Merge pull request #5841 from gambol99/node_authorizer_directory

Node Authorizer Fixes
kubernetes · Sep 28, 2018 · edf4a70 · edf4a70
2 parents 1202235 + 90c48a7
commit edf4a70
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 29 deletions.
diff --git a/node-authorizer/cmd/node-authorizer/BUILD.bazel b/node-authorizer/cmd/node-authorizer/BUILD.bazel
@@ -14,6 +14,7 @@ go_library(
         "//node-authorizer/pkg/authorizers/aws:go_default_library",
         "//node-authorizer/pkg/client:go_default_library",
         "//node-authorizer/pkg/server:go_default_library",
+        "//node-authorizer/pkg/utils:go_default_library",
         "//vendor/github.com/urfave/cli:go_default_library",
     ],
 )

diff --git a/node-authorizer/cmd/node-authorizer/server.go b/node-authorizer/cmd/node-authorizer/server.go
@@ -24,6 +24,7 @@ import (
 	"k8s.io/kops/node-authorizer/pkg/authorizers/alwaysallow"
 	"k8s.io/kops/node-authorizer/pkg/authorizers/aws"
 	"k8s.io/kops/node-authorizer/pkg/server"
+	"k8s.io/kops/node-authorizer/pkg/utils"
 
 	"github.com/urfave/cli"
 )
@@ -90,6 +91,12 @@ func addServerCommand() cli.Command {
 				EnvVar: "CLIENT_COMMON_NAME",
 				Value:  "node-authorizer-client",
 			},
+			cli.DurationFlag{
+				Name:   "certificate-ttl",
+				Usage:  "check the certificates exist and if not wait for x period `DURATION`",
+				EnvVar: "CERTIFICATE_TTL",
+				Value:  10 * time.Minute,
+			},
 			cli.DurationFlag{
 				Name:   "authorization-timeout",
 				Usage:  "max time permitted for a authorization `DURATION`",
@@ -122,6 +129,16 @@ func actionServerCommand(ctx *cli.Context) error {
 	if ctx.String("authorizer") == "" {
 		return errors.New("no authorizer specified")
 	}
+
+	// @step: should we wait for the certificates to appear
+	if ctx.Duration("certificate-ttl") > 0 {
+		var files = []string{ctx.String("tls-cert"), ctx.String("tls-client-ca"), ctx.String("tls-private-key")}
+		var timeout = ctx.Duration("certificate-ttl")
+		if err := waitForCertificates(files, timeout); err != nil {
+			return err
+		}
+	}
+
 	// @step: create the authorizers
 	auth, err := createAuthorizer(ctx.String("authorizer"), config)
 	if err != nil {
@@ -136,6 +153,38 @@ func actionServerCommand(ctx *cli.Context) error {
 	return svc.Run()
 }
 
+// waitForCertificates is responsible for waiting for the certificates to appear
+func waitForCertificates(files []string, timeout time.Duration) error {
+	doneCh := make(chan struct{}, 0)
+
+	go func() {
+		expires := time.Now().Add(timeout)
+
+		// @step: iterate the file we are looking for
+		for _, x := range files {
+			if x == "" {
+				continue
+			}
+			// @step: iterate until we find the file
+			for {
+				if utils.FileExists(x) {
+					break
+				}
+				fmt.Printf("waiting for file: %s to appear, timeouts in %s\n", x, expires.Sub(time.Now()))
+				time.Sleep(5 * time.Second)
+			}
+		}
+		doneCh <- struct{}{}
+	}()
+
+	select {
+	case <-doneCh:
+		return nil
+	case <-time.After(timeout):
+		return fmt.Errorf("unable to find the certificates after %s timeout", timeout)
+	}
+}
+
 // createAuthorizer creates and returns a authorizer
 func createAuthorizer(name string, config *server.Config) (server.Authorizer, error) {
 	switch name {

diff --git a/node-authorizer/pkg/utils/misc.go b/node-authorizer/pkg/utils/misc.go
@@ -19,6 +19,7 @@ package utils
 import (
 	crypto_rand "crypto/rand"
 	"encoding/hex"
+	"os"
 
