Merge pull request #39871 from liggitt/bash-vars

Automatic merge from submit-queue (batch tested with PRs 38427, 39896, 39889, 39871, 39895)

Conditionally write token file entries

Fixes #39863

We have a bigger problem with not knowing what is calling these functions, but this will at least tolerate callers that are not setting the envvars we expect

cluster/gce/container-linux/configure-helper.sh

@@ -157,10 +157,18 @@ function create-master-auth {
     replace_prefixed_line "${basic_auth_csv}" "${KUBE_PASSWORD},${KUBE_USER}," "admin,system:masters"
   fi
   local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
-  replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}"             "admin,admin,system:masters"
+  if [[ -n "${KUBE_BEARER_TOKEN:-}" ]]; then
-  replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}" "system:kube-controller-manager,uid:system:kube-controller-manager"
+    replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN},"             "admin,admin,system:masters"
-  replace_prefixed_line "${known_tokens_csv}" "${KUBELET_TOKEN}"                 "system:node:node-name,uid:kubelet,system:nodes"
+  fi
-  replace_prefixed_line "${known_tokens_csv}" "${KUBE_PROXY_TOKEN}"              "system:kube-proxy,uid:kube_proxy"
+  if [[ -n "${KUBE_CONTROLLER_MANAGER_TOKEN:-}" ]]; then
+    replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager"
+  fi
+  if [[ -n "${KUBELET_TOKEN:-}" ]]; then
+    replace_prefixed_line "${known_tokens_csv}" "${KUBELET_TOKEN},"                 "system:node:node-name,uid:kubelet,system:nodes"
+  fi
+  if [[ -n "${KUBE_PROXY_TOKEN:-}" ]]; then
+    replace_prefixed_line "${known_tokens_csv}" "${KUBE_PROXY_TOKEN},"              "system:kube-proxy,uid:kube_proxy"
+  fi
   local use_cloud_config="false"
   cat <<EOF >/etc/gce.conf
 [global]

cluster/gce/gci/configure-helper.sh

@@ -224,10 +224,18 @@ function create-master-auth {
     replace_prefixed_line "${basic_auth_csv}" "${KUBE_PASSWORD},${KUBE_USER}," "admin,system:masters"
   fi
   local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
-  replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN},"             "admin,admin,system:masters"
+  if [[ -n "${KUBE_BEARER_TOKEN:-}" ]]; then
-  replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager"
+    replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN},"             "admin,admin,system:masters"
-  replace_prefixed_line "${known_tokens_csv}" "${KUBELET_TOKEN},"                 "system:node:node-name,uid:kubelet,system:nodes"
+  fi
-  replace_prefixed_line "${known_tokens_csv}" "${KUBE_PROXY_TOKEN},"              "system:kube-proxy,uid:kube_proxy"
+  if [[ -n "${KUBE_CONTROLLER_MANAGER_TOKEN:-}" ]]; then
+    replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager"
+  fi
+  if [[ -n "${KUBELET_TOKEN:-}" ]]; then
+    replace_prefixed_line "${known_tokens_csv}" "${KUBELET_TOKEN},"                 "system:node:node-name,uid:kubelet,system:nodes"
+  fi
+  if [[ -n "${KUBE_PROXY_TOKEN:-}" ]]; then
+    replace_prefixed_line "${known_tokens_csv}" "${KUBE_PROXY_TOKEN},"              "system:kube-proxy,uid:kube_proxy"
+  fi
   local use_cloud_config="false"
   cat <<EOF >/etc/gce.conf
 [global]