зеркало из https://github.com/Azure/AgentBaker.git
feat: respect nodepool tags for disabling kubelet serving certificate rotation (#4911)
Co-authored-by: Cameron Meissner <cameissner@microsoft.com>
Родитель
cb45912bd1
Коммит
6d6960b123
|
@ -984,6 +984,144 @@ func Test_ubuntu2204Wasm(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
func Test_Ubuntu2204DisableKubeletServingCertificateRotationWithTags(t *testing.T) {
|
||||
RunScenario(t, &Scenario{
|
||||
Tags: Tags{
|
||||
ServerTLSBootstrapping: true,
|
||||
},
|
||||
Description: "tests that a node on ubuntu 2204 bootstrapped with kubelet serving certificate rotation enabled will disable certificate rotation due to nodepool tags",
|
||||
Config: Config{
|
||||
Cluster: ClusterKubenet,
|
||||
VHD: config.VHDUbuntu2204Gen2Containerd,
|
||||
BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
|
||||
nbc.ContainerService.Properties.AgentPoolProfiles[0].Distro = "aks-ubuntu-containerd-22.04-gen2"
|
||||
nbc.AgentPoolProfile.Distro = "aks-ubuntu-containerd-22.04-gen2"
|
||||
if nbc.KubeletConfig == nil {
|
||||
nbc.KubeletConfig = map[string]string{}
|
||||
}
|
||||
nbc.KubeletConfig["--rotate-server-certificates"] = "true"
|
||||
},
|
||||
VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
|
||||
if vmss.Tags == nil {
|
||||
vmss.Tags = map[string]*string{}
|
||||
}
|
||||
vmss.Tags["aks-disable-kubelet-serving-certificate-rotation"] = to.Ptr("true")
|
||||
},
|
||||
LiveVMValidators: []*LiveVMValidator{
|
||||
FileExcludesContentsValidator("/etc/default/kubelet", "\\-\\-rotate-server-certificates=true", "\\-\\-rotate-server-certificates=true"),
|
||||
FileExcludesContentsValidator("/etc/default/kubelet", "kubernetes.azure.com/kubelet-serving-ca=cluster", "kubernetes.azure.com/kubelet-serving-ca=cluster"),
|
||||
FileHasContentsValidator("/etc/default/kubelet", "\\-\\-rotate-server-certificates=false"),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func Test_Ubuntu2204DisableKubeletServingCertificateRotationWithTags_CustomKubeletConfig(t *testing.T) {
|
||||
RunScenario(t, &Scenario{
|
||||
Tags: Tags{
|
||||
ServerTLSBootstrapping: true,
|
||||
},
|
||||
Description: "tests that a node on ubuntu 2204 bootstrapped with custom kubelet config and kubelet serving certificate rotation enabled will disable certificate rotation due to nodepool tags",
|
||||
Config: Config{
|
||||
Cluster: ClusterKubenet,
|
||||
VHD: config.VHDUbuntu2204Gen2Containerd,
|
||||
BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
|
||||
nbc.ContainerService.Properties.AgentPoolProfiles[0].Distro = "aks-ubuntu-containerd-22.04-gen2"
|
||||
nbc.AgentPoolProfile.Distro = "aks-ubuntu-containerd-22.04-gen2"
|
||||
|
||||
// to force kubelet config file
|
||||
customKubeletConfig := &datamodel.CustomKubeletConfig{
|
||||
FailSwapOn: to.Ptr(true),
|
||||
AllowedUnsafeSysctls: &[]string{"kernel.msg*", "net.ipv4.route.min_pmtu"},
|
||||
}
|
||||
nbc.AgentPoolProfile.CustomKubeletConfig = customKubeletConfig
|
||||
nbc.ContainerService.Properties.AgentPoolProfiles[0].CustomKubeletConfig = customKubeletConfig
|
||||
|
||||
if nbc.KubeletConfig == nil {
|
||||
nbc.KubeletConfig = map[string]string{}
|
||||
}
|
||||
nbc.KubeletConfig["--rotate-server-certificates"] = "true"
|
||||
},
|
||||
VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
|
||||
if vmss.Tags == nil {
|
||||
vmss.Tags = map[string]*string{}
|
||||
}
|
||||
vmss.Tags["aks-disable-kubelet-serving-certificate-rotation"] = to.Ptr("true")
|
||||
},
|
||||
LiveVMValidators: []*LiveVMValidator{
|
||||
FileExcludesContentsValidator("/etc/default/kubelet", "\\-\\-rotate-server-certificates=true", "\\-\\-rotate-server-certificates=true"),
|
||||
FileExcludesContentsValidator("/etc/default/kubelet", "kubernetes.azure.com/kubelet-serving-ca=cluster", "kubernetes.azure.com/kubelet-serving-ca=cluster"),
|
||||
FileExcludesContentsValidator("/etc/default/kubeletconfig.json", "\"serverTLSBootstrap\": true", "serverTLSBootstrap: true"),
|
||||
FileHasContentsValidator("/etc/default/kubeletconfig.json", "\"serverTLSBootstrap\": false"),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func Test_Ubuntu2204DisableKubeletServingCertificateRotationWithTags_AlreadyDisabled(t *testing.T) {
|
||||
RunScenario(t, &Scenario{
|
||||
Tags: Tags{
|
||||
ServerTLSBootstrapping: true,
|
||||
},
|
||||
Description: "tests that a node on ubuntu 2204 bootstrapped with kubelet serving certificate rotation disabled will disable certificate rotation regardless of nodepool tags",
|
||||
Config: Config{
|
||||
Cluster: ClusterKubenet,
|
||||
VHD: config.VHDUbuntu2204Gen2Containerd,
|
||||
BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
|
||||
nbc.ContainerService.Properties.AgentPoolProfiles[0].Distro = "aks-ubuntu-containerd-22.04-gen2"
|
||||
nbc.AgentPoolProfile.Distro = "aks-ubuntu-containerd-22.04-gen2"
|
||||
},
|
||||
VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
|
||||
if vmss.Tags == nil {
|
||||
vmss.Tags = map[string]*string{}
|
||||
}
|
||||
vmss.Tags["aks-disable-kubelet-serving-certificate-rotation"] = to.Ptr("true")
|
||||
},
|
||||
LiveVMValidators: []*LiveVMValidator{
|
||||
FileExcludesContentsValidator("/etc/default/kubelet", "\\-\\-rotate-server-certificates=true", "\\-\\-rotate-server-certificates=true"),
|
||||
FileExcludesContentsValidator("/etc/default/kubelet", "kubernetes.azure.com/kubelet-serving-ca=cluster", "kubernetes.azure.com/kubelet-serving-ca=cluster"),
|
||||
FileExcludesContentsValidator("/etc/default/kubeletconfig.json", "\"serverTLSBootstrap\": true", "serverTLSBootstrap: true"),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func Test_Ubuntu2204DisableKubeletServingCertificateRotationWithTags_AlreadyDisabled_CustomKubeletConfig(t *testing.T) {
|
||||
RunScenario(t, &Scenario{
|
||||
Tags: Tags{
|
||||
ServerTLSBootstrapping: true,
|
||||
},
|
||||
Description: "tests that a node on ubuntu 2204 bootstrapped with kubelet serving certificate rotation disabled and custom kubelet config will disable certificate rotation regardless of nodepool tags",
|
||||
Config: Config{
|
||||
Cluster: ClusterKubenet,
|
||||
VHD: config.VHDUbuntu2204Gen2Containerd,
|
||||
BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
|
||||
nbc.ContainerService.Properties.AgentPoolProfiles[0].Distro = "aks-ubuntu-containerd-22.04-gen2"
|
||||
nbc.AgentPoolProfile.Distro = "aks-ubuntu-containerd-22.04-gen2"
|
||||
|
||||
// to force kubelet config file
|
||||
customKubeletConfig := &datamodel.CustomKubeletConfig{
|
||||
FailSwapOn: to.Ptr(true),
|
||||
AllowedUnsafeSysctls: &[]string{"kernel.msg*", "net.ipv4.route.min_pmtu"},
|
||||
}
|
||||
nbc.AgentPoolProfile.CustomKubeletConfig = customKubeletConfig
|
||||
nbc.ContainerService.Properties.AgentPoolProfiles[0].CustomKubeletConfig = customKubeletConfig
|
||||
},
|
||||
VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
|
||||
if vmss.Tags == nil {
|
||||
vmss.Tags = map[string]*string{}
|
||||
}
|
||||
vmss.Tags["aks-disable-kubelet-serving-certificate-rotation"] = to.Ptr("true")
|
||||
},
|
||||
LiveVMValidators: []*LiveVMValidator{
|
||||
FileExcludesContentsValidator("/etc/default/kubelet", "\\-\\-rotate-server-certificates=true", "\\-\\-rotate-server-certificates=true"),
|
||||
FileExcludesContentsValidator("/etc/default/kubelet", "kubernetes.azure.com/kubelet-serving-ca=cluster", "kubernetes.azure.com/kubelet-serving-ca=cluster"),
|
||||
FileExcludesContentsValidator("/etc/default/kubeletconfig.json", "\"serverTLSBootstrap\": true", "serverTLSBootstrap: true"),
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func Test_ubuntu2204WasmAirGap(t *testing.T) {
|
||||
RunScenario(t, &Scenario{
|
||||
Description: "tests that a new ubuntu 2204 node using krustlet can be properly bootstrapepd when it is network isolated cluster",
|
||||
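Review bot: All four new scenarios set the `aks-disable-kubelet-serving-certificate-rotation` tag to "true", so none of them would catch an implementation that turns rotation off regardless of the tag. Since the tag downgrades the kubelet serving certificate from a cluster-CA-signed one to a self-signed one, a negative control is worth having unless a scenario outside this hunk already covers it. That would be a scenario with the tag absent or set to "false" that asserts `FileHasContentsValidator("/etc/default/kubelet", "\\-\\-rotate-server-certificates=true")`. The `_AlreadyDisabled` scenario without custom kubelet config also checks `/etc/default/kubeletconfig.json`, which the "to force kubelet config file" comment suggests may not exist there; confirm that the excludes validator treats a missing file as intended. The repeated `VMConfigMutator` closure could be one shared helper.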
|
|
15
e2e/types.go
15
e2e/types.go
|
@ -17,13 +17,14 @@ import (
|
|||
)
|
||||
|
||||
type Tags struct {
|
||||
Name string
|
||||
ImageName string
|
||||
OS string
|
||||
Arch string
|
||||
Airgap bool
|
||||
GPU bool
|
||||
WASM bool
|
||||
Name string
|
||||
ImageName string
|
||||
OS string
|
||||
Arch string
|
||||
Airgap bool
|
||||
GPU bool
|
||||
WASM bool
|
||||
ServerTLSBootstrapping bool
|
||||
}
|
||||
|
||||
// MatchesFilters checks if the Tags struct matches all given filters.
|
||||
|
|
|
@ -17,7 +17,7 @@ func DirectoryValidator(path string, files []string) *LiveVMValidator {
|
|||
}
|
||||
for _, file := range files {
|
||||
if !strings.Contains(stdout, file) {
|
||||
return fmt.Errorf(fmt.Sprintf("expected to find file %s within directory %s, but did not", file, path))
|
||||
return fmt.Errorf("expected to find file %s within directory %s, but did not", file, path)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
|
@ -41,7 +41,7 @@ func SysctlConfigValidator(customSysctls map[string]string) *LiveVMValidator {
|
|||
}
|
||||
for name, value := range customSysctls {
|
||||
if !strings.Contains(stdout, fmt.Sprintf("%s = %v", name, value)) {
|
||||
return fmt.Errorf(fmt.Sprintf("expected to find %s set to %v, but was not", name, value))
|
||||
return fmt.Errorf("expected to find %s set to %v, but was not", name, value)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
|
@ -107,9 +107,8 @@ func NonEmptyDirectoryValidator(dirName string) *LiveVMValidator {
|
|||
|
||||
func FileHasContentsValidator(fileName string, contents string) *LiveVMValidator {
|
||||
steps := []string{
|
||||
// Verify the service is active - print the state then verify so we have logs
|
||||
fmt.Sprintf("ls -la %[1]s", fileName),
|
||||
fmt.Sprintf("(sudo cat %[1]s | grep -q '%[2]s')", fileName, contents),
|
||||
fmt.Sprintf("(sudo cat %[1]s | grep -q %[2]q)", fileName, contents),
|
||||
}
|
||||
|
||||
command := makeExecutableCommand(steps)
|
||||
|
@ -142,9 +141,7 @@ func FileExcludesContentsValidator(fileName string, contents string, contentsNam
|
|||
|
||||
// this function is just used to remove some bash specific tokens so we can echo the command to stdout.
|
||||
func cleanse(str string) string {
|
||||
str = strings.Replace(str, "'", "", -1)
|
||||
|
||||
return str
|
||||
return strings.Replace(str, "'", "", -1)
|
||||
}
|
||||
|
||||
func makeExecutableCommand(steps []string) string {
|
||||
|
@ -208,7 +205,6 @@ func ServiceCanRestartValidator(serviceName string, restartTimeoutInSeconds int)
|
|||
|
||||
func CommandHasOutputValidator(commandToExecute string, expectedOutput string) *LiveVMValidator {
|
||||
steps := []string{
|
||||
// Verify the service is active - print the state then verify so we have logs
|
||||
fmt.Sprint(commandToExecute),
|
||||
}
|
||||
|
||||
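Review bot: In FileHasContentsValidator the new `grep -q %[2]q` relies on Go's `%q`, which emits a Go double-quoted literal rather than a shell-quoted word. Inside double quotes the shell on the VM still expands `$`, backticks and backslashes, and Go escapes such as `\n` or `\u00e9` reach grep as literal backslash sequences. The patterns passed in this commit survive that round trip, but a future pattern containing `$` or a backtick would be altered or evaluated before grep sees it. Wrapping the value in single quotes with embedded quotes escaped keeps it literal, e.g. `"'" + strings.ReplaceAll(contents, "'", "'\\''") + "'"`, and `fileName` is interpolated unquoted in both steps and would benefit from the same treatment. The function body continues past the hunk.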
|
|
|
@ -249,8 +249,11 @@ EOF
|
|||
sed -i "/cloudProviderBackoffJitter/d" /etc/kubernetes/azure.json
|
||||
fi
|
||||
|
||||
# generate a kubelet serving certificate if we aren't relying on
|
||||
# TLS bootstrapping to generate one for us
|
||||
# generate a kubelet serving certificate if we aren't relying on TLS bootstrapping to generate one for us.
|
||||
# NOTE: in the case where ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION is true but
|
||||
# the customer has disabled serving certificate rotation via nodepool tags,
|
||||
# the self-signed serving certificate will be bootstrapped by the kubelet instead of this function
|
||||
# TODO(cameissner): remove configureKubeletServerCert altogether
|
||||
if [ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]; then
|
||||
configureKubeletServerCert
|
||||
fi
|
||||
|
@ -402,6 +405,53 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
# removes the specified LABEL_STRING (which should be in the form of 'label=value') from KUBELET_NODE_LABELS
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
# check if kubelet serving certificate rotation is disabled by customer-specified nodepool tags
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
# set the --rotate-server-certificates flag to false if needed
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
# set the serverTLSBootstrap property to false if needed
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
# remove the "kubernetes.azure.com/kubelet-serving-ca=cluster" label if needed
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
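Review bot: The `base64 -d | jq ... | base64` pipeline in disableKubeletServingCertificateRotationForTags assigns whatever the final `base64` prints, so a failed decode or a jq parse error leaves KUBELET_CONFIG_FILE_CONTENT empty without being detected. The comment added next to the call site says configureK8s later decodes this content and writes it to disk, so a malformed payload would turn into an empty kubelet config file. Running the pipeline under pipefail into a temporary and assigning only on success avoids that; the exit code in the sketch below is a placeholder, since the page defines none for this case. Separately, the three `grep -e` tests in clearKubeletNodeLabel print the match to stdout and read the label as a regex, where `grep -qF --` would make them quiet literal checks. The same function text recurs in later file sections of this page.

```shell
# … unchanged: tag lookup and KUBELET_FLAGS rewrite …
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
    set +x
    # rewrite into a temporary so a failed decode or jq error cannot blank the config
    local updated_content
    updated_content=$(set -o pipefail; echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
    if [ $? -ne 0 ] || [ -z "$updated_content" ]; then
        echo "failed to rewrite serverTLSBootstrap in kubelet config file content"
        exit $ERR_PLACEHOLDER_KUBELET_CONFIG_REWRITE # placeholder: no such code is defined on this page
    fi
    KUBELET_CONFIG_FILE_CONTENT="$updated_content"
    set -x
fi
# … unchanged: clearKubeletNodeLabel call …
```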
|
|
|
@ -119,6 +119,9 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210 # Error pulling artifact with oras from registr
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211 # Error pulling artifact with oras from registry
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212 # Error pulling artifact with oras from registry
|
||||
|
||||
# Error checking nodepools tags for whether we need to disable kubelet serving certificate rotation
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
# For both Ubuntu and Mariner, /etc/*-release should exist.
|
||||
# For unit tests, the OS and OS_VERSION will be set in the unit test script.
|
||||
# So whether it's if or else actually doesn't matter to our unit test.
|
||||
|
@ -438,6 +441,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
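Review bot: With `set -x` at the top of should_disable_kubelet_serving_certificate_rotation, and the caller invoking it through `bash -cx`, the `body=$(curl ...)` assignment is traced, so the whole IMDS instance document is written to the trace output on every attempt. Only one tag value is needed from that response, and the caller already wraps the kubelet config rewrite in `set +x`, so the same care fits here: replace the leading `set -x` with `set +x`, which also overrides the `-x` passed by the caller. The variables `body`, `ret` and `should_disable` are also not declared `local`, which matters if the function is ever called directly rather than through a child bash. Where the trace ends up is not visible on this page, so confirm whether it is shipped off the node.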
|
|
|
@ -219,6 +219,11 @@ fi
|
|||
# for drop ins, so they don't all have to check/create the dir
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
# we do this here since this function has the potential to mutate kubelet flags,
|
||||
# kubelet config file, and node labels if a special tag has been added to the underlying VM.
|
||||
# kubelet config file content is decoded and written to disk by configureK8s, thus we need to make sure the content is correct beforehand.
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -213,6 +213,8 @@ $global:RebootNeeded = $false
|
|||
|
||||
$global:IsSkipCleanupNetwork = [System.Convert]::ToBoolean("{{GetVariable "isSkipCleanupNetwork" }}");
|
||||
|
||||
$global:EnableKubeletServingCertificateRotation = [System.Convert]::ToBoolean("{{EnableKubeletServingCertificateRotation}}")
|
||||
|
||||
# Extract cse helper script from ZIP
|
||||
[io.file]::WriteAllBytes("scripts.zip", [System.Convert]::FromBase64String($zippedFiles))
|
||||
Expand-Archive scripts.zip -DestinationPath "C:\\AzureData\\" -Force
|
||||
|
@ -291,6 +293,9 @@ try
|
|||
icacls.exe "c:\k"
|
||||
Get-ProvisioningScripts
|
||||
Get-LogCollectionScripts
|
||||
|
||||
# TODO(cameissner): uncomment once next CSE package is rolled out to all regions
|
||||
# Disable-KubeletServingCertificateRotationForTags
|
||||
|
||||
Write-KubeClusterConfig -MasterIP $MasterIP -KubeDnsServiceIp $KubeDnsServiceIp
|
||||
|
||||
|
|
|
@ -72,9 +72,10 @@ $global:WINDOWS_CSE_ERROR_INSTALL_CREDENTIAL_PROVIDER = 65 # exit code for insta
|
|||
$global:WINDOWS_CSE_ERROR_DOWNLOAD_CREDEDNTIAL_PROVIDER=66 # exit code for downloading credential provider failure
|
||||
$global:WINDOWS_CSE_ERROR_CREDENTIAL_PROVIDER_CONFIG=67 # exit code for checking credential provider config failure
|
||||
$global:WINDOWS_CSE_ERROR_ADJUST_PAGEFILE_SIZE=68
|
||||
$global:WINDOWS_CSE_ERROR_LOOKUP_INSTANCE_DATA_TAG=69 # exit code for looking up nodepool/VM tags via IMDS
|
||||
# WINDOWS_CSE_ERROR_MAX_CODE is only used in unit tests to verify whether new error code name is added in $global:ErrorCodeNames
|
||||
# Please use the current value of WINDOWS_CSE_ERROR_MAX_CODE as the value of the new error code and increment it by 1
|
||||
$global:WINDOWS_CSE_ERROR_MAX_CODE=69
|
||||
$global:WINDOWS_CSE_ERROR_MAX_CODE=70
|
||||
|
||||
# Please add new error code for downloading new packages in RP code too
|
||||
$global:ErrorCodeNames = @(
|
||||
|
@ -146,7 +147,8 @@ $global:ErrorCodeNames = @(
|
|||
"WINDOWS_CSE_ERROR_INSTALL_CREDENTIAL_PROVIDER",
|
||||
"WINDOWS_CSE_ERROR_DOWNLOAD_CREDEDNTIAL_PROVIDER",
|
||||
"WINDOWS_CSE_ERROR_CREDENTIAL_PROVIDER_CONFIG",
|
||||
"WINDOWS_CSE_ERROR_ADJUST_PAGEFILE_SIZE"
|
||||
"WINDOWS_CSE_ERROR_ADJUST_PAGEFILE_SIZE",
|
||||
"WINDOWS_CSE_ERROR_LOOKUP_INSTANCE_DATA_TAG"
|
||||
)
|
||||
|
||||
# NOTE: KubernetesVersion does not contain "v"
|
||||
|
|
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
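Review bot: In `disableKubeletServingCertificateRotationForTags`, the `base64 -d | jq … | base64` pipeline overwrites `KUBELET_CONFIG_FILE_CONTENT` without checking the result, so unless `pipefail` is set elsewhere a failed decode or `jq` run leaves the variable empty after `KUBELET_FLAGS` has already been rewritten. Assigning to a temporary first, e.g. `updated=$(…)` followed by `[ -n "$updated" ] || exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG` (or a dedicated exit code), would keep a bad rewrite from passing silently; GNU `base64` also wraps its output at 76 columns unless `-w 0` is given, which may matter to whatever consumes the variable later. In `clearKubeletNodeLabel`, `grep -e` treats the label as a regex and prints the matching line, and the unquoted `${LABEL_STRING}` inside `${KUBELET_NODE_LABELS/…/}` is matched as an unanchored glob, so a label that only starts with the same text would be cut in half. `grep -qF -- "${LABEL_STRING}"` and a quoted pattern would make the match literal, though removing exactly one element needs a comma-delimited comparison. `ensureKubelet` continues outside the hunk, and the same hunk appears again, unchanged, in the later copies on this page.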
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
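Review bot: The new `logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags` call is order-dependent, and nothing in the hunk says so. The function shown elsewhere on this page rewrites `KUBELET_FLAGS`, `KUBELET_CONFIG_FILE_CONTENT` and `KUBELET_NODE_LABELS` in place, so it presumably has to run before `configureK8s` and before whichever step writes `/etc/default/kubelet`. It also only takes effect if `logs_to_events` runs its argument in the current shell rather than a subshell, which is not visible here. I would add above the call: `# must run before the kubelet config is written: rewrites KUBELET_FLAGS, KUBELET_CONFIG_FILE_CONTENT and KUBELET_NODE_LABELS in place`. The same two-line hunk recurs in the later copies on this page.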
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
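Review bot: In `disableKubeletServingCertificateRotationForTags` the `base64 -d | jq | base64` rewrite assigns its output straight to `KUBELET_CONFIG_FILE_CONTENT` without checking any stage, so if decoding or `jq` fails the variable is replaced with an empty or truncated value and provisioning carries on with it. The kubelet config file typically carries authentication and authorization settings, so the rewrite should fail closed: build the result in a temporary, check the pipeline status and that it is non-empty, and only then assign (sketch below; the exit code is a placeholder). Separately, `clearKubeletNodeLabel` passes the label to `grep -e` as a regular expression and without `-q`, so `.` matches any character, a longer label sharing the prefix is partially stripped, and the matched label list is printed to stdout; `grep -qF -- ",${LABEL_STRING}"` plus a comma-delimited comparison would be tighter. The same hunk recurs in the later file sections of this page.

```shell
    if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
        set +x
        local rewritten_config
        # Rewrite into a temporary first so a failed decode/jq stage cannot blank the config.
        rewritten_config=$(set -o pipefail; echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
        if [ $? -ne 0 ] || [ -z "$rewritten_config" ]; then
            set -x
            echo "failed to rewrite kubelet config file content"
            exit $ERR_PLACEHOLDER_KUBELET_CONFIG_REWRITE # placeholder: allocate a real code next to the other ERR_ values
        fi
        KUBELET_CONFIG_FILE_CONTENT="$rewritten_config"
        set -x
    fi
    # … unchanged: clearKubeletNodeLabel call …
```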
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
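Review bot: With `set -x` active in should_disable_kubelet_serving_certificate_rotation (and `bash -cx` at the call site), the whole IMDS instance document held in `body` is written to the xtrace output although only one tag is needed; depending on the VM, that document can carry fields such as userData that should not land in provisioning logs. Query only the tag list with `curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance/compute/tagsList?api-version=2021-02-01"` and filter with `jq -r '.[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value'`. The function also returns the status of its final `echo`, so a jq parse failure comes back as success with empty output and reads as "tag not set"; returning jq's status would let the caller's retry and error path handle it. The same hunk is repeated in the later copies of this file further down the page, and isMarinerOrAzureLinux continues outside the hunk.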
|
||||
|
|
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
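Review bot: The added `logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags` call carries no comment saying why it sits before configureK8s, yet the function only takes effect by rewriting KUBELET_FLAGS, KUBELET_NODE_LABELS and KUBELET_CONFIG_FILE_CONTENT in the current shell. A one-line comment such as `# must run before anything that consumes KUBELET_FLAGS / KUBELET_NODE_LABELS / KUBELET_CONFIG_FILE_CONTENT` would keep a later reorder from silently leaving rotation enabled on a tagged nodepool. This assumes logs_to_events runs its command in the calling shell, which is not visible in this hunk.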
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
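Review bot: In disableKubeletServingCertificateRotationForTags the output of the `base64 -d | jq … | base64` pipeline is assigned straight back to KUBELET_CONFIG_FILE_CONTENT with no check, so a decode or jq failure would replace the kubelet config with empty content and provisioning would carry on. Build the value in a local first and keep going only when it is non-empty, for example `updated=$(…same pipeline…)` followed by `[ -n "$updated" ] || exit <ERR_CODE_PLACEHOLDER>`; whether `pipefail` is in effect cannot be seen from this hunk. In clearKubeletNodeLabel the three `grep -e` tests treat the label as a regular expression and print the matching line, so `grep -qF -e` would match the label literally and keep the label list out of the log. The same hunk appears in the other copies of this file on the page, and ensureKubelet continues outside the hunk.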
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|
|
@ -192,6 +192,8 @@ fi
|
|||
|
||||
mkdir -p "/etc/systemd/system/kubelet.service.d"
|
||||
|
||||
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
|
||||
|
||||
logs_to_events "AKS.CSE.configureK8s" configureK8s
|
||||
|
||||
logs_to_events "AKS.CSE.configureCNI" configureCNI
|
||||
|
|
|
@ -389,6 +389,48 @@ ensureDHCPv6() {
|
|||
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
|
||||
}
|
||||
|
||||
clearKubeletNodeLabel() {
|
||||
local LABEL_STRING=$1
|
||||
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
|
||||
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
|
||||
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
|
||||
fi
|
||||
}
|
||||
|
||||
disableKubeletServingCertificateRotationForTags() {
|
||||
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
|
||||
echo "kubelet serving certificate rotation is already disabled"
|
||||
return 0
|
||||
fi
|
||||
|
||||
export -f should_disable_kubelet_serving_certificate_rotation
|
||||
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
|
||||
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
|
||||
fi
|
||||
|
||||
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
|
||||
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
|
||||
|
||||
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
|
||||
|
||||
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
|
||||
set +x
|
||||
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
|
||||
set -x
|
||||
fi
|
||||
|
||||
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
|
||||
}
|
||||
|
||||
ensureKubelet() {
|
||||
KUBELET_DEFAULT_FILE=/etc/default/kubelet
|
||||
mkdir -p /etc/default
|
||||
|
|
|
@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
|
|||
ERR_ORAS_PULL_FAIL_RESERVE_4=211
|
||||
ERR_ORAS_PULL_FAIL_RESERVE_5=212
|
||||
|
||||
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
|
||||
|
||||
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
|
||||
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
|
||||
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
|
||||
|
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
|
|||
echo "$should_skip"
|
||||
}
|
||||
|
||||
should_disable_kubelet_serving_certificate_rotation() {
|
||||
set -x
|
||||
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
|
||||
ret=$?
|
||||
if [ "$ret" != "0" ]; then
|
||||
return $ret
|
||||
fi
|
||||
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
|
||||
echo "$should_disable"
|
||||
}
|
||||
|
||||
isMarinerOrAzureLinux() {
|
||||
local os=$1
|
||||
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
|
||||
|
|