feat: windows node set mcr containerd host config for network isolated cluster#7902

Open
fseldow wants to merge 1 commit into main from xinhl/windowsimage

Conversation

@fseldow (Contributor) commented Feb 18, 2026

…d cluster

What this PR does / why we need it:
To support network isolated cluster
setup mcr containerd hosts, to allow the cluster pull mcr images from acr first.

feat: windows node set mcr containerd host config for network isolated cluster
Which issue(s) this PR fixes:

Fixes #

Copilot AI (Contributor) left a comment

Pull request overview

This PR adds Windows node support for network isolated clusters by configuring containerd to use a bootstrap profile container registry as a mirror for MCR (Microsoft Container Registry) images. The implementation adds a new PowerShell function for Windows nodes and includes corresponding variable initialization in the CSE scripts. Additionally, it fixes a missing "server" directive in the Linux MCR China Cloud configuration.

Changes:

  • Adds Windows containerd configuration to redirect MCR image pulls to the bootstrap profile container registry for network isolated clusters
  • Sets global variables for bootstrap profile registry and MCR repository base in Windows CSE scripts
  • Fixes missing "server" directive in Linux MCR China Cloud containerd hosts configuration
  • Adds e2e test to validate Windows containerd registry configuration in network isolated clusters

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File / Description
staging/cse/windows/containerdfunc.ps1: Adds Set-BootstrapProfileRegistryContainerdHost function and conditional logic to configure MCR registry mirroring for network isolated clusters
parts/windows/kuberneteswindowssetup.ps1: Initializes global variables for bootstrap profile container registry server and MCR repository base
parts/linux/cloud-init/artifacts/cse_config.sh: Adds missing "server" directive to MCR China Cloud containerd hosts configuration
e2e/scenario_win_test.go: Adds test for Windows network isolated cluster containerd configuration

},
Config: Config{
Cluster: ClusterAzureBootstrapProfileCache,
VHD: config.VHDUbuntu2204Gen2Containerd,
Copilot AI Feb 18, 2026

The test is named "Test_NetworkIsolatedCluster_Windows_WithEgress" and validates Windows-specific files (C:\ProgramData\containerd...), but it uses a Linux VHD (config.VHDUbuntu2204Gen2Containerd). This VHD should be changed to a Windows VHD such as config.VHDWindows2022Containerd, config.VHDWindows2025Gen2, or config.VHDWindows23H2Gen2 to properly test the Windows containerd configuration changes.

Suggested change
VHD: config.VHDUbuntu2204Gen2Containerd,
VHD: config.VHDWindows2022Containerd,

Comment on lines +574 to +575
// Verify mcr.microsoft.com host config exist
ValidateFileExists(ctx, s, `C:\ProgramData\containerd\certs.d\mcr.microsoft.com\hosts.toml`)
Copilot AI Feb 18, 2026

The test only validates the existence of the hosts.toml file but doesn't verify its content. For network isolated clusters, the hosts.toml should contain specific registry mirror configuration with the bootstrap profile container registry server. Consider adding ValidateFileHasContent checks similar to Test_Windows2022_McrChinaCloud_Windows (lines 511-516) to verify that the file contains the expected "server" line and registry host configuration pointing to the bootstrap profile registry.

Suggested change
// Verify mcr.microsoft.com host config exist
ValidateFileExists(ctx, s, `C:\ProgramData\containerd\certs.d\mcr.microsoft.com\hosts.toml`)
// Verify mcr.microsoft.com host config exists and points to the bootstrap profile registry mirror
ValidateFileExists(ctx, s, `C:\ProgramData\containerd\certs.d\mcr.microsoft.com\hosts.toml`)
acrHost := fmt.Sprintf("%s.azurecr.io", config.PrivateACRNameNotAnon(config.Config.DefaultLocation))
ValidateFileHasContent(ctx, s,
`C:\ProgramData\containerd\certs.d\mcr.microsoft.com\hosts.toml`,
`server = "https://mcr.microsoft.com"`,
acrHost)


func Test_NetworkIsolatedCluster_Windows_WithEgress(t *testing.T) {
RunScenario(t, &Scenario{
Description: "Tests that credential provider config includes identity binding in network isolated (NI) clusters",
Copilot AI Feb 18, 2026

The test description mentions "credential provider config includes identity binding" but the validation only checks for the existence of containerd hosts.toml files. This description appears to be copied from the Linux test (Test_Ubuntu2204Gen2_ImagePullIdentityBinding_NetworkIsolated) and doesn't accurately describe what this Windows test validates. Consider updating the description to something like: "Tests that Windows nodes in network isolated clusters configure containerd to use the bootstrap profile container registry for MCR images".

Suggested change
Description: "Tests that credential provider config includes identity binding in network isolated (NI) clusters",
Description: "Tests that Windows nodes in network isolated clusters configure containerd to use the bootstrap profile container registry for MCR images",

Comment on lines +250 to +251
$registryHost = ($registryHost -replace '^https?://', '').TrimEnd('/').Split('/')[0]
$registryHost = "$registryHost/v2"
Copilot AI Feb 18, 2026

The URL parsing logic differs from the Linux implementation and may strip the path component from the registry URL. The Windows version extracts only the domain (line 250: Split('/')[0]) and then appends '/v2', while the Linux version (cse_config.sh:386) inserts '/v2/' after the first slash, preserving any path component. For a registry URL like "https://example.azurecr.io/aks-managed-repository", this produces: Windows: "example.azurecr.io/v2", Linux: "example.azurecr.io/v2/aks-managed-repository/". The path component (e.g., "aks-managed-repository") is significant for network isolated clusters and should be preserved. Consider updating the parsing logic to match the Linux behavior: $registryHost = ($registryHost -replace '^https?://', '').TrimEnd('/'); $registryHost = $registryHost -replace '^([^/]+)', '$1/v2'

Suggested change
$registryHost = ($registryHost -replace '^https?://', '').TrimEnd('/').Split('/')[0]
$registryHost = "$registryHost/v2"
$registryHost = ($registryHost -replace '^https?://', '').TrimEnd('/')
$registryHost = $registryHost -replace '^([^/]+)', '$1/v2'

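As an added example (my own PowerShell, not the PR's containerdfunc.ps1 or any AgentBaker code), the block below derives the mirror host the way the suggested change does, keeping the repository path after the registry name, renders the mcr.microsoft.com hosts.toml that redirects MCR pulls to the bootstrap profile registry, and checks the written file for the server line and the mirror host entry rather than only its existence, which is the gap the second review comment points out. The function names, the override_path setting and the hosts.toml layout are my assumptions; the registry URL in the usage lines is constructed.

```powershell
# Added example, not the PR's code. Derive a containerd mirror host from a
# bootstrap profile registry URL (preserving any path component, as the Linux
# cse_config.sh does per the review comment) and manage the hosts.toml for it.

function ConvertTo-MirrorRegistryHost {
    param([Parameter(Mandatory)][string]$RegistryUrl)
    # Drop the scheme and trailing slash, then insert "/v2" after the first
    # path segment (the registry name) so "host/repo" becomes "host/v2/repo".
    $trimmed = ($RegistryUrl -replace '^https?://', '').TrimEnd('/')
    return ($trimmed -replace '^([^/]+)', '$1/v2')
}

function New-McrMirrorHostsToml {
    param(
        [Parameter(Mandatory)][string]$RegistryUrl,
        [string]$Upstream = 'https://mcr.microsoft.com'
    )
    $mirrorHost = ConvertTo-MirrorRegistryHost -RegistryUrl $RegistryUrl
    # Assumption: override_path = true keeps containerd from appending its own
    # "/v2" to a host entry that already carries the API path.
    return @"
server = "$Upstream"

[host."https://$mirrorHost"]
  capabilities = ["pull", "resolve"]
  override_path = true
"@
}

function Write-McrMirrorHostsToml {
    param(
        [Parameter(Mandatory)][string]$RegistryUrl,
        [string]$CertsDir = 'C:\ProgramData\containerd\certs.d'
    )
    # containerd looks up certs.d\<upstream host>\hosts.toml for each registry.
    $dir = Join-Path $CertsDir 'mcr.microsoft.com'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $path = Join-Path $dir 'hosts.toml'
    Set-Content -Path $path -Value (New-McrMirrorHostsToml -RegistryUrl $RegistryUrl) -Encoding ascii
    return $path
}

function Test-McrMirrorHostsToml {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$RegistryUrl,
        [string]$Upstream = 'https://mcr.microsoft.com'
    )
    # Existence alone is not enough: a stale or empty file must fail, so require
    # both the upstream "server" line and the host entry for the mirror.
    if (-not (Test-Path -Path $Path)) { return $false }
    $content = Get-Content -Path $Path -Raw
    $mirrorHost = ConvertTo-MirrorRegistryHost -RegistryUrl $RegistryUrl
    return ($content -match [regex]::Escape("server = `"$Upstream`"")) -and
           ($content -match [regex]::Escape("[host.`"https://$mirrorHost`"]"))
}

# Usage with a constructed registry URL (hypothetical host and path):
$registryUrl = 'https://example.azurecr.io/aks-managed-repository/'
$hostsToml = Write-McrMirrorHostsToml -RegistryUrl $registryUrl
Test-McrMirrorHostsToml -Path $hostsToml -RegistryUrl $registryUrl
```

With the constructed URL above, ConvertTo-MirrorRegistryHost yields example.azurecr.io/v2/aks-managed-repository, so the host entry still names the managed repository path; the domain-only parsing in the original snippet would have produced example.azurecr.io/v2 and pointed the mirror at the wrong repository root. Test-McrMirrorHostsToml is the check an e2e test or a node-health script would run after configuration: it fails closed when the file is missing, empty, or points at a different upstream or mirror.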