build(deps)!: bump the kube group with 4 updates (#366)

Updates the requirements on [kube-client](https://github.com/kube-rs/kube), [kube-core](https://github.com/kube-rs/kube), [kube-runtime](https://github.com/kube-rs/kube) and [kube](https://github.com/kube-rs/kube) to permit the latest version.

Updates `kube-client` to 0.98.0
- [Release notes](https://github.com/kube-rs/kube/releases)
- [Changelog](https://github.com/kube-rs/kube/blob/main/CHANGELOG.md)
- [Commits](kube-rs/kube@0.98.0...0.98.0)

Updates `kube-core` to 0.99.0
- [Release notes](https://github.com/kube-rs/kube/releases)
- [Changelog](https://github.com/kube-rs/kube/blob/main/CHANGELOG.md)
- [Commits](kube-rs/kube@0.98.0...0.99.0)

Updates `kube-runtime` to 0.98.0
- [Release notes](https://github.com/kube-rs/kube/releases)
- [Changelog](https://github.com/kube-rs/kube/blob/main/CHANGELOG.md)
- [Commits](kube-rs/kube@0.98.0...0.98.0)

Updates `kube` to 0.98.0
- [Release notes](https://github.com/kube-rs/kube/releases)
- [Changelog](https://github.com/kube-rs/kube/blob/main/CHANGELOG.md)
- [Commits](kube-rs/kube@0.98.0...0.98.0)

---
updated-dependencies:
- dependency-name: kube-client
  dependency-type: direct:production
  dependency-group: kube
- dependency-name: kube-core
  dependency-type: direct:production
  dependency-group: kube
- dependency-name: kube-runtime
  dependency-type: direct:production
  dependency-group: kube
- dependency-name: kube
  dependency-type: direct:production
  dependency-group: kube
...

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Oliver Gould <[email protected]>

Author: dependabot[bot]

Cargo.toml

@@ -22,11 +22,12 @@ hyper-util = { version = "0.1", default-features = false }
 
 k8s-openapi = { version = "0.24", default-features = false }
 
-kube-client = { version = "0.98", default-features = false }
-kube-core = { version = "0.98", default-features = false }
-kube-runtime = { version = "0.98", default-features = false }
-kube = { version = "0.98", default-features = false }
+kube-client = { version = "0.99", default-features = false }
+kube-core = { version = "0.99", default-features = false }
+kube-runtime = { version = "0.99", default-features = false }
+kube = { version = "0.99", default-features = false }
 
 prometheus-client = { version = "0.23.0", default-features = false }
 
 tokio = { version = "1.17.0", default-features = false }
+tokio-rustls = { version = "0.26.1", default-features = false }

deny.toml

@@ -2,8 +2,6 @@
 db-path = "~/.cargo/advisory-db"
 db-urls = ["https://github.com/rustsec/advisory-db"]
 ignore = [
-    # kube-runtime uses backoff uses instant which is unmaintained.
-    "RUSTSEC-2024-0384",
 ]
 
 [licenses]
@@ -13,6 +11,7 @@ allow = [
     "BSD-3-Clause",
     "ISC",
     "MIT",
+    "OpenSSL",
     "Unicode-3.0",
     "Zlib",
 ]

examples/Cargo.toml

@@ -11,7 +11,7 @@ release = false
 
 [features]
 default = ["rustls-tls"]
-rustls-tls = ["kubert/rustls-tls"]
+rustls-tls = ["kubert/rustls-tls-aws-lc-rs"]
 openssl-tls = ["kubert/openssl-tls", "dep:openssl"]
 
 [dependencies.kubert]
@@ -53,7 +53,7 @@ features = ["latest"]
 
 [dev-dependencies.kube]
 workspace = true
-features = ["client", "derive", "rustls-tls", "runtime"]
+features = ["client", "derive", "runtime"]
 
