vendor updates

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/BUILD

@@ -27,6 +27,8 @@ go_library(
         "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/net:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library",
         "//vendor/k8s.io/client-go/kubernetes/scheme:go_default_library",
     ],
 )
@@ -40,8 +42,7 @@ go_test(
         "template_test.go",
         "version_test.go",
     ],
-    importpath = "k8s.io/kubernetes/cmd/kubeadm/app/util",
-    library = ":go_default_library",
+    embed = [":go_default_library"],
     deps = [
         "//cmd/kubeadm/app/apis/kubeadm:go_default_library",
         "//cmd/kubeadm/app/preflight:go_default_library",
@@ -60,6 +61,7 @@ filegroup(
     srcs = [
         ":package-srcs",
         "//cmd/kubeadm/app/util/apiclient:all-srcs",
+        "//cmd/kubeadm/app/util/audit:all-srcs",
         "//cmd/kubeadm/app/util/config:all-srcs",
         "//cmd/kubeadm/app/util/dryrun:all-srcs",
         "//cmd/kubeadm/app/util/kubeconfig:all-srcs",

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient/BUILD

@@ -20,7 +20,7 @@ go_library(
         "//cmd/kubeadm/app/constants:go_default_library",
         "//cmd/kubeadm/app/util:go_default_library",
         "//pkg/registry/core/service/ipallocator:go_default_library",
-        "//vendor/k8s.io/api/apps/v1beta2:go_default_library",
+        "//vendor/k8s.io/api/apps/v1:go_default_library",
         "//vendor/k8s.io/api/core/v1:go_default_library",
         "//vendor/k8s.io/api/rbac/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
@@ -28,6 +28,7 @@ go_library(
         "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/net:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
         "//vendor/k8s.io/client-go/dynamic:go_default_library",
         "//vendor/k8s.io/client-go/kubernetes:go_default_library",
@@ -58,8 +59,7 @@ go_test(
         "dryrunclient_test.go",
         "init_dryrun_test.go",
     ],
-    importpath = "k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient",
-    library = ":go_default_library",
+    embed = [":go_default_library"],
     deps = [
         "//vendor/k8s.io/api/core/v1:go_default_library",
         "//vendor/k8s.io/api/rbac/v1:go_default_library",

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient/clientbacked_dryrun.go

@@ -23,7 +23,6 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	kuberuntime "k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/dynamic"
 	clientset "k8s.io/client-go/kubernetes"
 	clientsetscheme "k8s.io/client-go/kubernetes/scheme"
@@ -148,7 +147,7 @@ func decodeUnversionedIntoAPIObject(action core.Action, unversionedObj runtime.O
 	if err != nil {
 		return nil, err
 	}
-	newObj, err := kuberuntime.Decode(clientsetscheme.Codecs.UniversalDecoder(action.GetResource().GroupVersion()), objBytes)
+	newObj, err := runtime.Decode(clientsetscheme.Codecs.UniversalDecoder(action.GetResource().GroupVersion()), objBytes)
 	if err != nil {
 		return nil, err
 	}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient/dryrunclient.go

@@ -85,10 +85,10 @@ func NewDryRunClient(drg DryRunGetter, w io.Writer) clientset.Interface {
 // This client doesn't apply changes to the backend. The client gets GET/LIST values from the DryRunGetter implementation.
 // This client logs all I/O to the writer w in YAML format
 func NewDryRunClientWithOpts(opts DryRunClientOptions) clientset.Interface {
-	// Build a chain of reactors to act like a normal clientset; but log everything's that happening and don't change any state
+	// Build a chain of reactors to act like a normal clientset; but log everything that is happening and don't change any state
 	client := fakeclientset.NewSimpleClientset()
 
-	// Build the chain of reactors. Order matters; first item here will be invoked first on match, then the second one will be evaluted, etc.
+	// Build the chain of reactors. Order matters; first item here will be invoked first on match, then the second one will be evaluated, etc.
 	defaultReactorChain := []core.Reactor{
 		// Log everything that happens. Default the object if it's about to be created/updated so that the logged object is representative.
 		&core.SimpleReactor{
@@ -223,7 +223,7 @@ func logDryRunAction(action core.Action, w io.Writer, marshalFunc MarshalFunc) {
 
 	patchAction, ok := action.(core.PatchAction)
 	if ok {
-		// Replace all occurences of \" with a simple " when printing
+		// Replace all occurrences of \" with a simple " when printing
 		fmt.Fprintf(w, "[dryrun] Attached patch:\n\t%s\n", strings.Replace(string(patchAction.GetPatch()), `\"`, `"`, -1))
 	}
 }

