From ff4c372eaaa8ee1705bf5f0fcb380bd1675ef651 Mon Sep 17 00:00:00 2001
From: Jake Sanders <jsand@google.com>
Date: Mon, 6 May 2019 19:21:21 -0700
Subject: [PATCH] ensure that kubectl works when the master insecure port is
 disabled

---
 cluster/gce/gci/configure-helper.sh | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index b573460310b..6ff75644f0c 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -579,6 +579,9 @@ function create-master-auth {
   if [[ -n "${KUBE_BEARER_TOKEN:-}" ]]; then
     append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN},"             "admin,admin,system:masters"
   fi
+  if [[ -n "${KUBE_BOOTSTRAP_TOKEN:-}" ]]; then
+    append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BOOTSTRAP_TOKEN},"          "system:cluster-bootstrap,uid:system:cluster-bootstrap,system:masters"
+  fi
   if [[ -n "${KUBE_CONTROLLER_MANAGER_TOKEN:-}" ]]; then
     append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager"
   fi
@@ -2825,6 +2828,14 @@ function wait-till-apiserver-ready() {
   done
 }
 
+function ensure-bootstrap-kubectl-auth {
+  # Creating an authenticated kubeconfig is only necessary if the insecure port is disabled.
+  if [[ -n "${KUBE_BOOTSTRAP_TOKEN}" ]]; then
+    create-kubeconfig "cluster-bootstrap" ${KUBE_BOOTSTRAP_TOKEN}
+    export KUBECONFIG=/etc/srv/kubernetes/cluster-bootstrap/kubeconfig
+  fi
+}
+
 ########### Main Function ###########
 function main() {
   echo "Start to configure instance for kubernetes"
@@ -2872,10 +2883,12 @@ function main() {
     fi
   fi
 
-  # generate the controller manager, scheduler and cluster autoscaler tokens here since they are only used on the master.
   KUBE_CONTROLLER_MANAGER_TOKEN="$(secure_random 32)"
   KUBE_SCHEDULER_TOKEN="$(secure_random 32)"
   KUBE_CLUSTER_AUTOSCALER_TOKEN="$(secure_random 32)"
+  if [[ "${ENABLE_APISERVER_INSECURE_PORT:-true}" != "true" ]]; then
+    KUBE_BOOTSTRAP_TOKEN="$(secure_random 32)"
+  fi
   if [[ "${ENABLE_L7_LOADBALANCING:-}" == "glbc" ]]; then
     GCE_GLBC_TOKEN="$(secure_random 32)"
   fi
@@ -2892,6 +2905,7 @@ function main() {
     create-node-pki
     create-master-pki
     create-master-auth
+    ensure-bootstrap-kubectl-auth
     create-master-kubelet-auth
     create-master-etcd-auth
     create-master-etcd-apiserver-auth