Merge pull request #8117 from jlamillan/jlamillan/oci_sdk_65.90

Upgrade OCI provider SDK to v65.90.0. Required for Go 1.24.

Author: k8s-ci-robot

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/gofrs/flock/README.md

@@ -21,7 +21,7 @@ go get -u github.com/gofrs/flock
 
 ## Usage
 ```Go
-import "github.com/gofrs/flock"
+import "k8s.io/autoscaler/cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/gofrs/flock"
 
 fileLock := flock.New("/var/lock/go-lock.lock")
 

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/auth/certificate_retriever.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package auth

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/auth/configuration.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package auth

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/auth/dispatcher_modifier.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package auth

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/auth/federation_client.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 // Package auth provides supporting functions and structs for authentication
@@ -203,6 +203,13 @@ func newAuthClient(region common.Region, provider common.KeyProvider) *common.Ba
 		client.Host = region.Endpoint("auth")
 	}
 	client.BasePath = "v1/x509"
+
+	if common.GlobalAuthClientCircuitBreakerSetting != nil {
+		client.Configuration.CircuitBreaker = common.NewCircuitBreaker(common.GlobalAuthClientCircuitBreakerSetting)
+	} else if !common.IsEnvVarFalse("OCI_SDK_AUTH_CLIENT_CIRCUIT_BREAKER_ENABLED") {
+		common.Logf("Configuring DefaultAuthClientCircuitBreakerSetting for federation client")
+		client.Configuration.CircuitBreaker = common.NewCircuitBreaker(common.DefaultAuthClientCircuitBreakerSetting())
+	}
 	return &client
 }
 
@@ -288,7 +295,7 @@ func (c *x509FederationClient) getSecurityToken() (securityToken, error) {
 	var httpResponse *http.Response
 	defer common.CloseBodyIfValid(httpResponse)
 
-	for retry := 0; retry < 5; retry++ {
+	for retry := 0; retry < 3; retry++ {
 		request := c.makeX509FederationRequest()
 
 		if httpRequest, err = common.MakeDefaultHTTPRequestWithTaggedStruct(http.MethodPost, "", request); err != nil {
@@ -298,7 +305,10 @@ func (c *x509FederationClient) getSecurityToken() (securityToken, error) {
 		if httpResponse, err = c.authClient.Call(context.Background(), &httpRequest); err == nil {
 			break
 		}
-
+		// Don't retry on 4xx errors
+		if httpResponse != nil && httpResponse.StatusCode >= 400 && httpResponse.StatusCode <= 499 {
+			return nil, fmt.Errorf("error %s returned by auth service: %s", httpResponse.Status, err.Error())
+		}
 		nextDuration := time.Duration(1000.0*(math.Pow(2.0, float64(retry)))) * time.Millisecond
 		time.Sleep(nextDuration)
 	}

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/auth/federation_client_oke_workload_identity.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package auth
@@ -125,8 +125,14 @@ func (c *x509FederationClientForOkeWorkloadIdentity) getSecurityToken() (securit
 
 	statusCode := response.StatusCode
 	if statusCode != http.StatusOK {
-		return nil, fmt.Errorf("failed to get a RPST token from Proxymux: URL: %s, Status: %s, Message: %s",
-			c.proxymuxEndpoint, response.Status, body.String())
+		if statusCode == http.StatusForbidden {
+			return nil, fmt.Errorf("please ensure the cluster type is enhanced: Status: %s, Message: %s",
+				response.Status, body.String())
+		} else {
+			return nil, fmt.Errorf("failed to get a RPST token from Proxymux: URL: %s, Status: %s, Message: %s",
+				c.proxymuxEndpoint, response.Status, body.String())
+		}
+
 	}
 
 	if _, err = body.ReadFrom(response.Body); err != nil {

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/auth/instance_principal_delegation_token_provider.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package auth

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/auth/instance_principal_key_provider.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package auth
@@ -7,9 +7,9 @@ import (
 	"bytes"
 	"crypto/rsa"
 	"fmt"
+	"math/rand"
 	"net/http"
 	"os"
-	"strings"
 	"time"
 
 	"k8s.io/autoscaler/cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common"
@@ -18,7 +18,6 @@ import (
 const (
 	defaultMetadataBaseURL      = `http://169.254.169.254/opc/v2`
 	metadataBaseURLEnvVar       = `OCI_METADATA_BASE_URL`
-	metadataFallbackURL         = `http://169.254.169.254/opc/v1`
