test(e2e): assign kubelet and abe2e identities to E2E VMs, use kubelet identity to authenticate with private ACR (#7352)

cameronmeissner · web-flow · commit bff377cf7350 · 2025-11-11T19:06:36.000-05:00
diff --git a/e2e/cluster.go b/e2e/cluster.go
@@ -100,11 +100,11 @@ func prepareCluster(ctx context.Context, cluster *armcontainerservice.ManagedClu
 	}
 
 	if isNonAnonymousPull {
-		identity, err := config.Azure.UserAssignedIdentities.Get(ctx, resourceGroupName, config.VMIdentityName, nil)
+		kubeletIdentity, err := getClusterKubeletIdentity(cluster)
 		if err != nil {
-			return nil, fmt.Errorf("failed to get VM identity: %w", err)
+			return nil, fmt.Errorf("getting kubelet identity to assign ACR pull permissions: %w", err)
 		}
-		if err := assignACRPullToIdentity(ctx, config.GetPrivateACRName(isNonAnonymousPull, *cluster.Location), *identity.Properties.PrincipalID, *cluster.Location); err != nil {
+		if err := assignACRPullToIdentity(ctx, config.GetPrivateACRName(isNonAnonymousPull, *cluster.Location), *kubeletIdentity.ObjectID, *cluster.Location); err != nil {
 			return nil, fmt.Errorf("assign acr pull to the managed identity: %w", err)
 		}
 	}
@@ -139,6 +139,17 @@ func prepareCluster(ctx context.Context, cluster *armcontainerservice.ManagedClu
 	}, nil
 }
 
+func getClusterKubeletIdentity(cluster *armcontainerservice.ManagedCluster) (*armcontainerservice.UserAssignedIdentity, error) {
+	if cluster == nil || cluster.Properties == nil || cluster.Properties.IdentityProfile == nil {
+		return nil, fmt.Errorf("cannot dereference cluster identity profile to extract kubelet identity ID")
+	}
+	kubeletIdentity := cluster.Properties.IdentityProfile["kubeletidentity"]
+	if kubeletIdentity == nil {
+		return nil, fmt.Errorf("kubelet identity is missing from cluster properties")
+	}
+	return kubeletIdentity, nil
+}
+
 func extractClusterParameters(ctx context.Context, kube *Kubeclient, cluster *armcontainerservice.ManagedCluster) (*ClusterParams, error) {
 	kubeconfig, err := clientcmd.Load(kube.KubeConfig)
 	if err != nil {
diff --git a/e2e/node_config.go b/e2e/node_config.go
@@ -97,7 +97,7 @@ var baseKubeletConfig = &aksnodeconfigv1.KubeletConfig{
 	},
 }
 
-func getBaseNBC(t testing.TB, cluster *Cluster, vhd *config.Image) *datamodel.NodeBootstrappingConfiguration {
+func getBaseNBC(t testing.TB, cluster *Cluster, vhd *config.Image) (*datamodel.NodeBootstrappingConfiguration, error) {
 	var nbc *datamodel.NodeBootstrappingConfiguration
 
 	if vhd.Distro.IsWindowsDistro() {
@@ -110,17 +110,23 @@ func getBaseNBC(t testing.TB, cluster *Cluster, vhd *config.Image) *datamodel.No
 		nbc.ContainerService.Properties.ClusterID = *cluster.Model.ID
 		nbc.SubscriptionID = config.Config.SubscriptionID
 		nbc.ResourceGroupName = *cluster.Model.Properties.NodeResourceGroup
-		nbc.TenantID = *cluster.Model.Identity.TenantID
 	} else {
 		nbc = baseTemplateLinux(t, *cluster.Model.Location, *cluster.Model.Properties.CurrentKubernetesVersion, vhd.Arch)
 	}
 
