Replace godep with dep

vendor/k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/clusterinfo/BUILD

@@ -0,0 +1,50 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["clusterinfo_test.go"],
+    library = ":go_default_library",
+    deps = [
+        "//pkg/api:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes/fake:go_default_library",
+        "//vendor/k8s.io/client-go/testing:go_default_library",
+    ],
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["clusterinfo.go"],
+    deps = [
+        "//cmd/kubeadm/app/util/apiclient:go_default_library",
+        "//pkg/apis/rbac/v1beta1:go_default_library",
+        "//pkg/bootstrap/api:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/api/rbac/v1beta1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes:go_default_library",
+        "//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
+        "//vendor/k8s.io/client-go/tools/clientcmd/api:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/clusterinfo/clusterinfo.go

@@ -0,0 +1,105 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clusterinfo
+
+import (
+	"fmt"
+
+	"k8s.io/api/core/v1"
+	rbac "k8s.io/api/rbac/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apiserver/pkg/authentication/user"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+	"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
+	rbachelper "k8s.io/kubernetes/pkg/apis/rbac/v1beta1"
+	bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api"
+)
+
+const (
+	// BootstrapSignerClusterRoleName sets the name for the ClusterRole that allows access to ConfigMaps in the kube-public ns
+	BootstrapSignerClusterRoleName = "kubeadm:bootstrap-signer-clusterinfo"
+)
+
+// CreateBootstrapConfigMapIfNotExists creates the kube-public ConfigMap if it doesn't exist already
+func CreateBootstrapConfigMapIfNotExists(client clientset.Interface, file string) error {
+
+	fmt.Printf("[bootstraptoken] Creating the %q ConfigMap in the %q namespace\n", bootstrapapi.ConfigMapClusterInfo, metav1.NamespacePublic)
+
+	adminConfig, err := clientcmd.LoadFromFile(file)
+	if err != nil {
+		return fmt.Errorf("failed to load admin kubeconfig [%v]", err)
+	}
+
+	adminCluster := adminConfig.Contexts[adminConfig.CurrentContext].Cluster
+	// Copy the cluster from admin.conf to the bootstrap kubeconfig, contains the CA cert and the server URL
+	bootstrapConfig := &clientcmdapi.Config{
+		Clusters: map[string]*clientcmdapi.Cluster{
+			"": adminConfig.Clusters[adminCluster],
+		},
+	}
+	bootstrapBytes, err := clientcmd.Write(*bootstrapConfig)
+	if err != nil {
+		return err
+	}
+
+	// Create or update the ConfigMap in the kube-public namespace
+	return apiclient.CreateOrUpdateConfigMap(client, &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      bootstrapapi.ConfigMapClusterInfo,
+			Namespace: metav1.NamespacePublic,
+		},
+		Data: map[string]string{
+			bootstrapapi.KubeConfigKey: string(bootstrapBytes),
+		},
+	})
+}
+
+// CreateClusterInfoRBACRules creates the RBAC rules for exposing the cluster-info ConfigMap in the kube-public namespace to unauthenticated users
+func CreateClusterInfoRBACRules(client clientset.Interface) error {
+	err := apiclient.CreateOrUpdateRole(client, &rbac.Role{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      BootstrapSignerClusterRoleName,
+			Namespace: metav1.NamespacePublic,
+		},
+		Rules: []rbac.PolicyRule{
+			rbachelper.NewRule("get").Groups("").Resources("configmaps").Names(bootstrapapi.ConfigMapClusterInfo).RuleOrDie(),
+		},
+	})
+	if err != nil {
+		return err
+	}
+
+	return apiclient.CreateOrUpdateRoleBinding(client, &rbac.RoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      BootstrapSignerClusterRoleName,
+			Namespace: metav1.NamespacePublic,
+		},
+		RoleRef: rbac.RoleRef{
+			APIGroup: rbac.GroupName,
+			Kind:     "Role",
+			Name:     BootstrapSignerClusterRoleName,
+		},
+		Subjects: []rbac.Subject{
+			{
+				Kind: rbac.UserKind,
+				Name: user.Anonymous,
+			},
+		},
+	})
+}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/clusterinfo/clusterinfo_test.go

