBytes = pem.EncodeToMemory(&pem.Block{Type: pemBlock.Type, Bytes: keyBytes})
+		if x509.IsEncryptedPEMBlock(pemBlock) { //nolint: staticcheck // SA1019: x509.IsEncryptedPEMBlock is deprecated, and insecure by design
+			return nil, errors.New("private key is encrypted - support for encrypted private keys has been removed, see https://docs.docker.com/go/deprecated/")
 		}
 
 		x509cert, err := tls.X509KeyPair(c.TLSData.Cert, keyBytes)

vendor/github.com/docker/cli/cli/context/kubernetes/constants.go

@@ -1,6 +0,0 @@
-package kubernetes
-
-const (
-	// KubernetesEndpoint is the kubernetes endpoint name in a stored context
-	KubernetesEndpoint = "kubernetes"
-)

vendor/github.com/docker/cli/cli/context/kubernetes/load.go

@@ -1,146 +0,0 @@
-package kubernetes
-
-import (
-	"os"
-	"path/filepath"
-
-	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/context"
-	"github.com/docker/cli/cli/context/store"
-	api "github.com/docker/compose-on-kubernetes/api"
-	"github.com/docker/docker/pkg/homedir"
-	"github.com/pkg/errors"
-	"k8s.io/client-go/tools/clientcmd"
-	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
-)
-
-// EndpointMeta is a typed wrapper around a context-store generic endpoint describing
-// a Kubernetes endpoint, without TLS data
-type EndpointMeta struct {
-	context.EndpointMetaBase
-	DefaultNamespace string                           `json:",omitempty"`
-	AuthProvider     *clientcmdapi.AuthProviderConfig `json:",omitempty"`
-	Exec             *clientcmdapi.ExecConfig         `json:",omitempty"`
-	UsernamePassword *UsernamePassword                `json:"usernamePassword,omitempty"`
-}
-
-// UsernamePassword contains username/password auth info
-type UsernamePassword struct {
-	Username string `json:"username,omitempty"`
-	Password string `json:"password,omitempty"`
-}
-
-var _ command.EndpointDefaultResolver = &EndpointMeta{}
-
-// Endpoint is a typed wrapper around a context-store generic endpoint describing
-// a Kubernetes endpoint, with TLS data
-type Endpoint struct {
-	EndpointMeta
-	TLSData *context.TLSData
-}
-
-func init() {
-	command.RegisterDefaultStoreEndpoints(
-		store.EndpointTypeGetter(KubernetesEndpoint, func() interface{} { return &EndpointMeta{} }),
-	)
-}
-
-// WithTLSData loads TLS materials for the endpoint
-func (c *EndpointMeta) WithTLSData(s store.Reader, contextName string) (Endpoint, error) {
-	tlsData, err := context.LoadTLSData(s, contextName, KubernetesEndpoint)
-	if err != nil {
-		return Endpoint{}, err
-	}
-	return Endpoint{
-		EndpointMeta: *c,
-		TLSData:      tlsData,
-	}, nil
-}
-
-// KubernetesConfig creates the kubernetes client config from the endpoint
-func (c *Endpoint) KubernetesConfig() clientcmd.ClientConfig {
-	cfg := clientcmdapi.NewConfig()
-	cluster := clientcmdapi.NewCluster()
-	cluster.Server = c.Host
-	cluster.InsecureSkipTLSVerify = c.SkipTLSVerify
-	authInfo := clientcmdapi.NewAuthInfo()
-	if c.TLSData != nil {
-		cluster.CertificateAuthorityData = c.TLSData.CA
-		authInfo.ClientCertificateData = c.TLSData.Cert
-		authInfo.ClientKeyData = c.TLSData.Key
-	}
-	if c.UsernamePassword != nil {
-		authInfo.Username = c.UsernamePassword.Username
-		authInfo.Password = c.UsernamePassword.Password
-	}
-	authInfo.AuthProvider = c.AuthProvider
-	authInfo.Exec = c.Exec
-	cfg.Clusters["cluster"] = cluster
-	cfg.AuthInfos["authInfo"] = authInfo
-	ctx := clientcmdapi.NewContext()
-	ctx.AuthInfo = "authInfo"
-	ctx.Cluster = "cluster"
-	ctx.Namespace = c.DefaultNamespace
-	cfg.Contexts["context"] = ctx
-	cfg.CurrentContext = "context"
-	return clientcmd.NewDefaultClientConfig(*cfg, &clientcmd.ConfigOverrides{})
-}
-
-// ResolveDefault returns endpoint metadata for the default Kubernetes
-// endpoint, which is derived from the env-based kubeconfig.
-func (c *EndpointMeta) ResolveDefault(stackOrchestrator command.Orchestrator) (interface{}, *store.EndpointTLSData, error) {
-	kubeconfig := os.Getenv("KUBECONFIG")
-	if kubeconfig == "" {
-		kubeconfig = filepath.Join(homedir.Get(), ".kube/config")
-	}
-	kubeEP, err := FromKubeConfig(kubeconfig, "", "")
-	if err != nil {
-		if stackOrchestrator == command.OrchestratorKubernetes || stackOrchestrator == command.OrchestratorAll {
-			return nil, nil, errors.Wrapf(err, "default orchestrator is %s but unable to resolve kubernetes endpoint", stackOrchestrator)
-		}
-
-		// We deliberately quash the error here, returning nil
-		// for the first argument is sufficient to indicate we weren't able to
-		// provide a default
-		return nil, nil, nil
-	}
-
-	var tls *store.EndpointTLSData
-	if kubeEP.TLSData != nil {
-		tls = kubeEP.TLSData.ToStoreTLSData()
-	}
-	return kubeEP.EndpointMeta, tls, nil
-}
-
-// EndpointFromContext extracts kubernetes endpoint info from current context
-func EndpointFromContext(metadata store.Metadata) *EndpointMeta {
-	ep, ok := metadata.Endpoints[KubernetesEndpoint]
-	if !ok {
-		return nil
-	}
-	typed, ok := ep.(EndpointMeta)
-	if !ok {
-		return nil
-	}
-	return &typed
-}
-
-// ConfigFromContext resolves a kubernetes client config for the specified context.
-// If kubeconfigOverride is specified, use this config file instead of the context defaults.ConfigFromContext
-// if command.ContextDockerHost is specified as the context name, fallsback to the default user's kubeconfig file
-func ConfigFromContext(name string, s store.Reader) (clientcmd.ClientConfig, error) {
-	ctxMeta, err := s.GetMetadata(name)
-	if err != nil {
-		return nil, err
-	}
-	epMeta := EndpointFromContext(ctxMeta)
-	if epMeta != nil {
-		ep, err := epMeta.WithTLSData(s, name)
-		if err != nil {
-			return nil, err
-		}
-		return ep.KubernetesConfig(), nil
-	}
-	// context has no kubernetes endpoint
-	return api.NewKubernetesConfig(""), nil
-}

