refactor: updated STLS bootstrap integration with linux CSE

parts/linux/cloud-init/artifacts/cse_cmd.sh

@@ -118,7 +118,7 @@ NO_PROXY_URLS="{{GetNoProxy}}"
 PROXY_VARS="{{GetProxyVariables}}"
 ENABLE_TLS_BOOTSTRAPPING="{{EnableTLSBootstrapping}}"
 ENABLE_SECURE_TLS_BOOTSTRAPPING="{{EnableSecureTLSBootstrapping}}"
-CUSTOM_SECURE_TLS_BOOTSTRAP_AAD_SERVER_APP_ID="{{GetCustomSecureTLSBootstrapAADServerAppID}}"
+CUSTOM_SECURE_TLS_BOOTSTRAP_AAD_RESOURCE="{{GetCustomSecureTLSBootstrapAADResource}}"
 DHCPV6_SERVICE_FILEPATH="{{GetDHCPv6ServiceCSEScriptFilepath}}"
 DHCPV6_CONFIG_FILEPATH="{{GetDHCPv6ConfigCSEScriptFilepath}}"
 THP_ENABLED="{{GetTransparentHugePageEnabled}}"

parts/linux/cloud-init/artifacts/cse_config.sh

@@ -293,6 +293,27 @@ configureCNIIPTables() {
     fi
 }
 
+configureKubeletSecureTLSBootstrap() {
+    # default AAD resource here so we can minimze bootstrap contract surface
+    AAD_RESOURCE="6dae42f8-4368-4678-94ff-3960e28e3630"
+    if [ -n "$CUSTOM_SECURE_TLS_BOOTSTRAP_AAD_RESOURCE" ]; then
+        AAD_RESOURCE="$CUSTOM_SECURE_TLS_BOOTSTRAP_AAD_RESOURCE"
+    fi
+    TIMEOUT_START_SECONDS=270 # 90s (default) + 180s for secure bootstrapping = 4.5 minutes
+
+    SECURE_TLS_BOOTSTRAP_KUBELET_DROP_IN=/etc/systemd/system/kubelet.service.d/10-securetlsbootstrap.conf
+    mkdir -p "$(dirname "${SECURE_TLS_BOOTSTRAP_KUBELET_DROP_IN}")"
+    touch "${SECURE_TLS_BOOTSTRAP_KUBELET_DROP_IN}"
+    chmod 0600 "${SECURE_TLS_BOOTSTRAP_KUBELET_DROP_IN}"
+    cat > "${SECURE_TLS_BOOTSTRAP_KUBELET_DROP_IN}" <<EOF
+[Service]
+TimeoutStartSec=${TIMEOUT_START_SECONDS}
+ExecStartPre=-/opt/azure/tlsbootstrap/secure-tls-bootstrap.sh
+Environment="SECURE_TLS_BOOTSTRAP_AAD_RESOURCE=${AAD_RESOURCE}"
+Environment="API_SERVER_NAME=${API_SERVER_NAME}"
+EOF
+}
+
 disableSystemdResolved() {
     ls -ltr /etc/resolv.conf
     cat /etc/resolv.conf
@@ -402,60 +423,15 @@ ensureKubelet() {
     if [ -n "${AZURE_ENVIRONMENT_FILEPATH}" ]; then
         echo "AZURE_ENVIRONMENT_FILEPATH=${AZURE_ENVIRONMENT_FILEPATH}" >> "${KUBELET_DEFAULT_FILE}"
     fi
-    
+
     KUBE_CA_FILE="/etc/kubernetes/certs/ca.crt"
     mkdir -p "$(dirname "${KUBE_CA_FILE}")"
     echo "${KUBE_CA_CRT}" | base64 -d > "${KUBE_CA_FILE}"
     chmod 0600 "${KUBE_CA_FILE}"
 
