feat: windows base version update & script to do it manually (#8315)

Author: timmy-wright

Makefile

@@ -257,6 +257,10 @@ coverage:
 unit-tests:
 	$(GO) test `go list ./... | grep -v e2e` -coverprofile coverage_raw.out -covermode count
 
+.PHONY: update-windows-base-versions
+update-windows-base-versions:
+	./vhdbuilder/packer/windows/update_windows_base_versions.sh
+
 .PHONY: validate-components
 validate-components:
 	@./hack/tools/bin/cue vet -c ./schemas/components.cue ./parts/common/components.json

e2e/config/vhd.go

@@ -302,6 +302,10 @@ func (i *Image) String() string {
 	return fmt.Sprintf("%s %s %s %s", i.OS, i.Name, i.Version, i.Arch)
 }
 
+func (i *Image) SupportsScriptless() bool {
+	return !i.Flatcar && !i.Distro.IsWindowsDistro()
+}
+
 func GetVHDResourceID(ctx context.Context, i Image, location string) (VHDResourceID, error) {
 	switch {
 	case i.Version != "":

e2e/validators.go

@@ -2018,15 +2018,15 @@ func ValidateNodeHasLabel(ctx context.Context, s *Scenario, labelKey, expectedVa
 // ValidateScriptlessCSECmd checks if the node has scriptless cmd correctly enabled
 func ValidateScriptlessCSECmd(ctx context.Context, s *Scenario) {
 	nbc := s.Runtime.NBC
-	if nbc != nil && nbc.EnableScriptlessCSECmd && !s.VHD.Flatcar && !s.VHD.Distro.IsWindowsDistro() {
+	if nbc != nil && nbc.EnableScriptlessCSECmd && s.VHD.SupportsScriptless() {
 		ValidateFileExists(ctx, s, "/opt/azure/containers/scriptless-cse-overrides.txt")
 	}
 }
 
 // ValidateScriptlessNBCCSECmd checks if the node has scriptless NBCCSECmd correctly enabled
 func ValidateScriptlessNBCCSECmd(ctx context.Context, s *Scenario) {
 	nbc := s.Runtime.NBC
-	if nbc != nil && nbc.EnableScriptlessNBCCSECmd && !s.VHD.Flatcar {
+	if nbc != nil && nbc.EnableScriptlessNBCCSECmd && s.VHD.SupportsScriptless() {
 		fileNameToCheck := "/opt/azure/containers/aks-node-controller-nbc-cmd.sh"
 		if !config.Config.DisableScriptLessCompilation && !s.Tags.NetworkIsolated {
 			fileNameToCheck = "/opt/azure/containers/aks-node-controller-nbc-cmd-hack.sh"

e2e/vmss.go

@@ -341,7 +341,7 @@ func createVMSSModel(ctx context.Context, s *Scenario) armcompute.VirtualMachine
 			customData, err = injectWriteFilesEntriesToCustomData(customData, s.Config.CustomDataWriteFiles)
 			require.NoError(s.T, err, "failed to inject customData write_files entries")
 		}
-		if s.Runtime.NBC.EnableScriptlessCSECmd && !s.VHD.Flatcar && !s.VHD.Distro.IsWindowsDistro() {
+		if s.Runtime.NBC.EnableScriptlessCSECmd && s.VHD.SupportsScriptless() {
 			// Validate that the custom data doesn't contain any script content,
 			// which indicates that the scriptless CSE is working as intended
 			decodedCustomData, err := base64.StdEncoding.DecodeString(customData)

