Workaround: Gardener Node Agent deletes containerd drop-in

pkg/component/extensions/operatingsystemconfig/original/components/containerd/component.go

@@ -16,7 +16,6 @@ import (
 	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 	"github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components"
 	"github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components/containerd/logrotate"
-	"github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates"
 	"github.com/gardener/gardener/pkg/utils"
 )
 
@@ -86,12 +85,6 @@ func (containerd) Config(_ components.Context) ([]extensionsv1alpha1.Unit, []ext
 		},
 	}
 
-	// Unit without content to trigger restart of containerd.service when CAs change.
-	containerdUnit := extensionsv1alpha1.Unit{
-		Name:      UnitName,
-		FilePaths: []string{rootcertificates.PathLocalSSLRootCerts},
-	}
-
 	monitorUnit := extensionsv1alpha1.Unit{
 		Name:    UnitNameMonitor,
 		Command: ptr.To(extensionsv1alpha1.CommandStart),
@@ -108,5 +101,5 @@ ExecStart=` + pathHealthMonitor),
 		FilePaths: []string{monitorFile.Path},
 	}
 
-	return append(logRotateUnits, containerdUnit, monitorUnit), append(logRotateFiles, monitorFile), nil
+	return append(logRotateUnits, monitorUnit), append(logRotateFiles, monitorFile), nil
 }

pkg/component/extensions/operatingsystemconfig/original/components/containerd/component_test.go

@@ -28,11 +28,6 @@ var _ = Describe("Component", func() {
 
 			Expect(err).NotTo(HaveOccurred())
 
-			containerdUnit := extensionsv1alpha1.Unit{
-				Name:      "containerd.service",
-				FilePaths: []string{"/var/lib/ca-certificates-local/ROOTcerts.crt"},
-			}
-
 			monitorUnit := extensionsv1alpha1.Unit{
 				Name:    "containerd-monitor.service",
 				Command: ptr.To(extensionsv1alpha1.CommandStart),
@@ -96,7 +91,7 @@ WantedBy=multi-user.target`),
 				},
 			}
 
-			Expect(units).To(ConsistOf(containerdUnit, monitorUnit, logrotateUnit, logrotateTimerUnit))
+			Expect(units).To(ConsistOf(monitorUnit, logrotateUnit, logrotateTimerUnit))
 			Expect(files).To(ConsistOf(monitorFile, logrotateConfigFile))
 		})
 	})

pkg/component/extensions/operatingsystemconfig/original/components/kubelet/component.go

@@ -20,7 +20,6 @@ import (
 	extensionsv1alpha1helper "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1/helper"
 	"github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components"
 	"github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components/containerd"
-	"github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates"
 	oscutils "github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/utils"
 	"github.com/gardener/gardener/pkg/utils"
 )
@@ -113,7 +112,7 @@ EnvironmentFile=/etc/environment
 EnvironmentFile=-/var/lib/kubelet/extra_args
 ExecStart=` + v1beta1constants.OperatingSystemConfigFilePathBinaries + `/kubelet \
     ` + utils.Indent(strings.Join(cliFlags, " \\\n"), 4) + ` $KUBELET_EXTRA_ARGS`),
-		FilePaths: append(extensionsv1alpha1helper.FilePathsFrom(kubeletFiles), rootcertificates.PathLocalSSLRootCerts),
+		FilePaths: extensionsv1alpha1helper.FilePathsFrom(kubeletFiles),
 	}
 
 	return []extensionsv1alpha1.Unit{kubeletUnit}, kubeletFiles, nil

pkg/component/extensions/operatingsystemconfig/original/components/kubelet/component_test.go

@@ -239,9 +239,11 @@ EnvironmentFile=/etc/environment
 EnvironmentFile=-/var/lib/kubelet/extra_args` + kubeletStartPre + `
 ExecStart=/opt/bin/kubelet \
     ` + utils.Indent(strings.Join(cliFlags, " \\\n"), 4) + ` $KUBELET_EXTRA_ARGS`),
-		FilePaths: []string{"/var/lib/kubelet/ca.crt", "/var/lib/kubelet/config/kubelet", "/opt/bin/kubelet", "/var/lib/ca-certificates-local/ROOTcerts.crt"},
+		FilePaths: []string{"/var/lib/kubelet/ca.crt", "/var/lib/kubelet/config/kubelet"},
 	}
 
+	unit.FilePaths = append(unit.FilePaths, "/opt/bin/kubelet")
+
 	return unit
 }
 

pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/component.go

@@ -13,17 +13,14 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/utils/ptr"
 
