Merge pull request #60249 from mikedanese/id-gce

Automatic merge from submit-queue (batch tested with PRs 53689, 56880, 55856, 59289, 60249). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. gce: add support for enabling TokenRequest feature ref #58790 ```release-note NONE ```
2018-02-28 00:00:40 -08:00 · 2018-02-28 00:00:40 -08:00 · cd78e999f9
parent aa13f3fa2a 857690baf5
commit cd78e999f9
4 changed files with 23 additions and 0 deletions
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@ -399,3 +399,9 @@ ROTATE_CERTIFICATES="${ROTATE_CERTIFICATES:-}"
 # The number of services that are allowed to sync concurrently. Will be passed
 # into kube-controller-manager via `--concurrent-service-syncs`
 CONCURRENT_SERVICE_SYNCS="${CONCURRENT_SERVICE_SYNCS:-}"
+
+if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
+  FEATURE_GATES="${FEATURE_GATES},TokenRequest=true"
+  SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
+  SERVICEACCOUNT_API_AUDIENCES="https://kubernetes.default.svc"
+fi
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@ -442,3 +442,9 @@ ROTATE_CERTIFICATES="${ROTATE_CERTIFICATES:-}"
 # The number of services that are allowed to sync concurrently. Will be passed
 # into kube-controller-manager via `--concurrent-service-syncs`
 CONCURRENT_SERVICE_SYNCS="${CONCURRENT_SERVICE_SYNCS:-}"
+
+if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
+  FEATURE_GATES="${FEATURE_GATES},TokenRequest=true"
+  SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
+  SERVICEACCOUNT_API_AUDIENCES="https://kubernetes.default.svc"
+fi
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -1466,6 +1466,11 @@ function start-kube-apiserver {
  if [[ -n "${ETCD_QUORUM_READ:-}" ]]; then
    params+=" --etcd-quorum-read=${ETCD_QUORUM_READ}"
  fi
+  if [[ -n "${SERVICEACCOUNT_ISSUER:-}" ]]; then
+    params+=" --service-account-issuer=${SERVICEACCOUNT_ISSUER}"
+    params+=" --service-account-signing-key-file=${SERVICEACCOUNT_KEY_PATH}"
+    params+=" --service-account-api-audiences=${SERVICEACCOUNT_API_AUDIENCES}"
+  fi

  local audit_policy_config_mount=""
  local audit_policy_config_volume=""
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@ -819,6 +819,12 @@ ETCD_CA_CERT: $(yaml-quote ${ETCD_CA_CERT_BASE64:-})
 ETCD_PEER_KEY: $(yaml-quote ${ETCD_PEER_KEY_BASE64:-})
 ETCD_PEER_CERT: $(yaml-quote ${ETCD_PEER_CERT_BASE64:-})
 EOF
+    if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
+      cat >>$file <<EOF
+SERVICEACCOUNT_ISSUER: $(yaml-quote ${SERVICEACCOUNT_ISSUER:-})
+SERVICEACCOUNT_API_AUDIENCES: $(yaml-quote ${SERVICEACCOUNT_API_AUDIENCES:-})
+EOF
+    fi
    # KUBE_APISERVER_REQUEST_TIMEOUT_SEC (if set) controls the --request-timeout
    # flag
    if [ -n "${KUBE_APISERVER_REQUEST_TIMEOUT_SEC:-}" ]; then