Azure
diff --git a/‎parts/windows/kuberneteswindowssetup.ps1‎
Lines changed: 49 additions & 36 deletions b/‎parts/windows/kuberneteswindowssetup.ps1‎
Lines changed: 49 additions & 36 deletions
diff --git a/‎parts/windows/windowscsehelper.ps1‎
Lines changed: 0 additions & 34 deletions b/‎parts/windows/windowscsehelper.ps1‎
Lines changed: 0 additions & 34 deletions
diff --git a/‎parts/windows/windowscsehelper.tests.ps1‎
Lines changed: 0 additions & 55 deletions b/‎parts/windows/windowscsehelper.tests.ps1‎
Lines changed: 0 additions & 55 deletions
@@ -223,6 +223,7 @@ $global:WindowsCiliumInstallPath = Join-Path -Path $global:WindowsCiliumNetworki
 # Network isolated cluster
 $global:BootstrapProfileContainerRegistryServer="{{GetBootstrapProfileContainerRegistryServer}}"
 $global:MCRRepositoryBase="{{GetMCRRepositoryBase}}"
+$global:NetworkIsolatedClusterTestMode = [System.Convert]::ToBoolean("{{GetNetworkIsolatedClusterTestMode}}"); # for ab e2e only for local ab test with remote cse package
 
 $global:OrasCacheDir="c:\aks-tools\oras\" # refer to components.json
 $global:OrasPath="c:\aks-tools\oras\oras.exe"
@@ -245,49 +246,61 @@ try {
 
 $global:OperationId = New-Guid
 
-if (
-    -not (Test-Path "C:\AzureData\windows\azurecnifunc.ps1") -and
-    ([string]::IsNullOrWhiteSpace($global:BootstrapProfileContainerRegistryServer)) # skip download for network isolated cluster which will use cached scripts
-) {
-    # Determine the CSE package URL
-    $WindowsCSEScriptsPackage = "aks-windows-cse-scripts-current.zip"
+if (-not (Test-Path "C:\AzureData\windows\azurecnifunc.ps1")) {
     # CSEScriptsPackage is cached on VHD. Previously the cse package version was managed in components.json, whereas RP set the package URL which is a storage account.
-    # From 2025-06 The CSE packages is eleased on the VHD. RP can use fully qualified URL to download CSE scripts package when required out of VHD release cycle.
+    # From 2025-06 The CSE packages is released on the VHD. RP can use fully qualified URL to download CSE scripts package when required out of VHD release cycle.
     # In the transition period, it is important that when deal with older VHD versions, the agentbaker runtime provision script needs to be compatible with the latest known storage account package, 0.0.52.
-    Write-Log "Requested CSEScriptsPackageUrl is $global:CSEScriptsPackageUrl"
-    if ($global:CSEScriptsPackageUrl.EndsWith("/")) {
-        $search = @()
-        if ($global:CacheDir -and (Test-Path $global:CacheDir)) {
-            $search = [IO.Directory]::GetFiles($global:CacheDir, $WindowsCSEScriptsPackage, [IO.SearchOption]::AllDirectories)
-            # list files in the cache directory.
-            Write-Log "the directory $global:CacheDir contains the following files:"
-            Get-ChildItem -Path $global:CacheDir | ForEach-Object { Write-Log "  $_" }
+
+    $WindowsCSEScriptsPackage = "aks-windows-cse-scripts-current.zip"
+    $scriptsZip = $null
+    $shouldCleanup = $false
+
+    # Step 1: Try to find cached scripts on VHD
+    if ($global:CacheDir -and (Test-Path $global:CacheDir)) {
+        $searchCachedScripts = [IO.Directory]::GetFiles($global:CacheDir, $WindowsCSEScriptsPackage, [IO.SearchOption]::AllDirectories)
+        Write-Log "the directory $global:CacheDir contains the following files:"
+        Get-ChildItem -Path $global:CacheDir | ForEach-Object { Write-Log "  $_" }
+        if ($searchCachedScripts.Count -gt 0) {
+            $scriptsZip = $searchCachedScripts[0]
+            Write-Log "Found cached CSE scripts at $scriptsZip"
         }
+    }
 
