Add documentation and update text fixture

docs/cli/kops_create_secret.md

@@ -16,6 +16,9 @@ Create a secret
   # Create an new ssh public key called admin.
   kops create secret sshpublickey admin -i ~/.ssh/id_rsa.pub \
   --name k8s-cluster.example.com --state s3://example.com
+  
+  kops create secret nodedockercfg -i ~/.docker/config.json \
+  --name k8s-cluster.example.com --state s3://example.com
 ```
 
 ### Options inherited from parent commands
@@ -35,5 +38,6 @@ Create a secret
 
 ### SEE ALSO
 * [kops create](kops_create.md)	 - Create a resource by command line, filename or stdin.
+* [kops create secret nodedockercfg](kops_create_secret_nodedockercfg.md)	 - Create a node docker config.
 * [kops create secret sshpublickey](kops_create_secret_sshpublickey.md)	 - Create a ssh public key.
 

docs/cli/kops_create_secret_nodedockercfg.md

@@ -0,0 +1,48 @@
+
+<!--- This file is automatically generated by make gen-cli-docs; changes should be made in the go CLI command code (under cmd/kops) -->
+
+## kops create secret nodedockercfg
+
+Create a node docker config.
+
+### Synopsis
+
+
+Create a new node docker config, and store it in the state store. Use update to update it, this command will only create a new entry.
+
+```
+kops create secret nodedockercfg
+```
+
+### Examples
+
+```
+  # Create an new node docker config.
+  kops create secret nodedockerconfig -i /path/to/docker/config.json \
+  --name k8s-cluster.example.com --state s3://example.com
+```
+
+### Options
+
+```
+  -i, -- string   Path to node docker config
+```
+
+### Options inherited from parent commands
+
+```
+      --alsologtostderr                  log to standard error as well as files
+      --config string                    config file (default is $HOME/.kops.yaml)
+      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
+      --log_dir string                   If non-empty, write log files in this directory
+      --logtostderr                      log to standard error instead of files (default false)
+      --name string                      Name of cluster
+      --state string                     Location of state storage
+      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
+  -v, --v Level                          log level for V logs
+      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
+```
+
+### SEE ALSO
+* [kops create secret](kops_create_secret.md)	 - Create a secret.
+

docs/security.md

@@ -20,6 +20,15 @@ To change the SSH public key on an existing cluster:
 * `kops update cluster --yes` to reconfigure the auto-scaling groups
 * `kops rolling-update cluster --name <clustername> --yes` to immediately roll all the machines so they have the new key (optional)
 
+## Node Docker Configuration
+
+If you are using a private registry such as quay.io, you may be familiar with the inconvenience of managing the `imagePullSecrets` for each namespace. It can also be a pain to use [Kops Hooks ](cluster_spec.md#hooks) with private images. To configure docker on all nodes with access to one or more private registries:
+
+* `kops create secret --name <clustername> nodedockercfg -i ~/.docker/config.json`
+* `kops rolling-update cluster --name <clustername> --yes` to immediately roll all the machines so they have the new key (optional)
+
+This stores the `config.json` in `/root/.docker/config.json` on all nodes so that both Kubernetes and system containers may use the registries.
+
 ## IAM roles
 
 All Pods running on your cluster have access to underlying instance IAM role.

nodeup/pkg/model/tests/kubelet/featuregates/tasks.yaml

@@ -1,4 +1,5 @@
 contents: |
   DAEMON_ARGS="--feature-gates=AllowExtTrafficLocalEndpoints=false,ExperimentalCriticalPodAnnotation=true --node-labels=kubernetes.io/role=node,node-role.kubernetes.io/node= --cni-bin-dir=/opt/cni/bin/ --cni-conf-dir=/etc/cni/net.d/ --network-plugin-dir=/opt/cni/bin/"
+  HOME="/root"
 path: /etc/sysconfig/kubelet
 type: file