
Commit ff4c372

author
Jake Sanders
committed
ensure that kubectl works when the master insecure port is disabled
1 parent 9f1b04f commit ff4c372


1 file changed

+15
-1
lines changed


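--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -579,6 +579,9 @@ function create-master-auth {
 if [[ -n "${KUBE_BEARER_TOKEN:-}" ]]; then
 append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}," "admin,admin,system:masters"
 fi
+if [[ -n "${KUBE_BOOTSTRAP_TOKEN:-}" ]]; then
+append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BOOTSTRAP_TOKEN}," "system:cluster-bootstrap,uid:system:cluster-bootstrap,system:masters"
+fi
 if [[ -n "${KUBE_CONTROLLER_MANAGER_TOKEN:-}" ]]; then
 append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager"
 fi
@@ -2825,6 +2828,14 @@ function wait-till-apiserver-ready() {
 done
 }
 
+function ensure-bootstrap-kubectl-auth {
+# Creating an authenticated kubeconfig is only necessary if the insecure port is disabled.
+if [[ -n "${KUBE_BOOTSTRAP_TOKEN}" ]]; then
+create-kubeconfig "cluster-bootstrap" ${KUBE_BOOTSTRAP_TOKEN}
+export KUBECONFIG=/etc/srv/kubernetes/cluster-bootstrap/kubeconfig
+fi
+}
+
 ########### Main Function ###########
 function main() {
 echo "Start to configure instance for kubernetes"
@@ -2872,10 +2883,12 @@ function main() {
 fi
 fi
 
-# generate the controller manager, scheduler and cluster autoscaler tokens here since they are only used on the master.
 KUBE_CONTROLLER_MANAGER_TOKEN="$(secure_random 32)"
 KUBE_SCHEDULER_TOKEN="$(secure_random 32)"
 KUBE_CLUSTER_AUTOSCALER_TOKEN="$(secure_random 32)"
+if [[ "${ENABLE_APISERVER_INSECURE_PORT:-true}" != "true" ]]; then
+KUBE_BOOTSTRAP_TOKEN="$(secure_random 32)"
+fi
 if [[ "${ENABLE_L7_LOADBALANCING:-}" == "glbc" ]]; then
 GCE_GLBC_TOKEN="$(secure_random 32)"
 fi
@@ -2892,6 +2905,7 @@ function main() {
 create-node-pki
 create-master-pki
 create-master-auth
+ensure-bootstrap-kubectl-auth
 create-master-kubelet-auth
 create-master-etcd-auth
 create-master-etcd-apiserver-auth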
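Review bot: The new `KUBE_BOOTSTRAP_TOKEN` entry in create-master-auth binds a static token to `system:masters`, and nothing in the visible hunks removes it from `known_tokens_csv` or from the kubeconfig after bootstrap, so it stays a permanent cluster-admin credential on the master's disk. If that is intended, record it next to the entry, e.g. `# bootstrap token keeps system:masters for the life of the master; its kubeconfig must stay root-only`, and confirm that create-kubeconfig (not shown on this page) restricts the file mode. Separately, the guard in ensure-bootstrap-kubectl-auth expands `${KUBE_BOOTSTRAP_TOKEN}` without a default, although the visible part of main assigns it only when `ENABLE_APISERVER_INSECURE_PORT` is not `true`; if the script runs with nounset (not visible here), the default configuration would abort at that line. Use `if [[ -n "${KUBE_BOOTSTRAP_TOKEN:-}" ]]; then`, as the first hunk does, and quote the argument: `create-kubeconfig "cluster-bootstrap" "${KUBE_BOOTSTRAP_TOKEN}"`. The bodies of create-master-auth and main continue outside the hunks.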
