Gangams/arc proxy contract and token renewal updates

charts/azuremonitor-containers/templates/omsagent-deployment.yaml

@@ -157,5 +157,5 @@ spec:
     - name: omsagent-adx-secret
       secret:
        secretName: omsagent-adx-secret
-       optional: true
+       optional: true 
 {{- end }}

charts/azuremonitor-containers/templates/omsagent-rbac.yaml

@@ -28,7 +28,7 @@ rules:
   resources: ["healthstates"]
   verbs: ["get", "create", "patch"]
 - apiGroups: ["clusterconfig.azure.com"]
-  resources: ["azureclusteridentityrequests"]
+  resources: ["azureclusteridentityrequests", "azureclusteridentityrequests/status"]
   resourceNames: ["container-insights-clusteridentityrequest"]
   verbs: ["get", "create", "patch"]
 - nonResourceURLs: ["/metrics"]

charts/azuremonitor-containers/templates/omsagent-secret.yaml

@@ -13,7 +13,19 @@ data:
   WSID: {{ required "A valid workspace id is required!" .Values.omsagent.secret.wsid | b64enc | quote }}
   KEY: {{ required "A valid workspace key is required!" .Values.omsagent.secret.key | b64enc | quote }}
   DOMAIN: {{ .Values.omsagent.domain | b64enc | quote }}
-  {{- if ne .Values.omsagent.proxy "<your_proxy_config>" }}
+  {{- $httpsProxyDict := urlParse .Values.Azure.proxySettings.httpsProxy  -}}
+  {{- $httpProxyDict := urlParse .Values.Azure.proxySettings.httpProxy  -}}
+  {{- if and (and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.httpsProxy)) ($httpsProxyDict.userinfo) }} 
+  PROXY: {{ .Values.Azure.proxySettings.httpsProxy | b64enc | quote }}
+  {{- else if and (and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.httpsProxy)) (empty $httpsProxyDict.userinfo) }}   
+  # adding arbitrary creds since omsagent expects arbitrary creds in case of no auth
+  PROXY: {{ urlJoin (dict "scheme" $httpsProxyDict.scheme "userinfo" "admin:secret"  "host"  $httpsProxyDict.host) | b64enc | quote }}
+  {{- else if and (and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.httpProxy)) ($httpProxyDict.userinfo) }}
+  PROXY: {{ .Values.Azure.proxySettings.httpProxy | b64enc | quote }}
+  {{- else if and (and (.Values.Azure.proxySettings.isProxyEnabled) (.Values.Azure.proxySettings.httpProxy)) (empty $httpProxyDict.userinfo) }} 
+  # adding arbitrary creds since omsagent expects arbitrary creds in case of no auth
+  PROXY: {{ urlJoin (dict "scheme" $httpProxyDict.scheme "userinfo" "admin:secret"  "host"  $httpProxyDict.host) | b64enc | quote }}
+  {{- else if ne .Values.omsagent.proxy "<your_proxy_config>" }}
   PROXY: {{ .Values.omsagent.proxy | b64enc | quote }}
   {{- end }}
 {{- end }}

charts/azuremonitor-containers/values.yaml

@@ -12,6 +12,12 @@ Azure:
   Extension:
     Name: ""
     ResourceId: ""
+  proxySettings:
+    isProxyEnabled: false
+    httpProxy: ""
+    httpsProxy: ""
+    noProxy: ""
+    proxyCert: ""   
 omsagent:
   image:
     repo: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod"

scripts/onboarding/templates/arc-k8s-extension/existingClusterOnboarding.json

@@ -13,14 +13,7 @@
       "metadata": {
         "description": "Location of the Azure Arc Connected Cluster Resource e.g. \"eastus\""
       }
-    },
-    "proxyEndpointUrl": {
-      "type": "string",
-      "defaultValue": "",
-      "metadata": {
-        "description": "If the cluster behind forward proxy, then specify Proxy Endpoint URL in this format: http(s)://<user>:<password>@<proxyhost>:<port>"
-      }
-    },
+    },  
     "workspaceResourceId": {
       "type": "string",
       "metadata": {
@@ -114,8 +107,7 @@
                 },
                 "configurationProtectedSettings": {
                   "omsagent.secret.wsid": "[reference(parameters('workspaceResourceId'), '2015-03-20').customerId]",
-                  "omsagent.secret.key": "[listKeys(parameters('workspaceResourceId'), '2015-03-20').primarySharedKey]" ,
-                  "omsagent.proxy": "[if(equals(parameters('proxyEndpointUrl'), ''), '<your_proxy_config>', parameters('proxyEndpointUrl'))]"             
+                  "omsagent.secret.key": "[listKeys(parameters('workspaceResourceId'), '2015-03-20').primarySharedKey]"              
                 },
                 "autoUpgradeMinorVersion": true,
                 "releaseTrain": "Stable",

scripts/onboarding/templates/arc-k8s-extension/existingClusterParam.json

@@ -8,9 +8,6 @@
     "clusterRegion": {
       "value": "<clusterRegion>"
     },
-    "proxyEndpointUrl": {
-      "value": "<your_proxy_config>"
-    },
     "workspaceResourceId": {
       "value": "/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/microsoft.operationalinsights/workspaces/<workspaceName>"
     },

