From 8fefc4ff38c5b35ab1b6079c8d5d1a7eddca5797 Mon Sep 17 00:00:00 2001
From: "Dr. Stefan Schimanski"
Date: Thu, 8 Dec 2016 15:18:14 +0100
Subject: [PATCH 1/3] Do not use cfssl in Docker, but directly
---
 hack/local-up-cluster.sh | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index 0d4752070222..f12cf49bfc89 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -147,6 +147,14 @@ function test_docker {
 fi
 }
+function test_cfssl_installed {
+ if ! command -v cfssl &>/dev/null || ! command -v cfssljson &>/dev/null; then
+ echo "Failed to successfully run 'cfssl', please verify that cfssl and cfssljson are in \$PATH."
+ echo "Hint: export PATH=\$PATH:\$GOPATH/bin; go get -u github.com/cloudflare/cfssl/cmd/..."
+ exit 1
+ fi
+ }
+
 function test_rkt {
 if [[ -n "${RKT_PATH}" ]]; then
 ${RKT_PATH} list 2> /dev/null 1> /dev/null
@@ -359,11 +367,12 @@ function create_client_certkey {
 SEP=","
 shift 1
 done
- echo "{\"CN\":\"${CN}\",\"names\":[${NAMES}],\"hosts\":[\"\"],\"key\":{\"algo\":\"rsa\",\"size\":2048}}" | docker run -i --entrypoint /bin/bash -v "${CERT_DIR}:/certs" -w /certs cfssl/cfssl:latest -ec "cfssl gencert -ca=${CA}.crt -ca-key=${CA}.key -config=client-ca-config.json - | cfssljson -bare client-${ID}" ${CONTROLPLANE_SUDO} /bin/bash -e < Date: Thu, 8 Dec 2016 15:18:27 +0100
Subject: [PATCH 2/3] Fix startup of discovery server
---
 hack/local-up-cluster.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index f12cf49bfc89..7ba9b7b71fed 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
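Review bot: The install hint in the second `echo` of `test_cfssl_installed`, `go get -u github.com/cloudflare/cfssl/cmd/...`, pulls whatever upstream HEAD is at the time for the binary that will mint this local cluster's CA and client keys; the `cfssl/cfssl:latest` image the commit removes was equally unpinned, so this is not a regression, but a comment above the function such as `# cfssl/cfssljson generate the cluster CA and client certs; prefer a release build over an unpinned 'go get -u'` would record the trade-off. Both diagnostics are also written to stdout; as failure messages they belong on stderr, i.e. `echo "..." >&2` on each, so they survive when the script's output is piped. The function is complete in this hunk, but its call site is not visible, so it cannot be confirmed from the diff that it runs before certificates are generated; `test_rkt` continues past the end of the hunk, and the following `create_client_certkey` hunk is cut off in this view.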
@@ -528,7 +528,7 @@ function start_discovery {
 DISCOVERY_SERVER_LOG=/tmp/kubernetes-discovery.log
 ${CONTROLPLANE_SUDO} "${GO_OUT}/kubernetes-discovery" \
 --cert-dir="${CERT_DIR}" \
- --client-ca-file="${CERT_DIR}/client-ca-bundle.crt" \
+ --client-ca-file="${CERT_DIR}/client-ca.crt" \
 --authentication-kubeconfig="${CERT_DIR}/discovery-auth.kubeconfig" \
 --authorization-kubeconfig="${CERT_DIR}/discovery-auth.kubeconfig" \
 --requestheader-username-headers=X-Remote-User \
From 983fc20eba9f2621e505e96a5caf35cbe95f9e79 Mon Sep 17 00:00:00 2001
From: xilabao
Date: Thu, 8 Dec 2016 13:16:19 +0800
Subject: [PATCH 3/3] Be more defensive during kubernetes discovery server start
---
 hack/local-up-cluster.sh | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index 7ba9b7b71fed..3bfa19bb4be0 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -523,7 +523,17 @@ function start_discovery {
 write_client_kubeconfig discovery-auth
 # grant permission to run delegated authentication and authorization checks
- kubectl create clusterrolebinding discovery:system:auth-delegator --clusterrole=system:auth-delegator --user=system:discovery-auth
+ if [[ "${ENABLE_RBAC}" = true ]]; then
+ ${KUBECTL} ${AUTH_ARGS} create clusterrolebinding discovery:system:auth-delegator --clusterrole=system:auth-delegator --user=system:discovery-auth
+ fi
+
+ curl --silent -k -g $API_HOST:$DISCOVERY_SECURE_PORT
+ if [ ! $? -eq 0 ]; then
+ echo "Kubernetes Discovery secure port is free, proceeding..."
+ else
+ echo "ERROR starting Kubernetes Discovery, exiting. Some process on $API_HOST is serving already on $DISCOVERY_SECURE_PORT"
+ return
+ fi
 DISCOVERY_SERVER_LOG=/tmp/kubernetes-discovery.log
 ${CONTROLPLANE_SUDO} "${GO_OUT}/kubernetes-discovery" \
@@ -758,6 +768,7 @@ Logs:
 ${CTLRMGR_LOG:-}
 ${PROXY_LOG:-}
 ${SCHEDULER_LOG:-}
+ ${DISCOVERY_SERVER_LOG:-}
 EOF
 fi
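Review bot: The port-in-use branch added to `start_discovery` ends with a bare `return`, which hands back the status of the preceding `echo` (0), so the caller sees success and carries on as though the discovery server had been launched even though the function bailed out before starting it; the message itself says "exiting", so `return 1` (or `exit 1`) is what the branch needs for the failure to propagate. The probe `curl --silent -k -g $API_HOST:$DISCOVERY_SECURE_PORT` leaves both expansions unquoted and lets any response body reach stdout; folding it into the test as `if ! curl --silent -k -g -o /dev/null "${API_HOST}:${DISCOVERY_SECURE_PORT}"; then` fixes both and removes the `$?` juggling. Note that `-k` is acceptable here only because this is a liveness probe rather than a trust decision, and that a scheme-less request to a TLS listener may itself fail with a curl error, in which case this check would presumably report the port as free while something is already bound to it. `start_discovery` continues past the end of the hunk, so the code that launches the server after this check is not visible here.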