Add generated file

This PR adds generated files under pkg/client and vendor folder.

vendor/k8s.io/kubernetes/cmd/kubeadm/app/discovery/token/BUILD

@@ -0,0 +1,49 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["token.go"],
+    importpath = "k8s.io/kubernetes/cmd/kubeadm/app/discovery/token",
+    deps = [
+        "//cmd/kubeadm/app/apis/kubeadm:go_default_library",
+        "//cmd/kubeadm/app/constants:go_default_library",
+        "//cmd/kubeadm/app/util/kubeconfig:go_default_library",
+        "//cmd/kubeadm/app/util/pubkeypin:go_default_library",
+        "//pkg/controller/bootstrap:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
+        "//vendor/k8s.io/client-go/tools/bootstrap/token/api:go_default_library",
+        "//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
+        "//vendor/k8s.io/client-go/tools/clientcmd/api:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["token_test.go"],
+    embed = [":go_default_library"],
+    deps = [
+        "//cmd/kubeadm/app/util/kubeconfig:go_default_library",
+        "//vendor/k8s.io/client-go/tools/clientcmd/api:go_default_library",
+    ],
+)

vendor/k8s.io/kubernetes/cmd/kubeadm/app/discovery/token/token.go

@@ -0,0 +1,234 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package token
+
+import (
+	"bytes"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"sync"
+	"time"
+
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+	bootstrapapi "k8s.io/client-go/tools/bootstrap/token/api"
+	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
+	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
+	kubeconfigutil "k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig"
+	"k8s.io/kubernetes/cmd/kubeadm/app/util/pubkeypin"
+	"k8s.io/kubernetes/pkg/controller/bootstrap"
+)
+
+// BootstrapUser defines bootstrap user name
+const BootstrapUser = "token-bootstrap-client"
+
+// RetrieveValidatedClusterInfo connects to the API Server and tries to fetch the cluster-info ConfigMap
+// It then makes sure it can trust the API Server by looking at the JWS-signed tokens and (if cfg.DiscoveryTokenCACertHashes is not empty)
+// validating the cluster CA against a set of pinned public keys
+func RetrieveValidatedClusterInfo(cfg *kubeadmapi.NodeConfiguration) (*clientcmdapi.Cluster, error) {
+	token, err := kubeadmapi.NewBootstrapTokenString(cfg.DiscoveryToken)
+	if err != nil {
+		return nil, err
+	}
+
+	// Load the cfg.DiscoveryTokenCACertHashes into a pubkeypin.Set
+	pubKeyPins := pubkeypin.NewSet()
+	err = pubKeyPins.Allow(cfg.DiscoveryTokenCACertHashes...)
+	if err != nil {
+		return nil, err
+	}
+
+	// The function below runs for every endpoint, and all endpoints races with each other.
+	// The endpoint that wins the race and completes the task first gets its kubeconfig returned below
+	baseKubeConfig, err := runForEndpointsAndReturnFirst(cfg.DiscoveryTokenAPIServers, cfg.DiscoveryTimeout.Duration, func(endpoint string) (*clientcmdapi.Config, error) {
+
+		insecureBootstrapConfig := buildInsecureBootstrapKubeConfig(endpoint, cfg.ClusterName)
+		clusterName := insecureBootstrapConfig.Contexts[insecureBootstrapConfig.CurrentContext].Cluster
+
+		insecureClient, err := kubeconfigutil.ToClientSet(insecureBootstrapConfig)
+		if err != nil {
+			return nil, err
+		}
+
+		fmt.Printf("[discovery] Created cluster-info discovery client, requesting info from %q\n", insecureBootstrapConfig.Clusters[clusterName].Server)
+
+		// Make an initial insecure connection to get the cluster-info ConfigMap
+		var insecureClusterInfo *v1.ConfigMap
+		wait.PollImmediateInfinite(constants.DiscoveryRetryInterval, func() (bool, error) {
+			var err error
