Remove the bootstrap token logic from the cluster registry.

kubernetes-retired · Jan 17, 2018 · 511009d · 511009d
1 parent c6063c5
commit 511009d
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 45 deletions.
diff --git a/pkg/clusterregistry/authenticator/config.go b/pkg/clusterregistry/authenticator/config.go
@@ -57,10 +57,6 @@ type Config struct {
 	// BasicAuthFile is a path to a file that contains username/password pairs.
 	BasicAuthFile string
 
-	// BootstrapToken determines whether or not to enable authentication via
-	// BootstrapTokenAuthenticator.
-	BootstrapToken bool
-
 	// ClientCAFile is a path to a certificate that can be used to validate
 	// client certificates.
 	ClientCAFile string
@@ -85,10 +81,6 @@ type Config struct {
 	// RequestHeaderConfig contains information about authenticating via request
 	// headers.
 	RequestHeaderConfig *authenticatorfactory.RequestHeaderConfig
-
-	// BootstrapTokenAuthenticator is a token authenticator specifically for tokens
-	// used to bootstrap a cluster registry.
-	BootstrapTokenAuthenticator authenticator.Token
 }
 
 // New returns an authenticator.Request or an error that supports the standard
@@ -142,13 +134,6 @@ func (config Config) New() (authenticator.Request, *spec.SecurityDefinitions, er
 		tokenAuthenticators = append(tokenAuthenticators, tokenAuth)
 	}
 
-	if config.BootstrapToken {
-		if config.BootstrapTokenAuthenticator != nil {
-			// TODO: This can sometimes be nil because of
-			tokenAuthenticators = append(tokenAuthenticators, config.BootstrapTokenAuthenticator)
-		}
-	}
-
 	if len(config.WebhookTokenAuthnConfigFile) > 0 {
 		webhookTokenAuth, err := newWebhookTokenAuthenticator(config.WebhookTokenAuthnConfigFile, config.WebhookTokenAuthnCacheTTL)
 		if err != nil {

diff --git a/pkg/clusterregistry/options/authentication.go b/pkg/clusterregistry/options/authentication.go
@@ -29,12 +29,11 @@ import (
 )
 
 type StandaloneAuthenticationOptions struct {
-	Anonymous      *AnonymousAuthenticationOptions
-	BootstrapToken *BootstrapTokenAuthenticationOptions
-	ClientCert     *genericoptions.ClientCertAuthenticationOptions
-	PasswordFile   *PasswordFileAuthenticationOptions
-	TokenFile      *TokenFileAuthenticationOptions
-	WebHook        *WebHookAuthenticationOptions
+	Anonymous    *AnonymousAuthenticationOptions
+	ClientCert   *genericoptions.ClientCertAuthenticationOptions
+	PasswordFile *PasswordFileAuthenticationOptions
+	TokenFile    *TokenFileAuthenticationOptions
+	WebHook      *WebHookAuthenticationOptions
 
 	TokenSuccessCacheTTL time.Duration
 	TokenFailureCacheTTL time.Duration
@@ -44,10 +43,6 @@ type AnonymousAuthenticationOptions struct {
 	Allow bool
 }
 
-type BootstrapTokenAuthenticationOptions struct {
-	Enable bool
-}
-
 type PasswordFileAuthenticationOptions struct {
 	BasicAuthFile string
 }
@@ -71,7 +66,6 @@ func NewStandaloneAuthenticationOptions() *StandaloneAuthenticationOptions {
 func (s *StandaloneAuthenticationOptions) WithAll() *StandaloneAuthenticationOptions {
 	return s.
 		WithAnonymous().
-		WithBootstrapToken().
 		WithClientCert().
 		WithPasswordFile().
 		WithTokenFile().
@@ -83,11 +77,6 @@ func (s *StandaloneAuthenticationOptions) WithAnonymous() *StandaloneAuthenticat
 	return s
 }
 
-func (s *StandaloneAuthenticationOptions) WithBootstrapToken() *StandaloneAuthenticationOptions {
-	s.BootstrapToken = &BootstrapTokenAuthenticationOptions{}
-	return s
-}
-
 func (s *StandaloneAuthenticationOptions) WithClientCert() *StandaloneAuthenticationOptions {
 	s.ClientCert = &genericoptions.ClientCertAuthenticationOptions{}
 	return s
@@ -123,16 +112,6 @@ func (s *StandaloneAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 			"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.")
 	}
 
-	if s.BootstrapToken != nil {
-		fs.BoolVar(&s.BootstrapToken.Enable, "experimental-bootstrap-token-auth", s.BootstrapToken.Enable, ""+
-			"Deprecated (use --enable-bootstrap-token-auth).")
-		fs.MarkDeprecated("experimental-bootstrap-token-auth", "use --enable-bootstrap-token-auth instead.")
-
-		fs.BoolVar(&s.BootstrapToken.Enable, "enable-bootstrap-token-auth", s.BootstrapToken.Enable, ""+
-			"Enable to allow secrets of type 'bootstrap.kubernetes.io/token' in the 'kube-system' "+
-			"namespace to be used for TLS bootstrapping authentication.")
-	}
-
 	if s.ClientCert != nil {
 		s.ClientCert.AddFlags(fs)
 	}
@@ -191,10 +170,6 @@ func (s *StandaloneAuthenticationOptions) toAuthenticationConfig() authenticator
 		ret.Anonymous = s.Anonymous.Allow
 	}
 
-	if s.BootstrapToken != nil {
-		ret.BootstrapToken = s.BootstrapToken.Enable
-	}
-
 	if s.ClientCert != nil {
 		ret.ClientCAFile = s.ClientCert.ClientCA
 	}