-	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 	extensionsv1alpha1helper "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1/helper"
 	"github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components"
+	"github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig/original/components/kubelet"
 	"github.com/gardener/gardener/pkg/utils"
 )
 
 const (
-	// PathLocalSSLRootCerts is the path to the Gardener CAs. It can be used as trigger for other components to reload the CAs.
-	PathLocalSSLRootCerts = pathLocalSSLCerts + "/ROOTcerts.crt"
-
 	pathLocalSSLCerts             = "/var/lib/ca-certificates-local"
 	pathUpdateLocalCaCertificates = "/var/lib/ssl/update-local-ca-certificates.sh"
 )
@@ -72,7 +69,7 @@ func (component) Config(ctx components.Context) ([]extensionsv1alpha1.Unit, []ex
 		updateLocalCaCertificatesScriptFile,
 		// This file contains Gardener CAs for Debian based OS
 		{
-			Path:        PathLocalSSLRootCerts,
+			Path:        pathLocalSSLCerts + "/ROOTcerts.crt",
 			Permissions: ptr.To[uint32](0644),
 			Content: extensionsv1alpha1.FileContent{
 				Inline: &extensionsv1alpha1.FileContentInline{
@@ -103,9 +100,10 @@ Description=Update local certificate authorities
 DefaultDependencies=no
 Wants=systemd-tmpfiles-setup.service clean-ca-certificates.service
 After=systemd-tmpfiles-setup.service clean-ca-certificates.service
-Before=sysinit.target ` + v1beta1constants.OperatingSystemConfigUnitNameKubeletService + `
+Before=sysinit.target ` + kubelet.UnitName + `
 ConditionPathIsReadWrite=` + pathEtcSSLCerts + `
 ConditionPathIsReadWrite=` + pathLocalSSLCerts + `
+ConditionPathExists=!` + kubelet.PathKubeconfigReal + `
 [Service]
 Type=oneshot
 ExecStart=` + pathUpdateLocalCaCertificates + `

pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/component_test.go

@@ -57,6 +57,7 @@ After=systemd-tmpfiles-setup.service clean-ca-certificates.service
 Before=sysinit.target kubelet.service
 ConditionPathIsReadWrite=/etc/ssl/certs
 ConditionPathIsReadWrite=/var/lib/ca-certificates-local
+ConditionPathExists=!/var/lib/kubelet/kubeconfig-real
 [Service]
 Type=oneshot
 ExecStart=/var/lib/ssl/update-local-ca-certificates.sh

skaffold-operator.yaml

@@ -110,8 +110,6 @@ build:
             - pkg/component/extensions/operatingsystemconfig/original/components/containerd/templates/scripts/health-monitor.tpl.sh
             - pkg/component/extensions/operatingsystemconfig/original/components/containerd/templates/scripts/init.sh
             - pkg/component/extensions/operatingsystemconfig/original/components/kubelet
-            - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates
-            - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/templates/scripts/update-local-ca-certificates.tpl.sh
             - pkg/component/extensions/operatingsystemconfig/utils
             - pkg/component/garden/system/runtime
             - pkg/component/garden/system/virtual
@@ -1069,8 +1067,6 @@ build:
             - pkg/component/extensions/operatingsystemconfig/original/components/containerd/templates/scripts/init.sh
             - pkg/component/extensions/operatingsystemconfig/original/components/kubelet
             - pkg/component/extensions/operatingsystemconfig/original/components/nodeagent
-            - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates
-            - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/templates/scripts/update-local-ca-certificates.tpl.sh
             - pkg/component/extensions/operatingsystemconfig/original/components/valitail
             - pkg/component/extensions/operatingsystemconfig/original/components/valitail/templates/valitail-config.tpl.yaml
             - pkg/component/extensions/operatingsystemconfig/utils

skaffold.yaml

@@ -709,8 +709,6 @@ build:
             - pkg/component/extensions/operatingsystemconfig/original/components/containerd/templates/scripts/init.sh
             - pkg/component/extensions/operatingsystemconfig/original/components/kubelet
             - pkg/component/extensions/operatingsystemconfig/original/components/nodeagent
-            - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates
-            - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/templates/scripts/update-local-ca-certificates.tpl.sh
             - pkg/component/extensions/operatingsystemconfig/original/components/valitail
             - pkg/component/extensions/operatingsystemconfig/original/components/valitail/templates/valitail-config.tpl.yaml
             - pkg/component/extensions/operatingsystemconfig/utils
@@ -1482,8 +1480,6 @@ build:
             - pkg/component/extensions/operatingsystemconfig/original/components/containerd/templates/scripts/init.sh
             - pkg/component/extensions/operatingsystemconfig/original/components/kubelet
             - pkg/component/extensions/operatingsystemconfig/original/components/nodeagent
-            - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates
-            - pkg/component/extensions/operatingsystemconfig/original/components/rootcertificates/templates/scripts/update-local-ca-certificates.tpl.sh
             - pkg/component/extensions/operatingsystemconfig/original/components/valitail
             - pkg/component/extensions/operatingsystemconfig/original/components/valitail/templates/valitail-config.tpl.yaml
             - pkg/component/extensions/operatingsystemconfig/utils