feat(client): tracing enhancements, add better error handling for missing userAssignedIdentityID in cloud provider config (#138)

Co-authored-by: Cameron Meissner <[email protected]>

Author: cameronmeissner

client/cmd/client/main.go

@@ -88,15 +88,16 @@ func run(ctx context.Context) int {
 	bootstrapCtx, cancel := context.WithDeadline(bootstrapCtx, bootstrapDeadline)
 	defer cancel()
 
-	finalErr, errs, traces := bootstrap.Bootstrap(bootstrapCtx, bootstrapClient, bootstrapConfig)
+	finalErr, errLog, traces := bootstrap.Bootstrap(bootstrapCtx, bootstrapClient, bootstrapConfig)
 	bootstrapEndTime := time.Now()
 
 	var exitCode int
 	bootstrapResult := &bootstrap.Result{
 		Status:              bootstrap.StatusSuccess,
 		ElapsedMilliseconds: bootstrapEndTime.Sub(bootstrapStartTime).Milliseconds(),
-		Errors:              errs,
-		Traces:              traces,
+		Errors:              errLog,
+		Traces:              traces.GetLastNTraces(5), // only keep the last 5 traces to avoid truncating guest agent event data
+		TraceSummary:        traces.GetTraceSummary(),
 	}
 
 	if finalErr != nil {

client/hack/upload.sh

@@ -1,14 +1,24 @@
 #!/bin/bash
 set -euxo pipefail
 
+SUBSCRIPTION="${SUBSCRIPTION:-}"
+RESOURCE_GROUP="${RESOURCE_GROUP:-}"
 STORAGE_ACCOUNT_NAME="${STORAGE_ACCOUNT_NAME:-}"
 VERSION="${VERSION:-}"
+OS="${OS:-linux}"
 
+[ -z "$SUBSCRIPTION" ] && echo "SUBSCRIPTION must be specified" && exit 1
+[ -z "$RESOURCE_GROUP" ] && echo "RESOURCE_GROUP must be specified" && exit 1
 [ -z "$STORAGE_ACCOUNT_NAME" ] && echo "STORAGE_ACCOUNT_NAME must be specified" && exit 1
 [ -z "$VERSION" ] && echo "VERSION must be specified" && exit 1
 
-function build_and_upload_linux_amd64() {
-    rm -rf "bin/"
+display_download_url() {
+    local relpath="$1"
+    web_endpoint=$(az storage account show -g $RESOURCE_GROUP -n $STORAGE_ACCOUNT_NAME --subscription $SUBSCRIPTION --query primaryEndpoints.web | tr -d \")
+    echo "client download URL: ${web_endpoint}${relpath}"
+}
+
+build_and_upload_linux_amd64() {
     make build OS=linux ARCH=amd64
 
     if [ ! -f "bin/aks-secure-tls-bootstrap-client-amd64" ]; then
@@ -21,8 +31,37 @@ function build_and_upload_linux_amd64() {
         mv "${client_path}-amd64" "$client_path"
         tar_path="linux-amd64.tar.gz"
         tar -czvf "$tar_path" "$client_path"
-        az storage blob upload -f "$tar_path" --auth-mode login --blob-url "https://${STORAGE_ACCOUNT_NAME}.blob.core.windows.net/\$web/client/linux/amd64/${VERSION}"
+        az storage blob upload -f "$tar_path" --auth-mode login --blob-url "https://${STORAGE_ACCOUNT_NAME}.blob.core.windows.net/\$web/client/linux/amd64/${VERSION}.tar.gz"
     popd
+
+    display_download_url "client/linux/amd64/${VERSION}.tar.gz"
 }
 
