stop create secrets for dns, it uses the kube-system service account now

2025-07-30 15:05:27 +00:00 · 2016-03-29 14:27:28 -07:00 · 2016-03-29 14:27:28 -07:00 · 0a821a473d
commit 0a821a473d
parent 0d0eb0119e
4 changed files with 2 additions and 93 deletions
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@ -585,7 +585,7 @@ function create-salt-master-auth() {
    # NB: If this list ever changes, this script actually has to
    # change to detect the existence of this file, kill any deleted
    # old tokens and add any new tokens (to handle the upgrade case).
-    local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns")
+    local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring")
    for account in "${service_accounts[@]}"; do
      token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
      echo "${token},${account},${account}" >> "${KNOWN_TOKENS_FILE}"
--- a/cluster/gce/coreos/configure-node.sh
+++ b/cluster/gce/coreos/configure-node.sh
@ -256,7 +256,7 @@ function create-salt-master-auth() {
    # NB: If this list ever changes, this script actually has to
    # change to detect the existence of this file, kill any deleted
    # old tokens and add any new tokens (to handle the upgrade case).
-    local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns")
+    local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring")
    for account in "${service_accounts[@]}"; do
      token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
      echo "${token},${account},${account}" >> "${KNOWN_TOKENS_FILE}"
--- a/cluster/gce/trusty/configure-helper.sh
+++ b/cluster/gce/trusty/configure-helper.sh
@ -309,7 +309,6 @@ create_master_auth() {
    add_token_entry "system:controller_manager" "${known_tokens_csv}"
    add_token_entry "system:logging" "${known_tokens_csv}"
    add_token_entry "system:monitoring" "${known_tokens_csv}"
-    add_token_entry "system:dns" "${known_tokens_csv}"
  fi

  if [ -n "${PROJECT_ID:-}" ] && [ -n "${TOKEN_URL:-}" ] && [ -n "${TOKEN_BODY:-}" ] && [ -n "${NODE_NETWORK:-}" ]; then
--- a/cluster/saltbase/salt/kube-addons/kube-addons.sh
+++ b/cluster/saltbase/salt/kube-addons/kube-addons.sh
@ -22,7 +22,6 @@ KUBECTL=${KUBECTL_BIN:-/usr/local/bin/kubectl}
 ADDON_CHECK_INTERVAL_SEC=${TEST_ADDON_CHECK_INTERVAL_SEC:-600}

 SYSTEM_NAMESPACE=kube-system
-token_dir=${TOKEN_DIR:-/srv/kubernetes}
 trusty_master=${TRUSTY_MASTER:-false}

 function ensure_python() {
@ -35,72 +34,6 @@ function ensure_python() {
  fi
 }

-function create-kubeconfig-secret() {
-  local -r token=$1
-  local -r username=$2
-  local -r server=$3
-  local -r safe_username=$(tr -s ':_' '--' <<< "${username}")
-
-  # Make a kubeconfig file with the token.
-  if [[ ! -z "${CA_CERT:-}" ]]; then
-    # If the CA cert is available, put it into the secret rather than using
-    # insecure-skip-tls-verify.
-    read -r -d '' kubeconfig <<EOF
-apiVersion: v1
-kind: Config
-users:
- name: ${username}
-  user:
-    token: ${token}
-clusters:
- name: local
-  cluster:
-     server: ${server}
-     certificate-authority-data: ${CA_CERT}
-contexts:
- context:
-    cluster: local
-    user: ${username}
-    namespace: ${SYSTEM_NAMESPACE} 
-  name: service-account-context
-current-context: service-account-context
-EOF
-  else
-    read -r -d '' kubeconfig <<EOF
-apiVersion: v1
-kind: Config
-users:
- name: ${username}
-  user:
-    token: ${token}
-clusters:
- name: local
-  cluster:
-     server: ${server}
-     insecure-skip-tls-verify: true
-contexts:
- context:
-    cluster: local
-    user: ${username}
-    namespace: ${SYSTEM_NAMESPACE}
-  name: service-account-context
-current-context: service-account-context
-EOF
-  fi
-
-  local -r kubeconfig_base64=$(echo "${kubeconfig}" | base64 -w0)
-  read -r -d '' secretyaml <<EOF
-apiVersion: v1
-data:
-  kubeconfig: ${kubeconfig_base64}
-kind: Secret
-metadata:
-  name: token-${safe_username}
-type: Opaque
-EOF
-  create-resource-from-string "${secretyaml}" 100 10 "Secret-for-token-for-user-${username}" "${SYSTEM_NAMESPACE}" &
-}
-
 # $1 filename of addon to start.
 # $2 count of tries to start the addon.
 # $3 delay in seconds between two consecutive tries
@ -196,29 +129,6 @@ done

 echo "== default service account in the ${SYSTEM_NAMESPACE} namespace has token ${token_found} =="

-# Generate secrets for "internal service accounts".
-# TODO(etune): move to a completely yaml/object based
-# workflow so that service accounts can be created
-# at the same time as the services that use them.
-# NOTE: needs to run as root to read this file.
-# Read each line in the csv file of tokens.
-# Expect errors when the script is started again.
-# NOTE: secrets are created asynchronously, in background.
-while read line; do
-  # Split each line into the token and username.
-  IFS=',' read -a parts <<< "${line}"
-  token=${parts[0]}
-  username=${parts[1]}
-  # DNS is special, since it's necessary for cluster bootstrapping.
-  if [[ "${username}" == "system:dns" ]] && [[ ! -z "${KUBERNETES_MASTER_NAME:-}" ]]; then
-    create-kubeconfig-secret "${token}" "${username}" "https://${KUBERNETES_MASTER_NAME}"
-  else
-    # Set the server to https://kubernetes. Pods/components that
-    # do not have DNS available will have to override the server.
-    create-kubeconfig-secret "${token}" "${username}" "https://kubernetes.default"
-  fi
-done < "${token_dir}/known_tokens.csv"
-
 # Create admission_control objects if defined before any other addon services. If the limits
 # are defined in a namespace other than default, we should still create the limits for the
 # default namespace.