diff --git a/pkg/component/extensions/operatingsystemconfig/original/components/containerd/component.go b/pkg/component/extensions/operatingsystemconfig/original/components/containerd/component.go
index ca8b9262db4..836adf11bf1 100644
--- a/pkg/component/extensions/operatingsystemconfig/original/components/containerd/component.go
+++ b/pkg/component/extensions/operatingsystemconfig/original/components/containerd/component.go
@@ -16,7 +16,6 @@ import (
 extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 "github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components"
 "github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components/containerd/logrotate"
- "github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates"
 "github.com/gardener/gardener/pkg/utils"
 )
 
@@ -86,12 +85,6 @@ func (containerd) Config(_ components.Context) ([]extensionsv1alpha1.Unit, []ext
 },
 }
 
- // Unit without content to trigger restart of containerd.service when CAs change.
- containerdUnit := extensionsv1alpha1.Unit{
- Name: UnitName,
- FilePaths: []string{rootcertificates.PathLocalSSLRootCerts},
- }
-
 monitorUnit := extensionsv1alpha1.Unit{
 Name: UnitNameMonitor,
 Command: ptr.To(extensionsv1alpha1.CommandStart),
@@ -108,5 +101,5 @@ ExecStart=` + pathHealthMonitor),
 FilePaths: []string{monitorFile.Path},
 }
 
- return append(logRotateUnits, containerdUnit, monitorUnit), append(logRotateFiles, monitorFile), nil
+ return append(logRotateUnits, monitorUnit), append(logRotateFiles, monitorFile), nil
 }
diff --git a/pkg/component/extensions/operatingsystemconfig/original/components/containerd/component_test.go b/pkg/component/extensions/operatingsystemconfig/original/components/containerd/component_test.go
index 972de2e7754..60fe3ff5970 100644
--- a/pkg/component/extensions/operatingsystemconfig/original/components/containerd/component_test.go
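Review bot: Dropping the FilePaths-only containerd unit removes the only trigger that restarted containerd.service when `/var/lib/ca-certificates-local/ROOTcerts.crt` changed, and the kubelet hunk in this commit (`FilePaths: extensionsv1alpha1helper.FilePathsFrom(kubeletFiles)`) drops the same trigger for kubelet.service, but neither hunk says what replaces it. A long-running Go process generally loads its system root pool once, so after a CA rotation containerd would keep verifying registry TLS against the stale trust store until something else restarts it. If a different component now owns CA refresh after bootstrap, keep a one-line comment where the removed `// Unit without content ...` comment stood, e.g. `// containerd is intentionally no longer restarted on CA changes; <component> handles the CA refresh — TODO confirm`. Config's body starts before this hunk.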
+++ b/pkg/component/extensions/operatingsystemconfig/original/components/containerd/component_test.go
@@ -28,11 +28,6 @@ var _ = Describe("Component", func() {

 Expect(err).NotTo(HaveOccurred())
 
- containerdUnit := extensionsv1alpha1.Unit{
- Name: "containerd.service",
- FilePaths: []string{"/var/lib/ca-certificates-local/ROOTcerts.crt"},
- }
-
 monitorUnit := extensionsv1alpha1.Unit{
 Name: "containerd-monitor.service",
 Command: ptr.To(extensionsv1alpha1.CommandStart),
@@ -96,7 +91,7 @@ WantedBy=multi-user.target`),
 },
 }
 
- Expect(units).To(ConsistOf(containerdUnit, monitorUnit, logrotateUnit, logrotateTimerUnit))
+ Expect(units).To(ConsistOf(monitorUnit, logrotateUnit, logrotateTimerUnit))
 Expect(files).To(ConsistOf(monitorFile, logrotateConfigFile))
 })
 })
diff --git a/pkg/component/extensions/operatingsystemconfig/original/components/kubelet/component.go b/pkg/component/extensions/operatingsystemconfig/original/components/kubelet/component.go
index b0c74101dc3..847d653a595 100644
--- a/pkg/component/extensions/operatingsystemconfig/original/components/kubelet/component.go
+++ b/pkg/component/extensions/operatingsystemconfig/original/components/kubelet/component.go
@@ -20,7 +20,6 @@ import (
 extensionsv1alpha1helper "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1/helper"
 "github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components"
 "github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components/containerd"
- "github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates"
 oscutils "github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/utils"
 "github.com/gardener/gardener/pkg/utils"
 )
@@ -113,7 +112,7 @@ EnvironmentFile=/etc/environment
 EnvironmentFile=-/var/lib/kubelet/extra_args
 ExecStart=` + v1beta1constants.OperatingSystemConfigFilePathBinaries + `/kubelet \
 ` + utils.Indent(strings.Join(cliFlags, " \\\n"), 4) + ` $KUBELET_EXTRA_ARGS`),
- FilePaths: append(extensionsv1alpha1helper.FilePathsFrom(kubeletFiles), rootcertificates.PathLocalSSLRootCerts),
+ FilePaths: extensionsv1alpha1helper.FilePathsFrom(kubeletFiles),
 }

 return []extensionsv1alpha1.Unit{kubeletUnit}, kubeletFiles, nil
diff --git a/pkg/component/extensions/operatingsystemconfig/original/components/kubelet/component_test.go b/pkg/component/extensions/operatingsystemconfig/original/components/kubelet/component_test.go
index 03c17f6b69b..e36ca4fdabd 100644
--- a/pkg/component/extensions/operatingsystemconfig/original/components/kubelet/component_test.go
+++ b/pkg/component/extensions/operatingsystemconfig/original/components/kubelet/component_test.go
@@ -239,9 +239,11 @@ EnvironmentFile=/etc/environment
 EnvironmentFile=-/var/lib/kubelet/extra_args` + kubeletStartPre + `
 ExecStart=/opt/bin/kubelet \
 ` + utils.Indent(strings.Join(cliFlags, " \\\n"), 4) + ` $KUBELET_EXTRA_ARGS`),
- FilePaths: []string{"/var/lib/kubelet/ca.crt", "/var/lib/kubelet/config/kubelet", "/opt/bin/kubelet", "/var/lib/ca-certificates-local/ROOTcerts.crt"},
+ FilePaths: []string{"/var/lib/kubelet/ca.crt", "/var/lib/kubelet/config/kubelet"},
 }
 
+ unit.FilePaths = append(unit.FilePaths, "/opt/bin/kubelet")
+
 return unit
 }
 
diff --git a/pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/component.go b/pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/component.go
index 271e03ea588..70feefaacdf 100644
--- a/pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/component.go
+++ b/pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/component.go
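Review bot: The new `unit.FilePaths = append(unit.FilePaths, "/opt/bin/kubelet")` in the kubelet test hunk is unconditional as far as the hunk shows, so splitting `/opt/bin/kubelet` out of the literal only makes the expected list harder to read against the component. Unless a branch outside the hunk mutates FilePaths between the literal and the append, keep it inline as `FilePaths: []string{"/var/lib/kubelet/ca.crt", "/var/lib/kubelet/config/kubelet", "/opt/bin/kubelet"},` and drop the two added lines. The function that builds `unit` starts before this hunk.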
@@ -13,17 +13,14 @@ import (
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 "k8s.io/utils/ptr"
 
- v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 extensionsv1alpha1helper "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1/helper"
 "github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components"
+ "github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components/kubelet"
 "github.com/gardener/gardener/pkg/utils"
 )

 const (
- // PathLocalSSLRootCerts is the path to the Gardener CAs. It can be used as trigger for other components to reload the CAs.
- PathLocalSSLRootCerts = pathLocalSSLCerts + "/ROOTcerts.crt"
-
 pathLocalSSLCerts = "/var/lib/ca-certificates-local"
 pathUpdateLocalCaCertificates = "/var/lib/ssl/update-local-ca-certificates.sh"
 )
@@ -72,7 +69,7 @@ func (component) Config(ctx components.Context) ([]extensionsv1alpha1.Unit, []ex
 updateLocalCaCertificatesScriptFile,
 // This file contains Gardener CAs for Debian based OS
 {
- Path: PathLocalSSLRootCerts,
+ Path: pathLocalSSLCerts + "/ROOTcerts.crt",
 Permissions: ptr.To[uint32](0644),
 Content: extensionsv1alpha1.FileContent{
 Inline: &extensionsv1alpha1.FileContentInline{
@@ -103,9 +100,10 @@ Description=Update local certificate authorities
 DefaultDependencies=no
 Wants=systemd-tmpfiles-setup.service clean-ca-certificates.service
 After=systemd-tmpfiles-setup.service clean-ca-certificates.service
-Before=sysinit.target ` + v1beta1constants.OperatingSystemConfigUnitNameKubeletService + `
+Before=sysinit.target ` + kubelet.UnitName + `
 ConditionPathIsReadWrite=` + pathEtcSSLCerts + `
 ConditionPathIsReadWrite=` + pathLocalSSLCerts + `
+ConditionPathExists=!` + kubelet.PathKubeconfigReal + `
 [Service]
 Type=oneshot
 ExecStart=` + pathUpdateLocalCaCertificates + `
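Review bot: `PathLocalSSLRootCerts` was an exported constant whose own doc comment advertised it as a reload trigger for other components, so deleting it is an API break for any out-of-tree extension that referenced it. If that break is accepted, the path still deserves a name, because the second hunk of this file now spells it out inline as `pathLocalSSLCerts + "/ROOTcerts.crt"` and the test asserts the same literal; keeping `pathLocalSSLRootCerts = pathLocalSSLCerts + "/ROOTcerts.crt"` as an unexported constant in this block defines the file path once. The reversed dependency (rootcertificates now imports kubelet while kubelet stops importing rootcertificates) is cycle-free as far as the visible hunks show.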
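Review bot: The added ConditionPathExists line negating `kubelet.PathKubeconfigReal` makes the CA-update unit skip once the kubelet has obtained its real kubeconfig, so the unit effectively runs only until bootstrap has completed; after that, a rotated Gardener CA written to the ROOTcerts.crt file under `pathLocalSSLCerts` is no longer merged into `pathEtcSSLCerts` by this unit. Nothing in the hunk records why the condition exists or which component (presumably the node agent) applies CA updates afterwards, and the test hunk only pins the rendered string. Add a comment above the unit content such as `// Run only before the kubelet has bootstrapped (kubeconfig-real absent); later CA updates are applied by <component> — TODO confirm`, and consider a test that covers that post-bootstrap path as well. Config's body starts and ends outside this hunk.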
diff --git a/pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/component_test.go b/pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/component_test.go
index 63e60b32982..09c24e4c849 100644
--- a/pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/component_test.go
+++ b/pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/component_test.go
@@ -57,6 +57,7 @@ After=systemd-tmpfiles-setup.service clean-ca-certificates.service
 Before=sysinit.target kubelet.service
 ConditionPathIsReadWrite=/etc/ssl/certs
 ConditionPathIsReadWrite=/var/lib/ca-certificates-local
+ConditionPathExists=!/var/lib/kubelet/kubeconfig-real
 [Service]
 Type=oneshot
 ExecStart=/var/lib/ssl/update-local-ca-certificates.sh
diff --git a/skaffold-operator.yaml b/skaffold-operator.yaml
index cbdc37963bf..2d65a7f61da 100644
--- a/skaffold-operator.yaml
+++ b/skaffold-operator.yaml
@@ -110,8 +110,6 @@ build:
 - pkg/component/extensions/operatingsystemconfig/original/components/containerd/templates/scripts/health-monitor.tpl.sh
 - pkg/component/extensions/operatingsystemconfig/original/components/containerd/templates/scripts/init.sh
 - pkg/component/extensions/operatingsystemconfig/original/components/kubelet
- - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates
- - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/templates/scripts/update-local-ca-certificates.tpl.sh
 - pkg/component/extensions/operatingsystemconfig/utils
 - pkg/component/garden/system/runtime
 - pkg/component/garden/system/virtual
@@ -1069,8 +1067,6 @@ build:
 - pkg/component/extensions/operatingsystemconfig/original/components/containerd/templates/scripts/init.sh
 - pkg/component/extensions/operatingsystemconfig/original/components/kubelet
 - pkg/component/extensions/operatingsystemconfig/original/components/nodeagent
- - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates
- - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/templates/scripts/update-local-ca-certificates.tpl.sh
 - pkg/component/extensions/operatingsystemconfig/original/components/valitail
 - pkg/component/extensions/operatingsystemconfig/original/components/valitail/templates/valitail-config.tpl.yaml
 - pkg/component/extensions/operatingsystemconfig/utils
diff --git a/skaffold.yaml b/skaffold.yaml
index d8f1e8aba05..60bc70e710f 100644
--- a/skaffold.yaml
+++ b/skaffold.yaml
@@ -709,8 +709,6 @@ build:
 - pkg/component/extensions/operatingsystemconfig/original/components/containerd/templates/scripts/init.sh
 - pkg/component/extensions/operatingsystemconfig/original/components/kubelet
 - pkg/component/extensions/operatingsystemconfig/original/components/nodeagent
- - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates
- - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/templates/scripts/update-local-ca-certificates.tpl.sh
 - pkg/component/extensions/operatingsystemconfig/original/components/valitail
 - pkg/component/extensions/operatingsystemconfig/original/components/valitail/templates/valitail-config.tpl.yaml
 - pkg/component/extensions/operatingsystemconfig/utils
@@ -1482,8 +1480,6 @@ build:
 - pkg/component/extensions/operatingsystemconfig/original/components/containerd/templates/scripts/init.sh
 - pkg/component/extensions/operatingsystemconfig/original/components/kubelet
 - pkg/component/extensions/operatingsystemconfig/original/components/nodeagent
- - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates
- - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/templates/scripts/update-local-ca-certificates.tpl.sh
 - pkg/component/extensions/operatingsystemconfig/original/components/valitail
 - pkg/component/extensions/operatingsystemconfig/original/components/valitail/templates/valitail-config.tpl.yaml
 - pkg/component/extensions/operatingsystemconfig/utils