feat: download azure acr credential provider via oras in network isolated windows cluster (#8152)

fseldow · Copilot · web-flow · commit cd02f0de87ff · 2026-03-27T13:53:10.000+11:00
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/staging/cse/windows/configfunc.ps1 b/staging/cse/windows/configfunc.ps1
@@ -435,9 +435,8 @@ function Install-CredentialProvider {
         [Parameter(Mandatory = $false)][string]
         $CustomCloudContainerRegistryDNSSuffix
     )
-
     try {
-        # Out of tree credential provider is turned on as a must after 1.30, and is optinal in 1.29, for cluster < 1.29, it's not enabled.
+        # Out of tree credential provider is turned on as a must after 1.30, and is optional in 1.29, for cluster < 1.29, it's not enabled.
         # And only when it's enabled, the credential provider flags are set.
         $global:credentialProviderConfigPath = ""
         $global:credentialProviderBinDir = ""
@@ -454,12 +453,45 @@ function Install-CredentialProvider {
 
         Write-Log "Download credential provider binary from $global:CredentialProviderURL to $global:credentialProviderBinDir"
         $tempDir = New-TemporaryDirectory
-        $credentialproviderbinaryPackage = "$tempDir\credentialprovider.tar.gz"
-        DownloadFileOverHttp -Url $global:CredentialProviderURL -DestinationPath $credentialproviderbinaryPackage -ExitCode $global:WINDOWS_CSE_ERROR_DOWNLOAD_CREDEDNTIAL_PROVIDER
-        tar -xzf $credentialproviderbinaryPackage -C $tempDir
-        if ($LASTEXITCODE -ne 0) {
-            throw "Failed to extract the '$credentialproviderbinaryPackage' archive."
+        if ([string]::IsNullOrEmpty($global:BootstrapProfileContainerRegistryServer)) {
+            $credentialproviderbinaryPackage = "$tempDir\credentialprovider.tar.gz"
+            DownloadFileOverHttp -Url $global:CredentialProviderURL -DestinationPath $credentialproviderbinaryPackage -ExitCode $global:WINDOWS_CSE_ERROR_DOWNLOAD_CREDEDNTIAL_PROVIDER
+            tar -xzf $credentialproviderbinaryPackage -C $tempDir
+            if ($LASTEXITCODE -ne 0) {
+                throw "Failed to extract the '$credentialproviderbinaryPackage' archive."
+            }
+        } else {
+            # network isolated cluster
+            # download azure acr credential provider binaries via oras if BootstrapProfileContainerRegistryServer is set
+            if (-not (Get-Command 'DownloadFileWithOras' -ErrorAction SilentlyContinue)) {
+                Set-ExitCode -ExitCode $global:WINDOWS_CSE_ERROR_ORAS_PULL_CREDENTIAL_PROVIDER -ErrorMessage "DownloadFileWithOras function is not available. networkisolatedclusterfunc.ps1 may not be sourced."
+            }
+            $credentialproviderbinaryPackage = "$tempDir\credentialprovider.zip"
+            # Handle both URL styles:
+            # 1) .../azure-acr-credential-provider/1.34.0/windows/... for dalec url, e.g. https://packages.aks.azure.com/dalec-packages/azure-acr-credential-provider/1.34.0/windows/amd64/azure-acr-credential-provider_1.34.0-1_amd64.zip
+            # 2) .../cloud-provider-azure/v1.34.0/binaries/... for legacy binaries url, e.g. https://packages.aks.azure.com/cloud-provider-azure/v1.34.0/binaries/azure-acr-credential-provider-linux-amd64-v1.34.0.tar.gz
+            # If version is missing in URL, fall back to KubeBinariesVersion.
+            $packageVersion = ([regex]::Match($global:CredentialProviderURL, '/v?(\d+(?:\.\d+)+)(?=/)')).Groups[1].Value
+            if ([string]::IsNullOrEmpty($packageVersion)) {
+                $packageVersion = ([regex]::Match($global:CredentialProviderURL, '(?:^|[._-])v?(\d+(?:\.\d+)+)(?:$|[._-])')).Groups[1].Value
+            }
+            if ([string]::IsNullOrEmpty($packageVersion)) {
+                Write-Warning "Unexpected CredentialProviderURL format, version is not found in URL. CredentialProviderURL: $global:CredentialProviderURL. Fall back to KubeBinariesVersion: $global:KubeBinariesVersion"
+                $packageVersion = $global:KubeBinariesVersion
+                $packageVersion = $packageVersion.TrimStart('v')
+            }
+            Logs-To-Event -TaskName "AKS.WindowsCSE.DownloadCredentialProviderBinariesWithOras" -TaskMessage "Start to download azure acr credential provider binaries with oras. KubeBinariesVersion: $global:KubeBinariesVersion, BootstrapProfileContainerRegistryServer: $global:BootstrapProfileContainerRegistryServer"
+            $orasReference = "$($global:BootstrapProfileContainerRegistryServer)/aks/packages/kubernetes/azure-acr-credential-provider:v$($packageVersion)"
+            try {
+                Retry-Command -Command "DownloadFileWithOras" -Args @{Reference = $orasReference; DestinationPath = $credentialproviderbinaryPackage } -Retries 5 -RetryDelaySeconds 10
+            }
+            catch {
+                del $tempDir -Recurse -Force -ErrorAction SilentlyContinue
+                Set-ExitCode -ExitCode $global:WINDOWS_CSE_ERROR_ORAS_PULL_CREDENTIAL_PROVIDER -ErrorMessage "Exhausted retries for oras pull $orasReference. Error: $_"
+            }
+            AKS-Expand-Archive -Path $credentialproviderbinaryPackage -DestinationPath $tempDir
         }
+
         Create-Directory -FullPath $global:credentialProviderBinDir
         cp "$tempDir\azure-acr-credential-provider.exe" "$global:credentialProviderBinDir\acr-credential-provider.exe"
         # acr-credential-provider.exe cannot be found by kubelet through provider name before the fix https://github.com/kubernetes/kubernetes/pull/120291
diff --git a/staging/cse/windows/configfunc.tests.ps1 b/staging/cse/windows/configfunc.tests.ps1
@@ -1,11 +1,12 @@
 BeforeAll {
     . $PSScriptRoot\..\..\..\parts\windows\windowscsehelper.ps1
+    . $PSScriptRoot\networkisolatedclusterfunc.ps1
     . $PSCommandPath.Replace('.tests.ps1','.ps1')
 
