test: refactor network isolated cluster e2e (#7885)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: fseldow

e2e/aks_model.go

@@ -471,21 +471,49 @@ func addFirewallRules(
 	return nil
 }
 
-func addAirgapNetworkSettings(ctx context.Context, clusterModel *armcontainerservice.ManagedCluster, privateACRName, location string) error {
-	toolkit.Logf(ctx, "Adding network settings for airgap cluster %s in rg %s", *clusterModel.Name, *clusterModel.Properties.NodeResourceGroup)
+func addPrivateAzureContainerRegistry(ctx context.Context, cluster *armcontainerservice.ManagedCluster, kube *Kubeclient, resourceGroupName string, kubeletIdentity *armcontainerservice.UserAssignedIdentity, isNonAnonymousPull bool) error {
+	if cluster == nil || kube == nil || kubeletIdentity == nil {
+		return errors.New("cluster, kubeclient, and kubeletIdentity cannot be nil when adding Private Azure Container Registry")
+	}
+	if err := createPrivateAzureContainerRegistry(ctx, cluster, resourceGroupName, isNonAnonymousPull); err != nil {
+		return fmt.Errorf("failed to create private acr: %w", err)
+	}
+
+	if err := createPrivateAzureContainerRegistryPullSecret(ctx, cluster, kube, resourceGroupName, isNonAnonymousPull); err != nil {
+		return fmt.Errorf("create private acr pull secret: %w", err)
+	}
+	vnet, err := getClusterVNet(ctx, *cluster.Properties.NodeResourceGroup)
+	if err != nil {
+		return err
+	}
+
+	err = addPrivateEndpointForACR(ctx, *cluster.Properties.NodeResourceGroup, config.GetPrivateACRName(isNonAnonymousPull, *cluster.Location), vnet, *cluster.Location)
+	if err != nil {
+		return err
+	}
+
+	if err := assignACRPullToIdentity(ctx, config.GetPrivateACRName(isNonAnonymousPull, *cluster.Location), *kubeletIdentity.ObjectID, *cluster.Location); err != nil {
+		return fmt.Errorf("assigning acr pull permissions to kubelet identity: %w", err)
+	}
+
+	return nil
+}
+
+func addNetworkIsolatedSettings(ctx context.Context, clusterModel *armcontainerservice.ManagedCluster, location string) error {
+	defer toolkit.LogStepCtx(ctx, fmt.Sprintf("Adding network settings for network isolated cluster %s in rg %s", *clusterModel.Name, *clusterModel.Properties.NodeResourceGroup))
 
 	vnet, err := getClusterVNet(ctx, *clusterModel.Properties.NodeResourceGroup)
 	if err != nil {
 		return err
 	}
 	subnetId := vnet.subnetId
 
-	nsgParams, err := airGapSecurityGroup(location, *clusterModel.Properties.Fqdn)
+	nsgParams, err := networkIsolatedSecurityGroup(location, *clusterModel.Properties.Fqdn)
 	if err != nil {
 		return err
 	}
 
-	nsg, err := createAirgapSecurityGroup(ctx, clusterModel, nsgParams, nil)
+	nsg, err := createNetworkIsolatedSecurityGroup(ctx, clusterModel, nsgParams, nil)
 	if err != nil {
 		return err
 	}
@@ -503,19 +531,14 @@ func addAirgapNetworkSettings(ctx context.Context, clusterModel *armcontainerser
 		return err
 	}
 
-	err = addPrivateEndpointForACR(ctx, *clusterModel.Properties.NodeResourceGroup, privateACRName, vnet, location)
-	if err != nil {
-		return err
-	}
-
-	toolkit.Logf(ctx, "updated cluster %s subnet with airgap settings", *clusterModel.Name)
+	toolkit.Logf(ctx, "updated cluster %s subnet with network isolated cluster settings", *clusterModel.Name)
 	return nil
 }
 