-build_and_upload_linux_amd64
+build_and_upload_windows_amd64() {
+    make build OS=windows ARCH=amd64 EXTENSION=.exe
+
+    if [ ! -f "bin/aks-secure-tls-bootstrap-client-amd64.exe" ]; then
+        echo "could not find client binary aks-secure-tls-bootstrap-client-amd64.exe for upload within bin/"
+        exit 1
+    fi
+
+    pushd "bin/"
+        client_path="aks-secure-tls-bootstrap-client-amd64.exe"
+        mv "${client_path}" "aks-secure-tls-bootstrap-client.exe"
+        zip -r "windows-amd64.zip" "aks-secure-tls-bootstrap-client.exe"
+        az storage blob upload -f "windows-amd64.zip" --auth-mode login --blob-url "https://${STORAGE_ACCOUNT_NAME}.blob.core.windows.net/\$web/client/windows/amd64/${VERSION}.zip"
+    popd
+
+    display_download_url "client/windows/amd64/${VERSION}.zip"
+}
+
+rm -rf "bin/"
+
+if [ "${OS}" == "linux" ]; then
+    build_and_upload_linux_amd64
+elif [ "${OS}" == "windows" ]; then
+    build_and_upload_windows_amd64
+else
+    echo "unsupported OS: $OS, must be \"linux\" or \"windows\""
+    exit 1
+fi

client/internal/bootstrap/auth.go

@@ -20,6 +20,10 @@ const (
 	certificateSecretPrefix = "certificate:"
 )
 
+const (
+	clientIDForMSI = "msi"
+)
+
 const (
 	maxMSIRefreshAttempts = 3
 )
@@ -55,12 +59,16 @@ func (c *Client) getAccessToken(ctx context.Context, customClientID, resource st
 		if err != nil {
 			return "", fmt.Errorf("generating MSI access token: %w", err)
 		}
-		// to avoid falling too deep into exponential backoff implemented by adal, which follows the public retry guidance
+		// to avoid falling too deep into exponential backoff implemented by adal, which follows the public retry guidance:
 		// https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#retry-guidance
 		token.MaxMSIRefreshAttempts = maxMSIRefreshAttempts
 		return c.extractAccessTokenFunc(token)
 	}
 
+	if cloudProviderConfig.ClientID == clientIDForMSI {
+		return "", fmt.Errorf("client ID within cloud provider config indicates usage of a managed identity, though no user-assigned identity ID was provided")
+	}
+
 	env, err := azure.EnvironmentFromName(cloudProviderConfig.CloudName)
 	if err != nil {
 		return "", fmt.Errorf("getting azure environment config for cloud %q: %w", cloudProviderConfig.CloudName, err)

client/internal/bootstrap/auth_test.go

@@ -113,6 +113,7 @@ func TestGetAccessToken(t *testing.T) {
 			name: "UserAssignedIdentityID is specified in cloud provider config",
 			setupCloudProviderConfig: func(t *testing.T, config *cloud.ProviderConfig) {
 				config.UserAssignedIdentityID = "kubelet-identity-id"
+				config.ClientID = clientIDForMSI
 			},
 			setupExtractAccessTokenFunc: func(t *testing.T) extractAccessTokenFunc {
 				return func(token *adal.ServicePrincipalToken) (string, error) {
@@ -123,11 +124,26 @@ func TestGetAccessToken(t *testing.T) {
 			expectedToken: "token",
 			expectedErr:   nil,
 		},
+		{
+			name: "UserAssignedIdentityID is not specified in cloud provider config, but client ID indicates MSI usage",
+			setupCloudProviderConfig: func(t *testing.T, config *cloud.ProviderConfig) {
+				config.UserAssignedIdentityID = ""
+				config.ClientID = clientIDForMSI
+			},
+			setupExtractAccessTokenFunc: func(t *testing.T) extractAccessTokenFunc {
+				return func(token *adal.ServicePrincipalToken) (string, error) {
+					return "token", nil
+				}
+			},
+			expectedToken: "",
+			expectedErr:   errors.New("client ID within cloud provider config indicates usage of a managed identity, though no user-assigned identity ID was provided"),
+		},
 		{
 			name:           "a custom client ID is specified",
 			customClientID: "custom",
 			setupCloudProviderConfig: func(t *testing.T, config *cloud.ProviderConfig) {
 				config.UserAssignedIdentityID = "kubelet-identity-id"
+				config.ClientID = clientIDForMSI
 			},
 			setupExtractAccessTokenFunc: func(t *testing.T) extractAccessTokenFunc {
 				return func(token *adal.ServicePrincipalToken) (string, error) {

client/internal/bootstrap/bootstrap.go

@@ -1,9 +1,14 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
 package bootstrap
 
 import (
 	"context"
 	"errors"
 	"fmt"
+	"os"
+	"path/filepath"
 	"time"
 
