Creates constants for bootstrap tokens.

Move these form core API to a separate package (pkg/bootstrap/api). This also creates the constant for the new kube-public namespace.
2025-07-31 23:37:01 +00:00 · 2017-02-09 15:43:32 -08:00 · 2017-02-09 15:43:32 -08:00 · 20e1f8ea9b
commit 20e1f8ea9b
parent 8fcbd56974
13 changed files with 120 additions and 12 deletions
--- a/cmd/kubeadm/app/cmd/BUILD
+++ b/cmd/kubeadm/app/cmd/BUILD
@ -36,6 +36,7 @@ go_library(
        "//cmd/kubeadm/app/preflight:go_default_library",
        "//cmd/kubeadm/app/util:go_default_library",
        "//pkg/api:go_default_library",
+        "//pkg/bootstrap/api:go_default_library",
        "//pkg/kubectl:go_default_library",
        "//pkg/kubectl/cmd/util:go_default_library",
        "//pkg/util/initsystem:go_default_library",
@ -48,6 +49,7 @@ go_library(
        "//vendor:k8s.io/apimachinery/pkg/runtime",
        "//vendor:k8s.io/apimachinery/pkg/util/net",
        "//vendor:k8s.io/apiserver/pkg/util/flag",
+        "//vendor:k8s.io/client-go/pkg/api",
        "//vendor:k8s.io/client-go/util/cert",
    ],
 )
--- a/cmd/kubeadm/app/cmd/token.go
+++ b/cmd/kubeadm/app/cmd/token.go
@ -29,11 +29,12 @@ import (

 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/client-go/pkg/api"
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	kubemaster "k8s.io/kubernetes/cmd/kubeadm/app/master"
 	"k8s.io/kubernetes/cmd/kubeadm/app/phases/kubeconfig"
 	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
-	"k8s.io/kubernetes/pkg/api"
+	bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api"
 	"k8s.io/kubernetes/pkg/kubectl"
 )

@ -164,7 +165,7 @@ func RunListTokens(out io.Writer, errW io.Writer, cmd *cobra.Command) error {

 	tokenSelector := fields.SelectorFromSet(
 		map[string]string{
-			api.SecretTypeField: string(api.SecretTypeBootstrapToken),
+			api.SecretTypeField: string(bootstrapapi.SecretTypeBootstrapToken),
 		},
 	)
 	listOptions := metav1.ListOptions{
--- a/cmd/kubeadm/app/util/BUILD
+++ b/cmd/kubeadm/app/util/BUILD
@ -21,8 +21,8 @@ go_library(
        "//cmd/kubeadm/app/apis/kubeadm:go_default_library",
        "//cmd/kubeadm/app/apis/kubeadm/v1alpha1:go_default_library",
        "//cmd/kubeadm/app/preflight:go_default_library",
-        "//pkg/api:go_default_library",
        "//pkg/api/v1:go_default_library",
+        "//pkg/bootstrap/api:go_default_library",
        "//pkg/client/clientset_generated/clientset:go_default_library",
        "//vendor:k8s.io/apimachinery/pkg/api/errors",
        "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
--- a/cmd/kubeadm/app/util/tokens.go
+++ b/cmd/kubeadm/app/util/tokens.go
@ -29,8 +29,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	kubeadmapiext "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha1"
-	"k8s.io/kubernetes/pkg/api"
 	v1 "k8s.io/kubernetes/pkg/api/v1"
+	bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
 )

@ -154,7 +154,9 @@ func UpdateOrCreateToken(client *clientset.Clientset, d *kubeadmapi.TokenDiscove
 				ObjectMeta: metav1.ObjectMeta{
 					Name: secretName,
 				},
-				Type: api.SecretTypeBootstrapToken,
+				// TODO(jbeda): convert kubeadm to client-go
+				// https://github.com/kubernetes/kubeadm/issues/52
+				Type: v1.SecretType(bootstrapapi.SecretTypeBootstrapToken),
 				Data: encodeTokenSecretData(d, tokenDuration),
 			}
 			if _, err := client.Secrets(metav1.NamespaceSystem).Create(secret); err == nil {
--- a/hack/.linted_packages
+++ b/hack/.linted_packages
@ -87,6 +87,7 @@ pkg/apis/rbac/install
 pkg/apis/rbac/v1alpha1
 pkg/apis/storage/install
 pkg/apis/storage/validation
+pkg/bootstrap/api
 pkg/client/conditions
 pkg/client/informers/informers_generated/apps
 pkg/client/informers/informers_generated/apps/internalversion
--- a/pkg/BUILD
+++ b/pkg/BUILD
@ -31,6 +31,7 @@ filegroup(
        "//pkg/apis/storage:all-srcs",
        "//pkg/auth/authorizer/abac:all-srcs",
        "//pkg/auth/user:all-srcs",
+        "//pkg/bootstrap/api:all-srcs",
        "//pkg/capabilities:all-srcs",
        "//pkg/client/chaosclient:all-srcs",
        "//pkg/client/clientset_generated/clientset:all-srcs",
--- a/pkg/api/types.go
+++ b/pkg/api/types.go
@ -189,6 +189,8 @@ const (
 	NamespaceNone string = ""
 	// NamespaceSystem is the system namespace where we place system components.
 	NamespaceSystem string = "kube-system"
+	// NamespacePublic is the namespace where we place public info (ConfigMaps)
+	NamespacePublic string = "kube-public"
 	// TerminationMessagePathDefault means the default path to capture the application termination message running in a container
 	TerminationMessagePathDefault string = "/dev/termination-log"
 )
@ -3344,9 +3346,6 @@ const (
 	// - Secret.Data["token"] - a token that identifies the service account to the API
 	SecretTypeServiceAccountToken SecretType = "kubernetes.io/service-account-token"