-        if ($search.Count -eq 0) {
-            Write-Log "Could not find windows cse package on VHD. Use remote version instead."
-            $WindowsCSEScriptsPackage = "aks-windows-cse-scripts-v0.0.52.zip"
+    # Step 2: For non-network-isolated clusters, download scripts if needed (overrides cached version when appropriate)
+    $isNetworkIsolated = -not [string]::IsNullOrWhiteSpace($global:BootstrapProfileContainerRegistryServer) -and -not $global:NetworkIsolatedClusterTestMode
+    if (-not $isNetworkIsolated) {
+        Write-Log "Requested CSEScriptsPackageUrl is $global:CSEScriptsPackageUrl"
+        if ($global:CSEScriptsPackageUrl.EndsWith("/")) {
+            if (-not $scriptsZip) {
+                Write-Log "Could not find windows cse package on VHD. Use remote version instead."
+                $WindowsCSEScriptsPackage = "aks-windows-cse-scripts-v0.0.52.zip"
+            }
+            Write-Log "WindowsCSEScriptsPackage is $WindowsCSEScriptsPackage"
+            $global:CSEScriptsPackageUrl = $global:CSEScriptsPackageUrl + $WindowsCSEScriptsPackage
+        }
+        Write-Log "CSEScriptsPackageUrl used for provision is $global:CSEScriptsPackageUrl"
+
+        # Download CSE function scripts
+        $downloadedFile = 'c:\csescripts.zip'
+        Logs-To-Event -TaskName "AKS.WindowsCSE.DownloadAndExpandCSEScriptPackageUrl" -TaskMessage "Start to get CSE scripts. CSEScriptsPackageUrl: $global:CSEScriptsPackageUrl"
+        DownloadFileOverHttp -Url $global:CSEScriptsPackageUrl -DestinationPath $downloadedFile -ExitCode $global:WINDOWS_CSE_ERROR_DOWNLOAD_CSE_PACKAGE
+        $scriptsZip = $downloadedFile
+        $shouldCleanup = $true
+    } else {
+        Write-Log "Network isolated cluster detected (BootstrapProfileContainerRegistryServer is set), skip CSE scripts download and use cached scripts"
+        if (-not $scriptsZip) {
+            Set-ExitCode -ExitCode $global:WINDOWS_CSE_ERROR_NETWORK_ISOLATED_CLUSTER_CSE_NOT_CACHED -ErrorMessage "Cached CSE scripts package '$WindowsCSEScriptsPackage' not found under cache directory '$global:CacheDir'"
         }
-        Write-Log "WindowsCSEScriptsPackage is $WindowsCSEScriptsPackage"
-        $global:CSEScriptsPackageUrl = $global:CSEScriptsPackageUrl + $WindowsCSEScriptsPackage
     }
-    Write-Log "CSEScriptsPackageUrl used for provision is $global:CSEScriptsPackageUrl"
-
-    # Download CSE function scripts
-    Logs-To-Event -TaskName "AKS.WindowsCSE.DownloadAndExpandCSEScriptPackageUrl" -TaskMessage "Start to get CSE scripts. CSEScriptsPackageUrl: $global:CSEScriptsPackageUrl"
-    $tempfile = 'c:\csescripts.zip'
-    DownloadFileOverHttp -Url $global:CSEScriptsPackageUrl -DestinationPath $tempfile -ExitCode $global:WINDOWS_CSE_ERROR_DOWNLOAD_CSE_PACKAGE
-    AKS-Expand-Archive -Path $tempfile -DestinationPath "C:\\AzureData\\windows"
-    Remove-Item -Path $tempfile -Force
-} else {
-    Write-Log "CSE scripts already exist or detect network isolated cluster, skipping download"
-}
 
-# always use the cached scripts for network isolated cluster
-if (-not (Test-Path "C:\AzureData\windows\azurecnifunc.ps1") -and
-    (-not [string]::IsNullOrWhiteSpace($global:BootstrapProfileContainerRegistryServer))) {
-    Write-Log "BootstrapProfileContainerRegistryServer is set, skip CSE scripts download"
-    Install-CachedScripts -ExitCode $global:WINDOWS_CSE_ERROR_NETWORK_ISOLATED_CLUSTER_CSE_NOT_CACHED
+    # Step 3: Extract scripts from the resolved zip
+    Write-Log "Extracting CSE scripts from $scriptsZip"
+    AKS-Expand-Archive -Path $scriptsZip -DestinationPath "C:\\AzureData\\windows"
+    if ($shouldCleanup) {
+        Remove-Item -Path $scriptsZip -Force
+    }
+} else {
+    Write-Log "CSE scripts already exist, skipping download"
 }
 
