feat: add Azure Container Linux ARM64 VHD build target

.pipelines/.vsts-vhd-builder-release.yaml

@@ -137,6 +137,10 @@ parameters:
     displayName: Build Azure Container Linux TL Gen2
     type: boolean
     default: true
+  - name: buildaclarm64tlgen2
+    displayName: Build Azure Container Linux ARM64 TL Gen2
+    type: boolean
+    default: true
 
 variables:
   - name: MODE
@@ -874,6 +878,30 @@ stages:
               useOverrides: ${{ parameters.useOverrides }}
               overrideBranch: ${{ parameters.overrideBranch }}
               artifactName: acl-tl-gen2
+      - job: buildaclarm64tlgen2
+        condition: eq('${{ parameters.buildaclarm64tlgen2 }}', true)
+        dependsOn: [ ]
+        timeoutInMinutes: 360
+        steps:
+          - bash: |
+              echo '##vso[task.setvariable variable=OS_SKU]AzureContainerLinux'
+              echo '##vso[task.setvariable variable=OS_VERSION]acl'
+              echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
+              echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16pds_v6'
+              echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
+              echo '##vso[task.setvariable variable=ARCHITECTURE]ARM64'
+              echo '##vso[task.setvariable variable=ENABLE_FIPS]false'
+              echo '##vso[task.setvariable variable=ENABLE_TRUSTED_LAUNCH]True'
+              echo '##vso[task.setvariable variable=ENABLE_CGROUPV2]True'
+              echo '##vso[task.setvariable variable=SIG_SOURCE_GALLERY_UNIQUE_NAME]035db282-f1c8-4ce7-b78f-2a7265d5398c-ACLDEVEL'
+              echo '##vso[task.setvariable variable=SIG_SOURCE_IMAGE_NAME]acl-arm64'
+              echo '##vso[task.setvariable variable=SIG_SOURCE_IMAGE_VERSION]0.20260316.1069410'
+            displayName: Setup Build Variables
+          - template: ./templates/.builder-release-template.yaml
+            parameters:
+              useOverrides: ${{ parameters.useOverrides }}
+              overrideBranch: ${{ parameters.overrideBranch }}
+              artifactName: acl-arm64-tl-gen2
       - job: build2404arm64gb200gen2containerd
         condition: eq('${{ parameters.build2404arm64gb200gen2containerd }}', true)
         dependsOn: [ ]

e2e/config/vhd.go

@@ -228,6 +228,16 @@ var (
 		OSDiskSizeGB: 60,
 	}
 
+	VHDACLArm64Gen2TL = &Image{
+		Name:         "aclgen2arm64TL",
+		OS:           OSACL,
+		Arch:         "arm64",
+		Distro:       datamodel.AKSACLArm64Gen2TL,
+		Gallery:      imageGalleryLinux,
+		Flatcar:      true,
+		OSDiskSizeGB: 60,
+	}
+
 	VHDWindows2022Containerd = &Image{
 		Name:            "windows-2022-containerd",
 		OS:              "windows",

e2e/scenario_test.go

@@ -199,6 +199,31 @@ func Test_ACL(t *testing.T) {
 	})
 }
 
+func Test_ACL_ARM64(t *testing.T) {
+	RunScenario(t, &Scenario{
+		Description: "Tests that a node using an ACL VHD on ARM64 architecture can be properly bootstrapped",
+		Config: Config{
+			Cluster: ClusterKubenet,
+			VHD:     config.VHDACLArm64Gen2TL,
+			// v6 (Cobalt 100) only supports NVMe disk controllers, not ResourceDisk
+			UseNVMe: true,
+			BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
+				// Ampere Altra (v5) doesn't support TrustedLaunch; Cobalt 100 (v6) does
+				nbc.AgentPoolProfile.VMSize = "Standard_D2pds_v6"
+				nbc.IsARM64 = true
+			},
+			VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
+				vmss.Properties = addTrustedLaunchToVMSS(vmss.Properties)
+				vmss.SKU.Name = to.Ptr("Standard_D2pds_v6")
+			},
+			Validator: func(ctx context.Context, s *Scenario) {
+				ValidateFileHasContent(ctx, s, "/etc/os-release", "ID=azurecontainerlinux")
+				ValidateFileExists(ctx, s, "/etc/ssl/certs/ca-certificates.crt")
+			},
+		},
+	})
+}
+
 func Test_ACL_Scriptless(t *testing.T) {
 	RunScenario(t, &Scenario{
 		Description: "Tests that a node using ACL and the self-contained installer can be properly bootstrapped",