-	// SecretTypeBootstrapToken is the key for tokens used by kubeadm to validate cluster info during discovery.
-	SecretTypeBootstrapToken = "bootstrap.kubernetes.io/token"
-
 	// ServiceAccountNameKey is the key of the required annotation for SecretTypeServiceAccountToken secrets
 	ServiceAccountNameKey = "kubernetes.io/service-account.name"
 	// ServiceAccountUIDKey is the key of the required annotation for SecretTypeServiceAccountToken secrets
--- a/pkg/bootstrap/api/BUILD
+++ b/pkg/bootstrap/api/BUILD
@ -0,0 +1,31 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "doc.go",
+        "types.go",
+    ],
+    tags = ["automanaged"],
+    deps = ["//vendor:k8s.io/client-go/pkg/api/v1"],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)
--- a/pkg/bootstrap/api/doc.go
+++ b/pkg/bootstrap/api/doc.go
@ -0,0 +1,20 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package api (pkg/bootstrap/api) contains constants and types needed for
+// bootstrap tokens as maintained by the BootstrapSigner and TokenCleaner
+// controllers (in pkg/controller/bootstrap)
+package api // import "k8s.io/kubernetes/pkg/bootstrap/api"
--- a/pkg/bootstrap/api/types.go
+++ b/pkg/bootstrap/api/types.go
@ -0,0 +1,48 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package api
+
+import (
+	"k8s.io/client-go/pkg/api/v1"
+)
+
+const (
+	// SecretTypeBootstrapToken is used during the automated bootstrap process (first
+	// implemented by kubeadm). It stores tokens that are used to sign well known
+	// ConfigMaps. They may also eventually be used for authentication.
+	SecretTypeBootstrapToken v1.SecretType = "bootstrap.kubernetes.io/token"
+
+	// BootstrapTokenIDKey is the id of this token. This can be transmitted in the
+	// clear and encoded in the name of the secret. It should be a random 6
+	// character string. Required
+	BootstrapTokenIDKey = "token-id"
+
+	// BootstrapTokenSecretKey is the actual secret. Typically this is a random 16
+	// character string. Required.
+	BootstrapTokenSecretKey = "token-secret"
+
+	// BootstrapTokenExpirationKey is when this token should be expired and no
+	// longer used. A controller will delete this resource after this time. This
+	// is an absolute UTC time using RFC3339. If this cannot be parsed, the token
+	// should be considered invalid. Optional.
+	BootstrapTokenExpirationKey = "expiration"
+
+	// BootstrapTokenUsageSigningKey signals that this token should be used to
+	// sign configs as part of the bootstrap process. Value must be "true". Any
+	// other value is assumed to be false. Optional.
+	BootstrapTokenUsageSigningKey = "usage-bootstrap-signing"
+)
--- a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go
@ -73,7 +73,7 @@ type ListMeta struct {

 // These are internal finalizer values for Kubernetes-like APIs, must be qualified name unless defined here
 const (
-	FinalizerOrphan     string        = "orphan"
+	FinalizerOrphan string = "orphan"
 )

 // ObjectMeta is metadata that all persisted resources must have, which includes all objects
@ -233,6 +233,8 @@ const (
 	NamespaceNone string = ""
 	// NamespaceSystem is the system namespace where we place system components.
 	NamespaceSystem string = "kube-system"
+	// NamespacePublic is the namespace where we place public info (ConfigMaps)
+	NamespacePublic string = "kube-public"
 )

 // OwnerReference contains enough information to let you identify an owning
--- a/staging/src/k8s.io/client-go/_vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go
+++ b/staging/src/k8s.io/client-go/_vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go
@ -228,6 +228,8 @@ const (
 	NamespaceNone string = ""
 	// NamespaceSystem is the system namespace where we place system components.
 	NamespaceSystem string = "kube-system"
+	// NamespacePublic is the namespace where we place public info (ConfigMaps)
+	NamespacePublic string = "kube-public"
 )

 // OwnerReference contains enough information to let you identify an owning
--- a/staging/src/k8s.io/client-go/pkg/api/types.go
+++ b/staging/src/k8s.io/client-go/pkg/api/types.go
@ -189,6 +189,8 @@ const (
 	NamespaceNone string = ""
 	// NamespaceSystem is the system namespace where we place system components.
 	NamespaceSystem string = "kube-system"
+	// NamespacePublic is the namespace where we place public info (ConfigMaps)
+	NamespacePublic string = "kube-public"
 	// TerminationMessagePathDefault means the default path to capture the application termination message running in a container
 	TerminationMessagePathDefault string = "/dev/termination-log"
 )
@ -3344,9 +3346,6 @@ const (
 	// - Secret.Data["token"] - a token that identifies the service account to the API
 	SecretTypeServiceAccountToken SecretType = "kubernetes.io/service-account-token"

-	// SecretTypeBootstrapToken is the key for tokens used by kubeadm to validate cluster info during discovery.
-	SecretTypeBootstrapToken = "bootstrap.kubernetes.io/token"
-
 	// ServiceAccountNameKey is the key of the required annotation for SecretTypeServiceAccountToken secrets
 	ServiceAccountNameKey = "kubernetes.io/service-account.name"
 	// ServiceAccountUIDKey is the key of the required annotation for SecretTypeServiceAccountToken secrets