diff --git a/pkg/agent/config/config.go b/pkg/agent/config/config.go index a35410014a17..55961a3cad71 100644 --- a/pkg/agent/config/config.go +++ b/pkg/agent/config/config.go @@ -140,6 +140,20 @@ func getNodeNamedCrt(nodeName string, nodeIPs []net.IP, nodePasswordFile string) } defer resp.Body.Close() + // If we got a 401 Unauthorized response when using client certs, try again without client cert auth. + // This allows us to fall back from node identity to token when the node resource is deleted. + if resp.StatusCode == http.StatusUnauthorized { + if transport, ok := client.Transport.(*http.Transport); ok && transport.TLSClientConfig != nil && len(transport.TLSClientConfig.Certificates) != 0 { + logrus.Infof("Node authorization rejected, retrying without client certificate authentication") + transport.TLSClientConfig.Certificates = []tls.Certificate{} + resp, err = client.Do(req) + if err != nil { + return nil, err + } + defer resp.Body.Close() + } + } + if resp.StatusCode == http.StatusForbidden { return nil, fmt.Errorf("Node password rejected, duplicate hostname or contents of '%s' may not match server node-passwd entry, try enabling a unique node name with the --with-node-id flag", nodePasswordFile) } diff --git a/pkg/clientaccess/token.go b/pkg/clientaccess/token.go index 8538c8e476e3..37031379f120 100644 --- a/pkg/clientaccess/token.go +++ b/pkg/clientaccess/token.go @@ -367,7 +367,7 @@ func getCACerts(u url.URL) ([]byte, error) { return cacerts, nil } -// get makes a request to a url using a provided client, username, and password, +// get makes a request to a url using a provided client and credentials, // returning the response body. func get(u string, client *http.Client, username, password, token string) ([]byte, error) { req, err := http.NewRequest(http.MethodGet, u, nil) @@ -394,7 +394,7 @@ func get(u string, client *http.Client, username, password, token string) ([]byt return io.ReadAll(resp.Body) } -// put makes a request to a url using a provided client, username, and password +// put makes a request to a url using a provided client and credentials, // only an error is returned func put(u string, body []byte, client *http.Client, username, password, token string) error { req, err := http.NewRequest(http.MethodPut, u, bytes.NewBuffer(body))