Merge branch 'main' into predicate-stabilise

Signed-off-by: Eirik A <[email protected]>

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/rust:1.75.0-bullseye
+FROM docker.io/rust:1.77.2-bullseye
 
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt update && apt upgrade -y
@@ -44,16 +44,16 @@ RUN scurl https://raw.githubusercontent.com/rancher/k3d/main/install.sh \
 RUN rustup component add clippy rls rust-src rustfmt
 
 # Install cargo-deny
-ARG CARGO_DENY_VERSION=0.11.4
+ARG CARGO_DENY_VERSION=0.16.1
 RUN scurl "https://github.com/EmbarkStudios/cargo-deny/releases/download/${CARGO_DENY_VERSION}/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl.tar.gz" \
     | tar zvxf - --strip-components=1 -C $HOME/bin "cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl/cargo-deny"
 
 # Install cargo-tarpaulin
-ARG CARGO_TARPAULIN_VERSION=0.20.0
-RUN scurl "https://github.com/xd009642/tarpaulin/releases/download/${CARGO_TARPAULIN_VERSION}/cargo-tarpaulin-${CARGO_TARPAULIN_VERSION}-travis.tar.gz" \
+ARG CARGO_TARPAULIN_VERSION=0.31.2
+RUN scurl "https://github.com/xd009642/tarpaulin/releases/download/${CARGO_TARPAULIN_VERSION}/cargo-tarpaulin-x86_64-unknown-linux-musl.tar.gz" \
     | tar xzvf - -C $HOME/bin
 
-ARG JUST_VERSION=1.1.3
+ARG JUST_VERSION=1.35.0
 RUN scurl https://github.com/casey/just/releases/download/${JUST_VERSION}/just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz \
     | tar xzvf - -C $HOME/bin
 

.github/workflows/ci.yml

@@ -140,7 +140,7 @@ jobs:
       fail-fast: false
       matrix:
         # Run these tests against older clusters as well
-        k8s: [v1.25, v1.29]
+        k8s: [v1.26, v1.30]
     steps:
       - uses: actions/checkout@v4
       - uses: actions-rs/toolchain@v1
@@ -214,7 +214,7 @@ jobs:
 
       - uses: nolar/setup-k3d-k3s@v1
         with:
-          version: v1.25
+          version: v1.26
           # k3d-kube
           k3d-name: kube
           # Used to avoid rate limits when fetching the releases from k3s repo.

.github/workflows/coverage.yml

@@ -25,7 +25,7 @@ jobs:
           tool: [email protected]
       - uses: nolar/setup-k3d-k3s@v1
         with:
-          version: v1.25
+          version: v1.26
           # k3d-kube
           k3d-name: kube
           # Used to avoid rate limits when fetching the releases from k3s repo.

CHANGELOG.md

@@ -5,8 +5,23 @@
 <!-- next-header -->
 UNRELEASED
 ===================
- * see https://github.com/kube-rs/kube/compare/0.94.2...main
+ * see https://github.com/kube-rs/kube/compare/0.95.0...main
 
+[0.95.0](https://github.com/kube-rs/kube/releases/tag/0.95.0) / 2024-09-16
+===================
+<!-- Release notes generated using configuration in .github/release.yml at 0.95.0 -->
+## Kubernetes `v1_31` support via `k8s-openapi` [0.23](https://github.com/Arnavion/k8s-openapi/releases/tag/v0.23.0)
+Please [upgrade k8s-openapi along with kube](https://kube.rs/upgrading/) to avoid conflicts.
+
+New minimum versions: [MSRV](https://kube.rs/rust-version/) 1.77.2, [MK8SV](https://kube.rs/kubernetes-version/): 1.26
+
+## What's Changed
+### Changed
+* Update tokio-tungstenite requirement from 0.23.0 to 0.24.0 by @dependabot in https://github.com/kube-rs/kube/pull/1579
+* Bump `k8s-openapi` to 0.23 for Kubernetes 1.31 support by @clux in https://github.com/kube-rs/kube/pull/1581
+
+
+**Full Changelog**: https://github.com/kube-rs/kube/compare/0.94.2...0.95.0
 [0.94.2](https://github.com/kube-rs/kube/releases/tag/0.94.2) / 2024-09-13
 ===================
 <!-- Release notes generated using configuration in .github/release.yml at 0.94.2 -->

