Azure · cameronmeissner · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026
@@ -146,26 +146,10 @@
       "automerge": false,
       "enabled": true,
       "assignees": [
-        "devinwong",
-        "cameronmeissner",
-        "lilypan26",
-        "djsly",
-        "zachary-bailey",
-        "ganeshkumarashok",
-        "mxj220",
-        "pdamianov-dev",
-        "SriHarsha001"
+        "team:aks-node-lifecycle"
       ],
       "reviewers": [
-        "devinwong",
-        "cameronmeissner",
-        "lilypan26",
-        "djsly",
-        "zachary-bailey",
-        "ganeshkumarashok",
-        "mxj220",
-        "pdamianov-dev",
-        "SriHarsha001"
+        "team:aks-node-lifecycle"
       ]
     },
     {
@@ -456,6 +440,20 @@
         "surajssd"
       ]
     },
+    {
+      "matchPackageNames": [
+        "aks-secure-tls-bootstrap-client"
+      ],
+      "groupName": "aks-secure-tls-bootstrap-client",
+      "assignees": [
+        "cameronmeissner",
+        "djsly"
+      ],
+      "reviewers": [
+        "cameronmeissner",
+        "djsly"
+      ]
+    },
     {
       "matchPackageNames": [
         "datacenter-gpu-manager-4-core",

diff --git a/parts/common/components.json b/parts/common/components.json
@@ -937,18 +937,64 @@
     },
     {
       "name": "aks-secure-tls-bootstrap-client",
-      "downloadLocation": "/opt/bin",
+      "downloadLocation": "/opt/aks-secure-tls-bootstrap-client/downloads",
       "windowsDownloadLocation": "c:\\akse-cache\\aks-secure-tls-bootstrap-client\\",
       "downloadURIs": {
-        "default": {
+        "ubuntu": {
+          "r2404": {
+            "versionsV2": [
+              {
+                "renovateTag": "name=aks-secure-tls-bootstrap-client, repository=production, os=ubuntu, release=24.04",
+                "latestVersion": "1.1.4-ubuntu24.04u1"
+              }
+            ]
+          },
+          "r2204": {
+            "versionsV2": [
+              {
+                "renovateTag": "name=aks-secure-tls-bootstrap-client, repository=production, os=ubuntu, release=22.04",
+                "latestVersion": "1.1.4-ubuntu22.04u1"
+              }
+            ]
+          },
+          "r2004": {
+            "versionsV2": [
+              {
+                "renovateTag": "name=aks-secure-tls-bootstrap-client, repository=production, os=ubuntu, release=20.04",
+                "latestVersion": "1.1.4-ubuntu20.04u1"
+              }
+            ]
+          }
+        },
+        "azurelinux": {
+          "v3.0": {
+            "versionsV2": [
+              {
+                "renovateTag": "RPM_registry=https://packages.microsoft.com/azurelinux/3.0/prod/ms-oss/x86_64/repodata, name=aks-secure-tls-bootstrap-client, os=azurelinux, release=3.0",
+                "latestVersion": "1.1.4-1.azl3"
+              }
+            ]
+          }
+        },
+        "azurelinuxkata": {
+          "v3.0": {
+            "versionsV2": [
+              {
+                "renovateTag": "RPM_registry=https://packages.microsoft.com/azurelinux/3.0/prod/ms-oss/x86_64/repodata, name=aks-secure-tls-bootstrap-client, os=azurelinux, release=3.0",
+                "latestVersion": "1.1.4-1.azl3"
+              }
+            ]
+          }
+        },
+        "flatcar": {
           "current": {
             "versionsV2": [
               {
-                "renovateTag": "<DO_NOT_UPDATE>",
-                "latestVersion": "1.1.4"
+                "renovateTag": "OCI_registry=https://mcr.microsoft.com, name=aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext",
+                "latestVersion": "v1.1.4-1-azlinux3"
               }
             ],
-            "downloadURL": "https://github.com/Azure/aks-secure-tls-bootstrap/releases/download/client/v${version}/linux-${CPU_ARCH}.tar.gz"
+            "downloadURL": "mcr.microsoft.com/aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext:${version}-${SYSTEMD_ARCH}"
           }
         },
         "windows": {

