Automatic merge from submit-queue (batch tested with PRs 38101, 41431, 39606, 41569, 41509)
kubeadm: Reorder the token packages more logically
**What this PR does / why we need it**:
In order to be able to implement https://github.com/kubernetes/kubernetes/pull/41417, the token functionality (which now is spread across the codebase), should be in two places: a generic token functions library, which in the future _may_ [move into client-go](https://github.com/kubernetes/kubernetes/pull/41281#discussion_r101357106) in some form, and a package for the token handling against the api server.
This commit has no large functional changes.
```
kubeadm: Aggregate the token functionality in sane packages.
- Factor out token constants to kubeadmconstants.
- Move cmd/kubeadm/app/util/{,token/}tokens.go
- Use the token-id, token-secret, etc constants provided by the bootstrapapi package
- Move cmd/kubeadm/app/master/tokens.go to cmd/kubeadm/app/phases/token/csv.go
This refactor basically makes it possible to hook up kubeadm to the BootstrapSigner controller later on
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@mikedanese @pires @errordeveloper @dmmcquay @jbeda @GheRivero
Automatic merge from submit-queue (batch tested with PRs 41505, 41484, 41544, 41514, 41022)
add front proxy to kubeadm created kube-apiservers
The front proxy authenticator configuration has been in a release or two. It allows a front proxy (secured by mutual TLS auth) to provide user information for a request. The kube-aggregator uses this to securely terminate authentication (has to terminate TLS and thus client-certs) and communicate user info to backing API servers.
Since the kube-apiserver always verifies the front-proxy via a client certificate, this isn't open for abuse unless you already have access to either the signing key or client cert which kubeadm creates locally. If you got there, you already owned the box. Therefore, this adds the authenticator unconditionally.
@luxas Are there e2e tests for `kubeadm`?
@liggitt @kubernetes/sig-auth-misc
- Factor out token constants to kubeadmconstants.
- Move cmd/kubeadm/app/util/{,token/}tokens.go
- Use the token-id, token-secret, etc constants provided by the bootstrapapi package
- Move cmd/kubeadm/app/master/tokens.go to cmd/kubeadm/app/phases/token/csv.go
This refactor basically makes it possible to hook up kubeadm to the BootstrapSigner controller later on
Automatic merge from submit-queue (batch tested with PRs 41466, 41456, 41550, 41238, 41416)
add check to authorization config
Prompt user to create the config when using abac/webhook.
