From cee5e28d7e8328270853c6c18895baa462133923 Mon Sep 17 00:00:00 2001
From: Cameron Meissner
Date: Fri, 24 Apr 2026 12:40:46 -0700
Subject: [PATCH] feat(windows): add support for configuring secure TLS bootstrap client RPC timeouts
---
 parts/windows/kuberneteswindowssetup.ps1 | 8 +++-
 staging/cse/windows/kubernetesfunc.ps1 | 14 ++++-
 .../provisioningscripts/kubeletstart.ps1 | 32 +++++++++++-
 .../securetlsbootstrap.ps1 | 45 +++++++++++++++++-
 4 files changed, 87 insertions(+), 12 deletions(-)
diff --git a/parts/windows/kuberneteswindowssetup.ps1 b/parts/windows/kuberneteswindowssetup.ps1
index f7506c68db6..14b67334d5f 100644
--- a/parts/windows/kuberneteswindowssetup.ps1
+++ b/parts/windows/kuberneteswindowssetup.ps1
@@ -180,10 +180,16 @@ $global:TLSBootstrapToken = "{{GetTLSBootstrapTokenForKubeConfig}}"
 # Secure TLS Bootstrap settings
 $global:EnableSecureTLSBootstrapping = [System.Convert]::ToBoolean("{{EnableSecureTLSBootstrapping}}");
-$global:SecureTLSBootstrappingDeadline = "{{GetSecureTLSBootstrappingDeadline}}";
 $global:SecureTLSBootstrappingAADResource = "{{GetSecureTLSBootstrappingAADResource}}";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "{{GetSecureTLSBootstrappingUserAssignedIdentityID}}";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "{{GetCustomSecureTLSBootstrappingClientDownloadURL}}";
+$global:SecureTLSBootstrappingValidateKubeconfigTimeout = "{{GetSecureTLSBootstrappingValidateKubeconfigTimeout}}";
+$global:SecureTLSBootstrappingGetAccessTokenTimeout = "{{GetSecureTLSBootstrappingGetAccessTokenTimeout}}";
+$global:SecureTLSBootstrappingGetInstanceDataTimeout = "{{GetSecureTLSBootstrappingGetInstanceDataTimeout}}";
+$global:SecureTLSBootstrappingGetNonceTimeout = "{{GetSecureTLSBootstrappingGetNonceTimeout}}";
+$global:SecureTLSBootstrappingGetAttestedDataTimeout = "{{GetSecureTLSBootstrappingGetAttestedDataTimeout}}";
+$global:SecureTLSBootstrappingGetCredentialTimeout = "{{GetSecureTLSBootstrappingGetCredentialTimeout}}";
+$global:SecureTLSBootstrappingDeadline = "{{GetSecureTLSBootstrappingDeadline}}";
 # uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
 # this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
diff --git a/staging/cse/windows/kubernetesfunc.ps1 b/staging/cse/windows/kubernetesfunc.ps1
index abdb0ff24d6..20ec303f285 100644
--- a/staging/cse/windows/kubernetesfunc.ps1
+++ b/staging/cse/windows/kubernetesfunc.ps1
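Review bot: The seven new template-substituted settings carry no indication of the value format they expect; the only hint on this page was the `"120s"` default that this commit removes from securetlsbootstrap.ps1. A one-line comment above the block, e.g. `# per-RPC timeouts and overall deadline passed to aks-secure-tls-bootstrap-client.exe; an empty value means the corresponding flag is not passed`, would spare the next reader a trip to the client's flag parsing. The format is presumably a duration string like the old default, so confirm against the client before stating it in the comment.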
@@ -126,10 +126,16 @@ function Write-KubeClusterConfig {
             NodeLabels = $global:KubeletNodeLabels;
             ConfigArgs = $global:KubeletConfigArgs
             SecureTLSBootstrapArgs = @{
-                Enabled = $global:EnableSecureTLSBootstrapping;
-                Deadline = $global:SecureTLSBootstrappingDeadline;
-                AADResource = $global:SecureTLSBootstrappingAADResource;
-                UserAssignedIdentityID = $global:SecureTLSBootstrappingUserAssignedIdentityID
+                Enabled = $global:EnableSecureTLSBootstrapping;
+                AADResource = $global:SecureTLSBootstrappingAADResource;
+                UserAssignedIdentityID = $global:SecureTLSBootstrappingUserAssignedIdentityID;
+                ValidateKubeconfigTimeout = $global:ValidateKubeconfigTimeout;
+                GetAccessTokenTimeout = $global:GetAccessTokenTimeout;
+                GetInstanceDataTimeout = $global:GetInstanceDataTimeout;
+                GetNonceTimeout = $global:GetNonceTimeout;
+                GetAttestedDataTimeout = $global:GetAttestedDataTimeout;
+                GetCredentialTimeout = $global:GetCredentialTimeout;
+                Deadline = $global:Deadline
             };
         };
         Kubeproxy = @{
diff --git a/staging/cse/windows/provisioningscripts/kubeletstart.ps1 b/staging/cse/windows/provisioningscripts/kubeletstart.ps1
index 1ffcc817693..894e45c5129 100644
--- a/staging/cse/windows/provisioningscripts/kubeletstart.ps1
+++ b/staging/cse/windows/provisioningscripts/kubeletstart.ps1
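Review bot: The seven new entries in SecureTLSBootstrapArgs read `$global:ValidateKubeconfigTimeout` … `$global:Deadline`, but the variables the template defines in kuberneteswindowssetup.ps1 (previous hunk) are `$global:SecureTLSBootstrappingValidateKubeconfigTimeout` … `$global:SecureTLSBootstrappingDeadline`, the same prefix the three surviving entries (Enabled, AADResource, UserAssignedIdentityID) use. Unless those unprefixed globals are set somewhere this page does not show, every timeout and the deadline are written to the cluster config as null, so the consumers added in kubeletstart.ps1 (next two hunks) see empty strings and never forward a single flag to the client. Since this commit also drops the `"120s"` default in securetlsbootstrap.ps1, the net effect would be a bootstrap run with no deadline at all. The fix is to use the prefixed names; `Deadline` in particular should go back to `$global:SecureTLSBootstrappingDeadline`, which is what the removed line used.
```powershell
            SecureTLSBootstrapArgs = @{
                # … unchanged: Enabled, AADResource, UserAssignedIdentityID …
                ValidateKubeconfigTimeout = $global:SecureTLSBootstrappingValidateKubeconfigTimeout;
                GetAccessTokenTimeout = $global:SecureTLSBootstrappingGetAccessTokenTimeout;
                GetInstanceDataTimeout = $global:SecureTLSBootstrappingGetInstanceDataTimeout;
                GetNonceTimeout = $global:SecureTLSBootstrappingGetNonceTimeout;
                GetAttestedDataTimeout = $global:SecureTLSBootstrappingGetAttestedDataTimeout;
                GetCredentialTimeout = $global:SecureTLSBootstrappingGetCredentialTimeout;
                Deadline = $global:SecureTLSBootstrappingDeadline
            };
```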
@@ -16,9 +16,15 @@ $global:KubeletNodeLabels = $Global:ClusterConfiguration.Kubernetes.Kubelet.Node
 $global:IsSkipCleanupNetwork = [System.Convert]::ToBoolean($Global:ClusterConfiguration.Services.IsSkipCleanupNetwork)
 $global:EnableSecureTLSBootstrapping = [System.Convert]::ToBoolean($Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.Enabled)
-$global:SecureTLSBootstrappingDeadline = $Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.Deadline
 $global:SecureTLSBootstrappingAADResource = $Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.AADResource
 $global:SecureTLSBootstrappingUserAssignedIdentityID = $Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.UserAssignedIdentityID
+$global:SecureTLSBootstrappingValidateKubeconfigTimeout = $Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.ValidateKubeconfigTimeout
+$global:SecureTLSBootstrappingGetAccessTokenTimeout = $Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.GetAccessTokenTimeout
+$global:SecureTLSBootstrappingGetInstanceDataTimeout = $Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.GetInstanceDataTimeout
+$global:SecureTLSBootstrappingGetNonceTimeout = $Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.GetNonceTimeout
+$global:SecureTLSBootstrappingGetAttestedDataTimeout = $Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.GetAttestedDataTimeout
+$global:SecureTLSBootstrappingGetCredentialTimeout = $Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.GetCredentialTimeout
+$global:SecureTLSBootstrappingDeadline = $Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.Deadline
 $global:AzureCNIDir = [Io.path]::Combine("$global:KubeDir", "azurecni")
 $global:AzureCNIBinDir = [Io.path]::Combine("$global:AzureCNIDir", "bin")
@@ -108,15 +114,33 @@ if ($global:EnableSecureTLSBootstrapping) {
         KubeDir = "$global:KubeDir"
         MasterIP = "$global:MasterIP"
     }
-    if (![string]::IsNullOrEmpty($global:SecureTLSBootstrappingDeadline)) {
-        $SecureTLSBootstrappingArgs["Deadline"] = "$global:SecureTLSBootstrappingDeadline"
-    }
     if (![string]::IsNullOrEmpty($global:SecureTLSBootstrapAADResource)) {
         $SecureTLSBootstrappingArgs["AADResource"] = "$global:SecureTLSBootstrapAADResource"
     }
     if (![string]::IsNullOrEmpty($global:SecureTLSBootstrappingUserAssignedIdentityID)) {
         $SecureTLSBootstrappingArgs["UserAssignedIdentityID"] = "$global:SecureTLSBootstrappingUserAssignedIdentityID"
     }
+    if (![string]::IsNullOrEmpty($global:SecureTLSBootstrappingValidateKubeconfigTimeout)) {
+        $SecureTLSBootstrappingArgs["ValidateKubeconfigTimeout"] = "$global:SecureTLSBootstrappingValidateKubeconfigTimeout"
+    }
+    if (![string]::IsNullOrEmpty($global:SecureTLSBootstrappingGetAccessTokenTimeout)) {
+        $SecureTLSBootstrappingArgs["GetAccessTokenTimeout"] = "$global:SecureTLSBootstrappingGetAccessTokenTimeout"
+    }
+    if (![string]::IsNullOrEmpty($global:SecureTLSBootstrappingGetInstanceDataTimeout)) {
+        $SecureTLSBootstrappingArgs["GetInstanceDataTimeout"] = "$global:SecureTLSBootstrappingGetInstanceDataTimeout"
+    }
+    if (![string]::IsNullOrEmpty($global:SecureTLSBootstrappingGetNonceTimeout)) {
+        $SecureTLSBootstrappingArgs["GetNonceTimeout"] = "$global:SecureTLSBootstrappingGetNonceTimeout"
+    }
+    if (![string]::IsNullOrEmpty($global:SecureTLSBootstrappingGetAttestedDataTimeout)) {
+        $SecureTLSBootstrappingArgs["GetAttestedDataTimeout"] = "$global:SecureTLSBootstrappingGetAttestedDataTimeout"
+    }
+    if (![string]::IsNullOrEmpty($global:SecureTLSBootstrappingGetCredentialTimeout)) {
+        $SecureTLSBootstrappingArgs["GetCredentialTimeout"] = "$global:SecureTLSBootstrappingGetCredentialTimeout"
+    }
+    if (![string]::IsNullOrEmpty($global:SecureTLSBootstrappingDeadline)) {
+        $SecureTLSBootstrappingArgs["Deadline"] = "$global:SecureTLSBootstrappingDeadline"
+    }
     & "c:\k\securetlsbootstrap.ps1" @SecureTLSBootstrappingArgs
 }
diff --git a/staging/cse/windows/provisioningscripts/securetlsbootstrap.ps1 b/staging/cse/windows/provisioningscripts/securetlsbootstrap.ps1
index 31417671ccc..a82dead39f8 100644
--- a/staging/cse/windows/provisioningscripts/securetlsbootstrap.ps1
+++ b/staging/cse/windows/provisioningscripts/securetlsbootstrap.ps1
@@ -18,7 +18,19 @@ Param(
     [Parameter(Mandatory=$false)][string]
     $LogFilePath = [Io.path]::Combine("$KubeDir", "secure-tls-bootstrap.log"),
     [Parameter(Mandatory=$false)][string]
-    $Deadline = "120s" # default deadline of 2 minutes
+    $ValidateKubeconfigTimeout = "",
+    [Parameter(Mandatory=$false)][string]
+    $GetAccessTokenTimeout = "",
+    [Parameter(Mandatory=$false)][string]
+    $GetInstanceDataTimeout = "",
+    [Parameter(Mandatory=$false)][string]
+    $GetNonceTimeout = "",
+    [Parameter(Mandatory=$false)][string]
+    $GetAttestedDataTimeout = "",
+    [Parameter(Mandatory=$false)][string]
+    $GetCredentialTimeout = "",
+    [Parameter(Mandatory=$false)][string]
+    $Deadline = ""
 )
 $global:BootstrapClientPath = [Io.path]::Combine("$KubeDir", "aks-secure-tls-bootstrap-client.exe")
@@ -46,14 +58,41 @@ $BootstrapClientArgList = @(
     "--cloud-provider-config=$AzureConfigPath",
     "--cert-dir=$CertDir",
     "--kubeconfig=$KubeconfigPath",
-    "--log-file=$LogFilePath",
-    "--deadline=$Deadline"
+    "--log-file=$LogFilePath"
 )
 if (![string]::IsNullOrEmpty($UserAssignedIdentityID)) {
     Write-Log "secure TLS bootstrapping user-assigned identity ID is specified: $UserAssignedIdentityID"
     $BootstrapClientArgList += "--user-assigned-identity-id=$UserAssignedIdentityID"
 }
+if (![string]::IsNullOrEmpty($ValidateKubeconfigTimeout)) {
+    Write-Log "secure TLS bootstrapping validate kubeconfig timeout is specified: $ValidateKubeconfigTimeout"
+    $BootstrapClientArgList += "--validate-kubeconfig-timeout=$ValidateKubeconfigTimeout"
+}
+if (![string]::IsNullOrEmpty($GetAccessTokenTimeout)) {
+    Write-Log "secure TLS bootstrapping get access token timeout is specified: $GetAccessTokenTimeout"
+    $BootstrapClientArgList += "--get-access-token-timeout=$GetAccessTokenTimeout"
+}
+if (![string]::IsNullOrEmpty($GetInstanceDataTimeout)) {
+    Write-Log "secure TLS bootstrapping get instance data timeout is specified: $GetInstanceDataTimeout"
+    $BootstrapClientArgList += "--get-instance-data-timeout=$GetInstanceDataTimeout"
+}
+if (![string]::IsNullOrEmpty($GetNonceTimeout)) {
+    Write-Log "secure TLS bootstrapping get nonce timeout is specified: $GetNonceTimeout"
+    $BootstrapClientArgList += "--get-nonce-timeout=$GetNonceTimeout"
+}
+if (![string]::IsNullOrEmpty($GetAttestedDataTimeout)) {
+    Write-Log "secure TLS bootstrapping get attested data timeout is specified: $GetAttestedDataTimeout"
+    $BootstrapClientArgList += "--get-attested-data-timeout=$GetAttestedDataTimeout"
+}
+if (![string]::IsNullOrEmpty($GetCredentialTimeout)) {
+    Write-Log "secure TLS bootstrapping get credential timeout is specified: $GetCredentialTimeout"
+    $BootstrapClientArgList += "--get-credential-timeout=$GetCredentialTimeout"
+}
+if (![string]::IsNullOrEmpty($Deadline)) {
+    Write-Log "secure TLS bootstrapping deadline is specified: $Deadline"
+    $BootstrapClientArgList += "--deadline=$Deadline"
+}
 Write-Log "Starting secure TLS bootstrapping: invoking aks-secure-tls-bootstrap-client.exe"