 # Dot-source cse scripts with functions that are called in this script
 
@@ -651,37 +651,3 @@ function Resolve-Error ($ErrorRecord=$Error[0])
        $Exception |Format-List * -Force
    }
 }
-
-function Install-CachedScripts {
-    Param(
-        [Parameter(Mandatory = $true)][int]
-        $ExitCode
-    )
-
-    $fileName = "aks-windows-cse-scripts-current.zip"
-
-    $search = @()
-    if ($global:CacheDir -and (Test-Path $global:CacheDir)) {
-        $search = [IO.Directory]::GetFiles($global:CacheDir, $fileName, [IO.SearchOption]::AllDirectories)
-    }
-
-    if ($search.Count -ne 0) {
-        $tempfile = 'c:\csescripts.zip'
-        Write-Log "Using cached version of $fileName - Copying file from $($search[0]) to $tempfile"
-        try {
-            Copy-Item -Path $search[0] -Destination $tempfile -Force
-            AKS-Expand-Archive -Path $tempfile -DestinationPath "C:\\AzureData\\windows"
-        }
-        catch {
-            Set-ExitCode -ExitCode $ExitCode -ErrorMessage ("failed to install cached CSE scripts: {0}" -f $_.Exception.Message)
-            return
-        }
-        finally {
-            Remove-Item -Path $tempfile -Force -ErrorAction SilentlyContinue
-        }
-    }
-    else {
-        Set-ExitCode -ExitCode $ExitCode -ErrorMessage "cached CSE not found in VHD"
-    }
-}
-
@@ -429,61 +429,6 @@ Describe "DownloadFileOverHttp" {
   }
 }
 
-Describe "Install-CachedScripts" {
-  BeforeEach {
-    $script:originalCacheDir = $global:CacheDir
-    $global:CacheDir = Join-Path $TestDrive ([guid]::NewGuid().ToString())
-
-    Mock Copy-Item -MockWith {}
-    Mock AKS-Expand-Archive -MockWith {}
-    Mock Remove-Item -MockWith {}
-    Mock Set-ExitCode -MockWith {
-      param(
-        [Parameter(Mandatory = $true)][int]$ExitCode,
-        [Parameter(Mandatory = $true)][string]$ErrorMessage
-      )
-      throw "Set-ExitCode:${ExitCode}:${ErrorMessage}"
-    }
-  }
-
-  AfterEach {
-    $global:CacheDir = $script:originalCacheDir
-  }
-
-  It "copies and expands cached CSE scripts when cache file exists" {
-    $nestedDir = Join-Path $global:CacheDir "nested"
-    New-Item -ItemType Directory -Path $nestedDir -Force | Out-Null
-
-    $cachedArchive = Join-Path $nestedDir "aks-windows-cse-scripts-current.zip"
-    New-Item -ItemType File -Path $cachedArchive -Force | Out-Null
-
-    { Install-CachedScripts -ExitCode 33 } | Should -Not -Throw
-
-    Assert-MockCalled -CommandName 'Copy-Item' -Times 1 -ParameterFilter {
-      $Path -eq $cachedArchive -and $Destination -eq 'c:\csescripts.zip'
-    }
-    Assert-MockCalled -CommandName 'AKS-Expand-Archive' -Times 1 -ParameterFilter {
-      $Path -eq 'c:\csescripts.zip' -and $DestinationPath -eq 'C:\\AzureData\\windows'
-    }
-    Assert-MockCalled -CommandName 'Remove-Item' -Times 1
-    Assert-MockCalled -CommandName 'Set-ExitCode' -Times 0
-  }
-
-  It "sets exit code when cached CSE scripts are not found" {
-    New-Item -ItemType Directory -Path $global:CacheDir -Force | Out-Null
-
-    {
-      Install-CachedScripts -ExitCode 33
-    } | Should -Throw "*Set-ExitCode:33:cached CSE not found in VHD*"
-
-    Assert-MockCalled -CommandName 'Copy-Item' -Times 0
-    Assert-MockCalled -CommandName 'AKS-Expand-Archive' -Times 0
-    Assert-MockCalled -CommandName 'Set-ExitCode' -Times 1 -ParameterFilter {
-      $ExitCode -eq 33 -and $ErrorMessage -eq 'cached CSE not found in VHD'
-    }
-  }
-}
-
 Describe "Update-BaseUrl" {
   BeforeEach {
     # Reset the PackageDownloadFqdn before each test