source/plugins/ruby/arc_k8s_cluster_identity.rb

@@ -26,6 +26,7 @@ def initialize
     @log.info "initialize start @ #{Time.now.utc.iso8601}"
     @token_expiry_time = Time.now
     @cached_access_token = String.new
+    @isLastTokenRenewalUpdatePending = false 
     @token_file_path = "/var/run/secrets/kubernetes.io/serviceaccount/token"
     @cert_file_path = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
     @kube_api_server_url = KubernetesApiClient.getKubeAPIServerUrl
@@ -41,14 +42,20 @@ def initialize
 
   def get_cluster_identity_token()
     begin
-      # get the cluster msi identity token either if its empty or near expirty. Token is valid 24 hrs.
+      # get the cluster msi identity token either if its empty or near expiry. Token is valid 24 hrs.
       if @cached_access_token.to_s.empty? || (Time.now + 60 * 60 > @token_expiry_time) # Refresh token 1 hr from expiration
         # renew the token if its near expiry
         if !@cached_access_token.to_s.empty? && (Time.now + 60 * 60 > @token_expiry_time)
-          @log.info "renewing the token since its near expiry @ #{Time.now.utc.iso8601}"
-          renew_near_expiry_token
-          # sleep 60 seconds to get the renewed token  available
-          sleep 60
+          if !@isLastTokenRenewalUpdatePending
+            @log.info "token expiry - @ #{@token_expiry_time}"
+            @log.info "renewing the token since token has near expiry @ #{Time.now.utc.iso8601}"
+            renew_near_expiry_token
+            # sleep 60 seconds to get the renewed token  available
+            sleep 60
+            @isLastTokenRenewalUpdatePending = true
+          else
+            @log.warn "last token renewal update still pending @ #{Time.now.utc.iso8601}"
+          end 
         end
         @log.info "get token reference from crd @ #{Time.now.utc.iso8601}"
         tokenReference = get_token_reference_from_crd
@@ -61,6 +68,7 @@ def get_cluster_identity_token()
           token = get_token_from_secret(token_secret_name, token_secret_data_name)
           if !token.nil?
             @cached_access_token = token
+            @isLastTokenRenewalUpdatePending = false 
           else
             @log.warn "got token nil from secret: #{@token_secret_name}"
           end
@@ -123,7 +131,17 @@ def get_token_reference_from_crd()
         tokenReference["expirationTime"] = status["expirationTime"]
         tokenReference["secretName"] = status["tokenReference"]["secretName"]
         tokenReference["dataName"] = status["tokenReference"]["dataName"]
-      end
+      elsif get_response.code.to_i == 404 # this might happen if the crd resource deleted by user accidently
+        @log.info "since crd resource doesnt exist hence creating crd resource : #{@@cluster_identity_resource_name} @ #{Time.now.utc.iso8601}"
+        crd_request_body = get_crd_request_body
+        crd_request_body_json = crd_request_body.to_json
+        create_request = Net::HTTP::Post.new(crd_request_uri)
+        create_request["Content-Type"] = "application/json"
+        create_request["Authorization"] = "Bearer #{@service_account_token}"
+        create_request.body = crd_request_body_json
+        create_response = @http_client.request(create_request)
+        @log.info "Got response of #{create_response.code} for POST #{crd_request_uri} @ #{Time.now.utc.iso8601}"
+      end      
     rescue => err
       @log.warn "get_token_reference_from_crd call failed: #{err}"
       ApplicationInsightsUtility.sendExceptionTelemetry(err, { "FeatureArea" => "MDM" })
@@ -141,20 +159,23 @@ def renew_near_expiry_token()
         cluster_identity_resource_namespace: @@cluster_identity_resource_namespace,
         cluster_identity_resource_name: @@cluster_identity_resource_name,
       }
-      crd_request_body = get_crd_request_body
-      crd_request_body_json = crd_request_body.to_json
-      update_request = Net::HTTP::Patch.new(crd_request_uri)
+      update_crd_request_body = { 'status': {'expirationTime': ''} }
+      update_crd_request_body_json = update_crd_request_body.to_json
+      update_crd_request_uri = crd_request_uri + "/status"
+      update_request = Net::HTTP::Patch.new(update_crd_request_uri)
       update_request["Content-Type"] = "application/merge-patch+json"
       update_request["Authorization"] = "Bearer #{@service_account_token}"
-      update_request.body = crd_request_body_json
+      update_request.body = update_crd_request_body_json
       update_response = @http_client.request(update_request)
-      @log.info "Got response of #{update_response.code} for PATCH #{crd_request_uri} @ #{Time.now.utc.iso8601}"
+      @log.info "Got response of #{update_response.code} for PATCH #{update_crd_request_uri} @ #{Time.now.utc.iso8601}"
       if update_response.code.to_i == 404
         @log.info "since crd resource doesnt exist hence creating crd resource : #{@@cluster_identity_resource_name} @ #{Time.now.utc.iso8601}"
         create_request = Net::HTTP::Post.new(crd_request_uri)
         create_request["Content-Type"] = "application/json"
         create_request["Authorization"] = "Bearer #{@service_account_token}"
-        create_request.body = crd_request_body_json
+        create_crd_request_body = get_crd_request_body
+        create_crd_request_body_json = create_crd_request_body.to_json
+        create_request.body = create_crd_request_body_json
         create_response = @http_client.request(create_request)
         @log.info "Got response of #{create_response.code} for POST #{crd_request_uri} @ #{Time.now.utc.iso8601}"
       end