cherry-pick: fix: default AKSAADServerAppID in kuberneteswindowssetup.ps1 (#7278) (#7279)

cameronmeissner · web-flow · commit 9f62cab78bf4 · 2025-10-29T09:37:53.000-07:00
diff --git a/parts/windows/kuberneteswindowssetup.ps1 b/parts/windows/kuberneteswindowssetup.ps1
@@ -185,6 +185,11 @@ $global:SecureTLSBootstrappingAADResource = "{{GetSecureTLSBootstrappingAADResou
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "{{GetSecureTLSBootstrappingUserAssignedIdentityID}}";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "{{GetCustomSecureTLSBootstrappingClientDownloadURL}}";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("{{GetVariable "isDisableWindowsOutboundNat" }}");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+CustomCloud+ootcredentialprovider/CustomData b/pkg/agent/testdata/AKSWindows2019+CustomCloud+ootcredentialprovider/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+CustomCloud/CustomData b/pkg/agent/testdata/AKSWindows2019+CustomCloud/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+CustomVnet/CustomData b/pkg/agent/testdata/AKSWindows2019+CustomVnet/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+EnablePrivateClusterHostsConfigAgent/CustomData b/pkg/agent/testdata/AKSWindows2019+EnablePrivateClusterHostsConfigAgent/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+K8S116/CustomData b/pkg/agent/testdata/AKSWindows2019+K8S116/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+K8S117/CustomData b/pkg/agent/testdata/AKSWindows2019+K8S117/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+K8S118/CustomData b/pkg/agent/testdata/AKSWindows2019+K8S118/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+K8S119+CSI/CustomData b/pkg/agent/testdata/AKSWindows2019+K8S119+CSI/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+K8S119+FIPS/CustomData b/pkg/agent/testdata/AKSWindows2019+K8S119+FIPS/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+K8S119/CustomData b/pkg/agent/testdata/AKSWindows2019+K8S119/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+KubeletClientTLSBootstrapping/CustomData b/pkg/agent/testdata/AKSWindows2019+KubeletClientTLSBootstrapping/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+KubeletServingCertificateRotation/CustomData b/pkg/agent/testdata/AKSWindows2019+KubeletServingCertificateRotation/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+ManagedIdentity/CustomData b/pkg/agent/testdata/AKSWindows2019+ManagedIdentity/CustomData
@@ -181,6 +181,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+SecurityProfile/CustomData b/pkg/agent/testdata/AKSWindows2019+SecurityProfile/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows2019+ootcredentialprovider/CustomData b/pkg/agent/testdata/AKSWindows2019+ootcredentialprovider/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows23H2Gen2+NextGenNetworking/CustomData b/pkg/agent/testdata/AKSWindows23H2Gen2+NextGenNetworking/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows23H2Gen2+NextGenNetworkingDisabled/CustomData b/pkg/agent/testdata/AKSWindows23H2Gen2+NextGenNetworkingDisabled/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
diff --git a/pkg/agent/testdata/AKSWindows23H2Gen2+NextGenNetworkingNoConfig/CustomData b/pkg/agent/testdata/AKSWindows23H2Gen2+NextGenNetworkingNoConfig/CustomData
@@ -179,6 +179,11 @@ $global:SecureTLSBootstrappingAADResource = "";
 $global:SecureTLSBootstrappingUserAssignedIdentityID = "";
 $global:CustomSecureTLSBootstrappingClientDownloadURL = "";
 
+# uniquely identifies AKS's Entra ID application, see: https://learn.microsoft.com/en-us/azure/aks/kubelogin-authentication#how-to-use-kubelogin-with-aks
+# this is used by aks-secure-tls-bootstrap-client.exe when requesting AAD tokens
+# TODO(cameissner): remove once 2025-10B image is released
+$global:AKSAADServerAppID = "6dae42f8-4368-4678-94ff-3960e28e3630"
+
 # Disable OutBoundNAT in Azure CNI configuration
 $global:IsDisableWindowsOutboundNat = [System.Convert]::ToBoolean("false");
 
