From 83912d7c27813d472d75e6de4f5be503e3696153 Mon Sep 17 00:00:00 2001
From: Zeliang Tian
Date: Tue, 7 Mar 2023 14:20:26 +0800
Subject: [PATCH 1/3] fix bug: update operation doesn't respect sslSecret parameter
---
 src/k8s-extension/HISTORY.rst | 4 ++++
 .../partner_extensions/AzureMLKubernetes.py | 8 ++++++++
 2 files changed, 12 insertions(+)
diff --git a/src/k8s-extension/HISTORY.rst b/src/k8s-extension/HISTORY.rst
index 20019ce969b..5cad0ca00f8 100644
--- a/src/k8s-extension/HISTORY.rst
+++ b/src/k8s-extension/HISTORY.rst
@@ -3,6 +3,10 @@ Release History
 ===============
+1.4.1
+++++++++++++++++++
+* microsoft.azureml.kubernetes: Fix sslSecret parameter in update operation
+
 1.4.0
 ++++++++++++++++++
 * microsoft.dapr: Update version comparison logic to use semver based comparison
diff --git a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
index e0e88de3851..29e435610e8 100644
--- a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
+++ b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
@@ -408,6 +408,14 @@ def __normalize_config(self, configuration_settings, configuration_protected_set
 logger.warning(
 'Internal load balancer only supported on AKS and AKS Engine Clusters.')
+ fe_ssl_cert_file = configuration_protected_settings.get(self.sslCertPemFile)
+ fe_ssl_key_file = configuration_protected_settings.get(self.sslKeyPemFile)
+ fe_ssl_secret = _get_value_from_config_protected_config(
+ self.SSL_SECRET, configuration_settings, configuration_protected_settings)
+ # use secret if key/cert file is not provided
+ if fe_ssl_secret and (not fe_ssl_cert_file or not fe_ssl_key_file):
+ self.__set_inference_ssl_from_secret(configuration_settings, fe_ssl_secret)
+
 def __validate_config(self, configuration_settings, configuration_protected_settings, release_namespace):
 # perform basic validation of the input config
 config_keys = configuration_settings.keys()
From 2bdeb56e3dad703a145fe1ac0dfeaa2483bb9f86 Mon Sep 17 00:00:00 2001
From: Zeliang Tian
Date: Tue, 7 Mar 2023 14:33:24 +0800
Subject: [PATCH 2/3] fix bug: update operation doesn't respect sslSecret parameter
---
 .../partner_extensions/AzureMLKubernetes.py | 27 ++++++++-----------
 1 file changed, 11 insertions(+), 16 deletions(-)
diff --git a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
index 29e435610e8..d953cc4bd19 100644
--- a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
+++ b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py
@@ -366,14 +366,17 @@ def Update(self, cmd, resource_group_name, cluster_name, auto_upgrade_minor_vers
 configuration_protected_settings = _dereference(self.reference_mapping, configuration_protected_settings)
- if self.sslKeyPemFile in configuration_protected_settings and \
- self.sslCertPemFile in configuration_protected_settings:
- logger.info(f"Both {self.sslKeyPemFile} and {self.sslCertPemFile} are set, update ssl key.")
- fe_ssl_cert_file = configuration_protected_settings.get(self.sslCertPemFile)
- fe_ssl_key_file = configuration_protected_settings.get(self.sslKeyPemFile)
-
- if fe_ssl_cert_file and fe_ssl_key_file:
- self.__set_inference_ssl_from_file(configuration_protected_settings, fe_ssl_cert_file, fe_ssl_key_file)
+ fe_ssl_secret = _get_value_from_config_protected_config(
+ self.SSL_SECRET, configuration_settings, configuration_protected_settings)
+ fe_ssl_cert_file = configuration_protected_settings.get(self.sslCertPemFile)
+ fe_ssl_key_file = configuration_protected_settings.get(self.sslKeyPemFile)
+ # always take ssl key/cert first, then secret if key/cert file is not provided
+ if fe_ssl_cert_file and fe_ssl_key_file:
+ logger.info(f"Both {self.sslKeyPemFile} and {self.sslCertPemFile} are set, update ssl key.")
+ self.__set_inference_ssl_from_file(configuration_protected_settings, fe_ssl_cert_file, fe_ssl_key_file)
+ elif fe_ssl_secret:
+ logger.info(f"{self.SSL_SECRET} is set, update ssl secret.")
+ self.__set_inference_ssl_from_secret(configuration_settings, fe_ssl_secret)
 # if no entries are existed in configuration_protected_settings, configuration_settings, return whatever passed
 # in the Update function(empty dict or None).
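Review bot: The new `if fe_ssl_cert_file and fe_ssl_key_file: … elif fe_ssl_secret:` chain gives no signal when only one of `self.sslKeyPemFile` / `self.sslCertPemFile` is supplied: the update then either falls through to the secret or, as far as this hunk shows, leaves the TLS settings untouched, so an operator rotating a certificate can believe it was applied when it was not. A guard ahead of the chain would make that visible, e.g. `if bool(fe_ssl_cert_file) != bool(fe_ssl_key_file): logger.warning("Only one of %s and %s is set; the key/cert pair is ignored.", self.sslKeyPemFile, self.sslCertPemFile)`. It is also worth logging when both the file pair and `self.SSL_SECRET` are given that the secret is skipped, since the precedence stated in the comment is otherwise invisible at runtime. `Update` starts and ends outside this hunk, so whether a later step rejects a half-set pair cannot be seen here.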
@@ -408,14 +411,6 @@ def __normalize_config(self, configuration_settings, configuration_protected_set logger.warning( 'Internal load balancer only supported on AKS and AKS Engine Clusters.') - fe_ssl_cert_file = configuration_protected_settings.get(self.sslCertPemFile) - fe_ssl_key_file = configuration_protected_settings.get(self.sslKeyPemFile) - fe_ssl_secret = _get_value_from_config_protected_config( - self.SSL_SECRET, configuration_settings, configuration_protected_settings) - # use secret if key/cert file is not provided - if fe_ssl_secret and (not fe_ssl_cert_file or not fe_ssl_key_file): - self.__set_inference_ssl_from_secret(configuration_settings, fe_ssl_secret) - def __validate_config(self, configuration_settings, configuration_protected_settings, release_namespace): # perform basic validation of the input config config_keys = configuration_settings.keys() From 936c48bd07f46e84254b37148b2e502baf3986d0 Mon Sep 17 00:00:00 2001 From: Zeliang Tian Date: Thu, 16 Mar 2023 17:34:46 +0800 Subject: [PATCH 3/3] fix typo --- .../partner_extensions/AzureMLKubernetes.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py index d953cc4bd19..acd60254d91 100644 --- a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py +++ b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py 
@@ -372,10 +372,10 @@ def Update(self, cmd, resource_group_name, cluster_name, auto_upgrade_minor_vers
 fe_ssl_key_file = configuration_protected_settings.get(self.sslKeyPemFile)
 # always take ssl key/cert first, then secret if key/cert file is not provided
 if fe_ssl_cert_file and fe_ssl_key_file:
- logger.info(f"Both {self.sslKeyPemFile} and {self.sslCertPemFile} are set, update ssl key.")
+ logger.info(f"Both {self.sslKeyPemFile} and {self.sslCertPemFile} are set, updating ssl key.")
 self.__set_inference_ssl_from_file(configuration_protected_settings, fe_ssl_cert_file, fe_ssl_key_file)
 elif fe_ssl_secret:
- logger.info(f"{self.SSL_SECRET} is set, update ssl secret.")
+ logger.info(f"{self.SSL_SECRET} is set, updating ssl secret.")
 self.__set_inference_ssl_from_secret(configuration_settings, fe_ssl_secret)
 # if no entries are existed in configuration_protected_settings, configuration_settings, return whatever passed