feat: add patch-only version matching for ANC hotfix download #8355
Merged
Pull request overview
This PR adds a new toggle-driven mechanism to pass an AKS Node Controller (ANC) hotfix version into Linux cloud-init, so nodes can self-update ANC to a specified version when a post-release hotfix is required.
Changes:
- Extend the `Toggles` interface with `GetANCHotfixVersion` and plumb its value into `NodeBootstrappingConfiguration`.
- Expose `ANCHotfixVersion` to the cloud-init template function map and emit a JSON config file via `write_files` when set.
- Add unit tests to validate presence/absence of the hotfix config in rendered customData.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| pkg/agent/toggles/types.go | Adds a new toggle method GetANCHotfixVersion with a default no-op implementation. |
| pkg/agent/datamodel/types.go | Introduces NodeBootstrappingConfiguration.ANCHotfixVersion with JSON serialization. |
| pkg/agent/bakerapi.go | Resolves the ANC hotfix version from toggles prior to template rendering. |
| pkg/agent/baker.go | Exposes ANCHotfixVersion to template rendering via GetANCHotfixVersion. |
| parts/linux/cloud-init/nodecustomdata.yml | Conditionally writes /opt/azure/containers/aks-node-controller-hotfix.json when a hotfix version is set. |
| pkg/agent/bakerapi_test.go | Adds tests and a helper to decode customData for validating the rendered cloud-init content. |
Replace simple Version == hotfixVersion check in downloadHotfix with shouldUpgradeToHotfix using Masterminds/semver: only upgrade when same YYYYMM.DD base and hotfix has strictly higher PATCH. Parse errors (e.g. 'dev' builds) skip.

- Add versioncmp.go with shouldUpgradeToHotfix (uses semver.NewVersion)
- Add versioncmp_test.go with 18 upgrade test cases
- Update hotfix_test.go with patch-version test data and new tests: DifferentBaseSkips, DevVersionSkips, MatchingBaseUpgrades
- Update app_test.go to use YYYYMM.DD.PATCH format
- Promote Masterminds/semver/v3 from indirect to direct dependency

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
awesomenix
approved these changes
Apr 24, 2026
lilypan26
approved these changes
Apr 24, 2026
Collaborator
Author
aclarm64tlgen2 build failed likely because of current eastus2 outage. Also seen in other pipelines. Will skip this build and merge.
Summary
Replace the simple `Version == hotfixVersion` equality check in `downloadHotfix` with patch-only version matching using `Masterminds/semver`. The hotfix only targets the specific VHD it was built for — matching on the same `YYYYMM.DD` base with a strictly higher `PATCH`.

What changed
- `hotfix.go`: Replace `Version == hotfixVersion` with `shouldUpgradeToHotfix()` using `semver.NewVersion` to parse and compare Major/Minor/Patch segments
- `hotfix_test.go`: Add `DifferentBaseSkips`, `DevVersionSkips`, `MatchingBaseUpgrades` tests; update existing tests to use `YYYYMM.DD.PATCH` format
- `app_test.go`: Update `download-hotfix` test to use `YYYYMM.DD.PATCH` format
- `go.mod`: Promote `Masterminds/semver/v3` from indirect to direct dependency

How patch-only matching works
`shouldUpgradeToHotfix(current, hotfix)` returns `true` only when:

Examples:
- `202604.01.0` → `202604.01.1` ✅ upgrade (same base, higher patch)
- `202603.15.0` → `202604.01.1` ❌ skip (different base, older VHD)
- `202605.01.0` → `202604.01.1` ❌ skip (different base, newer VHD)
- `202604.01.1` → `202604.01.1` ❌ skip (already at hotfix)
- `dev` → `202604.01.1` ❌ skip (parse error)

Why
The previous approach (`Version == hotfixVersion`) would skip the download if versions matched but had no protection against applying a hotfix to the wrong VHD. With patch-only matching:

Dependencies
Built on top of #8397 (urfave/cli refactor + `download-hotfix` command).
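
The patch-only rule from the summary above, as an added example that is not the PR's code: it parses `YYYYMM.DD.PATCH` with the Go standard library instead of `Masterminds/semver`, and fails closed (no upgrade) on any parse error. The names `parseVHDVersion` and `patchOnlyUpgrade` are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseVHDVersion splits "YYYYMM.DD.PATCH" into three unsigned integers.
// Assumption: exactly three dot-separated decimal segments; anything else
// (for example a "dev" build string) is a parse error.
func parseVHDVersion(v string) ([3]uint64, error) {
	var out [3]uint64
	parts := strings.Split(strings.TrimSpace(v), ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("want 3 segments, got %d in %q", len(parts), v)
	}
	for i, p := range parts {
		// ParseUint rejects signs, empty segments and non-digits.
		n, err := strconv.ParseUint(p, 10, 64)
		if err != nil {
			return out, fmt.Errorf("segment %d of %q: %w", i, v, err)
		}
		out[i] = n
	}
	return out, nil
}

// patchOnlyUpgrade reports whether hotfix should replace current: the
// YYYYMM and DD segments must be equal and the hotfix PATCH strictly higher.
// Any parse failure on either side returns false, so an unparseable version
// never triggers a download.
func patchOnlyUpgrade(current, hotfix string) bool {
	cur, err := parseVHDVersion(current)
	if err != nil {
		return false
	}
	hf, err := parseVHDVersion(hotfix)
	if err != nil {
		return false
	}
	return cur[0] == hf[0] && cur[1] == hf[1] && hf[2] > cur[2]
}

func main() {
	// Inputs taken from the examples listed in the PR summary.
	for _, c := range []string{"202604.01.0", "202603.15.0", "202605.01.0", "202604.01.1", "dev"} {
		fmt.Printf("%-12s -> 202604.01.1 upgrade=%v\n", c, patchOnlyUpgrade(c, "202604.01.1"))
	}
}
```
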