     $capturedContent = $null
-    Mock Set-Content -MockWith { 
+    Mock Set-Content -MockWith {
         param($Path, $Value)
-        $script:capturedContent = $Value 
+        $script:capturedContent = $Value
     } -Verifiable
 
     Mock Remove-Item
@@ -67,7 +68,7 @@ Describe 'Resize-OSDrive' {
             Write-Host "Invoke-Executable $Executable $ArgList $ExitCode"
         } -Verifiable
     }
-    
+
     Context 'success' {
         It "Should call Invoke-Executable to Diskpart once" {
             Mock Get-Disk -MockWith {
@@ -114,7 +115,7 @@ Describe 'Resize-OSDrive' {
     }
 }
 
-Describe 'Config-CredentialProvider' {    
+Describe 'Config-CredentialProvider' {
     BeforeEach {
         $global:credentialProviderConfigDir = "staging\cse\windows\credentialProvider.tests.suites"
         $CredentialProviderConfPATH=[Io.path]::Combine("$global:credentialProviderConfigDir", "credential-provider-config.yaml")
@@ -126,26 +127,26 @@ Describe 'Config-CredentialProvider' {
 
     AfterEach {
         Remove-Item -Path $CredentialProviderConfPATH
-    }    
+    }
 
     Context 'CustomCloudContainerRegistryDNSSuffix is empty' {
         It "should match the expected config file content" {
             $expectedCredentialProviderConfig = Read-Format-Yaml ([Io.path]::Combine($credentialProviderConfigDir, "CustomCloudContainerRegistryDNSSuffixEmpty.config.yaml"))
             Config-CredentialProvider -KubeDir $credentialProviderConfigDir -CredentialProviderConfPath $CredentialProviderConfPATH -CustomCloudContainerRegistryDNSSuffix ""
-            
+
             $acutalCredentialProviderConfig = Read-Format-Yaml $CredentialProviderConfPATH
             # Compare the content by normalizing whitespace and line endings
             $normalizedExpected = $expectedCredentialProviderConfig.Trim().Replace("`r`n", "`n")
             $normalizedActual = $acutalCredentialProviderConfig.Trim().Replace("`r`n", "`n")
             $normalizedActual | Should -Be $normalizedExpected
         }
-    }   
+    }
     Context 'CustomCloudContainerRegistryDNSSuffix is not empty' {
        It "should match the expected config file content" {
             $expectedCredentialProviderConfig = Read-Format-Yaml ([Io.path]::Combine($credentialProviderConfigDir, "CustomCloudContainerRegistryDNSSuffixNotEmpty.config.yaml"))
             Config-CredentialProvider -KubeDir $credentialProviderConfigDir -CredentialProviderConfPath $CredentialProviderConfPATH -CustomCloudContainerRegistryDNSSuffix ".azurecr.microsoft.fakecloud"
             $acutalCredentialProviderConfig = Read-Format-Yaml $CredentialProviderConfPATH
-            
+
             # Compare the content by normalizing whitespace and line endings
             $normalizedExpected = $expectedCredentialProviderConfig.Trim().Replace("`r`n", "`n")
             $normalizedActual = $acutalCredentialProviderConfig.Trim().Replace("`r`n", "`n")
@@ -170,7 +171,7 @@ Describe 'Validate-CredentialProviderConfigFlags' {
             Write-Host "Set-ExitCode $ExitCode $ErrorMessage"
         } -Verifiable
     }
-    
+
     Context 'success' {
         It "Should return expected config path and bin path" {
             $expectedCredentialProviderConfigPath="c:\k\credential-provider-config.yaml"
@@ -211,4 +212,80 @@ Describe 'Validate-CredentialProviderConfigFlags' {
             Assert-MockCalled -CommandName "Set-ExitCode" -Exactly -Times 1 -ParameterFilter { $ExitCode -eq $global:WINDOWS_CSE_ERROR_CREDENTIAL_PROVIDER_CONFIG }
         }
     }
-}
+}
+
+Describe 'Install-CredentialProvider' {
+    BeforeEach {
+        $global:credentialProviderConfigPath = ""
+        $global:credentialProviderBinDir = ""
+        $global:KubeletConfigArgs = @(