@@ -0,0 +1,113 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clusterinfo
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+	"text/template"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	clientsetfake "k8s.io/client-go/kubernetes/fake"
+	core "k8s.io/client-go/testing"
+	"k8s.io/kubernetes/pkg/api"
+)
+
+var testConfigTempl = template.Must(template.New("test").Parse(`apiVersion: v1
+clusters:
+- cluster:
+    server: {{.Server}}
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: kubernetes-admin
+  name: kubernetes-admin@kubernetes
+current-context: kubernetes-admin@kubernetes
+kind: Config
+preferences: {}
+users:
+- name: kubernetes-admin`))
+
+func TestCreateBootstrapConfigMapIfNotExists(t *testing.T) {
+	tests := []struct {
+		name      string
+		createErr error
+		updateErr error
+		expectErr bool
+	}{
+		{
+			"successful case should have no error",
+			nil,
+			nil,
+			false,
+		},
+		{
+			"if both create and update errors, return error",
+			apierrors.NewAlreadyExists(api.Resource("configmaps"), "test"),
+			apierrors.NewUnauthorized("go away!"),
+			true,
+		},
+		{
+			"unexpected error should be returned",
+			apierrors.NewUnauthorized("go away!"),
+			nil,
+			true,
+		},
+	}
+
+	servers := []struct {
+		Server string
+	}{
+		{Server: "https://10.128.0.6:6443"},
+		{Server: "https://[2001:db8::6]:3446"},
+	}
+
+	for _, server := range servers {
+		file, err := ioutil.TempFile("", "")
+		if err != nil {
+			t.Fatalf("could not create tempfile: %v", err)
+		}
+		defer os.Remove(file.Name())
+
+		if err := testConfigTempl.Execute(file, server); err != nil {
+			t.Fatalf("could not write to tempfile: %v", err)
+		}
+
+		if err := file.Close(); err != nil {
+			t.Fatalf("could not close tempfile: %v", err)
+		}
+
+		for _, tc := range tests {
+			client := clientsetfake.NewSimpleClientset()
+			if tc.createErr != nil {
+				client.PrependReactor("create", "configmaps", func(action core.Action) (bool, runtime.Object, error) {
+					return true, nil, tc.createErr
+				})
+			}
+
+			err := CreateBootstrapConfigMapIfNotExists(client, file.Name())
+			if tc.expectErr && err == nil {
+				t.Errorf("CreateBootstrapConfigMapIfNotExists(%s) wanted error, got nil", tc.name)
+			} else if !tc.expectErr && err != nil {
+				t.Errorf("CreateBootstrapConfigMapIfNotExists(%s) returned unexpected error: %v", tc.name, err)
+			}
+		}
+	}
+}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/node/BUILD

@@ -0,0 +1,48 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["token_test.go"],
+    library = ":go_default_library",
+    deps = ["//cmd/kubeadm/app/apis/kubeadm:go_default_library"],
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "tlsbootstrap.go",
+        "token.go",
+    ],
+    deps = [
+        "//cmd/kubeadm/app/constants:go_default_library",
+        "//cmd/kubeadm/app/util/apiclient:go_default_library",
+        "//cmd/kubeadm/app/util/token:go_default_library",
+        "//pkg/apis/rbac/v1beta1:go_default_library",
+        "//pkg/bootstrap/api:go_default_library",
+        "//pkg/util/version:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/api/rbac/v1beta1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go

