From 69533964c2b8775e9926d1de1c174d939f3f74e4 Mon Sep 17 00:00:00 2001 From: Rashmi Mysore Chandrashekar Date: Wed, 19 Aug 2020 12:14:41 -0700 Subject: [PATCH 1/5] bootstrapping certs --- kubernetes/windows/main.ps1 | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/kubernetes/windows/main.ps1 b/kubernetes/windows/main.ps1 index de82722ad..f63a7edd6 100644 --- a/kubernetes/windows/main.ps1 +++ b/kubernetes/windows/main.ps1 @@ -263,6 +263,27 @@ function Generate-Certificates { C:\\opt\\omsagentwindows\\certgenerator\\certificategenerator.exe } +function Bootstrap-CACertificates { + try { + $caCerts=Invoke-WebRequest 'http://168.63.129.16/machine?comp=acmspackage&type=cacertificates&ext=json' -UseBasicParsing | ConvertFrom-Json + if (![string]::IsNullOrEmpty($caCerts)) { + $certificates = $caCerts.Certificates + for ($index = 0; $index -lt $certificates.Length ; $index++) { + $name=$certificates[$index].Name + # Write-Host "certificate-object: $($certificates[$index])" + $certificates[$index].CertBody > $name + Write-Host "name: $($name)" + Import-Certificate -FilePath .\$name -CertStoreLocation 'Cert:\LocalMachine\Root' -Verbose + } + } + } + catch { + $e = $_.Exception + Write-Host $e + Write-Host "exception occured in Bootstrap-CACertificates..." + } +} + function Test-CertificatePath { $certLocation = $env:CI_CERT_LOCATION $keyLocation = $env:CI_KEY_LOCATION @@ -288,6 +309,10 @@ Start-Transcript -Path main.txt Remove-WindowsServiceIfItExists "fluentdwinaks" Set-EnvironmentVariables Start-FileSystemWatcher + +#Bootstrapping CA certs for non public clouds +Bootstrap-CACertificates + Generate-Certificates Test-CertificatePath Start-Fluent From fca66809939d3706a3ebba0c05a4a6773f1f0351 Mon Sep 17 00:00:00 2001 From: Rashmi Mysore Chandrashekar Date: Mon, 28 Sep 2020 19:01:08 -0700 Subject: [PATCH 2/5] adding windows cert changes --- kubernetes/windows/main.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
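Review bot: In Bootstrap-CACertificates the `Name` field of the JSON response is used unchecked as a file path (`$certificates[$index].CertBody > $name`, then `-FilePath .\$name`), so a name containing path separators or `..` would write outside the working directory, and the written files are never removed. Since the response is fetched over plain HTTP and whatever it contains ends up in `Cert:\LocalMachine\Root`, I would reduce the name to a leaf and stage it in a temp location, e.g. `$path = Join-Path $env:TEMP ([System.IO.Path]::GetFileName($name))`, `Set-Content -Path $path -Value $certificates[$index].CertBody`, `Import-Certificate -FilePath $path -CertStoreLocation 'Cert:\LocalMachine\Root'`, and delete the file after the import. Logging the thumbprint of the object Import-Certificate returns, rather than only the name, would make changes to the machine trust store auditable. The catch block only prints the exception, so the steps that run afterwards cannot tell a failed bootstrap from a successful one.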
diff --git a/kubernetes/windows/main.ps1 b/kubernetes/windows/main.ps1 index f63a7edd6..325435489 100644 --- a/kubernetes/windows/main.ps1 +++ b/kubernetes/windows/main.ps1 @@ -265,12 +265,12 @@ function Generate-Certificates { function Bootstrap-CACertificates { try { + # This is required when the root CA certs are different for some clouds. $caCerts=Invoke-WebRequest 'http://168.63.129.16/machine?comp=acmspackage&type=cacertificates&ext=json' -UseBasicParsing | ConvertFrom-Json if (![string]::IsNullOrEmpty($caCerts)) { $certificates = $caCerts.Certificates for ($index = 0; $index -lt $certificates.Length ; $index++) { $name=$certificates[$index].Name - # Write-Host "certificate-object: $($certificates[$index])" $certificates[$index].CertBody > $name Write-Host "name: $($name)" Import-Certificate -FilePath .\$name -CertStoreLocation 'Cert:\LocalMachine\Root' -Verbose From 82f827d78298de1aa264096f7314d8778b81bed7 Mon Sep 17 00:00:00 2001 From: Rashmi Mysore Chandrashekar Date: Wed, 30 Sep 2020 16:10:55 -0700 Subject: [PATCH 3/5] Adding AKS resource check --- kubernetes/windows/main.ps1 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kubernetes/windows/main.ps1 b/kubernetes/windows/main.ps1 index 325435489..082eee860 100644 --- a/kubernetes/windows/main.ps1 +++ b/kubernetes/windows/main.ps1 @@ -310,8 +310,10 @@ Remove-WindowsServiceIfItExists "fluentdwinaks" Set-EnvironmentVariables Start-FileSystemWatcher -#Bootstrapping CA certs for non public clouds -Bootstrap-CACertificates +#Bootstrapping CA certs for non public clouds and AKS clusters +if (![string]::IsNullOrEmpty([System.Environment]::GetEnvironmentVariable("AKS_RESOURCE_ID"))) { + Bootstrap-CACertificates +} Generate-Certificates Test-CertificatePath From 6327b729e22dca445d2844be491cc81547fb8b0c Mon Sep 17 00:00:00 2001 
From: Rashmi Mysore Chandrashekar Date: Thu, 1 Oct 2020 13:12:55 -0700 Subject: [PATCH 4/5] changes for checking if it is an AKS cluster --- kubernetes/windows/main.ps1 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kubernetes/windows/main.ps1 b/kubernetes/windows/main.ps1 index 082eee860..7e0077f07 100644 --- a/kubernetes/windows/main.ps1 +++ b/kubernetes/windows/main.ps1 @@ -311,7 +311,9 @@ Set-EnvironmentVariables Start-FileSystemWatcher #Bootstrapping CA certs for non public clouds and AKS clusters -if (![string]::IsNullOrEmpty([System.Environment]::GetEnvironmentVariable("AKS_RESOURCE_ID"))) { +$aksResourceId = [System.Environment]::GetEnvironmentVariable("AKS_RESOURCE_ID") +if (![string]::IsNullOrEmpty($aksResourceId) && $aksResourceId.ToLower() -contains "/microsoft.containerservice/managedclusters/") +{ Bootstrap-CACertificates } From bc58f22aed3b7809ecd953c9e32b2fffcb882f17 Mon Sep 17 00:00:00 2001 From: Rashmi Mysore Chandrashekar Date: Thu, 1 Oct 2020 13:27:28 -0700 Subject: [PATCH 5/5] fixing bugs --- kubernetes/windows/main.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/windows/main.ps1 b/kubernetes/windows/main.ps1 index 7e0077f07..2e8659601 100644 --- a/kubernetes/windows/main.ps1 +++ b/kubernetes/windows/main.ps1 @@ -312,7 +312,7 @@ Start-FileSystemWatcher #Bootstrapping CA certs for non public clouds and AKS clusters $aksResourceId = [System.Environment]::GetEnvironmentVariable("AKS_RESOURCE_ID") -if (![string]::IsNullOrEmpty($aksResourceId) && $aksResourceId.ToLower() -contains "/microsoft.containerservice/managedclusters/") +if (![string]::IsNullOrEmpty($aksResourceId) -and $aksResourceId.ToLower().Contains("/microsoft.containerservice/managedclusters/")) { Bootstrap-CACertificates }
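Review bot: The condition guarding Bootstrap-CACertificates lowercases with the current culture, so `$aksResourceId.ToLower().Contains(...)` can miss the match if the id contains an upper-case `I` and the process runs under a culture with different casing rules for it (tr-TR, for example). `$aksResourceId.ToLowerInvariant().Contains("/microsoft.containerservice/managedclusters/")` or an `IndexOf(..., [System.StringComparison]::OrdinalIgnoreCase) -ge 0` comparison avoids that. Because this check decides whether the machine root store is modified, I would also log the branch taken, e.g. `else { Write-Host "Skipping CA bootstrap: AKS_RESOURCE_ID is not a managed cluster id" }`; at present a skipped bootstrap leaves no trace in the transcript.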