+			insecureClusterInfo, err = insecureClient.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(bootstrapapi.ConfigMapClusterInfo, metav1.GetOptions{})
+			if err != nil {
+				fmt.Printf("[discovery] Failed to request cluster info, will try again: [%s]\n", err)
+				return false, nil
+			}
+			return true, nil
+		})
+
+		// Validate the MAC on the kubeconfig from the ConfigMap and load it
+		insecureKubeconfigString, ok := insecureClusterInfo.Data[bootstrapapi.KubeConfigKey]
+		if !ok || len(insecureKubeconfigString) == 0 {
+			return nil, fmt.Errorf("there is no %s key in the %s ConfigMap. This API Server isn't set up for token bootstrapping, can't connect", bootstrapapi.KubeConfigKey, bootstrapapi.ConfigMapClusterInfo)
+		}
+		detachedJWSToken, ok := insecureClusterInfo.Data[bootstrapapi.JWSSignatureKeyPrefix+token.ID]
+		if !ok || len(detachedJWSToken) == 0 {
+			return nil, fmt.Errorf("token id %q is invalid for this cluster or it has expired. Use \"kubeadm token create\" on the master node to creating a new valid token", token.ID)
+		}
+		if !bootstrap.DetachedTokenIsValid(detachedJWSToken, insecureKubeconfigString, token.ID, token.Secret) {
+			return nil, fmt.Errorf("failed to verify JWS signature of received cluster info object, can't trust this API Server")
+		}
+		insecureKubeconfigBytes := []byte(insecureKubeconfigString)
+		insecureConfig, err := clientcmd.Load(insecureKubeconfigBytes)
+		if err != nil {
+			return nil, fmt.Errorf("couldn't parse the kubeconfig file in the %s configmap: %v", bootstrapapi.ConfigMapClusterInfo, err)
+		}
+
+		// If no TLS root CA pinning was specified, we're done
+		if pubKeyPins.Empty() {
+			fmt.Printf("[discovery] Cluster info signature and contents are valid and no TLS pinning was specified, will use API Server %q\n", endpoint)
+			return insecureConfig, nil
+		}
+
+		// Load the cluster CA from the Config
+		if len(insecureConfig.Clusters) != 1 {
+			return nil, fmt.Errorf("expected the kubeconfig file in the %s configmap to have a single cluster, but it had %d", bootstrapapi.ConfigMapClusterInfo, len(insecureConfig.Clusters))
+		}
+		var clusterCABytes []byte
+		for _, cluster := range insecureConfig.Clusters {
+			clusterCABytes = cluster.CertificateAuthorityData
+		}
+		clusterCA, err := parsePEMCert(clusterCABytes)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse cluster CA from the %s configmap: %v", bootstrapapi.ConfigMapClusterInfo, err)
+
+		}
+
+		// Validate the cluster CA public key against the pinned set
+		err = pubKeyPins.Check(clusterCA)
+		if err != nil {
+			return nil, fmt.Errorf("cluster CA found in %s configmap is invalid: %v", bootstrapapi.ConfigMapClusterInfo, err)
+		}
+
+		// Now that we know the proported cluster CA, connect back a second time validating with that CA
+		secureBootstrapConfig := buildSecureBootstrapKubeConfig(endpoint, clusterCABytes, clusterName)
+		secureClient, err := kubeconfigutil.ToClientSet(secureBootstrapConfig)
+		if err != nil {
+			return nil, err
+		}
+
+		fmt.Printf("[discovery] Requesting info from %q again to validate TLS against the pinned public key\n", insecureBootstrapConfig.Clusters[clusterName].Server)
+		var secureClusterInfo *v1.ConfigMap
+		wait.PollImmediateInfinite(constants.DiscoveryRetryInterval, func() (bool, error) {
+			var err error
+			secureClusterInfo, err = secureClient.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(bootstrapapi.ConfigMapClusterInfo, metav1.GetOptions{})
+			if err != nil {
+				fmt.Printf("[discovery] Failed to request cluster info, will try again: [%s]\n", err)
+				return false, nil
+			}
+			return true, nil
+		})
+
+		// Pull the kubeconfig from the securely-obtained ConfigMap and validate that it's the same as what we found the first time
