Azure · cameronmeissner · Oct 21, 2024 · Oct 17, 2024 · Oct 17, 2024 · Oct 18, 2024
@@ -423,21 +423,9 @@ getPrimaryNicIP() {
     echo "$ip"
 }
 
-# removes the specified LABEL_STRING (which should be in the form of 'label=value') from KUBELET_NODE_LABELS
-clearKubeletNodeLabel() {
-    local LABEL_STRING=$1
-    if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
-        KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
-    elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
-        KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
-    elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
-        KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
-    fi
-}
-
-disableKubeletServingCertificateRotationForTags() {
-    if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true"  ]]; then
-        echo "kubelet serving certificate rotation is already disabled"
+configureKubeletServingCertificateRotation() {
+    if [ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]; then
+        echo "kubelet serving certificate rotation is disabled, nothing to configure"
         return 0
     fi
 
@@ -449,25 +437,27 @@ disableKubeletServingCertificateRotationForTags() {
         exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
     fi
 
-    if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
-        echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
-        return 0
-    fi
+    KUBELET_SERVING_CERTIFICATE_ROTATION_LABEL="kubernetes.azure.com/kubelet-serving-ca=cluster"
 
-    echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
+    if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" == "true" ]; then
+        echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels"
 
-    # set the --rotate-server-certificates flag to false if needed
-    KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
+        # set the --rotate-server-certificates flag to false if needed
+        KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
 
-    if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
-        set +x
-        # set the serverTLSBootstrap property to false if needed
-        KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
-        set -x
+        if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
+            set +x
+            # set the serverTLSBootstrap property to false if needed
+            KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
+            set -x
+        fi
+
+        removeKubeletNodeLabel $KUBELET_SERVING_CERTIFICATE_ROTATION_LABEL
+        return 0
     fi
 
-    # remove the "kubernetes.azure.com/kubelet-serving-ca=cluster" label if needed
-    clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
+    echo "kubelet serving certificate rotation is enabled, will add node label if needed"
+    addKubeletNodeLabel $KUBELET_SERVING_CERTIFICATE_ROTATION_LABEL
 }
 
 ensureKubelet() {

@@ -615,4 +615,33 @@ updatePackageDownloadURL() {
     return    
 }
 
+# adds the specified LABEL_STRING (which should be in the form of 'label=value') to KUBELET_NODE_LABELS
+addKubeletNodeLabel() {
+    local LABEL_STRING=$1
+    if grep -i "$LABEL_STRING" <<< "$KUBELET_NODE_LABELS" > /dev/null 2>&1; then
+        echo "kubelet node label $LABEL_STRING is already present, nothing to add"
+        return 0
+    fi
+
+    echo "adding label $LABEL_STRING to kubelet node labels..."
+    if [ -n "$KUBELET_NODE_LABELS" ]; then
+        KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS},${LABEL_STRING}"
+    else
+        # node labels shouldn't ever be empty, but we guard against it to be safe
+        KUBELET_NODE_LABELS=$LABEL_STRING
+    fi
+}
+
+# removes the specified LABEL_STRING (which should be in the form of 'label=value') from KUBELET_NODE_LABELS
+removeKubeletNodeLabel() {
+    local LABEL_STRING=$1
+    if grep -e ",${LABEL_STRING}" <<< "$KUBELET_NODE_LABELS" > /dev/null 2>&1; then
+        KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
+    elif grep -e "${LABEL_STRING}," <<< "$KUBELET_NODE_LABELS" > /dev/null 2>&1; then
+        KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
+    elif grep -e "${LABEL_STRING}" <<< "$KUBELET_NODE_LABELS" > /dev/null 2>&1; then
+        KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
+    fi
+}
+
 #HELPERSEOF
@@ -220,10 +220,9 @@ fi
 # for drop ins, so they don't all have to check/create the dir
 mkdir -p "/etc/systemd/system/kubelet.service.d"
 
-# we do this here since this function has the potential to mutate kubelet flags, 
-# kubelet config file, and node labels if a special tag has been added to the underlying VM. 
-# kubelet config file content is decoded and written to disk by configureK8s, thus we need to make sure the content is correct beforehand.
-logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
+# IMPORTANT NOTE: We do this here since this function can mutate kubelet flags and node labels, 
+# which is used by configureK8s and other functions. Thus, we need to make sure flag and label content is correct beforehand.
+logs_to_events "AKS.CSE.configureKubeletServingCertificateRotation" configureKubeletServingCertificateRotation
 
 logs_to_events "AKS.CSE.configureK8s" configureK8s
 

@@ -297,6 +297,9 @@ try
     # NOTE: this function MUST be called before Write-KubeClusterConfig since it has the potential
     # to mutate both kubelet config args and kubelet node labels.
     Disable-KubeletServingCertificateRotationForTags
+
+    # TODO(cameissner): uncomment once CSE package has been updated
+    # Configure-KubeletServingCertificateRotation
 
     Write-KubeClusterConfig -MasterIP $MasterIP -KubeDnsServiceIp $KubeDnsServiceIp