diff --git a/.github/renovate.json b/.github/renovate.json
index b3c8308141f..c165aca6851 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -146,26 +146,10 @@
 "automerge": false,
 "enabled": true,
 "assignees": [
- "devinwong",
- "cameronmeissner",
- "lilypan26",
- "djsly",
- "zachary-bailey",
- "ganeshkumarashok",
- "mxj220",
- "pdamianov-dev",
- "SriHarsha001"
+ "team:aks-node-lifecycle"
 ],
 "reviewers": [
- "devinwong",
- "cameronmeissner",
- "lilypan26",
- "djsly",
- "zachary-bailey",
- "ganeshkumarashok",
- "mxj220",
- "pdamianov-dev",
- "SriHarsha001"
+ "team:aks-node-lifecycle"
 ]
 },
 {
@@ -456,6 +440,18 @@
 "surajssd"
 ]
 },
+ {
+ "matchPackageNames": [
+ "aks-secure-tls-bootstrap-client"
+ ],
+ "groupName": "aks-secure-tls-bootstrap-client",
+ "assignees": [
+ "team:aks-node-lifecycle"
+ ],
+ "reviewers": [
+ "team:aks-node-lifecycle"
+ ]
+ },
 {
 "matchPackageNames": [
 "datacenter-gpu-manager-4-core",
diff --git a/e2e/config/vhd.go b/e2e/config/vhd.go
index c730cc2b1f9..4ebcfd614b9 100644
--- a/e2e/config/vhd.go
+++ b/e2e/config/vhd.go
@@ -53,6 +53,7 @@ var (
 Distro: datamodel.AKSUbuntuArm64Containerd2204Gen2,
 Gallery: imageGalleryLinux,
 }
+
 VHDUbuntu2204Gen2Containerd = &Image{
 Name: "2204gen2containerd",
 OS: OSUbuntu,
@@ -60,6 +61,7 @@ var (
 Distro: datamodel.AKSUbuntuContainerd2204Gen2,
 Gallery: imageGalleryLinux,
 }
+
 VHDUbuntu2204Gen2TLContainerd = &Image{
 Name: "2204gen2TLcontainerd",
 OS: OSUbuntu,
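Review bot: The new package rule only matches `aks-secure-tls-bootstrap-client`, but the Flatcar entry in components.json tags the sysext with `name=aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext`, so if Renovate derives the package name from that `name=` field the MCR bumps for the sysext will neither be grouped with the apt/rpm bumps nor routed to the team. Extending the rule, e.g. `"matchPackageNames": ["aks-secure-tls-bootstrap-client", "aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext"]`, would keep the Ubuntu, Azure Linux and Flatcar updates in one PR. The `team:` prefix is documented for `reviewers`; whether it also resolves in `assignees` on this forge is worth confirming on the first generated PR, since a silently unassigned PR for a credential-handling component is easy to miss.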
@@ -68,17 +70,16 @@ var (
 Gallery: imageGalleryLinux,
 }
 VHDUbuntu2004FIPSContainerd = &Image{
- Name: "2004fipscontainerd",
- OS: OSUbuntu,
- Arch: "amd64",
- Distro: datamodel.AKSUbuntuFipsContainerd2004,
- Gallery: imageGalleryLinux,
- UnsupportedLocalDns: true,
- // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
- UnsupportedSecureTLSBootstrapping: true,
- UnsupportedGen2: true,
- SkipOldVHDValidations: true,
+ Name: "2004fipscontainerd",
+ OS: OSUbuntu,
+ Arch: "amd64",
+ Distro: datamodel.AKSUbuntuFipsContainerd2004,
+ Gallery: imageGalleryLinux,
+ UnsupportedLocalDns: true,
+ UnsupportedGen2: true,
+ SkipOldVHDValidations: true,
 }
+
 VHDUbuntu2204FIPSContainerd = &Image{
 Name: "2204fipscontainerd",
 OS: OSUbuntu,
@@ -86,10 +87,9 @@ var (
 Distro: datamodel.AKSUbuntuFipsContainerd2204,
 Gallery: imageGalleryLinux,
 UnsupportedLocalDns: true,
- // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
- UnsupportedSecureTLSBootstrapping: true,
- UnsupportedGen2: true,
+ UnsupportedGen2: true,
 }
+
 VHDUbuntu2204Gen2FIPSContainerd = &Image{
 Name: "2204gen2fipscontainerd",
 OS: OSUbuntu,
@@ -97,9 +97,8 @@ var (
 Distro: datamodel.AKSUbuntuFipsContainerd2204Gen2,
 Gallery: imageGalleryLinux,
 UnsupportedLocalDns: true,
- // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
- UnsupportedSecureTLSBootstrapping: true,
 }
+
 VHDUbuntu2204Gen2FIPSTLContainerd = &Image{
 Name: "2204gen2fipsTLcontainerd",
 OS: OSUbuntu,
@@ -107,9 +106,8 @@ var (
 Distro: datamodel.AKSUbuntuFipsContainerd2204TLGen2,
 Gallery: imageGalleryLinux,
 UnsupportedLocalDns: true,
- // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
- UnsupportedSecureTLSBootstrapping: true,
 }
+
 VHDAzureLinuxV2Gen2 = &Image{
 Name: "V2gen2",
 OS: OSAzureLinux,
@@ -119,6 +117,7 @@ var (
 Gallery: imageGalleryLinux,
 SkipOldVHDValidations: true,
 }
+
 VHDAzureLinuxV3Gen2 = &Image{
 Name: "AzureLinuxV3gen2",
 OS: OSAzureLinux,
@@ -126,6 +125,7 @@ var (
 Distro: datamodel.AKSAzureLinuxV3Gen2,
 Gallery: imageGalleryLinux,
 }
+
 VHDAzureLinux3OSGuard = &Image{
 Name: "AzureLinuxOSGuardOSGuardV3gen2fipsTL",
 OS: OSAzureLinux,
@@ -133,9 +133,8 @@ var (
 Distro: datamodel.AKSAzureLinuxV3OSGuardGen2FIPSTL,
 Gallery: imageGalleryLinux,
 UnsupportedLocalDns: true,
- // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
- UnsupportedSecureTLSBootstrapping: true,
 }
+
 VHDAzureLinuxV3Gen2FIPS = &Image{
 Name: "AzureLinuxV3gen2fips",
 OS: OSAzureLinux,
@@ -143,8 +142,6 @@ var (
 Distro: datamodel.AKSAzureLinuxV3Gen2FIPS,
 Gallery: imageGalleryLinux,
 UnsupportedLocalDns: true,
- // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
- UnsupportedSecureTLSBootstrapping: true,
 }
 
 VHDUbuntu2404Gen1Containerd = &Image{
@@ -230,8 +227,6 @@ var (
 Flatcar: true,
 OSDiskSizeGB: 60,
 UnsupportedLocalDns: true,
- // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
- UnsupportedSecureTLSBootstrapping: true,
 }
 
 VHDACLArm64Gen2FIPSTL = &Image{
@@ -243,8 +238,6 @@ var (
 Flatcar: true,
 OSDiskSizeGB: 60,
 UnsupportedLocalDns: true,
- // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
- UnsupportedSecureTLSBootstrapping: true,
 }
 
 VHDWindows2022Containerd = &Image{
@@ -299,7 +292,6 @@ type Image struct {
 Gallery *Gallery
 UnsupportedKubeletNodeIP bool
 UnsupportedLocalDns bool
- UnsupportedSecureTLSBootstrapping bool
 UnsupportedNVMe bool
 UnsupportedGen2 bool
 IgnoreFailedCgroupTelemetryServices bool
diff --git a/e2e/node_config.go b/e2e/node_config.go
index 2f6f38b150b..9a4f7bc78cc 100644
--- a/e2e/node_config.go
+++ b/e2e/node_config.go
@@ -131,7 +131,7 @@ func getBaseNBC(t testing.TB, cluster *Cluster, vhd *config.Image) (*datamodel.N
 // 3. bootstrap token
 nbc.KubeletClientTLSBootstrapToken = &cluster.ClusterParams.BootstrapToken
 nbc.SecureTLSBootstrappingConfig = &datamodel.SecureTLSBootstrappingConfig{
- Enabled: config.Config.EnableSecureTLSBootstrapping && !vhd.UnsupportedSecureTLSBootstrapping,
+ Enabled: config.Config.EnableSecureTLSBootstrapping,
 }
 
 nbc.TenantID = *cluster.Model.Identity.TenantID
diff --git a/parts/common/components.json b/parts/common/components.json
index c226a12455f..e3010b09fe6 100644
--- a/parts/common/components.json
+++ b/parts/common/components.json
@@ -937,18 +937,64 @@
 },
 {
 "name": "aks-secure-tls-bootstrap-client",
- "downloadLocation": "/opt/bin",
+ "downloadLocation": "/opt/aks-secure-tls-bootstrap-client/downloads",
 "windowsDownloadLocation": "c:\\akse-cache\\aks-secure-tls-bootstrap-client\\",
 "downloadURIs": {
- "default": {
+ "ubuntu": {
+ "r2404": {
+ "versionsV2": [
+ {
+ "renovateTag": "name=aks-secure-tls-bootstrap-client, repository=production, os=ubuntu, release=24.04",
+ "latestVersion": "1.1.4-ubuntu24.04u1"
+ }
+ ]
+ },
+ "r2204": {
+ "versionsV2": [
+ {
+ "renovateTag": "name=aks-secure-tls-bootstrap-client, repository=production, os=ubuntu, release=22.04",
+ "latestVersion": "1.1.4-ubuntu22.04u1"
+ }
+ ]
+ },
+ "r2004": {
+ "versionsV2": [
+ {
+ "renovateTag": "name=aks-secure-tls-bootstrap-client, repository=production, os=ubuntu, release=20.04",
+ "latestVersion": "1.1.4-ubuntu20.04u1"
+ }
+ ]
+ }
+ },
+ "azurelinux": {
+ "v3.0": {
+ "versionsV2": [
+ {
+ "renovateTag": "RPM_registry=https://packages.microsoft.com/azurelinux/3.0/prod/ms-oss/x86_64/repodata, name=aks-secure-tls-bootstrap-client, os=azurelinux, release=3.0",
+ "latestVersion": "1.1.4-1.azl3"
+ }
+ ]
+ }
+ },
+ "azurelinuxkata": {
+ "v3.0": {
+ "versionsV2": [
+ {
+ "renovateTag": "RPM_registry=https://packages.microsoft.com/azurelinux/3.0/prod/ms-oss/x86_64/repodata, name=aks-secure-tls-bootstrap-client, os=azurelinux, release=3.0",
+ "latestVersion": "1.1.4-1.azl3"
+ }
+ ]
+ }
+ },
+ "flatcar": {
 "current": {
 "versionsV2": [
 {
- "renovateTag": "",
- "latestVersion": "1.1.4"
+ "renovateTag": "OCI_registry=https://mcr.microsoft.com, name=aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext",
+ "latestVersion": "v1.1.4-1-azlinux3"
 }
 ],
- "downloadURL": "https://github.com/Azure/aks-secure-tls-bootstrap/releases/download/client/v${version}/linux-${CPU_ARCH}.tar.gz"
+ "downloadURL": "mcr.microsoft.com/aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext:${version}-${SYSTEMD_ARCH}"
 }
 },
 "windows": {
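Review bot: The Flatcar `downloadURL` references the sysext by a mutable tag (`...-client-sysext:${version}-${SYSTEMD_ARCH}`), so the bytes merged into `/usr` at build time are whatever that tag points to on the day of the build; unless `downloadSysextFromVersion` verifies a signature or digest after the pull (not visible in this diff), the image is neither reproducible nor tamper-evident for a binary that handles the node's bootstrap credentials. Recording a digest next to `latestVersion` in the `versionsV2` entry and pulling by `@sha256:...`, or verifying a signature after the pull, would close that gap; the apt and rpm paths presumably inherit repository signing, which the OCI path does not. The `azurelinuxkata` block is a byte-for-byte copy of `azurelinux`, which is fine if intended but will drift on the next bump unless Renovate updates both.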
diff --git a/parts/linux/cloud-init/artifacts/acl/cse_install_acl.sh b/parts/linux/cloud-init/artifacts/acl/cse_install_acl.sh
index ac785347e55..c04cab766b4 100644
--- a/parts/linux/cloud-init/artifacts/acl/cse_install_acl.sh
+++ b/parts/linux/cloud-init/artifacts/acl/cse_install_acl.sh
@@ -121,6 +121,20 @@ installCredentialProviderPackageFromBootstrapProfileRegistry() {
 installCredentialProviderFromPkg "$2" "$1"
 }
 
+# Only called at build-time, unlike kubelet or credential provider installation.
+installSecureTLSBootstrapClientSysext() {
+ local version=$1
+ local registry=${2:-mcr.microsoft.com}
+ # matchLocalSysext prepends 'v' when building the local filename glob, so strip any leading 'v'
+ # from the version to avoid 'vv' in the pattern (versions in components.json carry a 'v' prefix).
+ version=${version#v}
+ if ! mergeSysexts aks-secure-tls-bootstrap-client "${registry}"/aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext "${version}"; then
+ echo "Failed to install aks-secure-tls-bootstrap-client sysext"
+ return "${ERR_ORAS_PULL_SYSEXT_FAIL}"
+ fi
+ ln -snf /usr/bin/aks-secure-tls-bootstrap-client /opt/bin/aks-secure-tls-bootstrap-client
+}
+
 # Reads VERSION_ID from /etc/os-release for use as the sysext version tag.
 # GPU sysexts are tagged by the OS image version, not the driver version.
 getACLVersionID() {
diff --git a/parts/linux/cloud-init/artifacts/azlosguard/azurelinux-ms-oss.repo b/parts/linux/cloud-init/artifacts/azlosguard/azurelinux-ms-oss.repo
new file mode 100644
index 00000000000..1d286029517
--- /dev/null
+++ b/parts/linux/cloud-init/artifacts/azlosguard/azurelinux-ms-oss.repo
@@ -0,0 +1,9 @@
+[azurelinux-official-ms-oss]
+name=Azure Linux Official Microsoft Open Source Repository $releasever $basearch
+baseurl=https://packages.microsoft.com/azurelinux/$releasever/prod/ms-oss/$basearch
+gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY
+gpgcheck=1
+repo_gpgcheck=1
+enabled=1
+skip_if_unavailable=True
+sslverify=1
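Review bot: After `mergeSysexts` returns success the function symlinks `/usr/bin/aks-secure-tls-bootstrap-client` into `/opt/bin` without confirming the merged extension actually provides that path, so a sysext with a different layout yields a dangling symlink and a green build step, and the problem only surfaces later in the VHD content test. A check between the merge and the link, `[ -x /usr/bin/aks-secure-tls-bootstrap-client ] || { echo "aks-secure-tls-bootstrap-client sysext merged but binary missing"; return "${ERR_ORAS_PULL_SYSEXT_FAIL}"; }`, fails at the point that knows why. The comment explaining the `v` stripping describes `matchLocalSysext`, which is outside this hunk, so that behaviour is taken on trust here; a `registry` override also changes where the build pulls a credential-handling binary from, which deserves a one-line comment that it is a build-time test hook only, if that is the intent.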
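Review bot: The repo is `enabled=1` with `skip_if_unavailable=True`, so it stays active for every later `dnf` invocation on the image rather than only the build step that needs `aks-secure-tls-bootstrap-client`, and an outage of packages.microsoft.com is silently skipped instead of failing the build; whether `downloadPkgFromVersion` then fails loudly on "no package found" is worth confirming. `gpgcheck=1` and `repo_gpgcheck=1` are the right settings, but they depend on `/etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY` already existing on OSGuard; the sibling cloud-native-preview repo presumably uses the same key, though that is not visible in the diff. A header comment such as `# ms-oss publishes aks-secure-tls-bootstrap-client; consumed by install-dependencies.sh on OSGuard builds` would record why this repo exists.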
diff --git a/parts/linux/cloud-init/artifacts/azlosguard/cse_install_osguard.sh b/parts/linux/cloud-init/artifacts/azlosguard/cse_install_osguard.sh
index a22882f435d..9193afdfde3 100644
--- a/parts/linux/cloud-init/artifacts/azlosguard/cse_install_osguard.sh
+++ b/parts/linux/cloud-init/artifacts/azlosguard/cse_install_osguard.sh
@@ -20,8 +20,8 @@ installRPMPackageFromFile() {
 local fullPackageVersion=""
 
 echo "installing ${packageName} version ${desiredVersion} by manually unpacking the RPM"
- if [ "${packageName}" != "kubelet" ] && [ "${packageName}" != "kubectl" ] && [ "${packageName}" != "azure-acr-credential-provider" ]; then
- echo "Error: Unsupported package ${packageName}. Only kubelet, kubectl, and azure-acr-credential-provider installs are allowed on OSGuard."
+ if [ "${packageName}" != "kubelet" ] && [ "${packageName}" != "kubectl" ] && [ "${packageName}" != "azure-acr-credential-provider" ] && [ "${packageName}" != "aks-secure-tls-bootstrap-client" ]; then
+ echo "Error: Unsupported package ${packageName}. Only kubelet, kubectl, azure-acr-credential-provider, and aks-secure-tls-bootstrap-client installs are allowed on OSGuard."
 exit 1
 fi
 echo "installing ${packageName} version ${desiredVersion}"
diff --git a/parts/linux/cloud-init/artifacts/cse_install.sh b/parts/linux/cloud-init/artifacts/cse_install.sh
index 65f6e6058b3..0958e3bab86 100755
--- a/parts/linux/cloud-init/artifacts/cse_install.sh
+++ b/parts/linux/cloud-init/artifacts/cse_install.sh
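Review bot: Widening the allow-list means `aks-secure-tls-bootstrap-client` is now installed "by manually unpacking the RPM", which bypasses rpm's own signature check for a binary that handles the node's bootstrap credentials; the new `azurelinux-ms-oss.repo` settings only govern dnf, so whether the downloaded RPM is verified against the repo key before unpacking depends on `downloadPkgFromVersion` and should be confirmed. The four-way `!=` chain and the hand-maintained error string will drift again on the next addition; a `case "${packageName}" in kubelet|kubectl|azure-acr-credential-provider|aks-secure-tls-bootstrap-client) ;; *) echo "Error: Unsupported package ${packageName}..."; exit 1 ;; esac` keeps the list in one place. `installRPMPackageFromFile` continues outside the hunk.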
@@ -255,11 +255,14 @@ installOras() {
 # if secure TLS bootstrapping is disabled, this will simply remove the client binary from disk.
 # otherwise, if a custom URL is provided, it will use the custom URL to overwrite the existing installation
 installSecureTLSBootstrapClient() {
- # TODO(cameissner): can probably remove this once we get to preview
 if [ "${ENABLE_SECURE_TLS_BOOTSTRAPPING}" != "true" ]; then
 echo "secure TLS bootstrapping is disabled, will remove secure TLS bootstrap client binary installation"
 rm -f "${SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}/aks-secure-tls-bootstrap-client" &
 rm -rf "${SECURE_TLS_BOOTSTRAP_CLIENT_DOWNLOAD_DIR}" &
+ if isFlatcar || isACL; then
+ rm -f /etc/extensions/aks-secure-tls-bootstrap-client.raw
+ (systemd-sysext --no-reload refresh || echo "WARNING: systemd-sysext refresh failed after removing aks-secure-tls-bootstrap-client sysext") &
+ fi
 return 0
 fi
 
@@ -272,13 +275,11 @@ installSecureTLSBootstrapClient() {
 return 0
 fi
 
- downloadSecureTLSBootstrapClient "${SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}" "${CUSTOM_SECURE_TLS_BOOTSTRAPPING_CLIENT_DOWNLOAD_URL}" || exit $ERR_SECURE_TLS_BOOTSTRAP_CLIENT_DOWNLOAD_ERROR
+ downloadSecureTLSBootstrapClientFromURL "${SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}" "${CUSTOM_SECURE_TLS_BOOTSTRAPPING_CLIENT_DOWNLOAD_URL}" || exit $ERR_SECURE_TLS_BOOTSTRAP_CLIENT_DOWNLOAD_ERROR
 }
 
-downloadSecureTLSBootstrapClient() {
- # TODO(cameissner): have this managed by renovate, migrate from github to MCR/packages.microsoft.com
-
- local CLIENT_EXTRACTED_DIR=${1-$:SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}
+downloadSecureTLSBootstrapClientFromURL() {
+ local CLIENT_EXTRACTED_DIR=${1:-$SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}
 local CLIENT_DOWNLOAD_URL=$2
 
 mkdir -p $SECURE_TLS_BOOTSTRAP_CLIENT_DOWNLOAD_DIR
diff --git a/parts/linux/cloud-init/artifacts/flatcar/cse_install_flatcar.sh b/parts/linux/cloud-init/artifacts/flatcar/cse_install_flatcar.sh
index 77b023cf474..cf45aba65d3 100755
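Review bot: When bootstrapping is disabled on Flatcar/ACL the `.raw` link is removed synchronously, but the `systemd-sysext --no-reload refresh` that actually unmerges the binary from `/usr/bin` is backgrounded and its failure only prints a warning, so the function returns 0 with the client possibly still merged and executable — the opposite of what the log line promises. If "disabled" is meant to guarantee the binary is gone, run the refresh in the foreground and propagate its status; if best-effort is deliberate, say so in the comment above the `if` so the next reader does not tighten it by accident. `isACL` is also called here without arguments while `install-dependencies.sh` passes `"$OS" "$OS_VARIANT"`; if the helper defaults to globals that is fine, but one convention would avoid surprises. The function body continues outside the hunk.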
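Review bot: On Flatcar/ACL `${SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}/aks-secure-tls-bootstrap-client` is now a symlink to the sysext-provided `/usr/bin` binary, so the custom-URL branch that extracts into that directory no longer "overwrites the existing installation" as the header comment says: depending on how the tarball is extracted it replaces the symlink, follows it into the read-only overlay, or fails. If custom client URLs are meant to be supported on sysext platforms, this branch should also drop the `/etc/extensions` link and refresh, as the disabled branch does; otherwise reject the combination explicitly with a clear error rather than leaving two different binaries in play. `downloadSecureTLSBootstrapClientFromURL` continues outside the hunk, so the extraction behaviour is inferred.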
--- a/parts/linux/cloud-init/artifacts/flatcar/cse_install_flatcar.sh
+++ b/parts/linux/cloud-init/artifacts/flatcar/cse_install_flatcar.sh
@@ -106,6 +106,29 @@ installCredentialProviderPackageFromBootstrapProfileRegistry() {
 installCredentialProviderFromPkg "$2" "$1"
 }
 
+# Only called at build-time, unlike kubelet or credential provider installation.
+# Flatcar's matchLocalSysext glob (name-v${ver}[.~-]*-${arch}.raw) cannot match the
+# bootstrap client's filename, which has only a single '-' between the version and arch
+# (e.g. aks-secure-tls-bootstrap-client-v1.1.3-2-azlinux3-x86-64.raw). The download has
+# already been completed by install-dependencies.sh into a known location with a known
+# filename, so activate the sysext directly instead of going through mergeSysexts.
+installSecureTLSBootstrapClientSysext() {
+ local version=$1
+ local seName=aks-secure-tls-bootstrap-client
+ local seArch
+ seArch=$(getSystemdArch)
+ # Normalize to ensure a leading 'v' to match the artifact filename produced by oras pull.
+ version="v${version#v}"
+ local seFile="/opt/${seName}/downloads/${seName}-${version}-${seArch}.raw"
+ if ! test -f "${seFile}"; then
+ echo "Failed to find downloaded ${seName} sysext at ${seFile}"
+ return "${ERR_ORAS_PULL_SYSEXT_FAIL}"
+ fi
+ ln -snf "${seFile}" "/etc/extensions/${seName}.raw"
+ systemd-sysext --no-reload refresh
+ ln -snf "/usr/bin/${seName}" "/opt/bin/${seName}"
+}
+
 ensureRunc() {
 stub
 }
diff --git a/spec/parts/linux/cloud-init/artifacts/cse_install_acl_spec.sh b/spec/parts/linux/cloud-init/artifacts/cse_install_acl_spec.sh
new file mode 100644
index 00000000000..5dc081524e3
--- /dev/null
+++ b/spec/parts/linux/cloud-init/artifacts/cse_install_acl_spec.sh
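Review bot: `systemd-sysext --no-reload refresh` runs without its exit status being checked, so if the refresh fails (corrupt image, rejected verity/signature, merge conflict) the function still symlinks a non-existent `/usr/bin/${seName}` into `/opt/bin` and returns success from the final `ln`. Guard it and confirm the merged binary: `systemd-sysext --no-reload refresh || return "${ERR_ORAS_PULL_SYSEXT_FAIL}"` followed by `[ -x "/usr/bin/${seName}" ] || return "${ERR_ORAS_PULL_SYSEXT_FAIL}"`. The `/etc/extensions` entry is a symlink into `/opt/${seName}/downloads`, so whatever prunes that directory later must also drop the link — the disabled branch in cse_install.sh does both today, and a comment here recording that coupling would keep it that way. Nothing in the hunk shows the pulled `.raw` being integrity-checked before it is activated.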
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+# Mock functions that the ACL script depends on
+oras() {
+ echo "mock oras $*" >&2
+}
+
+ln() {
+ echo "mock ln $*" >&2
+}
+
+systemd-sysext() {
+ echo "mock systemd-sysext $*" >&2
+}
+
+timeout() {
+ shift # remove timeout duration
+ "$@" # execute the command
+}
+
+mkdir() {
+ echo "mock mkdir $*" >&2
+}
+
+getSystemdArch() {
+ echo "x86-64"
+}
+
+getCPUArch() {
+ echo "amd64"
+}
+
+sleep() {
+ echo "sleeping $1 seconds" >&2
+}
+
+find() {
+ echo "mock find $*" >&2
+}
+
+CSE_STARTTIME_SECONDS=$(date +%s)
+
+Describe 'cse_install_acl.sh'
+ Include "./parts/linux/cloud-init/artifacts/acl/cse_install_acl.sh"
+ Include "./parts/linux/cloud-init/artifacts/cse_helpers.sh"
+
+ Describe 'installSecureTLSBootstrapClientSysext'
+ It 'calls mergeSysexts with correct URL and creates symlink on success'
+ mergeSysexts() {
+ echo "mock mergeSysexts $*" >&2
+ }
+ ln() {
+ echo "mock ln $*" >&2
+ }
+ When call installSecureTLSBootstrapClientSysext "1.1.3"
+ The error should include "mock mergeSysexts aks-secure-tls-bootstrap-client mcr.microsoft.com/aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext 1.1.3"
+ The error should include "mock ln -snf /usr/bin/aks-secure-tls-bootstrap-client /opt/bin/aks-secure-tls-bootstrap-client"
+ The status should be success
+ End
+
+ It 'uses custom registry when provided'
+ mergeSysexts() {
+ echo "mock mergeSysexts $*" >&2
+ }
+ ln() {
+ echo "mock ln $*" >&2
+ }
+ When call installSecureTLSBootstrapClientSysext "1.1.3" "custom.registry.io"
+ The error should include "mock mergeSysexts aks-secure-tls-bootstrap-client custom.registry.io/aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext 1.1.3"
+ The status should be success
+ End
+
+ It 'returns ERR_ORAS_PULL_SYSEXT_FAIL when mergeSysexts fails'
+ mergeSysexts() {
+ return 1
+ }
+ ERR_ORAS_PULL_SYSEXT_FAIL=231
+ When call installSecureTLSBootstrapClientSysext "1.1.3"
+ The output should include "Failed to install 
aks-secure-tls-bootstrap-client sysext"
+ The status should be failure
+ End
+
+ It 'strips a leading v from the version before passing to mergeSysexts'
+ mergeSysexts() {
+ echo "mock mergeSysexts $*" >&2
+ }
+ ln() {
+ echo "mock ln $*" >&2
+ }
+ When call installSecureTLSBootstrapClientSysext "v1.1.3-2-azlinux3"
+ The error should include "mock mergeSysexts aks-secure-tls-bootstrap-client mcr.microsoft.com/aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext 1.1.3-2-azlinux3"
+ The error should not include "vv1.1.3"
+ The status should be success
+ End
+ End
+End
diff --git a/spec/parts/linux/cloud-init/artifacts/cse_install_flatcar_spec.sh b/spec/parts/linux/cloud-init/artifacts/cse_install_flatcar_spec.sh
index df5a6fe368c..2ff7c24f1d1 100644
--- a/spec/parts/linux/cloud-init/artifacts/cse_install_flatcar_spec.sh
+++ b/spec/parts/linux/cloud-init/artifacts/cse_install_flatcar_spec.sh
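Review bot: The failure example sets `ERR_ORAS_PULL_SYSEXT_FAIL=231` but only asserts `The status should be failure`, so it would pass if the function returned any incidental non-zero rather than the named code; `The status should eq 231` pins the contract. The same example should also assert that nothing was linked when the merge fails, e.g. `The error should not include "mock ln"`, since leaving a dangling `/opt/bin` link on failure is the regression most worth catching. The per-example `ln()` redefinitions duplicate the file-level mock and can be dropped.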
@@ -374,6 +374,44 @@ EOF
 End
 End
 
+ Describe 'installSecureTLSBootstrapClientSysext'
+ It 'symlinks downloaded sysext into /etc/extensions and /opt/bin and refreshes systemd-sysext'
+ ln() { echo "mock ln $*" >&2; }
+ getSystemdArch() { echo "x86-64"; }
+ test() { [ "$1" = -f ] && return 0; return 1; }
+ Mock systemd-sysext
+ echo "mock systemd-sysext $*" >&2
+ End
+ When call installSecureTLSBootstrapClientSysext "v1.1.3-2-azlinux3"
+ The error should include "mock ln -snf /opt/aks-secure-tls-bootstrap-client/downloads/aks-secure-tls-bootstrap-client-v1.1.3-2-azlinux3-x86-64.raw /etc/extensions/aks-secure-tls-bootstrap-client.raw"
+ The error should include "mock systemd-sysext --no-reload refresh"
+ The error should include "mock ln -snf /usr/bin/aks-secure-tls-bootstrap-client /opt/bin/aks-secure-tls-bootstrap-client"
+ The status should be success
+ End
+
+ It 'normalizes a version without leading v to match the artifact filename'
+ ln() { echo "mock ln $*" >&2; }
+ getSystemdArch() { echo "x86-64"; }
+ test() { [ "$1" = -f ] && return 0; return 1; }
+ Mock systemd-sysext
+ echo "mock systemd-sysext $*" >&2
+ End
+ When call installSecureTLSBootstrapClientSysext "1.1.3-2-azlinux3"
+ The error should include "/opt/aks-secure-tls-bootstrap-client/downloads/aks-secure-tls-bootstrap-client-v1.1.3-2-azlinux3-x86-64.raw"
+ The error should not include "vv1.1.3"
+ The status should be success
+ End
+
+ It 'returns ERR_ORAS_PULL_SYSEXT_FAIL when the downloaded sysext file is missing'
+ getSystemdArch() { echo "x86-64"; }
+ test() { return 1; }
+ ERR_ORAS_PULL_SYSEXT_FAIL=231
+ When call installSecureTLSBootstrapClientSysext "v1.1.3-2-azlinux3"
+ The output should include "Failed to find downloaded aks-secure-tls-bootstrap-client sysext at /opt/aks-secure-tls-bootstrap-client/downloads/aks-secure-tls-bootstrap-client-v1.1.3-2-azlinux3-x86-64.raw"
+ The status should be failure
+ End
+ End
+
 Describe 'cleanUpGPUDrivers'
 It 'removes GPU directories'
 rm() {
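Review bot: These examples shadow the `test` builtin with a shell function, which only intercepts the implementation because it spells the check as `test -f` rather than `[ -f ]`; that coupling is invisible from the production code and the mock will silently stop applying if someone reformats the condition, at which point the examples start depending on real files under `/opt`. A comment next to the mock (or in the implementation) naming the dependency, plus `The status should eq 231` in the missing-file example instead of a bare `failure`, would make the intent explicit. The missing-file example should also assert that nothing was activated, e.g. `The error should not include "mock ln"` and `The error should not include "mock systemd-sysext"`, since not touching `/etc/extensions` without an artifact is the property that matters.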
diff --git a/spec/parts/linux/cloud-init/artifacts/cse_install_spec.sh b/spec/parts/linux/cloud-init/artifacts/cse_install_spec.sh
index 9fa8b4b94bc..2603b789599 100644
--- a/spec/parts/linux/cloud-init/artifacts/cse_install_spec.sh
+++ b/spec/parts/linux/cloud-init/artifacts/cse_install_spec.sh
@@ -249,6 +249,68 @@ Describe 'cse_install.sh'
 The output should include "aks-secure-tls-bootstrap-client installed successfully"
 The status should be success
 End
+
+ It 'should remove sysext and refresh on ACL when secure TLS bootstrapping is disabled'
+ ENABLE_SECURE_TLS_BOOTSTRAPPING="false"
+ OS="AZURECONTAINERLINUX"
+ OS_VARIANT=""
+ ACL_OS_NAME="AZURECONTAINERLINUX"
+ ACL_OS_VARIANT="AZURECONTAINERLINUX"
+ FLATCAR_OS_NAME="FLATCAR"
+ rm() {
+ echo "mock rm $*" >&2
+ }
+ systemd-sysext() {
+ echo "mock systemd-sysext $*" >&2
+ }
+ # systemd-sysext refresh is backgrounded; wait so its output is captured.
+ installAndWait() {
+ installSecureTLSBootstrapClient
+ wait
+ }
+ When call installAndWait
+ The output should include "secure TLS bootstrapping is disabled"
+ The error should include "mock rm -f /etc/extensions/aks-secure-tls-bootstrap-client.raw"
+ The error should include "mock systemd-sysext --no-reload refresh"
+ The error should not include "WARNING: systemd-sysext refresh failed"
+ The status should be success
+ End
+
+ It 'should log a warning if systemd-sysext refresh fails on ACL when secure TLS bootstrapping is disabled'
+ ENABLE_SECURE_TLS_BOOTSTRAPPING="false"
+ OS="AZURECONTAINERLINUX"
+ OS_VARIANT=""
+ ACL_OS_NAME="AZURECONTAINERLINUX"
+ ACL_OS_VARIANT="AZURECONTAINERLINUX"
+ FLATCAR_OS_NAME="FLATCAR"
+ rm() {
+ echo "mock rm $*" >&2
+ }
+ systemd-sysext() {
+ return 1
+ }
+ installAndWait() {
+ installSecureTLSBootstrapClient
+ wait
+ }
+ When call installAndWait
+ The output should include "WARNING: systemd-sysext refresh failed after removing aks-secure-tls-bootstrap-client sysext"
+ The error should include "mock rm -f /etc/extensions/aks-secure-tls-bootstrap-client.raw"
+ The status should be success
+ End
+
+ It 'should be a no-op on ACL when secure TLS bootstrapping is enabled and no custom URL'
+ ENABLE_SECURE_TLS_BOOTSTRAPPING="true"
+ CUSTOM_SECURE_TLS_BOOTSTRAPPING_CLIENT_DOWNLOAD_URL=""
+ OS="AZURECONTAINERLINUX"
+ OS_VARIANT=""
+
 ACL_OS_NAME="AZURECONTAINERLINUX"
+ ACL_OS_VARIANT="AZURECONTAINERLINUX"
+ FLATCAR_OS_NAME="FLATCAR"
+ When call installSecureTLSBootstrapClient
+ The output should include "secure TLS bootstrapping is enabled but no custom client download URL was provided, nothing to download"
+ The status should be success
+ End
 End
 
 Describe 'installKubeletKubectlFromBootstrapProfileRegistry'
diff --git a/vhdbuilder/packer/imagecustomizer/azlosguard/azlosguard.yml b/vhdbuilder/packer/imagecustomizer/azlosguard/azlosguard.yml
index b8a6cd40e7a..476ad42a951 100644
--- a/vhdbuilder/packer/imagecustomizer/azlosguard/azlosguard.yml
+++ b/vhdbuilder/packer/imagecustomizer/azlosguard/azlosguard.yml
@@ -9,6 +9,9 @@ os:
 - source: /AgentBaker/parts/linux/cloud-init/artifacts/azlosguard/azurelinux-cloud-native-preview.repo
 destination: /etc/yum.repos.d/azurelinux-cloud-native-preview.repo
 permissions: 644
+ - source: /AgentBaker/parts/linux/cloud-init/artifacts/azlosguard/azurelinux-ms-oss.repo
+ destination: /etc/yum.repos.d/azurelinux-ms-oss.repo
+ permissions: 644
 # Build-time scripts and tools
 - source: /AgentBaker/vhdbuilder/packer/install-dependencies.sh
 destination: /opt/azure/containers/install-dependencies.sh
diff --git a/vhdbuilder/packer/install-dependencies.sh b/vhdbuilder/packer/install-dependencies.sh
index ff00707ee68..dee2f800db2 100644
--- a/vhdbuilder/packer/install-dependencies.sh
+++ b/vhdbuilder/packer/install-dependencies.sh
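Review bot: The two disabled-path examples assert the `.raw` removal and the refresh but never that `${SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}/aks-secure-tls-bootstrap-client` and `${SECURE_TLS_BOOTSTRAP_CLIENT_DOWNLOAD_DIR}` are removed too, which on Flatcar/ACL is what takes the `/opt/bin` link and the `.raw` target off disk; with `rm` already mocked, `The error should include "mock rm -rf"` for the download dir and `"mock rm -f"` for the binary are cheap. The six OS globals are repeated verbatim in all three examples; a `setACLEnv()` helper or a `BeforeEach` keeps them from drifting. The enclosing `Describe 'cse_install.sh'` starts before the hunk.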
@@ -474,9 +474,18 @@ while IFS= read -r p; do
 "aks-secure-tls-bootstrap-client")
 for version in ${PACKAGE_VERSIONS[@]}; do
 # removed at provisioning time if secure TLS bootstrapping is disabled
- evaluatedURL=$(evalPackageDownloadURL ${PACKAGE_DOWNLOAD_URL})
- downloadSecureTLSBootstrapClient "${downloadDir}" "${evaluatedURL}" "${version}"
- echo " - aks-secure-tls-bootstrap-client version ${version}" >> ${VHD_LOGS_FILEPATH}
+ if isUbuntu; then
+ downloadPkgFromVersion "${name}" "${version}" "${downloadDir}"
+ installPackageFromCache "${name}" "${version}" "/opt/bin/${name}" || exit $?
+ elif isMarinerOrAzureLinux; then
+ downloadPkgFromVersion "${name}" "${version}" "${downloadDir}"
+ installRPMPackageFromFile "${name}" "${version}" "/opt/bin/${name}" || exit $?
+ elif isFlatcar || isACL "$OS" "$OS_VARIANT"; then
+ evaluatedURL=$(evalPackageDownloadURL ${PACKAGE_DOWNLOAD_URL})
+ downloadSysextFromVersion "${name}" "${evaluatedURL}" "${downloadDir}" || exit $?
+ installSecureTLSBootstrapClientSysext "${version}" || exit $?
+ fi
+ echo " - ${name} version ${version}" >> ${VHD_LOGS_FILEPATH}
 done
 ;;
 "azure-acr-credential-provider")
diff --git a/vhdbuilder/packer/test/linux-vhd-content-test.sh b/vhdbuilder/packer/test/linux-vhd-content-test.sh
index 0c65887e034..da466bdda25 100644
--- a/vhdbuilder/packer/test/linux-vhd-content-test.sh
+++ b/vhdbuilder/packer/test/linux-vhd-content-test.sh
@@ -245,6 +245,10 @@ testPackagesInstalled() {
 testPkgDownloaded "${name%-pmc}" "${downloadLocation}" "${PACKAGE_VERSIONS[@]}"
 continue
 ;;
+ "aks-secure-tls-bootstrap-client")
+ testSecureTLSBootstrapClientInstalled
+ continue
+ ;;
 "kubelet"|\
 "kubectl")
 testPkgDownloaded "${name}" "${downloadLocation}" "${PACKAGE_VERSIONS[@]}"
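Review bot: The `if/elif` chain has no `else`, so on a distro matching none of `isUbuntu`, `isMarinerOrAzureLinux`, `isFlatcar`/`isACL` the loop installs nothing yet still appends ` - ${name} version ${version}` to the VHD log as though it had; an `else echo "unsupported OS for ${name}"; exit 1` (or the file's usual error code) fails the build at the point that knows why. The Ubuntu and Azure Linux branches also ignore the exit status of `downloadPkgFromVersion`, unlike the sysext branch, so a failed download is only noticed indirectly by the install step. `isACL` is called here with `"$OS" "$OS_VARIANT"` but without arguments in `cse_install.sh`; one convention would avoid surprises. The enclosing `while` loop and `case` start before the hunk.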
@@ -1018,6 +1022,21 @@ testAppArmorInstalled() {
 echo "$test:Finish"
 }
 
+testSecureTLSBootstrapClientInstalled() {
+ local test="testSecureTLSBootstrapClientInstalled"
+ local binary="/opt/bin/aks-secure-tls-bootstrap-client"
+ echo "$test:Start"
+ if [ ! -x "${binary}" ]; then
+ err "$test" "${binary} does not exist or is not executable"
+ echo "$test:Finish"
+ return
+ fi
+ if ! "${binary}" -h >/dev/null 2>&1; then
+ err "$test" "${binary} -h failed to execute successfully"
+ fi
+ echo "$test:Finish"
+}
+
 testKubeBinariesPresent() {
 local test="testKubeBinaries"
 echo "$test:Start"
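Review bot: Unlike `testPkgDownloaded`, this test accepts any executable that answers `-h` and never compares it with `PACKAGE_VERSIONS`, so a stale cached package, a wrong-distro build or a leftover sysext from a previous image would still pass. If the client exposes a version flag, capture it and assert it matches each expected version; otherwise pass `${downloadLocation}` and `${PACKAGE_VERSIONS[@]}` through from the `case` arm in the other hunk and check the versioned artifact exists as the other packages do. A one-line comment saying why `-h` was chosen as the smoke test (if it is meant to exercise dynamic linking or FIPS crypto initialisation, say so) would justify the choice to the next maintainer.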