 	regionPath                  = `/instance/region`
 	leafCertificatePath         = `/identity/cert.pem`
 	leafCertificateKeyPath      = `/identity/key.pem`
@@ -106,19 +105,19 @@ func newInstancePrincipalKeyProvider(modifier func(common.HTTPRequestDispatcher)
 func getRegionForFederationClient(dispatcher common.HTTPRequestDispatcher, url string) (r common.Region, err error) {
 	var body bytes.Buffer
 	var statusCode int
-	MaxRetriesFederationClient := 3
+	MaxRetriesFederationClient := 8
 	for currTry := 0; currTry < MaxRetriesFederationClient; currTry++ {
 		body, statusCode, err = httpGet(dispatcher, url)
 		if err == nil && statusCode == 200 {
 			return common.StringToRegion(body.String()), nil
 		}
 		common.Logf("Error in getting region from url: %s, Status code: %v, Error: %s", url, statusCode, err.Error())
-		if statusCode == 404 && strings.Compare(url, getMetadataBaseURL()+regionPath) == 0 {
-			common.Logf("Falling back to http://169.254.169.254/opc/v1 to try again...\n")
-			updateX509CertRetrieverURLParas(metadataFallbackURL)
-			url = regionURL
+		nextDuration := time.Duration(float64(int(1)<<currTry)+rand.Float64()) * time.Second
+		if nextDuration > 30*time.Second {
+			nextDuration = 30*time.Second + time.Duration(rand.Float64())*time.Second
 		}
-		time.Sleep(1 * time.Second)
+		common.Logf("Retrying for getRegionForFederationClinet function, current retry count is:%v, sleep after %v", currTry+1, nextDuration)
+		time.Sleep(nextDuration)
 	}
 	return
 }

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/auth/jwt.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package auth

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/auth/resource_principal_delegation_token_provider.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package auth

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/auth/resource_principal_key_provider.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package auth

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/auth/resource_principal_token_path_provider.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package auth

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/auth/resource_principals_v1.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package auth

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/auth/resource_principals_v3.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package auth

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/auth/utils.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package auth

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/circuit_breaker.go

@@ -1,10 +1,11 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package common
 
 import (
 	"fmt"
+	"math/rand"
 	"net/http"
 	"os"
 	"strconv"
@@ -29,6 +30,16 @@ const (
 	DefaultCircuitBreakerServiceName string = ""
 	// DefaultCircuitBreakerHistoryCount is the default count of failed response history in circuit breaker
 	DefaultCircuitBreakerHistoryCount int = 5
+	// MinAuthClientCircuitBreakerResetTimeout is the min value of openStateWindow, which is the wait time before setting the breaker to halfOpen state from open state
+	MinAuthClientCircuitBreakerResetTimeout = 30
+	// MaxAuthClientCircuitBreakerResetTimeout is the max value of openStateWindow, which is the wait time before setting the breaker to halfOpen state from open state
+	MaxAuthClientCircuitBreakerResetTimeout = 49
+	// AuthClientCircuitBreakerName is the default circuit breaker name for the DefaultAuthClientCircuitBreakerSetting
+	AuthClientCircuitBreakerName = "FederationClientCircuitBreaker"
+	// AuthClientCircuitBreakerDefaultFailureThreshold is the default requests failure rate for the DefaultAuthClientCircuitBreakerSetting
+	AuthClientCircuitBreakerDefaultFailureThreshold float64 = 0.65
+	// AuthClientCircuitBreakerDefaultMinimumRequests is the default value of minimumRequests in closed status
+	AuthClientCircuitBreakerDefaultMinimumRequests uint32 = 3
 )
 
 // CircuitBreakerSetting wraps all exposed configurable params of circuit breaker
@@ -213,7 +224,7 @@ func NewCircuitBreakerSettingWithOptions(opts ...CircuitBreakerOption) *CircuitB
 	for _, opt := range opts {
 		opt(cbst)
 	}
-	if defaultLogger.LogLevel() == verboseLogging {
+	if defaultLogger != nil && defaultLogger.LogLevel() == verboseLogging {
 		Debugf("Circuit Breaker setting: %s\n", cbst.String())
 	}
 
