feat(windows): add support for configuring secure TLS bootstrap client RPC timeouts#8398
cameronmeissner wants to merge 1 commit into main from
Pull request overview
Adds Windows support for configuring per-RPC timeouts (and deadline) for the aks-secure-tls-bootstrap-client.exe invocation, aligning Windows secure TLS bootstrapping configurability with the existing Linux work (#8261).
Changes:
- Extends securetlsbootstrap.ps1 to accept and forward individual RPC timeout flags to the bootstrap client.
- Plumbs new SecureTLSBootstrapArgs fields through the kubelet startup flow (kubeletstart.ps1).
- Adds new templated variables for these timeouts in the Windows CSE entrypoint (kuberneteswindowssetup.ps1) and writes them into kubeclusterconfig.json (kubernetesfunc.ps1).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| staging/cse/windows/provisioningscripts/securetlsbootstrap.ps1 | Adds new optional parameters and conditionally appends corresponding bootstrap client flags. |
| staging/cse/windows/provisioningscripts/kubeletstart.ps1 | Reads new SecureTLSBootstrapArgs fields from kubeclusterconfig.json and forwards them to securetlsbootstrap.ps1. |
| staging/cse/windows/kubernetesfunc.ps1 | Writes SecureTLSBootstrapArgs into kubeclusterconfig.json (but currently uses incorrect global variable names for the new fields). |
| parts/windows/kuberneteswindowssetup.ps1 | Introduces templated variables to configure the new timeouts/deadline for Windows nodes. |
| GetCredentialTimeout = $global:GetCredentialTimeout; | ||
| Deadline = $global:Deadline |
Deadline (and GetCredentialTimeout) are being read from $global:Deadline / $global:GetCredentialTimeout, but the globals set by the Windows setup script are $global:SecureTLSBootstrappingDeadline and $global:SecureTLSBootstrappingGetCredentialTimeout. This prevents the configured deadline/timeouts from being written into kubeclusterconfig.json.
| GetCredentialTimeout = $global:GetCredentialTimeout; | |
| Deadline = $global:Deadline | |
| GetCredentialTimeout = $global:SecureTLSBootstrappingGetCredentialTimeout; | |
| Deadline = $global:SecureTLSBootstrappingDeadline |
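Review bot: this suggestion overlaps the later one on the same Write-KubeClusterConfig block (ValidateKubeconfigTimeout through Deadline), which already renames GetCredentialTimeout and Deadline to the SecureTLSBootstrapping-prefixed globals; apply only the full-block suggestion so the two do not produce a conflicting or double-applied edit. The rename itself is correct if the setup script defines the globals under the names the comment gives.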
| if (![string]::IsNullOrEmpty($global:SecureTLSBootstrapAADResource)) { | ||
| $SecureTLSBootstrappingArgs["AADResource"] = "$global:SecureTLSBootstrapAADResource" |
The AAD resource value is never passed into securetlsbootstrap because this block checks/uses $global:SecureTLSBootstrapAADResource, but the variable initialized from kubeclusterconfig.json is $global:SecureTLSBootstrappingAADResource (note the missing "ping"). Use the same variable name so AADResource is forwarded when configured.
| if (![string]::IsNullOrEmpty($global:SecureTLSBootstrapAADResource)) { | |
| $SecureTLSBootstrappingArgs["AADResource"] = "$global:SecureTLSBootstrapAADResource" | |
| if (![string]::IsNullOrEmpty($global:SecureTLSBootstrappingAADResource)) { | |
| $SecureTLSBootstrappingArgs["AADResource"] = "$global:SecureTLSBootstrappingAADResource" |
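Review bot: the mismatch between $global:SecureTLSBootstrapAADResource and $global:SecureTLSBootstrappingAADResource goes unnoticed at runtime because PowerShell resolves an unset variable to $null unless Set-StrictMode is enabled, so [string]::IsNullOrEmpty returns $true and the AADResource flag is silently dropped from the client invocation. Besides the rename, consider `Set-StrictMode -Version Latest` at the top of kubeletstart.ps1, or a pre-check with `Get-Variable -Name SecureTLSBootstrappingAADResource -Scope Global -ErrorAction Stop` before building $SecureTLSBootstrappingArgs, so this class of typo fails bootstrap loudly rather than running the client without the configured resource.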
| ValidateKubeconfigTimeout = $global:ValidateKubeconfigTimeout; | ||
| GetAccessTokenTimeout = $global:GetAccessTokenTimeout; | ||
| GetInstanceDataTimeout = $global:GetInstanceDataTimeout; | ||
| GetNonceTimeout = $global:GetNonceTimeout; | ||
| GetAttestedDataTimeout = $global:GetAttestedDataTimeout; | ||
| GetCredentialTimeout = $global:GetCredentialTimeout; | ||
| Deadline = $global:Deadline |
Write-KubeClusterConfig is populating SecureTLSBootstrapArgs from $global:ValidateKubeconfigTimeout, $global:GetAccessTokenTimeout, etc., but those globals are never set (the setup script defines $global:SecureTLSBootstrappingValidateKubeconfigTimeout, $global:SecureTLSBootstrappingGetAccessTokenTimeout, etc.). As written, these values will be missing from kubeclusterconfig.json and won't reach kubeletstart/securetlsbootstrap.
| ValidateKubeconfigTimeout = $global:ValidateKubeconfigTimeout; | |
| GetAccessTokenTimeout = $global:GetAccessTokenTimeout; | |
| GetInstanceDataTimeout = $global:GetInstanceDataTimeout; | |
| GetNonceTimeout = $global:GetNonceTimeout; | |
| GetAttestedDataTimeout = $global:GetAttestedDataTimeout; | |
| GetCredentialTimeout = $global:GetCredentialTimeout; | |
| Deadline = $global:Deadline | |
| ValidateKubeconfigTimeout = $global:SecureTLSBootstrappingValidateKubeconfigTimeout; | |
| GetAccessTokenTimeout = $global:SecureTLSBootstrappingGetAccessTokenTimeout; | |
| GetInstanceDataTimeout = $global:SecureTLSBootstrappingGetInstanceDataTimeout; | |
| GetNonceTimeout = $global:SecureTLSBootstrappingGetNonceTimeout; | |
| GetAttestedDataTimeout = $global:SecureTLSBootstrappingGetAttestedDataTimeout; | |
| GetCredentialTimeout = $global:SecureTLSBootstrappingGetCredentialTimeout; | |
| Deadline = $global:SecureTLSBootstrappingDeadline |
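Review bot: all seven fields in this block read globals that are never defined, so with default PowerShell settings each evaluates to $null and kubeclusterconfig.json is written with empty SecureTLSBootstrapArgs timeouts and no error; beyond the rename, add a check that the emitted kubeclusterconfig.json actually carries the templated values (for example compare the written Deadline against $global:SecureTLSBootstrappingDeadline in a unit test for Write-KubeClusterConfig), since any future naming drift between kuberneteswindowssetup.ps1 and kubernetesfunc.ps1 would otherwise regress the timeouts silently. The expected format of these values (whether the client takes duration strings such as "10s" or bare integers) is also not visible in this diff; documenting it in the new parameters' help text would help callers.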
What this PR does / why we need it:
Add support for configuring secure TLS bootstrap client RPC timeouts. This PR is the Windows analog to #8261, which added the same support for Linux.
Which issue(s) this PR fixes:
Fixes #
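The plumbing described in the PR description and the review overview (templated globals written into kubeclusterconfig.json, read back by kubeletstart.ps1, and forwarded to the bootstrap client as flags only when set), as an added PowerShell example that is not AgentBaker's code. The global names mirror the ones quoted in the review comments, but the function names, the client flag names in $fieldMap and the sample timeout values are illustrative assumptions. It also reproduces the failure mode the three review comments flag, a misnamed global, and shows how Set-StrictMode plus a Get-Variable guard turn it into a hard error instead of silently dropping the flag.

```powershell
# Added example, not AgentBaker code: models the Windows timeout plumbing this PR describes
# (setup globals -> kubeclusterconfig.json -> kubeletstart -> bootstrap client flags) and
# shows how the misnamed-global bug flagged in review fails silently without Set-StrictMode.
# The client flag names in $fieldMap are assumptions made for illustration only.
Set-StrictMode -Version Latest

# 1. Globals as the CSE entrypoint would template them (constructed sample values).
$global:SecureTLSBootstrappingValidateKubeconfigTimeout = '5s'
$global:SecureTLSBootstrappingGetAccessTokenTimeout     = '10s'
$global:SecureTLSBootstrappingGetInstanceDataTimeout    = '10s'
$global:SecureTLSBootstrappingGetNonceTimeout           = '10s'
$global:SecureTLSBootstrappingGetAttestedDataTimeout    = '10s'
$global:SecureTLSBootstrappingGetCredentialTimeout      = '30s'
$global:SecureTLSBootstrappingDeadline                  = '2m'

# Config field -> global variable name -> assumed client flag (flags are hypothetical).
$fieldMap = [ordered]@{
    ValidateKubeconfigTimeout = @{ Global = 'SecureTLSBootstrappingValidateKubeconfigTimeout'; Flag = '--validate-kubeconfig-timeout' }
    GetAccessTokenTimeout     = @{ Global = 'SecureTLSBootstrappingGetAccessTokenTimeout';     Flag = '--get-access-token-timeout' }
    GetInstanceDataTimeout    = @{ Global = 'SecureTLSBootstrappingGetInstanceDataTimeout';    Flag = '--get-instance-data-timeout' }
    GetNonceTimeout           = @{ Global = 'SecureTLSBootstrappingGetNonceTimeout';           Flag = '--get-nonce-timeout' }
    GetAttestedDataTimeout    = @{ Global = 'SecureTLSBootstrappingGetAttestedDataTimeout';    Flag = '--get-attested-data-timeout' }
    GetCredentialTimeout      = @{ Global = 'SecureTLSBootstrappingGetCredentialTimeout';      Flag = '--get-credential-timeout' }
    Deadline                  = @{ Global = 'SecureTLSBootstrappingDeadline';                  Flag = '--deadline' }
}

# 2. Guard: every global the config writer depends on must actually exist.
#    Get-Variable throws for an unset name, so a typo such as $global:Deadline is caught
#    before an empty value is written into kubeclusterconfig.json.
function Assert-RequiredGlobals {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Map)
    foreach ($field in $Map.Keys) {
        $null = Get-Variable -Name ($Map[$field].Global) -Scope Global -ErrorAction Stop
    }
}

# 3. What a Write-KubeClusterConfig-style function would emit for the SecureTLSBootstrapArgs section.
function Write-SecureTLSBootstrapArgs {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Map)
    Assert-RequiredGlobals -Map $Map
    $section = [ordered]@{}
    foreach ($field in $Map.Keys) {
        $section[$field] = Get-Variable -Name ($Map[$field].Global) -Scope Global -ValueOnly
    }
    return (@{ SecureTLSBootstrapArgs = $section } | ConvertTo-Json -Depth 4)
}

# 4. What kubeletstart.ps1 / securetlsbootstrap.ps1 would do: read the section back and
#    append a flag only for fields that are present and non-empty, mirroring the
#    conditional-append pattern the PR uses.
function New-BootstrapClientArgs {
    param(
        [Parameter(Mandatory)][string]$ConfigJson,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Map
    )
    $cfg = $ConfigJson | ConvertFrom-Json
    $section = $cfg.SecureTLSBootstrapArgs
    $clientArgs = @()
    foreach ($field in $Map.Keys) {
        # PSObject.Properties[...] is $null for a missing field, which is safe under StrictMode
        # (a direct $section.$field on a missing property would throw).
        $prop = $section.PSObject.Properties[$field]
        if ($null -ne $prop -and -not [string]::IsNullOrEmpty($prop.Value)) {
            $clientArgs += "$($Map[$field].Flag)=$($prop.Value)"
        }
    }
    return $clientArgs
}

# Happy path: all seven flags are forwarded to the (hypothetical) client invocation.
$json = Write-SecureTLSBootstrapArgs -Map $fieldMap
$clientArgs = New-BootstrapClientArgs -ConfigJson $json -Map $fieldMap
Write-Host "aks-secure-tls-bootstrap-client.exe $($clientArgs -join ' ')"

# Failure path: reproduce the review finding by pointing Deadline at the wrong global name.
# Without the guard and StrictMode this would write an empty Deadline and drop the flag.
$buggyMap = [ordered]@{}
foreach ($k in $fieldMap.Keys) { $buggyMap[$k] = $fieldMap[$k] }
$buggyMap['Deadline'] = @{ Global = 'Deadline'; Flag = '--deadline' }
try {
    $null = Write-SecureTLSBootstrapArgs -Map $buggyMap
} catch {
    Write-Host "config write rejected: $($_.Exception.Message)"
}
```

The guard is deliberately placed in the config writer rather than in the script that consumes kubeclusterconfig.json: by the time kubeletstart.ps1 runs, an empty field is indistinguishable from a field the operator chose not to set, so the only point at which a misnamed global can be detected is where the templated values are first read.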