Cargo.toml

@@ -14,7 +14,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.94.2"
+version = "0.95.0"
 authors = [
   "clux <[email protected]>",
   "Natalie Klestrup Röijezon <[email protected]>",
@@ -24,7 +24,7 @@ repository = "https://github.com/kube-rs/kube"
 readme = "README.md"
 license = "Apache-2.0"
 edition = "2021"
-rust-version = "1.75.0"
+rust-version = "1.77.2"
 
 [workspace.lints.rust]
 unsafe_code = "forbid"
@@ -42,7 +42,7 @@ base64 = "0.22.0"
 bytes = "1.1.0"
 chrono = { version = "0.4.34", default-features = false }
 darling = "0.20.3"
-derivative = "2.1.1"
+educe = { version = "0.6.0", default-features = false }
 either = "1.6.1"
 form_urlencoded = "1.2.0"
 futures = { version = "0.3.17", default-features = false }
@@ -52,15 +52,15 @@ http = "1.1.0"
 http-body = "1.0.0"
 http-body-util = "0.1.2"
 hyper = "1.2.0"
-hyper-util = "0.1.3"
+hyper-util = "0.1.9"
 hyper-openssl = "0.10.2"
 hyper-rustls = { version = "0.27.1", default-features = false }
 hyper-socks2 = { version = "0.9.0", default-features = false }
 hyper-timeout = "0.5.1"
 json-patch = "2.0.0"
 jsonptr = "0.4.7"
 jsonpath-rust = "0.5.0"
-k8s-openapi = { version = "0.22.0", default-features = false }
+k8s-openapi = { version = "0.23.0", default-features = false }
 openssl = "0.10.36"
 parking_lot = "0.12.0"
 pem = "3.0.1"
@@ -71,7 +71,7 @@ rand = "0.8.3"
 rustls = { version = "0.23.0", default-features = false }
 rustls-pemfile = "2.0.0"
 schemars = "0.8.6"
-secrecy = "0.8.0"
+secrecy = "0.10.2"
 serde = "1.0.130"
 serde_json = "1.0.68"
 serde-value = "0.7.0"
@@ -82,10 +82,10 @@ tempfile = "3.1.0"
 thiserror = "1.0.29"
 tokio = "1.14.0"
 tokio-test = "0.4.0"
-tokio-tungstenite = "0.23.0"
+tokio-tungstenite = "0.24.0"
 tokio-util = "0.7.0"
-tower = "0.4.13"
-tower-http = "0.5.2"
+tower = "0.5.1"
+tower-http = "0.6.1"
 tower-test = "0.4.0"
 tracing = "0.1.36"
 tracing-subscriber = "0.3.17"

README.md

@@ -1,8 +1,8 @@
 # kube-rs
 
 [![Crates.io](https://img.shields.io/crates/v/kube.svg)](https://crates.io/crates/kube)
-[![Rust 1.75](https://img.shields.io/badge/MSRV-1.75-dea584.svg)](https://github.com/rust-lang/rust/releases/tag/1.75.0)
-[![Tested against Kubernetes v1_25 and above](https://img.shields.io/badge/MK8SV-v1_25-326ce5.svg)](https://kube.rs/kubernetes-version)
+[![Rust 1.77](https://img.shields.io/badge/MSRV-1.77-dea584.svg)](https://github.com/rust-lang/rust/releases/tag/1.77.2)
+[![Tested against Kubernetes v1_26 and above](https://img.shields.io/badge/MK8SV-v1_26-326ce5.svg)](https://kube.rs/kubernetes-version)
 [![Best Practices](https://bestpractices.coreinfrastructure.org/projects/5413/badge)](https://bestpractices.coreinfrastructure.org/projects/5413)
 [![Discord chat](https://img.shields.io/discord/500028886025895936.svg?logo=discord&style=plastic)](https://discord.gg/tokio)
 