vendor/github.com/docker/cli/cli/context/kubernetes/save.go

@@ -1,69 +0,0 @@
-package kubernetes
-
-import (
-	"io/ioutil"
-
-	"github.com/docker/cli/cli/context"
-	"k8s.io/client-go/tools/clientcmd"
-	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
-)
-
-// FromKubeConfig creates a Kubernetes endpoint from a Kubeconfig file
-func FromKubeConfig(kubeconfig, kubeContext, namespaceOverride string) (Endpoint, error) {
-	cfg := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
-		&clientcmd.ClientConfigLoadingRules{ExplicitPath: kubeconfig},
-		&clientcmd.ConfigOverrides{CurrentContext: kubeContext, Context: clientcmdapi.Context{Namespace: namespaceOverride}})
-	ns, _, err := cfg.Namespace()
-	if err != nil {
-		return Endpoint{}, err
-	}
-	clientcfg, err := cfg.ClientConfig()
-	if err != nil {
-		return Endpoint{}, err
-	}
-	var ca, key, cert []byte
-	if ca, err = readFileOrDefault(clientcfg.CAFile, clientcfg.CAData); err != nil {
-		return Endpoint{}, err
-	}
-	if key, err = readFileOrDefault(clientcfg.KeyFile, clientcfg.KeyData); err != nil {
-		return Endpoint{}, err
-	}
-	if cert, err = readFileOrDefault(clientcfg.CertFile, clientcfg.CertData); err != nil {
-		return Endpoint{}, err
-	}
-	var tlsData *context.TLSData
-	if ca != nil || cert != nil || key != nil {
-		tlsData = &context.TLSData{
-			CA:   ca,
-			Cert: cert,
-			Key:  key,
-		}
-	}
-	var usernamePassword *UsernamePassword
-	if clientcfg.Username != "" || clientcfg.Password != "" {
-		usernamePassword = &UsernamePassword{
-			Username: clientcfg.Username,
-			Password: clientcfg.Password,
-		}
-	}
-	return Endpoint{
-		EndpointMeta: EndpointMeta{
-			EndpointMetaBase: context.EndpointMetaBase{
-				Host:          clientcfg.Host,
-				SkipTLSVerify: clientcfg.Insecure,
-			},
-			DefaultNamespace: ns,
-			AuthProvider:     clientcfg.AuthProvider,
-			Exec:             clientcfg.ExecProvider,
-			UsernamePassword: usernamePassword,
-		},
-		TLSData: tlsData,
-	}, nil
-}
-
-func readFileOrDefault(path string, defaultValue []byte) ([]byte, error) {
-	if path != "" {
-		return ioutil.ReadFile(path)
-	}
-	return defaultValue, nil
-}