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient/idempotency.go

@@ -19,7 +19,7 @@ package apiclient
 import (
 	"fmt"
 
-	apps "k8s.io/api/apps/v1beta2"
+	apps "k8s.io/api/apps/v1"
 	"k8s.io/api/core/v1"
 	rbac "k8s.io/api/rbac/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -72,12 +72,12 @@ func CreateOrUpdateServiceAccount(client clientset.Interface, sa *v1.ServiceAcco
 
 // CreateOrUpdateDeployment creates a Deployment if the target resource doesn't exist. If the resource exists already, this function will update the resource instead.
 func CreateOrUpdateDeployment(client clientset.Interface, deploy *apps.Deployment) error {
-	if _, err := client.AppsV1beta2().Deployments(deploy.ObjectMeta.Namespace).Create(deploy); err != nil {
+	if _, err := client.AppsV1().Deployments(deploy.ObjectMeta.Namespace).Create(deploy); err != nil {
 		if !apierrors.IsAlreadyExists(err) {
 			return fmt.Errorf("unable to create deployment: %v", err)
 		}
 
-		if _, err := client.AppsV1beta2().Deployments(deploy.ObjectMeta.Namespace).Update(deploy); err != nil {
+		if _, err := client.AppsV1().Deployments(deploy.ObjectMeta.Namespace).Update(deploy); err != nil {
 			return fmt.Errorf("unable to update deployment: %v", err)
 		}
 	}
@@ -86,12 +86,12 @@ func CreateOrUpdateDeployment(client clientset.Interface, deploy *apps.Deploymen
 
 // CreateOrUpdateDaemonSet creates a DaemonSet if the target resource doesn't exist. If the resource exists already, this function will update the resource instead.
 func CreateOrUpdateDaemonSet(client clientset.Interface, ds *apps.DaemonSet) error {
-	if _, err := client.AppsV1beta2().DaemonSets(ds.ObjectMeta.Namespace).Create(ds); err != nil {
+	if _, err := client.AppsV1().DaemonSets(ds.ObjectMeta.Namespace).Create(ds); err != nil {
 		if !apierrors.IsAlreadyExists(err) {
 			return fmt.Errorf("unable to create daemonset: %v", err)
 		}
 
-		if _, err := client.AppsV1beta2().DaemonSets(ds.ObjectMeta.Namespace).Update(ds); err != nil {
+		if _, err := client.AppsV1().DaemonSets(ds.ObjectMeta.Namespace).Update(ds); err != nil {
 			return fmt.Errorf("unable to update daemonset: %v", err)
 		}
 	}
@@ -104,7 +104,7 @@ func DeleteDaemonSetForeground(client clientset.Interface, namespace, name strin
 	deleteOptions := &metav1.DeleteOptions{
 		PropagationPolicy: &foregroundDelete,
 	}
-	return client.AppsV1beta2().DaemonSets(namespace).Delete(name, deleteOptions)
+	return client.AppsV1().DaemonSets(namespace).Delete(name, deleteOptions)
 }
 
 // DeleteDeploymentForeground deletes the specified Deployment in foreground mode; i.e. it blocks until/makes sure all the managed Pods are deleted
@@ -113,7 +113,7 @@ func DeleteDeploymentForeground(client clientset.Interface, namespace, name stri
 	deleteOptions := &metav1.DeleteOptions{
 		PropagationPolicy: &foregroundDelete,
 	}
-	return client.AppsV1beta2().Deployments(namespace).Delete(name, deleteOptions)
+	return client.AppsV1().Deployments(namespace).Delete(name, deleteOptions)
 }
 
 // CreateOrUpdateRole creates a Role if the target resource doesn't exist. If the resource exists already, this function will update the resource instead.