-    if [ "${ENABLE_SECURE_TLS_BOOTSTRAPPING}" == "true" ] || [ "${ENABLE_TLS_BOOTSTRAPPING}" == "true" ]; then
-        KUBELET_TLS_DROP_IN="/etc/systemd/system/kubelet.service.d/10-tlsbootstrap.conf"
-        mkdir -p "$(dirname "${KUBELET_TLS_DROP_IN}")"
-        touch "${KUBELET_TLS_DROP_IN}"
-        chmod 0600 "${KUBELET_TLS_DROP_IN}"
-        tee "${KUBELET_TLS_DROP_IN}" > /dev/null <<EOF
-[Service]
-Environment="KUBELET_TLS_BOOTSTRAP_FLAGS=--kubeconfig /var/lib/kubelet/kubeconfig --bootstrap-kubeconfig /var/lib/kubelet/bootstrap-kubeconfig"
-EOF
-    fi
-
-    if [ "${ENABLE_SECURE_TLS_BOOTSTRAPPING}" == "true" ]; then
-        AAD_RESOURCE="6dae42f8-4368-4678-94ff-3960e28e3630"
-        if [ -n "$CUSTOM_SECURE_TLS_BOOTSTRAP_AAD_SERVER_APP_ID" ]; then
-            AAD_RESOURCE=$CUSTOM_SECURE_TLS_BOOTSTRAP_AAD_SERVER_APP_ID
-        fi
-        SECURE_BOOTSTRAP_KUBECONFIG_FILE=/var/lib/kubelet/bootstrap-kubeconfig
-        mkdir -p "$(dirname "${SECURE_BOOTSTRAP_KUBECONFIG_FILE}")"
-        touch "${SECURE_BOOTSTRAP_KUBECONFIG_FILE}"
-        chmod 0644 "${SECURE_BOOTSTRAP_KUBECONFIG_FILE}"
-        tee "${SECURE_BOOTSTRAP_KUBECONFIG_FILE}" > /dev/null <<EOF
-apiVersion: v1
-kind: Config
-clusters:
-- name: localcluster
-  cluster:
-    certificate-authority: /etc/kubernetes/certs/ca.crt
-    server: https://${API_SERVER_NAME}:443
-users:
-- name: kubelet-bootstrap
-  user:
-    exec:
-        apiVersion: client.authentication.k8s.io/v1
-        command: /opt/azure/tlsbootstrap/tls-bootstrap-client
-        args:
-        - bootstrap
-        - --next-proto=aks-tls-bootstrap
-        - --aad-resource=${AAD_RESOURCE}
-        interactiveMode: Never
-        provideClusterInfo: true
-contexts:
-- context:
-    cluster: localcluster
-    user: kubelet-bootstrap
-  name: bootstrap-context
-current-context: bootstrap-context
-EOF
-    elif [ "${ENABLE_TLS_BOOTSTRAPPING}" == "true" ]; then
+    if [ "${ENABLE_TLS_BOOTSTRAPPING}" == "true" ]; then
+        # used in vanilla TLS bootstrapping cases and when secure TLS bootstrapping has failed to generate a kubeconfig
+        # by the time we need to start kubelet
         BOOTSTRAP_KUBECONFIG_FILE=/var/lib/kubelet/bootstrap-kubeconfig
         mkdir -p "$(dirname "${BOOTSTRAP_KUBECONFIG_FILE}")"
         touch "${BOOTSTRAP_KUBECONFIG_FILE}"
@@ -479,7 +455,13 @@ contexts:
   name: bootstrap-context
 current-context: bootstrap-context
 EOF
-    else
+    fi
+
+    if [ "${ENABLE_SECURE_TLS_BOOTSTRAPPING}" == "true" ]; then
+        configureKubeletSecureTLSBootstrap
+    fi
+
+    if [ "${ENABLE_SECURE_TLS_BOOTSTRAPPING}" == "false" ] && [ "${ENABLE_TLS_BOOTSTRAPPING}" == "false" ]; then
         KUBECONFIG_FILE=/var/lib/kubelet/kubeconfig
         mkdir -p "$(dirname "${KUBECONFIG_FILE}")"
         touch "${KUBECONFIG_FILE}"
@@ -528,6 +510,16 @@ EOF
         logs_to_events "AKS.CSE.ensureKubelet.installCredentalProvider" installCredentalProvider
     fi
 
+    if [ "${ENABLE_SECURE_TLS_BOOTSTRAPPING}" == "true" ]; then
+        # we continue with CSE without ensuring the kubelet startup completed
+        # due to user-assigned managed identities not being assigned by RP to agent nodes
+        # until after the initial PUT has been completed, thus we need to ensure to
+        # complete CSE as quickly as possible so secure bootstrapping has a chance to run
+        # in cases where the node is using a kubelet identity
+        systemctlEnableAndStartNoBlock kubelet || exit $ERR_KUBELET_START_FAIL
+        return 0
+    fi
+
     systemctlEnableAndStart kubelet || exit $ERR_KUBELET_START_FAIL
 }
 

parts/linux/cloud-init/artifacts/cse_helpers.sh

@@ -82,7 +82,7 @@ ERR_ARTIFACT_STREAMING_INSTALL=153 # Error installing mirror proxy and overlaybd
 
