From 857690baf5e69f515199f09f9d059c2e8166e7a9 Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Thu, 22 Feb 2018 12:14:36 -0800
Subject: [PATCH] gce: add support for enabling TokenRequest feature

---
 cluster/gce/config-default.sh | 6 ++++++
 cluster/gce/config-test.sh | 6 ++++++
 cluster/gce/gci/configure-helper.sh | 5 +++++
 cluster/gce/util.sh | 6 ++++++
 4 files changed, 23 insertions(+)

diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 0a9f5e523cb..ce793a444f0 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -399,3 +399,9 @@ ROTATE_CERTIFICATES="${ROTATE_CERTIFICATES:-}"
 # The number of services that are allowed to sync concurrently. Will be passed
 # into kube-controller-manager via `--concurrent-service-syncs`
 CONCURRENT_SERVICE_SYNCS="${CONCURRENT_SERVICE_SYNCS:-}"
+
+if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
+ FEATURE_GATES="${FEATURE_GATES},TokenRequest=true"
+ SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
+ SERVICEACCOUNT_API_AUDIENCES="https://kubernetes.default.svc"
+fi
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 05c94256901..fa62c28b48c 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -442,3 +442,9 @@ ROTATE_CERTIFICATES="${ROTATE_CERTIFICATES:-}"
 # The number of services that are allowed to sync concurrently. Will be passed
 # into kube-controller-manager via `--concurrent-service-syncs`
 CONCURRENT_SERVICE_SYNCS="${CONCURRENT_SERVICE_SYNCS:-}"
+
+if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
+ FEATURE_GATES="${FEATURE_GATES},TokenRequest=true"
+ SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
+ SERVICEACCOUNT_API_AUDIENCES="https://kubernetes.default.svc"
+fi
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 6b61dc218c2..a580e5164b6 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
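Review bot: The line `FEATURE_GATES="${FEATURE_GATES},TokenRequest=true"` in the config-default.sh hunk (and the identical block in the config-test.sh hunk) yields a value that starts with a comma whenever FEATURE_GATES is empty at that point; whether the apiserver's gate parser tolerates an empty entry is not visible here, so build the list conditionally: `FEATURE_GATES="${FEATURE_GATES:+${FEATURE_GATES},}TokenRequest=true"`. The issuer `https://kubernetes.io/${CLUSTER_NAME}` is the value every issued service-account token carries, so an empty or unset CLUSTER_NAME silently gives every cluster built from this config the same issuer; `${CLUSTER_NAME:?}` would make the configuration step fail instead. A short comment above the block, e.g. `# Opt-in TokenRequest: SERVICEACCOUNT_ISSUER and SERVICEACCOUNT_API_AUDIENCES are consumed by start-kube-apiserver in gci/configure-helper.sh`, would record where these variables are read. Keeping the block in one place and sourcing it from both config files would avoid the two copies drifting apart.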
@@ -1466,6 +1466,11 @@ function start-kube-apiserver {
 if [[ -n "${ETCD_QUORUM_READ:-}" ]]; then
 params+=" --etcd-quorum-read=${ETCD_QUORUM_READ}"
 fi
 
+ if [[ -n "${SERVICEACCOUNT_ISSUER:-}" ]]; then
+ params+=" --service-account-issuer=${SERVICEACCOUNT_ISSUER}"
+ params+=" --service-account-signing-key-file=${SERVICEACCOUNT_KEY_PATH}"
+ params+=" --service-account-api-audiences=${SERVICEACCOUNT_API_AUDIENCES}"
+ fi
 local audit_policy_config_mount=""
 local audit_policy_config_volume=""
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index e7d87893623..0b71822683b 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -819,6 +819,12 @@ ETCD_CA_CERT: $(yaml-quote ${ETCD_CA_CERT_BASE64:-})
 ETCD_PEER_KEY: $(yaml-quote ${ETCD_PEER_KEY_BASE64:-})
 ETCD_PEER_CERT: $(yaml-quote ${ETCD_PEER_CERT_BASE64:-})
 EOF
+ if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
+ cat >>$file <
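Review bot: The guard checks only SERVICEACCOUNT_ISSUER, but the two lines after it also expand SERVICEACCOUNT_KEY_PATH and SERVICEACCOUNT_API_AUDIENCES, and neither is assigned in any hunk visible here; if either is missing, kube-apiserver is started with `--service-account-signing-key-file=` or an empty audience list and the problem only surfaces as an apiserver startup failure. Fail in the configuration step instead, where the cause is obvious: `params+=" --service-account-signing-key-file=${SERVICEACCOUNT_KEY_PATH:?required when SERVICEACCOUNT_ISSUER is set}"` and the same `:?` form for `${SERVICEACCOUNT_API_AUDIENCES}`. SERVICEACCOUNT_KEY_PATH is presumably defined earlier in this file; a one-line comment above the new `if` naming that source would help the next reader. start-kube-apiserver begins before and ends after this hunk.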