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient/wait.go

@@ -27,12 +27,13 @@ import (
 	"k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	netutil "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
 )
 
-// Waiter is an interface for waiting for criterias in Kubernetes to happen
+// Waiter is an interface for waiting for criteria in Kubernetes to happen
 type Waiter interface {
 	// WaitForAPI waits for the API Server's /healthz endpoint to become "ok"
 	WaitForAPI() error
@@ -132,7 +133,8 @@ func (w *KubeWaiter) WaitForPodToDisappear(podName string) error {
 func (w *KubeWaiter) WaitForHealthyKubelet(initalTimeout time.Duration, healthzEndpoint string) error {
 	time.Sleep(initalTimeout)
 	return TryRunCommand(func() error {
-		resp, err := http.Get(healthzEndpoint)
+		client := &http.Client{Transport: netutil.SetOldTransportDefaults(&http.Transport{})}
+		resp, err := client.Get(healthzEndpoint)
 		if err != nil {
 			fmt.Printf("[kubelet-check] It seems like the kubelet isn't running or healthy.\n")
 			fmt.Printf("[kubelet-check] The HTTP call equal to 'curl -sSL %s' failed with error: %v.\n", healthzEndpoint, err)
@@ -193,7 +195,7 @@ func (w *KubeWaiter) WaitForStaticPodSingleHash(nodeName string, component strin
 }
 
 // WaitForStaticPodControlPlaneHashChange blocks until it timeouts or notices that the Mirror Pod (for the Static Pod, respectively) has changed
-// This implicitely means this function blocks until the kubelet has restarted the Static Pod in question
+// This implicitly means this function blocks until the kubelet has restarted the Static Pod in question
 func (w *KubeWaiter) WaitForStaticPodControlPlaneHashChange(nodeName, component, previousHash string) error {
 	return wait.PollImmediate(constants.APICallRetryInterval, w.timeout, func() (bool, error) {
 

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/audit/BUILD

@@ -0,0 +1,39 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["utils.go"],
+    importpath = "k8s.io/kubernetes/cmd/kubeadm/app/util/audit",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//cmd/kubeadm/app/util:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/apis/audit/v1beta1:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes/scheme:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["utils_test.go"],
+    embed = [":go_default_library"],
+    deps = [
+        "//pkg/kubectl/scheme:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/apis/audit/v1beta1:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/audit/utils.go

@@ -0,0 +1,67 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package audit
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	auditv1beta1 "k8s.io/apiserver/pkg/apis/audit/v1beta1"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/kubernetes/cmd/kubeadm/app/util"
+)
+
+// CreateDefaultAuditLogPolicy writes the default audit log policy to disk.
+func CreateDefaultAuditLogPolicy(policyFile string) error {
+	policy := auditv1beta1.Policy{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "audit.k8s.io/v1beta1",
+			Kind:       "Policy",
+		},
+		Rules: []auditv1beta1.PolicyRule{
+			{
+				Level: auditv1beta1.LevelMetadata,
+			},
+		},
+	}
+	return writePolicyToDisk(policyFile, &policy)
+}
+
+func writePolicyToDisk(policyFile string, policy *auditv1beta1.Policy) error {
+	// creates target folder if not already exists
+	if err := os.MkdirAll(filepath.Dir(policyFile), 0700); err != nil {
+		return fmt.Errorf("failed to create directory %q: %v", filepath.Dir(policyFile), err)
+	}
+
+	// Registers auditv1beta1 with the runtime Scheme
+	auditv1beta1.AddToScheme(scheme.Scheme)
+
+	// writes the policy to disk
+	serialized, err := util.MarshalToYaml(policy, auditv1beta1.SchemeGroupVersion)
+	if err != nil {
+		return fmt.Errorf("failed to marshal audit policy to YAML: %v", err)
+	}
+
+	if err := ioutil.WriteFile(policyFile, serialized, 0600); err != nil {
+		return fmt.Errorf("failed to write audit policy to %v: %v", policyFile, err)
+	}
+
+	return nil
+}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/audit/utils_test.go

