Merge pull request #41937 from cheftako/changePassword

Automatic merge from submit-queue (batch tested with PRs 41937, 41151, 42092, 40269, 42135)

GCE will properly regenerate basic_auth.csv on kube-apiserver start.

**What this PR does / why we need it**:

If basic_auth.csv does not exist we will generate it as normal.
If basic_auth.csv exists we will remove the old admin password before adding the "new" one. (Turns into a no-op if the password exists).
This did not work properly before because we were replacing by key, where the key was the password. New password would not match and so not replace the old password.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #41935

**Special notes for your reviewer**:

**Release note**:

```release-note
```
This commit is contained in:
Kubernetes Submit Queue 2017-02-28 01:24:03 -08:00 committed by GitHub
commit 5981ce304a
3 changed files with 16 additions and 1 deletions

@ -201,3 +201,7 @@ ENABLE_DEFAULT_STORAGE_CLASS="${ENABLE_DEFAULT_STORAGE_CLASS:-true}"
# TODO(dawn1107): Remove this once the flag is built into CVM image.
# Kernel panic upon soft lockup issue
SOFTLOCKUP_PANIC="${SOFTLOCKUP_PANIC:-false}" # true, false
# Indicates if the values (eg. kube password) in metadata should be treated as
# canonical, and therefore disk copies ought to be recreated/clobbered.
METADATA_CLOBBERS_CONFIG=${METADATA_CLOBBERS_CONFIG:-false}
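
Review bot: The new `METADATA_CLOBBERS_CONFIG=${METADATA_CLOBBERS_CONFIG:-false}` assignment at the end of this hunk is unquoted and has no allowed-values hint, unlike the `SOFTLOCKUP_PANIC="${SOFTLOCKUP_PANIC:-false}" # true, false` line directly above it. Quote the expansion and add the same trailing comment so the two settings read consistently. The comment also speaks of "values (eg. kube password)" in general; if only basic_auth.csv is affected, as the create-master-auth change in this commit suggests, say so here so operators do not expect other on-disk files to be clobbered.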

@ -258,12 +258,19 @@ function create-master-pki {
# After the first boot and on upgrade, these files exist on the master-pd
# and should never be touched again (except perhaps an additional service
# account, see NB below.)
# account, see NB below.) One exception is if METADATA_CLOBBERS_CONFIG is
# enabled. In that case the basic_auth.csv file will be rewritten to make
# sure it matches the metadata source of truth.
function create-master-auth {
echo "Creating master auth files"
local -r auth_dir="/etc/srv/kubernetes"
local -r basic_auth_csv="${auth_dir}/basic_auth.csv"
if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
if [[ -e "${basic_auth_csv}" && "${METADATA_CLOBBERS_CONFIG:-false}" == "true" ]]; then
sed -i "/,${KUBE_USER},admin,system:masters$/d" "${basic_auth_csv}"
# The following is for the legacy form of the password line.
sed -i "/,${KUBE_USER},admin$/d" "${basic_auth_csv}"
fi
replace_prefixed_line "${basic_auth_csv}" "${KUBE_PASSWORD},${KUBE_USER}," "admin,system:masters"
fi
local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
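
Review bot: Both `sed -i` deletions interpolate `${KUBE_USER}` straight into a regular expression, so a user name containing `/`, `.`, `*` or similar characters will either break the sed address or remove lines that belong to other users. Escape the value before building the pattern, or drop the admin line with an exact comparison on the comma-separated fields (awk with a comma field separator would do) instead of a regex. The match also depends on the third field being the literal `admin`, and the updated header comment says the file "will be rewritten" while only this one entry is replaced; the comment should describe what is actually deleted.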

@ -42,3 +42,7 @@ ENABLE_L7_LOADBALANCING="${KUBE_ENABLE_L7_LOADBALANCING:-glbc}"
ENABLE_CLUSTER_MONITORING="${KUBE_ENABLE_CLUSTER_MONITORING:-standalone}"
KUBE_DELETE_NETWORK=${KUBE_DELETE_NETWORK:-false}
# Indicates if the values (eg. kube password) in metadata should be treated as
# canonical, and therefore disk copies ought to be recreated/clobbered.
METADATA_CLOBBERS_CONFIG=true
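
Review bot: `METADATA_CLOBBERS_CONFIG=true` is hard-coded at the end of this hunk, while the neighbouring `KUBE_DELETE_NETWORK=${KUBE_DELETE_NETWORK:-false}` and the other config file in this commit both allow an environment override. If forcing it on is intentional for this configuration, say why in the comment; otherwise use `${METADATA_CLOBBERS_CONFIG:-true}` so a caller can still turn it off.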