+	kubeletIdentity, err := getClusterKubeletIdentity(cluster.Model)
+	if err != nil {
+		return nil, fmt.Errorf("getting cluster kubelet identity to create base NodeBootstrappingConfiguration: %w", err)
+	}
+	nbc.UserAssignedIdentityClientID = *kubeletIdentity.ClientID
+
+	nbc.TenantID = *cluster.Model.Identity.TenantID
 	nbc.ContainerService.Properties.CertificateProfile.CaCertificate = string(cluster.ClusterParams.CACert)
 	nbc.KubeletClientTLSBootstrapToken = &cluster.ClusterParams.BootstrapToken
 	nbc.ContainerService.Properties.HostedMasterProfile.FQDN = cluster.ClusterParams.FQDN
 	nbc.ContainerService.Properties.AgentPoolProfiles[0].Distro = vhd.Distro
 	nbc.AgentPoolProfile.Distro = vhd.Distro
-	return nbc
+	return nbc, nil
 }
 
 // is a temporary workaround
diff --git a/e2e/scenario_test.go b/e2e/scenario_test.go
@@ -195,8 +195,9 @@ func Test_AzureLinuxV2_SecureTLSBootstrapping_BootstrapToken_Fallback(t *testing
 			VHD:     config.VHDAzureLinuxV2Gen2,
 			BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
 				nbc.SecureTLSBootstrappingConfig = &datamodel.SecureTLSBootstrappingConfig{
-					Enabled:  true,
-					Deadline: (30 * time.Second).String(),
+					Enabled:     true,
+					Deadline:    (30 * time.Second).String(),
+					AADResource: "https://management.azure.com/", // use an unexpected AAD resource to force a secure TLS bootstrapping failure
 				}
 			},
 		},
@@ -899,12 +900,6 @@ func Test_Ubuntu2204_AirGap(t *testing.T) {
 // TODO: refactor NonAnonymous tests to use the same cluster as Anonymous airgap
 // or deprecate anonymous ACR airgap tests once it is unsupported
 func Test_Ubuntu2204_AirGap_NonAnonymousACR(t *testing.T) {
-	location := config.Config.DefaultLocation
-
-	ctx := newTestCtx(t)
-	identity, err := config.Azure.UserAssignedIdentities.Get(ctx, config.ResourceGroupName(location), config.VMIdentityName, nil)
-	require.NoError(t, err)
-
 	RunScenario(t, &Scenario{
 		Description: "Tests that a node using the Ubuntu 2204 VHD and is airgap can be properly bootstrapped",
 		Tags: Tags{
@@ -915,9 +910,6 @@ func Test_Ubuntu2204_AirGap_NonAnonymousACR(t *testing.T) {
 			Cluster: ClusterKubenetAirgapNonAnon,
 			VHD:     config.VHDUbuntu2204Gen2Containerd,
 			BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
-				nbc.TenantID = *identity.Properties.TenantID
-				nbc.UserAssignedIdentityClientID = *identity.Properties.ClientID
-
 				nbc.OutboundType = datamodel.OutboundTypeBlock
 				nbc.ContainerService.Properties.SecurityProfile = &datamodel.SecurityProfile{
 					PrivateEgress: &datamodel.PrivateEgress{
@@ -971,10 +963,6 @@ func Test_Ubuntu2204Gen2_ContainerdAirgappedK8sNotCached(t *testing.T) {
 }
 