@@ -0,0 +1,61 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package audit
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	auditv1beta1 "k8s.io/apiserver/pkg/apis/audit/v1beta1"
+	"k8s.io/kubernetes/pkg/kubectl/scheme"
+)
+
+func cleanup(t *testing.T, path string) {
+	err := os.RemoveAll(path)
+	if err != nil {
+		t.Fatalf("Failed to clean up %v: %v", path, err)
+	}
+}
+
+func TestCreateDefaultAuditLogPolicy(t *testing.T) {
+	// make a tempdir
+	tempDir, err := ioutil.TempDir("/tmp", "audit-test")
+	if err != nil {
+		t.Fatalf("could not create a tempdir: %v", err)
+	}
+	defer cleanup(t, tempDir)
+	auditPolicyFile := filepath.Join(tempDir, "test.yaml")
+	if err = CreateDefaultAuditLogPolicy(auditPolicyFile); err != nil {
+		t.Fatalf("failed to create audit log policy: %v", err)
+	}
+	// turn the audit log back into a policy
+	policyBytes, err := ioutil.ReadFile(auditPolicyFile)
+	if err != nil {
+		t.Fatalf("failed to read %v: %v", auditPolicyFile, err)
+	}
+	policy := auditv1beta1.Policy{}
+	err = runtime.DecodeInto(scheme.Codecs.UniversalDecoder(), policyBytes, &policy)
+	if err != nil {
+		t.Fatalf("failed to decode written policy: %v", err)
+	}
+	if policy.Kind != "Policy" {
+		t.Fatalf("did not decode policy properly")
+	}
+}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/config/BUILD

@@ -28,8 +28,7 @@ go_library(
 go_test(
     name = "go_default_test",
     srcs = ["masterconfig_test.go"],
-    importpath = "k8s.io/kubernetes/cmd/kubeadm/app/util/config",
-    library = ":go_default_library",
+    embed = [":go_default_library"],
 )
 
 filegroup(

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/config/masterconfig.go

@@ -34,7 +34,7 @@ import (
 	"k8s.io/kubernetes/pkg/util/version"
 )
 
-// SetInitDynamicDefaults checks and sets conifugration values for Master node
+// SetInitDynamicDefaults checks and sets configuration values for Master node
 func SetInitDynamicDefaults(cfg *kubeadmapi.MasterConfiguration) error {
 
 	// Choose the right address for the API Server to advertise. If the advertise address is localhost or 0.0.0.0, the default interface's IP address is used

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/endpoint.go

@@ -21,12 +21,14 @@ import (
 	"net"
 	"strconv"
 
+	"k8s.io/apimachinery/pkg/util/validation"
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 )
 
 // GetMasterEndpoint returns a properly formatted Master Endpoint
 // or passes the error from GetMasterHostPort.
 func GetMasterEndpoint(cfg *kubeadmapi.MasterConfiguration) (string, error) {
+
 	hostPort, err := GetMasterHostPort(cfg)
 	if err != nil {
 		return "", err
@@ -37,15 +39,25 @@ func GetMasterEndpoint(cfg *kubeadmapi.MasterConfiguration) (string, error) {
 // GetMasterHostPort returns a properly formatted Master IP/port pair or error
 // if the IP address can not be parsed or port is outside the valid TCP range.
 func GetMasterHostPort(cfg *kubeadmapi.MasterConfiguration) (string, error) {
-	masterIP := net.ParseIP(cfg.API.AdvertiseAddress)
-	if masterIP == nil {
-		return "", fmt.Errorf("error parsing address %s", cfg.API.AdvertiseAddress)
+	var masterIP string
+	if len(cfg.API.ControlPlaneEndpoint) > 0 {
+		errs := validation.IsDNS1123Subdomain(cfg.API.ControlPlaneEndpoint)
+		if len(errs) > 0 {
+			return "", fmt.Errorf("error parsing `ControlPlaneEndpoint` to valid dns subdomain with errors: %s", errs)
+		}
+		masterIP = cfg.API.ControlPlaneEndpoint
+	} else {
+		ip := net.ParseIP(cfg.API.AdvertiseAddress)
+		if ip == nil {
+			return "", fmt.Errorf("error parsing address %s", cfg.API.AdvertiseAddress)
+		}
+		masterIP = ip.String()
 	}
 
 	if cfg.API.BindPort < 0 || cfg.API.BindPort > 65535 {
 		return "", fmt.Errorf("api server port must be between 0 and 65535")
 	}
 
