feat: consume NI kubernetes packages on MAR (#7134)

Signed-off-by: Billy Zha <jinzha1@microsoft.com>

Author: qweeah

e2e/scenario_test.go

@@ -2032,6 +2032,59 @@ func Test_Ubuntu2204_PMC_Install(t *testing.T) {
 	})
 }
 
+func Test_Ubuntu2204Gen2_ContainerdAirgappedNonAnonymousK8sNotCached_InstallPackage(t *testing.T) {
+	location := config.Config.DefaultLocation
+	ctx := newTestCtx(t)
+	identity, err := config.Azure.UserAssignedIdentities.Get(ctx, config.ResourceGroupName(location), config.VMIdentityName, nil)
+	require.NoError(t, err)
+	RunScenario(t, &Scenario{
+		Description: "Tests that a node using the Ubuntu 2204 VHD without k8s binary and is airgap can be properly bootstrapped",
+		Tags: Tags{
+			Airgap:          true,
+			NonAnonymousACR: true,
+		},
+		Config: Config{
+			Cluster: ClusterKubenetAirgapNonAnon,
+			VHD:     config.VHDUbuntu2204Gen2ContainerdAirgappedK8sNotCached,
+			BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
+				nbc.TenantID = *identity.Properties.TenantID
+				nbc.UserAssignedIdentityClientID = *identity.Properties.ClientID
+				nbc.OutboundType = datamodel.OutboundTypeBlock
+				nbc.ContainerService.Properties.SecurityProfile = &datamodel.SecurityProfile{
+					PrivateEgress: &datamodel.PrivateEgress{
+						Enabled:                 true,
+						ContainerRegistryServer: fmt.Sprintf("%s.azurecr.io", config.PrivateACRNameNotAnon(location)),
+					},
+				}
+				nbc.AgentPoolProfile.LocalDNSProfile = nil
+				nbc.ContainerService.Properties.OrchestratorProfile.KubernetesConfig.UseManagedIdentity = true
+				nbc.AgentPoolProfile.KubernetesConfig.UseManagedIdentity = true
+				// intentionally using private acr url to get kube binaries
+				nbc.AgentPoolProfile.KubernetesConfig.CustomKubeBinaryURL = fmt.Sprintf(
+					"%s.azurecr.io/oss/binaries/kubernetes/kubernetes-node:v%s-linux-amd64",
+					config.PrivateACRNameNotAnon(location),
+					nbc.ContainerService.Properties.OrchestratorProfile.OrchestratorVersion)
+				nbc.K8sComponents.LinuxCredentialProviderURL = fmt.Sprintf(
+					"https://packages.aks.azure.com/cloud-provider-azure/v%s/binaries/azure-acr-credential-provider-linux-amd64-v%s.tar.gz",
+					nbc.ContainerService.Properties.OrchestratorProfile.OrchestratorVersion,
+					nbc.ContainerService.Properties.OrchestratorProfile.OrchestratorVersion)
+				nbc.KubeletConfig["--image-credential-provider-config"] = "/var/lib/kubelet/credential-provider-config.yaml"
+				nbc.KubeletConfig["--image-credential-provider-bin-dir"] = "/var/lib/kubelet/credential-provider"
+				nbc.KubeletConfig["--pod-infra-container-image"] = "mcr.microsoft.com/oss/v2/kubernetes/pause:3.6"
+			},
+			VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
+				if vmss.Tags == nil {
+					vmss.Tags = map[string]*string{}
+				}
+				vmss.Tags["ShouldEnforceKubePMCInstall"] = to.Ptr("true")
+			},
+			Validator: func(ctx context.Context, s *Scenario) {
+				ValidateDirectoryContent(ctx, s, "/run", []string{"outbound-check-skipped"})
+			},
+		},
+	})
+}
+
 func Test_AzureLinux3OSGuard_PMC_Install(t *testing.T) {
 	RunScenario(t, &Scenario{
 		Description: "Tests that a node using an Azure Linux V3 OS Guard VHD and install kube pkgs from PMC can be properly bootstrapped",