@@ -16,8 +16,8 @@ Select a version of `kube` along with the generated [k8s-openapi](https://github
 
 ```toml
 [dependencies]
-kube = { version = "0.94.2", features = ["runtime", "derive"] }
-k8s-openapi = { version = "0.22.0", features = ["latest"] }
+kube = { version = "0.95.0", features = ["runtime", "derive"] }
+k8s-openapi = { version = "0.23.0", features = ["latest"] }
 ```
 
 See [features](https://kube.rs/features/) for a quick overview of default-enabled / opt-in functionality.
@@ -43,7 +43,7 @@ For real world projects see [ADOPTERS](https://kube.rs/adopters/).
 
 ## Api
 
-The [`Api`](https://docs.rs/kube/*/kube/struct.Api.html) is what interacts with Kubernetes resources, and is generic over [`Resource`](https://docs.rs/kube/*/kube/trait.Resource.html):
+The [`Api`](https://docs.rs/kube/latest/kube/struct.Api.html) is what interacts with Kubernetes resources, and is generic over [`Resource`](https://docs.rs/kube/latest/kube/trait.Resource.html):
 
 ```rust
 use k8s_openapi::api::core::v1::Pod;
@@ -102,7 +102,7 @@ A streaming interface (similar to informers) that presents [`watcher::Event`](ht
 
 ```rust
 let api = Api::<Pod>::default_namespaced(client);
-let stream = watcher(api, Config::default()).applied_objects();
+let stream = watcher(api, Config::default()).default_backoff().applied_objects();
 ```
 
 This now gives a continual stream of events and you do not need to care about the watch having to restart, or connections dropping.
@@ -113,6 +113,7 @@ while let Some(event) = stream.try_next().await? {
 }
 ```
 
+
 Note the base items from a `watcher` stream are an abstraction above the native `WatchEvent` to allow for store buffering. If you are following along to "see what changed", you can use utilities from [`WatchStreamExt`](https://docs.rs/kube/latest/kube/runtime/trait.WatchStreamExt.html), such as `applied_objects` to get a more conventional stream.
 
 ## Reflectors
@@ -155,8 +156,8 @@ By default [rustls](https://github.com/rustls/rustls) is used for TLS, but `open
 
 ```toml
 [dependencies]
-kube = { version = "0.94.2", default-features = false, features = ["client", "openssl-tls"] }
-k8s-openapi = { version = "0.22.0", features = ["latest"] }
+kube = { version = "0.95.0", default-features = false, features = ["client", "openssl-tls"] }
+k8s-openapi = { version = "0.23.0", features = ["latest"] }
 ```
 
 This will pull in `openssl` and `hyper-openssl`. If `default-features` is left enabled, you will pull in two TLS stacks, and the default will remain as `rustls`.

deny.toml

@@ -40,6 +40,9 @@ exceptions = [
     # this is not a problem for us. See https://github.com/dtolnay/unicode-ident/pull/9/files
     # for more details.
     { allow = ["Unicode-DFS-2016"], name = "unicode-ident" },
+    # Pulled in via hyper-rustls when using the webpki-roots feature,
+    # which is off by default.
+    { allow = ["MPL-2.0"], name = "webpki-roots" },
 ]
 
 [[licenses.clarify]]
@@ -58,30 +61,22 @@ allow-git = ["https://github.com/tyrone-wu/runtime-macros.git"]
 [bans]
 multiple-versions = "deny"
 
-[[bans.skip]]
-name = "hermit-abi"
-
 [[bans.skip]]
 name = "rustls-native-certs"
 
 [[bans.skip]]
-# Needs a complicated upgrade
-name = "syn"
+# blocked on us swapping out serde_yaml
+name = "hashbrown"
 
