Azure · acs-bot · Feb 25, 2019 · Feb 22, 2019
diff --git a/docs/topics/clusterdefinitions.md b/docs/topics/clusterdefinitions.md
@@ -185,7 +185,7 @@ Above you see custom configuration for both tiller and kubernetes-dashboard. Bot
 
 See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ for more on Kubernetes resource limits.
 
-Additionally above, we specified a custom docker image for tiller, let's say we want to build a cluster and test an alpha version of tiller in it. **Important note!** customizing the image is not sticky across upgrade/scale, to ensure that aks-engine always delivers a version-curated, known-working addon when moving a cluster to a new version. Considering all that, providing a custom image reference for an addon configuration should be considered for testing/development, but not for a production cluster. If you'd like to entirely customize one of the addons available, including across scale/upgrade operations, you may include in an addon's spec a gzip+base64-encoded (in that order) string of a Kubernetes yaml manifest. E.g.,
+Additionally above, we specified a custom docker image for tiller, let's say we want to build a cluster and test an alpha version of tiller in it. **Important note!** customizing the image is not sticky across upgrade/scale, to ensure that aks-engine always delivers a version-curated, known-working addon when moving a cluster to a new version. Considering all that, providing a custom image reference for an addon configuration should be considered for testing/development, but not for a production cluster. If you'd like to entirely customize one of the addons available, including across scale/upgrade operations, you may include in an addon's spec a base64-encoded string of a Kubernetes yaml manifest. E.g.,
 
 ```
 "kubernetesConfig": {
@@ -199,7 +199,7 @@ Additionally above, we specified a custom docker image for tiller, let's say we
 }
 ```
 
-The reason for the unsightly gzip+base64 encoded input type is to optimize delivery payload, and to squash a human-maintainable yaml file representation into something that can be tightly pasted into a JSON string value without the arguably more unsightly carriage returns / whitespace that would be delivered with a literal copy/paste of a Kubernetes manifest.
+The reason for the unsightly base64 encoded input type is to optimize delivery payload, and to squash a human-maintainable yaml file representation into something that can be tightly pasted into a JSON string value without the arguably more unsightly carriage returns / whitespace that would be delivered with a literal copy/paste of a Kubernetes manifest.
 
 Finally, the `addons.enabled` boolean property was omitted above; that's by design. If you specify a `containers` configuration, aks-engine assumes you're enabling the addon. The very first example above demonstrates a simple "enable this addon with default configuration" declaration.
 

diff --git a/pkg/engine/artifacts.go b/pkg/engine/artifacts.go
@@ -286,15 +286,7 @@ func kubernetesArtifactSettingsInitAgent(profile *api.Properties) []kubernetesFe
 
 func getAddonString(input, destinationPath, destinationFile string) string {
 	addonString := getBase64CustomScriptFromStr(input)
-	contents := []string{
-		fmt.Sprintf("- path: %s/%s", destinationPath, destinationFile),
-		"  permissions: \\\"0644\\\"",
-		"  encoding: gzip",
-		"  owner: \\\"root\\\"",
-		"  content: !!binary |",
-		fmt.Sprintf("    %s\\n\\n", addonString),
-	}
-	return strings.Join(contents, "\\n")
+	return buildConfigString(addonString, destinationFile, destinationPath)
 }
 
 func substituteConfigString(input string, kubernetesFeatureSettings []kubernetesFeatureSetting, sourcePath string, destinationPath string, placeholder string, orchestratorVersion string) string {
@@ -305,24 +297,28 @@ func substituteConfigString(input string, kubernetesFeatureSettings []kubernetes
 		if setting.isEnabled {
 			var cscript string
 			if setting.rawScript != "" {
-				cscript = setting.rawScript
+				var err error
+				cscript, err = getStringFromBase64(setting.rawScript)
+				if err != nil {
+					return ""
+				}
+				config += getAddonString(cscript, setting.destinationFile, destinationPath)
 			} else {
 				cscript = getCustomScriptFromFile(setting.sourceFile,
 					sourcePath,
 					versions[0]+"."+versions[1])
+				config += buildConfigString(
+					cscript,
+					setting.destinationFile,
+					destinationPath)
 			}
-			config += buildConfigString(
-				cscript,
-				setting.destinationFile,
-				destinationPath)
 		}
 	}
 
 	return strings.Replace(input, placeholder, config, -1)
 }
 
 func buildConfigString(configString, destinationFile, destinationPath string) string {
-
 	contents := []string{
 		fmt.Sprintf("- path: %s/%s", destinationPath, destinationFile),
 		"  permissions: \\\"0644\\\"",

diff --git a/pkg/engine/engine.go b/pkg/engine/engine.go
@@ -646,6 +646,11 @@ func getBase64CustomScript(csFilename string) string {
 	return getBase64CustomScriptFromStr(csStr)
 }
 
+func getStringFromBase64(str string) (string, error) {
+	decodedBytes, err := base64.StdEncoding.DecodeString(str)
+	return string(decodedBytes), err
+}
+
 // getBase64CustomScript will return a base64 of the CSE
 func getBase64CustomScriptFromStr(str string) string {
 	var gzipB bytes.Buffer
@@ -719,7 +724,11 @@ func getContainerAddonsString(properties *api.Properties, sourcePath string) str
 		if setting.isEnabled {
 			var input string
 			if setting.rawScript != "" {
-				input = setting.rawScript
+				var err error
+				input, err = getStringFromBase64(setting.rawScript)
+				if err != nil {
+					return ""
+				}
 			} else {
 				orchProfile := properties.OrchestratorProfile
 				versions := strings.Split(orchProfile.OrchestratorVersion, ".")