packer.mk

@@ -23,6 +23,9 @@ else ifeq (${OS_SKU},AzureLinux)
 else ifeq (${OS_SKU},Flatcar)
 	@echo "Using packer template file vhd-image-builder-flatcar-arm64.json"
 	@packer build -timestamp-ui  -var-file=vhdbuilder/packer/settings.json vhdbuilder/packer/vhd-image-builder-flatcar-arm64.json
+else ifeq (${OS_SKU},AzureContainerLinux)
+	@echo "Using packer template file vhd-image-builder-acl-arm64.json"
+	@packer build -timestamp-ui  -var-file=vhdbuilder/packer/settings.json vhdbuilder/packer/vhd-image-builder-acl-arm64.json
 else
 	$(error OS_SKU was invalid ${OS_SKU})
 endif

pkg/agent/bakerapi_test.go

@@ -355,6 +355,7 @@ var _ = Describe("AgentBaker API implementation tests", func() {
 
 			aclDistros = []datamodel.Distro{
 				datamodel.AKSACLGen2TL,
+				datamodel.AKSACLArm64Gen2TL,
 			}
 
 			allLinuxDistros = append(allLinuxDistros, ubuntuDistros...)

pkg/agent/datamodel/sig_config.go

@@ -118,6 +118,7 @@ var AvailableContainerdDistros = []Distro{
 	AKSFlatcarGen2,
 	AKSFlatcarArm64Gen2,
 	AKSACLGen2TL,
+	AKSACLArm64Gen2TL,
 	AKSCBLMarinerV1,
 	AKSCBLMarinerV2,
 	AKSAzureLinuxV2,
@@ -180,6 +181,7 @@ var AvailableGen2Distros = []Distro{
 	AKSFlatcarGen2,
 	AKSFlatcarArm64Gen2,
 	AKSACLGen2TL,
+	AKSACLArm64Gen2TL,
 	AKSCBLMarinerV2Gen2,
 	AKSAzureLinuxV2Gen2,
 	AKSAzureLinuxV3Gen2,
@@ -267,6 +269,7 @@ var AvailableFlatcarDistros = []Distro{
 //nolint:gochecknoglobals
 var AvailableACLDistros = []Distro{
 	AKSACLGen2TL,
+	AKSACLArm64Gen2TL,
 }
 
 // IsContainerdSKU returns true if distro type is containerd-enabled.
@@ -753,6 +756,13 @@ var (
 		Version:       LinuxSIGImageVersion,
 	}
 
+	SIGACLArm64Gen2TLImageConfigTemplate = SigImageConfigTemplate{
+		ResourceGroup: AKSAzureLinuxResourceGroup,
+		Gallery:       AKSAzureLinuxGalleryName,
+		Definition:    "aclgen2arm64TL",
+		Version:       LinuxSIGImageVersion,
+	}
+
 	SIGWindows2019ImageConfigTemplate = SigImageConfigTemplate{
 		ResourceGroup: AKSWindowsResourceGroup,
 		Gallery:       AKSWindowsGalleryName,
@@ -849,6 +859,7 @@ func GetMaintainedLinuxSIGImageConfigMap() map[Distro]SigImageConfig {
 	return maintained
 }
 
+//nolint:dupl // each distro family needs its own map, structural similarity is expected.
 func getSigUbuntuImageConfigMapWithOpts(opts ...SigImageConfigOpt) map[Distro]SigImageConfig {
 	return map[Distro]SigImageConfig{
 		AKSUbuntuFipsContainerd2004:           SIGUbuntuFipsContainerd2004ImageConfigTemplate.WithOptions(opts...),
@@ -887,6 +898,7 @@ func getSigCBLMarinerImageConfigMapWithOpts(opts ...SigImageConfigOpt) map[Distr
 	}
 }
 
+//nolint:dupl // each distro family needs its own map, structural similarity is expected.
 func getSigAzureLinuxImageConfigMapWithOpts(opts ...SigImageConfigOpt) map[Distro]SigImageConfig {
 	return map[Distro]SigImageConfig{
 		AKSAzureLinuxV2:                  SIGAzureLinuxV2Gen1ImageConfigTemplate.WithOptions(opts...),
@@ -907,6 +919,7 @@ func getSigAzureLinuxImageConfigMapWithOpts(opts ...SigImageConfigOpt) map[Distr
 		AKSAzureLinuxV3CVMGen2:           SIGAzureLinuxV3CVMGen2ImageConfigTemplate.WithOptions(opts...),
 		AKSAzureLinuxV3OSGuardGen2FIPSTL: SIGAzureLinuxV3OSGuardGen2FIPSTLImageConfigTemplate.WithOptions(opts...),
 		AKSACLGen2TL:                     SIGACLGen2TLImageConfigTemplate.WithOptions(opts...),
+		AKSACLArm64Gen2TL:                SIGACLArm64Gen2TLImageConfigTemplate.WithOptions(opts...),
 	}
 }
 

