Merge pull request #7 from abhay-krishna/hybrid-nodes-setup-scripts

Add Hybrid nodes setup scripts to bootstrap container

Author: jpculp

Dockerfile

@@ -1,17 +1,47 @@
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023 AS builder
+
+ARG SSM_AGENT_VERSION
+ENV SSM_AGENT_VERSION=$SSM_AGENT_VERSION
+
+# Validation
+RUN : "${SSM_AGENT_VERSION:?SSM Agent version required to build}"
+
+# SSM Agent is downloaded from eu-north-1 as this region gets new releases of SSM Agent first.
+COPY ./hashes/ssm ./hashes
+COPY ./gpg-keys/amazon-ssm-agent.gpg ./amazon-ssm-agent.gpg
+RUN \
+    ARCH=$(uname -m | sed 's/aarch64/arm64/' | sed 's/x86_64/amd64/') && \
+    curl -L "https://s3.eu-north-1.amazonaws.com/amazon-ssm-eu-north-1/${SSM_AGENT_VERSION}/linux_${ARCH}/amazon-ssm-agent.rpm" \
+        -o "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
+    grep "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" hashes \
+        | sha512sum --check - && \
+    rpm --import amazon-ssm-agent.gpg && \
+    rpm --checksig "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
+    dnf install -y "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm"
+
 FROM public.ecr.aws/amazonlinux/amazonlinux:2023
 
+# IMAGE_VERSION is the assigned version of inputs for this image.
+ARG IMAGE_VERSION
+ENV IMAGE_VERSION=$IMAGE_VERSION
+
+# Validation
+RUN : "${IMAGE_VERSION:?IMAGE_VERSION is required to build}"
+
+LABEL "org.opencontainers.image.version"="$IMAGE_VERSION"
+
 # Install necessary packages
-RUN yum update -y 
-    
-RUN yum install -y \
-    aws-cli \
-    jq \
-    util-linux \
-    e2fsprogs \
-    xfsprogs \
-    lvm2 \
-    mdadm && \
-    yum clean all
+RUN dnf update -y && \
+    dnf install -y \
+        aws-cli \
+        jq \
+        util-linux \
+        e2fsprogs \
+        xfsprogs \
+        lvm2 \
+        mdadm \
+        rsync && \
+    dnf clean all
 
 # Verify that all packages are installed
 RUN \
@@ -21,10 +51,16 @@ RUN \
     command -v mkfs.ext4 && \
     command -v mkfs.xfs && \
     command -v lvm && \
-    command -v mdadm
+    command -v mdadm && \
+    command -v rsync
 
-# Copy the wrapper script into the container
+# Copy the wrapper script and EKS Hybrid setup scripts into the container
 COPY bootstrap-script.sh /usr/local/bin/bootstrap-script.sh
+COPY eks-hybrid-ssm-setup.sh /usr/local/bin/eks-hybrid-ssm-setup
+COPY eks-hybrid-iam-ra-setup.sh /usr/local/bin/eks-hybrid-iam-ra-setup
+
+# Copy the SSM agent from the builder stage
+COPY --from=builder /usr/bin/amazon-ssm-agent /usr/local/bin/amazon-ssm-agent
 
 # Set the wrapper script as the entry point
 ENTRYPOINT ["/usr/local/bin/bootstrap-script.sh"]

Makefile

@@ -16,10 +16,18 @@ DISTFILE ?= $(subst /,,$(DESTDIR))/$(subst /,_,$(IMAGE_NAME)).tar.gz
 UNAME_ARCH = $(shell uname -m)
 ARCH ?= $(lastword $(subst :, ,$(filter $(UNAME_ARCH):%,x86_64:amd64 aarch64:arm64)))
 
-.PHONY: all build dist clean
+# SSM_AGENT_VERSION is the SSM Agent's distributed RPM Version to install.
+SSM_AGENT_VERSION ?= 3.3.1957.0
+
+TEST_ACTIVATION_ID=abcdef12-3456-7890-abcd-ef1234567890
+TEST_ACTIVATION_CODE=abcdef1234567890abcdef
+TEST_NODE_CERT=test-certificate
+TEST_NODE_KEY=test-key
+
+.PHONY: all build dist check check-ssm-agent check-ssm-setup check-iam-ra-setup clean download-ssm-agent update-ssm-agent
 
