Specify --anonymous-auth=false for k8s 1.5

We'll expose this option as part of RBAC, but in the meantime explicitly specify the existing behaviour.
2016-12-13 00:54:12 -05:00 · 2016-12-13 00:54:12 -05:00 · 96243ee442
parent 8b60317b3f
commit 96243ee442
4 changed files with 53 additions and 1 deletions
--- a/pkg/apis/kops/componentconfig.go
+++ b/pkg/apis/kops/componentconfig.go
@ -392,6 +392,8 @@ type KubeAPIServerConfig struct {
 	// for KubeAPIServer, concatenated with commas. ex: `--runtime-config=key1=value1,key2=value2`.
 	// Use this to enable alpha resources on kube-apiserver
 	RuntimeConfig map[string]string `json:"runtimeConfig,omitempty" flag:"runtime-config"`
+
+	AnonymousAuth *bool `json:"anonymousAuth,omitempty" flag:"anonymous-auth"`
 }

 type KubeControllerManagerConfig struct {
--- a/pkg/apis/kops/v1alpha1/componentconfig.go
+++ b/pkg/apis/kops/v1alpha1/componentconfig.go
@ -389,6 +389,8 @@ type KubeAPIServerConfig struct {
 	AllowPrivileged       *bool             `json:"allowPrivileged,omitempty" flag:"allow-privileged"`
 	APIServerCount        *int              `json:"apiServerCount,omitempty" flag:"apiserver-count"`
 	RuntimeConfig         map[string]string `json:"runtimeConfig,omitempty" flag:"runtime-config"`
+
+	AnonymousAuth *bool `json:"anonymousAuth,omitempty" flag:"anonymous-auth"`
 }

 type KubeControllerManagerConfig struct {
--- a/upup/models/config/components/kube-apiserver/_k8s_1_5/kube-apiserver.options
+++ b/upup/models/config/components/kube-apiserver/_k8s_1_5/kube-apiserver.options
@ -6,4 +6,6 @@ KubeAPIServer:
  - ServiceAccount
  - PersistentVolumeLabel
  - DefaultStorageClass
-  - ResourceQuota
+  - ResourceQuota
+  # Stick with the pre-1.5 anonymous authentication modes
+  AnonymousAuth: false
--- a/upup/pkg/fi/cloudup/populatecluster_test.go
+++ b/upup/pkg/fi/cloudup/populatecluster_test.go
@ -379,3 +379,49 @@ func TestPopulateCluster_APIServerCount(t *testing.T) {
 		t.Fatalf("Unexpected APIServerCount: %v", fi.IntValue(full.Spec.KubeAPIServer.APIServerCount))
 	}
 }
+
+func TestPopulateCluster_AnonymousAuth(t *testing.T) {
+	c := buildMinimalCluster()
+	c.Spec.KubernetesVersion = "1.5.0"
+
+	err := c.PerformAssignments()
+	if err != nil {
+		t.Fatalf("error from PerformAssignments: %v", err)
+	}
+
+	addEtcdClusters(c)
+
+	full, err := PopulateClusterSpec(c)
+	if err != nil {
+		t.Fatalf("Unexpected error from PopulateCluster: %v", err)
+	}
+
+	if full.Spec.KubeAPIServer.AnonymousAuth == nil {
+		t.Fatalf("AnonymousAuth not specified")
+	}
+
+	if fi.BoolValue(full.Spec.KubeAPIServer.AnonymousAuth) != false {
+		t.Fatalf("Unexpected AnonymousAuth: %v", fi.BoolValue(full.Spec.KubeAPIServer.AnonymousAuth))
+	}
+}
+
+func TestPopulateCluster_AnonymousAuth_14(t *testing.T) {
+	c := buildMinimalCluster()
+	c.Spec.KubernetesVersion = "1.4.0"
+
+	err := c.PerformAssignments()
+	if err != nil {
+		t.Fatalf("error from PerformAssignments: %v", err)
+	}
+
+	addEtcdClusters(c)
+
+	full, err := PopulateClusterSpec(c)
+	if err != nil {
+		t.Fatalf("Unexpected error from PopulateCluster: %v", err)
+	}
+
+	if full.Spec.KubeAPIServer.AnonymousAuth != nil {
+		t.Fatalf("AnonymousAuth is not supported in 1.4")
+	}
+}