@@ -383,3 +394,17 @@ func ConfigCircuitBreakerFromGlobalVar(baseClient *BaseClient) {
 		baseClient.Configuration.CircuitBreaker = NewCircuitBreaker(GlobalCircuitBreakerSetting)
 	}
 }
+
+// DefaultAuthClientCircuitBreakerSetting returns the default circuit breaker setting for the Auth Client
+func DefaultAuthClientCircuitBreakerSetting() *CircuitBreakerSetting {
+	return NewCircuitBreakerSettingWithOptions(
+		WithOpenStateWindow(time.Duration(rand.Intn(MaxAuthClientCircuitBreakerResetTimeout+1-MinAuthClientCircuitBreakerResetTimeout)+MinAuthClientCircuitBreakerResetTimeout)*time.Second),
+		WithName(AuthClientCircuitBreakerName),
+		WithFailureRateThreshold(AuthClientCircuitBreakerDefaultFailureThreshold),
+		WithMinimumRequests(AuthClientCircuitBreakerDefaultMinimumRequests),
+	)
+}
+
+// GlobalAuthClientCircuitBreakerSetting is global level circuit breaker setting for the Auth Client
+// than client level circuit breaker
+var GlobalAuthClientCircuitBreakerSetting *CircuitBreakerSetting = nil

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/client.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 // Package common provides supporting functions and structs used by service packages

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/common.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package common

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/configuration.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package common

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/errors.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package common
@@ -25,7 +25,7 @@ type ServiceError interface {
 	GetMessage() string
 
 	// A short error code that defines the error, meant for programmatic parsing.
-	// See https://docs.cloud.oracle.com/Content/API/References/apierrors.htm
+	// See https://docs.oracle.com/iaas/Content/API/References/apierrors.htm
 	GetCode() string
 
 	// Unique Oracle-assigned identifier for the request.

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/eventual_consistency.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 package common

cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/oracle/oci-go-sdk/v65/common/helpers.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates.  All rights reserved.
+// Copyright (c) 2016, 2018, 2025, Oracle and/or its affiliates.  All rights reserved.
 // This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 
 //lint:file-ignore SA1019 older versions of staticcheck (those compatible with Golang 1.17) falsely flag x509.IsEncryptedPEMBlock and x509.DecryptPEMBlock.
@@ -10,13 +10,16 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"net/textproto"
 	"os"
 	"reflect"
 	"strconv"
 	"strings"
 	"time"
+
+	"k8s.io/autoscaler/cluster-autoscaler/cloudprovider/oci/vendor-internal/github.com/youmark/pkcs8"
 )
 
 // String returns a pointer to the provided string
@@ -222,24 +225,30 @@ func PrivateKeyFromBytes(pemData []byte, password *string) (key *rsa.PrivateKey,
 // PrivateKeyFromBytesWithPassword is a helper function that will produce a RSA private
 // key from bytes and a password.
 func PrivateKeyFromBytesWithPassword(pemData, password []byte) (key *rsa.PrivateKey, e error) {
-	if pemBlock, _ := pem.Decode(pemData); pemBlock != nil {
-		decrypted := pemBlock.Bytes
-		if x509.IsEncryptedPEMBlock(pemBlock) {
-			if password == nil {
-				e = fmt.Errorf("private key password is required for encrypted private keys")
-				return
-			}
-			if decrypted, e = x509.DecryptPEMBlock(pemBlock, password); e != nil {
-				return
-			}
-		}
-
-		key, e = parsePKCSPrivateKey(decrypted)
-
-	} else {
+	pemBlock, _ := pem.Decode(pemData)
+	if pemBlock == nil {
 		e = fmt.Errorf("PEM data was not found in buffer")
 		return
 	}
+
+	decrypted := pemBlock.Bytes
+	// Support for encrypted PKCS8 format, this format can not be handled by x509.IsEncryptedPEMBlock func
+	if key, e = pkcs8.ParsePKCS8PrivateKeyRSA(pemBlock.Bytes, password); key != nil {
+		return
+	}
+	// if pemBlock.Type == "ENCRYPTED PRIVATE KEY" {
+	// 	return pkcs8.ParsePKCS8PrivateKeyRSA(pemData, password)
+	// }
+	if x509.IsEncryptedPEMBlock(pemBlock) {
+		if password == nil {
+			return nil, errors.New("private key password is required for encrypted private keys")
+		}
+
+		if decrypted, e = x509.DecryptPEMBlock(pemBlock, password); e != nil {
+			return
+		}
+	}
+	key, e = parsePKCSPrivateKey(decrypted)
 	return
 }