always enable TokenRequest in GCE kube-up.sh

2018-11-08 20:36:53 -08:00 · 2018-11-08 20:36:53 -08:00 · f3611a6264
parent 7712766daf
commit f3611a6264
5 changed files with 7 additions and 20 deletions
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@ -455,11 +455,7 @@ ROTATE_CERTIFICATES="${ROTATE_CERTIFICATES:-}"
 # into kube-controller-manager via `--concurrent-service-syncs`
 CONCURRENT_SERVICE_SYNCS="${CONCURRENT_SERVICE_SYNCS:-}"
 if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
  FEATURE_GATES="${FEATURE_GATES},TokenRequest=true"
 SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
  SERVICEACCOUNT_API_AUDIENCES="https://kubernetes.default.svc"
 fi
 # Optional: Enable Node termination Handler for Preemptible and GPU VMs.
 # https://github.com/GoogleCloudPlatform/k8s-node-termination-handler
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@ -470,11 +470,7 @@ ROTATE_CERTIFICATES="${ROTATE_CERTIFICATES:-}"
 # into kube-controller-manager via `--concurrent-service-syncs`
 CONCURRENT_SERVICE_SYNCS="${CONCURRENT_SERVICE_SYNCS:-}"
 if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
  FEATURE_GATES="${FEATURE_GATES},TokenRequest=true"
 SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
  SERVICEACCOUNT_API_AUDIENCES="https://kubernetes.default.svc"
 fi
 # Optional: Enable Node termination Handler for Preemptible and GPU VMs.
 # https://github.com/GoogleCloudPlatform/k8s-node-termination-handler
--- a/cluster/gce/gci/apiserver_manifest_test.go
+++ b/cluster/gce/gci/apiserver_manifest_test.go
@ -55,6 +55,8 @@ readonly ETC_MANIFESTS=${KUBE_HOME}/etc/kubernetes/manifests
 readonly KUBE_API_SERVER_DOCKER_TAG=v1.11.0-alpha.0.1808_3c7452dc11645d-dirty
 readonly LOG_OWNER_USER=$(id -un)
 readonly LOG_OWNER_GROUP=$(id -gn)
 readonly SERVICEACCOUNT_ISSUER=https://foo.bar.baz
 readonly SERVICEACCOUNT_KEY_PATH=/foo/bar/baz.key
 {{if .EncryptionProviderConfig}}
 ENCRYPTION_PROVIDER_CONFIG={{.EncryptionProviderConfig}}
 {{end}}
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -1570,11 +1570,9 @@ function start-kube-apiserver {
  if [[ -n "${SERVICE_CLUSTER_IP_RANGE:-}" ]]; then
    params+=" --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
  fi
  if [[ -n "${SERVICEACCOUNT_ISSUER:-}" ]]; then
  params+=" --service-account-issuer=${SERVICEACCOUNT_ISSUER}"
  params+=" --service-account-api-audiences=${SERVICEACCOUNT_ISSUER}"
  params+=" --service-account-signing-key-file=${SERVICEACCOUNT_KEY_PATH}"
    params+=" --service-account-api-audiences=${SERVICEACCOUNT_API_AUDIENCES}"
  fi
  local audit_policy_config_mount=""
  local audit_policy_config_volume=""
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@ -1008,13 +1008,8 @@ ETCD_CA_CERT: $(yaml-quote ${ETCD_CA_CERT_BASE64:-})
 ETCD_PEER_KEY: $(yaml-quote ${ETCD_PEER_KEY_BASE64:-})
 ETCD_PEER_CERT: $(yaml-quote ${ETCD_PEER_CERT_BASE64:-})
 ENCRYPTION_PROVIDER_CONFIG: $(yaml-quote ${ENCRYPTION_PROVIDER_CONFIG:-})
 EOF
    if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
      cat >>$file <<EOF
 SERVICEACCOUNT_ISSUER: $(yaml-quote ${SERVICEACCOUNT_ISSUER:-})
 SERVICEACCOUNT_API_AUDIENCES: $(yaml-quote ${SERVICEACCOUNT_API_AUDIENCES:-})
 EOF
    fi
    # KUBE_APISERVER_REQUEST_TIMEOUT_SEC (if set) controls the --request-timeout
    # flag
    if [ -n "${KUBE_APISERVER_REQUEST_TIMEOUT_SEC:-}" ]; then