 ERR_HTTP_PROXY_CA_CONVERT=160 # Error converting http proxy ca cert from pem to crt format
 ERR_UPDATE_CA_CERTS=161 # Error updating ca certs to include user-provided certificates
-ERR_DOWNLOAD_SECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_TIMEOUT=169 # Timeout waiting for secure TLS bootrstrap kubelet exec plugin download
+ERR_DOWNLOAD_SECURE_TLS_BOOTSTRAP_CLIENT_BINARY=169 # Timeout waiting for secure TLS bootrstrap client binary download
 
 ERR_DISBALE_IPTABLES=170 # Error disabling iptables service
 
@@ -231,6 +231,20 @@ systemctl_restart() {
         fi
     done
 }
+systemctl_restart_noblock() {
+    retries=$1; wait_sleep=$2; timeout=$3 svcname=$4
+    for i in $(seq 1 $retries); do
+        timeout $timeout systemctl daemon-reload
+        timeout $timeout systemctl restart $svcname --no-block && break || \
+        if [ $i -eq $retries ]; then
+            return 1
+        else
+            systemctl status $svcname --no-pager -l
+            journalctl -u $svcname
+            sleep $wait_sleep
+        fi
+    done
+}
 systemctl_stop() {
     retries=$1; wait_sleep=$2; timeout=$3 svcname=$4
     for i in $(seq 1 $retries); do
@@ -284,6 +298,20 @@ systemctlEnableAndStart() {
     fi
 }
 
+systemctlEnableAndStartNoBlock() {
+    systemctl_restart_noblock 100 5 30 $1
+    RESTART_STATUS=$?
+    systemctl status $1 --no-pager -l > /var/log/azure/$1-status.log
+    if [ $RESTART_STATUS -ne 0 ]; then
+        echo "$1 could not be started"
+        return 1
+    fi
+    if ! retrycmd_if_failure 120 5 25 systemctl enable --no-block $1; then
+        echo "$1 could not be enabled by systemctl"
+        return 1
+    fi
+}
+
 systemctlDisableAndStop() {
     if systemctl list-units --full --all | grep -q "$1.service"; then
         systemctl_stop 20 5 25 $1 || echo "$1 could not be stopped"

parts/linux/cloud-init/artifacts/cse_install.sh

@@ -12,8 +12,6 @@ RUNC_DOWNLOADS_DIR="/opt/runc/downloads"
 K8S_DOWNLOADS_DIR="/opt/kubernetes/downloads"
 K8S_PRIVATE_PACKAGES_CACHE_DIR="/opt/kubernetes/downloads/private-packages"
 UBUNTU_RELEASE=$(lsb_release -r -s)
-SECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_DOWNLOAD_DIR="/opt/azure/tlsbootstrap"
-SECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_VERSION="v0.1.0-alpha.2"
 TELEPORTD_PLUGIN_DOWNLOAD_DIR="/opt/teleportd/downloads"
 CREDENTIAL_PROVIDER_DOWNLOAD_DIR="/opt/credentialprovider/downloads"
 CREDENTIAL_PROVIDER_BIN_DIR="/var/lib/kubelet/credential-provider"
@@ -22,6 +20,7 @@ CONTAINERD_WASM_VERSIONS="v0.3.0 v0.5.1 v0.8.0"
 MANIFEST_FILEPATH="/opt/azure/manifest.json"
 MAN_DB_AUTO_UPDATE_FLAG_FILEPATH="/var/lib/man-db/auto-update"
 CURL_OUTPUT=/tmp/curl_verbose.out
+SECURE_TLS_BOOTSTRAP_CLIENT_BINARY_VERSION="client-v0.1.0-alpha.4"
 
 removeManDbAutoUpdateFlagFile() {
     rm -f $MAN_DB_AUTO_UPDATE_FLAG_FILEPATH
@@ -92,19 +91,17 @@ installCredentalProvider() {
     rm -rf ${CREDENTIAL_PROVIDER_DOWNLOAD_DIR}
 }
 