-func airGapSecurityGroup(location, clusterFQDN string) (armnetwork.SecurityGroup, error) {
+func networkIsolatedSecurityGroup(location, clusterFQDN string) (armnetwork.SecurityGroup, error) {
 	requiredRules, err := getRequiredSecurityRules(clusterFQDN)
 	if err != nil {
-		return armnetwork.SecurityGroup{}, fmt.Errorf("failed to get required security rules for airgap resource group: %w", err)
+		return armnetwork.SecurityGroup{}, fmt.Errorf("failed to get required security rules for network isolated resource group: %w", err)
 	}
 
 	allowVnet := &armnetwork.SecurityRule{
@@ -550,7 +573,7 @@ func airGapSecurityGroup(location, clusterFQDN string) (armnetwork.SecurityGroup
 
 	return armnetwork.SecurityGroup{
 		Location:   &location,
-		Name:       &config.Config.AirgapNSGName,
+		Name:       &config.Config.NetworkIsolatedNSGName,
 		Properties: &armnetwork.SecurityGroupPropertiesFormat{SecurityRules: rules},
 	}, nil
 }
@@ -559,7 +582,7 @@ func addPrivateEndpointForACR(ctx context.Context, nodeResourceGroup, privateACR
 	toolkit.Logf(ctx, "Checking if private endpoint for private container registry is in rg %s", nodeResourceGroup)
 	var err error
 	var privateEndpoint *armnetwork.PrivateEndpoint
-	privateEndpointName := "PE-for-ABE2ETests"
+	privateEndpointName := fmt.Sprintf("PE-for-%s", privateACRName)
 	if privateEndpoint, err = createPrivateEndpoint(ctx, nodeResourceGroup, privateEndpointName, privateACRName, vnet, location); err != nil {
 		return err
 	}
@@ -718,7 +741,7 @@ func deletePrivateAzureContainerRegistry(ctx context.Context, resourceGroup, pri
 	return nil
 }
 
-// if the ACR needs to be recreated so does the airgap k8s cluster
+// if the ACR needs to be recreated so does the network isolated k8s cluster
 func shouldRecreateACR(ctx context.Context, resourceGroup, privateACRName string) (error, bool) {
 	toolkit.Logf(ctx, "Checking if private Azure Container Registry cache rules are correct in rg %s", resourceGroup)
 
@@ -1010,8 +1033,8 @@ func getSecurityRule(name, destinationAddressPrefix string, priority int32) *arm
 	}
 }
 
-func createAirgapSecurityGroup(ctx context.Context, cluster *armcontainerservice.ManagedCluster, nsgParams armnetwork.SecurityGroup, options *armnetwork.SecurityGroupsClientBeginCreateOrUpdateOptions) (*armnetwork.SecurityGroupsClientCreateOrUpdateResponse, error) {
-	poller, err := config.Azure.SecurityGroup.BeginCreateOrUpdate(ctx, *cluster.Properties.NodeResourceGroup, config.Config.AirgapNSGName, nsgParams, options)
+func createNetworkIsolatedSecurityGroup(ctx context.Context, cluster *armcontainerservice.ManagedCluster, nsgParams armnetwork.SecurityGroup, options *armnetwork.SecurityGroupsClientBeginCreateOrUpdateOptions) (*armnetwork.SecurityGroupsClientCreateOrUpdateResponse, error) {
+	poller, err := config.Azure.SecurityGroup.BeginCreateOrUpdate(ctx, *cluster.Properties.NodeResourceGroup, config.Config.NetworkIsolatedNSGName, nsgParams, options)
 	if err != nil {
 		return nil, err
 	}

e2e/cache.go

@@ -160,25 +160,25 @@ func clusterKubenet(ctx context.Context, request ClusterRequest) (*Cluster, erro
 	return prepareCluster(ctx, getKubenetClusterModel("abe2e-kubenet-v4", request.Location, request.K8sSystemPoolSKU), false, false)
 }
 
-var ClusterKubenetAirgap = cachedFunc(clusterKubenetAirgap)
+var ClusterAzureNetwork = cachedFunc(clusterAzureNetwork)
 