@@ -121,6 +121,20 @@ installCredentialProviderPackageFromBootstrapProfileRegistry() {
     installCredentialProviderFromPkg "$2" "$1"
 }
 
+# Only called at build-time, unlike kubelet or credential provider installation.
+installSecureTLSBootstrapClientSysext() {
+    local version=$1
+    local registry=${2:-mcr.microsoft.com}
+    # matchLocalSysext prepends 'v' when building the local filename glob, so strip any leading 'v'
+    # from the version to avoid 'vv' in the pattern (versions in components.json carry a 'v' prefix).
+    version=${version#v}
+    if ! mergeSysexts aks-secure-tls-bootstrap-client "${registry}"/aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext "${version}"; then
+        echo "Failed to install aks-secure-tls-bootstrap-client sysext"
+        return "${ERR_ORAS_PULL_SYSEXT_FAIL}"
+    fi
+    ln -snf /usr/bin/aks-secure-tls-bootstrap-client /opt/bin/aks-secure-tls-bootstrap-client
+}
+
 # Reads VERSION_ID from /etc/os-release for use as the sysext version tag.
 # GPU sysexts are tagged by the OS image version, not the driver version.
 getACLVersionID() {

@@ -0,0 +1,9 @@
+[azurelinux-official-ms-oss]
+name=Azure Linux Official Microsoft Open Source Repository $releasever $basearch
+baseurl=https://packages.microsoft.com/azurelinux/$releasever/prod/ms-oss/$basearch
+gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY
+gpgcheck=1
+repo_gpgcheck=1
+enabled=1
+skip_if_unavailable=True
+sslverify=1
@@ -20,8 +20,8 @@ installRPMPackageFromFile() {
     local fullPackageVersion=""
 
     echo "installing ${packageName} version ${desiredVersion} by manually unpacking the RPM"
-    if [ "${packageName}" != "kubelet" ] && [ "${packageName}" != "kubectl" ] && [ "${packageName}" != "azure-acr-credential-provider" ]; then
-        echo "Error: Unsupported package ${packageName}. Only kubelet, kubectl, and azure-acr-credential-provider installs are allowed on OSGuard."
+    if [ "${packageName}" != "kubelet" ] && [ "${packageName}" != "kubectl" ] && [ "${packageName}" != "azure-acr-credential-provider" ] && [ "${packageName}" != "aks-secure-tls-bootstrap-client" ]; then
+        echo "Error: Unsupported package ${packageName}. Only kubelet, kubectl, azure-acr-credential-provider, and aks-secure-tls-bootstrap-client installs are allowed on OSGuard."
         exit 1
     fi
     echo "installing ${packageName} version ${desiredVersion}"

@@ -255,11 +255,14 @@ installOras() {
 # if secure TLS bootstrapping is disabled, this will simply remove the client binary from disk.
 # otherwise, if a custom URL is provided, it will use the custom URL to overwrite the existing installation
 installSecureTLSBootstrapClient() {
-    # TODO(cameissner): can probably remove this once we get to preview
     if [ "${ENABLE_SECURE_TLS_BOOTSTRAPPING}" != "true" ]; then
         echo "secure TLS bootstrapping is disabled, will remove secure TLS bootstrap client binary installation"
         rm -f "${SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}/aks-secure-tls-bootstrap-client" &
         rm -rf "${SECURE_TLS_BOOTSTRAP_CLIENT_DOWNLOAD_DIR}" &
+        if isFlatcar || isACL; then
+            rm -f /etc/extensions/aks-secure-tls-bootstrap-client.raw
+            systemd-sysext --no-reload refresh || true
+        fi
         return 0
     fi
 
@@ -272,13 +275,11 @@ installSecureTLSBootstrapClient() {
         return 0
     fi
 
-    downloadSecureTLSBootstrapClient "${SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}" "${CUSTOM_SECURE_TLS_BOOTSTRAPPING_CLIENT_DOWNLOAD_URL}" || exit $ERR_SECURE_TLS_BOOTSTRAP_CLIENT_DOWNLOAD_ERROR
+    downloadSecureTLSBootstrapClientFromURL "${SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}" "${CUSTOM_SECURE_TLS_BOOTSTRAPPING_CLIENT_DOWNLOAD_URL}" || exit $ERR_SECURE_TLS_BOOTSTRAP_CLIENT_DOWNLOAD_ERROR
 }
 
