-
Notifications
You must be signed in to change notification settings - Fork 251
feat(rcv1p): unify cert bootstrap flow and add Windows CA refresh task #8096
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
rchincha
wants to merge
51
commits into
main
Choose a base branch
from
origin/rchinchani/rcv1p-2
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
51 commits
Select commit
Hold shift + click to select a range
daea5db
feat: bump windows image version for 2026-03B (#8074)
aks-node-assistant[bot] 565657e
feat(rcv1p): unify cert bootstrap flow and add Windows CA refresh task
f6a3b37
feat: enhance CA certificates refresh task with endpoint mode based o…
d20ae96
feat: add tests for certificate endpoint mode handling in AKS custom …
cb6feb8
feat: simplify certificate endpoint mode handling and refresh task re…
fe82404
feat: implement conditional CA certificates refresh task registration…
31580f7
feat: enhance CA certificates refresh task registration for legacy CS…
ef38f91
feat: update tests for certificate endpoint mode handling and refresh…
1c4eb30
feat: refactor test setup functions for improved readability and cons…
8de2420
feat: update Get-CustomCloudCertEndpointModeFromLocation to clarify e…
bcc496e
feat: enhance tests for Should-InstallCACertificatesRefreshTask and G…
06efc8e
feat: update cse_cmd.sh and cse_cmd.sh.gtpl to ensure consistent logg…
38a74b8
feat: update CA certificates functions for backward compatibility wit…
c8751d4
feat: remove deprecated Ubuntu repository initialization logic from i…
43e3e1c
Split init-aks-custom-cloud.sh to fix Flatcar/ACL customData size limit
9a46910
feat(e2e): add RCV1P cert mode end-to-end tests
32e80ea
Address PR review feedback: fix multi-subscription, validation, and e…
75338c9
Add Windows not-opted-in negative test for RCV1P cert mode
164d5c6
e2e: add VM instance-level tag update for RCV1P wireserver opt-in
eb47c45
e2e: use JSON injection for VM profile tags at VMSS creation time
6cd1b6b
e2e: use lightweight PATCH for VM instance tags instead of JSON injec…
33f2cd2
Revert "e2e: use lightweight PATCH for VM instance tags instead of JS…
ae25575
e2e: use Microsoft.Resources/tags API for VM instance tag patching
1039e7d
e2e: use BeginUpdate + deferred CSE for VM instance tagging
597a523
e2e: add feature flag check for RCV1P subscription
54e4111
REVERT ME: poll wireserver IsOptedInForRootCerts with retry loop
d59b611
e2e: remove VM instance tagging and CSE deferral — VMSS tags are inhe…
bf3b006
e2e: always log PlatformSettingsOverride feature flag status
da6f852
fix: parse wireserver IsOptedInForRootCerts JSON response with jq
9fd2a4c
fix(windows): parse wireserver IsOptedInForRootCerts JSON with Conver…
8189ca7
e2e: log VMSS and VM instance tags with resource IDs after creation
a10cc42
e2e: make RCV1P_SUBSCRIPTION_ID optional with feature flag auto-detec…
2bc7a70
e2e: always collect Windows CSE logs (not just on failure)
b330111
fix: add wireserver HTTP error diagnostic logging for cert endpoints
ba9d9cc
e2e: use testDir() for Windows CSE output log path consistency
6cb27c5
fix(e2e): filter CSE extension to fix empty Windows CSE log files
1b89b8a
fix(e2e): re-fetch VM instance view for fresh CSE extension status
5da27b7
e2e: trim whitespace from RCV1P_SUBSCRIPTION_ID to fix gating
29be2c6
e2e: add gen2 Windows RCV1P tests, fix Windows2025 TrustedLaunch
3525706
e2e: switch RCV1P tests to Azure CNI Overlay to fix IP exhaustion
6e92ae5
e2e: revert RCV1P from overlay back to kubenet
8cbb6f8
REVERT ME: use dedicated kubenet cluster for RCV1P tests
a4b005f
REVERT ME: use Azure CNI cluster for Windows RCV1P tests
50b4189