+		secureKubeconfigBytes := []byte(secureClusterInfo.Data[bootstrapapi.KubeConfigKey])
+		if !bytes.Equal(secureKubeconfigBytes, insecureKubeconfigBytes) {
+			return nil, fmt.Errorf("the second kubeconfig from the %s configmap (using validated TLS) was different from the first", bootstrapapi.ConfigMapClusterInfo)
+		}
+
+		secureKubeconfig, err := clientcmd.Load(secureKubeconfigBytes)
+		if err != nil {
+			return nil, fmt.Errorf("couldn't parse the kubeconfig file in the %s configmap: %v", bootstrapapi.ConfigMapClusterInfo, err)
+		}
+
+		fmt.Printf("[discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server %q\n", endpoint)
+		return secureKubeconfig, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return kubeconfigutil.GetClusterFromKubeConfig(baseKubeConfig), nil
+}
+
+// buildInsecureBootstrapKubeConfig makes a KubeConfig object that connects insecurely to the API Server for bootstrapping purposes
+func buildInsecureBootstrapKubeConfig(endpoint, clustername string) *clientcmdapi.Config {
+	masterEndpoint := fmt.Sprintf("https://%s", endpoint)
+	bootstrapConfig := kubeconfigutil.CreateBasic(masterEndpoint, clustername, BootstrapUser, []byte{})
+	bootstrapConfig.Clusters[clustername].InsecureSkipTLSVerify = true
+	return bootstrapConfig
+}
+
+// buildSecureBootstrapKubeConfig makes a KubeConfig object that connects securely to the API Server for bootstrapping purposes (validating with the specified CA)
+func buildSecureBootstrapKubeConfig(endpoint string, caCert []byte, clustername string) *clientcmdapi.Config {
+	masterEndpoint := fmt.Sprintf("https://%s", endpoint)
+	bootstrapConfig := kubeconfigutil.CreateBasic(masterEndpoint, clustername, BootstrapUser, caCert)
+	return bootstrapConfig
+}
+
+// runForEndpointsAndReturnFirst loops the endpoints slice and let's the endpoints race for connecting to the master
+func runForEndpointsAndReturnFirst(endpoints []string, discoveryTimeout time.Duration, fetchKubeConfigFunc func(string) (*clientcmdapi.Config, error)) (*clientcmdapi.Config, error) {
+	stopChan := make(chan struct{})
+	var resultingKubeConfig *clientcmdapi.Config
+	var once sync.Once
+	var wg sync.WaitGroup
+	for _, endpoint := range endpoints {
+		wg.Add(1)
+		go func(apiEndpoint string) {
+			defer wg.Done()
+			wait.Until(func() {
+				fmt.Printf("[discovery] Trying to connect to API Server %q\n", apiEndpoint)
+				cfg, err := fetchKubeConfigFunc(apiEndpoint)
+				if err != nil {
+					fmt.Printf("[discovery] Failed to connect to API Server %q: %v\n", apiEndpoint, err)
+					return
+				}
+				fmt.Printf("[discovery] Successfully established connection with API Server %q\n", apiEndpoint)
+
+				// connection established, stop all wait threads
+				once.Do(func() {
+					close(stopChan)
+					resultingKubeConfig = cfg
+				})
+			}, constants.DiscoveryRetryInterval, stopChan)
+		}(endpoint)
+	}
+	select {
+	case <-time.After(discoveryTimeout):
+		close(stopChan)
+		err := fmt.Errorf("abort connecting to API servers after timeout of %v", discoveryTimeout)
+		fmt.Printf("[discovery] %v\n", err)
+		wg.Wait()
+		return nil, err
+	case <-stopChan:
+		wg.Wait()
+		return resultingKubeConfig, nil
+	}
+}
+
+// parsePEMCert decodes a PEM-formatted certificate and returns it as an x509.Certificate
+func parsePEMCert(certData []byte) (*x509.Certificate, error) {
+	pemBlock, trailingData := pem.Decode(certData)
+	if pemBlock == nil {
+		return nil, fmt.Errorf("invalid PEM data")
+	}
+	if len(trailingData) != 0 {
+		return nil, fmt.Errorf("trailing data after first PEM block")
+	}
+	return x509.ParseCertificate(pemBlock.Bytes)
+}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/discovery/token/token_test.go

@@ -0,0 +1,118 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package token
