Merge pull request #5868 from gambol99/fix_up_client

Node Authorizer Fixes

node-authorizer/cmd/node-authorizer/client.go

@@ -51,7 +51,7 @@ func addClientCommand() cli.Command {
 				Name:   "kubeconfig",
 				Usage:  "location to write bootstrap token config `PATH`",
 				EnvVar: "KUBECONFIG_BOOTSTRAP",
-				Value:  "/var/run/kubelet/kubelet-bootstrap.yml",
+				Value:  "/var/lib/kubelet/bootstrap-kubeconfig",
 			},
 			cli.StringFlag{
 				Name:   "tls-client-ca",

node-authorizer/cmd/node-authorizer/server.go

@@ -95,7 +95,7 @@ func addServerCommand() cli.Command {
 				Name:   "certificate-ttl",
 				Usage:  "check the certificates exist and if not wait for x period `DURATION`",
 				EnvVar: "CERTIFICATE_TTL",
-				Value:  10 * time.Minute,
+				Value:  1 * time.Hour,
 			},
 			cli.DurationFlag{
 				Name:   "authorization-timeout",

node-authorizer/pkg/client/client.go

@@ -43,6 +43,14 @@ func New(config *Config) error {
 		zap.String("kubeconfig", config.KubeConfigPath),
 		zap.String("registration-url", config.NodeURL))
 
+	// @step: if we have a kubeconfig already we can skip it
+	if utils.FileExists(config.KubeConfigPath) {
+		utils.Logger.Info("skipping the client authorization as kubeconfig found",
+			zap.String("kubeconfig", config.KubeConfigPath))
+
+		return nil
+	}
+
 	// @step: create the verifier
 	verifier, err := newNodeVerifier(config.Authorizer)
 	if err != nil {

node-authorizer/pkg/server/admission.go

@@ -80,7 +80,8 @@ func (n *NodeAuthorizer) authorizeNodeRequest(ctx context.Context, request *Node
 	if !request.IsAllowed() {
 		utils.Logger.Error("the node has been denied authorization",
 			zap.String("client", request.Spec.RemoteAddr),
-			zap.String("node", request.Spec.NodeName))
+			zap.String("node", request.Spec.NodeName),
+			zap.String("reason", request.Status.Reason))
 
 		nodeAuthorizationMetric.WithLabelValues("denied").Inc()
 

node-authorizer/pkg/server/server.go

@@ -37,7 +37,7 @@ import (
 
 const (
 	// Version is the server version
-	Version = "v0.0.1"
+	Version = "v0.0.4"
 	// the namespace to place the secrets
 	tokenNamespace = "kube-system"
 )
@@ -55,8 +55,8 @@ type NodeAuthorizer struct {
 // New creates and returns a node authorizer
 func New(config *Config, authorizer Authorizer) (*NodeAuthorizer, error) {
 	utils.Logger.Info("starting the node authorization service",
-		zap.String("listen", Version),
-		zap.String("version", config.Listen))
+		zap.String("listen", config.Listen),
+		zap.String("version", Version))
 
 	if err := config.IsValid(); err != nil {
 		return nil, fmt.Errorf("configuration error: %s", err)

pkg/model/components/node-authorizer/options.go

@@ -100,5 +100,5 @@ func GetNodeAuthorizerImage() string {
 		return v
 	}
 
-	return "quay.io/gambol99/node-authorizer:v0.0.2@sha256:78c20c69187d3098e196e2b645d0571aeef377adc5cbd89684023ec668306268"
+	return "quay.io/gambol99/node-authorizer:v0.0.4@sha256:078b948b8207e43d35885f181713de3d3c0491fe40661d198f9bc00136cff271"
 }

upup/models/cloudup/resources/addons/node-authorizer.addons.k8s.io/k8s-1.10.yaml.template

@@ -131,6 +131,7 @@ spec:
       annotations:
         dns.alpha.kubernetes.io/internal: {{ $name }}-internal.{{ ClusterName }}
         prometheus.io/port: "{{ $na.Port }}"
+        prometheus.io/scheme: "https"
         prometheus.io/scrape: "true"
         scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:

upup/pkg/fi/cloudup/bootstrapchannelbuilder.go

@@ -150,7 +150,7 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri
 	if b.cluster.Spec.NodeAuthorization != nil {
 		{
 			key := "node-authorizer.addons.k8s.io"
-			version := "v0.0.2"
+			version := "v0.0.4"
 
 			{
 				location := key + "/k8s-1.10.yaml"