Azure · cameronmeissner · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026
@@ -146,26 +146,10 @@
       "automerge": false,
       "enabled": true,
       "assignees": [
-        "devinwong",
-        "cameronmeissner",
-        "lilypan26",
-        "djsly",
-        "zachary-bailey",
-        "ganeshkumarashok",
-        "mxj220",
-        "pdamianov-dev",
-        "SriHarsha001"
+        "team:aks-node-lifecycle"
       ],
       "reviewers": [
-        "devinwong",
-        "cameronmeissner",
-        "lilypan26",
-        "djsly",
-        "zachary-bailey",
-        "ganeshkumarashok",
-        "mxj220",
-        "pdamianov-dev",
-        "SriHarsha001"
+        "team:aks-node-lifecycle"
       ]
     },
     {
@@ -456,6 +440,20 @@
         "surajssd"
       ]
     },
+    {
+      "matchPackageNames": [
+        "aks-secure-tls-bootstrap-client"
+      ],
+      "groupName": "aks-secure-tls-bootstrap-client",
+      "assignees": [
+        "cameronmeissner",
+        "djsly"
+      ],
+      "reviewers": [
+        "cameronmeissner",
+        "djsly"
+      ]
+    },
     {
       "matchPackageNames": [
         "datacenter-gpu-manager-4-core",

diff --git a/parts/common/components.json b/parts/common/components.json
@@ -926,18 +926,54 @@
     },
     {
       "name": "aks-secure-tls-bootstrap-client",
-      "downloadLocation": "/opt/bin",
+      "downloadLocation": "/opt/aks-secure-tls-bootstrap-client/downloads",
       "windowsDownloadLocation": "c:\\akse-cache\\aks-secure-tls-bootstrap-client\\",
       "downloadURIs": {
-        "default": {
+        "ubuntu": {
+          "r2404": {
+            "versionsV2": [
+              {
+                "renovateTag": "name=aks-secure-tls-bootstrap-client, repository=production, os=ubuntu, release=24.04",
+                "latestVersion": "1.1.3-ubuntu24.04u1"
+              }
+            ]
+          },
+          "r2204": {
+            "versionsV2": [
+              {
+                "renovateTag": "name=aks-secure-tls-bootstrap-client, repository=production, os=ubuntu, release=22.04",
+                "latestVersion": "1.1.3-ubuntu22.04u1"
+              }
+            ]
+          },
+          "r2004": {
+            "versionsV2": [
+              {
+                "renovateTag": "name=aks-secure-tls-bootstrap-client, repository=production, os=ubuntu, release=20.04",
+                "latestVersion": "1.1.3-ubuntu20.04u1"
+              }
+            ]
+          }
+        },
+        "azurelinux": {
+          "v3.0": {
+            "versionsV2": [
+              {
+                "renovateTag": "RPM_registry=https://packages.microsoft.com/azurelinux/3.0/prod/ms-oss/x86_64/repodata, name=aks-secure-tls-bootstrap-client, os=azurelinux, release=3.0",
+                "latestVersion": "1.1.3-1.azl3"
+              }
+            ]
+          }
+        },
+        "flatcar": {
           "current": {
             "versionsV2": [
               {
-                "renovateTag": "<DO_NOT_UPDATE>",
-                "latestVersion": "1.1.3"
+                "renovateTag": "OCI_registry=https://mcr.microsoft.com, name=aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext",
+                "latestVersion": "1.1.3-1-azlinux3"
               }
             ],
-            "downloadURL": "https://github.com/Azure/aks-secure-tls-bootstrap/releases/download/client/v${version}/linux-${CPU_ARCH}.tar.gz"
+            "downloadURL": "mcr.microsoft.com/aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext:v${version}-${SYSTEMD_ARCH}"
           }
         },
         "windows": {

@@ -121,6 +121,19 @@ installCredentialProviderPackageFromBootstrapProfileRegistry() {
     installCredentialProviderFromPkg "$2" "$1"
 }
 
+# Called during VHD build to merge the already-downloaded sysext and symlink the binary.
+# The secure TLS bootstrap client is installed at VHD build time, and optionally overridden at provisioning time
+# using a plain tarball download and in-place replacement of the binary within /opt/bin.
+installSecureTLSBootstrapClientSysext() {
+    local version=$1
+    local registry=${2:-mcr.microsoft.com}
+    if ! mergeSysexts aks-secure-tls-bootstrap-client "${registry}"/aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext "${version}"; then
+        echo "Failed to install aks-secure-tls-bootstrap-client sysext"
+        return "${ERR_ORAS_PULL_SYSEXT_FAIL}"
+    fi
+    ln -snf /usr/bin/aks-secure-tls-bootstrap-client /opt/bin/aks-secure-tls-bootstrap-client
+}
+
 # Reads VERSION_ID from /etc/os-release for use as the sysext version tag.
 # GPU sysexts are tagged by the OS image version, not the driver version.
 getACLVersionID() {

