diff --git a/aks-node-controller/parser/parser.go b/aks-node-controller/parser/parser.go
index 0eebd3e542b..8ab9bd263fe 100644
--- a/aks-node-controller/parser/parser.go
+++ b/aks-node-controller/parser/parser.go
@@ -137,51 +137,49 @@ func getCSEEnv(config *aksnodeconfigv1.Configuration) map[string]string {
 "SECURE_TLS_BOOTSTRAPPING_GET_NONCE_TIMEOUT": config.GetBootstrappingConfig().GetSecureTlsBootstrappingGetNonceTimeout(),
 "SECURE_TLS_BOOTSTRAPPING_GET_ATTESTED_DATA_TIMEOUT": config.GetBootstrappingConfig().GetSecureTlsBootstrappingGetAttestedDataTimeout(),
 "SECURE_TLS_BOOTSTRAPPING_GET_CREDENTIAL_TIMEOUT": config.GetBootstrappingConfig().GetSecureTlsBootstrappingGetCredentialTimeout(),
- //nolint:staticcheck // keeping for now for backwards compatibility - will soon be removed
- "SECURE_TLS_BOOTSTRAPPING_DEADLINE": config.GetBootstrappingConfig().GetSecureTlsBootstrappingDeadline(),
- "CUSTOM_SECURE_TLS_BOOTSTRAPPING_CLIENT_DOWNLOAD_URL": config.GetBootstrappingConfig().GetSecureTlsBootstrappingCustomClientDownloadUrl(),
- "ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION": fmt.Sprintf("%v", config.GetKubeletConfig().GetKubeletConfigFileConfig().GetServerTlsBootstrap()),
- "DHCPV6_SERVICE_FILEPATH": getDHCPV6ServiceFilepath(),
- "DHCPV6_CONFIG_FILEPATH": getDHCPV6ConfigFilepath(),
- "THP_ENABLED": config.GetCustomLinuxOsConfig().GetTransparentHugepageSupport(),
- "THP_DEFRAG": config.GetCustomLinuxOsConfig().GetTransparentDefrag(),
- "SERVICE_PRINCIPAL_FILE_CONTENT": config.GetAuthConfig().GetServicePrincipalSecret(),
- "KUBELET_CLIENT_CONTENT": config.GetKubeletConfig().GetKubeletClientKey(),
- "KUBELET_CLIENT_CERT_CONTENT": config.GetKubeletConfig().GetKubeletClientCertContent(),
- "KUBELET_CONFIG_FILE_ENABLED": fmt.Sprintf("%v", config.GetKubeletConfig().GetEnableKubeletConfigFile()),
- "KUBELET_CONFIG_FILE_CONTENT": getKubeletConfigFileContentBase64(config.GetKubeletConfig()),
- "SWAP_FILE_SIZE_MB": fmt.Sprintf("%v", config.GetCustomLinuxOsConfig().GetSwapFileSize()),
- "GPU_DRIVER_VERSION": getGpuDriverVersion(config.GetVmSize()),
- "GPU_IMAGE_SHA": getGpuImageSha(config.GetVmSize()),
- "GPU_INSTANCE_PROFILE": config.GetGpuConfig().GetGpuInstanceProfile(),
- "GPU_DRIVER_TYPE": getGpuDriverType(config.GetVmSize()),
- "CUSTOM_SEARCH_DOMAIN_NAME": config.GetCustomSearchDomainConfig().GetDomainName(),
- "CUSTOM_SEARCH_REALM_USER": config.GetCustomSearchDomainConfig().GetRealmUser(),
- "CUSTOM_SEARCH_REALM_PASSWORD": config.GetCustomSearchDomainConfig().GetRealmPassword(),
- "MESSAGE_OF_THE_DAY": config.GetMessageOfTheDay(),
- "HAS_KUBELET_DISK_TYPE": fmt.Sprintf("%v", getHasKubeletDiskType(config.GetKubeletConfig())),
- "NEEDS_CGROUPV2": fmt.Sprintf("%v", config.GetNeedsCgroupv2()),
- "KUBELET_FLAGS": getKubeletFlags(config.GetKubeletConfig()),
- "NETWORK_POLICY": getStringFromNetworkPolicyType(config.GetNetworkConfig().GetNetworkPolicy()),
- "KUBELET_NODE_LABELS": createSortedKeyValuePairs(config.GetKubeletConfig().GetKubeletNodeLabels(), ","),
- "AZURE_ENVIRONMENT_FILEPATH": getAzureEnvironmentFilepath(config),
- "KUBE_CA_CRT": config.GetKubernetesCaCert(),
- "KUBENET_TEMPLATE": getKubenetTemplate(),
- "CONTAINERD_CONFIG_CONTENT": getContainerdConfigBase64(config),
- "CONTAINERD_CONFIG_NO_GPU_CONTENT": getNoGPUContainerdConfigBase64(config),
- "IS_KATA": fmt.Sprintf("%v", config.GetIsKata()),
- "ARTIFACT_STREAMING_ENABLED": fmt.Sprintf("%v", config.GetEnableArtifactStreaming()),
- "SYSCTL_CONTENT": getSysctlContent(config.GetCustomLinuxOsConfig().GetSysctlConfig()),
- "PRIVATE_EGRESS_PROXY_ADDRESS": config.GetPrivateEgressProxyAddress(),
- "BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER": config.GetBootstrapProfileContainerRegistryServer(),
- "ENABLE_IMDS_RESTRICTION": fmt.Sprintf("%v", config.GetImdsRestrictionConfig().GetEnableImdsRestriction()),
- "INSERT_IMDS_RESTRICTION_RULE_TO_MANGLE_TABLE": fmt.Sprintf("%v", config.GetImdsRestrictionConfig().GetInsertImdsRestrictionRuleToMangleTable()),
- "PRE_PROVISION_ONLY": fmt.Sprintf("%v", config.GetPreProvisionOnly()),
- "SHOULD_ENABLE_LOCALDNS": shouldEnableLocalDns(config),
- "SHOULD_ENABLE_HOSTS_PLUGIN": shouldEnableHostsPlugin(config),
- "LOCALDNS_CPU_LIMIT": getLocalDnsCpuLimitInPercentage(config),
- "LOCALDNS_MEMORY_LIMIT": getLocalDnsMemoryLimitInMb(config),
- "LOCALDNS_CRITICAL_FQDNS": getLocalDnsCriticalFqdns(config),
+ "CUSTOM_SECURE_TLS_BOOTSTRAPPING_CLIENT_DOWNLOAD_URL": config.GetBootstrappingConfig().GetSecureTlsBootstrappingCustomClientDownloadUrl(),
+ "ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION": fmt.Sprintf("%v", config.GetKubeletConfig().GetKubeletConfigFileConfig().GetServerTlsBootstrap()),
+ "DHCPV6_SERVICE_FILEPATH": getDHCPV6ServiceFilepath(),
+ "DHCPV6_CONFIG_FILEPATH": getDHCPV6ConfigFilepath(),
+ "THP_ENABLED": config.GetCustomLinuxOsConfig().GetTransparentHugepageSupport(),
+ "THP_DEFRAG": config.GetCustomLinuxOsConfig().GetTransparentDefrag(),
+ "SERVICE_PRINCIPAL_FILE_CONTENT": config.GetAuthConfig().GetServicePrincipalSecret(),
+ "KUBELET_CLIENT_CONTENT": config.GetKubeletConfig().GetKubeletClientKey(),
+ "KUBELET_CLIENT_CERT_CONTENT": config.GetKubeletConfig().GetKubeletClientCertContent(),
+ "KUBELET_CONFIG_FILE_ENABLED": fmt.Sprintf("%v", config.GetKubeletConfig().GetEnableKubeletConfigFile()),
+ "KUBELET_CONFIG_FILE_CONTENT": getKubeletConfigFileContentBase64(config.GetKubeletConfig()),
+ "SWAP_FILE_SIZE_MB": fmt.Sprintf("%v", config.GetCustomLinuxOsConfig().GetSwapFileSize()),
+ "GPU_DRIVER_VERSION": getGpuDriverVersion(config.GetVmSize()),
+ "GPU_IMAGE_SHA": getGpuImageSha(config.GetVmSize()),
+ "GPU_INSTANCE_PROFILE": config.GetGpuConfig().GetGpuInstanceProfile(),
+ "GPU_DRIVER_TYPE": getGpuDriverType(config.GetVmSize()),
+ "CUSTOM_SEARCH_DOMAIN_NAME": config.GetCustomSearchDomainConfig().GetDomainName(),
+ "CUSTOM_SEARCH_REALM_USER": config.GetCustomSearchDomainConfig().GetRealmUser(),
+ "CUSTOM_SEARCH_REALM_PASSWORD": config.GetCustomSearchDomainConfig().GetRealmPassword(),
+ "MESSAGE_OF_THE_DAY": config.GetMessageOfTheDay(),
+ "HAS_KUBELET_DISK_TYPE": fmt.Sprintf("%v", getHasKubeletDiskType(config.GetKubeletConfig())),
+ "NEEDS_CGROUPV2": fmt.Sprintf("%v", config.GetNeedsCgroupv2()),
+ "KUBELET_FLAGS": getKubeletFlags(config.GetKubeletConfig()),
+ "NETWORK_POLICY": getStringFromNetworkPolicyType(config.GetNetworkConfig().GetNetworkPolicy()),
+ "KUBELET_NODE_LABELS": createSortedKeyValuePairs(config.GetKubeletConfig().GetKubeletNodeLabels(), ","),
+ "AZURE_ENVIRONMENT_FILEPATH": getAzureEnvironmentFilepath(config),
+ "KUBE_CA_CRT": config.GetKubernetesCaCert(),
+ "KUBENET_TEMPLATE": getKubenetTemplate(),
+ "CONTAINERD_CONFIG_CONTENT": getContainerdConfigBase64(config),
+ "CONTAINERD_CONFIG_NO_GPU_CONTENT": getNoGPUContainerdConfigBase64(config),
+ "IS_KATA": fmt.Sprintf("%v", config.GetIsKata()),
+ "ARTIFACT_STREAMING_ENABLED": fmt.Sprintf("%v", config.GetEnableArtifactStreaming()),
+ "SYSCTL_CONTENT": getSysctlContent(config.GetCustomLinuxOsConfig().GetSysctlConfig()),
+ "PRIVATE_EGRESS_PROXY_ADDRESS": config.GetPrivateEgressProxyAddress(),
+ "BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER": config.GetBootstrapProfileContainerRegistryServer(),
+ "ENABLE_IMDS_RESTRICTION": fmt.Sprintf("%v", config.GetImdsRestrictionConfig().GetEnableImdsRestriction()),
+ "INSERT_IMDS_RESTRICTION_RULE_TO_MANGLE_TABLE": fmt.Sprintf("%v", config.GetImdsRestrictionConfig().GetInsertImdsRestrictionRuleToMangleTable()),
+ "PRE_PROVISION_ONLY": fmt.Sprintf("%v", config.GetPreProvisionOnly()),
+ "SHOULD_ENABLE_LOCALDNS": shouldEnableLocalDns(config),
+ "SHOULD_ENABLE_HOSTS_PLUGIN": shouldEnableHostsPlugin(config),
+ "LOCALDNS_CPU_LIMIT": getLocalDnsCpuLimitInPercentage(config),
+ "LOCALDNS_MEMORY_LIMIT": getLocalDnsMemoryLimitInMb(config),
+ "LOCALDNS_CRITICAL_FQDNS": getLocalDnsCriticalFqdns(config),
 // LOCALDNS_GENERATED_COREFILE is the legacy key read by older VHDs that predate the hosts plugin.
 // It must remain the base (no hosts plugin) corefile for backward compatibility.
 // LOCALDNS_COREFILE_BASE is the new explicit name used by the dynamic corefile selection logic.
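Review bot: Dropping the `"SECURE_TLS_BOOTSTRAPPING_DEADLINE"` entry from the map in getCSEEnv leaves no record in the code that the key was retired, even though the trailing context of this same hunk documents that older VHDs still read legacy keys such as LOCALDNS_GENERATED_COREFILE. The removed comment said the entry was kept for backwards compatibility, and the removed proto comment says the deadline governed the fall-back to the TLS bootstrap token, so it is worth confirming that no provisioning script on a still-supported VHD reads this variable; any that does would now find it absent on an authentication path. A short comment at the removal site would record the decision, e.g. `// SECURE_TLS_BOOTSTRAPPING_DEADLINE was removed together with proto field 9; provisioning scripts must not read it.` The other changed lines in the hunk appear to be gofmt realignment only, and getCSEEnv starts and ends outside the hunk.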
diff --git a/aks-node-controller/parser/parser_test.go b/aks-node-controller/parser/parser_test.go
index d43ece17486..f08fb5b02df 100644
--- a/aks-node-controller/parser/parser_test.go
+++ b/aks-node-controller/parser/parser_test.go
@@ -474,7 +474,6 @@ func TestAKSNodeConfigCompatibilityFromJsonToCSECommand(t *testing.T) {
 assertHasKeyWithValue(t, vars, "SECURE_TLS_BOOTSTRAPPING_GET_NONCE_TIMEOUT", "")
 assertHasKeyWithValue(t, vars, "SECURE_TLS_BOOTSTRAPPING_GET_ATTESTED_DATA_TIMEOUT", "")
 assertHasKeyWithValue(t, vars, "SECURE_TLS_BOOTSTRAPPING_GET_CREDENTIAL_TIMEOUT", "")
- assertHasKeyWithValue(t, vars, "SECURE_TLS_BOOTSTRAPPING_DEADLINE", "")
 },
 },
 }
diff --git a/aks-node-controller/pkg/gen/aksnodeconfig/v1/bootstrapping_config.pb.go b/aks-node-controller/pkg/gen/aksnodeconfig/v1/bootstrapping_config.pb.go
index 92fee881294..44f51e7bb30 100644
--- a/aks-node-controller/pkg/gen/aksnodeconfig/v1/bootstrapping_config.pb.go
+++ b/aks-node-controller/pkg/gen/aksnodeconfig/v1/bootstrapping_config.pb.go
@@ -155,12 +155,6 @@ type BootstrappingConfig struct { SecureTlsBootstrappingUserAssignedIdentityId *string `protobuf:"bytes,7,opt,name=secure_tls_bootstrapping_user_assigned_identity_id,json=secureTlsBootstrappingUserAssignedIdentityId,proto3,oneof" json:"secure_tls_bootstrapping_user_assigned_identity_id,omitempty"` // Only used when secure TLS bootstrapping is enabled. If specified, the bootstrap client installation will be replaced with the client version downloaded from this URL. SecureTlsBootstrappingCustomClientDownloadUrl *string `protobuf:"bytes,8,opt,name=secure_tls_bootstrapping_custom_client_download_url,json=secureTlsBootstrappingCustomClientDownloadUrl,proto3,oneof" json:"secure_tls_bootstrapping_custom_client_download_url,omitempty"` - // Only used when secure TLS bootstrapping is enabled. This is the bootstrapping deadline used to perform secure TLS bootstrapping. - // If the deadline is hit, the TLS bootstrap token will be used as a fall-back. - // This field will be deprecated once TLS bootstrap tokens are no longer used. - // - // Deprecated: Marked as deprecated in aksnodeconfig/v1/bootstrapping_config.proto. - SecureTlsBootstrappingDeadline *string `protobuf:"bytes,9,opt,name=secure_tls_bootstrapping_deadline,json=secureTlsBootstrappingDeadline,proto3,oneof" json:"secure_tls_bootstrapping_deadline,omitempty"` // Only used when secure TLS bootstrapping is enabled. Optional override passed to the secure TLS bootstrap client during provisioning. // This is the amount of time given to the bootstrap client to perform kubeconfig validation against the cluster's API server. SecureTlsBootstrappingValidateKubeconfigTimeout *string `protobuf:"bytes,10,opt,name=secure_tls_bootstrapping_validate_kubeconfig_timeout,json=secureTlsBootstrappingValidateKubeconfigTimeout,proto3,oneof" json:"secure_tls_bootstrapping_validate_kubeconfig_timeout,omitempty"` 
@@ -253,14 +247,6 @@ func (x *BootstrappingConfig) GetSecureTlsBootstrappingCustomClientDownloadUrl() return "" } -// Deprecated: Marked as deprecated in aksnodeconfig/v1/bootstrapping_config.proto. -func (x *BootstrappingConfig) GetSecureTlsBootstrappingDeadline() string { - if x != nil && x.SecureTlsBootstrappingDeadline != nil { - return *x.SecureTlsBootstrappingDeadline - } - return "" -} - func (x *BootstrappingConfig) GetSecureTlsBootstrappingValidateKubeconfigTimeout() string { if x != nil && x.SecureTlsBootstrappingValidateKubeconfigTimeout != nil { return *x.SecureTlsBootstrappingValidateKubeconfigTimeout @@ -310,7 +296,7 @@ var file_aksnodeconfig_v1_bootstrapping_config_proto_rawDesc = []byte{ 0x76, 0x31, 0x2f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x10, 0x61, 0x6b, 0x73, 0x6e, 0x6f, 0x64, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x76, 0x31, 0x22, - 0xf4, 0x0e, 0x0a, 0x13, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0xa3, 0x0e, 0x0a, 0x13, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x65, 0x0a, 0x19, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x29, 0x2e, 0x61, 0x6b, 0x73, 
@@ -346,121 +332,116 @@ var file_aksnodeconfig_v1_bootstrapping_config_proto_rawDesc = []byte{ 0x01, 0x28, 0x09, 0x48, 0x03, 0x52, 0x2d, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x54, 0x6c, 0x73, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x44, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, - 0x64, 0x55, 0x72, 0x6c, 0x88, 0x01, 0x01, 0x12, 0x52, 0x0a, 0x21, 0x73, 0x65, 0x63, 0x75, 0x72, + 0x64, 0x55, 0x72, 0x6c, 0x88, 0x01, 0x01, 0x12, 0x72, 0x0a, 0x34, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x5f, 0x64, 0x65, 0x61, 0x64, 0x6c, 0x69, 0x6e, 0x65, 0x18, 0x09, 0x20, 0x01, - 0x28, 0x09, 0x42, 0x02, 0x18, 0x01, 0x48, 0x04, 0x52, 0x1e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, - 0x54, 0x6c, 0x73, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, - 0x44, 0x65, 0x61, 0x64, 0x6c, 0x69, 0x6e, 0x65, 0x88, 0x01, 0x01, 0x12, 0x72, 0x0a, 0x34, 0x73, + 0x69, 0x6e, 0x67, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x75, 0x62, + 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, + 0x0a, 0x20, 0x01, 0x28, 0x09, 0x48, 0x04, 0x52, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x54, + 0x6c, 0x73, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x56, + 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x75, 0x62, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, + 0x67, 0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x88, 0x01, 0x01, 0x12, 0x6b, 0x0a, 0x31, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, - 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, - 0x5f, 0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x74, 0x69, 0x6d, 0x65, - 0x6f, 0x75, 0x74, 0x18, 0x0a, 0x20, 0x01, 0x28, 
0x09, 0x48, 0x05, 0x52, 0x2f, 0x73, 0x65, 0x63, - 0x75, 0x72, 0x65, 0x54, 0x6c, 0x73, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x4b, 0x75, 0x62, 0x65, 0x63, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x88, 0x01, 0x01, 0x12, - 0x6b, 0x0a, 0x31, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, + 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, + 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x48, 0x05, 0x52, 0x2b, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, + 0x54, 0x6c, 0x73, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, + 0x47, 0x65, 0x74, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x54, 0x69, + 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x88, 0x01, 0x01, 0x12, 0x6d, 0x0a, 0x32, 0x73, 0x65, 0x63, 0x75, + 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, + 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, + 0x65, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x0c, + 0x20, 0x01, 0x28, 0x09, 0x48, 0x06, 0x52, 0x2c, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x54, 0x6c, + 0x73, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, 0x65, + 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x44, 0x61, 0x74, 0x61, 0x54, 0x69, 0x6d, + 0x65, 0x6f, 0x75, 0x74, 0x88, 0x01, 0x01, 0x12, 0x5e, 0x0a, 0x2a, 0x73, 0x65, 0x63, 0x75, 0x72, + 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x5f, 0x74, 0x69, + 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x09, 0x48, 0x07, 0x52, 
0x25, 0x73, + 0x65, 0x63, 0x75, 0x72, 0x65, 0x54, 0x6c, 0x73, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, + 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, 0x65, 0x74, 0x4e, 0x6f, 0x6e, 0x63, 0x65, 0x54, 0x69, 0x6d, + 0x65, 0x6f, 0x75, 0x74, 0x88, 0x01, 0x01, 0x12, 0x6d, 0x0a, 0x32, 0x73, 0x65, 0x63, 0x75, 0x72, + 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, 0x64, + 0x5f, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x0e, 0x20, + 0x01, 0x28, 0x09, 0x48, 0x08, 0x52, 0x2c, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x54, 0x6c, 0x73, + 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, 0x65, 0x74, + 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, 0x64, 0x44, 0x61, 0x74, 0x61, 0x54, 0x69, 0x6d, 0x65, + 0x6f, 0x75, 0x74, 0x88, 0x01, 0x01, 0x12, 0x68, 0x0a, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, + 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, + 0x6c, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x09, 0x48, + 0x09, 0x52, 0x2a, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x54, 0x6c, 0x73, 0x42, 0x6f, 0x6f, 0x74, + 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, 0x65, 0x74, 0x43, 0x72, 0x65, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x88, 0x01, 0x01, + 0x42, 0x1a, 0x0a, 0x18, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, + 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x28, 0x0a, 0x26, + 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, + 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x61, 0x61, 0x64, 0x5f, 0x72, 0x65, + 0x73, 0x6f, 0x75, 0x72, 
0x63, 0x65, 0x42, 0x35, 0x0a, 0x33, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, + 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, + 0x69, 0x6e, 0x67, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x61, 0x73, 0x73, 0x69, 0x67, 0x6e, 0x65, + 0x64, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x69, 0x64, 0x42, 0x36, 0x0a, + 0x34, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, + 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x63, 0x75, 0x73, 0x74, 0x6f, + 0x6d, 0x5f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x64, 0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, + 0x64, 0x5f, 0x75, 0x72, 0x6c, 0x42, 0x37, 0x0a, 0x35, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, + 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, + 0x6e, 0x67, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x75, 0x62, 0x65, + 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x42, 0x34, + 0x0a, 0x32, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x74, 0x69, 0x6d, - 0x65, 0x6f, 0x75, 0x74, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x48, 0x06, 0x52, 0x2b, 0x73, 0x65, - 0x63, 0x75, 0x72, 0x65, 0x54, 0x6c, 0x73, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, - 0x70, 0x69, 0x6e, 0x67, 0x47, 0x65, 0x74, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, - 0x65, 0x6e, 0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x88, 0x01, 0x01, 0x12, 0x6d, 0x0a, 0x32, + 0x65, 0x6f, 0x75, 0x74, 0x42, 0x35, 0x0a, 0x33, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, + 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, + 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x69, 0x6e, 0x73, 0x74, 0x61, 
0x6e, 0x63, 0x65, 0x5f, 0x64, + 0x61, 0x74, 0x61, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x42, 0x2d, 0x0a, 0x2b, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, - 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x69, 0x6e, 0x73, - 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, - 0x75, 0x74, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x09, 0x48, 0x07, 0x52, 0x2c, 0x73, 0x65, 0x63, 0x75, - 0x72, 0x65, 0x54, 0x6c, 0x73, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x44, 0x61, 0x74, - 0x61, 0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x88, 0x01, 0x01, 0x12, 0x5e, 0x0a, 0x2a, 0x73, - 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, - 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x6e, 0x6f, 0x6e, 0x63, - 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x09, 0x48, - 0x08, 0x52, 0x25, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x54, 0x6c, 0x73, 0x42, 0x6f, 0x6f, 0x74, - 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, 0x65, 0x74, 0x4e, 0x6f, 0x6e, 0x63, - 0x65, 0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x88, 0x01, 0x01, 0x12, 0x6d, 0x0a, 0x32, 0x73, + 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x6e, 0x6f, 0x6e, + 0x63, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x42, 0x35, 0x0a, 0x33, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, 0x64, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, - 0x74, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x09, 0x48, 0x09, 0x52, 0x2c, 0x73, 0x65, 0x63, 0x75, 0x72, - 0x65, 0x54, 
0x6c, 0x73, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, 0x64, 0x44, 0x61, 0x74, 0x61, - 0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x88, 0x01, 0x01, 0x12, 0x68, 0x0a, 0x2f, 0x73, 0x65, - 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x63, 0x72, 0x65, 0x64, 0x65, - 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x0f, 0x20, - 0x01, 0x28, 0x09, 0x48, 0x0a, 0x52, 0x2a, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x54, 0x6c, 0x73, - 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x47, 0x65, 0x74, - 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, - 0x74, 0x88, 0x01, 0x01, 0x42, 0x1a, 0x0a, 0x18, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, - 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, - 0x42, 0x28, 0x0a, 0x26, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, - 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x61, 0x61, - 0x64, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x42, 0x35, 0x0a, 0x33, 0x5f, 0x73, - 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, - 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x61, 0x73, 0x73, - 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x69, - 0x64, 0x42, 0x36, 0x0a, 0x34, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, - 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x63, - 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x64, 0x6f, 0x77, - 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x75, 0x72, 
0x6c, 0x42, 0x24, 0x0a, 0x22, 0x5f, 0x73, 0x65, - 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, - 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x64, 0x65, 0x61, 0x64, 0x6c, 0x69, 0x6e, 0x65, 0x42, - 0x37, 0x0a, 0x35, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, - 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x76, 0x61, 0x6c, - 0x69, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x42, 0x34, 0x0a, 0x32, 0x5f, 0x73, 0x65, 0x63, - 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, - 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, - 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x42, 0x35, - 0x0a, 0x33, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, - 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, - 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x74, 0x69, - 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x42, 0x2d, 0x0a, 0x2b, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, - 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, - 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x5f, 0x74, 0x69, 0x6d, - 0x65, 0x6f, 0x75, 0x74, 0x42, 0x35, 0x0a, 0x33, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, - 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, - 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, 0x64, 0x5f, 0x64, - 0x61, 0x74, 0x61, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x42, 0x32, 0x0a, 0x30, 0x5f, - 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, 0x6f, 0x6f, 
0x74, 0x73, - 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x67, 0x65, 0x74, 0x5f, 0x63, 0x72, 0x65, - 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x4a, - 0x04, 0x08, 0x04, 0x10, 0x05, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x52, 0x13, 0x63, 0x75, 0x73, - 0x74, 0x6f, 0x6d, 0x5f, 0x61, 0x61, 0x64, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, - 0x52, 0x14, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5f, 0x61, 0x61, 0x64, 0x5f, 0x63, 0x6c, 0x69, - 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x2a, 0xfb, 0x01, 0x0a, 0x17, 0x42, 0x6f, 0x6f, 0x74, 0x73, - 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x41, 0x75, 0x74, 0x68, 0x4d, 0x65, 0x74, 0x68, - 0x6f, 0x64, 0x12, 0x29, 0x0a, 0x25, 0x42, 0x4f, 0x4f, 0x54, 0x53, 0x54, 0x52, 0x41, 0x50, 0x50, - 0x49, 0x4e, 0x47, 0x5f, 0x41, 0x55, 0x54, 0x48, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, - 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x2d, 0x0a, - 0x29, 0x42, 0x4f, 0x4f, 0x54, 0x53, 0x54, 0x52, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x41, - 0x55, 0x54, 0x48, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x42, 0x4f, 0x4f, 0x54, 0x53, - 0x54, 0x52, 0x41, 0x50, 0x5f, 0x54, 0x4f, 0x4b, 0x45, 0x4e, 0x10, 0x01, 0x12, 0x36, 0x0a, 0x32, + 0x74, 0x42, 0x32, 0x0a, 0x30, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, + 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x67, + 0x65, 0x74, 0x5f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x74, 0x69, + 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x4a, 0x04, 0x08, 0x05, 0x10, + 0x06, 0x4a, 0x04, 0x08, 0x09, 0x10, 0x0a, 0x52, 0x13, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5f, + 0x61, 0x61, 0x64, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x14, 0x63, 0x75, + 0x73, 0x74, 0x6f, 0x6d, 0x5f, 0x61, 0x61, 0x64, 0x5f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, + 0x69, 0x64, 0x52, 0x21, 
0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x62, + 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x5f, 0x64, 0x65, 0x61, + 0x64, 0x6c, 0x69, 0x6e, 0x65, 0x2a, 0xfb, 0x01, 0x0a, 0x17, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, + 0x72, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x41, 0x75, 0x74, 0x68, 0x4d, 0x65, 0x74, 0x68, 0x6f, + 0x64, 0x12, 0x29, 0x0a, 0x25, 0x42, 0x4f, 0x4f, 0x54, 0x53, 0x54, 0x52, 0x41, 0x50, 0x50, 0x49, + 0x4e, 0x47, 0x5f, 0x41, 0x55, 0x54, 0x48, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x55, + 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x2d, 0x0a, 0x29, 0x42, 0x4f, 0x4f, 0x54, 0x53, 0x54, 0x52, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x41, 0x55, - 0x54, 0x48, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x45, - 0x5f, 0x54, 0x4c, 0x53, 0x5f, 0x42, 0x4f, 0x4f, 0x54, 0x53, 0x54, 0x52, 0x41, 0x50, 0x50, 0x49, - 0x4e, 0x47, 0x10, 0x02, 0x12, 0x25, 0x0a, 0x21, 0x42, 0x4f, 0x4f, 0x54, 0x53, 0x54, 0x52, 0x41, - 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x41, 0x55, 0x54, 0x48, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, - 0x44, 0x5f, 0x41, 0x52, 0x43, 0x5f, 0x4d, 0x53, 0x49, 0x10, 0x03, 0x12, 0x27, 0x0a, 0x23, 0x42, + 0x54, 0x48, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x42, 0x4f, 0x4f, 0x54, 0x53, 0x54, + 0x52, 0x41, 0x50, 0x5f, 0x54, 0x4f, 0x4b, 0x45, 0x4e, 0x10, 0x01, 0x12, 0x36, 0x0a, 0x32, 0x42, 0x4f, 0x4f, 0x54, 0x53, 0x54, 0x52, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x41, 0x55, 0x54, - 0x48, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x41, 0x5a, 0x55, 0x52, 0x45, 0x5f, 0x4d, - 0x53, 0x49, 0x10, 0x04, 0x2a, 0x8e, 0x01, 0x0a, 0x11, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, - 0x4a, 0x6f, 0x69, 0x6e, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x12, 0x23, 0x0a, 0x1f, 0x43, 0x4c, - 0x55, 0x53, 0x54, 0x45, 0x52, 0x5f, 0x4a, 0x4f, 0x49, 0x4e, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, - 0x44, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 
0x45, 0x44, 0x10, 0x00, 0x12, - 0x24, 0x0a, 0x20, 0x43, 0x4c, 0x55, 0x53, 0x54, 0x45, 0x52, 0x5f, 0x4a, 0x4f, 0x49, 0x4e, 0x5f, - 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x47, 0x45, 0x4e, 0x45, 0x52, 0x41, 0x54, 0x45, 0x5f, - 0x43, 0x53, 0x52, 0x10, 0x01, 0x12, 0x2e, 0x0a, 0x2a, 0x43, 0x4c, 0x55, 0x53, 0x54, 0x45, 0x52, - 0x5f, 0x4a, 0x4f, 0x49, 0x4e, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x55, 0x53, 0x45, - 0x5f, 0x42, 0x4f, 0x4f, 0x54, 0x53, 0x54, 0x52, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x41, - 0x55, 0x54, 0x48, 0x10, 0x02, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x2f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x62, - 0x61, 0x6b, 0x65, 0x72, 0x2f, 0x61, 0x6b, 0x73, 0x2d, 0x6e, 0x6f, 0x64, 0x65, 0x2d, 0x63, 0x6f, - 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, - 0x2f, 0x61, 0x6b, 0x73, 0x6e, 0x6f, 0x64, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, - 0x31, 0x3b, 0x61, 0x6b, 0x73, 0x6e, 0x6f, 0x64, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x76, - 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x48, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x53, 0x45, 0x43, 0x55, 0x52, 0x45, 0x5f, + 0x54, 0x4c, 0x53, 0x5f, 0x42, 0x4f, 0x4f, 0x54, 0x53, 0x54, 0x52, 0x41, 0x50, 0x50, 0x49, 0x4e, + 0x47, 0x10, 0x02, 0x12, 0x25, 0x0a, 0x21, 0x42, 0x4f, 0x4f, 0x54, 0x53, 0x54, 0x52, 0x41, 0x50, + 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x41, 0x55, 0x54, 0x48, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, + 0x5f, 0x41, 0x52, 0x43, 0x5f, 0x4d, 0x53, 0x49, 0x10, 0x03, 0x12, 0x27, 0x0a, 0x23, 0x42, 0x4f, + 0x4f, 0x54, 0x53, 0x54, 0x52, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x41, 0x55, 0x54, 0x48, + 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x41, 0x5a, 0x55, 0x52, 0x45, 0x5f, 0x4d, 0x53, + 0x49, 0x10, 0x04, 0x2a, 0x8e, 0x01, 0x0a, 0x11, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x4a, + 0x6f, 0x69, 0x6e, 0x4d, 0x65, 0x74, 0x68, 0x6f, 
0x64, 0x12, 0x23, 0x0a, 0x1f, 0x43, 0x4c, 0x55, + 0x53, 0x54, 0x45, 0x52, 0x5f, 0x4a, 0x4f, 0x49, 0x4e, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, + 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x24, + 0x0a, 0x20, 0x43, 0x4c, 0x55, 0x53, 0x54, 0x45, 0x52, 0x5f, 0x4a, 0x4f, 0x49, 0x4e, 0x5f, 0x4d, + 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x47, 0x45, 0x4e, 0x45, 0x52, 0x41, 0x54, 0x45, 0x5f, 0x43, + 0x53, 0x52, 0x10, 0x01, 0x12, 0x2e, 0x0a, 0x2a, 0x43, 0x4c, 0x55, 0x53, 0x54, 0x45, 0x52, 0x5f, + 0x4a, 0x4f, 0x49, 0x4e, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x55, 0x53, 0x45, 0x5f, + 0x42, 0x4f, 0x4f, 0x54, 0x53, 0x54, 0x52, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x41, 0x55, + 0x54, 0x48, 0x10, 0x02, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, + 0x6f, 0x6d, 0x2f, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x2f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x62, 0x61, + 0x6b, 0x65, 0x72, 0x2f, 0x61, 0x6b, 0x73, 0x2d, 0x6e, 0x6f, 0x64, 0x65, 0x2d, 0x63, 0x6f, 0x6e, + 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f, + 0x61, 0x6b, 0x73, 0x6e, 0x6f, 0x64, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, 0x31, + 0x3b, 0x61, 0x6b, 0x73, 0x6e, 0x6f, 0x64, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x76, 0x31, + 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/aks-node-controller/proto/aksnodeconfig/v1/bootstrapping_config.proto b/aks-node-controller/proto/aksnodeconfig/v1/bootstrapping_config.proto index 66626a8fb3f..fbc73f75fb9 100644 --- a/aks-node-controller/proto/aksnodeconfig/v1/bootstrapping_config.proto +++ b/aks-node-controller/proto/aksnodeconfig/v1/bootstrapping_config.proto 
@@ -45,6 +45,8 @@ message BootstrappingConfig { reserved "custom_aad_resource"; reserved 5; reserved "custom_aad_client_id"; + reserved 9; + reserved "secure_tls_bootstrapping_deadline"; // Only used when secure TLS bootstrapping is enabled. This is the AAD resource used to request access tokens from Entra ID. optional string secure_tls_bootstrapping_aad_resource = 6; @@ -55,11 +57,6 @@ message BootstrappingConfig { // Only used when secure TLS bootstrapping is enabled. If specified, the bootstrap client installation will be replaced with the client version downloaded from this URL. optional string secure_tls_bootstrapping_custom_client_download_url = 8; - // Only used when secure TLS bootstrapping is enabled. This is the bootstrapping deadline used to perform secure TLS bootstrapping. - // If the deadline is hit, the TLS bootstrap token will be used as a fall-back. - // This field will be deprecated once TLS bootstrap tokens are no longer used. - optional string secure_tls_bootstrapping_deadline = 9 [deprecated = true]; - // Only used when secure TLS bootstrapping is enabled. Optional override passed to the secure TLS bootstrap client during provisioning. // This is the amount of time given to the bootstrap client to perform kubeconfig validation against the cluster's API server. optional string secure_tls_bootstrapping_validate_kubeconfig_timeout = 10; diff --git a/aks-node-controller/proto/aksnodeconfig/v1/kubelet_config.proto b/aks-node-controller/proto/aksnodeconfig/v1/kubelet_config.proto index aafdc17b94b..6efb39e37ea 100644 --- a/aks-node-controller/proto/aksnodeconfig/v1/kubelet_config.proto +++ b/aks-node-controller/proto/aksnodeconfig/v1/kubelet_config.proto 
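Review bot: The added `reserved 9;` / `reserved "secure_tls_bootstrapping_deadline";` pair in the first hunk has no comment saying what was retired, so a later reader cannot tell from the schema why the tag is blocked; `BootstrappingConfig` itself starts and ends outside the hunk. I would put a line above the pair such as `// 9 / secure_tls_bootstrapping_deadline: removed; was the deadline before falling back to the TLS bootstrap token. Do not reuse.` The field comment deleted in the next hunk says this deadline decided when a node falls back to the bootstrap token. With `--deadline` no longer passed from cse_config.sh, that timing presumably comes from the bootstrap client's own default, which is worth confirming as the intended behaviour. Reserving the tag keeps binary decoding safe, but if this config is also decoded from JSON with strict unknown-field handling (not visible in this diff), a producer that still emits the field during version skew would be rejected.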
@@ -37,12 +37,12 @@ enum KubeletDisk { message KubeletConfigFileConfig { /* Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds. - +optional.*/ + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds. + +optional.*/ string kind = 1; /* APIVersion defines the versioned schema of this representation of an object. 
@@ -53,64 +53,64 @@ message KubeletConfigFileConfig { string api_version = 2; /* staticPodPath is the path to the directory containing local (static) pods to - run, or the path to a single static pod file. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - the set of static pods specified at the new path may be different than the - ones the Kubelet initially started with, and this may disrupt your node. - Default: "" - +optional.*/ + run, or the path to a single static pod file. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + the set of static pods specified at the new path may be different than the + ones the Kubelet initially started with, and this may disrupt your node. + Default: "" + +optional.*/ string static_pod_path = 3; /* address is the IP address for the Kubelet to serve on (set to 0.0.0.0 - for all interfaces). - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may disrupt components that interact with the Kubelet server. - Default: "0.0.0.0" - +optional. */ + for all interfaces). + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may disrupt components that interact with the Kubelet server. + Default: "0.0.0.0" + +optional. */ string address = 4; /* readOnlyPort is the read-only port for the Kubelet to serve on with - no authentication/authorization. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may disrupt components that interact with the Kubelet server. - Default: 0 (disabled) - +optional. */ + no authentication/authorization. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may disrupt components that interact with the Kubelet server. + Default: 0 (disabled) + +optional. */ int32 read_only_port = 5; /* tlsCertFile is the file containing x509 Certificate for HTTPS. (CA cert, - if any, concatenated after server cert). 
If tlsCertFile and - tlsPrivateKeyFile are not provided, a self-signed certificate - and key are generated for the public address and saved to the directory - passed to the Kubelet's --cert-dir flag. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may disrupt components that interact with the Kubelet server. - Default: "" - +optional. */ + if any, concatenated after server cert). If tlsCertFile and + tlsPrivateKeyFile are not provided, a self-signed certificate + and key are generated for the public address and saved to the directory + passed to the Kubelet's --cert-dir flag. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may disrupt components that interact with the Kubelet server. + Default: "" + +optional. */ string tls_cert_file = 6; /* tlsPrivateKeyFile is the file containing x509 private key matching tlsCertFile - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may disrupt components that interact with the Kubelet server. - Default: "" - +optional. */ + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may disrupt components that interact with the Kubelet server. + Default: "" + +optional. */ string tls_private_key_file = 7; /* TLSCipherSuites is the list of allowed cipher suites for the server. - Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may disrupt components that interact with the Kubelet server. - Default: nil - +optional. */ + Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may disrupt components that interact with the Kubelet server. + Default: nil + +optional. 
*/ repeated string tls_cipher_suites = 8; /* rotateCertificates enables client certificate rotation. The Kubelet will request a - new certificate from the certificates.k8s.io API. This requires an approver to approve the - certificate signing requests. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - disabling it may disrupt the Kubelet's ability to authenticate with the API server - after the current certificate expires. - Default: false - +optional. */ + new certificate from the certificates.k8s.io API. This requires an approver to approve the + certificate signing requests. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + disabling it may disrupt the Kubelet's ability to authenticate with the API server + after the current certificate expires. + Default: false + +optional. */ bool rotate_certificates = 9; // serverTLSBootstrap enables server certificate bootstrap. Instead of self 
@@ -123,198 +123,198 @@ message KubeletConfigFileConfig { bool server_tls_bootstrap = 10 [json_name = "serverTLSBootstrap"]; /* authentication specifies how requests to the Kubelet's server are authenticated - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may disrupt components that interact with the Kubelet server. - Defaults: - anonymous: - enabled: false - webhook: - enabled: true - cacheTTL: "2m" - +optional. */ + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may disrupt components that interact with the Kubelet server. + Defaults: + anonymous: + enabled: false + webhook: + enabled: true + cacheTTL: "2m" + +optional. */ KubeletAuthentication authentication = 11; /* authorization specifies how requests to the Kubelet's server are authorized - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may disrupt components that interact with the Kubelet server. - Defaults: - mode: Webhook - webhook: - cacheAuthorizedTTL: "5m" - cacheUnauthorizedTTL: "30s" - +optional. */ + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may disrupt components that interact with the Kubelet server. + Defaults: + mode: Webhook + webhook: + cacheAuthorizedTTL: "5m" + cacheUnauthorizedTTL: "30s" + +optional. */ KubeletAuthorization authorization = 12; /* eventRecordQPS is the maximum event creations per second. If 0, there - is no limit enforced. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may impact scalability by changing the amount of traffic produced by - event creations. - Default: 5 - +optional. */ + is no limit enforced. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may impact scalability by changing the amount of traffic produced by + event creations. + Default: 5 + +optional. 
*/ optional int32 event_record_qps = 13 [json_name = "eventRecordQPS"]; /* clusterDomain is the DNS domain for this cluster. If set, kubelet will - configure all containers to search this domain in addition to the - host's search domains. - Dynamic Kubelet Config (beta): Dynamically updating this field is not recommended, - as it should be kept in sync with the rest of the cluster. - Default: "" - +optional. */ + configure all containers to search this domain in addition to the + host's search domains. + Dynamic Kubelet Config (beta): Dynamically updating this field is not recommended, + as it should be kept in sync with the rest of the cluster. + Default: "" + +optional. */ string cluster_domain = 14; /* clusterDNS is a list of IP addresses for the cluster DNS server. If set, - kubelet will configure all containers to use this for DNS resolution - instead of the host's DNS servers. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - changes will only take effect on Pods created after the update. Draining - the node is recommended before changing this field. - Default: nil - +optional. */ + kubelet will configure all containers to use this for DNS resolution + instead of the host's DNS servers. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + changes will only take effect on Pods created after the update. Draining + the node is recommended before changing this field. + Default: nil + +optional. */ repeated string cluster_dns = 15 [json_name = "clusterDNS"]; /* streamingConnectionIdleTimeout is the maximum time a streaming connection - can be idle before the connection is automatically closed. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may impact components that rely on infrequent updates over streaming - connections to the Kubelet server. - Default: "4h" - +optional. */ + can be idle before the connection is automatically closed. 
+ Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may impact components that rely on infrequent updates over streaming + connections to the Kubelet server. + Default: "4h" + +optional. */ string streaming_connection_idle_timeout = 16; /* nodeStatusUpdateFrequency is the frequency that kubelet computes node - status. If node lease feature is not enabled, it is also the frequency that - kubelet posts node status to master. - Note: When node lease feature is not enabled, be cautious when changing the - constant, it must work with nodeMonitorGracePeriod in nodecontroller. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may impact node scalability, and also that the node controller's - nodeMonitorGracePeriod must be set to N*NodeStatusUpdateFrequency, - where N is the number of retries before the node controller marks - the node unhealthy. - Default: "10s" - +optional. */ + status. If node lease feature is not enabled, it is also the frequency that + kubelet posts node status to master. + Note: When node lease feature is not enabled, be cautious when changing the + constant, it must work with nodeMonitorGracePeriod in nodecontroller. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may impact node scalability, and also that the node controller's + nodeMonitorGracePeriod must be set to N*NodeStatusUpdateFrequency, + where N is the number of retries before the node controller marks + the node unhealthy. + Default: "10s" + +optional. */ string node_status_update_frequency = 17; /* nodeStatusReportFrequency is the frequency that kubelet posts node - status to master if node status does not change. Kubelet will ignore this - frequency and post node status immediately if any change is detected. It is - only used when node lease feature is enabled. nodeStatusReportFrequency's - default value is 5m. 
But if nodeStatusUpdateFrequency is set explicitly, - nodeStatusReportFrequency's default value will be set to - nodeStatusUpdateFrequency for backward compatibility. - Default: "5m" - +optional. */ + status to master if node status does not change. Kubelet will ignore this + frequency and post node status immediately if any change is detected. It is + only used when node lease feature is enabled. nodeStatusReportFrequency's + default value is 5m. But if nodeStatusUpdateFrequency is set explicitly, + nodeStatusReportFrequency's default value will be set to + nodeStatusUpdateFrequency for backward compatibility. + Default: "5m" + +optional. */ string node_status_report_frequency = 18; /* imageGCHighThresholdPercent is the percent of disk usage after which - image garbage collection is always run. The percent is calculated as - this field value out of 100. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may trigger or delay garbage collection, and may change the image overhead - on the node. - Default: 85 - +optional. */ + image garbage collection is always run. The percent is calculated as + this field value out of 100. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may trigger or delay garbage collection, and may change the image overhead + on the node. + Default: 85 + +optional. */ optional int32 image_gc_high_threshold_percent = 19 [json_name = "imageGCHighThresholdPercent"]; /* imageGCLowThresholdPercent is the percent of disk usage before which - image garbage collection is never run. Lowest disk usage to garbage - collect to. The percent is calculated as this field value out of 100. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may trigger or delay garbage collection, and may change the image overhead - on the node. - Default: 80 - +optional. */ + image garbage collection is never run. Lowest disk usage to garbage + collect to. 
The percent is calculated as this field value out of 100. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may trigger or delay garbage collection, and may change the image overhead + on the node. + Default: 80 + +optional. */ optional int32 image_gc_low_threshold_percent = 20 [json_name = "imageGCLowThresholdPercent"]; /* Enable QoS based Cgroup hierarchy: top level cgroups for QoS Classes - And all Burstable and BestEffort pods are brought up under their - specific top level QoS cgroup. - Dynamic Kubelet Config (beta): This field should not be updated without a full node - reboot. It is safest to keep this value the same as the local config. - Default: true - +optional. */ + And all Burstable and BestEffort pods are brought up under their + specific top level QoS cgroup. + Dynamic Kubelet Config (beta): This field should not be updated without a full node + reboot. It is safest to keep this value the same as the local config. + Default: true + +optional. */ optional bool cgroups_per_qos = 21 [json_name = "cgroupsPerQOS"]; /* CPUManagerPolicy is the name of the policy to use. - Requires the CPUManager feature gate to be enabled. - Dynamic Kubelet Config (beta): This field should not be updated without a full node - reboot. It is safest to keep this value the same as the local config. - Default: "none" - +optional. */ + Requires the CPUManager feature gate to be enabled. + Dynamic Kubelet Config (beta): This field should not be updated without a full node + reboot. It is safest to keep this value the same as the local config. + Default: "none" + +optional. */ string cpu_manager_policy = 22; /* TopologyManagerPolicy is the name of the policy to use. - Policies other than "none" require the TopologyManager feature gate to be enabled. - Dynamic Kubelet Config (beta): This field should not be updated without a full node - reboot. It is safest to keep this value the same as the local config. - Default: "none" - +optional. 
*/ + Policies other than "none" require the TopologyManager feature gate to be enabled. + Dynamic Kubelet Config (beta): This field should not be updated without a full node + reboot. It is safest to keep this value the same as the local config. + Default: "none" + +optional. */ string topology_manager_policy = 23; /* maxPods is the number of pods that can run on this Kubelet. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - changes may cause Pods to fail admission on Kubelet restart, and may change - the value reported in Node.Status.Capacity[v1.ResourcePods], thus affecting - future scheduling decisions. Increasing this value may also decrease performance, - as more Pods can be packed into a single node. - Default: 110 - +optional. */ + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + changes may cause Pods to fail admission on Kubelet restart, and may change + the value reported in Node.Status.Capacity[v1.ResourcePods], thus affecting + future scheduling decisions. Increasing this value may also decrease performance, + as more Pods can be packed into a single node. + Default: 110 + +optional. */ optional int32 max_pods = 24; /* PodPidsLimit is the maximum number of pids in any pod. - Requires the SupportPodPidsLimit feature gate to be enabled. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - lowering it may prevent container processes from forking after the change. - Default: -1 - +optional. */ + Requires the SupportPodPidsLimit feature gate to be enabled. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + lowering it may prevent container processes from forking after the change. + Default: -1 + +optional. */ optional int32 pod_pids_limit = 25; /* ResolvConf is the resolver configuration file used as the basis - for the container DNS resolution configuration. 
- Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - changes will only take effect on Pods created after the update. Draining - the node is recommended before changing this field. - Default: "/etc/resolv.conf" - +optional. */ + for the container DNS resolution configuration. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + changes will only take effect on Pods created after the update. Draining + the node is recommended before changing this field. + Default: "/etc/resolv.conf" + +optional. */ string resolv_conf = 26; /* cpuCFSQuota enables CPU CFS quota enforcement for containers that - specify CPU limits. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - disabling it may reduce node stability. - Default: true - +optional. */ + specify CPU limits. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + disabling it may reduce node stability. + Default: true + +optional. */ optional bool cpu_cfs_quota = 27 [json_name = "cpuCFSQuota"]; /* CPUCFSQuotaPeriod is the CPU CFS quota period value, cpu.cfs_period_us. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - limits set for containers will result in different cpu.cfs_quota settings. This - will trigger container restarts on the node being reconfigured. - Default: "100ms" - +optional. */ + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + limits set for containers will result in different cpu.cfs_quota settings. This + will trigger container restarts on the node being reconfigured. + Default: "100ms" + +optional. */ string cpu_cfs_quota_period = 28 [json_name = "cpuCFSQuotaPeriod"]; /* Map of signal names to quantities that defines hard eviction thresholds. For example: {"memory.available": "300Mi"}. - To explicitly disable, pass a 0% or 100% threshold on an arbitrary resource. 
- Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may trigger or delay Pod evictions. - Default: - memory.available: "100Mi" - nodefs.available: "10%" - nodefs.inodesFree: "5%" - imagefs.available: "15%" - +optional. */ + To explicitly disable, pass a 0% or 100% threshold on an arbitrary resource. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may trigger or delay Pod evictions. + Default: + memory.available: "100Mi" + nodefs.available: "10%" + nodefs.inodesFree: "5%" + imagefs.available: "15%" + +optional. */ map eviction_hard = 29; /* protectKernelDefaults, if true, causes the Kubelet to error if kernel - flags are not as it expects. Otherwise the Kubelet will attempt to modify - kernel flags to match its expectation. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - enabling it may cause the Kubelet to crash-loop if the Kernel is not configured as - Kubelet expects. - Default: false - +optional. */ + flags are not as it expects. Otherwise the Kubelet will attempt to modify + kernel flags to match its expectation. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + enabling it may cause the Kubelet to crash-loop if the Kernel is not configured as + Kubelet expects. + Default: false + +optional. */ bool protect_kernel_defaults = 30; /* featureGates is a map of feature names to bools that enable or disable alpha/experimental 
@@ -330,51 +330,51 @@ message KubeletConfigFileConfig { map feature_gates = 31; /* failSwapOn tells the Kubelet to fail to start if swap is enabled on the node. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - setting it to true will cause the Kubelet to crash-loop if swap is enabled. - Default: true - +optional. */ + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + setting it to true will cause the Kubelet to crash-loop if swap is enabled. + Default: true + +optional. */ optional bool fail_swap_on = 32; /* A quantity defines the maximum size of the container log file before it is rotated. - For example: "5Mi" or "256Ki". - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may trigger log rotation. - Default: "10Mi" - +optional. */ + For example: "5Mi" or "256Ki". + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may trigger log rotation. + Default: "10Mi" + +optional. */ string container_log_max_size = 33; /* Maximum number of container log files that can be present for a container. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - lowering it may cause log files to be deleted. - Default: 5 - +optional. */ + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + lowering it may cause log files to be deleted. + Default: 5 + +optional. */ optional int32 container_log_max_files = 34; /* the following fields are meant for Node Allocatable */ /* systemReserved is a set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) - pairs that describe resources reserved for non-kubernetes components. - Currently only cpu and memory are supported. - See http://kubernetes.io/docs/user-guide/compute-resources for more detail. 
- Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may not be possible to increase the reserved resources, because this - requires resizing cgroups. Always look for a NodeAllocatableEnforced event - after updating this field to ensure that the update was successful. - Default: nil - +optional. */ + pairs that describe resources reserved for non-kubernetes components. + Currently only cpu and memory are supported. + See http://kubernetes.io/docs/user-guide/compute-resources for more detail. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may not be possible to increase the reserved resources, because this + requires resizing cgroups. Always look for a NodeAllocatableEnforced event + after updating this field to ensure that the update was successful. + Default: nil + +optional. */ map system_reserved = 35; /* A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs - that describe resources reserved for kubernetes system components. - Currently cpu, memory and local storage for root file system are supported. - See http://kubernetes.io/docs/user-guide/compute-resources for more detail. - Dynamic Kubelet Config (beta): If dynamically updating this field, consider that - it may not be possible to increase the reserved resources, because this - requires resizing cgroups. Always look for a NodeAllocatableEnforced event - after updating this field to ensure that the update was successful. - Default: nil - +optional. */ + that describe resources reserved for kubernetes system components. + Currently cpu, memory and local storage for root file system are supported. + See http://kubernetes.io/docs/user-guide/compute-resources for more detail. + Dynamic Kubelet Config (beta): If dynamically updating this field, consider that + it may not be possible to increase the reserved resources, because this + requires resizing cgroups. 
Always look for a NodeAllocatableEnforced event + after updating this field to ensure that the update was successful. + Default: nil + +optional. */ map kube_reserved = 36; /* This flag specifies the various Node Allocatable enforcements that Kubelet needs to perform. 
@@ -394,46 +394,46 @@ message KubeletConfigFileConfig { repeated string enforce_node_allocatable = 37; /* evictionSoft is a map of signal names to quantities that defines soft eviction thresholds. - Each signal listed here must also have a corresponding entry in evictionSoftGracePeriod. - Soft eviction terminates pods gracefully (respecting terminationGracePeriodSeconds, capped by - evictionMaxPodGracePeriod) once the threshold is breached for the configured grace period. - Used by AKS Node Memory Hardening (F2/F5). - +optional. */ + Each signal listed here must also have a corresponding entry in evictionSoftGracePeriod. + Soft eviction terminates pods gracefully (respecting terminationGracePeriodSeconds, capped by + evictionMaxPodGracePeriod) once the threshold is breached for the configured grace period. + Used by AKS Node Memory Hardening (F2/F5). + +optional. */ map eviction_soft = 41; /* evictionSoftGracePeriod is a map of signal names to durations defining how long the soft - eviction threshold must be breached before triggering eviction. Each entry must correspond - to a signal listed in evictionSoft. Used by AKS Node Memory Hardening (F2/F5). - +optional. */ + eviction threshold must be breached before triggering eviction. Each entry must correspond + to a signal listed in evictionSoft. Used by AKS Node Memory Hardening (F2/F5). + +optional. */ map eviction_soft_grace_period = 42; /* evictionMaxPodGracePeriod is the maximum allowed grace period (in seconds) to use when - terminating pods in response to a soft eviction threshold being met. Setting this value - caps the pod's terminationGracePeriodSeconds during soft eviction. Used by AKS Node - Memory Hardening (F2/F5). - +optional. */ + terminating pods in response to a soft eviction threshold being met. Setting this value + caps the pod's terminationGracePeriodSeconds during soft eviction. Used by AKS Node + Memory Hardening (F2/F5). + +optional. 
*/ int32 eviction_max_pod_grace_period = 43; /* kubeReservedCgroup is the absolute name of the cgroup the kubelet should manage for the - kube-reserved compute resources. When enforce-node-allocatable contains "kube-reserved", - this cgroup must exist before kubelet starts. Example: "/kubelet.slice". - Used by AKS Node Memory Hardening (F2/F5). - +optional. */ + kube-reserved compute resources. When enforce-node-allocatable contains "kube-reserved", + this cgroup must exist before kubelet starts. Example: "/kubelet.slice". + Used by AKS Node Memory Hardening (F2/F5). + +optional. */ string kube_reserved_cgroup = 44; /* systemReservedCgroup is the absolute name of the cgroup the kubelet should manage for the - system-reserved compute resources. When enforce-node-allocatable contains "system-reserved", - this cgroup must exist before kubelet starts. Example: "/system.slice". - Used by AKS Node Memory Hardening (F2/F5). - +optional. */ + system-reserved compute resources. When enforce-node-allocatable contains "system-reserved", + this cgroup must exist before kubelet starts. Example: "/system.slice". + Used by AKS Node Memory Hardening (F2/F5). + +optional. */ string system_reserved_cgroup = 45; /* A comma separated whitelist of unsafe sysctls or sysctl patterns (ending in *). - Unsafe sysctl groups are kernel.shm*, kernel.msg*, kernel.sem, fs.mqueue.*, and net.*. - These sysctls are namespaced but not allowed by default. - For example: "kernel.msg*,net.ipv4.route.min_pmtu" - Default: [] - +optional. */ + Unsafe sysctl groups are kernel.shm*, kernel.msg*, kernel.sem, fs.mqueue.*, and net.*. + These sysctls are namespaced but not allowed by default. + For example: "kernel.msg*,net.ipv4.route.min_pmtu" + Default: [] + +optional. */ repeated string allowed_unsafe_sysctls = 38; // serializeImagePulls when enabled, tells the Kubelet to pull images one 
@@ -466,9 +466,9 @@ message KubeletAuthentication { message KubeletX509Authentication { /* clientCAFile is the path to a PEM-encoded certificate bundle. If set, any request presenting a client certificate - signed by one of the authorities in the bundle is authenticated with a username corresponding to the CommonName, - and groups corresponding to the Organization in the client certificate. - +optional. */ + signed by one of the authorities in the bundle is authenticated with a username corresponding to the CommonName, + and groups corresponding to the Organization in the client certificate. + +optional. */ string client_ca_file = 1 [json_name = "clientCAFile"]; } diff --git a/parts/linux/cloud-init/artifacts/cse_cmd.sh b/parts/linux/cloud-init/artifacts/cse_cmd.sh index 52ffb72de76..e86721a00c5 100644 --- a/parts/linux/cloud-init/artifacts/cse_cmd.sh +++ b/parts/linux/cloud-init/artifacts/cse_cmd.sh @@ -139,7 +139,6 @@ SECURE_TLS_BOOTSTRAPPING_GET_INSTANCE_DATA_TIMEOUT="{{GetSecureTLSBootstrappingG SECURE_TLS_BOOTSTRAPPING_GET_NONCE_TIMEOUT="{{GetSecureTLSBootstrappingGetNonceTimeout}}" SECURE_TLS_BOOTSTRAPPING_GET_ATTESTED_DATA_TIMEOUT="{{GetSecureTLSBootstrappingGetAttestedDataTimeout}}" SECURE_TLS_BOOTSTRAPPING_GET_CREDENTIAL_TIMEOUT="{{GetSecureTLSBootstrappingGetCredentialTimeout}}" -SECURE_TLS_BOOTSTRAPPING_DEADLINE="{{GetSecureTLSBootstrappingDeadline}}" CUSTOM_SECURE_TLS_BOOTSTRAPPING_CLIENT_DOWNLOAD_URL="{{GetCustomSecureTLSBootstrappingClientDownloadURL}}" ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION="{{EnableKubeletServingCertificateRotation}}" DHCPV6_SERVICE_FILEPATH="{{GetDHCPv6ServiceCSEScriptFilepath}}" diff --git a/parts/linux/cloud-init/artifacts/cse_config.sh b/parts/linux/cloud-init/artifacts/cse_config.sh index ff146905b4b..57b968559da 100755 --- a/parts/linux/cloud-init/artifacts/cse_config.sh +++ b/parts/linux/cloud-init/artifacts/cse_config.sh 
@@ -544,9 +544,6 @@ configureAndEnableSecureTLSBootstrapping() { if [ -n "${SECURE_TLS_BOOTSTRAPPING_GET_CREDENTIAL_TIMEOUT}" ]; then BOOTSTRAP_CLIENT_FLAGS="${BOOTSTRAP_CLIENT_FLAGS} --get-credential-timeout=${SECURE_TLS_BOOTSTRAPPING_GET_CREDENTIAL_TIMEOUT}" fi - if [ -n "${SECURE_TLS_BOOTSTRAPPING_DEADLINE}" ]; then - BOOTSTRAP_CLIENT_FLAGS="${BOOTSTRAP_CLIENT_FLAGS} --deadline=${SECURE_TLS_BOOTSTRAPPING_DEADLINE}" - fi mkdir -p "$(dirname "${SECURE_TLS_BOOTSTRAPPING_DEFAULT_FILE}")" touch "${SECURE_TLS_BOOTSTRAPPING_DEFAULT_FILE}" diff --git a/parts/windows/kuberneteswindowssetup.ps1 b/parts/windows/kuberneteswindowssetup.ps1 index 86590db76b7..0d4bf2da76d 100644 --- a/parts/windows/kuberneteswindowssetup.ps1 +++ b/parts/windows/kuberneteswindowssetup.ps1 @@ -190,7 +190,6 @@ $global:SecureTLSBootstrappingGetInstanceDataTimeout = "{{GetSecureTLSBootstrapp $global:SecureTLSBootstrappingGetNonceTimeout = "{{GetSecureTLSBootstrappingGetNonceTimeout}}"; $global:SecureTLSBootstrappingGetAttestedDataTimeout = "{{GetSecureTLSBootstrappingGetAttestedDataTimeout}}"; $global:SecureTLSBootstrappingGetCredentialTimeout = "{{GetSecureTLSBootstrappingGetCredentialTimeout}}"; -$global:SecureTLSBootstrappingDeadline = "{{GetSecureTLSBootstrappingDeadline}}"; # uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks # this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens diff --git a/pkg/agent/baker.go b/pkg/agent/baker.go index bdc69f59aed..c9955bde934 100644 --- a/pkg/agent/baker.go +++ b/pkg/agent/baker.go 
@@ -740,9 +740,6 @@ func getContainerServiceFuncMap(config *datamodel.NodeBootstrappingConfiguration "GetSecureTLSBootstrappingGetCredentialTimeout": func() string { return config.SecureTLSBootstrappingConfig.GetGetCredentialTimeout() }, - "GetSecureTLSBootstrappingDeadline": func() string { - return config.SecureTLSBootstrappingConfig.GetDeadline() - }, "GetTLSBootstrapTokenForKubeConfig": func() string { return GetTLSBootstrapTokenForKubeConfig(config.KubeletClientTLSBootstrapToken) }, diff --git a/pkg/agent/baker_test.go b/pkg/agent/baker_test.go index c167bafd10c..48838e52280 100644 --- a/pkg/agent/baker_test.go +++ b/pkg/agent/baker_test.go @@ -1163,7 +1163,6 @@ var _ = Describe("getLinuxNodeCSECommand", func() { GetNonceTimeout: "custom-get-nonce-timeout", GetAttestedDataTimeout: "custom-get-attested-data-timeout", GetCredentialTimeout: "custom-get-credential-timeout", - Deadline: "custom-deadline", } cseCmd := templateGenerator.getLinuxNodeCSECommand(baseConfig) @@ -1181,7 +1180,6 @@ var _ = Describe("getLinuxNodeCSECommand", func() { Expect(vars).To(HaveKeyWithValue("SECURE_TLS_BOOTSTRAPPING_GET_NONCE_TIMEOUT", "custom-get-nonce-timeout")) Expect(vars).To(HaveKeyWithValue("SECURE_TLS_BOOTSTRAPPING_GET_ATTESTED_DATA_TIMEOUT", "custom-get-attested-data-timeout")) Expect(vars).To(HaveKeyWithValue("SECURE_TLS_BOOTSTRAPPING_GET_CREDENTIAL_TIMEOUT", "custom-get-credential-timeout")) - Expect(vars).To(HaveKeyWithValue("SECURE_TLS_BOOTSTRAPPING_DEADLINE", "custom-deadline")) Expect(vars).To(HaveKeyWithValue("CUSTOM_SECURE_TLS_BOOTSTRAPPING_CLIENT_DOWNLOAD_URL", "custom-client-download-url")) }) diff --git a/pkg/agent/datamodel/types.go b/pkg/agent/datamodel/types.go index 2f3acde27e4..3bd0094c269 100644 --- a/pkg/agent/datamodel/types.go +++ b/pkg/agent/datamodel/types.go 
@@ -1906,13 +1906,6 @@ type SecureTLSBootstrappingConfig struct { // GetCredentialTimeout is an optional override passed to the secure TLS bootstrap client during provisioning. // This is the amount of time given to the bootstrap client to retrieve a credential from the bootstrap server. GetCredentialTimeout string `json:"secureTLSBootstrappingGetCredentialTimeout,omitempty"` - - // Deadline is an optional override passed to the secure TLS bootstrap client during provisioning. - // This is the amount of time we let secure TLS bootstrapping attempt to succeed before falling back - // to using the bootstrap token. This will be removed once bootstrap tokens are no longer a viable fall-back. - // - // Deprecated: Use individual RPC timeouts instead. - Deadline string `json:"secureTLSBootstrappingDeadline,omitempty"` } func (c *SecureTLSBootstrappingConfig) GetEnabled() bool { @@ -1985,13 +1978,6 @@ func (c *SecureTLSBootstrappingConfig) GetGetCredentialTimeout() string { return c.GetCredentialTimeout } -func (c *SecureTLSBootstrappingConfig) GetDeadline() string { - if c == nil { - return "" - } - return c.Deadline -} - // AKSKubeletConfiguration contains the configuration for the Kubelet that AKS set. /* this is a subset of KubeletConfiguration defined in https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubelet/config/v1beta1/types.go diff --git a/spec/parts/linux/cloud-init/artifacts/cse_config_spec.sh b/spec/parts/linux/cloud-init/artifacts/cse_config_spec.sh index bc98214c428..13e7b629dd9 100755 --- a/spec/parts/linux/cloud-init/artifacts/cse_config_spec.sh +++ b/spec/parts/linux/cloud-init/artifacts/cse_config_spec.sh 
@@ -1597,7 +1597,6 @@ SETUP_EOF
 SECURE_TLS_BOOTSTRAPPING_GET_NONCE_TIMEOUT="custom-get-nonce-timeout"
 SECURE_TLS_BOOTSTRAPPING_GET_ATTESTED_DATA_TIMEOUT="custom-get-attested-data-timeout"
 SECURE_TLS_BOOTSTRAPPING_GET_CREDENTIAL_TIMEOUT="custom-get-credential-timeout"
- SECURE_TLS_BOOTSTRAPPING_DEADLINE="custom-deadline"
 SECURE_TLS_BOOTSTRAPPING_AAD_RESOURCE="custom-resource"
 SECURE_TLS_BOOTSTRAPPING_USER_ASSIGNED_IDENTITY_ID="custom-identity-id"
 When call configureAndEnableSecureTLSBootstrapping
@@ -1611,7 +1610,7 @@ SETUP_EOF
 The contents of file "secure-tls-bootstrap.service.d/10-securetlsbootstrap.conf" should include "EnvironmentFile=default/secure-tls-bootstrap"
 The contents of file "secure-tls-bootstrap.service.d/10-securetlsbootstrap.conf" should include "[Install]"
 The contents of file "secure-tls-bootstrap.service.d/10-securetlsbootstrap.conf" should include "WantedBy=kubelet.service"
- The contents of file "default/secure-tls-bootstrap" should include 'BOOTSTRAP_FLAGS=--aad-resource=custom-resource --apiserver-fqdn=fqdn --cloud-provider-config=/etc/kubernetes/azure.json --user-assigned-identity-id=custom-identity-id --validate-kubeconfig-timeout=custom-validate-kubeconfig-timeout --get-access-token-timeout=custom-get-access-token-timeout --get-instance-data-timeout=custom-get-instance-data-timeout --get-nonce-timeout=custom-get-nonce-timeout --get-attested-data-timeout=custom-get-attested-data-timeout --get-credential-timeout=custom-get-credential-timeout --deadline=custom-deadline'
+ The contents of file "default/secure-tls-bootstrap" should include 'BOOTSTRAP_FLAGS=--aad-resource=custom-resource --apiserver-fqdn=fqdn --cloud-provider-config=/etc/kubernetes/azure.json --user-assigned-identity-id=custom-identity-id --validate-kubeconfig-timeout=custom-validate-kubeconfig-timeout --get-access-token-timeout=custom-get-access-token-timeout --get-instance-data-timeout=custom-get-instance-data-timeout --get-nonce-timeout=custom-get-nonce-timeout --get-attested-data-timeout=custom-get-attested-data-timeout --get-credential-timeout=custom-get-credential-timeout'
 The status should be success
 End
 End
diff --git a/staging/cse/windows/kubernetesfunc.ps1 b/staging/cse/windows/kubernetesfunc.ps1
index a71e04daf6d..0d43a23eb02 100644
--- a/staging/cse/windows/kubernetesfunc.ps1
+++ b/staging/cse/windows/kubernetesfunc.ps1
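Review bot: The updated `BOOTSTRAP_FLAGS=` expectation in the cse_config_spec.sh hunk is a strict prefix of the string it replaces, so if `should include` is a substring match (as it appears to be), this assertion would still pass with `--deadline=...` appended to the flags. Nothing in the example now proves the flag is gone, and the setup in the preceding hunk no longer sets `SECURE_TLS_BOOTSTRAPPING_DEADLINE`, so a stale value arriving from an older provisioning payload is not exercised either. Since the removed field's doc comment says the deadline governed the fall-back to the bootstrap token, a negative check is worth adding next to the changed line: `The contents of file "default/secure-tls-bootstrap" should not include "--deadline"`. Keeping `SECURE_TLS_BOOTSTRAPPING_DEADLINE="custom-deadline"` in the setup alongside it would show the variable is ignored rather than merely unset. The enclosing example block starts outside this hunk.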
@@ -134,8 +134,7 @@ function Write-KubeClusterConfig { GetInstanceDataTimeout = $global:SecureTLSBootstrappingGetInstanceDataTimeout; GetNonceTimeout = $global:SecureTLSBootstrappingGetNonceTimeout; GetAttestedDataTimeout = $global:SecureTLSBootstrappingGetAttestedDataTimeout; - GetCredentialTimeout = $global:SecureTLSBootstrappingGetCredentialTimeout; - Deadline = $global:SecureTLSBootstrappingDeadline + GetCredentialTimeout = $global:SecureTLSBootstrappingGetCredentialTimeout }; }; Kubeproxy = @{ diff --git a/staging/cse/windows/provisioningscripts/kubeletstart.ps1 b/staging/cse/windows/provisioningscripts/kubeletstart.ps1 index 5a7557333cb..be2ddced90d 100644 --- a/staging/cse/windows/provisioningscripts/kubeletstart.ps1 +++ b/staging/cse/windows/provisioningscripts/kubeletstart.ps1 @@ -24,7 +24,6 @@ $global:SecureTLSBootstrappingGetInstanceDataTimeout = $Global:ClusterConfigurat $global:SecureTLSBootstrappingGetNonceTimeout = $Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.GetNonceTimeout $global:SecureTLSBootstrappingGetAttestedDataTimeout = $Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.GetAttestedDataTimeout $global:SecureTLSBootstrappingGetCredentialTimeout = $Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.GetCredentialTimeout -$global:SecureTLSBootstrappingDeadline = $Global:ClusterConfiguration.Kubernetes.Kubelet.SecureTLSBootstrapArgs.Deadline $global:AzureCNIDir = [Io.path]::Combine("$global:KubeDir", "azurecni") $global:AzureCNIBinDir = [Io.path]::Combine("$global:AzureCNIDir", "bin") 
@@ -138,9 +137,6 @@ if ($global:EnableSecureTLSBootstrapping) { if (![string]::IsNullOrEmpty($global:SecureTLSBootstrappingGetCredentialTimeout)) { $SecureTLSBootstrappingArgs["GetCredentialTimeout"] = "$global:SecureTLSBootstrappingGetCredentialTimeout" } - if (![string]::IsNullOrEmpty($global:SecureTLSBootstrappingDeadline)) { - $SecureTLSBootstrappingArgs["Deadline"] = "$global:SecureTLSBootstrappingDeadline" - } & "c:\k\securetlsbootstrap.ps1" @SecureTLSBootstrappingArgs }