fix(windows): register k8s-restart-job in NodePrep to avoid PIS bootstrap race

[r2k1]

What this PR does / why we need it:

Move Register-NodeResetScriptTask from BasePrep to NodePrep (after the temporary kubeconfig removal) on Windows. This fixes a silent kubelet TLS bootstrap failure that hits Windows agentpools attached to a Prepared Image Specification (PIS) / pre-baked VHD path.

Root cause

Windows CSE runs in two phases for PIS / baked VHDs:

1. BasePrep (bake time, PreProvisionOnly=true):

   • Write-KubeConfig writes a temporary c:\k\config with client-certificate-data: <clusterClientCertificate> embedded — the cluster-shared "nodeclient" cert produced by the AKS RP's certificates_goal_resolver.go (Subject: CN=nodeclient, O=system:nodes).
   • Register-NodeResetScriptTask registers k8s-restart-job with an -AtStartup trigger.
   • VHD is captured / staged for the agentpool.

2. NodePrep (provision time):

   • Eventually removes c:\k\config (line ~579) if TLS bootstrap is enabled.
   • Calls Start-ScheduledTask k8s-restart-job.

Because k8s-restart-job is -AtStartup, on the FIRST boot from the baked VHD the task fires before NodePrep removes the temporary kubeconfig. windowsnodereset.ps1 calls Start-Service kubelet. Kubelet reads c:\k\config, extracts the embedded nodeclient certificate into c:\k\pki\kubelet-client-<ts>.pem, never performs the proper bootstrap-token CSR exchange. Subsequent API server calls fail because CN=nodeclient doesn't satisfy the NodeAuthorizer:

"Failed while requesting a signed certificate from the control plane"
err="cannot create certificate signing request:
     certificatesigningrequests.certificates.k8s.io is forbidden:
     User \"nodeclient\" cannot create resource \"certificatesigningrequests\"..."

The pool reports Succeeded (CSE / extension level), so the failure is silent — the node never registers with the cluster.

Reproduction (verified)

On the AKS New Zealand Sandbox subscription, cluster aks-pis-test in australiaeast, K8s 1.34.7, Windows Server 2022:

Pool	PIS attached	Cert subject	K8s join
pislinux	yes (Linux PIS, NodeProvisionTime)	CN=system:node:aks-pislinux-...	✅ Ready
piswin	yes (Windows PIS, NodeProvisionTime)	CN=nodeclient	❌ Never registered
winctl	no (same cluster, same SKU)	CN=system:node:akswinctl000000	✅ Ready in 30s

Timeline on the broken pool (from C:\AzureData\CustomDataSetupScript.log + C:\k\windowsnodereset.log + C:\k\kubelet.err.log):

01:43-01:44   BasePrep (PreProvisionOnly=true), Register-NodeResetScriptTask registered
01:44:04      base_prep.complete written, NodePrep skipped
~01:57:00     VM reboots from baked VHD
01:57:07      windowsnodereset.ps1 starts (k8s-restart-job AtStartup fires)
01:57:11      CSE invocation 2 begins
01:57:20      windowsnodereset.ps1 calls Start-Service kubelet
01:57:30      kubelet writes kubelet-client-<ts>.pem with the nodeclient cert
01:57:33      NodePrep removes c:\k\config (too late)
01:57:44      NodePrep completes

Fix

Move the task registration out of BasePrep and into NodePrep, after the temporary kubeconfig has been removed. The scheduled task does not exist on a baked VHD, so the first boot does not race with NodePrep and kubelet only starts via the explicit Start-ScheduledTask call at the end of NodePrep — at which point the temporary kubeconfig with the embedded cluster client cert is gone and kubelet correctly falls back to the bootstrap-token path in c:\k\bootstrap-config.

Risk / blast radius

• Linux and non-PIS Windows pools are unaffected (single-phase CSE; the task was never registered before the cleanup ran in practice).
• Subsequent boots after the node has been properly provisioned behave identically to today: the task fires -AtStartup, windowsnodereset.ps1 restarts kubelet/kubeproxy as before.

Which issue(s) this PR fixes:

Fixes #

[Copilot]

Pull request overview

This PR moves the registration of the k8s-restart-job scheduled task from the BasePrep phase to the NodePrep phase in the Windows CSE script. The task uses an -AtStartup trigger, and registering it during BasePrep (which runs at VHD bake time in the Prepared Image Specification / two-phase flow) caused it to fire on the first boot before NodePrep could remove the temporary kubeconfig embedding the shared nodeclient certificate. As a result, kubelet would silently skip the proper TLS bootstrap-token CSR exchange and never register with the API server. By registering the task only after the temporary kubeconfig is removed, the race is eliminated for PIS-baked Windows VHDs while preserving existing behavior for non-PIS pools (which run both phases in a single CSE invocation).

Changes:

• Remove Register-NodeResetScriptTask from BasePrep and replace it with an explanatory comment.
• Register Register-NodeResetScriptTask in NodePrep immediately after the temporary c:\k\config cleanup block.

[timmy-wright]

Can we have a test for this - that the registration happens in nodeprop not baseprep?

[r2k1]

I added a validator. But I don't really like it.

I don't like testing "X doesn't supposed to happen". They are infinite amount of things that doesn't suppose to happen ...

[r2k1]

Replaced it with a proper e2e. BootstrapTLS enabled vs disabled

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

[cameronmeissner]

we already have the bootstrap token fallback scenarios which are designed to test a similar path - could we just add another one for the VHDCaching case instead?

[r2k1]

VHDCaching: true