-downloadSecureTLSBootstrapClient() {
-    # TODO(cameissner): have this managed by renovate, migrate from github to MCR/packages.microsoft.com
-
-    local CLIENT_EXTRACTED_DIR=${1-$:SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}
+downloadSecureTLSBootstrapClientFromURL() {
+    local CLIENT_EXTRACTED_DIR=${1:-$SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}
     local CLIENT_DOWNLOAD_URL=$2
 
     mkdir -p $SECURE_TLS_BOOTSTRAP_CLIENT_DOWNLOAD_DIR

@@ -106,6 +106,29 @@ installCredentialProviderPackageFromBootstrapProfileRegistry() {
     installCredentialProviderFromPkg "$2" "$1"
 }
 
+# Only called at build-time, unlike kubelet or credential provider installation.
+# Flatcar's matchLocalSysext glob (name-v${ver}[.~-]*-${arch}.raw) cannot match the
+# bootstrap client's filename, which has only a single '-' between the version and arch
+# (e.g. aks-secure-tls-bootstrap-client-v1.1.3-2-azlinux3-x86-64.raw). The download has
+# already been completed by install-dependencies.sh into a known location with a known
+# filename, so activate the sysext directly instead of going through mergeSysexts.
+installSecureTLSBootstrapClientSysext() {
+    local version=$1
+    local seName=aks-secure-tls-bootstrap-client
+    local seArch
+    seArch=$(getSystemdArch)
+    # Normalize to ensure a leading 'v' to match the artifact filename produced by oras pull.
+    version="v${version#v}"
+    local seFile="/opt/${seName}/downloads/${seName}-${version}-${seArch}.raw"
+    if ! test -f "${seFile}"; then
+        echo "Failed to find downloaded ${seName} sysext at ${seFile}"
+        return "${ERR_ORAS_PULL_SYSEXT_FAIL}"
+    fi
+    ln -snf "${seFile}" "/etc/extensions/${seName}.raw"
+    systemd-sysext --no-reload refresh
+    ln -snf "/usr/bin/${seName}" "/opt/bin/${seName}"
+}
+
 ensureRunc() {
     stub
 }

@@ -0,0 +1,96 @@
+#!/bin/bash
+
+# Mock functions that the ACL script depends on
+oras() {
+    echo "mock oras $*" >&2
+}
+
+ln() {
+    echo "mock ln $*" >&2
+}
+
+systemd-sysext() {
+    echo "mock systemd-sysext $*" >&2
+}
+
+timeout() {
+    shift # remove timeout duration
+    "$@" # execute the command
+}
+
+mkdir() {
+    echo "mock mkdir $*" >&2
+}
+
+getSystemdArch() {
+    echo "x86-64"
+}
+
+getCPUArch() {
+    echo "amd64"
+}
+
+sleep() {
+    echo "sleeping $1 seconds" >&2
+}
+
+find() {
+    echo "mock find $*" >&2
+}
+
+CSE_STARTTIME_SECONDS=$(date +%s)
+
+Describe 'cse_install_acl.sh'
+    Include "./parts/linux/cloud-init/artifacts/acl/cse_install_acl.sh"
+    Include "./parts/linux/cloud-init/artifacts/cse_helpers.sh"
+
+    Describe 'installSecureTLSBootstrapClientSysext'
+        It 'calls mergeSysexts with correct URL and creates symlink on success'
+            mergeSysexts() {
+                echo "mock mergeSysexts $*" >&2
+            }
+            ln() {
+                echo "mock ln $*" >&2
+            }
+            When call installSecureTLSBootstrapClientSysext "1.1.3"
+            The error should include "mock mergeSysexts aks-secure-tls-bootstrap-client mcr.microsoft.com/aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext 1.1.3"
+            The error should include "mock ln -snf /usr/bin/aks-secure-tls-bootstrap-client /opt/bin/aks-secure-tls-bootstrap-client"
+            The status should be success
+        End
+
+        It 'uses custom registry when provided'
+            mergeSysexts() {
+                echo "mock mergeSysexts $*" >&2
+            }
+            ln() {
+                echo "mock ln $*" >&2
+            }
+            When call installSecureTLSBootstrapClientSysext "1.1.3" "custom.registry.io"
+            The error should include "mock mergeSysexts aks-secure-tls-bootstrap-client custom.registry.io/aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext 1.1.3"
+            The status should be success
+        End
+
+        It 'returns ERR_ORAS_PULL_SYSEXT_FAIL when mergeSysexts fails'
+            mergeSysexts() {
+                return 1
+            }
+            ERR_ORAS_PULL_SYSEXT_FAIL=231
+            When call installSecureTLSBootstrapClientSysext "1.1.3"
+            The output should include "Failed to install aks-secure-tls-bootstrap-client sysext"
+            The status should be failure
+        End
+
+        It 'strips a leading v from the version before passing to mergeSysexts'
+            mergeSysexts() {
+                echo "mock mergeSysexts $*" >&2
+            }
+            ln() {
+                echo "mock ln $*" >&2
+            }
+            When call installSecureTLSBootstrapClientSysext "v1.1.3-2-azlinux3"
+            The error should include "mock mergeSysexts aks-secure-tls-bootstrap-client mcr.microsoft.com/aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext 1.1.3-2-azlinux3"
+            The error should not include "vv1.1.3"
+            The status should be success
+        End
+    End
+End
@@ -374,6 +374,44 @@ EOF
         End
     End
 