 [dev-dependencies.tokio]
 workspace = true

kubert/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "kubert"
-version = "0.23.1"
+version = "0.24.0"
 edition = "2021"
 license = "Apache-2.0"
 description = "Kubernetes runtime helpers. Based on kube-rs."
@@ -15,6 +15,18 @@ rustls-tls = [
     "dep:tokio-rustls",
     "kube-client?/rustls-tls",
 ]
+rustls-tls-aws-lc-rs = [
+    "rustls-tls",
+    "tokio-rustls/aws-lc-rs",
+    "kube-client?/aws-lc-rs",
+    "kube-client?/rustls-tls",
+]
+rustls-tls-ring = [
+    "rustls-tls",
+    "tokio-rustls/ring",
+    "kube-client?/ring",
+    "kube-client?/rustls-tls",
+]
 openssl-tls = [
     "dep:hyper-openssl",
     "dep:once_cell",
@@ -76,7 +88,7 @@ initialized = [
     "tokio/sync",
 ]
 lease = [
-    "dep:backoff",
+    "dep:backon",
     "dep:chrono",
     "dep:futures-util",
     "dep:hyper",
@@ -183,7 +195,7 @@ unexpected_cfgs = { level = "warn", check-cfg = ['cfg(tokio_unstable)'] }
 
 [dependencies]
 ahash = { version = "0.8", optional = true }
-backoff = { version = "0.4", features = ["tokio"], optional = true }
+backon = { version = "1", optional = true, features = ["tokio-sleep"] }
 bytes = { version = "1", optional = true }
 drain = { version = "0.2.1", optional = true, default-features = false }
 chrono = { version = "0.4", optional = true, default-features = false }
@@ -204,7 +216,7 @@ serde_json = { version = "1", optional = true }
 sha2 = { version = "0.10", optional = true }
 thiserror = { version = "2", optional = true }
 tokio = { workspace = true, optional = false, default-features = false }
-tokio-rustls = { version = "0.26.1", optional = true, default-features = false }
+tokio-rustls = { workspace = true, optional = true }
 tokio-openssl = { version = "0.6.3", optional = true }
 tokio-util = { version = "0.7", optional = true, default-features = false }
 tower-http = { version = "0.6.0", optional = true, default-features = false }
@@ -253,6 +265,7 @@ features = ["rt"]
 # === Dev ===
 
 [dev-dependencies]
+tokio-rustls = { workspace = true, features = ["aws-lc-rs"] }
 kube = { workspace = true, features = ["runtime"] }
 rcgen = { version = "0.13.0" }
 tempfile = "3.8"

kubert/src/lease.rs

@@ -7,7 +7,6 @@
 //! [`LeaseManager`] interacts with a [`coordv1::Lease`] resource to ensure that
 //! only a single claimant owns the lease at a time.
 
-use futures_util::TryFutureExt;
 use k8s_openapi::{api::coordination::v1 as coordv1, apimachinery::pkg::apis::meta::v1 as metav1};
 use std::{borrow::Cow, sync::Arc};
 use tokio::time::{self, Duration};
@@ -161,7 +160,7 @@ impl Claim {
 impl LeaseManager {
     pub(crate) const DEFAULT_FIELD_MANAGER: &'static str = "kubert";
     const DEFAULT_MIN_BACKOFF: Duration = Duration::from_millis(5);
-    const DEFAULT_BACKOFF_JITTER: f64 = 0.5; // up to 50% of the backoff duration
+    const DEFAULT_BACKOFF_JITTER: f32 = 0.5; // up to 50% of the backoff duration
     const API_TIMEOUT: Duration = Duration::from_secs(10);
 
     /// Initialize a lease's state from the Kubernetes API.
@@ -371,10 +370,12 @@ impl LeaseManager {
         let claimant = claimant.to_string();
         let mut claim = self.ensure_claimed(&claimant, &params).await?;
         let (tx, rx) = tokio::sync::watch::channel(claim.clone());
-        let mut new_backoff = backoff::ExponentialBackoffBuilder::default();
+
+        use backon::Retryable;
+        let new_backoff = backon::ExponentialBuilder::default();
         new_backoff
-            .with_initial_interval(Self::DEFAULT_MIN_BACKOFF)
-            .with_randomization_factor(Self::DEFAULT_BACKOFF_JITTER);
+            .with_min_delay(Self::DEFAULT_MIN_BACKOFF)
+            .with_factor(Self::DEFAULT_BACKOFF_JITTER);
 
         let task = tokio::spawn(async move {
             loop {
@@ -395,31 +396,22 @@ impl LeaseManager {
                 }
 