 [[bans.skip]]
-# waiting for pem to bump base64
-# https://github.com/jcreekmore/pem-rs/blob/master/Cargo.toml#L16
+# base64 did some annoying breaking changes
 name = "base64"
 
 [[bans.skip]]
 # latest via openssl->hyper-openssl (we have latest)
 # newer via tower-http (we have latest)
 name = "bitflags"
 
-[[bans.skip]]
-# deep in dependency tree, only dual use via dev dependency
-name = "redox_syscall"
-
 [[bans.skip-tree]]
 name = "windows-sys"
 

e2e/Cargo.toml

@@ -19,15 +19,15 @@ path = "boot.rs"
 
 [features]
 latest = ["k8s-openapi/latest"]
-mk8sv = ["k8s-openapi/v1_25"]
+mk8sv = ["k8s-openapi/v1_26"]
 rustls = ["kube/rustls-tls"]
 openssl = ["kube/openssl-tls"]
 
 [dependencies]
 anyhow.workspace = true
 tracing.workspace = true
 tracing-subscriber.workspace = true
-kube = { path = "../kube", version = "^0.94.2", default-features = false, features = ["client", "runtime", "ws", "admission", "gzip"] }
+kube = { path = "../kube", version = "^0.95.0", default-features = false, features = ["client", "runtime", "ws", "admission", "gzip"] }
 k8s-openapi.workspace = true
 serde_json.workspace = true
 tokio = { workspace = true, features = ["full"] }

examples/Cargo.toml

@@ -29,8 +29,8 @@ anyhow.workspace = true
 futures = { workspace = true, features = ["async-await"] }
 jsonpath-rust.workspace = true
 jsonptr.workspace = true
-kube = { path = "../kube", version = "^0.94.2", default-features = false, features = ["admission"] }
-kube-derive = { path = "../kube-derive", version = "^0.94.2", default-features = false } # only needed to opt out of schema
+kube = { path = "../kube", version = "^0.95.0", default-features = false, features = ["admission"] }
+kube-derive = { path = "../kube-derive", version = "^0.95.0", default-features = false } # only needed to opt out of schema
 k8s-openapi.workspace = true
 serde = { workspace = true, features = ["derive"] }
 serde_json.workspace = true

examples/custom_client.rs

@@ -1,6 +1,7 @@
 use hyper_util::rt::TokioExecutor;
 // Minimal custom client example.
 use k8s_openapi::api::core::v1::Pod;
+use tower::BoxError;
 use tracing::*;
 
 use kube::{client::ConfigExt, Api, Client, Config, ResourceExt};
@@ -15,6 +16,7 @@ async fn main() -> anyhow::Result<()> {
     let service = tower::ServiceBuilder::new()
         .layer(config.base_uri_layer())
         .option_layer(config.auth_layer()?)
+        .map_err(BoxError::from)
         .service(hyper_util::client::legacy::Client::builder(TokioExecutor::new()).build(https));
     let client = Client::new(service, config.default_namespace);
 

examples/custom_client_trace.rs

@@ -4,7 +4,7 @@ use hyper::body::Incoming;
 use hyper_util::rt::TokioExecutor;
 use k8s_openapi::api::core::v1::Pod;
 use std::time::Duration;
-use tower::ServiceBuilder;
+use tower::{BoxError, ServiceBuilder};
 use tower_http::{decompression::DecompressionLayer, trace::TraceLayer};
 use tracing::{Span, *};
 