vendor/github.com/docker/cli/cli/context/store/doc.go

@@ -12,11 +12,9 @@
 //   - tls/
 //     - <context id>/endpoint1/: directory containing TLS data for the endpoint1 in the corresponding context
 //
-// The context store itself has absolutely no knowledge about what a docker or a kubernetes endpoint should contain in term of metadata or TLS config.
+// The context store itself has absolutely no knowledge about what a docker endpoint should contain in term of metadata or TLS config.
 // Client code is responsible for generating and parsing endpoint metadata and TLS files.
-// The multi-endpoints approach of this package allows to combine many different endpoints in the same "context" (e.g., the Docker CLI
-// is able for a single context to define both a docker endpoint and a Kubernetes endpoint for the same cluster, and also specify which
-// orchestrator to use by default when deploying a compose stack on this cluster).
+// The multi-endpoints approach of this package allows to combine many different endpoints in the same "context".
 //
 // Context IDs are actually SHA256 hashes of the context name, and are there only to avoid dealing with special characters in context names.
 package store

vendor/github.com/docker/cli/cli/context/store/metadatastore.go

@@ -3,7 +3,6 @@ package store
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"reflect"
@@ -35,7 +34,7 @@ func (s *metadataStore) createOrUpdate(meta Metadata) error {
 	if err != nil {
 		return err
 	}
-	return ioutil.WriteFile(filepath.Join(contextDir, metaFile), bytes, 0644)
+	return os.WriteFile(filepath.Join(contextDir, metaFile), bytes, 0644)
 }
 
 func parseTypedOrMap(payload []byte, getter TypeGetter) (interface{}, error) {
@@ -58,7 +57,7 @@ func parseTypedOrMap(payload []byte, getter TypeGetter) (interface{}, error) {
 
 func (s *metadataStore) get(id contextdir) (Metadata, error) {
 	contextDir := s.contextDir(id)
-	bytes, err := ioutil.ReadFile(filepath.Join(contextDir, metaFile))
+	bytes, err := os.ReadFile(filepath.Join(contextDir, metaFile))
 	if err != nil {
 		return Metadata{}, convertContextDoesNotExist(err)
 	}
@@ -117,7 +116,7 @@ func isContextDir(path string) bool {
 }
 
 func listRecursivelyMetadataDirs(root string) ([]string, error) {
-	fis, err := ioutil.ReadDir(root)
+	fis, err := os.ReadDir(root)
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/docker/cli/cli/context/store/store.go

@@ -9,7 +9,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"path"
 	"path/filepath"
@@ -349,7 +348,7 @@ func importTar(name string, s Writer, reader io.Reader) error {
 			return errors.Wrap(err, hdr.Name)
 		}
 		if hdr.Name == metaFile {
-			data, err := ioutil.ReadAll(tr)
+			data, err := io.ReadAll(tr)
 			if err != nil {
 				return err
 			}
@@ -362,7 +361,7 @@ func importTar(name string, s Writer, reader io.Reader) error {
 			}
 			importedMetaFile = true
 		} else if strings.HasPrefix(hdr.Name, "tls/") {
-			data, err := ioutil.ReadAll(tr)
+			data, err := io.ReadAll(tr)
 			if err != nil {
 				return err
 			}
@@ -378,7 +377,7 @@ func importTar(name string, s Writer, reader io.Reader) error {
 }
 
 func importZip(name string, s Writer, reader io.Reader) error {
-	body, err := ioutil.ReadAll(&LimitedReader{R: reader, N: maxAllowedFileSizeToImport})
+	body, err := io.ReadAll(&LimitedReader{R: reader, N: maxAllowedFileSizeToImport})
 	if err != nil {
 		return err
 	}
@@ -406,7 +405,7 @@ func importZip(name string, s Writer, reader io.Reader) error {
 				return err
 			}
 