pkg/agent/datamodel/sig_config_test.go

@@ -37,6 +37,7 @@ var _ = Describe("GetMaintainedLinuxSIGImageConfigMap", func() {
 			AKSFlatcarGen2:                   SIGFlatcarGen2ImageConfigTemplate.WithOptions(),
 			AKSFlatcarArm64Gen2:              SIGFlatcarArm64Gen2ImageConfigTemplate.WithOptions(),
 			AKSACLGen2TL:                     SIGACLGen2TLImageConfigTemplate.WithOptions(),
+			AKSACLArm64Gen2TL:                SIGACLArm64Gen2TLImageConfigTemplate.WithOptions(),
 		}
 		actual := GetMaintainedLinuxSIGImageConfigMap()
 		for distro, config := range expected {
@@ -104,7 +105,7 @@ var _ = Describe("GetSIGAzureCloudSpecConfig", func() {
 		Expect(mariner.Definition).To(Equal("V1"))
 		Expect(mariner.Version).To(Equal(FrozenCBLMarinerV1SIGImageVersionForDeprecation))
 
-		Expect(len(sigConfig.SigAzureLinuxImageConfig)).To(Equal(18))
+		Expect(len(sigConfig.SigAzureLinuxImageConfig)).To(Equal(19))
 
 		azurelinuxV2 := sigConfig.SigAzureLinuxImageConfig[AKSAzureLinuxV2]
 		Expect(azurelinuxV2.ResourceGroup).To(Equal("resourcegroup"))
@@ -379,5 +380,11 @@ var _ = Describe("GetSIGAzureCloudSpecConfig", func() {
 		Expect(aclGen2.Gallery).To(Equal("aksazurelinux"))
 		Expect(aclGen2.Definition).To(Equal("aclgen2TL"))
 		Expect(aclGen2.Version).To(Equal(LinuxSIGImageVersion))
+
+		aclArm64Gen2 := sigConfig.SigAzureLinuxImageConfig[AKSACLArm64Gen2TL]
+		Expect(aclArm64Gen2.ResourceGroup).To(Equal("resourcegroup"))
+		Expect(aclArm64Gen2.Gallery).To(Equal("aksazurelinux"))
+		Expect(aclArm64Gen2.Definition).To(Equal("aclgen2arm64TL"))
+		Expect(aclArm64Gen2.Version).To(Equal(LinuxSIGImageVersion))
 	})
 })

pkg/agent/datamodel/types.go

@@ -193,6 +193,7 @@ const (
 	AKSFlatcarGen2                        Distro = "aks-flatcar-gen2"
 	AKSFlatcarArm64Gen2                   Distro = "aks-flatcar-arm64-gen2"
 	AKSACLGen2TL                          Distro = "aks-acl-gen2-tl"
+	AKSACLArm64Gen2TL                     Distro = "aks-acl-arm64-gen2-tl"
 
 	// Windows string const.
 	// AKSWindows2019 stands for distro of windows server 2019 SIG image with docker.
@@ -274,6 +275,7 @@ var AKSDistrosAvailableOnVHD = []Distro{
 	AKSFlatcarGen2,
 	AKSFlatcarArm64Gen2,
 	AKSACLGen2TL,
+	AKSACLArm64Gen2TL,
 }
 
 type CustomConfigurationComponent string

pkg/agent/datamodel/types_test.go

@@ -1245,6 +1245,13 @@ func TestAgentPoolProfileIsACL(t *testing.T) {
 			},
 			expected: true,
 		},
+		{
+			name: "ACL ARM64 distro",
+			ap: AgentPoolProfile{
+				Distro: AKSACLArm64Gen2TL,
+			},
+			expected: true,
+		},
 		{
 			name: "Flatcar distro is not ACL",
 			ap: AgentPoolProfile{

vhdbuilder/packer/test/run-test.sh

@@ -62,12 +62,17 @@ set -x
 # ERROR: This user name 'root' meets the general requirements, but is specifically disallowed for this image. Please try a different value.
 TARGET_COMMAND_STRING=""
 if [ "${ARCHITECTURE,,}" = "arm64" ]; then
-  TARGET_COMMAND_STRING="--size Standard_D2pds_V5"
+  # Ampere Altra (v5) doesn't support TrustedLaunch; Cobalt 100 (v6) does
+  if [ "${ENABLE_TRUSTED_LAUNCH,,}" = "true" ]; then
+    TARGET_COMMAND_STRING="--size Standard_D2pds_v6"
+  else
+    TARGET_COMMAND_STRING="--size Standard_D2pds_v5"
+  fi
 else
   TARGET_COMMAND_STRING="--size Standard_D2ds_v5"
 fi
 
-if [ "${OS_TYPE}" = "Linux" ] && [ "${ENABLE_TRUSTED_LAUNCH}" = "True" ]; then
+if [ "${OS_TYPE}" = "Linux" ] && [ "${ENABLE_TRUSTED_LAUNCH,,}" = "true" ]; then
   if [ -n "$TARGET_COMMAND_STRING" ]; then
     # To take care of Mariner Kata TL images
     TARGET_COMMAND_STRING+=" "