parts/linux/cloud-init/artifacts/azlosguard/cse_install_osguard.sh

@@ -77,4 +77,9 @@ cleanUpGPUDrivers() {
     stub
 }
 
-#EOF
+installToolFromLocalRepo() {
+    stub
+    return 1
+}
+
+#EOF

parts/linux/cloud-init/artifacts/cse_config.sh

@@ -525,14 +525,22 @@ EOF
 }
 
 configureKubeletAndKubectl() {
-    # Install kubelet and kubectl binaries from URL for Network Isolated, Custom Kube binary, and Private Kube binary
-    if [ -n "${CUSTOM_KUBE_BINARY_DOWNLOAD_URL}" ] || [ -n "${PRIVATE_KUBE_BINARY_DOWNLOAD_URL}" ] || [ -n "${BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER}" ]; then
+    # Install kubelet and kubectl binaries from URL for Custom Kube binary and Private Kube binary
+    if [ -n "${CUSTOM_KUBE_BINARY_DOWNLOAD_URL}" ] || [ -n "${PRIVATE_KUBE_BINARY_DOWNLOAD_URL}" ]; then
         logs_to_events "AKS.CSE.configureKubeletAndKubectl.installKubeletKubectlFromURL" installKubeletKubectlFromURL
     # only install kube pkgs from pmc if k8s version >= 1.34.0 or skip_bypass_k8s_version_check is true
     elif [ "${SHOULD_ENFORCE_KUBE_PMC_INSTALL}" != "true" ] && ! semverCompare ${KUBERNETES_VERSION:-"0.0.0"} "1.34.0"; then
         logs_to_events "AKS.CSE.configureKubeletAndKubectl.installKubeletKubectlFromURL" installKubeletKubectlFromURL
     else
-        if isMarinerOrAzureLinux "$OS"; then
+        if [ -n "${BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER}" ] ; then
+            # For network isolated clusters, try distro packages first and fallback to binary installation
+            if ! logs_to_events "AKS.CSE.configureKubeletAndKubectl.installK8sToolsFromBootstrapProfileRegistry" "installK8sToolsFromBootstrapProfileRegistry ${BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER} ${KUBERNETES_VERSION}" && [ "${SHOULD_ENFORCE_KUBE_PMC_INSTALL}" != "true" ]; then
+                # SHOULD_ENFORCE_KUBE_PMC_INSTALL will only be set for e2e tests, which should not fallback to reflect result of package installation behavior
+                # TODO: remove SHOULD_ENFORCE_KUBE_PMC_INSTALL check when the test cluster supports > 1.34.0 case
+                # if install from bootstrap profile registry fails, fallback to install from URL
+                logs_to_events "AKS.CSE.configureKubeletAndKubectl.installKubeletKubectlFromURL-Fallback" installKubeletKubectlFromURL
+            fi
+        elif isMarinerOrAzureLinux "$OS"; then
             if [ "$OS_VERSION" = "2.0" ]; then
                 # we do not publish packages to PMC for azurelinux V2
                 logs_to_events "AKS.CSE.configureKubeletAndKubectl.installKubeletKubectlFromURL" installKubeletKubectlFromURL

parts/linux/cloud-init/artifacts/cse_helpers.sh

@@ -325,26 +325,37 @@ retrycmd_curl_file() {
     _retry_file_curl_internal "$curl_retries" "$wait_sleep" "$timeout" "$filepath" "$url" "$check_file_exists"
 }
 
-retrycmd_get_tarball_from_registry_with_oras() {
-    tar_retries=$1; wait_sleep=$2; tarball=$3; url=$4
-    tar_folder=$(dirname "$tarball")
-    echo "${tar_retries} retries"
-    for i in $(seq 1 $tar_retries); do
-        [ -f "$tarball" ] && tar -tzf "$tarball" && break || \
-        if [ "$i" -eq "$tar_retries" ]; then
+retrycmd_pull_from_registry_with_oras() {
+    pull_retries=$1; wait_sleep=$2; target_folder=$3; url=$4
+    shift 4  # Remove first 4 parameters, remaining parameters are extra oras flags
+    echo "${pull_retries} retries"
+    for i in $(seq 1 $pull_retries); do
+        if [ "$i" -eq "$pull_retries" ]; then
             return 1
+        fi
+        if [ "$i" -gt 1 ]; then
+            sleep $wait_sleep
+        fi
+        timeout 60 oras pull "$url" -o "$target_folder" --registry-config "${ORAS_REGISTRY_CONFIG_FILE}" "$@" > $ORAS_OUTPUT 2>&1
+        if [ "$?" -eq 0 ]; then
+            return 0
         else
-            if [ "$i" -gt 1 ]; then
-                sleep $wait_sleep
-            fi
-            timeout 60 oras pull $url -o $tar_folder --registry-config ${ORAS_REGISTRY_CONFIG_FILE} > $ORAS_OUTPUT 2>&1
-            if [ "$?" -ne 0 ]; then
-                cat $ORAS_OUTPUT
-            fi
+            cat $ORAS_OUTPUT
         fi
     done
 }
 