REVERT ME: add wireserver endpoint diagnostics to Windows RCV1P valid…
eae935c
fix: use correct wireserver JSON field name for rcv1p cert download
7fba23b
REVERT ME: add azcopy error logging to Windows log collection
d467ca7
REVERT ME: enable verbose test output for azcopy/wireserver diagnostics
d0a9d98
REVERT ME: use branch-built CSE zip for Windows RCV1P E2E tests
59901f6
REVERT ME: canary check to prove whether SSH validators are broken
31f9a3c
Remove canary check - validators confirmed working
47e5bbb
fix: make wireserver cert retrieval failures fatal on Linux
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| name: $(Date:yyyyMMdd)$(Rev:.r) | ||
| variables: | ||
| TAGS_TO_RUN: "rcv1pcertmode=true" | ||
| SKIP_E2E_TESTS: false | ||
| E2E_GO_TEST_TIMEOUT: "75m" | ||
| schedules: | ||
| - cron: "0 11 * * *" | ||
| displayName: Daily 3am PST | ||
| branches: | ||
| include: | ||
| - main | ||
| always: true | ||
| trigger: none | ||
| pr: none | ||
| jobs: | ||
| - template: ./templates/e2e-template.yaml | ||
| parameters: | ||
| name: RCV1P Cert Mode Tests | ||
| IgnoreScenariosWithMissingVhd: false |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -35,6 +35,7 @@ VHD_BUILD_ID="${VHD_BUILD_ID:-}" | |
| IGNORE_SCENARIOS_WITH_MISSING_VHD="${IGNORE_SCENARIOS_WITH_MISSING_VHD:-}" | ||
| LOGGING_DIR="${LOGGING_DIR:-}" | ||
| E2E_SUBSCRIPTION_ID="${E2E_SUBSCRIPTION_ID:-}" | ||
| RCV1P_SUBSCRIPTION_ID="${RCV1P_SUBSCRIPTION_ID:-}" | ||
| ENABLE_SECURE_TLS_BOOTSTRAPPING="${ENABLE_SECURE_TLS_BOOTSTRAPPING:-true}" | ||
| TAGS_TO_SKIP="${TAGS_TO_SKIP:-}" | ||
| TAGS_TO_RUN="${TAGS_TO_RUN:-}" | ||
|
|
@@ -47,6 +48,7 @@ echo "VHD_BUILD_ID: ${VHD_BUILD_ID}" | |
| echo "IGNORE_SCENARIOS_WITH_MISSING_VHD: ${IGNORE_SCENARIOS_WITH_MISSING_VHD}" | ||
| echo "LOGGING_DIR: ${LOGGING_DIR}" | ||
| echo "E2E_SUBSCRIPTION_ID: ${E2E_SUBSCRIPTION_ID}" | ||
| echo "RCV1P_SUBSCRIPTION_ID: ${RCV1P_SUBSCRIPTION_ID}" | ||
| echo "ENABLE_SECURE_TLS_BOOTSTRAPPING: ${ENABLE_SECURE_TLS_BOOTSTRAPPING}" | ||
| echo "TAGS_TO_SKIP: ${TAGS_TO_SKIP}" | ||
| echo "TAGS_TO_RUN: ${TAGS_TO_RUN}" | ||
|
|
@@ -95,10 +97,11 @@ tar -xzf "$temp_file" -C bin | |
| chmod +x bin/gotestsum | ||
| rm -f "$temp_file" | ||
|
|
||
| # REVERT ME: added -v to see t.Logf output from passing tests (azcopy/wireserver diagnostics) | ||
| # gotestsum configure to only show logs for failed tests, json file for detailed logs | ||
| # Run the tests! Yey! | ||
| test_exit_code=0 | ||
| ./bin/gotestsum --format testdox --junitfile "${BUILD_SRC_DIR}/e2e/report.xml" --jsonfile "${BUILD_SRC_DIR}/e2e/test-log.json" -- -parallel 60 -timeout "${E2E_GO_TEST_TIMEOUT}" || test_exit_code=$? | ||
| ./bin/gotestsum --format testdox --junitfile "${BUILD_SRC_DIR}/e2e/report.xml" --jsonfile "${BUILD_SRC_DIR}/e2e/test-log.json" -- -v -parallel 60 -timeout "${E2E_GO_TEST_TIMEOUT}" || test_exit_code=$? | ||
|
|
||
|
Comment on lines
+100
to
105
|
||
| # Upload test results as Azure DevOps artifacts | ||
| echo "##vso[artifact.upload containerfolder=test-results;artifactname=e2e-test-log]${BUILD_SRC_DIR}/e2e/test-log.json" | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -1,6 +1,7 @@ | ||||||||||||||||
| echo $(date),$(hostname) > ${PROVISION_OUTPUT}; | ||||||||||||||||
| {{if getIsAksCustomCloud .CustomCloudConfig}} | ||||||||||||||||
| REPO_DEPOT_ENDPOINT="{{.CustomCloudConfig.RepoDepotEndpoint}}" | ||||||||||||||||
| {{getInitAKSCustomCloudFilepath}} >> /var/log/azure/cluster-provision.log 2>&1; | ||||||||||||||||
| {{end}} | ||||||||||||||||
| LOCATION="{{getCloudLocation .}}" | ||||||||||||||||
|
rchincha marked this conversation as resolved.