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
@@ -34,6 +35,15 @@ func GetKubernetesClient() (kubernetes.Interface, error) {
 	return kubernetes.NewForConfig(config)
 }
 
+// FileExists checks if the file exists
+func FileExists(filename string) bool {
+	if _, err := os.Stat(filename); err != nil {
+		return false
+	}
+
+	return true
+}
+
 // RandomBytes generates some random bytes
 func RandomBytes(length int) (string, error) {
 	b := make([]byte, length)

diff --git a/pkg/model/components/node-authorizer/options.go b/pkg/model/components/node-authorizer/options.go
@@ -100,5 +100,5 @@ func GetNodeAuthorizerImage() string {
 		return v
 	}
 
-	return "quay.io/gambol99/node-authorizer:v0.0.1@sha256:3ff243f5af76a73b6faaa6a0b0be8e3882dd1e7ffea6bacda9bede2273446059"
+	return "quay.io/gambol99/node-authorizer:v0.0.2@sha256:78c20c69187d3098e196e2b645d0571aeef377adc5cbd89684023ec668306268"
 }
diff --git a/upup/models/cloudup/resources/addons/node-authorizer.addons.k8s.io/k8s-1.10.yaml.template b/upup/models/cloudup/resources/addons/node-authorizer.addons.k8s.io/k8s-1.10.yaml.template
@@ -147,44 +147,30 @@ spec:
         - name: config
           hostPath:
             path: /srv/kubernetes/node-authorizer
-            type: Directory
+            type: DirectoryOrCreate
       containers:
         - name: {{ $name }}
           image: {{ $na.Image }}
           args:
-          - server
-          - --authorization-timeout={{ $na.Timeout.Duration }}
-          - --authorizer={{ $na.Authorizer }}
-          - --cluster-name={{ ClusterName }}
-          {{- range $na.Features }}
-          - --feature={{ . }}
-          {{- end }}
-          - --listen=0.0.0.0:{{ $na.Port }}
-          - --tls-cert=/config/tls.pem
-          - --tls-client-ca=/config/ca.pem
-          - --tls-private-key=/config/tls-key.pem
-          - --token-ttl={{ $na.TokenTTL.Duration }}
+            - server
+            - --authorization-timeout={{ $na.Timeout.Duration }}
+            - --authorizer={{ $na.Authorizer }}
+            - --cluster-name={{ ClusterName }}
+            {{- range $na.Features }}
+            - --feature={{ . }}
+            {{- end }}
+            - --listen=0.0.0.0:{{ $na.Port }}
+            - --tls-cert=/config/tls.pem
+            - --tls-client-ca=/config/ca.pem
+            - --tls-private-key=/config/tls-key.pem
+            - --token-ttl={{ $na.TokenTTL.Duration }}
           resources:
             limits:
               cpu: 100m
               memory: 64Mi
             requests:
               cpu: 10m
               memory: 10Mi
-          livenessProbe:
-            httpGet:
-              path: /health
-              port: {{ $na.Port }}
-              scheme: HTTPS
-            periodSeconds: 10
-            initialDelaySeconds: 10
-            failureThreshold: 5
-          readinessProbe:
-            httpGet:
-              path: /health
-              port: {{ $na.Port }}
-              scheme: HTTPS
-            periodSeconds: 10
           volumeMounts:
             - mountPath: /config
               readOnly: true

diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@@ -150,7 +150,7 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri
 	if b.cluster.Spec.NodeAuthorization != nil {
 		{
 			key := "node-authorizer.addons.k8s.io"
-			version := "v0.0.1"
+			version := "v0.0.2"
 
 			{
 				location := key + "/k8s-1.10.yaml"