 func Test_Ubuntu2204Gen2_ContainerdAirgappedNonAnonymousK8sNotCached(t *testing.T) {
-	location := config.Config.DefaultLocation
-	ctx := newTestCtx(t)
-	identity, err := config.Azure.UserAssignedIdentities.Get(ctx, config.ResourceGroupName(location), config.VMIdentityName, nil)
-	require.NoError(t, err)
 	RunScenario(t, &Scenario{
 		Description: "Tests that a node using the Ubuntu 2204 VHD without k8s binary and is airgap can be properly bootstrapped",
 		Tags: Tags{
@@ -985,13 +973,11 @@ func Test_Ubuntu2204Gen2_ContainerdAirgappedNonAnonymousK8sNotCached(t *testing.
 			Cluster: ClusterKubenetAirgapNonAnon,
 			VHD:     config.VHDUbuntu2204Gen2ContainerdAirgappedK8sNotCached,
 			BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
-				nbc.TenantID = *identity.Properties.TenantID
-				nbc.UserAssignedIdentityClientID = *identity.Properties.ClientID
 				nbc.OutboundType = datamodel.OutboundTypeBlock
 				nbc.ContainerService.Properties.SecurityProfile = &datamodel.SecurityProfile{
 					PrivateEgress: &datamodel.PrivateEgress{
 						Enabled:                 true,
-						ContainerRegistryServer: fmt.Sprintf("%s.azurecr.io", config.PrivateACRNameNotAnon(location)),
+						ContainerRegistryServer: fmt.Sprintf("%s.azurecr.io", config.PrivateACRNameNotAnon(config.Config.DefaultLocation)),
 					},
 				}
 				nbc.AgentPoolProfile.LocalDNSProfile = nil
@@ -1000,7 +986,7 @@ func Test_Ubuntu2204Gen2_ContainerdAirgappedNonAnonymousK8sNotCached(t *testing.
 				// intentionally using private acr url to get kube binaries
 				nbc.AgentPoolProfile.KubernetesConfig.CustomKubeBinaryURL = fmt.Sprintf(
 					"%s.azurecr.io/oss/binaries/kubernetes/kubernetes-node:v%s-linux-amd64",
-					config.PrivateACRNameNotAnon(location),
+					config.PrivateACRNameNotAnon(config.Config.DefaultLocation),
 					nbc.ContainerService.Properties.OrchestratorProfile.OrchestratorVersion)
 				nbc.K8sComponents.LinuxCredentialProviderURL = fmt.Sprintf(
 					"https://packages.aks.azure.com/cloud-provider-azure/v%s/binaries/azure-acr-credential-provider-linux-amd64-v%s.tar.gz",
@@ -1910,8 +1896,9 @@ func Test_Ubuntu2404Gen2_SecureTLSBootstrapping_BootstrapToken_Fallback(t *testi
 			VHD:     config.VHDUbuntu2404Gen2Containerd,
 			BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
 				nbc.SecureTLSBootstrappingConfig = &datamodel.SecureTLSBootstrappingConfig{
-					Enabled:  true,
-					Deadline: (30 * time.Second).String(),
+					Enabled:     true,
+					Deadline:    (30 * time.Second).String(),
+					AADResource: "https://management.azure.com/", // use an unexpected AAD resource to force a secure TLS bootstrapping failure
 				}
 			},
 		},
@@ -2118,10 +2105,6 @@ func Test_Ubuntu2204_PMC_Install(t *testing.T) {
 }
 
 func Test_Ubuntu2204Gen2_ContainerdAirgappedNonAnonymousK8sNotCached_InstallPackage(t *testing.T) {
-	location := config.Config.DefaultLocation
-	ctx := newTestCtx(t)
-	identity, err := config.Azure.UserAssignedIdentities.Get(ctx, config.ResourceGroupName(location), config.VMIdentityName, nil)
-	require.NoError(t, err)
 	RunScenario(t, &Scenario{
 		Description: "Tests that a node using the Ubuntu 2204 VHD without k8s binary and is airgap can be properly bootstrapped",
 		Tags: Tags{
@@ -2132,13 +2115,11 @@ func Test_Ubuntu2204Gen2_ContainerdAirgappedNonAnonymousK8sNotCached_InstallPack
 			Cluster: ClusterKubenetAirgapNonAnon,
 			VHD:     config.VHDUbuntu2204Gen2ContainerdAirgappedK8sNotCached,
 			BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
-				nbc.TenantID = *identity.Properties.TenantID
-				nbc.UserAssignedIdentityClientID = *identity.Properties.ClientID
 				nbc.OutboundType = datamodel.OutboundTypeBlock
 				nbc.ContainerService.Properties.SecurityProfile = &datamodel.SecurityProfile{
 					PrivateEgress: &datamodel.PrivateEgress{
 						Enabled:                 true,
-						ContainerRegistryServer: fmt.Sprintf("%s.azurecr.io", config.PrivateACRNameNotAnon(location)),
+						ContainerRegistryServer: fmt.Sprintf("%s.azurecr.io", config.PrivateACRNameNotAnon(config.Config.DefaultLocation)),
 					},
 				}
 				nbc.AgentPoolProfile.LocalDNSProfile = nil
@@ -2147,7 +2128,7 @@ func Test_Ubuntu2204Gen2_ContainerdAirgappedNonAnonymousK8sNotCached_InstallPack
 				// intentionally using private acr url to get kube binaries
 				nbc.AgentPoolProfile.KubernetesConfig.CustomKubeBinaryURL = fmt.Sprintf(
 					"%s.azurecr.io/oss/binaries/kubernetes/kubernetes-node:v%s-linux-amd64",
-					config.PrivateACRNameNotAnon(location),
+					config.PrivateACRNameNotAnon(config.Config.DefaultLocation),
 					nbc.ContainerService.Properties.OrchestratorProfile.OrchestratorVersion)
 				nbc.K8sComponents.LinuxCredentialProviderURL = fmt.Sprintf(
 					"https://packages.aks.azure.com/cloud-provider-azure/v%s/binaries/azure-acr-credential-provider-linux-amd64-v%s.tar.gz",
diff --git a/e2e/test_helpers.go b/e2e/test_helpers.go
@@ -229,7 +229,9 @@ func prepareAKSNode(ctx context.Context, s *Scenario) *ScenarioVM {
 		s.T.Fatalf("exactly one of BootstrapConfigMutator or AKSNodeConfigMutator must be set")
 	}
 