-	hostPort := net.JoinHostPort(masterIP.String(), strconv.Itoa(int(cfg.API.BindPort)))
+	hostPort := net.JoinHostPort(masterIP, strconv.Itoa(int(cfg.API.BindPort)))
 	return hostPort, nil
 }

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/endpoint_test.go

@@ -29,6 +29,40 @@ func TestGetMasterEndpoint(t *testing.T) {
 		endpoint string
 		expected bool
 	}{
+		{
+			name: "bad controlplane endpooint dns",
+			cfg: &kubeadmapi.MasterConfiguration{
+				API: kubeadmapi.API{
+					ControlPlaneEndpoint: "bad!!cp.k8s.io",
+					BindPort:             1234,
+				},
+			},
+			endpoint: "https://cp.k8s.io:1234",
+			expected: false,
+		},
+		{
+			name: "both DNS and IP passed",
+			cfg: &kubeadmapi.MasterConfiguration{
+				API: kubeadmapi.API{
+					AdvertiseAddress:     "1.2.3.4",
+					ControlPlaneEndpoint: "cp.k8s.io",
+					BindPort:             1234,
+				},
+			},
+			endpoint: "https://cp.k8s.io:1234",
+			expected: true,
+		},
+		{
+			name: "valid DNS endpoint",
+			cfg: &kubeadmapi.MasterConfiguration{
+				API: kubeadmapi.API{
+					ControlPlaneEndpoint: "cp.k8s.io",
+					BindPort:             1234,
+				},
+			},
+			endpoint: "https://cp.k8s.io:1234",
+			expected: true,
+		},
 		{
 			name: "valid IPv4 endpoint",
 			cfg: &kubeadmapi.MasterConfiguration{

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig/BUILD

@@ -9,8 +9,7 @@ load(
 go_test(
     name = "go_default_test",
     srcs = ["kubeconfig_test.go"],
-    importpath = "k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig",
-    library = ":go_default_library",
+    embed = [":go_default_library"],
 )
 
 go_library(

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/marshal.go

@@ -18,7 +18,6 @@ package util
 
 import (
 	"fmt"
-	"strings"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -42,18 +41,3 @@ func MarshalToYamlForCodecs(obj runtime.Object, gv schema.GroupVersion, codecs s
 	encoder := codecs.EncoderForVersion(info.Serializer, gv)
 	return runtime.Encode(encoder, obj)
 }
-
-// MarshalToYamlForCodecsWithShift adds spaces in front of each line so the indents line up
-// correctly in the manifest
-func MarshalToYamlForCodecsWithShift(obj runtime.Object, gv schema.GroupVersion, codecs serializer.CodecFactory) (string, error) {
-	serial, err := MarshalToYamlForCodecs(obj, gv, codecs)
-	if err != nil {
-		return "", err
-	}
-	lines := strings.Split(string(serial), "\n")
-	var newSerial string
-	for _, line := range lines {
-		newSerial = newSerial + "    " + line + "\n"
-	}
-	return newSerial, err
-}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/pubkeypin/BUILD

@@ -9,8 +9,7 @@ load(
 go_test(
     name = "go_default_test",
     srcs = ["pubkeypin_test.go"],
-    importpath = "k8s.io/kubernetes/cmd/kubeadm/app/util/pubkeypin",
-    library = ":go_default_library",
+    embed = [":go_default_library"],
 )
 
 go_library(

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod/BUILD

@@ -9,11 +9,11 @@ load(
 go_test(
     name = "go_default_test",
     srcs = ["utils_test.go"],
-    importpath = "k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod",
-    library = ":go_default_library",
+    embed = [":go_default_library"],
     deps = [
         "//cmd/kubeadm/app/apis/kubeadm:go_default_library",
         "//cmd/kubeadm/app/constants:go_default_library",
+        "//cmd/kubeadm/app/features:go_default_library",
         "//vendor/k8s.io/api/core/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
@@ -27,6 +27,7 @@ go_library(
     deps = [
         "//cmd/kubeadm/app/apis/kubeadm:go_default_library",
         "//cmd/kubeadm/app/constants:go_default_library",
+        "//cmd/kubeadm/app/features:go_default_library",
         "//cmd/kubeadm/app/util:go_default_library",
         "//pkg/kubelet/types:go_default_library",
         "//vendor/k8s.io/api/core/v1:go_default_library",

