policy: update to kube-rs v0.85 and friends

deny.toml

@@ -56,15 +56,21 @@ wildcards = "allow"
 highlight = "all"
 deny = []
 skip = [
-    # Waiting on h2, tonic, etc
-    { name = "tokio-util", version = "0.6" },
     # `rustls-pemfile` and `k8s-openapi` depend on versions of `base64` that
     # have diverged significantly.
     { name = "base64" },
     # `metrics` depends on an old versoin of `ahash`.
     { name = "ahash", version = "0.7" },
     # syn v2 has been released and some libraries are slower to adopt it
     { name = "syn", version = "1.0" },
+    # `tower-http` (a transitive dep via `kubert`) depends on v2.x of `bitflags`,
+    # while pretty much the entire rest of the world is still on v1.x
+    { name = "bitflags", version = "1.0" },
+]
+skip-tree = [
+    # `serde_json` and `h2` depend on diverged versions of `indexmap` (2.0.x and
+    # 1.9.x, respectively)
+    { name = "indexmap" },
 ]
 
 [sources]

policy-controller/Cargo.toml

@@ -17,8 +17,8 @@ anyhow = "1"
 async-trait = "0.1"
 drain = "0.1"
 futures = { version = "0.3", default-features = false }
-k8s-gateway-api = "0.11"
-k8s-openapi = { version = "0.17", features = ["v1_20"] }
+k8s-gateway-api = "0.13"
+k8s-openapi = { version = "0.19", features = ["v1_20"] }
 hyper = { version = "0.14", features = ["http1", "http2", "runtime", "server"] }
 ipnet = { version = "2", default-features = false }
 linkerd-policy-controller-core = { path = "./core" }
@@ -40,14 +40,14 @@ default-features = false
 features = ["derive", "env", "std"]
 
 [dependencies.kube]
-version = "0.80"
+version = "0.85"
 default-features = false
 features = ["admission", "derive"]
 
 [dependencies.kubert]
-version = "0.16"
+version = "0.18"
 default-features = false
-features = ["clap", "index", "lease", "metrics", "runtime", "server"]
+features = ["clap", "index", "lease", "metrics", "runtime", "server", "rustls-tls"]
 
 [dependencies.tokio]
 version = "1"

policy-controller/k8s/api/Cargo.toml

@@ -6,11 +6,11 @@ license = "Apache-2.0"
 publish = false
 
 [dependencies]
-k8s-openapi = { version = "0.17", default-features = false, features = [
+k8s-openapi = { version = "0.19", default-features = false, features = [
     "v1_20",
 ] }
-k8s-gateway-api = "0.11"
-kube = { version = "0.80", default-features = false, features = [
+k8s-gateway-api = "0.13"
+kube = { version = "0.85", default-features = false, features = [
     "client",
     "derive",
     "runtime",
@@ -19,7 +19,7 @@ ipnet = { version = "2.7", features = ["json"] }
 schemars = "0.8"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-serde_yaml = "0.8"
+serde_yaml = "0.9"
 thiserror = "1"
 tokio = { version = "1", features = ["time"] }
 tracing = "0.1"

policy-controller/k8s/index/Cargo.toml

@@ -10,8 +10,13 @@ ahash = "0.8"
 anyhow = "1"
 futures = { version = "0.3", default-features = false }
 http = "0.2"
-k8s-gateway-api = "0.11"
-kubert = { version = "0.16", default-features = false, features = ["index"] }
+k8s-gateway-api = "0.13"
+kube = { version = "0.85", default-features = false, features = [
+    "client",
+    "derive",
+    "runtime",
+] }
+kubert = { version = "0.18", default-features = false, features = ["index"] }
 linkerd-policy-controller-core = { path = "../../core" }
 linkerd-policy-controller-k8s-api = { path = "../api" }
 parking_lot = "0.12"

policy-controller/k8s/index/src/inbound/http_route.rs

@@ -227,6 +227,9 @@ impl RouteBinding {
                 Filter::RequestRedirect(filter)
             }
 
+            api::HttpRouteFilter::ResponseHeaderModifier { .. } => {
+                bail!("ResponseHeaderModifier filter is not supported in Linkerd 2.13")
+            }
             api::HttpRouteFilter::RequestMirror { .. } => {
                 bail!("RequestMirror filter is not supported")
             }

policy-controller/k8s/status/Cargo.toml

@@ -10,7 +10,7 @@ ahash = "0.8"
 anyhow = "1"
 # Fix for https://github.com/chronotope/chrono/issues/602
 chrono = { version = "0.4.24", default-features = false, features = ["clock"] }
-kubert = { version = "0.16", default-features = false, features = [
+kubert = { version = "0.18", default-features = false, features = [
     "index",
     "lease",
 ] }

policy-controller/src/main.rs

@@ -6,7 +6,7 @@ use clap::Parser;
 use futures::prelude::*;
 use k8s::{api::apps::v1::Deployment, Client, ObjectMeta, Resource};
 use k8s_openapi::api::coordination::v1 as coordv1;
-use kube::api::{ListParams, PatchParams};
+use kube::{api::PatchParams, runtime::watcher};
 use kubert::LeaseManager;
 use linkerd_policy_controller::{
     grpc, inbound, index_list::IndexList, k8s, outbound, Admission, ClusterInfo, DefaultPolicy,
@@ -167,13 +167,13 @@ async fn main() -> Result<()> {
 
     // Spawn resource watches.
 