 	"github.com/Azure/aks-secure-tls-bootstrap/client/internal/telemetry"
@@ -18,16 +23,14 @@ import (
 // In any case, a record of all errors encountered during the bootstrap process will be returned in errs, where error type is mapped to the corresponding occurrence count.
 // Additionally, a map of traces is returned in traces, which records how long each bootstrapping step took, mapping task name to a corresponding time.Duration.
 // Trace data is separately recorded for each retry attempt.
-func Bootstrap(ctx context.Context, client *Client, config *Config) (finalErr error, errs map[ErrorType]int, traces map[int]telemetry.Trace) {
-	errs = map[ErrorType]int{}
-	traces = map[int]telemetry.Trace{}
-	var retryCount int
+func Bootstrap(ctx context.Context, client *Client, config *Config) (finalErr error, errLog map[ErrorType]int, traces *telemetry.TraceStore) {
+	errLog = make(map[ErrorType]int)
+	traces = telemetry.NewTraceStore()
 
 	finalErr = retry.Do(
 		func() error {
 			defer func() {
-				traces[retryCount] = telemetry.MustGetTracer(ctx).GetTrace()
-				retryCount++
+				traces.Add(telemetry.MustGetTracer(ctx).GetTrace())
 			}()
 
 			kubeconfigData, err := client.BootstrapKubeletClientCredential(ctx, config)
@@ -44,10 +47,11 @@ func Bootstrap(ctx context.Context, client *Client, config *Config) (finalErr er
 		},
 		retry.RetryIf(func(err error) bool {
 			var bootstrapErr *BootstrapError
-			if errors.As(err, &bootstrapErr) {
-				errs[bootstrapErr.Type()]++
+			if !errors.As(err, &bootstrapErr) {
+				return false
 			}
-			return true
+			errLog[bootstrapErr.Type()]++
+			return bootstrapErr.Retryable()
 		}),
 		retry.Context(ctx),
 		retry.WrapContextErrorWithLastError(true),
@@ -58,7 +62,7 @@ func Bootstrap(ctx context.Context, client *Client, config *Config) (finalErr er
 		retry.Attempts(0), // retry indefinitely according to the context deadline
 	)
 
-	return finalErr, errs, traces
+	return finalErr, errLog, traces
 }
 
 func writeKubeconfig(ctx context.Context, config *clientcmdapi.Config, path string) error {
@@ -67,6 +71,13 @@ func writeKubeconfig(ctx context.Context, config *clientcmdapi.Config, path stri
 	tracer.StartSpan(traceName)
 	defer tracer.EndSpan(traceName)
 
+	if err := os.MkdirAll(filepath.Dir(path), 0600); err != nil {
+		return &BootstrapError{
+			errorType: ErrorTypeWriteKubeconfigFailure,
+			inner:     fmt.Errorf("creating parent directories for kubeconfig path: %w", err),
+		}
+	}
+
 	if err := clientcmd.WriteToFile(*config, path); err != nil {
 		return &BootstrapError{
 			errorType: ErrorTypeWriteKubeconfigFailure,

client/internal/bootstrap/errors.go

@@ -1,3 +1,6 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
 package bootstrap
 
 import "fmt"
@@ -21,6 +24,19 @@ type BootstrapError struct {
 	inner     error
 }
 
