From 4cf37a20ad316142785e7fe94122072a7d42cf0d Mon Sep 17 00:00:00 2001
From: Jack Francis
Date: Mon, 28 Sep 2020 13:33:55 -0700
Subject: [PATCH 1/3] chore: create azure.json via CSE
---
 parts/k8s/cloud-init/artifacts/cse_config.sh | 3 +++
 parts/k8s/cloud-init/nodecustomdata.yml | 8 --------
 pkg/engine/templates_generated.go | 11 +++--------
 3 files changed, 6 insertions(+), 16 deletions(-)
diff --git a/parts/k8s/cloud-init/artifacts/cse_config.sh b/parts/k8s/cloud-init/artifacts/cse_config.sh
index 0a8c1fe956..d7903d08e7 100755
--- a/parts/k8s/cloud-init/artifacts/cse_config.sh
+++ b/parts/k8s/cloud-init/artifacts/cse_config.sh
@@ -147,6 +147,9 @@ configureKubeletServerCert() {
 }
 configureK8s() {
 local client_key="/etc/kubernetes/certs/client.key" apiserver_crt="/etc/kubernetes/certs/apiserver.crt" azure_json="/etc/kubernetes/azure.json"
+ touch $azure_json
+ chmod 0600 $azure_json
+ chown root:root $azure_json
 touch "${client_key}"
 chmod 0600 "${client_key}"
 chown root:root "${client_key}"
diff --git a/parts/k8s/cloud-init/nodecustomdata.yml b/parts/k8s/cloud-init/nodecustomdata.yml
index 98bb6a935e..34425ca1a8 100644
--- a/parts/k8s/cloud-init/nodecustomdata.yml
+++ b/parts/k8s/cloud-init/nodecustomdata.yml
@@ -1,14 +1,6 @@
 #cloud-config
 write_files:
-{{- if .RequiresCloudproviderConfig}}
-- path: /etc/kubernetes/azure.json
- permissions: "0600"
- owner: root
- content: |
- #EOF
-{{end}}
-
 - path: {{GetCSEHelpersScriptFilepath}}
 permissions: "0744"
 encoding: gzip
diff --git a/pkg/engine/templates_generated.go b/pkg/engine/templates_generated.go
index 16548ac7d6..7edaef2cec 100644
--- a/pkg/engine/templates_generated.go
+++ b/pkg/engine/templates_generated.go
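Review bot: The three lines added in the `@@ -147,6 +147,9 @@` hunk of cse_config.sh expand `$azure_json` unquoted, while the context lines directly below them quote `"${client_key}"`; they would read `touch "${azure_json}"`, `chmod 0600 "${azure_json}"` and `chown root:root "${azure_json}"`. `touch` also creates the file with the process umask, so it is briefly more permissive than 0600 until `chmod` runs; setting a restrictive umask around the `touch` would close that window for a file that presumably ends up holding cloud-provider credentials. The same three lines reappear unchanged in the `@@ -171,6 +168,9 @@` hunk of PATCH 3/3, where this applies as well. configureK8s continues outside the hunk, so the place where the file's content is written is not visible here.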
@@ -18470,6 +18470,9 @@ configureKubeletServerCert() { } configureK8s() { local client_key="/etc/kubernetes/certs/client.key" apiserver_crt="/etc/kubernetes/certs/apiserver.crt" azure_json="/etc/kubernetes/azure.json" + touch $azure_json + chmod 0600 $azure_json + chown root:root $azure_json touch "${client_key}" chmod 0600 "${client_key}" chown root:root "${client_key}"
@@ -22017,14 +22020,6 @@ func k8sCloudInitMasternodecustomdataYml() (*asset, error) { var _k8sCloudInitNodecustomdataYml = []byte(`#cloud-config write_files: -{{- if .RequiresCloudproviderConfig}} -- path: /etc/kubernetes/azure.json - permissions: "0600" - owner: root - content: | - #EOF -{{end}} - - path: {{GetCSEHelpersScriptFilepath}} permissions: "0744" encoding: gzip
From ff898552f32583023dc6bc023f11e1173774746c Mon Sep 17 00:00:00 2001
From: Jack Francis
Date: Mon, 28 Sep 2020 14:02:06 -0700
Subject: [PATCH 2/3] need the cloud-init foo after all
---
 parts/k8s/cloud-init/artifacts/cse_config.sh | 4 ++--
 parts/k8s/cloud-init/nodecustomdata.yml | 8 ++++++++
 pkg/engine/templates_generated.go | 12 ++++++++++--
 3 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/parts/k8s/cloud-init/artifacts/cse_config.sh b/parts/k8s/cloud-init/artifacts/cse_config.sh
index d7903d08e7..f16a0914ee 100755
--- a/parts/k8s/cloud-init/artifacts/cse_config.sh
+++ b/parts/k8s/cloud-init/artifacts/cse_config.sh
@@ -167,8 +167,8 @@ configureK8s() {
 generateAggregatedAPICerts
 fi
 else
- {{- /* If we are a node vm then we only proceed w/ local azure.json configuration if cloud-init has pre-paved that file */}}
- wait_for_file 1 1 $azure_json || return
+ {{- /* If we are a node that does not need azure.json (cloud-init tells us), then return immediately */}}
+ wait_for_file 1 1 /opt/azure/needs_azure.json || return
 fi
 {{/* Perform the required JSON escaping */}}
diff --git a/parts/k8s/cloud-init/nodecustomdata.yml b/parts/k8s/cloud-init/nodecustomdata.yml
index 34425ca1a8..3240167945 100644
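Review bot: In the `@@ -167,8 +167,8 @@` hunk of cse_config.sh the marker path `/opt/azure/needs_azure.json` is a bare literal, although configureK8s keeps its other paths in locals (`azure_json`, `client_key`) and the same path is repeated in nodecustomdata.yml. A local such as `needs_azure_json="/opt/azure/needs_azure.json"` used as `wait_for_file 1 1 "${needs_azure_json}" || return` would keep the two in step. The bare `return` also passes on wait_for_file's non-zero status, so a node that simply does not need azure.json leaves configureK8s with a failure status; if that is not intended, `|| return 0` states it. How callers treat that status is outside this hunk.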
--- a/parts/k8s/cloud-init/nodecustomdata.yml
+++ b/parts/k8s/cloud-init/nodecustomdata.yml
@@ -1,6 +1,14 @@
 #cloud-config
 write_files:
+{{- if .RequiresCloudproviderConfig}}
+- path: /opt/azure/needs_azure.json
+ permissions: "0644"
+ owner: root
+ content: |
+ #EOF
+{{end}}
+
 - path: {{GetCSEHelpersScriptFilepath}}
 permissions: "0744"
 encoding: gzip
diff --git a/pkg/engine/templates_generated.go b/pkg/engine/templates_generated.go
index 7edaef2cec..8a4ddf75cb 100644
--- a/pkg/engine/templates_generated.go
+++ b/pkg/engine/templates_generated.go
@@ -18490,8 +18490,8 @@ configureK8s() { generateAggregatedAPICerts fi else - {{- /* If we are a node vm then we only proceed w/ local azure.json configuration if cloud-init has pre-paved that file */}} - wait_for_file 1 1 $azure_json || return + {{- /* If we are a node that does not need azure.json (cloud-init tells us), then return immediately */}} + wait_for_file 1 1 /opt/azure/needs_azure.json || return fi {{/* Perform the required JSON escaping */}}
@@ -22020,6 +22020,14 @@ func k8sCloudInitMasternodecustomdataYml() (*asset, error) { var _k8sCloudInitNodecustomdataYml = []byte(`#cloud-config write_files: +{{- if .RequiresCloudproviderConfig}} +- path: /opt/azure/needs_azure.json + permissions: "0644" + owner: root + content: | + #EOF +{{end}} + - path: {{GetCSEHelpersScriptFilepath}} permissions: "0744" encoding: gzip
From cbdca0fb4c70beeb2c75e32cef8b638cb4107036 Mon Sep 17 00:00:00 2001
From: Jack Francis
Date: Mon, 28 Sep 2020 14:04:51 -0700
Subject: [PATCH 3/3] only create azure.json if necessary
---
 parts/k8s/cloud-init/artifacts/cse_config.sh | 6 +++---
 pkg/engine/templates_generated.go | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/parts/k8s/cloud-init/artifacts/cse_config.sh b/parts/k8s/cloud-init/artifacts/cse_config.sh
index f16a0914ee..7ea59fa500 100755
--- a/parts/k8s/cloud-init/artifacts/cse_config.sh
+++ b/parts/k8s/cloud-init/artifacts/cse_config.sh
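Review bot: The `write_files` entry added in the `@@ -1,6 +1,14 @@` hunk of nodecustomdata.yml carries no comment saying that `/opt/azure/needs_azure.json` is only a presence marker. Its content is `#EOF` rather than JSON, and the cse_config.sh change in the same commit only hands the path to `wait_for_file`. A template comment above the entry, for example `{{- /* presence marker checked by configureK8s in cse_config.sh before it sets up azure.json */}}`, would make that clear. A file name without the `.json` suffix would also avoid suggesting that the file is parsed.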
@@ -147,9 +147,6 @@ configureKubeletServerCert() {
 }
 configureK8s() {
 local client_key="/etc/kubernetes/certs/client.key" apiserver_crt="/etc/kubernetes/certs/apiserver.crt" azure_json="/etc/kubernetes/azure.json"
- touch $azure_json
- chmod 0600 $azure_json
- chown root:root $azure_json
 touch "${client_key}"
 chmod 0600 "${client_key}"
 chown root:root "${client_key}"
@@ -171,6 +168,9 @@ configureK8s() {
 wait_for_file 1 1 /opt/azure/needs_azure.json || return
 fi
+ touch $azure_json
+ chmod 0600 $azure_json
+ chown root:root $azure_json
 {{/* Perform the required JSON escaping */}}
 local sp_secret=${SERVICE_PRINCIPAL_CLIENT_SECRET//\\/\\\\}
 sp_secret=${SERVICE_PRINCIPAL_CLIENT_SECRET//\"/\\\"}
diff --git a/pkg/engine/templates_generated.go b/pkg/engine/templates_generated.go
index 8a4ddf75cb..a2a9be4182 100644
--- a/pkg/engine/templates_generated.go
+++ b/pkg/engine/templates_generated.go
@@ -18470,9 +18470,6 @@ configureKubeletServerCert() { } configureK8s() { local client_key="/etc/kubernetes/certs/client.key" apiserver_crt="/etc/kubernetes/certs/apiserver.crt" azure_json="/etc/kubernetes/azure.json" - touch $azure_json - chmod 0600 $azure_json - chown root:root $azure_json touch "${client_key}" chmod 0600 "${client_key}" chown root:root "${client_key}"
@@ -18494,6 +18491,9 @@ configureK8s() { wait_for_file 1 1 /opt/azure/needs_azure.json || return fi + touch $azure_json + chmod 0600 $azure_json + chown root:root $azure_json {{/* Perform the required JSON escaping */}} local sp_secret=${SERVICE_PRINCIPAL_CLIENT_SECRET//\\/\\\\} sp_secret=${SERVICE_PRINCIPAL_CLIENT_SECRET//\"/\\\"}
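Review bot: In the trailing context of the `@@ -171,6 +168,9 @@` hunk of cse_config.sh, the second assignment `sp_secret=${SERVICE_PRINCIPAL_CLIENT_SECRET//\"/\\\"}` expands the original variable again instead of `sp_secret`. The backslash escaping done by the `local sp_secret=…` line just above is therefore overwritten, and only double quotes end up escaped. A secret containing a backslash would then presumably reach the JSON this function builds unescaped; `sp_secret=${sp_secret//\"/\\\"}` chains the two substitutions. These lines are unchanged context and the rest of configureK8s lies outside the hunk, so how `sp_secret` is used should be confirmed there.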