+    Describe 'installSecureTLSBootstrapClientSysext'
+        It 'symlinks downloaded sysext into /etc/extensions and /opt/bin and refreshes systemd-sysext'
+            ln() { echo "mock ln $*" >&2; }
+            getSystemdArch() { echo "x86-64"; }
+            test() { [ "$1" = -f ] && return 0; return 1; }
+            Mock systemd-sysext
+                echo "mock systemd-sysext $*" >&2
+            End
+            When call installSecureTLSBootstrapClientSysext "v1.1.3-2-azlinux3"
+            The error should include "mock ln -snf /opt/aks-secure-tls-bootstrap-client/downloads/aks-secure-tls-bootstrap-client-v1.1.3-2-azlinux3-x86-64.raw /etc/extensions/aks-secure-tls-bootstrap-client.raw"
+            The error should include "mock systemd-sysext --no-reload refresh"
+            The error should include "mock ln -snf /usr/bin/aks-secure-tls-bootstrap-client /opt/bin/aks-secure-tls-bootstrap-client"
+            The status should be success
+        End
+
+        It 'normalizes a version without leading v to match the artifact filename'
+            ln() { echo "mock ln $*" >&2; }
+            getSystemdArch() { echo "x86-64"; }
+            test() { [ "$1" = -f ] && return 0; return 1; }
+            Mock systemd-sysext
+                echo "mock systemd-sysext $*" >&2
+            End
+            When call installSecureTLSBootstrapClientSysext "1.1.3-2-azlinux3"
+            The error should include "/opt/aks-secure-tls-bootstrap-client/downloads/aks-secure-tls-bootstrap-client-v1.1.3-2-azlinux3-x86-64.raw"
+            The error should not include "vv1.1.3"
+            The status should be success
+        End
+
+        It 'returns ERR_ORAS_PULL_SYSEXT_FAIL when the downloaded sysext file is missing'
+            getSystemdArch() { echo "x86-64"; }
+            test() { return 1; }
+            ERR_ORAS_PULL_SYSEXT_FAIL=231
+            When call installSecureTLSBootstrapClientSysext "v1.1.3-2-azlinux3"
+            The output should include "Failed to find downloaded aks-secure-tls-bootstrap-client sysext at /opt/aks-secure-tls-bootstrap-client/downloads/aks-secure-tls-bootstrap-client-v1.1.3-2-azlinux3-x86-64.raw"
+            The status should be failure
+        End
+    End
+
     Describe 'cleanUpGPUDrivers'
         It 'removes GPU directories'
             rm() {