From f3611a6264f7c814ff55b8c9ba12f05054541095 Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Thu, 8 Nov 2018 20:36:53 -0800
Subject: [PATCH] always enable TokenRequest in GCE kube-up.sh
---
 cluster/gce/config-default.sh | 6 +-----
 cluster/gce/config-test.sh | 6 +-----
 cluster/gce/gci/apiserver_manifest_test.go | 2 ++
 cluster/gce/gci/configure-helper.sh | 8 +++-----
 cluster/gce/util.sh | 5 -----
 5 files changed, 7 insertions(+), 20 deletions(-)
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 671c1a5db7..cadaafc0dd 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -455,11 +455,7 @@ ROTATE_CERTIFICATES="${ROTATE_CERTIFICATES:-}"
 # into kube-controller-manager via `--concurrent-service-syncs`
 CONCURRENT_SERVICE_SYNCS="${CONCURRENT_SERVICE_SYNCS:-}"
 
-if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
- FEATURE_GATES="${FEATURE_GATES},TokenRequest=true"
- SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
- SERVICEACCOUNT_API_AUDIENCES="https://kubernetes.default.svc"
-fi
+SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
 
 # Optional: Enable Node termination Handler for Preemptible and GPU VMs.
 # https://github.com/GoogleCloudPlatform/k8s-node-termination-handler
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index c9ce3694c5..caf16359e5 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
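Review bot: In cluster/gce/config-default.sh the new assignment `SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"` overwrites any value the operator exported, unlike the neighbouring settings that use the `${VAR:-}` form. The issuer is the `iss` claim the API server puts on service account tokens and checks on them, so it should stay overridable and stable across upgrades: `SERVICEACCOUNT_ISSUER="${SERVICEACCOUNT_ISSUER:-https://kubernetes.io/${CLUSTER_NAME}}"`. The hunk also drops `TokenRequest=true` from FEATURE_GATES, which presumably relies on the gate being on by default in every version this script deploys; a one-line comment saying so would help. The same points apply to the identical hunk in cluster/gce/config-test.sh.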
@@ -470,11 +470,7 @@ ROTATE_CERTIFICATES="${ROTATE_CERTIFICATES:-}"
 # into kube-controller-manager via `--concurrent-service-syncs`
 CONCURRENT_SERVICE_SYNCS="${CONCURRENT_SERVICE_SYNCS:-}"
 
-if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
- FEATURE_GATES="${FEATURE_GATES},TokenRequest=true"
- SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
- SERVICEACCOUNT_API_AUDIENCES="https://kubernetes.default.svc"
-fi
+SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
 
 # Optional: Enable Node termination Handler for Preemptible and GPU VMs.
 # https://github.com/GoogleCloudPlatform/k8s-node-termination-handler
diff --git a/cluster/gce/gci/apiserver_manifest_test.go b/cluster/gce/gci/apiserver_manifest_test.go
index 2b430bd429..db327771b3 100644
--- a/cluster/gce/gci/apiserver_manifest_test.go
+++ b/cluster/gce/gci/apiserver_manifest_test.go
@@ -55,6 +55,8 @@ readonly ETC_MANIFESTS=${KUBE_HOME}/etc/kubernetes/manifests
 readonly KUBE_API_SERVER_DOCKER_TAG=v1.11.0-alpha.0.1808_3c7452dc11645d-dirty
 readonly LOG_OWNER_USER=$(id -un)
 readonly LOG_OWNER_GROUP=$(id -gn)
+readonly SERVICEACCOUNT_ISSUER=https://foo.bar.baz
+readonly SERVICEACCOUNT_KEY_PATH=/foo/bar/baz.key
 {{if .EncryptionProviderConfig}}
 ENCRYPTION_PROVIDER_CONFIG={{.EncryptionProviderConfig}}
 {{end}}
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index f57f0ba6b6..c8cda248a5 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
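Review bot: Nothing visible in the apiserver_manifest_test.go hunk asserts that the generated manifest carries the new flags; the two fixture lines added to the kube-env template only supply values for the variables the script now expands. Since the flags are unconditional after this commit, a test case that checks the command line for `--service-account-issuer=https://foo.bar.baz`, `--service-account-api-audiences=https://foo.bar.baz` and `--service-account-signing-key-file=/foo/bar/baz.key` would catch a regression in issuer or audience wiring. The test functions themselves lie outside the hunk, so existing coverage cannot be confirmed from here.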
@@ -1570,11 +1570,9 @@ function start-kube-apiserver {
 if [[ -n "${SERVICE_CLUSTER_IP_RANGE:-}" ]]; then
 params+=" --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
 fi
- if [[ -n "${SERVICEACCOUNT_ISSUER:-}" ]]; then
- params+=" --service-account-issuer=${SERVICEACCOUNT_ISSUER}"
- params+=" --service-account-signing-key-file=${SERVICEACCOUNT_KEY_PATH}"
- params+=" --service-account-api-audiences=${SERVICEACCOUNT_API_AUDIENCES}"
- fi
+ params+=" --service-account-issuer=${SERVICEACCOUNT_ISSUER}"
+ params+=" --service-account-api-audiences=${SERVICEACCOUNT_ISSUER}"
+ params+=" --service-account-signing-key-file=${SERVICEACCOUNT_KEY_PATH}"
 
 local audit_policy_config_mount=""
 local audit_policy_config_volume=""
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 0f6af3a2c7..b7811bcf7d 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -1008,13 +1008,8 @@ ETCD_CA_CERT: $(yaml-quote ${ETCD_CA_CERT_BASE64:-})
 ETCD_PEER_KEY: $(yaml-quote ${ETCD_PEER_KEY_BASE64:-})
 ETCD_PEER_CERT: $(yaml-quote ${ETCD_PEER_CERT_BASE64:-})
 ENCRYPTION_PROVIDER_CONFIG: $(yaml-quote ${ENCRYPTION_PROVIDER_CONFIG:-})
-EOF
- if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
- cat >>$file <
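Review bot: In start-kube-apiserver (cluster/gce/gci/configure-helper.sh) the three service-account flags are now appended without the former `-n "${SERVICEACCOUNT_ISSUER:-}"` guard, so a master whose environment lacks SERVICEACCOUNT_ISSUER or SERVICEACCOUNT_KEY_PATH would either abort on an unset variable or start the API server with an empty issuer and signing-key path. Fail fast before building the flags, e.g. `: "${SERVICEACCOUNT_ISSUER:?must be set}"` and `: "${SERVICEACCOUNT_KEY_PATH:?must be set}"`. Separately, `--service-account-api-audiences` changes from `https://kubernetes.default.svc` to the issuer URL; if that is intended, a comment should say so, since tokens bound to the old audience would presumably stop validating. The function body continues outside the hunk.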