|
||||||||||||||||
| LOCATION="{{getCloudLocation .}}" | |
| export LOCATION="{{getCloudLocation .}}" |
Comment on lines
4
to
+6
Copilot
AI
Mar 26, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
{{getInitAKSCustomCloudFilepath}} is executed even when getIsAksCustomCloud is false, which would run the custom-cloud init logic (repo/chrony/cert refresh) on all clusters. Also LOCATION is assigned but not exported, so the init script won’t receive it when executed as a child process. Move export LOCATION=... and the init script invocation back under the {{if getIsAksCustomCloud ...}} block (or pass location as an argument).
Suggested change
| {{end}} | |
| LOCATION="{{getCloudLocation .}}" | |
| {{getInitAKSCustomCloudFilepath}} >> /var/log/azure/cluster-provision.log 2>&1; | |
| LOCATION="{{getCloudLocation .}}" | |
| export LOCATION | |
| {{getInitAKSCustomCloudFilepath}} >> /var/log/azure/cluster-provision.log 2>&1; | |
| {{end}} |
Comment on lines
2
to
+6
Copilot
AI
Apr 16, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LOCATION (and REPO_DEPOT_ENDPOINT) are set but not exported before running init-aks-custom-cloud.sh. Because the init script runs in a separate process, it won’t see these variables unless exported (or passed as explicit args), which can break cert mode selection and repo depot/chrony initialization.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -299,22 +299,23 @@ func getFirewall(ctx context.Context, location, firewallSubnetID, publicIPID str | |
| } | ||
|
|
||
| func addFirewallRules( | ||
| ctx context.Context, clusterModel *armcontainerservice.ManagedCluster, | ||
| ctx context.Context, infra *ClusterInfra, clusterModel *armcontainerservice.ManagedCluster, | ||
| ) error { | ||
| location := *clusterModel.Location | ||
| defer toolkit.LogStepCtx(ctx, "adding firewall rules")() | ||
|
|
||
| rg := *clusterModel.Properties.NodeResourceGroup | ||
| vnet, err := getClusterVNet(ctx, rg) | ||
| vnet, err := getClusterVNet(ctx, infra, rg) | ||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| // For kubenet, the AKS-managed route table must stay attached so that pod | ||
| // routes (managed by cloud-provider-azure) and firewall routes coexist. | ||
| // For Azure CNI variants, the subnet may not have any route table, so we | ||
| // create and associate a dedicated one before adding the firewall routes. | ||
| aksSubnetResp, err := config.Azure.Subnet.Get(ctx, rg, vnet.name, "aks-subnet", nil) | ||
| // Find the AKS-managed route table currently associated with the subnet. | ||
| // We add firewall routes directly to this table so that both pod routes | ||
| // (managed by cloud-provider-azure) and firewall routes coexist. Creating | ||
| // a separate route table and swapping the subnet association disconnects | ||
| // the pod routes and breaks kubenet networking. | ||
| aksSubnetResp, err := infra.Azure.Subnet.Get(ctx, rg, vnet.name, "aks-subnet", nil) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to get AKS subnet: %w", err) | ||
| } | ||
|
|
@@ -332,7 +333,7 @@ func addFirewallRules( | |
| } | ||
|
|
||
| toolkit.Logf(ctx, "Creating subnet %s in VNet %s", firewallSubnetName, vnet.name) | ||
| subnetPoller, err := config.Azure.Subnet.BeginCreateOrUpdate( | ||
| subnetPoller, err := infra.Azure.Subnet.BeginCreateOrUpdate( | ||
| ctx, | ||