@@ -54,6 +54,7 @@ async fn main() -> anyhow::Result<()> {
                     tracing::debug!("finished in {}ms", latency.as_millis())
                 }),
         )
+        .map_err(BoxError::from)
         .service(hyper_util::client::legacy::Client::builder(TokioExecutor::new()).build(https));
 
     let client = Client::new(service, config.default_namespace);

kube-client/Cargo.toml

@@ -14,6 +14,7 @@ categories = ["web-programming::http-client", "network-programming", "api-bindin
 [features]
 default = ["client"]
 rustls-tls = ["rustls", "rustls-pemfile", "hyper-rustls", "hyper-http-proxy?/rustls-tls-native-roots"]
+webpki-roots = ["hyper-rustls/webpki-roots"]
 aws-lc-rs = ["rustls?/aws-lc-rs"]
 openssl-tls = ["openssl", "hyper-openssl"]
 ws = ["client", "tokio-tungstenite", "rand", "kube-core/ws", "tokio/macros"]
@@ -59,7 +60,7 @@ rustls = { workspace = true, optional = true }
 rustls-pemfile = { workspace = true, optional = true }
 bytes = { workspace = true, optional = true }
 tokio = { workspace = true, features = ["time", "signal", "sync"], optional = true }
-kube-core = { path = "../kube-core", version = "=0.94.2" }
+kube-core = { path = "../kube-core", version = "=0.95.0" }
 jsonpath-rust = { workspace = true, optional = true }
 tokio-util = { workspace = true, features = ["io", "codec"], optional = true }
 hyper = { workspace = true, features = ["client", "http1"], optional = true }
@@ -73,7 +74,7 @@ tower-http = { workspace = true, features = ["auth", "map-response-body", "trace
 hyper-timeout = { workspace = true, optional = true }
 tame-oauth = { workspace = true, features = ["gcp"], optional = true }
 rand = { workspace = true, optional = true }
-secrecy = { workspace = true, features = ["alloc", "serde"] }
+secrecy = { workspace = true }
 tracing = { workspace = true, features = ["log"], optional = true }
 hyper-openssl = { workspace = true, features = ["client-legacy"], optional = true }
 form_urlencoded = { workspace = true, optional = true }

kube-client/src/api/mod.rs

@@ -11,14 +11,9 @@ use std::fmt::Debug;
 mod subresource;
 #[cfg(feature = "ws")]
 #[cfg_attr(docsrs, doc(cfg(feature = "ws")))]
-pub use subresource::{Attach, AttachParams, Execute, Portforward};
+pub use subresource::{Attach, AttachParams, Ephemeral, Execute, Portforward};
 pub use subresource::{Evict, EvictParams, Log, LogParams, ScaleSpec, ScaleStatus};
 
-// Ephemeral containers were stabilized in Kubernetes 1.25.
-k8s_openapi::k8s_if_ge_1_25! {
-    pub use subresource::Ephemeral;
-}
-
 mod util;
 
 pub mod entry;

kube-client/src/client/auth/mod.rs

@@ -144,7 +144,7 @@ impl TokenFile {
 
     /// Get the cached token. Returns `None` if it's expiring.
     fn cached_token(&self) -> Option<&str> {
-        (!self.is_expiring()).then(|| self.token.expose_secret().as_ref())
+        (!self.is_expiring()).then(|| self.token.expose_secret())
     }
 
     /// Get a token. Reloads from file if the cached token is expiring.

kube-client/src/client/auth/oauth.rs

@@ -118,13 +118,19 @@ impl Gcp {
                 // Current TLS feature precedence when more than one are set:
                 // 1. rustls-tls
                 // 2. openssl-tls
-                #[cfg(feature = "rustls-tls")]
+                #[cfg(all(feature = "rustls-tls", not(feature = "webpki-roots")))]
                 let https = hyper_rustls::HttpsConnectorBuilder::new()
                     .with_native_roots()
                     .map_err(Error::NoValidNativeRootCA)?
                     .https_only()
                     .enable_http1()
                     .build();
+                #[cfg(all(feature = "rustls-tls", feature = "webpki-roots"))]
+                let https = hyper_rustls::HttpsConnectorBuilder::new()
+                    .with_webpki_roots()
+                    .https_only()
+                    .enable_http1()
+                    .build();
                 #[cfg(all(not(feature = "rustls-tls"), feature = "openssl-tls"))]
                 let https =
                     hyper_openssl::HttpsConnector::new().map_err(Error::CreateOpensslHttpsConnector)?;