@@ -20,8 +20,8 @@ installRPMPackageFromFile() {
     local fullPackageVersion=""
 
     echo "installing ${packageName} version ${desiredVersion} by manually unpacking the RPM"
-    if [ "${packageName}" != "kubelet" ] && [ "${packageName}" != "kubectl" ] && [ "${packageName}" != "azure-acr-credential-provider" ]; then
-        echo "Error: Unsupported package ${packageName}. Only kubelet, kubectl, and azure-acr-credential-provider installs are allowed on OSGuard."
+    if [ "${packageName}" != "kubelet" ] && [ "${packageName}" != "kubectl" ] && [ "${packageName}" != "azure-acr-credential-provider" ] && [ "${packageName}" != "aks-secure-tls-bootstrap-client" ]; then
+        echo "Error: Unsupported package ${packageName}. Only kubelet, kubectl, azure-acr-credential-provider, and aks-secure-tls-bootstrap-client installs are allowed on OSGuard."
         exit 1
     fi
     echo "installing ${packageName} version ${desiredVersion}"

@@ -255,11 +255,14 @@ installOras() {
 # if secure TLS bootstrapping is disabled, this will simply remove the client binary from disk.
 # otherwise, if a custom URL is provided, it will use the custom URL to overwrite the existing installation
 installSecureTLSBootstrapClient() {
-    # TODO(cameissner): can probably remove this once we get to preview
     if [ "${ENABLE_SECURE_TLS_BOOTSTRAPPING}" != "true" ]; then
         echo "secure TLS bootstrapping is disabled, will remove secure TLS bootstrap client binary installation"
         rm -f "${SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}/aks-secure-tls-bootstrap-client" &
         rm -rf "${SECURE_TLS_BOOTSTRAP_CLIENT_DOWNLOAD_DIR}" &
+        if isFlatcar || isACL; then
+            rm -f /etc/extensions/aks-secure-tls-bootstrap-client.raw
+            systemd-sysext --no-reload refresh || true
+        fi
         return 0
     fi
 
@@ -272,13 +275,11 @@ installSecureTLSBootstrapClient() {
         return 0
     fi
 
-    downloadSecureTLSBootstrapClient "${SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}" "${CUSTOM_SECURE_TLS_BOOTSTRAPPING_CLIENT_DOWNLOAD_URL}" || exit $ERR_SECURE_TLS_BOOTSTRAP_CLIENT_DOWNLOAD_ERROR
+    downloadSecureTLSBootstrapClientFromURL "${SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}" "${CUSTOM_SECURE_TLS_BOOTSTRAPPING_CLIENT_DOWNLOAD_URL}" || exit $ERR_SECURE_TLS_BOOTSTRAP_CLIENT_DOWNLOAD_ERROR
 }
 
-downloadSecureTLSBootstrapClient() {
-    # TODO(cameissner): have this managed by renovate, migrate from github to MCR/packages.microsoft.com
-
-    local CLIENT_EXTRACTED_DIR=${1-$:SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}
+downloadSecureTLSBootstrapClientFromURL() {
+    local CLIENT_EXTRACTED_DIR=${1:-$SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR}
     local CLIENT_DOWNLOAD_URL=$2
 
