Refactor master vs node kube-env and salt auth

[mbforbes]

Done for #7938 (as part of work on #6088)

+cc @roberthbailey

[mbforbes]

Running e2es, so don't merge yet.

[roberthbailey]

For reboots, you should put a guard around this like we do for the master auth, e.g. if [[ ! -e "${kubelet_auth_file}" ]]; then ... fi

[mbforbes]

Done. I figured I'd leave it because it seems idempotent, but I guess no reason to do it twice.

Actually, maybe that's a good question: do we actually want to re-do it every time, if it would be idempotent if it's the same, but allow it to be changed if the config does change?

Also, used single [ and ] to match what's been done in the master function, but happy to change them all to double if you'd prefer.

[roberthbailey]

A few nits, otherwise LGTM.

[roberthbailey]

@mbforbes I have a few commits in flight that are touching this same bit of code (creating auth bits for the master and nodes). I think this one should go in first, so can you address comments and re-ping when it's ready for review?

[mbforbes]

@roberthbailey should be ready for review again. Sorry for the delay—I was working on other stuff today as e2es were busted so I couldn't test this :-/

[mbforbes]

With that said, still haven't gotten to run e2es; I can do this tomorrow morning.

[roberthbailey]

LGTM assuming e2es pass.

[vmarmol]

/cc @dchen1107 @bakins we probably need to replicate this in the CoreOS setup

[mbforbes]

Found bugs and changed an if—ran e2es and they pass. Ping @zmerlynn

[bakins]

This should be fine on CoreOS on GCE. Running through tests to confirm.

[bakins]

I think we need to change https://github.com/GoogleCloudPlatform/kubernetes/blob/2f2816368f667bb81e6f59f910b0353604a6ccda/cluster/gce/coreos/node.yaml#L20 to use KUBELET_TOKEN. testing.

[bakins]

Confirmed that we need to change to using KUBLET_TOKEN in node.xml. Tests run with CoreOS as minion with this:

diff --git a/cluster/gce/coreos/node.yaml b/cluster/gce/coreos/node.yaml
index 884074f..97daf77 100644
--- a/cluster/gce/coreos/node.yaml
+++ b/cluster/gce/coreos/node.yaml
@@ -17,7 +17,7 @@ write_files:
       source /etc/kube-env

       /usr/bin/mkdir -p /var/lib/kubelet
-      /bin/echo  {\"BearerToken\": \"${KUBE_BEARER_TOKEN}\", \"Insecure\": true } > /var/lib/kubelet/kubernetes_auth
+      /bin/echo  {\"BearerToken\": \"${KUBELET_TOKEN}\", \"Insecure\": true } > /var/lib/kubelet/kubernetes_auth
   - path: /run/config-kube-proxy.sh
     permissions: "0755"
     content: |

[mbforbes]

@bakins huge thanks for checking this and giving the fix! I've made the change you wrote to gce/coreos/node.yaml and squashed into my first commit. I assume by "tests run" you mean "tests pass?"

@roberthbailey I think this is good

[bakins]

@mbforbes Yes, tests pass. Sorry for being unclear :) Thanks!

[zmerlynn]

LGTM