+
+import (
+	"strconv"
+	"testing"
+	"time"
+
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+	kubeconfigutil "k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig"
+)
+
+// testCertPEM is a simple self-signed test certificate issued with the openssl CLI:
+// openssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 -keyout /dev/null -out test.crt
+const testCertPEM = `
+-----BEGIN CERTIFICATE-----
+MIIDRDCCAiygAwIBAgIJAJgVaCXvC6HkMA0GCSqGSIb3DQEBBQUAMB8xHTAbBgNV
+BAMTFGt1YmVhZG0ta2V5cGlucy10ZXN0MCAXDTE3MDcwNTE3NDMxMFoYDzIxMTcw
+NjExMTc0MzEwWjAfMR0wGwYDVQQDExRrdWJlYWRtLWtleXBpbnMtdGVzdDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK0ba8mHU9UtYlzM1Own2Fk/XGjR
+J4uJQvSeGLtz1hID1IA0dLwruvgLCPadXEOw/f/IWIWcmT+ZmvIHZKa/woq2iHi5
++HLhXs7aG4tjKGLYhag1hLjBI7icqV7ovkjdGAt9pWkxEzhIYClFMXDjKpMSynu+
+YX6nZ9tic1cOkHmx2yiZdMkuriRQnpTOa7bb03OC1VfGl7gHlOAIYaj4539WCOr8
++ACTUMJUFEHcRZ2o8a/v6F9GMK+7SC8SJUI+GuroXqlMAdhEv4lX5Co52enYaClN
++D9FJLRpBv2YfiCQdJRaiTvCBSxEFz6BN+PtP5l2Hs703ZWEkOqCByM6HV8CAwEA
+AaOBgDB+MB0GA1UdDgQWBBRQgUX8MhK2rWBWQiPHWcKzoWDH5DBPBgNVHSMESDBG
+gBRQgUX8MhK2rWBWQiPHWcKzoWDH5KEjpCEwHzEdMBsGA1UEAxMUa3ViZWFkbS1r
+ZXlwaW5zLXRlc3SCCQCYFWgl7wuh5DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+BQUAA4IBAQCaAUif7Pfx3X0F08cxhx8/Hdx4jcJw6MCq6iq6rsXM32ge43t8OHKC
+pJW08dk58a3O1YQSMMvD6GJDAiAfXzfwcwY6j258b1ZlI9Ag0VokvhMl/XfdCsdh
+AWImnL1t4hvU5jLaImUUMlYxMcSfHBGAm7WJIZ2LdEfg6YWfZh+WGbg1W7uxLxk6
+y4h5rWdNnzBHWAGf7zJ0oEDV6W6RSwNXtC0JNnLaeIUm/6xdSddJlQPwUv8YH4jX
+c1vuFqTnJBPcb7W//R/GI2Paicm1cmns9NLnPR35exHxFTy+D1yxmGokpoPMdife
+aH+sfuxT8xeTPb3kjzF9eJTlnEquUDLM
+-----END CERTIFICATE-----`
+
+func TestRunForEndpointsAndReturnFirst(t *testing.T) {
+	tests := []struct {
+		endpoints        []string
+		expectedEndpoint string
+	}{
+		{
+			endpoints:        []string{"1", "2", "3"},
+			expectedEndpoint: "1",
+		},
+		{
+			endpoints:        []string{"6", "5"},
+			expectedEndpoint: "5",
+		},
+		{
+			endpoints:        []string{"10", "4"},
+			expectedEndpoint: "4",
+		},
+	}
+	for _, rt := range tests {
+		returnKubeConfig, err := runForEndpointsAndReturnFirst(rt.endpoints, 5*time.Minute, func(endpoint string) (*clientcmdapi.Config, error) {
+			timeout, _ := strconv.Atoi(endpoint)
+			time.Sleep(time.Second * time.Duration(timeout))
+			return kubeconfigutil.CreateBasic(endpoint, "foo", "foo", []byte{}), nil
+		})
+		if err != nil {
+			t.Errorf("unexpected error: %v for endpoint %s", err, rt.expectedEndpoint)
+		}
+		endpoint := returnKubeConfig.Clusters[returnKubeConfig.Contexts[returnKubeConfig.CurrentContext].Cluster].Server
+		if endpoint != rt.expectedEndpoint {
+			t.Errorf(
+				"failed TestRunForEndpointsAndReturnFirst:\n\texpected: %s\n\t  actual: %s",
+				endpoint,
+				rt.expectedEndpoint,
+			)
+		}
+	}
+}
+
+func TestParsePEMCert(t *testing.T) {
+	for _, testCase := range []struct {
+		name        string
+		input       []byte
+		expectValid bool
+	}{
+		{"invalid certificate data", []byte{0}, false},
+		{"certificate with junk appended", []byte(testCertPEM + "\nABC"), false},
+		{"multiple certificates", []byte(testCertPEM + "\n" + testCertPEM), false},
+		{"valid", []byte(testCertPEM), true},
+	} {
+		cert, err := parsePEMCert(testCase.input)
+		if testCase.expectValid {
+			if err != nil {
+				t.Errorf("failed TestParsePEMCert(%s): unexpected error %v", testCase.name, err)
+			}
+			if cert == nil {
+				t.Errorf("failed TestParsePEMCert(%s): returned nil", testCase.name)
+			}
+		} else {
+			if err == nil {
+				t.Errorf("failed TestParsePEMCert(%s): expected an error", testCase.name)
+			}
+			if cert != nil {
+				t.Errorf("failed TestParsePEMCert(%s): expected not to get a certificate back, but got one", testCase.name)
+			}
+		}
+	}
+}