     mkdir -p $SECURE_TLS_BOOTSTRAP_CLIENT_DOWNLOAD_DIR

@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# Mock functions that the ACL script depends on
+oras() {
+    echo "mock oras $*" >&2
+}
+
+ln() {
+    echo "mock ln $*" >&2
+}
+
+systemd-sysext() {
+    echo "mock systemd-sysext $*" >&2
+}
+
+timeout() {
+    shift # remove timeout duration
+    "$@" # execute the command
+}
+
+mkdir() {
+    echo "mock mkdir $*" >&2
+}
+
+getSystemdArch() {
+    echo "x86-64"
+}
+
+getCPUArch() {
+    echo "amd64"
+}
+
+sleep() {
+    echo "sleeping $1 seconds" >&2
+}
+
+find() {
+    echo "mock find $*" >&2
+}
+
+CSE_STARTTIME_SECONDS=$(date +%s)
+
+Describe 'cse_install_acl.sh'
+    Include "./parts/linux/cloud-init/artifacts/acl/cse_install_acl.sh"
+    Include "./parts/linux/cloud-init/artifacts/cse_helpers.sh"
+
+    Describe 'installSecureTLSBootstrapClientSysext'
+        It 'calls mergeSysexts with correct URL and creates symlink on success'
+            mergeSysexts() {
+                echo "mock mergeSysexts $*" >&2
+            }
+            ln() {
+                echo "mock ln $*" >&2
+            }
+            When call installSecureTLSBootstrapClientSysext "1.1.3"
+            The error should include "mock mergeSysexts aks-secure-tls-bootstrap-client mcr.microsoft.com/aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext 1.1.3"
+            The error should include "mock ln -snf /usr/bin/aks-secure-tls-bootstrap-client /opt/bin/aks-secure-tls-bootstrap-client"
+            The status should be success
+        End
+
+        It 'uses custom registry when provided'
+            mergeSysexts() {
+                echo "mock mergeSysexts $*" >&2
+            }
+            ln() {
+                echo "mock ln $*" >&2
+            }
+            When call installSecureTLSBootstrapClientSysext "1.1.3" "custom.registry.io"
+            The error should include "mock mergeSysexts aks-secure-tls-bootstrap-client custom.registry.io/aks-secure-tls-bootstrap/v2/aks-secure-tls-bootstrap-client-sysext 1.1.3"
+            The status should be success
+        End
+
+        It 'returns ERR_ORAS_PULL_SYSEXT_FAIL when mergeSysexts fails'
+            mergeSysexts() {
+                return 1
+            }
+            ERR_ORAS_PULL_SYSEXT_FAIL=231
+            When call installSecureTLSBootstrapClientSysext "1.1.3"
+            The output should include "Failed to install aks-secure-tls-bootstrap-client sysext"
+            The status should be failure
+        End
+    End
+End
@@ -249,6 +249,39 @@ Describe 'cse_install.sh'
             The output should include "aks-secure-tls-bootstrap-client installed successfully"
             The status should be success
         End
+
+        It 'should remove sysext and refresh on ACL when secure TLS bootstrapping is disabled'
+            ENABLE_SECURE_TLS_BOOTSTRAPPING="false"
+            OS="AZURECONTAINERLINUX"
+            OS_VARIANT=""
+            ACL_OS_NAME="AZURECONTAINERLINUX"
+            ACL_OS_VARIANT="AZURECONTAINERLINUX"
+            FLATCAR_OS_NAME="FLATCAR"
+            rm() {
+                echo "mock rm $*" >&2
+            }
+            systemd-sysext() {
+                echo "mock systemd-sysext $*" >&2
+            }
+            When call installSecureTLSBootstrapClient
+            The output should include "secure TLS bootstrapping is disabled"
+            The error should include "mock rm -f /etc/extensions/aks-secure-tls-bootstrap-client.raw"
+            The error should include "mock systemd-sysext --no-reload refresh"
+            The status should be success
+        End
+
+        It 'should be a no-op on ACL when secure TLS bootstrapping is enabled and no custom URL'
+            ENABLE_SECURE_TLS_BOOTSTRAPPING="true"
+            CUSTOM_SECURE_TLS_BOOTSTRAPPING_CLIENT_DOWNLOAD_URL=""
+            OS="AZURECONTAINERLINUX"
+            OS_VARIANT=""
+            ACL_OS_NAME="AZURECONTAINERLINUX"
+            ACL_OS_VARIANT="AZURECONTAINERLINUX"
+            FLATCAR_OS_NAME="FLATCAR"
+            When call installSecureTLSBootstrapClient
+            The output should include "secure TLS bootstrapping is enabled but no custom client download URL was provided, nothing to download"
+            The status should be success
+        End
     End
 
     Describe 'installKubeletKubectlFromBootstrapProfileRegistry'

@@ -474,9 +474,18 @@ while IFS= read -r p; do
     "aks-secure-tls-bootstrap-client")
       for version in ${PACKAGE_VERSIONS[@]}; do
         # removed at provisioning time if secure TLS bootstrapping is disabled
-        evaluatedURL=$(evalPackageDownloadURL ${PACKAGE_DOWNLOAD_URL})
-        downloadSecureTLSBootstrapClient "${downloadDir}" "${evaluatedURL}" "${version}"
-        echo "  - aks-secure-tls-bootstrap-client version ${version}" >> ${VHD_LOGS_FILEPATH}
+        if isUbuntu; then
+          downloadPkgFromVersion "${name}" "${version}" "${downloadDir}"
+          installPackageFromCache "${name}" "${version}" "/opt/bin/${name}" || exit $?
+        elif isMarinerOrAzureLinux; then
+          downloadPkgFromVersion "${name}" "${version}" "${downloadDir}"
+          installRPMPackageFromFile "${name}" "${version}" "/opt/bin/${name}" || exit $?
+        elif isFlatcar || isACL "$OS" "$OS_VARIANT"; then
+          evaluatedURL=$(evalPackageDownloadURL ${PACKAGE_DOWNLOAD_URL})
+          downloadSysextFromVersion "${name}" "${evaluatedURL}" "${downloadDir}" || exit $?
+          installSecureTLSBootstrapClientSysext "${version}" || exit $?
+        fi
+        echo "  - ${name} version ${version}" >> ${VHD_LOGS_FILEPATH}
       done
       ;;
     "azure-acr-credential-provider")