| rg, | ||
| vnet.name, | ||
|
|
@@ -365,7 +366,7 @@ func addFirewallRules( | |
| } | ||
|
|
||
| toolkit.Logf(ctx, "Creating public IP %s", publicIPName) | ||
| pipPoller, err := config.Azure.PublicIPAddresses.BeginCreateOrUpdate( | ||
| pipPoller, err := infra.Azure.PublicIPAddresses.BeginCreateOrUpdate( | ||
| ctx, | ||
| rg, | ||
| publicIPName, | ||
|
|
@@ -386,7 +387,7 @@ func addFirewallRules( | |
|
|
||
| firewallName := "abe2e-fw" | ||
| firewall := getFirewall(ctx, location, firewallSubnetID, publicIPID) | ||
| fwPoller, err := config.Azure.AzureFirewall.BeginCreateOrUpdate(ctx, rg, firewallName, *firewall, nil) | ||
| fwPoller, err := infra.Azure.AzureFirewall.BeginCreateOrUpdate(ctx, rg, firewallName, *firewall, nil) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to start Firewall creation: %w", err) | ||
| } | ||
|
|
@@ -432,7 +433,7 @@ func addFirewallRules( | |
|
|
||
| for _, route := range firewallRoutes { | ||
| toolkit.Logf(ctx, "Adding route %q to AKS route table %q", *route.Name, aksRTName) | ||
| poller, err := config.Azure.Routes.BeginCreateOrUpdate(ctx, rg, aksRTName, *route.Name, route, nil) | ||
| poller, err := infra.Azure.Routes.BeginCreateOrUpdate(ctx, rg, aksRTName, *route.Name, route, nil) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to start adding route %q: %w", *route.Name, err) | ||
| } | ||
|
|
@@ -510,7 +511,7 @@ func addPrivateAzureContainerRegistry(ctx context.Context, cluster *armcontainer | |
| if err := createPrivateAzureContainerRegistryPullSecret(ctx, cluster, kube, resourceGroupName, isNonAnonymousPull); err != nil { | ||
| return fmt.Errorf("create private acr pull secret: %w", err) | ||
| } | ||
| vnet, err := getClusterVNet(ctx, *cluster.Properties.NodeResourceGroup) | ||
| vnet, err := getClusterVNet(ctx, DefaultClusterInfra, *cluster.Properties.NodeResourceGroup) | ||
|
||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
@@ -531,7 +532,7 @@ func addNetworkIsolatedSettings(ctx context.Context, clusterModel *armcontainers | |
| location := *clusterModel.Location | ||
| defer toolkit.LogStepCtx(ctx, fmt.Sprintf("Adding network settings for network isolated cluster %s in rg %s", *clusterModel.Name, *clusterModel.Properties.NodeResourceGroup)) | ||
|
|
||
| vnet, err := getClusterVNet(ctx, *clusterModel.Properties.NodeResourceGroup) | ||
| vnet, err := getClusterVNet(ctx, DefaultClusterInfra, *clusterModel.Properties.NodeResourceGroup) | ||
|
||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
@@ -678,7 +679,7 @@ func createPrivateAzureContainerRegistry(ctx context.Context, cluster *armcontai | |
| } | ||
| // if ACR gets recreated so should the cluster | ||
| toolkit.Logf(ctx, "Private ACR deleted, deleting cluster %s", *cluster.Name) | ||
| if err := deleteCluster(ctx, *cluster.Name, resourceGroup); err != nil { | ||
| if err := deleteCluster(ctx, DefaultClusterInfra, *cluster.Name, resourceGroup); err != nil { | ||
| return fmt.Errorf("failed to delete cluster: %w", err) | ||
| } | ||
| } else { | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pipeline test runner now forces
go test -v(explicitly markedREVERT ME). This will significantly increase log volume for all E2E runs and can slow CI / inflate artifact sizes. Please remove this or gate it behind an env var (e.g.,E2E_VERBOSE=true) before merging.