From 61d83b5639de49ca47e847251bfda072c2d30ea6 Mon Sep 17 00:00:00 2001 From: xinhl Date: Mon, 15 Jun 2026 20:16:45 +1000 Subject: [PATCH 1/4] feat: add credential provider mirror config for network isolated cluster --- staging/cse/windows/configfunc.ps1 | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/staging/cse/windows/configfunc.ps1 b/staging/cse/windows/configfunc.ps1 index a921e1981a5..3d5104839da 100644 --- a/staging/cse/windows/configfunc.ps1 +++ b/staging/cse/windows/configfunc.ps1 @@ -396,6 +396,32 @@ providers: apiVersion: credentialprovider.kubelet.k8s.io/v1 args: - $azureConfigFile +"@ + } + elseif (![string]::IsNullOrEmpty($global:BootstrapProfileContainerRegistryServer)) { + $mcrRegistry = if ((Test-Path variable:global:MCRRepositoryBase) -and + -not [string]::IsNullOrEmpty($global:MCRRepositoryBase)) { + [string]$global:MCRRepositoryBase + } + else { + "mcr.microsoft.com" + } + $credentialProviderConfig = @" +apiVersion: kubelet.config.k8s.io/v1 +kind: CredentialProviderConfig +providers: + - name: acr-credential-provider + matchImages: + - "*.azurecr.io" + - "*.azurecr.cn" + - "*.azurecr.de" + - "*.azurecr.us" + - "${mcrRegistry}" + defaultCacheDuration: "10m" + apiVersion: credentialprovider.kubelet.k8s.io/v1 + args: + - $azureConfigFile + - --registry-mirror=${mcrRegistry}:$global:BootstrapProfileContainerRegistryServer "@ } $credentialProviderConfig | Out-File -encoding ASCII -filepath "$CredentialProviderConfPATH" From fedfd6699113652f29abb8b8298afa13c9db7d35 Mon Sep 17 00:00:00 2001 From: xinhl Date: Mon, 15 Jun 2026 20:26:24 +1000 Subject: [PATCH 2/4] ut --- staging/cse/windows/configfunc.tests.ps1 | 55 +++++++++++++++++++ ...ntainerRegistryServerCustomMCR.config.yaml | 15 +++++ ...ContainerRegistryServerDefault.config.yaml | 15 +++++ 3 files changed, 85 insertions(+) create mode 100644 staging/cse/windows/credentialProvider.tests.suites/BootstrapProfileContainerRegistryServerCustomMCR.config.yaml create mode 100644 staging/cse/windows/credentialProvider.tests.suites/BootstrapProfileContainerRegistryServerDefault.config.yaml diff --git a/staging/cse/windows/configfunc.tests.ps1 b/staging/cse/windows/configfunc.tests.ps1 index 86af4728313..3ff6d5727ea 100644 --- a/staging/cse/windows/configfunc.tests.ps1 +++ b/staging/cse/windows/configfunc.tests.ps1 @@ -153,6 +153,61 @@ Describe 'Config-CredentialProvider' { $normalizedActual | Should -Be $normalizedExpected } } + Context 'BootstrapProfileContainerRegistryServer is set with default MCR' { + BeforeEach { + $global:BootstrapProfileContainerRegistryServer = "myregistry.azurecr.io" + # Ensure MCRRepositoryBase is not set so it falls back to mcr.microsoft.com + Remove-Variable -Name MCRRepositoryBase -Scope Global -ErrorAction SilentlyContinue + } + AfterEach { + $global:BootstrapProfileContainerRegistryServer = $null + } + It "should include mcr.microsoft.com in matchImages and registry-mirror arg" { + $expectedCredentialProviderConfig = Read-Format-Yaml ([Io.path]::Combine($credentialProviderConfigDir, "BootstrapProfileContainerRegistryServerDefault.config.yaml")) + Config-CredentialProvider -KubeDir $credentialProviderConfigDir -CredentialProviderConfPath $CredentialProviderConfPATH -CustomCloudContainerRegistryDNSSuffix "" + $acutalCredentialProviderConfig = Read-Format-Yaml $CredentialProviderConfPATH + + $normalizedExpected = $expectedCredentialProviderConfig.Trim().Replace("`r`n", "`n") + $normalizedActual = $acutalCredentialProviderConfig.Trim().Replace("`r`n", "`n") + $normalizedActual | Should -Be $normalizedExpected + } + } + Context 'BootstrapProfileContainerRegistryServer is set with custom MCRRepositoryBase' { + BeforeEach { + $global:BootstrapProfileContainerRegistryServer = "myregistry.azurecr.io" + $global:MCRRepositoryBase = "custom.mcr.contoso.com" + } + AfterEach { + $global:BootstrapProfileContainerRegistryServer = $null + $global:MCRRepositoryBase = $null + } + It "should use custom MCRRepositoryBase in matchImages and registry-mirror arg" { + $expectedCredentialProviderConfig = Read-Format-Yaml ([Io.path]::Combine($credentialProviderConfigDir, "BootstrapProfileContainerRegistryServerCustomMCR.config.yaml")) + Config-CredentialProvider -KubeDir $credentialProviderConfigDir -CredentialProviderConfPath $CredentialProviderConfPATH -CustomCloudContainerRegistryDNSSuffix "" + $acutalCredentialProviderConfig = Read-Format-Yaml $CredentialProviderConfPATH + + $normalizedExpected = $expectedCredentialProviderConfig.Trim().Replace("`r`n", "`n") + $normalizedActual = $acutalCredentialProviderConfig.Trim().Replace("`r`n", "`n") + $normalizedActual | Should -Be $normalizedExpected + } + } + Context 'CustomCloudContainerRegistryDNSSuffix takes precedence over BootstrapProfileContainerRegistryServer' { + BeforeEach { + $global:BootstrapProfileContainerRegistryServer = "myregistry.azurecr.io" + } + AfterEach { + $global:BootstrapProfileContainerRegistryServer = $null + } + It "should use CustomCloud config and not include registry-mirror when both are set" { + $expectedCredentialProviderConfig = Read-Format-Yaml ([Io.path]::Combine($credentialProviderConfigDir, "CustomCloudContainerRegistryDNSSuffixNotEmpty.config.yaml")) + Config-CredentialProvider -KubeDir $credentialProviderConfigDir -CredentialProviderConfPath $CredentialProviderConfPATH -CustomCloudContainerRegistryDNSSuffix ".azurecr.microsoft.fakecloud" + $acutalCredentialProviderConfig = Read-Format-Yaml $CredentialProviderConfPATH + + $normalizedExpected = $expectedCredentialProviderConfig.Trim().Replace("`r`n", "`n") + $normalizedActual = $acutalCredentialProviderConfig.Trim().Replace("`r`n", "`n") + $normalizedActual | Should -Be $normalizedExpected + } + } } Describe 'Validate-CredentialProviderConfigFlags' { diff --git a/staging/cse/windows/credentialProvider.tests.suites/BootstrapProfileContainerRegistryServerCustomMCR.config.yaml b/staging/cse/windows/credentialProvider.tests.suites/BootstrapProfileContainerRegistryServerCustomMCR.config.yaml new file mode 100644 index 00000000000..d93f17d531f --- /dev/null +++ b/staging/cse/windows/credentialProvider.tests.suites/BootstrapProfileContainerRegistryServerCustomMCR.config.yaml @@ -0,0 +1,15 @@ +apiVersion: kubelet.config.k8s.io/v1 +kind: CredentialProviderConfig +providers: + - name: acr-credential-provider + matchImages: + - "*.azurecr.io" + - "*.azurecr.cn" + - "*.azurecr.de" + - "*.azurecr.us" + - "custom.mcr.contoso.com" + defaultCacheDuration: "10m" + apiVersion: credentialprovider.kubelet.k8s.io/v1 + args: + - staging\cse\windows\credentialProvider.tests.suites\azure.json + - --registry-mirror=custom.mcr.contoso.com:myregistry.azurecr.io diff --git a/staging/cse/windows/credentialProvider.tests.suites/BootstrapProfileContainerRegistryServerDefault.config.yaml b/staging/cse/windows/credentialProvider.tests.suites/BootstrapProfileContainerRegistryServerDefault.config.yaml new file mode 100644 index 00000000000..9485308eab9 --- /dev/null +++ b/staging/cse/windows/credentialProvider.tests.suites/BootstrapProfileContainerRegistryServerDefault.config.yaml @@ -0,0 +1,15 @@ +apiVersion: kubelet.config.k8s.io/v1 +kind: CredentialProviderConfig +providers: + - name: acr-credential-provider + matchImages: + - "*.azurecr.io" + - "*.azurecr.cn" + - "*.azurecr.de" + - "*.azurecr.us" + - "mcr.microsoft.com" + defaultCacheDuration: "10m" + apiVersion: credentialprovider.kubelet.k8s.io/v1 + args: + - staging\cse\windows\credentialProvider.tests.suites\azure.json + - --registry-mirror=mcr.microsoft.com:myregistry.azurecr.io From d1221d91f360c012a9839d15ca007c2eb83be9db Mon Sep 17 00:00:00 2001 From: Xinhe Li Date: Mon, 15 Jun 2026 20:42:35 +1000 Subject: [PATCH 3/4] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- staging/cse/windows/configfunc.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/staging/cse/windows/configfunc.ps1 b/staging/cse/windows/configfunc.ps1 index 3d5104839da..8043b4f566b 100644 --- a/staging/cse/windows/configfunc.ps1 +++ b/staging/cse/windows/configfunc.ps1 @@ -401,7 +401,7 @@ providers: elseif (![string]::IsNullOrEmpty($global:BootstrapProfileContainerRegistryServer)) { $mcrRegistry = if ((Test-Path variable:global:MCRRepositoryBase) -and -not [string]::IsNullOrEmpty($global:MCRRepositoryBase)) { - [string]$global:MCRRepositoryBase + ([string]$global:MCRRepositoryBase).TrimEnd("/") } else { "mcr.microsoft.com" From b3781ed3177bd4dad70f0ca92ef51af0c94ae1e7 Mon Sep 17 00:00:00 2001 From: xinhl Date: Wed, 17 Jun 2026 14:22:38 +1000 Subject: [PATCH 4/4] add qeoto --- staging/cse/windows/configfunc.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/staging/cse/windows/configfunc.ps1 b/staging/cse/windows/configfunc.ps1 index 8043b4f566b..49ea6bec49d 100644 --- a/staging/cse/windows/configfunc.ps1 +++ b/staging/cse/windows/configfunc.ps1 @@ -421,7 +421,7 @@ providers: apiVersion: credentialprovider.kubelet.k8s.io/v1 args: - $azureConfigFile - - --registry-mirror=${mcrRegistry}:$global:BootstrapProfileContainerRegistryServer + - --registry-mirror=${mcrRegistry}:{$global:BootstrapProfileContainerRegistryServer} "@ } $credentialProviderConfig | Out-File -encoding ASCII -filepath "$CredentialProviderConfPATH"