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod/utils.go

@@ -29,6 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/kubernetes/cmd/kubeadm/app/features"
 
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
@@ -172,7 +173,7 @@ func WriteStaticPodToDisk(componentName, manifestDir string, pod v1.Pod) error {
 
 	filename := kubeadmconstants.GetStaticPodFilepath(componentName, manifestDir)
 
-	if err := ioutil.WriteFile(filename, serialized, 0700); err != nil {
+	if err := ioutil.WriteFile(filename, serialized, 0600); err != nil {
 		return fmt.Errorf("failed to write static pod manifest file for %q (%q): %v", componentName, filename, err)
 	}
 
@@ -184,7 +185,16 @@ func WriteStaticPodToDisk(componentName, manifestDir string, pod v1.Pod) error {
 func GetProbeAddress(cfg *kubeadmapi.MasterConfiguration, componentName string) string {
 	switch {
 	case componentName == kubeadmconstants.KubeAPIServer:
-		if cfg.API.AdvertiseAddress != "" {
+		// In the case of a self-hosted deployment, the initial host on which kubeadm --init is run,
+		// will generate a DaemonSet with a nodeSelector such that all nodes with the label
+		// node-role.kubernetes.io/master='' will have the API server deployed to it. Since the init
+		// is run only once on an initial host, the API advertise address will be invalid for any
+		// future hosts that do not have the same address. Furthermore, since liveness and readiness
+		// probes do not support the Downward API we cannot dynamically set the advertise address to
+		// the node's IP. The only option then is to use localhost.
+		if features.Enabled(cfg.FeatureGates, features.SelfHosting) {
+			return "127.0.0.1"
+		} else if cfg.API.AdvertiseAddress != "" {
 			return cfg.API.AdvertiseAddress
 		}
 	case componentName == kubeadmconstants.KubeControllerManager:

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod/utils_test.go

@@ -24,6 +24,7 @@ import (
 	"k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/kubernetes/cmd/kubeadm/app/features"
 
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
@@ -61,6 +62,22 @@ func TestComponentProbe(t *testing.T) {
 			scheme:    v1.URISchemeHTTP,
 			expected:  "127.0.0.1",
 		},
+		{
+			name: "default apiserver advertise address with http",
+			cfg: &kubeadmapi.MasterConfiguration{
+				API: kubeadmapi.API{
+					AdvertiseAddress: "1.2.3.4",
+				},
+				FeatureGates: map[string]bool{
+					features.SelfHosting: true,
+				},
+			},
+			component: kubeadmconstants.KubeAPIServer,
+			port:      1,
+			path:      "foo",
+			scheme:    v1.URISchemeHTTP,
+			expected:  "127.0.0.1",
+		},
 		{
 			name: "default apiserver advertise address with https",
 			cfg: &kubeadmapi.MasterConfiguration{

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/template_test.go

@@ -21,9 +21,9 @@ import (
 )
 
 const (
-	validTmpl    = "image: {{ .ImageRepository }}/pause-{{ .Arch }}:3.0"
-	validTmplOut = "image: gcr.io/google_containers/pause-amd64:3.0"
-	doNothing    = "image: gcr.io/google_containers/pause-amd64:3.0"
+	validTmpl    = "image: {{ .ImageRepository }}/pause-{{ .Arch }}:3.1"
+	validTmplOut = "image: k8s.gcr.io/pause-amd64:3.1"
+	doNothing    = "image: k8s.gcr.io/pause-amd64:3.1"
 	invalidTmpl1 = "{{ .baz }/d}"
 	invalidTmpl2 = "{{ !foobar }}"
 )
@@ -39,7 +39,7 @@ func TestParseTemplate(t *testing.T) {
 		{
 			template: validTmpl,
 			data: struct{ ImageRepository, Arch string }{
-				ImageRepository: "gcr.io/google_containers",
+				ImageRepository: "k8s.gcr.io",
 				Arch:            "amd64",
 			},
 			output:      validTmplOut,
@@ -49,7 +49,7 @@ func TestParseTemplate(t *testing.T) {
 		{
 			template: doNothing,
 			data: struct{ ImageRepository, Arch string }{
-				ImageRepository: "gcr.io/google_containers",
+				ImageRepository: "k8s.gcr.io",
 				Arch:            "amd64",
 			},
 			output:      doNothing,