+func (e *BootstrapError) Retryable() bool {
+	switch e.errorType {
+	case ErrorTypeGetAccessTokenFailure,
+		ErrorTypeGetInstanceDataFailure,
+		ErrorTypeGetAttestedDataFailure,
+		ErrorTypeGetNonceFailure,
+		ErrorTypeGetCredentialFailure:
+		return true
+	default:
+		return false
+	}
+}
+
 func (e *BootstrapError) Error() string {
 	return fmt.Sprintf("%s: %s", e.errorType, e.inner.Error())
 }

client/internal/bootstrap/errors_test.go

@@ -0,0 +1,71 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+package bootstrap
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestBootstrapErrorRetryable(t *testing.T) {
+	cases := []struct {
+		name     string
+		err      *BootstrapError
+		expected bool
+	}{
+		{
+			name:     "get access token failure should be retryable",
+			err:      &BootstrapError{errorType: ErrorTypeGetAccessTokenFailure, inner: errors.New("get access token error")},
+			expected: true,
+		},
+		{
+			name:     "get instance data failure should be retryable",
+			err:      &BootstrapError{errorType: ErrorTypeGetInstanceDataFailure, inner: errors.New("get instance data error")},
+			expected: true,
+		},
+		{
+			name:     "get attested data failure should be retryable",
+			err:      &BootstrapError{errorType: ErrorTypeGetAttestedDataFailure, inner: errors.New("get attested data error")},
+			expected: true,
+		},
+		{
+			name:     "get nonce failure should be retryable",
+			err:      &BootstrapError{errorType: ErrorTypeGetNonceFailure, inner: errors.New("get nonce error")},
+			expected: true,
+		},
+		{
+			name:     "get credential failure should be retryable",
+			err:      &BootstrapError{errorType: ErrorTypeGetCredentialFailure, inner: errors.New("get credential error")},
+			expected: true,
+		},
+		{
+			name:     "get service client error should not be retryable",
+			err:      &BootstrapError{errorType: ErrorTypeGetServiceClientFailure, inner: errors.New("get service client error")},
+			expected: false,
+		},
+		{
+			name:     "get CSR failure should not be retryable",
+			err:      &BootstrapError{errorType: ErrorTypeGetCSRFailure, inner: errors.New("get CSR error")},
+			expected: false,
+		},
+		{
+			name:     "generate kubeconfig error should not be retryable",
+			err:      &BootstrapError{errorType: ErrorTypeGenerateKubeconfigFailure, inner: errors.New("generate kubeconfig error")},
+			expected: false,
+		},
+		{
+			name:     "write kubeconfig error should not be retryable",
+			err:      &BootstrapError{errorType: ErrorTypeWriteKubeconfigFailure, inner: errors.New("write kubeconfig error")},
+			expected: false,
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			assert.Equal(t, c.expected, c.err.Retryable())
+		})
+	}
+}

client/internal/bootstrap/event.go

@@ -1,3 +1,6 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
 package bootstrap
 
 import (
@@ -55,11 +58,19 @@ const (
 )
 
 type Result struct {
-	Status              Status                  `json:"Status"`
-	ElapsedMilliseconds int64                   `json:"ElapsedMilliseconds"`
-	Errors              map[ErrorType]int       `json:"Errors,omitempty"`
-	Traces              map[int]telemetry.Trace `json:"Traces,omitempty"`
-	FinalError          string                  `json:"FinalError,omitempty"`
+	// Status is terminal status of the bootstrapping event.
+	Status Status `json:"Status"`
+	// ElapsedMilliseconds measures how long the bootstrapping event took to execute, in milliseconds.
+	ElapsedMilliseconds int64 `json:"ElapsedMilliseconds"`
+	// Errors is a mapping from top-level bootstrapping error type of the number of times it occurred during the event.
+	Errors map[ErrorType]int `json:"Errors,omitempty"`
+	// Traces is a mapping from retry attempt to corresponding Trace. A Trace maps span names to their respective durations.
+	// This will only ever contain data for the last 3 retries to avoid truncating guest agent event data.
+	Traces map[int]telemetry.Trace `json:"Traces,omitempty"`
+	// TraceSummary is a special Trace which maps span names to their total durations across all retry attempts.
+	TraceSummary telemetry.Trace `json:"TraceSummary,omitempty"`
+	// FinalError is the the error returned by the last retry attempt, assuming the overall bootstrapping event failed.
+	FinalError string `json:"FinalError,omitempty"`
 }
 
 type Event struct {

client/internal/bootstrap/event_test.go

@@ -1,3 +1,6 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
 package bootstrap
 
 import (

client/internal/build/build.go

@@ -1,3 +1,6 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
 package build
 
 // version holds the current version string, provided via go ldflags.