Handle auth files with BearerToken sections.

cluster/gce/util.sh

@@ -193,7 +193,8 @@ function get-password {
   KUBE_USER=admin
   KUBE_PASSWORD=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
 
-  # Store password for reuse.
+  # Remove this code, since in all use cases I can see, we are overwriting this
+  # at cluster creation time.
   cat << EOF > "$file"
 {
   "User": "$KUBE_USER",
@@ -203,6 +204,20 @@ EOF
   chmod 0600 "$file"
 }
 
+# Generate authentication token for admin user. Will
+# read from $HOME/.kubernetes_auth if available.
+#
+# Vars set:
+#   KUBE_ADMIN_TOKEN
+function get-admin-token {
+  local file="$HOME/.kubernetes_auth"
+  if [[ -r "$file" ]]; then
+    KUBE_ADMIN_TOKEN=$(cat "$file" | python -c 'import json,sys;print json.load(sys.stdin)["BearerToken"]')
+    return
+  fi
+  KUBE_ADMIN_TOKEN=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(32))')
+}
+
 # Instantiate a kubernetes cluster
 #
 # Assumed vars
@@ -375,6 +390,8 @@ function kube-up {
   local kube_key=".kubecfg.key"
   local ca_cert=".kubernetes.ca.crt"
 
+  # TODO: generate ADMIN (and KUBELET) tokens and put those in the master's
+  # config file.  Distribute the same way the htpasswd is done.
   (umask 077
    gcutil ssh "${MASTER_NAME}" sudo cat /usr/share/nginx/kubecfg.crt >"${HOME}/${kube_cert}" 2>/dev/null
    gcutil ssh "${MASTER_NAME}" sudo cat /usr/share/nginx/kubecfg.key >"${HOME}/${kube_key}" 2>/dev/null
@@ -386,7 +403,8 @@ function kube-up {
   "Password": "$KUBE_PASSWORD",
   "CAFile": "$HOME/$ca_cert",
   "CertFile": "$HOME/$kube_cert",
-  "KeyFile": "$HOME/$kube_key"
+  "KeyFile": "$HOME/$kube_key",
+  "BearerToken": "$KUBE_ADMIN_TOKEN"
 }
 EOF
 

cmd/e2e/e2e.go

@@ -88,6 +88,7 @@ func loadClientOrDie() *client.Client {
 	config.CAFile = auth.CAFile
 	config.CertFile = auth.CertFile
 	config.KeyFile = auth.KeyFile
+	config.BearerToken = auth.BearerToken
 	if auth.Insecure != nil {
 		config.Insecure = *auth.Insecure
 	}

cmd/kubecfg/kubecfg.go

@@ -216,6 +216,9 @@ func main() {
 		if auth.KeyFile != "" {
 			clientConfig.KeyFile = auth.KeyFile
 		}
+		if auth.BearerToken != "" {
+			clientConfig.BearerToken = auth.BearerToken
+		}
 		if auth.Insecure != nil {
 			clientConfig.Insecure = *auth.Insecure
 		}

pkg/kubecfg/kubecfg.go

@@ -52,12 +52,13 @@ func promptForString(field string, r io.Reader) string {
 }
 
 type AuthInfo struct {
-	User     string
-	Password string
-	CAFile   string
-	CertFile string
-	KeyFile  string
-	Insecure *bool
+	User        string
+	Password    string
+	CAFile      string
+	CertFile    string
+	KeyFile     string
+	BearerToken string
+	Insecure    *bool
 }
 
 type NamespaceInfo struct {

pkg/kubectl/cmd/cmd.go

@@ -171,6 +171,7 @@ func getKubeClient(cmd *cobra.Command) *client.Client {
 		config.CAFile = firstNonEmptyString(getFlagString(cmd, "certificate-authority"), authInfo.CAFile)
 		config.CertFile = firstNonEmptyString(getFlagString(cmd, "client-certificate"), authInfo.CertFile)
 		config.KeyFile = firstNonEmptyString(getFlagString(cmd, "client-key"), authInfo.KeyFile)
+		config.BearerToken = authInfo.BearerToken
 		// For config.Insecure, the command line ALWAYS overrides the authInfo
 		// file, regardless of its setting.
 		if insecureFlag := getFlagBoolPtr(cmd, "insecure-skip-tls-verify"); insecureFlag != nil {

pkg/kubectl/kubectl.go

@@ -59,12 +59,13 @@ func GetKubeClient(config *client.Config, matchVersion bool) (*client.Client, er
 }
 
 type AuthInfo struct {
-	User     string
-	Password string
-	CAFile   string
-	CertFile string
-	KeyFile  string
-	Insecure *bool
+	User        string
+	Password    string
+	CAFile      string
+	CertFile    string
+	KeyFile     string
+	BearerToken string
+	Insecure    *bool
 }
 
 // LoadAuthInfo parses an AuthInfo object from a file path. It prompts user and creates file if it doesn't exist.