+retrycmd_get_tarball_from_registry_with_oras() {
+    tar_retries=$1; wait_sleep=$2; tarball=$3; url=$4
+    if [ -f "$tarball" ] && tar -tzf "$tarball" > /dev/null 2>&1; then
+        # skip if tarball exists and is valid
+        return 0
+    fi
+
+    tar_folder=$(dirname "$tarball")
+    retrycmd_pull_from_registry_with_oras "$tar_retries" "$wait_sleep" "$tar_folder" "$url"
+}
+
 retrycmd_cp_oci_layout_with_oras() {
     retries=$1; wait_sleep=$2; path=$3; tag=$4; url=$5
     mkdir -p "$path"
@@ -1197,6 +1208,12 @@ extract_tarball() {
     esac
 }
 
+# Returns a list of Kubernetes tool names that need to be installed
+# Usage: for tool in $(get_kubernetes_tools); do ... done
+get_kubernetes_tools() {
+    echo "kubelet kubectl"
+}
+
 function get_sandbox_image(){
     sandbox_image=$(get_sandbox_image_from_containerd_config "/etc/containerd/config.toml")
     if [ -z "$sandbox_image" ]; then

parts/linux/cloud-init/artifacts/cse_install.sh

@@ -526,6 +526,46 @@ extractKubeBinaries() {
     extractKubeBinariesToUsrLocalBin "${k8s_tgz_tmp}" "${k8s_version}" "${is_private_url}"
 }
 
+installK8sToolsFromBootstrapProfileRegistry() {
+    local registry_server=$1
+    local kubernetes_version=$2
+
+    # Try to pull distro-specific packages (e.g., .deb for Ubuntu) from registry
+    local download_root="/tmp/kubernetes/downloads" # /opt folder will return permission error
+
+    for tool_name in $(get_kubernetes_tools); do
+        tool_package_url="${registry_server}/aks/packages/kubernetes/${tool_name}:v${kubernetes_version}"
+        tool_download_dir="${download_root}/${tool_name}"
+        mkdir -p "${tool_download_dir}"
+
+        # Construct platform string for ORAS pull
+        os_version=$(getOsVersion) || return 1 # Platform-specific OS version detection
+        platform_flag="--platform=linux/${CPU_ARCH}:${OS,,} ${os_version}"
+
+        echo "Attempting to pull ${tool_name} package from ${tool_package_url} with platform ${platform_flag}"
+        # retrycmd_pull_from_registry_with_oras will pull all artifacts to the directory with platform selection
+        if ! retrycmd_pull_from_registry_with_oras 10 5 "${tool_download_dir}" "${tool_package_url}" "${platform_flag}"; then
+            echo "Failed to pull ${tool_name} package from registry"
+            rm -rf "${tool_download_dir}"
+            return 1
+        fi
+
+        echo "Successfully pulled ${tool_name} package"
+
+        # Try to install using distro-specific package installer from local repo
+        installation_root="/usr/local/bin"
+        if ! installToolFromLocalRepo "${tool_name}" "${tool_download_dir}" "${installation_root}"; then
+            echo "Failed to install ${tool_name} from local repo ${tool_download_dir}"
+            rm -rf "${tool_download_dir}"
+            return 1
+        fi
+    done
+
+    # All tools installed successfully
+    rm -rf "${download_root}"
+    return 0
+}
+
 installKubeletKubectlFromURL() {
     # when both, custom and private urls for kubernetes packages are set, custom url will be used and private url will be ignored
     CUSTOM_KUBE_BINARY_DOWNLOAD_URL="${CUSTOM_KUBE_BINARY_URL:=}"

parts/linux/cloud-init/artifacts/flatcar/cse_install_flatcar.sh

@@ -32,4 +32,14 @@ cleanUpGPUDrivers() {
     rm -Rf $GPU_DEST /opt/gpu
 }
 
+installToolFromLocalRepo() {
+    stub
+    return 1
+}
+
+getOsVersion() {
+    stub
+    return 1
+}
+
 #EOF

parts/linux/cloud-init/artifacts/mariner/cse_install_mariner.sh

@@ -175,6 +175,16 @@ installKubeletKubectlPkgFromPMC() {
     installRPMPackageFromFile "kubectl" $desiredVersion || exit $ERR_KUBECTL_INSTALL_FAIL
 }
 
+installToolFromLocalRepo() {
+    echo "installToolFromLocalRepo is not yet implemented for Mariner"
+    return 1
+}
+
+getOsVersion() {
+    echo "getOsVersion is not yet implemented for Mariner"
+    return 1
+}
+
 updateDnfWithNvidiaPkg() {
   if [ "$OS_VERSION" != "3.0" ]; then
     echo "NVIDIA repo setup is only supported on Azure Linux 3.0"