@@ -0,0 +1,106 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package node
+
+import (
+	"fmt"
+
+	rbac "k8s.io/api/rbac/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
+	"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
+	rbachelper "k8s.io/kubernetes/pkg/apis/rbac/v1beta1"
+	"k8s.io/kubernetes/pkg/util/version"
+)
+
+const (
+	// NodeBootstrapperClusterRoleName defines the name of the auto-bootstrapped ClusterRole for letting someone post a CSR
+	// TODO: This value should be defined in an other, generic authz package instead of here
+	NodeBootstrapperClusterRoleName = "system:node-bootstrapper"
+	// NodeKubeletBootstrap defines the name of the ClusterRoleBinding that lets kubelets post CSRs
+	NodeKubeletBootstrap = "kubeadm:kubelet-bootstrap"
+
+	// CSRAutoApprovalClusterRoleName defines the name of the auto-bootstrapped ClusterRole for making the csrapprover controller auto-approve the CSR
+	// TODO: This value should be defined in an other, generic authz package instead of here
+	CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
+	// NodeAutoApproveBootstrapClusterRoleBinding defines the name of the ClusterRoleBinding that makes the csrapprover approve node CSRs
+	NodeAutoApproveBootstrapClusterRoleBinding = "kubeadm:node-autoapprove-bootstrap"
+)
+
+// AllowBootstrapTokensToPostCSRs creates RBAC rules in a way the makes Node Bootstrap Tokens able to post CSRs
+func AllowBootstrapTokensToPostCSRs(client clientset.Interface, k8sVersion *version.Version) error {
+
+	fmt.Println("[bootstraptoken] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials")
+
+	return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: NodeKubeletBootstrap,
+		},
+		RoleRef: rbac.RoleRef{
+			APIGroup: rbac.GroupName,
+			Kind:     "ClusterRole",
+			Name:     NodeBootstrapperClusterRoleName,
+		},
+		Subjects: []rbac.Subject{
+			{
+				Kind: rbac.GroupKind,
+				Name: constants.GetNodeBootstrapTokenAuthGroup(k8sVersion),
+			},
+		},
+	})
+}
+
+// AutoApproveNodeBootstrapTokens creates RBAC rules in a way that makes Node Bootstrap Tokens' CSR auto-approved by the csrapprover controller
+func AutoApproveNodeBootstrapTokens(client clientset.Interface, k8sVersion *version.Version) error {
+
+	fmt.Println("[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token")
+
+	// TODO: When the v1.9 cycle starts (targeting v1.9 at HEAD) and v1.8.0 is the minimum supported version, we can remove this function as the ClusterRole will always exist
+	if k8sVersion.LessThan(constants.MinimumCSRAutoApprovalClusterRolesVersion) {
+
+		err := apiclient.CreateOrUpdateClusterRole(client, &rbac.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: CSRAutoApprovalClusterRoleName,
+			},
+			Rules: []rbac.PolicyRule{
+				rbachelper.NewRule("create").Groups("certificates.k8s.io").Resources("certificatesigningrequests/nodeclient").RuleOrDie(),
+			},
+		})
+		if err != nil {
+			return err
+		}
+	}
+
+	// Always create this kubeadm-specific binding though
+	return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: NodeAutoApproveBootstrapClusterRoleBinding,
+		},
+		RoleRef: rbac.RoleRef{
+			APIGroup: rbac.GroupName,
+			Kind:     "ClusterRole",
+			Name:     CSRAutoApprovalClusterRoleName,
+		},
+		Subjects: []rbac.Subject{
+			{
+				Kind: "Group",
+				Name: constants.GetNodeBootstrapTokenAuthGroup(k8sVersion),
+			},
+		},
+	})
+}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/node/token.go