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/token/BUILD

@@ -9,8 +9,7 @@ load(
 go_test(
     name = "go_default_test",
     srcs = ["tokens_test.go"],
-    importpath = "k8s.io/kubernetes/cmd/kubeadm/app/util/token",
-    library = ":go_default_library",
+    embed = [":go_default_library"],
     deps = ["//cmd/kubeadm/app/apis/kubeadm:go_default_library"],
 )
 

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/token/tokens.go

@@ -17,8 +17,8 @@ limitations under the License.
 package token
 
 import (
+	"bufio"
 	"crypto/rand"
-	"encoding/hex"
 	"fmt"
 	"regexp"
 
@@ -27,9 +27,9 @@ import (
 
 const (
 	// TokenIDBytes defines a number of bytes used for a token id
-	TokenIDBytes = 3
+	TokenIDBytes = 6
 	// TokenSecretBytes defines a number of bytes used for a secret
-	TokenSecretBytes = 8
+	TokenSecretBytes = 16
 )
 
 var (
@@ -43,13 +43,35 @@ var (
 	TokenRegexp = regexp.MustCompile(TokenRegexpString)
 )
 
+const validBootstrapTokenChars = "0123456789abcdefghijklmnopqrstuvwxyz"
+
 func randBytes(length int) (string, error) {
-	b := make([]byte, length)
-	_, err := rand.Read(b)
-	if err != nil {
-		return "", err
+	// len("0123456789abcdefghijklmnopqrstuvwxyz") = 36 which doesn't evenly divide
+	// the possible values of a byte: 256 mod 36 = 4. Discard any random bytes we
+	// read that are >= 252 so the bytes we evenly divide the character set.
+	const maxByteValue = 252
+
+	var (
+		b     byte
+		err   error
+		token = make([]byte, length)
+	)
+
+	reader := bufio.NewReaderSize(rand.Reader, length*2)
+	for i := range token {
+		for {
+			if b, err = reader.ReadByte(); err != nil {
+				return "", err
+			}
+			if b < maxByteValue {
+				break
+			}
+		}
+
+		token[i] = validBootstrapTokenChars[int(b)%len(validBootstrapTokenChars)]
 	}
-	return hex.EncodeToString(b), nil
+
+	return string(token), nil
 }
 
 // GenerateToken generates a new token with a token ID that is valid as a

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/token/tokens_test.go

@@ -147,8 +147,8 @@ func TestRandBytes(t *testing.T) {
 		if err != nil {
 			t.Errorf("failed randBytes: %v", err)
 		}
-		if len(actual) != rt*2 {
-			t.Errorf("failed randBytes:\n\texpected: %d\n\t  actual: %d\n", rt*2, len(actual))
+		if len(actual) != rt {
+			t.Errorf("failed randBytes:\n\texpected: %d\n\t  actual: %d\n", rt, len(actual))
 		}
 	}
 }

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/version.go

@@ -22,6 +22,8 @@ import (
 	"net/http"
 	"regexp"
 	"strings"
+
+	netutil "k8s.io/apimachinery/pkg/util/net"
 )
 
 var (
@@ -131,7 +133,8 @@ func splitVersion(version string) (string, string, error) {
 
 // Internal helper: return content of URL
 func fetchFromURL(url string) (string, error) {
-	resp, err := http.Get(url)
+	client := &http.Client{Transport: netutil.SetOldTransportDefaults(&http.Transport{})}
+	resp, err := client.Get(url)
 	if err != nil {
 		return "", fmt.Errorf("unable to get URL %q: %s", url, err.Error())
 	}

vendor/k8s.io/kubernetes/cmd/kubeadm/app/util/version_test.go

@@ -187,7 +187,7 @@ func TestSplitVersion(t *testing.T) {
 		// unknown area, not valid input.
 		{"unknown/latest-1", "", "", false},
 	}
-	// kubeReleaseBucketURL can be overriden during network tests, thus ensure
+	// kubeReleaseBucketURL can be overridden during network tests, thus ensure
 	// it will contain value corresponding to expected outcome for this unit test
 	kubeReleaseBucketURL = "https://dl.k8s.io"