+            "--image-credential-provider-config=c:\k\credential-provider-config.yaml",
+            "--image-credential-provider-bin-dir=c:\var\lib\kubelet\credential-provider"
+        )
+        $global:CredentialProviderURL = "https://packages.aks.azure.com/dalec-packages/azure-acr-credential-provider/1.34.0/windows/amd64/azure-acr-credential-provider_1.34.0-1_amd64.zip"
+        $global:BootstrapProfileContainerRegistryServer = "myregistry.azurecr.io"
+        $global:KubeBinariesVersion = "1.31.9"
+        $script:lastDownloadReference = ""
+
+        Mock Config-CredentialProvider
+        Mock New-TemporaryDirectory -MockWith { "C:\temp\credprovider" }
+        Mock DownloadFileOverHttp
+        Mock DownloadFileWithOras -MockWith {
+            param(
+                [string]$Reference,
+                [string]$DestinationPath,
+                [string]$Platform
+            )
+            $script:lastDownloadReference = $Reference
+        }
+        Mock AKS-Expand-Archive
+        Mock Create-Directory
+        Mock cp
+        Mock del
+        Mock tar -MockWith { $global:LASTEXITCODE = 0 }
+        Mock Get-Command -MockWith {
+            [pscustomobject]@{ Name = "DownloadFileWithOras" }
+        } -ParameterFilter { $Name -eq 'DownloadFileWithOras' }
+        Mock Set-ExitCode -MockWith {
+            Param($ExitCode, $ErrorMessage)
+            throw "Set-ExitCode:${ExitCode}:${ErrorMessage}"
+            return
+        }
+    }
+    AfterEach {
+        $global:BootstrapProfileContainerRegistryServer = $null
+    }
+
+    It 'returns early when out-of-tree credential provider flags are not configured' {
+        $global:KubeletConfigArgs = @("--address=0.0.0.0")
+
+        { Install-CredentialProvider -KubeDir 'c:\k' -CustomCloudContainerRegistryDNSSuffix '' } | Should -Not -Throw
+        Assert-MockCalled -CommandName 'Config-CredentialProvider' -Times 0
+        $script:lastDownloadReference | Should -Be ""
+        Assert-MockCalled -CommandName 'DownloadFileOverHttp' -Times 0
+    }
+
+    It 'uses legacy binaries URL for non-ni cluster' {
+        $global:BootstrapProfileContainerRegistryServer = ""
+        $global:CredentialProviderURL = 'https://packages.aks.azure.com/cloud-provider-azure/v1.34.0/binaries/azure-acr-credential-provider-linux-amd64-v1.34.0.tar.gz'
+        Install-CredentialProvider -KubeDir 'c:\k' -CustomCloudContainerRegistryDNSSuffix ''
+        Assert-MockCalled -CommandName 'DownloadFileOverHttp' -Times 1
+    }
+
+    It 'uses version parsed from dalec URL for ORAS reference' {
+        Install-CredentialProvider -KubeDir 'c:\k' -CustomCloudContainerRegistryDNSSuffix ''
+        $script:lastDownloadReference | Should -Be 'myregistry.azurecr.io/aks/packages/kubernetes/azure-acr-credential-provider:v1.34.0'
+    }
+
+    It 'uses version parsed from legacy binaries URL for ORAS reference' {
+        $global:CredentialProviderURL = 'https://packages.aks.azure.com/cloud-provider-azure/v1.34.0/binaries/azure-acr-credential-provider-linux-amd64-v1.34.0.tar.gz'
+        Install-CredentialProvider -KubeDir 'c:\k' -CustomCloudContainerRegistryDNSSuffix ''
+        $script:lastDownloadReference | Should -Be 'myregistry.azurecr.io/aks/packages/kubernetes/azure-acr-credential-provider:v1.34.0'
+    }
+
+    It 'falls back to KubeBinariesVersion when URL contains no parseable version' {
+        $global:CredentialProviderURL = 'https://packages.aks.azure.com/invalid/credential-provider.zip'
+        Install-CredentialProvider -KubeDir 'c:\k' -CustomCloudContainerRegistryDNSSuffix ''
+        $script:lastDownloadReference | Should -Be 'myregistry.azurecr.io/aks/packages/kubernetes/azure-acr-credential-provider:v1.31.9'
+    }
+}
