- adding the waitForCertificates method to wait for the certificates to arrive (this fixes the rollout on a in-place cluster)

2018-09-18 10:59:04 +01:00 · 2018-09-18 10:59:04 +01:00 · 8c11ecf108
parent 16904444b4
commit 8c11ecf108
3 changed files with 71 additions and 12 deletions
--- a/node-authorizer/cmd/node-authorizer/server.go
+++ b/node-authorizer/cmd/node-authorizer/server.go
@ -25,6 +25,7 @@ import (
 	"k8s.io/kops/node-authorizer/pkg/authorizers/aws"
 	"k8s.io/kops/node-authorizer/pkg/server"

+	"github.com/gambol99/aws-sso/pkg/utils"
 	"github.com/urfave/cli"
 )

@ -90,6 +91,12 @@ func addServerCommand() cli.Command {
 				EnvVar: "CLIENT_COMMON_NAME",
 				Value:  "node-authorizer-client",
 			},
+			cli.DurationFlag{
+				Name:   "certificate-ttl",
+				Usage:  "check the certificates exist and if not wait for x period `DURATION`",
+				EnvVar: "CERTIFICATE_TTL",
+				Value:  10 * time.Minute,
+			},
 			cli.DurationFlag{
 				Name:   "authorization-timeout",
 				Usage:  "max time permitted for a authorization `DURATION`",
@ -122,6 +129,16 @@ func actionServerCommand(ctx *cli.Context) error {
 	if ctx.String("authorizer") == "" {
 		return errors.New("no authorizer specified")
 	}
+
+	// @step: should we wait for the certificates to appear
+	if ctx.Duration("certificate-ttl") > 0 {
+		var files = []string{ctx.String("tls-cert"), ctx.String("tls-client-ca"), ctx.String("tls-private-key")}
+		var timeout = ctx.Duration("certificate-ttl")
+		if err := waitForCertificates(files, timeout); err != nil {
+			return err
+		}
+	}
+
 	// @step: create the authorizers
 	auth, err := createAuthorizer(ctx.String("authorizer"), config)
 	if err != nil {
@ -136,6 +153,38 @@ func actionServerCommand(ctx *cli.Context) error {
 	return svc.Run()
 }

+// waitForCertificates is responisble for waiting for the certificates to appear
+func waitForCertificates(files []string, timeout time.Duration) error {
+	doneCh := make(chan struct{}, 0)
+
+	go func() {
+		expires := time.Now().Add(timeout)
+
+		// @step: iterate the file we are looking for
+		for _, x := range files {
+			if x == "" {
+				continue
+			}
+			// @step: iterate until we find the file
+			for {
+				if utils.FileExists(x) {
+					break
+				}
+				fmt.Printf("waiting for file: %s to appear, timeouts in %s", x, expires.Sub(time.Now()))
+				time.Sleep(5 * time.Second)
+			}
+		}
+		doneCh <- struct{}{}
+	}()
+
+	select {
+	case <-doneCh:
+		return nil
+	case <-time.After(timeout):
+		return fmt.Errorf("unable to find the certificates after %s timeout", timeout)
+	}
+}
+
 // createAuthorizer creates and returns a authorizer
 func createAuthorizer(name string, config *server.Config) (server.Authorizer, error) {
 	switch name {
--- a/node-authorizer/pkg/utils/misc.go
+++ b/node-authorizer/pkg/utils/misc.go
@ -19,6 +19,7 @@ package utils
 import (
 	crypto_rand "crypto/rand"
 	"encoding/hex"
+	"os"

 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
@ -34,6 +35,15 @@ func GetKubernetesClient() (kubernetes.Interface, error) {
 	return kubernetes.NewForConfig(config)
 }

+// FileExists checks if the file exists
+func FileExists(filename string) bool {
+	if _, err := os.Stat(filename); !os.IsNotExist(err) {
+		return true
+	}
+
+	return false
+}
+
 // RandomBytes generates some random bytes
 func RandomBytes(length int) (string, error) {
 	b := make([]byte, length)
--- a/upup/models/cloudup/resources/addons/node-authorizer.addons.k8s.io/k8s-1.10.yaml.template
+++ b/upup/models/cloudup/resources/addons/node-authorizer.addons.k8s.io/k8s-1.10.yaml.template
@ -152,18 +152,18 @@ spec:
        - name: {{ $name }}
          image: {{ $na.Image }}
          args:
-          - server
-          - --authorization-timeout={{ $na.Timeout.Duration }}
-          - --authorizer={{ $na.Authorizer }}
-          - --cluster-name={{ ClusterName }}
-          {{- range $na.Features }}
-          - --feature={{ . }}
-          {{- end }}
-          - --listen=0.0.0.0:{{ $na.Port }}
-          - --tls-cert=/config/tls.pem
-          - --tls-client-ca=/config/ca.pem
-          - --tls-private-key=/config/tls-key.pem
-          - --token-ttl={{ $na.TokenTTL.Duration }}
+            - server
+            - --authorization-timeout={{ $na.Timeout.Duration }}
+            - --authorizer={{ $na.Authorizer }}
+            - --cluster-name={{ ClusterName }}
+            {{- range $na.Features }}
+            - --feature={{ . }}
+            {{- end }}
+            - --listen=0.0.0.0:{{ $na.Port }}
+            - --tls-cert=/config/tls.pem
+            - --tls-client-ca=/config/ca.pem
+            - --tls-private-key=/config/tls-key.pem
+            - --token-ttl={{ $na.TokenTTL.Duration }}
          resources:
            limits:
              cpu: 100m