Merge pull request #1930 from aramase/automated-cherry-pick-of-#1929-upstream-release-1.5

ci: resolve azure e2e test flakes with rbac, windows vm size

Author: k8s-ci-robot

test/scripts/run-e2e-azure.sh

@@ -77,13 +77,14 @@ main() {
     # only add windows pool if TEST_WINDOWS is set and equal to true
     if [[ "${TEST_WINDOWS:-}" == "true" ]]; then
         echo "Adding windows nodepool"
-        # add windows nodepool
+        # add windows nodepool with explicit x64 VM size (Windows doesn't support ARM64)
         az aks nodepool add \
             --resource-group "${CLUSTER_NAME}" \
             --cluster-name "${CLUSTER_NAME}" \
             --os-type Windows \
             --name npwin \
-            --node-count 1 > /dev/null
+            --node-count 1 \
+            --node-vm-size Standard_D2s_v3 > /dev/null
     fi
 
     az aks get-credentials --resource-group "${CLUSTER_NAME}" --name "${CLUSTER_NAME}" --overwrite-existing
@@ -133,9 +134,12 @@ main() {
     # Assigning the managed identity the necessary permissions to access the keyvault using RBAC
     echo "Assigning managed identity Key Vault Secrets User role on keyvault"
     KEYVAULT_RESOURCE_ID=$(az keyvault show --name "${KEYVAULT_NAME}" --query "id" -otsv)
+    # Use --assignee-principal-type to avoid replication delay issues
+    # See: https://learn.microsoft.com/en-us/azure/role-based-access-control/troubleshooting#symptom---assigning-a-role-to-a-new-principal-sometimes-fails
     az role assignment create \
         --role "Key Vault Secrets User" \
-        --assignee "${IDENTITY_OBJECT_ID}" \
+        --assignee-object-id "${IDENTITY_OBJECT_ID}" \
+        --assignee-principal-type ServicePrincipal \
         --scope "${KEYVAULT_RESOURCE_ID}" > /dev/null
 
     docker pull "${IMAGE_TAG}" || ALL_ARCH_linux=amd64 make container-all push-manifest