-// clusterKubenetAirgap creates an airgapped kubenet cluster (no internet access)
-func clusterKubenetAirgap(ctx context.Context, request ClusterRequest) (*Cluster, error) {
-	return prepareCluster(ctx, getKubenetClusterModel("abe2e-kubenet-airgap-v3", request.Location, request.K8sSystemPoolSKU), true, false)
+// clusterAzureNetwork creates a cluster with Azure CNI networking
+func clusterAzureNetwork(ctx context.Context, request ClusterRequest) (*Cluster, error) {
+	return prepareCluster(ctx, getAzureNetworkClusterModel("abe2e-azure-network-v3", request.Location, request.K8sSystemPoolSKU), false, false)
 }
 
-var ClusterKubenetAirgapNonAnon = cachedFunc(clusterKubenetAirgapNonAnon)
+var ClusterAzureBootstrapProfileCache = cachedFunc(clusterAzureBootstrapProfileCache)
 
-// clusterKubenetAirgapNonAnon creates an airgapped kubenet cluster with non-anonymous image pulls
-func clusterKubenetAirgapNonAnon(ctx context.Context, request ClusterRequest) (*Cluster, error) {
-	return prepareCluster(ctx, getKubenetClusterModel("abe2e-kubenet-nonanonpull-airgap-v3", request.Location, request.K8sSystemPoolSKU), true, true)
+// clusterAzureBootstrapProfileCache creates a cluster with bootstrap profile cache but without network isolation
+func clusterAzureBootstrapProfileCache(ctx context.Context, request ClusterRequest) (*Cluster, error) {
+	return prepareCluster(ctx, getAzureNetworkClusterModel("abe2e-azure-bootstrapprofile-cache-v1", request.Location, request.K8sSystemPoolSKU), false, true)
 }
 
-var ClusterAzureNetwork = cachedFunc(clusterAzureNetwork)
+var ClusterAzureNetworkIsolated = cachedFunc(clusterAzureNetworkIsolated)
 
-// clusterAzureNetwork creates a cluster with Azure CNI networking
-func clusterAzureNetwork(ctx context.Context, request ClusterRequest) (*Cluster, error) {
-	return prepareCluster(ctx, getAzureNetworkClusterModel("abe2e-azure-network-v3", request.Location, request.K8sSystemPoolSKU), false, false)
+// clusterAzureNetworkIsolated creates a networkisolated Azure network cluster (no internet access)
+func clusterAzureNetworkIsolated(ctx context.Context, request ClusterRequest) (*Cluster, error) {
+	return prepareCluster(ctx, getAzureNetworkClusterModel("abe2e-azure-networkisolated-v1", request.Location, request.K8sSystemPoolSKU), true, false)
 }
 
 var ClusterAzureOverlayNetwork = cachedFunc(clusterAzureOverlayNetwork)

e2e/cluster.go

@@ -59,7 +59,7 @@ func (c *Cluster) MaxPodsPerNode() (int, error) {
 	return 0, fmt.Errorf("cluster agentpool profiles were nil or empty: %+v", c.Model)
 }
 
-func prepareCluster(ctx context.Context, cluster *armcontainerservice.ManagedCluster, isAirgap, isNonAnonymousPull bool) (*Cluster, error) {
+func prepareCluster(ctx context.Context, cluster *armcontainerservice.ManagedCluster, isNetworkIsolated, attachPrivateAcr bool) (*Cluster, error) {
 	defer toolkit.LogStepCtx(ctx, "preparing cluster")()
 	ctx, cancel := context.WithTimeout(ctx, config.Config.TestTimeoutCluster)
 	defer cancel()
@@ -91,38 +91,32 @@ func prepareCluster(ctx context.Context, cluster *armcontainerservice.ManagedClu
 		return nil, fmt.Errorf("get kube client using cluster %q: %w", *cluster.Name, err)
 	}
 
