move network configuration to NodePrep phase

r2k1 · r2k1 · commit e5b51b259cf4 · 2025-11-04T20:59:03.000+13:00
fix network configuration for VHD caching
diff --git a/e2e/scenario_test.go b/e2e/scenario_test.go
@@ -2195,14 +2195,17 @@ func Test_Ubuntu2404_VHDCaching(t *testing.T) {
 	RunScenario(t, &Scenario{
 		Description: "T",
 		Config: Config{
-			Cluster:    ClusterKubenet,
-			VHD:        config.VHDUbuntu2204Gen2Containerd,
-			VHDCaching: true,
-			BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
-			},
+			Cluster:                ClusterKubenet,
+			VHD:                    config.VHDUbuntu2204Gen2Containerd,
+			VHDCaching:             true,
+			BootstrapConfigMutator: EmptyBootstrapConfigMutator,
 			Validator: func(ctx context.Context, s *Scenario) {
 			},
 			VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
+				// If the VHD is misconfigured (e.g. incorrect network settings), deploying multiple instances may cause conflicts.
+				// This validation can be unreliable and may not catch issues on every run, as the current framework creates only a single VM per test.
+				// False positives are more likely than false negatives in this scenario.
+				vmss.SKU.Capacity = to.Ptr[int64](2)
 			},
 		},
 	})
diff --git a/e2e/scenario_win_test.go b/e2e/scenario_win_test.go
@@ -346,10 +346,15 @@ func Test_Windows2022_VHDCaching(t *testing.T) {
 	RunScenario(t, &Scenario{
 		Description: "VHD Caching",
 		Config: Config{
-			Cluster:                ClusterAzureNetwork,
-			VHD:                    config.VHDWindows2022Containerd, // gen1 is default for windows 2022
-			VHDCaching:             true,
-			VMConfigMutator:        EmptyVMConfigMutator,
+			Cluster:    ClusterAzureNetwork,
+			VHD:        config.VHDWindows2022Containerd, // gen1 is default for windows 2022
+			VHDCaching: true,
+			VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
+				// If the VHD is misconfigured (e.g. incorrect network settings), deploying multiple instances may cause conflicts.
+				// This validation can be unreliable and may not catch issues on every run, as the current framework creates only a single VM per test.
+				// False positives are more likely than false negatives in this scenario.
+				vmss.SKU.Capacity = to.Ptr[int64](2)
+			},
 			BootstrapConfigMutator: EmptyBootstrapConfigMutator,
 			Validator: func(ctx context.Context, s *Scenario) {
 				ValidateWindowsVersionFromWindowsSettings(ctx, s, "2022-containerd")
diff --git a/parts/windows/kuberneteswindowssetup.ps1 b/parts/windows/kuberneteswindowssetup.ps1
@@ -411,6 +411,56 @@ function BasePrep {
         New-HostsConfigService
     }
 