-			data, err := ioutil.ReadAll(&LimitedReader{R: f, N: maxAllowedFileSizeToImport})
+			data, err := io.ReadAll(&LimitedReader{R: f, N: maxAllowedFileSizeToImport})
 			defer f.Close()
 			if err != nil {
 				return err
@@ -424,7 +423,7 @@ func importZip(name string, s Writer, reader io.Reader) error {
 			if err != nil {
 				return err
 			}
-			data, err := ioutil.ReadAll(f)
+			data, err := io.ReadAll(f)
 			defer f.Close()
 			if err != nil {
 				return err

vendor/github.com/docker/cli/cli/context/store/tlsstore.go

@@ -1,7 +1,6 @@
 package store
 
 import (
-	"io/ioutil"
 	"os"
 	"path/filepath"
 )
@@ -33,18 +32,18 @@ func (s *tlsStore) createOrUpdate(contextID contextdir, endpointName, filename s
 	if err := os.MkdirAll(epdir, 0700); err != nil {
 		return err
 	}
-	return ioutil.WriteFile(s.filePath(contextID, endpointName, filename), data, 0600)
+	return os.WriteFile(s.filePath(contextID, endpointName, filename), data, 0600)
 }
 
 func (s *tlsStore) getData(contextID contextdir, endpointName, filename string) ([]byte, error) {
-	data, err := ioutil.ReadFile(s.filePath(contextID, endpointName, filename))
+	data, err := os.ReadFile(s.filePath(contextID, endpointName, filename))
 	if err != nil {
 		return nil, convertTLSDataDoesNotExist(endpointName, filename, err)
 	}
 	return data, nil
 }
 
-func (s *tlsStore) remove(contextID contextdir, endpointName, filename string) error {
+func (s *tlsStore) remove(contextID contextdir, endpointName, filename string) error { // nolint:unused
 	err := os.Remove(s.filePath(contextID, endpointName, filename))
 	if os.IsNotExist(err) {
 		return nil
@@ -61,7 +60,7 @@ func (s *tlsStore) removeAllContextData(contextID contextdir) error {
 }
 
 func (s *tlsStore) listContextData(contextID contextdir) (map[string]EndpointFiles, error) {
-	epFSs, err := ioutil.ReadDir(s.contextDir(contextID))
+	epFSs, err := os.ReadDir(s.contextDir(contextID))
 	if err != nil {
 		if os.IsNotExist(err) {
 			return map[string]EndpointFiles{}, nil
@@ -72,7 +71,7 @@ func (s *tlsStore) listContextData(contextID contextdir) (map[string]EndpointFil
 	for _, epFS := range epFSs {
 		if epFS.IsDir() {
 			epDir := s.endpointDir(contextID, epFS.Name())
-			fss, err := ioutil.ReadDir(epDir)
+			fss, err := os.ReadDir(epDir)
 			if err != nil {
 				return nil, err
 			}

vendor/github.com/docker/cli/cli/context/tlsdata.go

@@ -1,7 +1,7 @@
 package context
 
 import (
-	"io/ioutil"
+	"os"
 
 	"github.com/docker/cli/cli/context/store"
 	"github.com/pkg/errors"
@@ -77,17 +77,17 @@ func TLSDataFromFiles(caPath, certPath, keyPath string) (*TLSData, error) {
 		err           error
 	)
 	if caPath != "" {
-		if ca, err = ioutil.ReadFile(caPath); err != nil {
+		if ca, err = os.ReadFile(caPath); err != nil {
 			return nil, err
 		}
 	}
 	if certPath != "" {
-		if cert, err = ioutil.ReadFile(certPath); err != nil {
+		if cert, err = os.ReadFile(certPath); err != nil {
 			return nil, err
 		}
 	}
 	if keyPath != "" {
-		if key, err = ioutil.ReadFile(keyPath); err != nil {
+		if key, err = os.ReadFile(keyPath); err != nil {
 			return nil, err
 		}
 	}