@@ -0,0 +1,112 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package node
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientset "k8s.io/client-go/kubernetes"
+	tokenutil "k8s.io/kubernetes/cmd/kubeadm/app/util/token"
+	bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api"
+)
+
+const tokenCreateRetries = 5
+
+// TODO(mattmoyer): Move CreateNewToken, UpdateOrCreateToken and encodeTokenSecretData out of this package to client-go for a generic abstraction and client for a Bootstrap Token
+
+// CreateNewToken tries to create a token and fails if one with the same ID already exists
+func CreateNewToken(client clientset.Interface, token string, tokenDuration time.Duration, usages []string, extraGroups []string, description string) error {
+	return UpdateOrCreateToken(client, token, true, tokenDuration, usages, extraGroups, description)
+}
+
+// UpdateOrCreateToken attempts to update a token with the given ID, or create if it does not already exist.
+func UpdateOrCreateToken(client clientset.Interface, token string, failIfExists bool, tokenDuration time.Duration, usages []string, extraGroups []string, description string) error {
+	tokenID, tokenSecret, err := tokenutil.ParseToken(token)
+	if err != nil {
+		return err
+	}
+	secretName := fmt.Sprintf("%s%s", bootstrapapi.BootstrapTokenSecretPrefix, tokenID)
+	var lastErr error
+	for i := 0; i < tokenCreateRetries; i++ {
+		secret, err := client.CoreV1().Secrets(metav1.NamespaceSystem).Get(secretName, metav1.GetOptions{})
+		if err == nil {
+			if failIfExists {
+				return fmt.Errorf("a token with id %q already exists", tokenID)
+			}
+			// Secret with this ID already exists, update it:
+			secret.Data = encodeTokenSecretData(tokenID, tokenSecret, tokenDuration, usages, extraGroups, description)
+			if _, err := client.CoreV1().Secrets(metav1.NamespaceSystem).Update(secret); err == nil {
+				return nil
+			}
+			lastErr = err
+			continue
+		}
+
+		// Secret does not already exist:
+		if apierrors.IsNotFound(err) {
+			secret = &v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: secretName,
+				},
+				Type: v1.SecretType(bootstrapapi.SecretTypeBootstrapToken),
+				Data: encodeTokenSecretData(tokenID, tokenSecret, tokenDuration, usages, extraGroups, description),
+			}
+			if _, err := client.CoreV1().Secrets(metav1.NamespaceSystem).Create(secret); err == nil {
+				return nil
+			}
+			lastErr = err
+			continue
+		}
+
+	}
+	return fmt.Errorf(
+		"unable to create bootstrap token after %d attempts [%v]",
+		tokenCreateRetries,
+		lastErr,
+	)
+}
+
+// encodeTokenSecretData takes the token discovery object and an optional duration and returns the .Data for the Secret
+func encodeTokenSecretData(tokenID, tokenSecret string, duration time.Duration, usages []string, extraGroups []string, description string) map[string][]byte {
+	data := map[string][]byte{
+		bootstrapapi.BootstrapTokenIDKey:     []byte(tokenID),
+		bootstrapapi.BootstrapTokenSecretKey: []byte(tokenSecret),
+	}
+
+	if len(extraGroups) > 0 {
+		data[bootstrapapi.BootstrapTokenExtraGroupsKey] = []byte(strings.Join(extraGroups, ","))
+	}
+
+	if duration > 0 {
+		// Get the current time, add the specified duration, and format it accordingly
+		durationString := time.Now().Add(duration).Format(time.RFC3339)
+		data[bootstrapapi.BootstrapTokenExpirationKey] = []byte(durationString)
+	}
+	if len(description) > 0 {
+		data[bootstrapapi.BootstrapTokenDescriptionKey] = []byte(description)
+	}
+	for _, usage := range usages {
+		// TODO: Validate the usage string here before
+		data[bootstrapapi.BootstrapTokenUsagePrefix+usage] = []byte("true")
+	}
+	return data
+}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/node/token_test.go

@@ -0,0 +1,59 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package node
+
+import (
+	"bytes"
+	"testing"
+	"time"
+
+	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
+)
+
+func TestEncodeTokenSecretData(t *testing.T) {
+	var tests = []struct {
+		token *kubeadmapi.TokenDiscovery
+		t     time.Duration
+	}{
+		{token: &kubeadmapi.TokenDiscovery{ID: "foo", Secret: "bar"}},                 // should use default
+		{token: &kubeadmapi.TokenDiscovery{ID: "foo", Secret: "bar"}, t: time.Second}, // should use default
+	}
+	for _, rt := range tests {
+		actual := encodeTokenSecretData(rt.token.ID, rt.token.Secret, rt.t, []string{}, []string{}, "")
+		if !bytes.Equal(actual["token-id"], []byte(rt.token.ID)) {
+			t.Errorf(
+				"failed EncodeTokenSecretData:\n\texpected: %s\n\t  actual: %s",
+				rt.token.ID,
+				actual["token-id"],
+			)
+		}
+		if !bytes.Equal(actual["token-secret"], []byte(rt.token.Secret)) {
+			t.Errorf(
+				"failed EncodeTokenSecretData:\n\texpected: %s\n\t  actual: %s",
+				rt.token.Secret,
+				actual["token-secret"],
+			)
+		}
+		if rt.t > 0 {
+			if actual["expiration"] == nil {
+				t.Errorf(
+					"failed EncodeTokenSecretData, duration was not added to time",
+				)
+			}
+		}
+	}
+}