feat: download kubelet with oras in network isolated windows cluster#8042
feat: download kubelet with oras in network isolated windows cluster#8042jiashun0011 wants to merge 1 commit intomainfrom
Conversation
jiashun0011
requested review from
AbelHu,
Devinwong,
awesomenix,
calvin197,
cameronmeissner,
djsly,
ganeshkumarashok,
juan-lee,
junjiezhang1997,
lilypan26,
mxj220,
pdamianov-dev,
phealy,
r2k1,
sulixu,
surajssd,
timmy-wright and
zachary-bailey
as code owners
There was a problem hiding this comment.
Pull request overview
Adds support for downloading Windows kubelet binaries via ORAS when running in a network-isolated cluster context (using the bootstrap profile container registry), and extends test coverage to exercise the new path.
Changes:
- Update
Get-KubePackageto download kubelet binaries via ORAS whenBootstrapProfileContainerRegistryServeris set; otherwise keep HTTP download behavior. - Add/extend Pester tests for ORAS vs HTTP selection behavior in
Get-KubePackage. - Add a new Windows network-isolated e2e scenario intended to validate ORAS-based kubelet download behavior.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| staging/cse/windows/kubeletfunc.ps1 | Adds ORAS-based kubelet package download branch when bootstrap profile registry is configured. |
| staging/cse/windows/kubeletfunc.tests.ps1 | Adds Pester contexts to cover ORAS vs HTTP download paths for kubelet package retrieval. |
| e2e/scenario_win_test.go | Adds a network-isolated Windows e2e test and alters Windows 2025 bootstrap mutator to use a custom CSE package URL. |
You can also share your feedback on Copilot code review. Take the survey.
|
forget to delete? |
jiashun0011
force-pushed
the
jiashunliu/ni-oras-cache-1
branch
from
76afb46 to
4450dfb
Compare
jiashun0011
force-pushed
the
jiashunliu/ni-oras-cache-1
branch
from
4450dfb to
bac8e29
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.
You can also share your feedback on Copilot code review. Take the survey.
| Set-ExitCode -ExitCode $global:WINDOWS_CSE_ERROR_ORAS_PULL_WINDOWSZIP_FAIL -ErrorMessage "DownloadFileWithOras function is not available. networkisolatedclusterfunc.ps1 may not be sourced." | ||
| } | ||
| Logs-To-Event -TaskName "AKS.WindowsCSE.DownloadKubletBinariesWithOras" -TaskMessage "Start to download kubelet binaries with oras. KubeBinariesVersion: $global:KubeBinariesVersion, BootstrapProfileContainerRegistryServer: $global:BootstrapProfileContainerRegistryServer" | ||
| $orasReference = "$($global:BootstrapProfileContainerRegistryServer)/aks/packages/kubernetes/windowszip:v$($global:KubeBinariesVersion)" |
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
You can also share your feedback on Copilot code review. Take the survey.
| nbc.ContainerService.Properties.SecurityProfile = &datamodel.SecurityProfile{ | ||
| PrivateEgress: &datamodel.PrivateEgress{ | ||
| Enabled: true, | ||
| ContainerRegistryServer: fmt.Sprintf("%s.azurecr.io/aks-managed-repository", config.PrivateACRName(config.Config.DefaultLocation)), |
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
| It "Should call DownloadFileWithOras with correct reference when BootstrapProfileContainerRegistryServer is set" { | ||
| Get-KubePackage -KubeBinariesSASURL 'https://xxx.blob.core.windows.net/kubernetes/v1.29.2/windowszip/v1.29.2-1int.zip' | ||
| Assert-MockCalled -CommandName 'DownloadFileWithOras' -Exactly -Times 1 -ParameterFilter { | ||
| $Reference -eq 'myregistry.azurecr.io/aks/packages/kubernetes/windowszip:v1.29.2' -and | ||
| $DestinationPath -eq 'c:\k.zip' -and | ||
| $ExitCode -eq $global:WINDOWS_CSE_ERROR_ORAS_PULL_WINDOWSZIP_FAIL | ||
| } |
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
deleted |
jiashun0011
force-pushed
the
jiashunliu/ni-oras-cache-1
branch
from
87651bd to
bf626ee
Compare
jiashun0011
force-pushed
the
jiashunliu/ni-oras-cache-1
branch
from
bf626ee to
663af34
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
You can also share your feedback on Copilot code review. Take the survey.
| { DownloadFileWithOras -Reference $reference -DestinationPath $destPath -ExitCode 80 } | Should -Not -Throw | ||
|
|
||
| Assert-MockCalled -CommandName 'Write-Log' -ParameterFilter { | ||
| $message -like "*platform=windows/amd64*" | ||
| } |
| It "should call oras with correct arguments on success" { | ||
| $reference = "myregistry.azurecr.io/aks/packages/kubernetes/windowszip:1.29.2" | ||
| $destPath = "c:\k.zip" | ||
|
|
||
| $global:OrasPath = "Write-Output" | ||
| { DownloadFileWithOras -Reference $reference -DestinationPath $destPath -ExitCode 80 } | Should -Not -Throw | ||
| } |
jiashun0011
force-pushed
the
jiashunliu/ni-oras-cache-1
branch
from
663af34 to
411dd66
Compare
|
There was an error handling pipeline event fa0590be-b5f0-479e-812d-33890e8827ec. |
jiashun0011
force-pushed
the
jiashunliu/ni-oras-cache-1
branch
from
411dd66 to
af24e0a
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
You can also share your feedback on Copilot code review. Take the survey.
| } | ||
| }, | ||
| Validator: func(ctx context.Context, s *Scenario) { | ||
| ValidateFileHasContent(ctx, s, "/k/kubeletstart.ps1", "--container-runtime=remote") |
There was a problem hiding this comment.
I think most of the default tests use images that are already cached on the VHD. I think it's worth explicitly checking a pod can start using a container that's not on the VHD - and is only in the aks managed repository you link to above.
There was a problem hiding this comment.
Good point, I agree it’s useful to validate pulling an image that is not pre-cached on the VHD.
For this test though, we are trying to keep it fully isolated using our specified ACR to validate the network-isolated scenario. We still have some essential components that require additional PRs to support oras-based download, so we’re not fully relying on the AKS-managed repo path yet.
We can add a dedicated test case for non-VHD-cached images once those pieces are in place.
timmy-wright
left a comment
timmy-wright
left a comment
There was a problem hiding this comment.
Couple of comments - and as copilot says, the git conflict merge markers indicate that something went unresolved in the tests.
jiashun0011
force-pushed
the
jiashunliu/ni-oras-cache-1
branch
from
af24e0a to
1916729
Compare
What this PR does / why we need it:
/kind feature
Which issue(s) this PR fixes:
Download kubelet with oras in network isolated windows cluster.