feat: download containerd with oras in network isolated windows cluster #8151
jiashun0011 merged 1 commit into main
Pull request overview
Adds Windows network-isolated-cluster support for downloading containerd via ORAS when a bootstrap profile container registry is configured, with corresponding unit and e2e coverage.
Changes:
- Update Windows `Install-Containerd` to download via ORAS when `BootstrapProfileContainerRegistryServer` is set, falling back to HTTP otherwise.
- Add a new Windows CSE error code for ORAS containerd pull failures.
- Add Pester unit tests and an e2e scenario to validate the ORAS containerd download path.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| staging/cse/windows/containerdfunc.ps1 | Adds ORAS-based containerd download path gated by BootstrapProfileContainerRegistryServer. |
| staging/cse/windows/containerdfunc.tests.ps1 | Adds Pester coverage for the new ORAS/HTTP branching and retry/error behavior. |
| parts/windows/windowscsehelper.ps1 | Introduces a new error code constant and updates error code bookkeeping. |
| e2e/scenario_win_test.go | Adds a network-isolated Windows scenario asserting containerd ORAS download logging. |
| # Sanitize the registry server value: strip scheme and trailing slash, preserve any repo prefix | ||
| $sanitizedRegistry = ($global:BootstrapProfileContainerRegistryServer -replace '^https?://', '').TrimEnd('/') | ||
|
|
||
| Logs-To-Event -TaskName "AKS.WindowsCSE.DownloadContainerdWithOras" -TaskMessage "Start to download containerd with oras. ContainerdVersionTag: $containerdVersionTag, BootstrapProfileContainerRegistryServer: $global:BootstrapProfileContainerRegistryServer" | ||
| $orasReference = "$sanitizedRegistry/aks/packages/containerd/containerd:$containerdVersionTag" |
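Review bot: The `Logs-To-Event` message records the raw `$global:BootstrapProfileContainerRegistryServer` and is written before `$orasReference` is built, so the event does not show the reference that is actually pulled once the scheme and trailing slash are stripped. Build `$orasReference` first and include it (or `$sanitizedRegistry`) in the TaskMessage so the log matches what ORAS is asked to fetch. Also consider failing early when `$sanitizedRegistry` is empty after sanitization, since the reference would then begin with `/aks/packages/containerd/containerd`.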
BootstrapProfileContainerRegistryServer is sanitized here (scheme stripped + trailing slash trimmed) before constructing the ORAS reference, but other ORAS call sites (e.g. kubelet download) build references directly from the raw global value. If the input ever includes http(s):// or a trailing / (as covered by the new tests), this can cause kubelet/containerd to target different (or invalid) registry references. Consider normalizing BootstrapProfileContainerRegistryServer once (e.g., in config/setup) and reusing that normalized value everywhere ORAS references are constructed.
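One way to apply the suggestion above, normalizing the value once and building every ORAS reference from the result (an added example, not code from this PR; `Get-NormalizedRegistryServer`, `Get-OrasReference`, the sample hosts and the sample tag are hypothetical, and the extra rejection rules go beyond what the PR's inline sanitization does):

```powershell
# Added example with hypothetical helper names; not code from the PR.
function Get-NormalizedRegistryServer {
    param([string]$RegistryServer)

    if ([string]::IsNullOrWhiteSpace($RegistryServer)) {
        return $null   # unset: the caller keeps the HTTP download path
    }

    # Same rules as the PR's inline sanitization: strip the scheme, trim
    # trailing '/', keep any repository prefix. -replace is case-insensitive.
    $value = ($RegistryServer.Trim() -replace '^https?://', '').TrimEnd('/')

    # Additional checks (assumption, not in the PR): refuse values that would
    # yield an invalid reference or carry credentials, a query or a fragment.
    # The raw value is not echoed, so a secret in it never reaches the logs.
    if ($value -eq '' -or $value -match '[\s@?#]') {
        throw 'BootstrapProfileContainerRegistryServer is not a valid registry host[/prefix]'
    }
    return $value
}

function Get-OrasReference {
    param(
        [string]$Registry,    # value returned by Get-NormalizedRegistryServer
        [string]$Repository,  # e.g. aks/packages/containerd/containerd
        [string]$Tag
    )
    # ${} delimits the names so ':' is not parsed as a scope qualifier.
    return "${Registry}/${Repository}:${Tag}"
}

# Constructed sample inputs: scheme and trailing-slash variants collapse to
# the same reference; a repository prefix ('mirror') is preserved.
$samples = @(
    'myregistry.example.com',
    'https://myregistry.example.com/',
    'HTTP://myregistry.example.com/mirror/'
)
foreach ($raw in $samples) {
    $registry = Get-NormalizedRegistryServer -RegistryServer $raw
    Get-OrasReference -Registry $registry `
        -Repository 'aks/packages/containerd/containerd' -Tag 'v0.0.0-sample'
}
```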
| } | ||
|
|
||
| . $PSScriptRoot\containerdfunc.ps1 | ||
| . $PSScriptRoot\..\..\..\parts\windows\windowscsehelper.ps1 |
parts/windows/windowscsehelper.ps1 redefines Set-ExitCode to call exit. In this test file, the earlier function Set-ExitCode { ... } stub is therefore overwritten when windowscsehelper.ps1 is dot-sourced, which makes the stub ineffective and can cause the Pester run to terminate if any code path reaches Set-ExitCode before an explicit Mock Set-ExitCode is applied.
To make the tests robust, either re-define the stub after dot-sourcing windowscsehelper.ps1, or add a Mock Set-ExitCode in BeforeAll to ensure the real exit implementation is never invoked during this test run.
| . $PSScriptRoot\..\..\..\parts\windows\windowscsehelper.ps1 | |
| . $PSScriptRoot\..\..\..\parts\windows\windowscsehelper.ps1 | |
| # windowscsehelper.ps1 defines Set-ExitCode to call exit; restore the | |
| # test-safe stub after dot-sourcing so later imports/tests cannot terminate | |
| # the Pester session. | |
| function Set-ExitCode { | |
| param($ExitCode, $ErrorMessage) | |
| Write-Host "MOCK: Exit Code would be: $ExitCode, Error: $ErrorMessage" | |
| # Don't actually exit in tests | |
| } | |
| Mock Set-ExitCode -MockWith { | |
| param($ExitCode, $ErrorMessage) | |
| Write-Host "MOCK: Exit Code would be: $ExitCode, Error: $ErrorMessage" | |
| } |
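Review bot: The `Mock Set-ExitCode` at the end of this suggestion sits directly after the dot-source lines, and Pester only accepts `Mock` inside its own blocks, so if these lines are at script scope the call fails before any test runs. Keep the re-defined `function Set-ExitCode` stub here and move the `Mock Set-ExitCode` into `BeforeAll`; having both in the same spot is redundant, since either one alone keeps the real `exit` from being reached.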
What this PR does / why we need it:
/kind feature
Which issue(s) this PR fixes:
Download containerd with oras in network isolated windows cluster.