- adding the waitForCertificates method to wait for the certificates to arrive (this fixes the rollout on an in-place cluster)

This commit is contained in:
Rohith 2018-09-18 10:59:04 +01:00
parent 16904444b4
commit 8c11ecf108
3 changed files with 71 additions and 12 deletions


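--- a/<path-not-shown-on-page-1>
+++ b/<path-not-shown-on-page-1>
@@ -25,6 +25,7 @@ import (
 "k8s.io/kops/node-authorizer/pkg/authorizers/aws"
 "k8s.io/kops/node-authorizer/pkg/server"
+"github.com/gambol99/aws-sso/pkg/utils"
 "github.com/urfave/cli"
 )
@@ -90,6 +91,12 @@ func addServerCommand() cli.Command {
 EnvVar: "CLIENT_COMMON_NAME",
 Value: "node-authorizer-client",
 },
+cli.DurationFlag{
+Name: "certificate-ttl",
+Usage: "check the certificates exist and if not wait for x period `DURATION`",
+EnvVar: "CERTIFICATE_TTL",
+Value: 10 * time.Minute,
+},
 cli.DurationFlag{
 Name: "authorization-timeout",
 Usage: "max time permitted for a authorization `DURATION`",
@@ -122,6 +129,16 @@ func actionServerCommand(ctx *cli.Context) error {
 if ctx.String("authorizer") == "" {
 return errors.New("no authorizer specified")
 }
+// @step: should we wait for the certificates to appear
+if ctx.Duration("certificate-ttl") > 0 {
+var files = []string{ctx.String("tls-cert"), ctx.String("tls-client-ca"), ctx.String("tls-private-key")}
+var timeout = ctx.Duration("certificate-ttl")
+if err := waitForCertificates(files, timeout); err != nil {
+return err
+}
+}
 // @step: create the authorizers
 auth, err := createAuthorizer(ctx.String("authorizer"), config)
 if err != nil {
@@ -136,6 +153,38 @@ func actionServerCommand(ctx *cli.Context) error {
 return svc.Run()
 }
+// waitForCertificates is responisble for waiting for the certificates to appear
+func waitForCertificates(files []string, timeout time.Duration) error {
+doneCh := make(chan struct{}, 0)
+go func() {
+expires := time.Now().Add(timeout)
+// @step: iterate the file we are looking for
+for _, x := range files {
+if x == "" {
+continue
+}
+// @step: iterate until we find the file
+for {
+if utils.FileExists(x) {
+break
+}
+fmt.Printf("waiting for file: %s to appear, timeouts in %s", x, expires.Sub(time.Now()))
+time.Sleep(5 * time.Second)
+}
+}
+doneCh <- struct{}{}
+}()
+select {
+case <-doneCh:
+return nil
+case <-time.After(timeout):
+return fmt.Errorf("unable to find the certificates after %s timeout", timeout)
+}
+}
 // createAuthorizer creates and returns a authorizer
 func createAuthorizer(name string, config *server.Config) (server.Authorizer, error) {
 switch name {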
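Review bot: waitForCertificates (hunk at -136,6 +153,38) leaks its polling goroutine on timeout: `doneCh` is unbuffered and the goroutine never observes the `time.After(timeout)` branch, so after the select returns the error it keeps calling `utils.FileExists` every 5 s and then blocks forever on `doneCh <- struct{}{}`. The wait can be done on the calling goroutine with the deadline checked inside the poll loop, which removes the channel and the goroutine entirely; the same rewrite gives the `fmt.Printf` its missing `\n` (the messages currently run together on one line) and fixes the `responisble` typo in the doc comment. Worth stating in that comment that the function only proves the files are present, not that they are complete or valid; a certificate still being written is accepted here and fails later at TLS load time. createAuthorizer's body continues outside the hunk.
```go
// waitForCertificates blocks until every non-empty path in files exists, or
// returns an error once timeout has elapsed. It polls every 5s, so it may
// overshoot the timeout by up to one interval. Presence is all it checks: a
// file that is still being written is accepted and fails later at TLS load.
func waitForCertificates(files []string, timeout time.Duration) error {
	deadline := time.Now().Add(timeout)
	for _, x := range files {
		if x == "" {
			continue
		}
		for !utils.FileExists(x) {
			if !time.Now().Before(deadline) {
				return fmt.Errorf("unable to find the certificates after %s timeout", timeout)
			}
			fmt.Printf("waiting for file: %s to appear, timeouts in %s\n", x, deadline.Sub(time.Now()))
			time.Sleep(5 * time.Second)
		}
	}
	return nil
}
```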


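--- a/<path-not-shown-on-page-2>
+++ b/<path-not-shown-on-page-2>
@@ -19,6 +19,7 @@ package utils
 import (
 crypto_rand "crypto/rand"
 "encoding/hex"
+"os"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
@@ -34,6 +35,15 @@ func GetKubernetesClient() (kubernetes.Interface, error) {
 return kubernetes.NewForConfig(config)
 }
+// FileExists checks if the file exists
+func FileExists(filename string) bool {
+if _, err := os.Stat(filename); !os.IsNotExist(err) {
+return true
+}
+return false
+}
 // RandomBytes generates some random bytes
 func RandomBytes(length int) (string, error) {
 b := make([]byte, length)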
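Review bot: FileExists (hunk at -34,6 +35,15) reports true for any Stat error other than not-exist, so a path that cannot be stat'd (permission denied on a parent directory, a component that is not a directory, an I/O error) or a directory given by mistake is treated as a present certificate, and the new waitForCertificates stops waiting on it only for the TLS load to fail later with a less direct error. Return true only on a successful Stat of a non-directory: `info, err := os.Stat(filename)` / `return err == nil && !info.IsDir()`, and say so in the doc comment, `// FileExists reports whether filename can be stat'd and is not a directory.` RandomBytes's body continues outside the hunk.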


@ -152,18 +152,18 @@ spec:
- name: {{ $name }} - name: {{ $name }}
image: {{ $na.Image }} image: {{ $na.Image }}
args: args:
- server - server
- --authorization-timeout={{ $na.Timeout.Duration }} - --authorization-timeout={{ $na.Timeout.Duration }}
- --authorizer={{ $na.Authorizer }} - --authorizer={{ $na.Authorizer }}
- --cluster-name={{ ClusterName }} - --cluster-name={{ ClusterName }}
{{- range $na.Features }} {{- range $na.Features }}
- --feature={{ . }} - --feature={{ . }}
{{- end }} {{- end }}
- --listen=0.0.0.0:{{ $na.Port }} - --listen=0.0.0.0:{{ $na.Port }}
- --tls-cert=/config/tls.pem - --tls-cert=/config/tls.pem
- --tls-client-ca=/config/ca.pem - --tls-client-ca=/config/ca.pem
- --tls-private-key=/config/tls-key.pem - --tls-private-key=/config/tls-key.pem
- --token-ttl={{ $na.TokenTTL.Duration }} - --token-ttl={{ $na.TokenTTL.Duration }}
resources: resources:
limits: limits:
cpu: 100m cpu: 100m