-downloadSecureTLSBootstrapKubeletExecPlugin() {
-    local plugin_url="https://k8sreleases.blob.core.windows.net/aks-tls-bootstrap-client/${SECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_VERSION}/linux/amd64/tls-bootstrap-client"
-    if [[ $(isARM64) == 1 ]]; then
-        plugin_url="https://k8sreleases.blob.core.windows.net/aks-tls-bootstrap-client/${SECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_VERSION}/linux/arm64/tls-bootstrap-client"
-    fi
-
-    mkdir -p $SECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_DOWNLOAD_DIR
-    plugin_download_path="${SECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_DOWNLOAD_DIR}/tls-bootstrap-client"
-
-    if [ ! -f "$plugin_download_path" ]; then
-        retrycmd_if_failure 30 5 60 curl -fSL -o "$plugin_download_path" "$plugin_url" || exit $ERR_DOWNLOAD_SECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_TIMEOUT
-        chown -R root:root "$SECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_DOWNLOAD_DIR"
-        chmod -R 755 "$SECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_DOWNLOAD_DIR"
+downloadSecureTLSBootstrapClient() {
+    CPU_ARCH=$(getCPUArch)
+    CLIENT_BINARY_DOWNLOAD_URL="https://kubernetesreleases.blob.core.windows.net/aks-tls-bootstrap-client/${SECURE_TLS_BOOTSTRAP_CLIENT_BINARY_VERSION}/linux/${CPU_ARCH}/tls-bootstrap-client"
+    CLIENT_BINARY_DIR="/opt/azure/tlsbootstrap"
+    CLIENT_BINARY_PATH="${CLIENT_BINARY_DIR}/tls-bootstrap-client"
+
+    mkdir -p $CLIENT_BINARY_DIR
+    if [ ! -f "$CLIENT_BINARY_PATH" ]; then
+        retrycmd_if_failure 30 5 60 curl -fSL -o "$CLIENT_BINARY_PATH" "$CLIENT_BINARY_DOWNLOAD_URL" || exit $ERR_DOWNLOAD_SECURE_TLS_BOOTSTRAP_CLIENT_BINARY
+        chown -R root:root "$CLIENT_BINARY_DIR"
+        chmod -R 755 "$CLIENT_BINARY_DIR"
     fi
 }
 
@@ -486,4 +483,4 @@ datasource:
         apply_network_config: false
 EOF
 }
-#EOF
+#EOF

parts/linux/cloud-init/artifacts/cse_main.sh

@@ -135,7 +135,7 @@ if [ "${IS_KRUSTLET}" == "true" ]; then
 fi
 
 if [ "${ENABLE_SECURE_TLS_BOOTSTRAPPING}" == "true" ]; then
-    logs_to_events "AKS.CSE.downloadSecureTLSBootstrapKubeletExecPlugin" downloadSecureTLSBootstrapKubeletExecPlugin
+    logs_to_events "AKS.CSE.downloadSecureTLSBootstrapClient" downloadSecureTLSBootstrapClient
 fi
 
 # By default, never reboot new nodes.

parts/linux/cloud-init/artifacts/kubelet.service

@@ -1,6 +1,7 @@
 [Unit]
 Description=Kubelet
 ConditionPathExists=/usr/local/bin/kubelet
+ConditionPathExists=/opt/azure/containers/start-kubelet.sh
 Wants=network-online.target containerd.service
 After=network-online.target containerd.service
 
@@ -19,17 +20,7 @@ ExecStartPre=/bin/mount --make-shared /var/lib/kubelet
 ExecStartPre=-/sbin/ebtables -t nat --list
 ExecStartPre=-/sbin/iptables -t nat --numeric --list
 
-ExecStart=/usr/local/bin/kubelet \
-        --enable-server \
-        --node-labels="${KUBELET_NODE_LABELS}" \
-        --v=2 \
-        --volume-plugin-dir=/etc/kubernetes/volumeplugins \
-        $KUBELET_TLS_BOOTSTRAP_FLAGS \
-        $KUBELET_CONFIG_FILE_FLAGS \
-        $KUBELET_CONTAINERD_FLAGS \
-        $KUBELET_CONTAINER_RUNTIME_FLAG \
-        $KUBELET_CGROUP_FLAGS \
-        $KUBELET_FLAGS
+ExecStart=/opt/azure/containers/start-kubelet.sh
 