vhdbuilder/packer/windows/update_windows_base_versions.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+set -euo pipefail
+
+# Updates base_image_version in windows_settings.json to the latest available
+# version from the Azure Marketplace for each Windows SKU.
+#
+# This script is a backup. In an ideal world, use the pipeline https://dev.azure.com/msazure/CloudNativeCompute/_build/results?buildId=160464184&view=results
+# and only run this script manually if the pipeline fails to update the versions or if you want to check for updates without modifying the settings file (using --dry-run).
+#
+# Prerequisites:
+#   - az CLI installed and logged in
+#   - jq installed
+#
+# Usage:
+#   ./update_windows_base_versions.sh [--dry-run]
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+SETTINGS_FILE="${SCRIPT_DIR}/windows_settings.json"
+DEFAULT_PUBLISHER="MicrosoftWindowsServer"
+DEFAULT_OFFER="MicrosoftWindowsServer"
+DRY_RUN=false
+
+if [ "${1:-}" = "--dry-run" ]; then
+    DRY_RUN=true
+fi
+
+if [ ! -f "${SETTINGS_FILE}" ]; then
+    echo "ERROR: ${SETTINGS_FILE} not found"
+    exit 1
+fi
+
+for cmd in az jq; do
+    if ! command -v "${cmd}" &>/dev/null; then
+        echo "ERROR: ${cmd} is required but not installed"
+        exit 1
+    fi
+done
+
+# Build a list of unique (publisher, sku) pairs to query.
+# Multiple JSON keys can share the same SKU prefix (e.g. 2025 and 2025-gen2
+# have different SKUs but should resolve to the same base_image_version).
+# We query each unique SKU individually.
+mapfile -t sku_keys < <(jq -r '.WindowsBaseVersions | keys[]' "${SETTINGS_FILE}")
+
+updated=0
+errors=0
+
+for key in "${sku_keys[@]}"; do
+    sku=$(jq -r ".WindowsBaseVersions.\"${key}\".base_image_sku" "${SETTINGS_FILE}")
+    offer=$(jq -r ".WindowsBaseVersions.\"${key}\".base_image_offer // \"${DEFAULT_OFFER}\"" "${SETTINGS_FILE}")
+    publisher=$(jq -r ".WindowsBaseVersions.\"${key}\".base_image_publisher // \"${DEFAULT_PUBLISHER}\"" "${SETTINGS_FILE}")
+    current_version=$(jq -r ".WindowsBaseVersions.\"${key}\".base_image_version" "${SETTINGS_FILE}")
+
+    echo "Querying latest version for ${key} (publisher=${publisher}, offer=${offer}, sku=${sku})..."
+
+    latest_version=$(
+        az vm image list \
+            -p "${publisher}" \
+            -f "${offer}" \
+            -s "${sku}" \
+            --all \
+            --query "[].version" \
+            -o tsv 2>/dev/null |
+            sort -uV |
+            tail -n 1
+    ) || true
+
+    if [ -z "${latest_version}" ]; then
+        echo "  WARNING: no versions found for sku=${sku}, skipping"
+        errors=$((errors + 1))
+        continue
+    fi
+
+    if [ "${current_version}" = "${latest_version}" ]; then
+        echo "  ${key}: already up to date (${current_version})"
+        continue
+    fi
+
+    echo "  ${key}: ${current_version} -> ${latest_version}"
+
+    if [ "${DRY_RUN}" = "false" ]; then
+        tmp=$(mktemp)
+        jq ".WindowsBaseVersions.\"${key}\".base_image_version = \"${latest_version}\"" \
+            "${SETTINGS_FILE}" >"${tmp}" &&
+            mv "${tmp}" "${SETTINGS_FILE}"
+        updated=$((updated + 1))
+    else
+        updated=$((updated + 1))
+    fi
+done
+
+echo ""
+if [ "${DRY_RUN}" = "true" ]; then
+    echo "Dry run complete. ${updated} version(s) would be updated, ${errors} error(s)."
+else
+    echo "Done. ${updated} version(s) updated, ${errors} error(s)."
+fi
+
+if [ "${errors}" -gt 0 ]; then
+    exit 1
+fi
+

vhdbuilder/packer/windows/windows_settings.json

@@ -19,7 +19,7 @@
       "base_image_offer": "windowsserver2022",
       "base_image_sku": "2022-Datacenter-Core-smalldisk",
       "windows_image_name": "windows-2022-containerd",
-      "base_image_version": "20348.4893.260303",
+      "base_image_version": "20348.5020.260413",
       "patches_to_apply": []
     },
     "2022-containerd-gen2": {
@@ -28,35 +28,35 @@
       "base_image_offer": "windowsserver2022",
       "base_image_sku": "2022-datacenter-core-smalldisk-g2",
       "windows_image_name": "windows-2022-containerd",
-      "base_image_version": "20348.4893.260303",
+      "base_image_version": "20348.5020.260413",
       "patches_to_apply": []
     },
     "2025": {
       "os_disk_size": "45",
       "base_image_sku": "2025-datacenter-core-smalldisk",
       "windows_image_name": "windows-2025",
-      "base_image_version": "26100.32522.260306",
+      "base_image_version": "26100.32690.260413",
       "patches_to_apply": []
     },
     "2025-gen2": {
       "os_disk_size": "45",
       "base_image_sku": "2025-datacenter-core-smalldisk-g2",
       "windows_image_name": "windows-2025",
-      "base_image_version": "26100.32522.260306",
+      "base_image_version": "26100.32690.260413",
       "patches_to_apply": []
     },
     "23H2": {
       "os_disk_size": "35",
       "base_image_sku": "23h2-datacenter-core",
       "windows_image_name": "windows-23H2",
-      "base_image_version": "25398.2207.260303",
+      "base_image_version": "25398.2274.260411",
       "patches_to_apply": []
     },
     "23H2-gen2": {
       "os_disk_size": "35",
       "base_image_sku": "23h2-datacenter-core-g2",
       "windows_image_name": "windows-23H2",
-      "base_image_version": "25398.2207.260303",
+      "base_image_version": "25398.2274.260411",
       "patches_to_apply": []
     }
   },