 # Run all build tasks for this container image.
-all: build
+all: build check
 
 # Create a distribution container image tarball for release.
 dist: all
@@ -31,7 +39,65 @@ build:
 	DOCKER_BUILDKIT=1 docker build $(DOCKER_BUILD_FLAGS) \
 		--tag $(IMAGE_NAME) \
 		--build-arg IMAGE_VERSION="$(IMAGE_VERSION)" \
+		--build-arg SSM_AGENT_VERSION="$(SSM_AGENT_VERSION)" \
 		-f Dockerfile . >&2
 
+# Run checks against the bootstrap container image
+check: check-ssm-agent check-ssm-setup check-iam-ra-setup
+
+# Check that the SSM Agent is the expected version.
+check-ssm-agent:
+	@echo "Running SSM version check"
+	@docker run --rm --entrypoint /usr/bin/bash \
+		$(IMAGE_NAME) \
+		-c 'amazon-ssm-agent -version | grep -Fw "$(SSM_AGENT_VERSION)"' >&2
+
+# Check that the SSM setup script doesn't print sensitive input
+check-ssm-setup:
+	@echo "Running SSM setup check"
+	@OUTPUT=$$(docker run --rm --entrypoint /usr/bin/bash \
+		$(IMAGE_NAME) \
+		-c "eks-hybrid-ssm-setup --region=us-west-2 --activation-id=${TEST_ACTIVATION_ID} --activation-code=${TEST_ACTIVATION_CODE} --enable-credentials-file=true 2>&1 || true"); \
+	if echo "$$OUTPUT" | grep -q "${TEST_ACTIVATION_ID}"; then \
+		echo "Test failed: hybrid activation ID found in output"; \
+		exit 1; \
+	elif echo "$$OUTPUT" | grep -q "${TEST_ACTIVATION_CODE}"; then \
+		echo "Test failed: hybrid activation code found in output"; \
+		exit 1; \
+	else \
+		echo "Test passed: No sensitive content in output"; \
+	fi
+
+# Check that the IAM-RA setup script doesn't print sensitive input
+check-iam-ra-setup:
+	@echo "Running IAM-RA setup check"
+	@OUTPUT=$$(docker run --rm --entrypoint /usr/bin/bash \
+		$(IMAGE_NAME) \
+		-c "cp /usr/bin/true /usr/bin/apiclient; eks-hybrid-iam-ra-setup --certificate=${TEST_NODE_CERT} --key=${TEST_NODE_KEY} --dry-run=true 2>&1 || true"); \
+	if echo "$$OUTPUT" | grep -q "${TEST_NODE_CERT}"; then \
+		echo "Test failed: certificate content found in output"; \
+		exit 1; \
+	elif echo "$$OUTPUT" | grep -q "${TEST_NODE_KEY}"; then \
+		echo "Test failed: private key content found in output"; \
+		exit 1; \
+	else \
+		echo "Test passed: No sensitive content in output"; \
+	fi
+
+# Download SSM Agent version SSM_AGENT_VERSION for all architectures.
+download-ssm-agent: amazon-ssm-agent-${SSM_AGENT_VERSION}.amd64.rpm amazon-ssm-agent-${SSM_AGENT_VERSION}.arm64.rpm
+
+amazon-ssm-agent-${SSM_AGENT_VERSION}.amd64.rpm:
+	curl -L "https://s3.eu-north-1.amazonaws.com/amazon-ssm-eu-north-1/${SSM_AGENT_VERSION}/linux_amd64/amazon-ssm-agent.rpm" \
+		-o "amazon-ssm-agent-${SSM_AGENT_VERSION}.amd64.rpm"
+
+amazon-ssm-agent-${SSM_AGENT_VERSION}.arm64.rpm:
+	curl -L "https://s3.eu-north-1.amazonaws.com/amazon-ssm-eu-north-1/${SSM_AGENT_VERSION}/linux_arm64/amazon-ssm-agent.rpm" \
+		-o "amazon-ssm-agent-${SSM_AGENT_VERSION}.arm64.rpm"
+
+# Update the expected hashes of SSM Agent to those for SSM_AGENT_VERSION.
+update-ssm-agent: download-ssm-agent
+	sha512sum amazon-ssm-agent-${SSM_AGENT_VERSION}.*.rpm >hashes/ssm
+
 clean:
 	rm -f $(DISTFILE)

