feat: network isolated cluster skip cse download

parts/windows/kuberneteswindowssetup.ps1

@@ -223,6 +223,7 @@ $global:WindowsCiliumInstallPath = Join-Path -Path $global:WindowsCiliumNetworki
 # Network isolated cluster
 $global:BootstrapProfileContainerRegistryServer="{{GetBootstrapProfileContainerRegistryServer}}"
 $global:MCRRepositoryBase="{{GetMCRRepositoryBase}}"
+$global:NetworkIsolatedClusterTestMode = [System.Convert]::ToBoolean("{{GetNetworkIsolatedClusterTestMode}}"); # for ab e2e only for local ab test with remote cse package
 
 $global:OrasCacheDir="c:\aks-tools\oras\" # refer to components.json
 $global:OrasPath="c:\aks-tools\oras\oras.exe"
@@ -246,36 +247,58 @@ try {
 $global:OperationId = New-Guid
 
 if (-not (Test-Path "C:\AzureData\windows\azurecnifunc.ps1")) {
-    # Determine the CSE package URL
-    $WindowsCSEScriptsPackage = "aks-windows-cse-scripts-current.zip"
     # CSEScriptsPackage is cached on VHD. Previously the cse package version was managed in components.json, whereas RP set the package URL which is a storage account.
-    # From 2025-06 The CSE packages is eleased on the VHD. RP can use fully qualified URL to download CSE scripts package when required out of VHD release cycle.
+    # From 2025-06 The CSE packages is released on the VHD. RP can use fully qualified URL to download CSE scripts package when required out of VHD release cycle.
     # In the transition period, it is important that when deal with older VHD versions, the agentbaker runtime provision script needs to be compatible with the latest known storage account package, 0.0.52.
-    Write-Log "Requested CSEScriptsPackageUrl is $global:CSEScriptsPackageUrl"
-    if ($global:CSEScriptsPackageUrl.EndsWith("/")) {
-        $search = @()
-        if ($global:CacheDir -and (Test-Path $global:CacheDir)) {
-            $search = [IO.Directory]::GetFiles($global:CacheDir, $WindowsCSEScriptsPackage, [IO.SearchOption]::AllDirectories)
-            # list files in the cache directory.
-            Write-Log "the directory $global:CacheDir contains the following files:"
-            Get-ChildItem -Path $global:CacheDir | ForEach-Object { Write-Log "  $_" }
+
+    $WindowsCSEScriptsPackage = "aks-windows-cse-scripts-current.zip"
+    $scriptsZip = $null
+    $shouldCleanup = $false
+
+    # Step 1: Try to find cached scripts on VHD
+    if ($global:CacheDir -and (Test-Path $global:CacheDir)) {
+        $searchCachedScripts = [IO.Directory]::GetFiles($global:CacheDir, $WindowsCSEScriptsPackage, [IO.SearchOption]::AllDirectories)
+        Write-Log "the directory $global:CacheDir contains the following files:"
+        Get-ChildItem -Path $global:CacheDir | ForEach-Object { Write-Log "  $_" }
+        if ($searchCachedScripts.Count -gt 0) {
+            $scriptsZip = $searchCachedScripts[0]
+            Write-Log "Found cached CSE scripts at $scriptsZip"
         }
+    }
 
