Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
fix typos: remove duplicated word in comments
**What this PR does / why we need it**: Remove the duplicated word `the` in comments
**Which issue this PR fixes** : fixes #
**Special notes for your reviewer**:
```release-note
NONE
```
This change adds the `--discovery-token-ca-cert-hash` and `--discovery-token-unsafe-skip-ca-verification` flags for `kubeadm join` and corresponding fields on the kubeadm NodeConfiguration struct. These flags configure enhanced TLS validation for token-based discovery.
The enhanced TLS validation works by pinning the public key hashes of the cluster CA. This is done by connecting to the `cluster-info` endpoint initially using an unvalidated/unsafe TLS connection. After the cluster info has been loaded, parsed, and validated with the existing symmetric signature/MAC scheme, the root CA is validated against the pinned public key set. A second request is made using validated/safe TLS using the newly-known CA and the result is validated to make sure the same `cluster-info` was returned from both requests.
This validation prevents a class of attacks where a leaked bootstrap token (such as from a compromised worker node) allows an attacker to impersonate the API server.
This change also update `kubeadm init` to print the correct `--discovery-token-ca-cert-hash` flag in the example `kubeadm join` command it prints at the end of initialization.
- Factor out token constants to kubeadmconstants.
- Move cmd/kubeadm/app/util/{,token/}tokens.go
- Use the token-id, token-secret, etc constants provided by the bootstrapapi package
- Move cmd/kubeadm/app/master/tokens.go to cmd/kubeadm/app/phases/token/csv.go
This refactor basically makes it possible to hook up kubeadm to the BootstrapSigner controller later on
Automatic merge from submit-queue
Implemented file and HTTPS based discovery for kubeadm
**What this PR does / why we need it**:
This PR implements both file and HTTPS based discovery for `kubeadm`.
**Which issue this PR fixes**:
fixes https://github.com/kubernetes/kubeadm/issues/93
fixes https://github.com/kubernetes/kubeadm/issues/94
**Special notes for your reviewer**:
I'd like to add some tests but 'm sure `kubeconfig` loading is already covered by other tests in `clientcmd` package.
/cc @luxas @pipejakob
Gavin