eks-hybrid-iam-ra-setup.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+exec >&2
+set -eu -o pipefail
+
+declare -r SECRETS_DIR="/.bottlerocket/rootfs/root/.aws"
+
+DRY_RUN="false"
+for opt in "$@"; do
+    optarg="$(expr "${opt}" : '[^ =]*[= ]\(.*\)')"
+    case "${opt}" in
+        --certificate=*) NODE_CERT_DATA="${optarg}" ;;
+        --key=*) NODE_KEY_DATA="${optarg}" ;;
+        --dry-run=*) DRY_RUN="${optarg}" ;;
+    esac
+done
+
+if [ "${DRY_RUN}" = "true" ]; then
+    mkdir -p "${SECRETS_DIR}"
+fi
+
+if [ -z "${NODE_CERT_DATA}" ]; then
+    echo "Unable to retrieve certificate data for IAM-RA"
+    echo "Please provide certificate contents as --certificate=<Certificate>"
+    exit 1
+fi
+
+if [ -z "${NODE_KEY_DATA}" ]; then
+    echo "Unable to retrieve private key data for IAM-RA"
+    echo "Please provide private key contents as --key=<Key>"
+    exit 1
+fi
+
+if ! [ -d "${SECRETS_DIR}" ]; then
+    echo "Error: Directory ${SECRETS_DIR} is missing"
+    exit 1
+fi
+
+if ! [ "${DRY_RUN}" = "true" ]; then
+    context=$(stat -c "%C" "${SECRETS_DIR}" 2>/dev/null || echo "")
+    if [[ ! "$context" == *":secret_t:"* ]]; then
+        echo "Error: Directory ${SECRETS_DIR} is not labeled with secret_t"
+    fi
+fi
+
+cat << EOF > "${SECRETS_DIR}/node.crt"
+${NODE_CERT_DATA}
+EOF
+
+cat << EOF > "${SECRETS_DIR}/node.key"
+${NODE_KEY_DATA}
+EOF
+
+variant_id="$(apiclient get os.variant_id | jq -r '.os.variant_id')"
+version_id="$(apiclient get os.version_id | jq -r '.os.version_id')"
+apiclient set \
+    "settings.kubernetes.node-labels.\"os.bottlerocket.aws/variant\""="${variant_id}" \
+    "settings.kubernetes.node-labels.\"os.bottlerocket.aws/version\""="${version_id}"

