Merge pull request #78044 from dekkagaijin/patch-6

Consolidate logic to ensure kubectl auth
Kubernetes Prow Robot 2019-05-17 23:21:37 -07:00 committed by GitHub
commit 0203192970
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -588,7 +588,7 @@ function create-master-auth {
append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}," "admin,admin,system:masters" append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}," "admin,admin,system:masters"
fi fi
if [[ -n "${KUBE_BOOTSTRAP_TOKEN:-}" ]]; then if [[ -n "${KUBE_BOOTSTRAP_TOKEN:-}" ]]; then
append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BOOTSTRAP_TOKEN}," "system:cluster-bootstrap,uid:system:cluster-bootstrap,system:masters" append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BOOTSTRAP_TOKEN}," "gcp:kube-bootstrap,uid:gcp:kube-bootstrap,system:masters"
fi fi
if [[ -n "${KUBE_CONTROLLER_MANAGER_TOKEN:-}" ]]; then if [[ -n "${KUBE_CONTROLLER_MANAGER_TOKEN:-}" ]]; then
append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager" append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager"
@ -1506,7 +1506,7 @@ function compute-master-manifest-variables {
INSECURE_PORT_MAPPING="" INSECURE_PORT_MAPPING=""
if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" == "true" ]]; then if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" == "true" ]]; then
INSECURE_PORT_MAPPING="{ \"name\": \"local\", \"containerPort\": 8080, \"hostPort\": 8080}," INSECURE_PORT_MAPPING="{ \"name\": \"local\", \"containerPort\": 8080, \"hostPort\": 8080},"
fi fi
} }
# A helper function that bind mounts kubelet dirs for running mount in a chroot # A helper function that bind mounts kubelet dirs for running mount in a chroot
@ -2846,11 +2846,12 @@ function wait-till-apiserver-ready() {
done done
} }
function ensure-bootstrap-kubectl-auth { function ensure-master-bootstrap-kubectl-auth {
# Creating an authenticated kubeconfig is only necessary if the insecure port is disabled. # By default, `kubectl` uses http://localhost:8080
# If the insecure port is disabled, kubectl will need to use an admin-authenticated kubeconfig.
if [[ -n "${KUBE_BOOTSTRAP_TOKEN:-}" ]]; then if [[ -n "${KUBE_BOOTSTRAP_TOKEN:-}" ]]; then
create-kubeconfig "cluster-bootstrap" ${KUBE_BOOTSTRAP_TOKEN} create-kubeconfig "kube-bootstrap" "${KUBE_BOOTSTRAP_TOKEN}"
export KUBECONFIG=/etc/srv/kubernetes/cluster-bootstrap/kubeconfig export KUBECONFIG=/etc/srv/kubernetes/kube-bootstrap/kubeconfig
fi fi
} }
@ -2971,13 +2972,13 @@ function main() {
KUBE_CONTROLLER_MANAGER_TOKEN="$(secure_random 32)" KUBE_CONTROLLER_MANAGER_TOKEN="$(secure_random 32)"
KUBE_SCHEDULER_TOKEN="$(secure_random 32)" KUBE_SCHEDULER_TOKEN="$(secure_random 32)"
KUBE_CLUSTER_AUTOSCALER_TOKEN="$(secure_random 32)" KUBE_CLUSTER_AUTOSCALER_TOKEN="$(secure_random 32)"
if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" != "true" ]]; then
KUBE_BOOTSTRAP_TOKEN="$(secure_random 32)"
fi
if [[ "${ENABLE_L7_LOADBALANCING:-}" == "glbc" ]]; then if [[ "${ENABLE_L7_LOADBALANCING:-}" == "glbc" ]]; then
GCE_GLBC_TOKEN="$(secure_random 32)" GCE_GLBC_TOKEN="$(secure_random 32)"
fi fi
ADDON_MANAGER_TOKEN="$(secure_random 32)" ADDON_MANAGER_TOKEN="$(secure_random 32)"
if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" != "true" ]]; then
KUBE_BOOTSTRAP_TOKEN="$(secure_random 32)"
fi
setup-os-params setup-os-params
config-ip-firewall config-ip-firewall
@ -2990,7 +2991,7 @@ function main() {
create-node-pki create-node-pki
create-master-pki create-master-pki
create-master-auth create-master-auth
ensure-bootstrap-kubectl-auth ensure-master-bootstrap-kubectl-auth
create-master-kubelet-auth create-master-kubelet-auth
create-master-etcd-auth create-master-etcd-auth
create-master-etcd-apiserver-auth create-master-etcd-apiserver-auth
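Review bot: The bootstrap credential registered in create-master-auth is still placed in `system:masters` (the `gcp:kube-bootstrap,uid:gcp:kube-bootstrap,system:masters` entry), and nothing in the visible lines documents how long it lives or who may read the kubeconfig that ensure-master-bootstrap-kubectl-auth exports. A static-token entry stays valid for as long as it remains in the known-tokens file, so this is a standing cluster-admin credential on the master's disk rather than one limited to startup. I would add a comment above the `create-kubeconfig "kube-bootstrap" "${KUBE_BOOTSTRAP_TOKEN}"` call, such as `# NOTE: this token is in system:masters and stays valid until removed from the known-tokens file; keep this kubeconfig readable by root only.` Whether create-kubeconfig restricts the file mode is not visible in this view and is worth confirming; create-master-auth and main both continue outside the hunks shown.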