feat: gate custom cloud cert pull on RCV 1P opt-in#7958
feat: gate custom cloud cert pull on RCV 1P opt-in#7958
Conversation
There was a problem hiding this comment.
Pull request overview
This PR introduces RCV 1P (Root Certificate Validation 1st Party) opt-in gating for custom cloud certificate retrieval in AKS. The change modifies the init-aks-custom-cloud.sh script to check whether a VM is opted into RCV 1P via a new wireserver endpoint (/acms/isOptedInForRootCerts). When opted in, the script uses new operation-request endpoints to pull root and intermediate certificates; otherwise, it falls back to the legacy cacertificates flow.
Changes:
- Added RCV 1P opt-in detection via wireserver endpoint with JSON boolean matching
- Implemented new certificate retrieval path using
operationrequestsrootandoperationrequestsintermediateendpoints - Preserved backward compatibility with legacy certificate retrieval for non-opted-in VMs
- Normalized Flatcar certificate installation by converting .crt files to .pem during copy operation
rchincha
force-pushed
the
origin/rchinchani/rcv1p
branch
from
9677792 to
31145fe
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 24 out of 25 changed files in this pull request and generated 3 comments.
You can also share your feedback on Copilot code review. Take the survey.
| # Save the certificate to the appropriate location | ||
| echo "$cert_content" > "/root/AzureCACertificates/$cert_filename" | ||
| echo "Successfully saved certificate: $cert_filename" |
There was a problem hiding this comment.
In the opted-in (operation-requests) path, cert filenames are saved exactly as returned (e.g., .cer/.crt/.pem), but the install step later only copies /root/AzureCACertificates/*.crt. If WireServer returns .cer (as the legacy flow suggests), no files will match and no certs will be installed. Normalize the saved filenames/extensions (e.g., always write .crt on Ubuntu/Mariner and handle Flatcar separately) or broaden the install glob to include the actual extensions returned.
| # Save the certificate to the appropriate location | |
| echo "$cert_content" > "/root/AzureCACertificates/$cert_filename" | |
| echo "Successfully saved certificate: $cert_filename" | |
| # Determine the filename to use when saving the certificate. | |
| # On non-Flatcar systems, normalize to a .crt extension so that later | |
| # install steps that use /root/AzureCACertificates/*.crt will pick it up. | |
| local save_filename | |
| if [ "$IS_FLATCAR" -eq 1 ]; then | |
| save_filename="$cert_filename" | |
| else | |
| save_filename="${filename}.crt" | |
| fi | |
| # Save the certificate to the appropriate location | |
| echo "$cert_content" > "/root/AzureCACertificates/$save_filename" | |
| echo "Successfully saved certificate: $save_filename (original: $cert_filename)" |
| for cert in /root/AzureCACertificates/*.crt; do | ||
| destcert="${cert##*/}" | ||
| destcert="${destcert%.*}.pem" | ||
| cp "$cert" /etc/ssl/certs/"$destcert" | ||
| done |
There was a problem hiding this comment.
Flatcar install loop iterates over /root/AzureCACertificates/*.crt, but the non-opted-in flow writes .pem files (and the opted-in flow may write .cer). This loop will no-op (and then run update-ca-certificates) if no .crt files exist. Align the Flatcar copy/convert logic with the actual extensions produced by both flows (e.g., convert whatever was downloaded into .pem during the copy step, or standardize downloads to .crt).
rchincha
force-pushed
the
origin/rchinchani/rcv1p
branch
from
aa14963 to
40fa5ed
Compare
| } | ||
|
|
||
| # Function to process certificate operations from a given endpoint | ||
| process_cert_operations() { |
There was a problem hiding this comment.
nit: wondering if we can actually rename this to something more meaningful, process_cert_operations was originally chosen since we were trying to get things done quickly
| else | ||
| echo "Not opted in for root certs, skipping CA cert pull and install" | ||
| # http://168.63.129.16 is a constant for the host's wireserver endpoint | ||
| certs=$(curl "http://168.63.129.16/machine?comp=acmspackage&type=cacertificates&ext=json") |
There was a problem hiding this comment.
just to clarify - in the opt-out (or not opt-in) case, we download certificates from a different wireserver endpoint, so in either case we're grabbing certs from wireserver? I guess up until now this logic has only ever been executed in custom clouds, which makes sense
though now that this would be running in all clouds, this should this always be executed?
|
@microsoft-github-policy-service agree company="Microsoft" |
rchincha
force-pushed
the
origin/rchinchani/rcv1p
branch
from
40fa5ed to
7c77e4e
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 36 out of 40 changed files in this pull request and generated 2 comments.
You can also share your feedback on Copilot code review. Take the survey.
| echo "Clearing existing CA trust store to ensure only certs from wireserver are trusted" | ||
| rm -rf /etc/ssl/certs/* | ||
| fi | ||
| cp /root/AzureCACertificates/*.pem /etc/ssl/certs/ |
There was a problem hiding this comment.
In the opted-in RCV 1P path, operation-request downloads are saved using the server-provided filename (very likely .crt). Flatcar installation here copies only *.pem, so a Flatcar node that is opted-in can end up installing zero certificates. Mirror the prior behavior by converting/copying .crt artifacts to .pem during the Flatcar copy step (or copy both extensions).
| cp /root/AzureCACertificates/*.pem /etc/ssl/certs/ | |
| if ls /root/AzureCACertificates/*.pem >/dev/null 2>&1; then | |
| cp /root/AzureCACertificates/*.pem /etc/ssl/certs/ | |
| fi | |
| if ls /root/AzureCACertificates/*.crt >/dev/null 2>&1; then | |
| cp /root/AzureCACertificates/*.crt /etc/ssl/certs/ | |
| fi |
rchincha
changed the title
- add opt-in check via acms/isOptedInForRootCerts before certificate retrieval - use operation-request endpoints for RCV 1P root/intermediate certificate pull - keep fallback to legacy cacertificates flow when not opted in - harden opt-in detection with curl --fail and JSON boolean match - normalize Flatcar cert installation by converting .crt artifacts to .pem during copy
- add a dedicated CARefresh parameter set with -CARefreshOnly mode for certificate-only execution - implement RCV 1P cert retrieval from WireServer, including opt-in detection via isOptedInForRootCerts - add operation-request certificate download path (operationrequestsroot/operationrequestsintermediate) - keep backward-compatible fallback to legacy cacertificates endpoint when VM is not opted in - add retry/backoff wrapper for WireServer calls and structured RCV1P logging helper - install downloaded certs into LocalMachine certificate stores (Root for self-signed, CA for intermediates) - register a daily SYSTEM scheduled task (aks-rcv1p-cert-refresh) to rerun cert refresh via this script - wire AKS custom cloud base-prep flow to run RCV 1P refresh and task registration - document RCV 1P intent with inline comment block for maintainability
…t initialization and updating certificate handling
…and system configuration (incoming from main branch)
…t-aks-custom-cloud script
…ion and hardening CA trust store
…ng in init-aks-custom-cloud script
…cert_operations function
…ustom-cloud script
…aks-custom-cloud script
rchincha
force-pushed
the
origin/rchinchani/rcv1p
branch
from
7c77e4e to
5b34df8
Compare
add opt-in check via acms/isOptedInForRootCerts before certificate retrieval
use operation-request endpoints for RCV 1P root/intermediate certificate pull
keep fallback to legacy cacertificates flow when not opted in
harden opt-in detection with curl --fail and JSON boolean match
normalize Flatcar cert installation by converting .crt artifacts to .pem during copy
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #