diff --git a/e2e/bastionssh.go b/e2e/bastionssh.go
index e7e11735bfb..d820737ba57 100644
--- a/e2e/bastionssh.go
+++ b/e2e/bastionssh.go
@@ -20,7 +20,7 @@ import (
 "golang.org/x/crypto/ssh"
 )
 
-var AllowedSSHPrefixes = []string{ssh.KeyAlgoED25519, ssh.KeyAlgoRSA}
+var AllowedSSHPrefixes = []string{ssh.KeyAlgoED25519, ssh.KeyAlgoRSA, ssh.KeyAlgoRSASHA256, ssh.KeyAlgoRSASHA512}
 
 type Bastion struct {
 credential *azidentity.AzureCLICredential
diff --git a/e2e/config/config.go b/e2e/config/config.go
index 7717d02d9e9..6ec381af0db 100644
--- a/e2e/config/config.go
+++ b/e2e/config/config.go
@@ -1,7 +1,6 @@
 package config
 
 import (
- "crypto/ed25519"
 "crypto/rand"
 "crypto/rsa"
 "crypto/x509"
@@ -130,7 +129,7 @@ func (c *Configuration) VMIdentityResourceID(location string) string {
 }
 
 func mustLoadConfig() *Configuration {
- VMSSHPublicKey, VMSSHPrivateKeyFileName = mustGetNewED25519KeyPair()
+ VMSSHPrivateKey, VMSSHPublicKey, VMSSHPrivateKeyFileName = mustGetNewRSAKeyPair()
 err := godotenv.Load(".env")
 if err != nil {
 fmt.Printf("Error loading .env file: %s\n", err)
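Review bot: AllowedSSHPrefixes is exported and still has no doc comment, and the two new entries change what the slice means: ssh.KeyAlgoRSASHA256 and ssh.KeyAlgoRSASHA512 are signature-algorithm names for an RSA key ("rsa-sha2-256"/"rsa-sha2-512"), not distinct key types, so a reader can no longer tell whether the list is matched against key types or signature algorithms. Suggest `// AllowedSSHPrefixes lists the SSH key and signature algorithm names accepted for the VM SSH key; the rsa-sha2-* entries are needed for RSA keys on FIPS-enabled nodes.` above the declaration, adjusted to how the slice is actually consumed (its use is outside this hunk). If the slice feeds an allowed-algorithms check, keeping ssh.KeyAlgoRSA next to the rsa-sha2 names still admits the SHA-1 "ssh-rsa" signature that the new entries presumably supersede, so it is worth confirming the legacy entry is still required.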
@@ -164,43 +163,20 @@ func mustLoadConfig() *Configuration { return cfg } -func mustGetNewED25519KeyPair() ([]byte, string) { - public, privateKeyFileName, err := getNewED25519KeyPair() - if err != nil { - panic(fmt.Sprintf("failed to generate ED25519 key pair: %v", err)) - } - - return public, privateKeyFileName -} - -// Returns a newly generated ED25519 public/private key pair with the private key in PEM format. -func getNewED25519KeyPair() (publicKeyBytes []byte, privateKeyFileName string, e error) { - publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader) - if err != nil { - return nil, "", fmt.Errorf("failed to create rsa private key: %w", err) - } - - sshPubKey, err := ssh.NewPublicKey(publicKey) - if err != nil { - return nil, "", fmt.Errorf("failed to create ssh public key: %w", err) - } - - publicKeyBytes = ssh.MarshalAuthorizedKey(sshPubKey) - - // ----- PRIVATE KEY (OpenSSH format) ----- - pemBlock, err := ssh.MarshalPrivateKey(privateKey, "azureuser") +// Returns a newly generated RSA public/private key pair with the private key in PEM format. +func mustGetNewRSAKeyPair() ([]byte, []byte, string) { + // Generate new key pair + privatePEMBytes, publicKeyBytes, err := getNewRSAKeyPair() if err != nil { - return nil, "", err + panic(fmt.Sprintf("failed to generate RSA key pair: %v", err)) } - VMSSHPrivateKey = pem.EncodeToMemory(pemBlock) - - privateKeyFileName, err = writePrivateKeyToTempFile(VMSSHPrivateKey) + privateKeyFileName, err := writePrivateKeyToTempFile(privatePEMBytes) if err != nil { - return nil, "", fmt.Errorf("failed to write private key to temp file: %w", err) + panic(fmt.Sprintf("failed to write private key to temp file: %w", err)) } - return + return privatePEMBytes, publicKeyBytes, privateKeyFileName } // Returns a newly generated RSA public/private key pair with the private key in PEM format. diff --git a/e2e/config/vhd.go b/e2e/config/vhd.go index 8e5244183fd..52064224183 100644 --- a/e2e/config/vhd.go +++ b/e2e/config/vhd.go 
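Review bot: `panic(fmt.Sprintf("failed to write private key to temp file: %w", err))` in mustGetNewRSAKeyPair uses the %w verb, which fmt.Sprintf does not support (go vet reports it and the output contains `%!w(...)` instead of the error text); change it to `panic(fmt.Sprintf("failed to write private key to temp file: %v", err))`, matching the %v used in the panic four lines above. The doc comment above mustGetNewRSAKeyPair is a copy of the one on getNewRSAKeyPair and does not describe the third result; suggest `// mustGetNewRSAKeyPair generates an RSA key pair, writes the PEM-encoded private key to a temp file and returns (private key PEM, public key bytes, temp file path); it panics on any failure.` Since the private key now only lives in memory and in that temp file, it is worth checking that writePrivateKeyToTempFile, which lies outside this hunk, creates it with owner-only permissions and that the file is removed when the run ends.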
@@ -64,6 +64,26 @@ var (
 Distro: datamodel.AKSUbuntuContainerd2204Gen2,
 Gallery: imageGalleryLinux,
 }
+ VHDUbuntu2204FIPSContainerd = &Image{
+ Name: "2204fipscontainerd",
+ OS: OSUbuntu,
+ Arch: "amd64",
+ Distro: datamodel.AKSUbuntuFipsContainerd2204,
+ Gallery: imageGalleryLinux,
+ UnsupportedLocalDns: true,
+ // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
+ UnsupportedSecureTLSBootstrapping: true,
+ }
+ VHDUbuntu2204Gen2FIPSContainerd = &Image{
+ Name: "2204gen2fipscontainerd",
+ OS: OSUbuntu,
+ Arch: "amd64",
+ Distro: datamodel.AKSUbuntuFipsContainerd2204Gen2,
+ Gallery: imageGalleryLinux,
+ UnsupportedLocalDns: true,
+ // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
+ UnsupportedSecureTLSBootstrapping: true,
+ }
 VHDAzureLinuxV2Gen2Arm64 = &Image{
 Name: "AzureLinuxV2gen2arm64",
 OS: OSAzureLinux,
diff --git a/e2e/scenario_test.go b/e2e/scenario_test.go
index 925b435329e..344abe20eea 100644
--- a/e2e/scenario_test.go
+++ b/e2e/scenario_test.go
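Review bot: `UnsupportedLocalDns: true` on both new Image entries carries no explanation, while the UnsupportedSecureTLSBootstrapping flag directly below it does, so a reader cannot tell whether local DNS is genuinely unsupported on FIPS VHDs or merely untested there. Suggest a comment in the same form above each UnsupportedLocalDns line, `// Local DNS isn't supported on FIPS-enabled VHDs: <reason>`, with the reason filled in by the author. The two entries differ only in Name and Distro, so the comment can be identical on both.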
@@ -388,6 +388,56 @@ func Test_Ubuntu2204(t *testing.T) {
 })
 }
 
+func Test_Ubuntu2204FIPS(t *testing.T) {
+ RunScenario(t, &Scenario{
+ Description: "Tests that a node using the Ubuntu 2204 FIPS Gen1 VHD can be properly bootstrapped",
+ Config: Config{
+ Cluster: ClusterKubenet,
+ VHD: config.VHDUbuntu2204FIPSContainerd,
+ BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
+ },
+ VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
+ vmss.Properties.AdditionalCapabilities = &armcompute.AdditionalCapabilities{
+ EnableFips1403Encryption: to.Ptr(true),
+ }
+ settings := vmss.Properties.VirtualMachineProfile.ExtensionProfile.Extensions[0].Properties.ProtectedSettings
+ vmss.Properties.VirtualMachineProfile.ExtensionProfile.Extensions[0].Properties.Settings = settings
+ vmss.Properties.VirtualMachineProfile.ExtensionProfile.Extensions[0].Properties.ProtectedSettings = nil
+ },
+ Validator: func(ctx context.Context, s *Scenario) {
+ ValidateInstalledPackageVersion(ctx, s, "moby-containerd", components.GetExpectedPackageVersions("containerd", "ubuntu", "r2204")[0])
+ ValidateInstalledPackageVersion(ctx, s, "moby-runc", components.GetExpectedPackageVersions("runc", "ubuntu", "r2204")[0])
+ ValidateSSHServiceEnabled(ctx, s)
+ },
+ },
+ })
+}
+
+func Test_Ubuntu2204Gen2FIPS(t *testing.T) {
+ RunScenario(t, &Scenario{
+ Description: "Tests that a node using the Ubuntu 2204 FIPS Gen2 VHD can be properly bootstrapped",
+ Config: Config{
+ Cluster: ClusterKubenet,
+ VHD: config.VHDUbuntu2204Gen2FIPSContainerd,
+ BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
+ },
+ VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
+ vmss.Properties.AdditionalCapabilities = &armcompute.AdditionalCapabilities{
+ EnableFips1403Encryption: to.Ptr(true),
+ }
+ settings := vmss.Properties.VirtualMachineProfile.ExtensionProfile.Extensions[0].Properties.ProtectedSettings
+ vmss.Properties.VirtualMachineProfile.ExtensionProfile.Extensions[0].Properties.Settings = settings
+ vmss.Properties.VirtualMachineProfile.ExtensionProfile.Extensions[0].Properties.ProtectedSettings = nil
+ },
+ Validator: func(ctx context.Context, s *Scenario) {
+ ValidateInstalledPackageVersion(ctx, s, "moby-containerd", components.GetExpectedPackageVersions("containerd", "ubuntu", "r2204")[0])
+ ValidateInstalledPackageVersion(ctx, s, "moby-runc", components.GetExpectedPackageVersions("runc", "ubuntu", "r2204")[0])
+ ValidateSSHServiceEnabled(ctx, s)
+ },
+ },
+ })
+}
+
 func Test_Ubuntu2204_EntraIDSSH(t *testing.T) {
 RunScenario(t, &Scenario{
 Description: "Tests that a node using Ubuntu 2204 VHD with Entra ID SSH can be properly bootstrapped and SSH private key authentication is disabled",
diff --git a/e2e/vmss.go b/e2e/vmss.go
index 47065fbae9f..baadd2b2ad3 100644
--- a/e2e/vmss.go
+++ b/e2e/vmss.go
@@ -895,7 +895,7 @@ func getBaseVMSSModel(s *Scenario, customData, cseCmd string) armcompute.Virtual
 Properties: &armcompute.VirtualMachineScaleSetExtensionProperties{
 Publisher: to.Ptr("Microsoft.Azure.Extensions"),
 Type: to.Ptr("CustomScript"),
- TypeHandlerVersion: to.Ptr("2.0"),
+ TypeHandlerVersion: to.Ptr("2.1"),
 AutoUpgradeMinorVersion: to.Ptr(true),
 Settings: map[string]interface{}{},
 ProtectedSettings: map[string]interface{}{
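Review bot: The VMConfigMutator in Test_Ubuntu2204FIPS copies the CustomScript extension's ProtectedSettings into Settings and then clears ProtectedSettings, with no comment saying why; ProtectedSettings is the field the platform encrypts, while Settings is stored and returned by the ARM API in plain text, so whatever the base model puts in that map (the ProtectedSettings literal in getBaseVMSSModel continues past the vmss.go hunk) becomes readable to anyone who can read the VMSS model. Test_Ubuntu2204Gen2FIPS repeats the same mutator verbatim, and the two tests differ only in VHD and Description. Suggest one named mutator, shared by both tests, that carries a comment stating the reason for the move (presumably an interaction between FIPS mode and CustomScript 2.1, which the vmss.go hunk bumps to) and recording that nothing secret is in the map; it also removes the three repeated Extensions[0].Properties selectors. The empty BootstrapConfigMutator in both tests could likely be dropped if the field is optional, but that depends on Scenario, which is outside the hunk.
```go
// fipsVMConfigMutator enables FIPS 140-3 on the VMSS and moves the CustomScript
// extension's ProtectedSettings into plain Settings.
// NOTE(review): protectedSettings are encrypted by the platform, settings are
// not; state here why FIPS needs this and confirm the map holds no secrets.
func fipsVMConfigMutator(vmss *armcompute.VirtualMachineScaleSet) {
	vmss.Properties.AdditionalCapabilities = &armcompute.AdditionalCapabilities{
		EnableFips1403Encryption: to.Ptr(true),
	}
	ext := vmss.Properties.VirtualMachineProfile.ExtensionProfile.Extensions[0].Properties
	ext.Settings = ext.ProtectedSettings
	ext.ProtectedSettings = nil
}

// … unchanged: Test_Ubuntu2204FIPS and Test_Ubuntu2204Gen2FIPS, each now using
// VMConfigMutator: fipsVMConfigMutator, in place of the inline func …
```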