stop creating secrets for dns, it uses the kube-system service account now

cluster/gce/configure-vm.sh

@@ -585,7 +585,7 @@ function create-salt-master-auth() {
     # NB: If this list ever changes, this script actually has to
     # change to detect the existence of this file, kill any deleted
     # old tokens and add any new tokens (to handle the upgrade case).
-    local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns")
+    local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring")
     for account in "${service_accounts[@]}"; do
       token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
       echo "${token},${account},${account}" >> "${KNOWN_TOKENS_FILE}"

cluster/gce/coreos/configure-node.sh

@@ -256,7 +256,7 @@ function create-salt-master-auth() {
     # NB: If this list ever changes, this script actually has to
     # change to detect the existence of this file, kill any deleted
     # old tokens and add any new tokens (to handle the upgrade case).
-    local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns")
+    local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring")
     for account in "${service_accounts[@]}"; do
       token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
       echo "${token},${account},${account}" >> "${KNOWN_TOKENS_FILE}"

cluster/gce/trusty/configure-helper.sh

@@ -309,7 +309,6 @@ create_master_auth() {
     add_token_entry "system:controller_manager" "${known_tokens_csv}"
     add_token_entry "system:logging" "${known_tokens_csv}"
     add_token_entry "system:monitoring" "${known_tokens_csv}"
-    add_token_entry "system:dns" "${known_tokens_csv}"
   fi
 
   if [ -n "${PROJECT_ID:-}" ] && [ -n "${TOKEN_URL:-}" ] && [ -n "${TOKEN_BODY:-}" ] && [ -n "${NODE_NETWORK:-}" ]; then

cluster/saltbase/salt/kube-addons/kube-addons.sh

@@ -22,7 +22,6 @@ KUBECTL=${KUBECTL_BIN:-/usr/local/bin/kubectl}
 ADDON_CHECK_INTERVAL_SEC=${TEST_ADDON_CHECK_INTERVAL_SEC:-600}
 
 SYSTEM_NAMESPACE=kube-system
-token_dir=${TOKEN_DIR:-/srv/kubernetes}
 trusty_master=${TRUSTY_MASTER:-false}
 
 function ensure_python() {
@@ -35,72 +34,6 @@ function ensure_python() {
   fi
 }
 
-function create-kubeconfig-secret() {
-  local -r token=$1
-  local -r username=$2
-  local -r server=$3
-  local -r safe_username=$(tr -s ':_' '--' <<< "${username}")
-
-  # Make a kubeconfig file with the token.
-  if [[ ! -z "${CA_CERT:-}" ]]; then
-    # If the CA cert is available, put it into the secret rather than using
-    # insecure-skip-tls-verify.
-    read -r -d '' kubeconfig <<EOF
-apiVersion: v1
-kind: Config
-users:
-- name: ${username}
-  user:
-    token: ${token}
-clusters:
-- name: local
-  cluster:
-     server: ${server}
-     certificate-authority-data: ${CA_CERT}
-contexts:
-- context:
-    cluster: local
-    user: ${username}
-    namespace: ${SYSTEM_NAMESPACE} 
-  name: service-account-context
-current-context: service-account-context
-EOF
-  else
-    read -r -d '' kubeconfig <<EOF
-apiVersion: v1
-kind: Config
-users:
-- name: ${username}
-  user:
-    token: ${token}
-clusters:
-- name: local
-  cluster:
-     server: ${server}
-     insecure-skip-tls-verify: true
-contexts:
-- context:
-    cluster: local
-    user: ${username}
-    namespace: ${SYSTEM_NAMESPACE}
-  name: service-account-context
-current-context: service-account-context
-EOF
-  fi
-
-  local -r kubeconfig_base64=$(echo "${kubeconfig}" | base64 -w0)
-  read -r -d '' secretyaml <<EOF
-apiVersion: v1
-data:
-  kubeconfig: ${kubeconfig_base64}
-kind: Secret
-metadata:
-  name: token-${safe_username}
-type: Opaque
-EOF
-  create-resource-from-string "${secretyaml}" 100 10 "Secret-for-token-for-user-${username}" "${SYSTEM_NAMESPACE}" &
-}
-
 # $1 filename of addon to start.
 # $2 count of tries to start the addon.
 # $3 delay in seconds between two consecutive tries
@@ -196,29 +129,6 @@ done
 
 echo "== default service account in the ${SYSTEM_NAMESPACE} namespace has token ${token_found} =="
 
-# Generate secrets for "internal service accounts".
-# TODO(etune): move to a completely yaml/object based
-# workflow so that service accounts can be created
-# at the same time as the services that use them.
-# NOTE: needs to run as root to read this file.
-# Read each line in the csv file of tokens.
-# Expect errors when the script is started again.
-# NOTE: secrets are created asynchronously, in background.
-while read line; do
-  # Split each line into the token and username.
-  IFS=',' read -a parts <<< "${line}"
-  token=${parts[0]}
-  username=${parts[1]}
-  # DNS is special, since it's necessary for cluster bootstrapping.
-  if [[ "${username}" == "system:dns" ]] && [[ ! -z "${KUBERNETES_MASTER_NAME:-}" ]]; then
-    create-kubeconfig-secret "${token}" "${username}" "https://${KUBERNETES_MASTER_NAME}"
-  else
-    # Set the server to https://kubernetes. Pods/components that
-    # do not have DNS available will have to override the server.
-    create-kubeconfig-secret "${token}" "${username}" "https://kubernetes.default"
-  fi
-done < "${token_dir}/known_tokens.csv"
-
 # Create admission_control objects if defined before any other addon services. If the limits
 # are defined in a namespace other than default, we should still create the limits for the
 # default namespace.