Merge pull request #63266 from awly/exec-plugin-kubeconfig

Automatic merge from submit-queue (batch tested with PRs 63340, 63266). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. gcp: allow non-bootstrap kubeconfig **What this PR does / why we need it**: Needed for https://github.com/kubernetes/community/pull/2022 This change lets us generate a non-bootstrap kubeconfig with exec plugin for authn. The plugin does TLS bootstrapping internally. **Special notes for your reviewer**: Defaults when no new env vars are set will behave same as before this change. `KUBELET_AUTH_TYPE` should never be `tls-auth` in practice, but leaving it there just in case. **Release note**: ```release-note NONE ```
2025-07-24 20:24:09 +00:00 · 2018-05-07 15:16:14 -07:00 · 2018-05-07 15:16:14 -07:00 · c59393e9fd
commit c59393e9fd
parent 861d20bf48 77c13d6dc7
1 changed files with 26 additions and 4 deletions
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -892,8 +892,9 @@ function create-kubelet-kubeconfig() {
    echo "Must provide API server address to create Kubelet kubeconfig file!"
    exit 1
  fi
-  echo "Creating kubelet kubeconfig file"
-  cat <<EOF >/var/lib/kubelet/bootstrap-kubeconfig
+  if [[ "${CREATE_BOOTSTRAP_KUBECONFIG:-true}" == "true" ]]; then
+    echo "Creating kubelet bootstrap-kubeconfig file"
+    cat <<EOF >/var/lib/kubelet/bootstrap-kubeconfig
 apiVersion: v1
 kind: Config
 users:
@ -913,6 +914,13 @@ contexts:
  name: service-account-context
 current-context: service-account-context
 EOF
+  elif [[ "${FETCH_BOOTSTRAP_KUBECONFIG:-false}" == "true" ]]; then
+    echo "Fetching kubelet bootstrap-kubeconfig file from metadata"
+    get-metadata-value "instance/attributes/bootstrap-kubeconfig" >/var/lib/kubelet/bootstrap-kubeconfig
+  else
+    echo "Fetching kubelet kubeconfig file from metadata"
+    get-metadata-value "instance/attributes/kubeconfig" >/var/lib/kubelet/kubeconfig
+  fi
 }

 # Uses KUBELET_CA_CERT (falling back to CA_CERT), KUBELET_CERT, and KUBELET_KEY
@ -1612,7 +1620,7 @@ function start-kube-apiserver {
    params+=" --feature-gates=${FEATURE_GATES}"
  fi
  if [[ -n "${PROJECT_ID:-}" && -n "${TOKEN_URL:-}" && -n "${TOKEN_BODY:-}" && -n "${NODE_NETWORK:-}" ]]; then
-    local -r vm_external_ip=$(curl --retry 5 --retry-delay 3 ${CURL_RETRY_CONNREFUSED} --fail --silent -H 'Metadata-Flavor: Google' "http://metadata/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip")
+    local -r vm_external_ip=$(get-metadata-value "instance/network-interfaces/0/access-configs/0/external-ip")
    if [[ -n "${PROXY_SSH_USER:-}" ]]; then
      params+=" --advertise-address=${vm_external_ip}"
      params+=" --ssh-user=${PROXY_SSH_USER}"
@ -2008,6 +2016,20 @@ function download-extra-addons {
  "${curl_cmd[@]}"
 }

+# A function that fetches a GCE metadata value and echoes it out.
+#
+# $1: URL path after /computeMetadata/v1/ (without heading slash).
+function get-metadata-value {
+    curl \
+        --retry 5 \
+        --retry-delay 3 \
+        ${CURL_RETRY_CONNREFUSED} \
+        --fail \
+        --silent \
+        -H 'Metadata-Flavor: Google' \
+        "http://metadata/computeMetadata/v1/${1}"
+}
+
 # A helper function for copying manifests and setting dir/files
 # permissions.
 #
@ -2590,4 +2612,4 @@ if [[ "$#" -eq 1 && "${1}" == "--source-only" ]]; then
   :
 else
   main "${@}"
-fi
+fi