-	toolkit.Logf(ctx, "using private acr %q isNonAnonymousPull %v", config.GetPrivateACRName(isNonAnonymousPull, *cluster.Location), isNonAnonymousPull)
-	if isAirgap {
-		// private acr must be created before we add the debug daemonsets
-		if err := createPrivateAzureContainerRegistry(ctx, cluster, resourceGroupName, isNonAnonymousPull); err != nil {
-			return nil, fmt.Errorf("failed to create private acr: %w", err)
-		}
-
-		if err := createPrivateAzureContainerRegistryPullSecret(ctx, cluster, kube, resourceGroupName, isNonAnonymousPull); err != nil {
-			return nil, fmt.Errorf("create private acr pull secret: %w", err)
-		}
-
-		if err := addAirgapNetworkSettings(ctx, cluster, config.GetPrivateACRName(isNonAnonymousPull, *cluster.Location), *cluster.Location); err != nil {
-			return nil, fmt.Errorf("add airgap network settings: %w", err)
-		}
-	}
-
-	if err := addFirewallRules(ctx, cluster, *cluster.Location); err != nil {
-		return nil, fmt.Errorf("add firewall rules: %w", err)
-	}
-
 	kubeletIdentity, err := getClusterKubeletIdentity(cluster)
 	if err != nil {
 		return nil, fmt.Errorf("getting cluster kubelet identity: %w", err)
 	}
 
-	if isNonAnonymousPull {
-		if err := assignACRPullToIdentity(ctx, config.GetPrivateACRName(isNonAnonymousPull, *cluster.Location), *kubeletIdentity.ObjectID, *cluster.Location); err != nil {
-			return nil, fmt.Errorf("assigning acr pull permissions to kubelet identity: %w", err)
+	if isNetworkIsolated || attachPrivateAcr {
+		// private acr must be created before we add the debug daemonsets
+		if err := addPrivateAzureContainerRegistry(ctx, cluster, kube, resourceGroupName, kubeletIdentity, true); err != nil {
+			return nil, fmt.Errorf("add private azure container registry (true): %w", err)
+		}
+		if err := addPrivateAzureContainerRegistry(ctx, cluster, kube, resourceGroupName, kubeletIdentity, false); err != nil {
+			return nil, fmt.Errorf("add private azure container registry (false): %w", err)
+		}
+	}
+	if isNetworkIsolated {
+		if err := addNetworkIsolatedSettings(ctx, cluster, *cluster.Location); err != nil {
+			return nil, fmt.Errorf("add network isolated settings: %w", err)
+		}
+	}
+	if !isNetworkIsolated { // network isolated cluster blocks all egress via NSG
+		if err := addFirewallRules(ctx, cluster, *cluster.Location); err != nil {
+			return nil, fmt.Errorf("add firewall rules: %w", err)
 		}
 	}
 
-	if err := kube.EnsureDebugDaemonsets(ctx, isAirgap, config.GetPrivateACRName(isNonAnonymousPull, *cluster.Location)); err != nil {
+	if err := kube.EnsureDebugDaemonsets(ctx, isNetworkIsolated, config.GetPrivateACRName(true, *cluster.Location)); err != nil {
 		return nil, fmt.Errorf("ensure debug daemonsets for %q: %w", *cluster.Name, err)
 	}
 

e2e/config/config.go

@@ -37,19 +37,18 @@ func ResourceGroupName(location string) string {
 }
 
 func PrivateACRNameNotAnon(location string) string {
-	return "e2eprivateacrnonanon" + location // will have anonymous pull enabled
+	return "abe2eprivatenonanon" + location // will have anonymous pull enabled
 }
 
 func PrivateACRName(location string) string {
-	return "e2eprivateacr" + location // will not have anonymous pull enabled
+	return "abe2eprivate" + location // will not have anonymous pull enabled
 }
 