+    # NOTE: Network configuration has been moved to NodePrep to prevent HNS network
+    # state from being baked into VHD images, which causes DHCP conflicts when
+    # multiple VMs are created from the same image.
+
+    Set-Explorer
+    Adjust-PageFileSize
+    Logs-To-Event -TaskName "AKS.WindowsCSE.PreprovisionExtension" -TaskMessage "Start preProvisioning script"
+    PREPROVISION_EXTENSION
+    Update-ServiceFailureActions
+    Adjust-DynamicPortRange
+    Register-LogsCleanupScriptTask
+    Register-NodeResetScriptTask
+
+    Update-DefenderPreferences
+
+    $windowsVersion = Get-WindowsVersion
+    if ($windowsVersion -ne "1809") {
+        Logs-To-Event -TaskName "AKS.WindowsCSE.EnableSecureTLS" -TaskMessage "Skip secure TLS protocols for Windows version: $windowsVersion"
+    } else {
+        Logs-To-Event -TaskName "AKS.WindowsCSE.EnableSecureTLS" -TaskMessage "Start to enable secure TLS protocols"
+        try {
+            . C:\k\windowssecuretls.ps1
+            Enable-SecureTls
+        }
+        catch {
+            Set-ExitCode -ExitCode $global:WINDOWS_CSE_ERROR_ENABLE_SECURE_TLS -ErrorMessage $_
+        }
+    }
+
+    Enable-FIPSMode -FipsEnabled $fipsEnabled
+    if ($global:WindowsGmsaPackageUrl) {
+        Install-GmsaPlugin -GmsaPackageUrl $global:WindowsGmsaPackageUrl
+    }
+
+    Write-Log "BasePrep completed successfully"
+    Logs-To-Event -TaskName "AKS.WindowsCSE.BasePrep" -TaskMessage "BasePrep completed successfully"
+}
+
+# ====== NODE PREP: CLUSTER INTEGRATION ======
+# All operations that should only run when connecting to the actual cluster
+function NodePrep {
+    Install-KubernetesServices -KubeDir $global:KubeDir
+
+    Write-Log "Starting NodePrep - Cluster integration"
+    Logs-To-Event -TaskName "AKS.WindowsCSE.NodePrep" -TaskMessage "Starting NodePrep - Cluster integration"
+
+    Check-APIServerConnectivity -MasterIP $MasterIP
+
+    # Configure networking - this must run during node provisioning, not VHD creation
+    # to ensure each VM gets unique HNS network IDs and avoids DHCP conflicts
     Write-Log "Configuring networking with NetworkPlugin:$global:NetworkPlugin"
 
     # Configure network policy.
@@ -458,50 +508,6 @@ function BasePrep {
         Write-Log "Enable-WindowsCiliumNetworking is not a recognized function, will skip Windows Cilium Networking installation"
     }
 
-    Set-Explorer
-    Adjust-PageFileSize
-    Logs-To-Event -TaskName "AKS.WindowsCSE.PreprovisionExtension" -TaskMessage "Start preProvisioning script"
-    PREPROVISION_EXTENSION
-    Update-ServiceFailureActions
-    Adjust-DynamicPortRange
-    Register-LogsCleanupScriptTask
-    Register-NodeResetScriptTask
-
-    Update-DefenderPreferences
-
-    $windowsVersion = Get-WindowsVersion
-    if ($windowsVersion -ne "1809") {
-        Logs-To-Event -TaskName "AKS.WindowsCSE.EnableSecureTLS" -TaskMessage "Skip secure TLS protocols for Windows version: $windowsVersion"
-    } else {
-        Logs-To-Event -TaskName "AKS.WindowsCSE.EnableSecureTLS" -TaskMessage "Start to enable secure TLS protocols"
-        try {
-            . C:\k\windowssecuretls.ps1
-            Enable-SecureTls
-        }
-        catch {
-            Set-ExitCode -ExitCode $global:WINDOWS_CSE_ERROR_ENABLE_SECURE_TLS -ErrorMessage $_
-        }
-    }
-
-    Enable-FIPSMode -FipsEnabled $fipsEnabled
-    if ($global:WindowsGmsaPackageUrl) {
-        Install-GmsaPlugin -GmsaPackageUrl $global:WindowsGmsaPackageUrl
-    }
-
-    Write-Log "BasePrep completed successfully"
-    Logs-To-Event -TaskName "AKS.WindowsCSE.BasePrep" -TaskMessage "BasePrep completed successfully"
-}
-
-# ====== NODE PREP: CLUSTER INTEGRATION ======
-# All operations that should only run when connecting to the actual cluster
-function NodePrep {
-    Install-KubernetesServices -KubeDir $global:KubeDir
-
-    Write-Log "Starting NodePrep - Cluster integration"
-    Logs-To-Event -TaskName "AKS.WindowsCSE.NodePrep" -TaskMessage "Starting NodePrep - Cluster integration"
-
-    Check-APIServerConnectivity -MasterIP $MasterIP
-
     if ($global:WindowsCalicoPackageURL) {
         Start-InstallCalico -RootDir "c:\" -KubeServiceCIDR $global:KubeServiceCIDR -KubeDnsServiceIp $KubeDnsServiceIp
     }
