Merge pull request #51824 from ihmccreery/oss-mdc

Automatic merge from submit-queue (batch tested with PRs 51824, 50476, 52451, 52009, 52237) Allow metadata firewall & proxy on in GCE, off by default **What this PR does / why we need it**: Add necessary variables in kube-env to allow a user to turn on metadata firewall and proxy for K8s on GCE. Ref #8867. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: **Special notes for your reviewer**: **Release note**: ```release-note GCE users can enable the metadata firewall and metadata proxy with KUBE_FIREWALL_METADATA_SERVER and ENABLE_METADATA_PROXY, respectively. ```
2017-09-15 01:07:58 -07:00 · 2017-09-15 01:07:58 -07:00 · b3e641d7f3
parent 9d8c11924f 6930f5ac31
commit b3e641d7f3
3 changed files with 17 additions and 6 deletions
--- a/cluster/common.sh
+++ b/cluster/common.sh
@ -750,6 +750,16 @@ EOF
  if [ -n "${ENABLE_CUSTOM_METRICS:-}" ]; then
    cat >>$file <<EOF
 ENABLE_CUSTOM_METRICS: $(yaml-quote ${ENABLE_CUSTOM_METRICS})
+EOF
+  fi
+  if [ -n "${ENABLE_METADATA_PROXY:-}" ]; then
+    cat >>$file <<EOF
+ENABLE_METADATA_PROXY: $(yaml-quote ${ENABLE_METADATA_PROXY})
+EOF
+  fi
+  if [ -n "${KUBE_FIREWALL_METADATA_SERVER:-}" ]; then
+    cat >>$file <<EOF
+KUBE_FIREWALL_METADATA_SERVER: $(yaml-quote ${KUBE_FIREWALL_METADATA_SERVER})
 EOF
  fi
  if [ -n "${FEATURE_GATES:-}" ]; then
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@ -146,9 +146,11 @@ if [[ ${NETWORK_POLICY_PROVIDER:-} == "calico" ]]; then
 	NODE_LABELS="${NODE_LABELS},projectcalico.org/ds-ready=true"
 fi

-# Turn the simple metadata proxy on by default.
-ENABLE_METADATA_PROXY="${ENABLE_METADATA_PROXY:-simple}"
-if [[ ${ENABLE_METADATA_PROXY} != "false" ]]; then
+# Currently, ENABLE_METADATA_PROXY supports only "simple".  In the future, we
+# may add other options.
+ENABLE_METADATA_PROXY="${ENABLE_METADATA_PROXY:-}"
+# Apply the right node label if metadata proxy is on.
+if [[ ${ENABLE_METADATA_PROXY:-} == "simple" ]]; then
        NODE_LABELS="${NODE_LABELS},beta.kubernetes.io/metadata-proxy-ready=true"
 fi

--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@ -199,9 +199,8 @@ if [[ ${NETWORK_POLICY_PROVIDER:-} == "calico" ]]; then
 	NODE_LABELS="$NODE_LABELS,projectcalico.org/ds-ready=true"
 fi

-# Turn the simple metadata proxy on by default.
-ENABLE_METADATA_PROXY="${ENABLE_METADATA_PROXY:-simple}"
-if [[ ${ENABLE_METADATA_PROXY} != "false" ]]; then
+# Apply the right node label if metadata proxy is on.
+if [[ ${ENABLE_METADATA_PROXY:-} == "simple" ]]; then
        NODE_LABELS="${NODE_LABELS},beta.kubernetes.io/metadata-proxy-ready=true"
 fi