-    let pods =
-        runtime.watch_all::<k8s::Pod>(ListParams::default().labels("linkerd.io/control-plane-ns"));
+    let pods = runtime
+        .watch_all::<k8s::Pod>(watcher::Config::default().labels("linkerd.io/control-plane-ns"));
     tokio::spawn(
         kubert::index::namespaced(inbound_index.clone(), pods).instrument(info_span!("pods")),
     );
 
-    let servers = runtime.watch_all::<k8s::policy::Server>(ListParams::default());
+    let servers = runtime.watch_all::<k8s::policy::Server>(watcher::Config::default());
     let servers_indexes = IndexList::new(inbound_index.clone())
         .push(status_index.clone())
         .shared();
@@ -182,34 +182,34 @@ async fn main() -> Result<()> {
     );
 
     let server_authzs =
-        runtime.watch_all::<k8s::policy::ServerAuthorization>(ListParams::default());
+        runtime.watch_all::<k8s::policy::ServerAuthorization>(watcher::Config::default());
     tokio::spawn(
         kubert::index::namespaced(inbound_index.clone(), server_authzs)
             .instrument(info_span!("serverauthorizations")),
     );
 
     let authz_policies =
-        runtime.watch_all::<k8s::policy::AuthorizationPolicy>(ListParams::default());
+        runtime.watch_all::<k8s::policy::AuthorizationPolicy>(watcher::Config::default());
     tokio::spawn(
         kubert::index::namespaced(inbound_index.clone(), authz_policies)
             .instrument(info_span!("authorizationpolicies")),
     );
 
     let mtls_authns =
-        runtime.watch_all::<k8s::policy::MeshTLSAuthentication>(ListParams::default());
+        runtime.watch_all::<k8s::policy::MeshTLSAuthentication>(watcher::Config::default());
     tokio::spawn(
         kubert::index::namespaced(inbound_index.clone(), mtls_authns)
             .instrument(info_span!("meshtlsauthentications")),
     );
 
     let network_authns =
-        runtime.watch_all::<k8s::policy::NetworkAuthentication>(ListParams::default());
+        runtime.watch_all::<k8s::policy::NetworkAuthentication>(watcher::Config::default());
     tokio::spawn(
         kubert::index::namespaced(inbound_index.clone(), network_authns)
             .instrument(info_span!("networkauthentications")),
     );
 
-    let http_routes = runtime.watch_all::<k8s::policy::HttpRoute>(ListParams::default());
+    let http_routes = runtime.watch_all::<k8s::policy::HttpRoute>(watcher::Config::default());
     let http_routes_indexes = IndexList::new(inbound_index.clone())
         .push(outbound_index.clone())
         .push(status_index.clone())
@@ -219,7 +219,7 @@ async fn main() -> Result<()> {
             .instrument(info_span!("httproutes")),
     );
 
-    let services = runtime.watch_all::<k8s::Service>(ListParams::default());
+    let services = runtime.watch_all::<k8s::Service>(watcher::Config::default());
     let services_indexes = IndexList::new(outbound_index.clone())
         .push(status_index.clone())
         .shared();

policy-test/Cargo.toml

@@ -10,8 +10,8 @@ anyhow = "1"
 hyper = { version = "0.14", features = ["client", "http2"] }
 futures = { version = "0.3", default-features = false }
 ipnet = "2"
-k8s-gateway-api = "0.11"
-k8s-openapi = { version = "0.17", features = ["v1_20"] }
+k8s-gateway-api = "0.13"
+k8s-openapi = { version = "0.19", features = ["v1_20"] }
 linkerd-policy-controller-core = { path = "../policy-controller/core" }
 linkerd-policy-controller-k8s-api = { path = "../policy-controller/k8s/api" }
 maplit = "1"
@@ -25,7 +25,7 @@ tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 
 [dependencies.kube]
-version = "0.80"
+version = "0.85"
 default-features = false
 features = ["client", "openssl-tls", "runtime", "ws"]
 

policy-test/src/lib.rs

@@ -392,7 +392,7 @@ async fn await_service_account(client: &kube::Client, ns: &str, name: &str) {
     tokio::pin! {
         let sas = kube::runtime::watcher(
             kube::Api::<k8s::ServiceAccount>::namespaced(client.clone(), ns),
-            kube::api::ListParams::default(),
+            Default::default(),
         );
     }
     loop {