eks-hybrid-ssm-setup.sh

@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+
+exec >&2
+set -eu -o pipefail
+
+HOST_ROOTFS="/.bottlerocket/rootfs"
+SSM_AGENT_PERSISTENT_STATE_DIR="${HOST_ROOTFS}/local/host-containers/control/ssm"
+SSM_AGENT_REGISTRATION="${SSM_AGENT_PERSISTENT_STATE_DIR}/registration"
+mkdir -p "${SSM_AGENT_PERSISTENT_STATE_DIR}"
+ENABLE_CREDENTIALS_FILE="false"
+SSM_ACTIVATION_ID_REGEX="^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
+
+for opt in "$@"; do
+    optarg="$(expr "${opt}" : '[^ =]*[= ]\(.*\)')"
+    case "${opt}" in
+        --region=*) AWS_REGION="${optarg}" ;;
+        --activation-code=*) SSM_ACTIVATION_CODE="${optarg}" ;;
+        --activation-id=*) SSM_ACTIVATION_ID="${optarg}" ;;
+        --enable-credentials-file=*) ENABLE_CREDENTIALS_FILE="${optarg}" ;;
+    esac
+done
+
+validate_activation_id() {
+    if ! [[ "${SSM_ACTIVATION_ID}" =~ ${SSM_ACTIVATION_ID_REGEX} ]]; then
+        echo "Error: Invalid activation ID format" >&2
+        exit 1
+    fi
+}
+
+register_hybrid_node() {
+    amazon-ssm-agent \
+        -register \
+        -region "${AWS_REGION}" \
+        -code "${SSM_ACTIVATION_CODE}" \
+        -id "${SSM_ACTIVATION_ID}" \
+        -disableSimilarityCheck
+}
+
+persist_ssm_state() {
+    rsync -aq \
+        /var/lib/amazon/ssm/ \
+        "${SSM_AGENT_PERSISTENT_STATE_DIR}"
+}
+
+set_hostname_settings() {
+    local ssm_node_id
+    local cluster_name
+    local variant_id
+    local version_id
+    ssm_node_id="$(jq -r '.ManagedInstanceID' "${SSM_AGENT_PERSISTENT_STATE_DIR}/registration")"
+    cluster_name="$(apiclient get settings.kubernetes.cluster-name | jq -r ".settings.kubernetes.\"cluster-name\"")"
+    variant_id="$(apiclient get os.variant_id | jq -r '.os.variant_id')"
+    version_id="$(apiclient get os.version_id | jq -r '.os.version_id')"
+
+    apiclient set \
+        network.hostname="${ssm_node_id}" \
+        kubernetes.hostname-override="${ssm_node_id}" \
+        kubernetes.provider-id="eks-hybrid:///${AWS_REGION}/${cluster_name}/${ssm_node_id}" \
+        "settings.kubernetes.node-labels.\"os.bottlerocket.aws/variant\""="${variant_id}" \
+        "settings.kubernetes.node-labels.\"os.bottlerocket.aws/version\""="${version_id}"
+}
+
+symlink_aws_creds() {
+    local control_aws_dir
+    local control_aws_dir_relative_to_host
+    local control_creds
+    local host_creds
+    local hybrid_nodes_pod_identity_aws_dir
+    control_aws_dir="${HOST_ROOTFS}/run/host-containerd/io.containerd.runtime.v2.task/default/control/rootfs/root/.aws"
+    control_aws_dir_relative_to_host="/run/host-containerd/io.containerd.runtime.v2.task/default/control/rootfs/root/.aws"
+    control_creds="${control_aws_dir}/credentials"
+    host_creds="${HOST_ROOTFS}/root/.aws/credentials"
+    ln -srnf "${control_creds}" "${host_creds}"
+    if [ "${ENABLE_CREDENTIALS_FILE}" = "true" ]; then
+        hybrid_nodes_pod_identity_aws_dir="${HOST_ROOTFS}/var/eks-hybrid/.aws"
+        mkdir -p "$(dirname "${hybrid_nodes_pod_identity_aws_dir}")"
+        ln -sf "${control_aws_dir_relative_to_host}" "${hybrid_nodes_pod_identity_aws_dir}"
+    fi
+}
+
+if [ ! -s "${SSM_AGENT_REGISTRATION}" ]; then
+    validate_activation_id
+    register_hybrid_node
+    persist_ssm_state
+    set_hostname_settings
+fi
+
+symlink_aws_creds