-	nbc := getBaseNBC(s.T, s.Runtime.Cluster, s.VHD)
+	var err error
+	nbc, err := getBaseNBC(s.T, s.Runtime.Cluster, s.VHD)
+	require.NoError(s.T, err)
 
 	if s.IsWindows() {
 		nbc.ContainerService.Properties.WindowsProfile.CseScriptsPackageURL = "https://packages.aks.azure.com/aks/windows/cse/"
@@ -244,7 +246,6 @@ func prepareAKSNode(ctx context.Context, s *Scenario) *ScenarioVM {
 		s.AKSNodeConfigMutator(nodeconfig)
 		s.Runtime.AKSNodeConfig = nodeconfig
 	}
-	var err error
 	publicKeyData := datamodel.PublicKey{KeyData: string(SSHKeyPublic)}
 
 	// check it all.
diff --git a/e2e/types.go b/e2e/types.go
@@ -238,7 +238,6 @@ func (s *Scenario) updateTags(ctx context.Context, vmss *armcompute.VirtualMachi
 		}
 	}
 	vmss.Tags["owner"] = to.Ptr(owner)
-
 }
 
 func getLoggedInAzUser() (string, error) {
diff --git a/e2e/vmss.go b/e2e/vmss.go
@@ -194,20 +194,16 @@ func createVMSSModel(ctx context.Context, s *Scenario) armcompute.VirtualMachine
 	}
 
 	model := getBaseVMSSModel(s, customData, cse)
-	if s.Tags.NonAnonymousACR {
-		// add acr pull identity
-		userAssignedIdentity := fmt.Sprintf(
-			"/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s",
-			config.Config.SubscriptionID,
-			config.ResourceGroupName(s.Location),
-			config.VMIdentityName,
-		)
-		model.Identity = &armcompute.VirtualMachineScaleSetIdentity{
-			Type: to.Ptr(armcompute.ResourceIdentityTypeSystemAssignedUserAssigned),
-			UserAssignedIdentities: map[string]*armcompute.UserAssignedIdentitiesValue{
-				userAssignedIdentity: {},
-			},
-		}
+
+	// always assign the abe2e + kubelet identities to the VMSS
+	kubeletIdentity, err := getClusterKubeletIdentity(s.Runtime.Cluster.Model)
+	require.NoError(s.T, err)
+	model.Identity = &armcompute.VirtualMachineScaleSetIdentity{
+		Type: to.Ptr(armcompute.ResourceIdentityTypeSystemAssignedUserAssigned),
+		UserAssignedIdentities: map[string]*armcompute.UserAssignedIdentitiesValue{
+			*kubeletIdentity.ResourceID:                    {},
+			config.Config.VMIdentityResourceID(s.Location): {},
+		},
 	}
 
 	isAzureCNI, err := cluster.IsAzureCNI()

Original file line number	Diff line number	Diff line change
`@@ -238,7 +238,6 @@ func (s Scenario) updateTags(ctx context.Context, vmss armcompute.VirtualMachi`
`238`	`238`	`}`
`239`	`239`	`}`
`240`	`240`	`vmss.Tags["owner"] = to.Ptr(owner)`
`241`		`-`
`242`	`241`	`}`
`243`	`242`
`244`	`243`	`func getLoggedInAzUser() (string, error) {`