const BootstrapUser … // RetrieveValidatedConfigInfo connects to the API Server and fetches the cluster-info ConfigMap. // It then decides whether the API Server can be trusted by checking the JWS-signed tokens and (if CACertHashes is not empty) // validating the cluster CA against a set of pinned public keys. // NOTE(review): as described here, an empty CACertHashes means no CA pinning is performed and trust rests on the JWS check alone; confirm callers treat that as an explicit opt-out. func RetrieveValidatedConfigInfo(dryRunClient clientset.Interface, cfg *kubeadmapi.Discovery, timeout time.Duration) (*clientcmdapi.Config, error) { … } // retrieveValidatedConfigInfo is the private implementation behind RetrieveValidatedConfigInfo. // It accepts an optional clientset that can be used for testing purposes. // NOTE(review): the effect of isDryRun and isTesting is not visible here; confirm that neither flag can relax validation during a real join. func retrieveValidatedConfigInfo(client clientset.Interface, cfg *kubeadmapi.Discovery, interval, timeout time.Duration, isDryRun, isTesting bool) (*clientcmdapi.Config, error) { … } // BuildInsecureBootstrapKubeConfig makes a kubeconfig object that connects insecurely to the API Server for bootstrapping purposes. // NOTE(review): the body is not shown; "insecurely" presumably means the server certificate is not verified, so anything fetched through this config should be treated as unauthenticated until it passes validateClusterInfoToken and validateClusterCA (confirm). func BuildInsecureBootstrapKubeConfig(endpoint string) *clientcmdapi.Config { … } // buildSecureBootstrapKubeConfig makes a kubeconfig object that connects securely to the API Server for bootstrapping purposes, validating the server with the specified CA (caCert). func buildSecureBootstrapKubeConfig(endpoint string, caCert []byte, clustername string) *clientcmdapi.Config { … } // validateClusterInfoToken checks the JWS token present in the cluster-info ConfigMap, presumably using the given bootstrap token (confirm). // The ConfigMap parameter is named insecureClusterInfo, which suggests it was fetched before the server was trusted; the returned []byte is presumably the validated kubeconfig payload (TODO confirm). func validateClusterInfoToken(insecureClusterInfo *v1.ConfigMap, token *bootstraptokenv1.BootstrapTokenString) ([]byte, error) { … } // validateClusterCA validates the cluster CA found in the insecure kubeconfig; it takes the pinned public key set as pubKeyPins. // The returned []byte is presumably the CA certificate that was validated (TODO confirm). func validateClusterCA(insecureConfig *clientcmdapi.Config, pubKeyPins *pubkeypin.Set) ([]byte, error) { … } // getClusterInfo requests the cluster-info ConfigMap with the provided client. // NOTE(review): interval and duration presumably control retry polling and its overall time limit (confirm).
func getClusterInfo(client clientset.Interface, cfg *kubeadmapi.Discovery, interval, duration time.Duration, dryRun bool) (*v1.ConfigMap, error) { … } // mutateTokenDiscoveryForDryRun mutates the JoinConfiguration.Discovery so that it includes a dry-run token, // CA cert hash and fake API server endpoint that comply with the fake "cluster-info" ConfigMap // returned by the dry-run reactor. The information here should be kept in sync with what the GetClusterInfoReactor() // dry-run reactor does. func mutateTokenDiscoveryForDryRun(cfg *kubeadmapi.Discovery) { … }