gpg-keys/amazon-ssm-agent.gpg

@@ -0,0 +1,41 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBGeRNq4BEACrlf5h6Pz+k+M+QCJJ2LfK7d2Tn9J8iJ9qBK2Vwvuxco1rpSO+
+KEI3nTeysPuheximps8WOCADX4VlbsKxMZQLjQM4mA26m1Tiw9nAI4kod4bKjiuM
+BMUTCD1wfnjH3zQi4kDUdbpfAEMiPgNLVLH85Wf+lhK+Zm+V38DYzLyVj03kX4wK
+iG6RMoxzOBZa5gNsVq+j+oCUITGz/URxH713Rgo8WeoEegI0+7iCBLKg+PM0b7GV
+2nzkwWJz796HdkqSg8BwXsYaLTrHxa2P1IpwPCisAkyO7gZaMd6Uj69dtMFO+V8a
+Qee6b57qGuFKZw7h1Vvc85PbF1Gy/wNIpary57kUHBFUg1vYep/roJuEbJCq97r5
+I2liLl4NAyrWb9r/TAVxlXvqM4iZUhxm8GAp0FywMdBr9ZECClKa5HxuVmlm0Wgl
+TXoYTOZKeDg6ZoCvyhNxWneCNip74fohXymeFF5L/budhBwy5wuwSniOgTGLo/4C
+VgZHWCcN+d0Q3bx/sl2QNqPg5/xzsxEtymXLdVdwLIsLdEQUnIvy8KTs5jol3Dwi
+nnEEyhly6wdaw+qDOhkSOT/VnErrSMkYF8VJfa5GjhCBWKw9JVSkaP2CI/VHOgHM
+MKROnulq0hRQBR7RmLYt98xu38BHJWMmF8Ga/HJuIxzD1VmkZOPvDDESUwARAQAB
+tCdTU00gQWdlbnQgPHNzbS1hZ2VudC1zaWduZXJAYW1hem9uLmNvbT6JAj8EEwEC
+ACkFAmeRNq4CGy8FCQLGmIAHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRBR
+qOBQ0AUuXTdND/9qldQ1E3dYjBVXOnbhiUQL594bkS5VoEX7D4fZ5UMVZa5pGiz+
+husnoRUS9rH1cSeq7aHJu9hSCMuMdvRpuoo0CwLB+7HtzJvAO2M01hcEkUYa6Qdj
+njTzP0ZjnoenJmqF9SYmVqAI/VPa9mNQ1OJ+HQ3qh5i6w+FoWlVqEdXjZGrWijub
+TqyN33i1Y26t7Os/x8I9fUeNx37y/7Kama8LTdtv9GhWiMVBg2IuVf27HCMYofrQ
+m2uCGe61IhtsnhsYaYupmljl+6qgdiuCiS9BAsoIGtqTnu8lnKcGyGz6YnRszN+U
+1bNE4w+UFpXWJF8ogpYcghJ06aW/LhjZnQSx3VliLdW8eOJzou41yWmiuL3ZY8eW
+KAlD+7eYKS6N6fEJCeNO2VX2lcKtDfaOX+lqGIVyexKayMfpi+0frNzt/92YCpF5
+3jkeS77vMMVqKIUiIp1OCGv3XsFpIr6Bt2c2throYPDoQL3zvq6vvG40BKeRQ4tT
+Y+5vTc8MeNn3LdzTl9pusxTcKifrJq7f5FIsL2CpAX8uQ+Qz+XWsYQQ5PvyUDtOz
+nU/MRZaP6HnqY42bzI9ZlKgXi9IE3MXIwoET9YyzFjkIDvat7SlB4uJCpeIqp/KM
+OIrTMb7paGLYmBU6YqxNBkDWItNG7NeZzyhh/R/Qqb4vJaf4S+ZqD1RZXokCHAQQ
+AQIABgUCZ5E2rwAKCRB90Jej2tf1/CdnD/46It+RNoE00TesZK5n2bijH5Eljw0E
+4/UpMi1SV6t2zY7lIm7TcKNn18tynJNFqB6YXXOwSbBG/fbN2E9RaoUCZw23TmAv
+amuHwrfsDqsHb7zzPF0bISYjqEDLQJj/gtEugUc6XY1dEpFSlWJIOvgryG04cFXI
+uD2KY87ya4s1R+sEVAJ14K4RlUCiMmzJdR0NJNYJOwBi1gkLEp6jG86ttiG2U7fY
+pE2ibV+c0GeIFq8PIzqqENsn9KBuRH5EcbdBwfnsj2XfM4aR3ZtRIdWXkKkdP9Rs
+yU5dTF/Y7XPId5h8/gp00+DMlXFBinQ1jE7A7eDYviEFd1ba8P7dIom3Q3gzKiWu
+KTGpnykShs5NvpQmvGUF6JqDHI4RK9s3kLqsNyZkhenJfRBrJ/45fQAuP4CRedkF
+7PSfX0Xp7kDnKuyK6wEUEfXXrqmuLGDmigTXblO5qgdyMwkOLjiY9znBZbHoKs76
+VplOoNgGnN19i3nuMcPf2npFICJv7kTIyn5Fh7pjWDCahl3U/PwoLjrrlEzpyStU
+oXSZrK3kiAADEdSODXJl8KYU0Pb27JbRr1ZbWnxb+O39TOhtssstulkR0v+IDGDQ
+rQE1b12sKgcNFSzInzWrNGu4S06WN8DYzlrTZ9aSHj+37ZqpXAevi8WOFXKPV3PA
+E6+O8RI2451Dcg==
+=aDkv
+-----END PGP PUBLIC KEY BLOCK-----

hashes/ssm

@@ -0,0 +1,2 @@
+514cf1e5e0c38a0d2f43ac9f5e9ef18aa77044fdc4807a49f6451aeef906efbedd88ccfa4c82aafcec88a86f4de92c8ff85c5cba67d88b6ed8844703af732715  amazon-ssm-agent-3.3.1957.0.amd64.rpm
+37af64673c097e7f83ee85ba49ef1f23bf319cb9480ea91657651829e1e07fdcf4f207059332b05ae598ecb35ba01c1fe5e5cd7a7d52f7aa58570382b1260bec  amazon-ssm-agent-3.3.1957.0.arm64.rpm