feat: windows network isolated cluster support anonymous-disabled bootstrap acr#8039
Merged
feat: windows network isolated cluster support anonymous-disabled bootstrap acr#8039
Conversation
fseldow
requested review from
AbelHu,
Devinwong,
awesomenix,
calvin197,
cameronmeissner,
djsly,
ganeshkumarashok,
juan-lee,
junjiezhang1997,
lilypan26,
mxj220,
pdamianov-dev,
phealy,
r2k1,
sulixu,
surajssd,
timmy-wright and
zachary-bailey
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
Adds Windows network-isolated cluster support for bootstrapping from a non-anonymous ACR by attempting an anonymous oras repo ls first, then falling back to managed-identity IMDS token exchange + oras login when anonymous access is disabled.
Changes:
- Update Windows CSE network-isolated cluster logic to perform
oraslogin via IMDS + ACR token exchange when needed. - Add Pester coverage for the new
Invoke-OrasLoginflow andGet-BootstrapRegistryDomainName. - Extend Windows network-isolated e2e scenario to enable managed identity + set credential provider flags/URL based on orchestrator version.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| staging/cse/windows/networkisolatedclusterfunc.ps1 | Adds Invoke-OrasLogin and helpers; wires login into Initialize-Oras. |
| staging/cse/windows/networkisolatedclusterfunc.tests.ps1 | Adds Pester tests for the new login and registry-domain helper logic. |
| e2e/scenario_win_test.go | Updates the Windows network-isolated scenario to configure MI + credential provider URL selection. |
fseldow
force-pushed
the
xinhl/ninwinlogin
branch
from
5f35d99 to
6e87a72
Compare
timmy-wright
reviewed
Mar 9, 2026
timmy-wright
approved these changes
Mar 10, 2026
fseldow
force-pushed
the
xinhl/ninwinlogin
branch
from
078bea2 to
ae867e2
Compare
fseldow
force-pushed
the
xinhl/ninwinlogin
branch
from
9586a40 to
006265e
Compare
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
feat: windows network isolated cluster support anonymous-disabled bootstrap acr
Which issue(s) this PR fixes:
oras login via kubelet identity.
Flow: try to ls repo first to identity if anonymous access enabled. If not, call imds to get token to login