-        if ($search.Count -eq 0) {
-            Write-Log "Could not find windows cse package on VHD. Use remote version instead."
-            $WindowsCSEScriptsPackage = "aks-windows-cse-scripts-v0.0.52.zip"
+    # Step 2: For non-network-isolated clusters, download scripts if needed (overrides cached version when appropriate)
+    $isNetworkIsolated = -not [string]::IsNullOrWhiteSpace($global:BootstrapProfileContainerRegistryServer) -and -not $global:NetworkIsolatedClusterTestMode
+    if (-not $isNetworkIsolated) {
+        Write-Log "Requested CSEScriptsPackageUrl is $global:CSEScriptsPackageUrl"
+        if ($global:CSEScriptsPackageUrl.EndsWith("/")) {
+            if (-not $scriptsZip) {
+                Write-Log "Could not find windows cse package on VHD. Use remote version instead."
+                $WindowsCSEScriptsPackage = "aks-windows-cse-scripts-v0.0.52.zip"
+            }
+            Write-Log "WindowsCSEScriptsPackage is $WindowsCSEScriptsPackage"
+            $global:CSEScriptsPackageUrl = $global:CSEScriptsPackageUrl + $WindowsCSEScriptsPackage
         }
-        Write-Log "WindowsCSEScriptsPackage is $WindowsCSEScriptsPackage"
-        $global:CSEScriptsPackageUrl = $global:CSEScriptsPackageUrl + $WindowsCSEScriptsPackage
+        Write-Log "CSEScriptsPackageUrl used for provision is $global:CSEScriptsPackageUrl"
+
+        # Download CSE function scripts
+        $downloadedFile = 'c:\csescripts.zip'
+        Logs-To-Event -TaskName "AKS.WindowsCSE.DownloadAndExpandCSEScriptPackageUrl" -TaskMessage "Start to get CSE scripts. CSEScriptsPackageUrl: $global:CSEScriptsPackageUrl"
+        DownloadFileOverHttp -Url $global:CSEScriptsPackageUrl -DestinationPath $downloadedFile -ExitCode $global:WINDOWS_CSE_ERROR_DOWNLOAD_CSE_PACKAGE
+        $scriptsZip = $downloadedFile
+        $shouldCleanup = $true
+    } else {
+        Write-Log "Network isolated cluster detected (BootstrapProfileContainerRegistryServer is set), skip CSE scripts download and use cached scripts"
+        if (-not $scriptsZip) {
+            Set-ExitCode -ExitCode $global:WINDOWS_CSE_ERROR_NETWORK_ISOLATED_CLUSTER_CSE_NOT_CACHED -ErrorMessage "Cached CSE scripts package '$WindowsCSEScriptsPackage' not found under cache directory '$global:CacheDir'"
+        }
+    }
+
+    # Step 3: Extract scripts from the resolved zip
+    Write-Log "Extracting CSE scripts from $scriptsZip"
+    AKS-Expand-Archive -Path $scriptsZip -DestinationPath "C:\\AzureData\\windows"
+    if ($shouldCleanup) {
+        Remove-Item -Path $scriptsZip -Force
     }
-    Write-Log "CSEScriptsPackageUrl used for provision is $global:CSEScriptsPackageUrl"
-
-    # Download CSE function scripts
-    Logs-To-Event -TaskName "AKS.WindowsCSE.DownloadAndExpandCSEScriptPackageUrl" -TaskMessage "Start to get CSE scripts. CSEScriptsPackageUrl: $global:CSEScriptsPackageUrl"
-    $tempfile = 'c:\csescripts.zip'
-    DownloadFileOverHttp -Url $global:CSEScriptsPackageUrl -DestinationPath $tempfile -ExitCode $global:WINDOWS_CSE_ERROR_DOWNLOAD_CSE_PACKAGE
-    AKS-Expand-Archive -Path $tempfile -DestinationPath "C:\\AzureData\\windows"
-    Remove-Item -Path $tempfile -Force
 } else {
     Write-Log "CSE scripts already exist, skipping download"
 }

parts/windows/windowscsehelper.ps1

@@ -86,9 +86,10 @@ $global:WINDOWS_CSE_ERROR_ORAS_PULL_UNAUTHORIZED=79 # exit code for error pullin
 $global:WINDOWS_CSE_ERROR_ORAS_PULL_WINDOWSZIP_FAIL=80 # exit code for error pulling kubelet kubectl artifact with oras from registry
 $global:WINDOWS_CSE_ERROR_ORAS_PULL_CREDENTIAL_PROVIDER=81 # exit code for error pulling credential provider artifact with oras from registry
 $global:WINDOWS_CSE_ERROR_ORAS_PULL_POD_INFRA_CONTAINER=82 # exit code for error pulling pause image with oras from registry
+$global:WINDOWS_CSE_ERROR_NETWORK_ISOLATED_CLUSTER_CSE_NOT_CACHED=83 # exit code for cse of network isolated cluster not cached
 # WINDOWS_CSE_ERROR_MAX_CODE is only used in unit tests to verify whether new error code name is added in $global:ErrorCodeNames
 # Please use the current value of WINDOWS_CSE_ERROR_MAX_CODE as the value of the new error code and increment it by 1
-$global:WINDOWS_CSE_ERROR_MAX_CODE=83
+$global:WINDOWS_CSE_ERROR_MAX_CODE=84
 
 # Please add new error code for downloading new packages in RP code too
 $global:ErrorCodeNames = @(
@@ -174,7 +175,8 @@ $global:ErrorCodeNames = @(
     "WINDOWS_CSE_ERROR_ORAS_PULL_UNAUTHORIZED",
     "WINDOWS_CSE_ERROR_ORAS_PULL_WINDOWSZIP_FAIL",
     "WINDOWS_CSE_ERROR_ORAS_PULL_CREDENTIAL_PROVIDER",
-    "WINDOWS_CSE_ERROR_ORAS_PULL_POD_INFRA_CONTAINER"
+    "WINDOWS_CSE_ERROR_ORAS_PULL_POD_INFRA_CONTAINER",
+    "WINDOWS_CSE_ERROR_NETWORK_ISOLATED_CLUSTER_CSE_NOT_CACHED"
 )
 
 # The package domain to be used
@@ -649,4 +651,3 @@ function Resolve-Error ($ErrorRecord=$Error[0])
        $Exception |Format-List * -Force
    }
 }
-