                 // Update the claim and broadcast it to all receivers.
-                let backoff = new_backoff.with_max_interval(grace).build();
-                claim = backoff::future::retry(backoff, || {
-                    self.ensure_claimed(&claimant, &params).map_err(|err| match err {
-                        err @ Error::Api(kube_client::Error::Auth(_))
-                        | err @ Error::Api(kube_client::Error::Discovery(_))
-                        | err @ Error::Api(kube_client::Error::BuildRequest(_)) => {
-                            backoff::Error::Permanent(err)
-                        },
-                        err @ Error::Api(kube_client::Error::InferConfig(_)) => {
+                let backoff = new_backoff.with_max_delay(grace);
+                claim = (|| async { self.ensure_claimed(&claimant, &params).await })
+                    .retry(backoff)
+                    .when(|err| match err {
+                        Error::Api(kube_client::Error::Auth(_))
+                        | Error::Api(kube_client::Error::Discovery(_))
+                        | Error::Api(kube_client::Error::BuildRequest(_)) => false,
+                        Error::Api(kube_client::Error::InferConfig(_)) => {
                             debug_assert!(false, "InferConfig errors should only be returned when constructing a new client");
-                            backoff::Error::Permanent(err)
+                            false
                         },
                         // Retry any other API request errors.
-                        err => {
-                            tracing::debug!(error = %err, "Error claiming lease, retrying...");
-                            backoff::Error::Transient {
-                                err,
-                                // Allow the backoff implementation to select how
-                                // long to wait before retrying.
-                                retry_after: None,
-                            }
-                        }
+                        _ => true,
                     })
-                })
-                .await?;
+                    .notify(|error, sleep| tracing::debug!(%error, ?sleep, "Error claiming lease, retrying..."))
+                    .await?;
                 if tx.send(claim.clone()).is_err() {
                     // All receivers have been dropped.
                     break;

kubert/src/lib.rs

@@ -119,6 +119,9 @@ pub mod requeue;
 #[cfg_attr(docsrs, doc(cfg(feature = "runtime")))]
 pub mod runtime;
 
+#[cfg(feature = "rustls-tls")]
+pub use tokio_rustls::rustls;
+
 #[cfg(feature = "server")]
 #[cfg_attr(docsrs, doc(cfg(feature = "server")))]
 pub mod server;

kubert/src/server/tests.rs

@@ -33,6 +33,9 @@ fn gen_keys() -> (TempDir, TlsPaths) {
 #[cfg(feature = "rustls-tls")]
 #[tokio::test]
 async fn load_tls_rustls() {
+    tokio_rustls::rustls::crypto::aws_lc_rs::default_provider()
+        .install_default()
+        .expect("installing aws-lc-rs provider must succeed");
     let (_tempdir, TlsPaths { key, certs }) = gen_keys();
     match super::tls_rustls::load_tls(&key, &certs).await {
         Ok(_) => println!("load_tls: success!"),

kubert/src/server/tls_rustls.rs

@@ -13,6 +13,15 @@ pub(in crate::server) async fn load_tls(
     pk: &TlsKeyPath,
     crts: &TlsCertPath,
 ) -> Result<TlsAcceptor, Error> {
+    if tokio_rustls::rustls::crypto::CryptoProvider::get_default().is_none() {
+        // The only error here is if it's been initialized in between: we can ignore it
+        // since our semantic is only to set the default value if it does not exist.
+        #[cfg(feature = "rustls-tls-aws-lc-rs")]
+        let _ = tokio_rustls::rustls::crypto::aws_lc_rs::default_provider().install_default();
+        #[cfg(feature = "rustls-tls-ring")]
+        let _ = tokio_rustls::rustls::crypto::ring::default_provider().install_default();
+    }
+
     let key = load_private_key(pk).await.map_err(Error::TlsKeyReadError)?;
     let certs = load_certs(crts).await.map_err(Error::TlsCertsReadError)?;
     let mut cfg = rustls::ServerConfig::builder()