 type Configuration struct {
 	// The defaults should only be used when running tests locally, as the CI will set these env vars.
 	// We have separate Linux and Windows consts to have different defaults - they use the same env vars.
 	ACRSecretName                          string        `env:"ACR_SECRET_NAME" envDefault:"acr-secret-code2"`
-	AirgapNSGName                          string        `env:"AIRGAP_NSG_NAME" envDefault:"abe2e-airgap-securityGroup"`
-	AzureContainerRegistrytargetRepository string        `env:"ACR_TARGET_REPOSITORY" envDefault:"*"`
+	AzureContainerRegistrytargetRepository string        `env:"ACR_TARGET_REPOSITORY" envDefault:"aks-managed-repository/*"`
 	BlobContainer                          string        `env:"BLOB_CONTAINER" envDefault:"abe2e"`
 	BlobStorageAccountPrefix               string        `env:"BLOB_STORAGE_ACCOUNT_PREFIX" envDefault:"abe2e"`
 	BuildID                                string        `env:"BUILD_ID" envDefault:"local"`
@@ -67,6 +66,7 @@ type Configuration struct {
 	GallerySubscriptionIDWindows           string        `env:"GALLERY_SUBSCRIPTION_ID" envDefault:"c4c3550e-a965-4993-a50c-628fd38cd3e1"`
 	IgnoreScenariosWithMissingVHD          bool          `env:"IGNORE_SCENARIOS_WITH_MISSING_VHD"`
 	KeepVMSS                               bool          `env:"KEEP_VMSS"`
+	NetworkIsolatedNSGName                 string        `env:"NETWORK_ISOLATED_NSG_NAME" envDefault:"abe2e-networkisolated-securityGroup"`
 	SIGVersionTagName                      string        `env:"SIG_VERSION_TAG_NAME" envDefault:"branch"`
 	SIGVersionTagValue                     string        `env:"SIG_VERSION_TAG_VALUE" envDefault:"refs/heads/main"`
 	SkipTestsWithSKUCapacityIssue          bool          `env:"SKIP_TESTS_WITH_SKU_CAPACITY_ISSUE"`

e2e/config/vhd.go

@@ -154,7 +154,7 @@ var (
 	}
 
 	// without kubelet, kubectl, credential-provider and wasm
-	VHDUbuntu2204Gen2ContainerdAirgappedK8sNotCached = &Image{
+	VHDUbuntu2204Gen2ContainerdNetworkIsolatedK8sNotCached = &Image{
 		Name:                "2204Gen2",
 		OS:                  OSUbuntu,
 		Arch:                "amd64",

e2e/kube.go

@@ -293,14 +293,14 @@ func getClusterKubeconfigBytes(ctx context.Context, resourceGroupName, clusterNa
 }
 
 // this is a bit ugly, but we don't want to execute this piece concurrently with other tests
-func (k *Kubeclient) EnsureDebugDaemonsets(ctx context.Context, isAirgap bool, privateACRName string) error {
-	ds := daemonsetDebug(ctx, hostNetworkDebugAppLabel, "nodepool1", privateACRName, true, isAirgap)
+func (k *Kubeclient) EnsureDebugDaemonsets(ctx context.Context, isNetworkIsolated bool, privateACRName string) error {
+	ds := daemonsetDebug(ctx, hostNetworkDebugAppLabel, "nodepool1", privateACRName, true, isNetworkIsolated)
 	err := k.CreateDaemonset(ctx, ds)
 	if err != nil {
 		return err
 	}
 
-	nonHostDS := daemonsetDebug(ctx, podNetworkDebugAppLabel, "nodepool2", privateACRName, false, isAirgap)
+	nonHostDS := daemonsetDebug(ctx, podNetworkDebugAppLabel, "nodepool2", privateACRName, false, isNetworkIsolated)
 	err = k.CreateDaemonset(ctx, nonHostDS)
 	if err != nil {
 		return err
@@ -358,11 +358,11 @@ func (k *Kubeclient) createKubernetesSecret(ctx context.Context, namespace, secr
 	return nil
 }
 
-func daemonsetDebug(ctx context.Context, deploymentName, targetNodeLabel, privateACRName string, isHostNetwork, isAirgap bool) *appsv1.DaemonSet {
+func daemonsetDebug(ctx context.Context, deploymentName, targetNodeLabel, privateACRName string, isHostNetwork, isNetworkIsolated bool) *appsv1.DaemonSet {
 	image := "mcr.microsoft.com/cbl-mariner/base/core:2.0"
 	secretName := ""
-	if isAirgap {
-		image = fmt.Sprintf("%s.azurecr.io/cbl-mariner/base/core:2.0", privateACRName)
+	if isNetworkIsolated {
+		image = fmt.Sprintf("%s.azurecr.io/aks-managed-repository/cbl-mariner/base/core:2.0", privateACRName)
 		secretName = config.Config.ACRSecretName
 	}
 	toolkit.Logf(ctx, "Creating daemonset %s with image %s", deploymentName, image)