parts/linux/cloud-init/artifacts/ubuntu/cse_helpers_ubuntu.sh

@@ -21,15 +21,18 @@ wait_for_apt_locks() {
         sleep 3
     done
 }
-apt_get_update() {
-    retries=10
-    apt_update_output=/tmp/apt-get-update.out
+# Core update function used by apt_get_update and apt_get_install_from_local_repo
+_apt_get_update() {
+    local retries=$1
+    local apt_opts=$2
+    local apt_update_output=/tmp/apt-get-update.out
+
     for i in $(seq 1 $retries); do
         wait_for_apt_locks
         export DEBIAN_FRONTEND=noninteractive
         dpkg --configure -a --force-confdef
-        apt-get -f -y install
-        ! (apt-get update 2>&1 | tee $apt_update_output | grep -E "^([WE]:.*)|^([Ee][Rr][Rr][Oo][Rr].*)$") && \
+        apt-get ${apt_opts} -f -y install
+        ! (apt-get ${apt_opts} update 2>&1 | tee $apt_update_output | grep -E "^([WE]:.*)|^([Ee][Rr][Rr][Oo][Rr].*)$") && \
         cat $apt_update_output && break || \
         cat $apt_update_output
         if [ $i -eq $retries ]; then
@@ -40,22 +43,37 @@ apt_get_update() {
     echo Executed apt-get update $i times
     wait_for_apt_locks
 }
-apt_get_install() {
-    retries=$1; wait_sleep=$2; timeout=$3; shift && shift && shift
+apt_get_update() {
+    _apt_get_update 10 ""
+}
+_apt_get_install() {
+    local retries=$1
+    local wait_sleep=$2
+    local apt_opts=$3
+    shift && shift && shift
+
     for i in $(seq 1 $retries); do
         wait_for_apt_locks
         export DEBIAN_FRONTEND=noninteractive
         dpkg --configure -a --force-confdef
-        apt-get install -o Dpkg::Options::="--force-confold" --no-install-recommends -y ${@} && break || \
+
+        if apt-get install ${apt_opts} -o Dpkg::Options::="--force-confold" --no-install-recommends "${@}"; then
+            echo "Executed apt-get install \"${packages[@]}\" $i times"
+            wait_for_apt_locks
+            return 0
+        fi
+
         if [ $i -eq $retries ]; then
             return 1
         else
             sleep $wait_sleep
             apt_get_update
         fi
     done
-    echo Executed apt-get install --no-install-recommends -y \"$@\" $i times;
-    wait_for_apt_locks
+}
+apt_get_install() {
+    retries=$1; wait_sleep=$2; timeout=$3; shift && shift && shift
+    _apt_get_install $retries $wait_sleep "-y" "$@"
 }
 apt_get_purge() {
     retries=$1; wait_sleep=$2; timeout=$3; shift && shift && shift
@@ -101,4 +119,65 @@ installDebPackageFromFile() {
         return 1
     fi
 }
+
+apt_get_install_from_local_repo() {
+    local local_repo_dir=$1
+    local package_name=$2
+    local installation_root=$3
+
+    # Convert to absolute path
+    local_repo_dir=$(realpath "${local_repo_dir}")
+
+    if [ ! -d "${local_repo_dir}" ]; then
+        echo "Local repo directory ${local_repo_dir} does not exist"
+        return 1
+    fi
+
+    # Check if Packages.gz exists in the repo
+    if [ ! -f "${local_repo_dir}/Packages.gz" ]; then
+        echo "Packages.gz not found in ${local_repo_dir}"
+        return 1
+    fi
+
+    wait_for_apt_locks
+
+    local tmp_list=$(mktemp)
+    local tmp_dir=$(mktemp -d)
+
+    # Create temporary sources.list pointing to local repo
+    printf 'deb [trusted=yes] file:%s ./\n' "${local_repo_dir}" > "${tmp_list}"
+
+    local opts="-o Dir::Etc::sourcelist=${tmp_list} -o Dir::Etc::sourceparts=${tmp_dir}"
+
+    # Update apt cache with local repo using core update function
+    if ! _apt_get_update 10 "${opts}"; then
+        echo "Failed to update apt cache from local repo ${local_repo_dir}"
+        rm -f "${tmp_list}"
+        rmdir "${tmp_dir}"
+        return 1
+    fi
+
+    # Install package from local repo using core installation function
+    local retries=10
+    local wait_sleep=5
+    if ! _apt_get_install $retries $wait_sleep "${opts}" "${package_name}"; then
+        echo "Failed to install ${package_name} from local repo"
+        rm -f "${tmp_list}"
+        rmdir "${tmp_dir}"
+        return 1
+    fi
+
+    # Cleanup
+    rm -f "${tmp_list}"
+    rmdir "${tmp_dir}"
+
+    # If installation_root is specified, copy binaries to that location
+    if [ -n "${installation_root}" ]; then
+        echo "Copying binaries ${package_name} to ${installation_root}"
+        mkdir -p "${installation_root}"
+        mv "/usr/bin/${package_name}" "/usr/local/bin/${package_name}"
+    fi
+
+    return 0
+}
 #EOF