 [Install]
 WantedBy=multi-user.target

parts/linux/cloud-init/artifacts/secure-tls-bootstrap.sh

@@ -0,0 +1,93 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+EVENTS_LOGGING_DIR="/var/log/azure/Microsoft.Azure.Extensions.CustomScript/events"
+NEXT_PROTO_VALUE="aks-tls-bootstrap"
+
+RETRY_PERIOD_SECONDS=180 # 3 minutes
+RETRY_WAIT_SECONDS=3
+
+AAD_RESOURCE="${SECURE_TLS_BOOTSTRAP_AAD_RESOURCE:-""}"
+API_SERVER_NAME="${API_SERVER_NAME:-""}"
+
+CLIENT_BINARY_PATH="${SECURE_TLS_BOOTSTRAP_CLIENT_BINARY_PATH:-/opt/azure/tlsbootstrap/tls-bootstrap-client}"
+KUBECONFIG_PATH="${SECURE_TLS_BOOTSTRAP_KUBECONFIG_PATH:-/var/lib/kubelet/kubeconfig}"
+CLIENT_CERT_PATH="${SECURE_TLS_BOOTSTRAP_CLIENT_CERT_PATH:-/etc/kubernetes/certs/client.crt}"
+CLIENT_KEY_PATH="${SECURE_TLS_BOOTSTRAP_CLIENT_KEY_PATH:-/etc/kubernetes/certs/client.key}"
+AZURE_CONFIG_PATH="${SECURE_TLS_BOOTSTRAP_ZURE_CONFIG_PATH:-/etc/kubernetes/azure.json}"
+CLUSTER_CA_FILE_PATH="${SECURE_TLS_BOOTSTRAP_CLUSTER_CA_FILE_PATH:-/etc/kubernetes/certs/ca.crt}"
+LOG_FILE_PATH="${SECURE_TLS_BOOTSTRAP_LOG_FILE_PATH:-/var/log/azure/aks/secure-tls-bootstrap.log}"
+
+logs_to_events() {
+    local task=$1; shift
+    local eventsFileName=$(date +%s%3N)
+
+    local startTime=$(date +"%F %T.%3N")
+    ${@}
+    ret=$?
+    local endTime=$(date +"%F %T.%3N")
+
+    msg_string=$(jq -n --arg Status "Succeeded" '{Status: $Status}')
+    if [ "$ret" != "0" ]; then
+        msg_string=$(jq -n --arg Status "Failed" --arg LogTail "$(tail -n 10 $LOG_FILE_PATH)" '{Status: $Status, LogTail: $LogTail}')
+    fi
+
+    json_string=$( jq -n \
+        --arg Timestamp   "${startTime}" \
+        --arg OperationId "${endTime}" \
+        --arg Version     "1.23" \
+        --arg TaskName    "${task}" \
+        --arg EventLevel  "Informational" \
+        --arg Message     "${msg_string}" \
+        --arg EventPid    "0" \
+        --arg EventTid    "0" \
+        '{Timestamp: $Timestamp, OperationId: $OperationId, Version: $Version, TaskName: $TaskName, EventLevel: $EventLevel, Message: $Message, EventPid: $EventPid, EventTid: $EventTid}'
+    )
+    echo ${json_string} > "${EVENTS_LOGGING_DIR}/${eventsFileName}.json"
+
+    if [ "$ret" != "0" ]; then
+      return $ret
+    fi
+}
+
+bootstrap() {
+    if [ -z "$API_SERVER_NAME" ]; then
+        echo "ERROR: missing apiserver FQDN, cannot continue bootstrapping"
+        return 1
+    fi
+    if [ ! -f "$CLIENT_BINARY_PATH" ]; then
+        echo "ERROR: bootstrap client binary does not exist at path $CLIENT_BINARY_PATH"
+        return 1
+    fi
+
+    chmod +x $CLIENT_BINARY_PATH
+
+    deadline=$(($(date +%s) + RETRY_PERIOD_SECONDS))
+    while true; do
+        now=$(date +%s)
+        if [ $((now - deadline)) -ge 0 ]; then
+            echo "ERROR: bootstrapping deadline exceeded"
+            return 1
+        fi
+
+        $CLIENT_BINARY_PATH bootstrap \
+         --aad-resource="$AAD_RESOURCE" \
+         --apiserver-fqdn="$API_SERVER_NAME" \
+         --cluster-ca-file="$CLUSTER_CA_FILE_PATH" \
+         --azure-config="$AZURE_CONFIG_PATH" \
+         --cert-file="$CLIENT_CERT_PATH" \
+         --key-file="$CLIENT_KEY_PATH" \
+         --next-proto="$NEXT_PROTO_VALUE" \
+         --kubeconfig="$KUBECONFIG_PATH" \
+         --log-file="$LOG_FILE_PATH"
+
+        [ $? -eq 0 ] && echo "secure TLS bootstrapping succeeded, generated kubeconfig is at ${KUBECONFIG_PATH}" && break
+
+        sleep $RETRY_WAIT_SECONDS
+    done
+}
+
+logs_to_events "AKS.performSecureTLSBootstrapping" bootstrap || exit $?
+
+#EOF