fix: sort epInfos to process InfraNIC first before EndpointCreate

Move the epInfos sort from network.EndpointCreate to the CNI plugin
layer (cni/network/network.go) after the createEpInfo loop. In stateless
mode, ExternalInterfaces is empty on every ADD so whichever NIC is
processed first determines which interface the network gets bound to. If
DelegatedVMNIC wins the race, SecondaryEndpointClient moves its interface
into the pod namespace, then TransparentEndpointClient fails with
"no such network interface".

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: behzad-mir

cni/network/network.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"net"
 	"regexp"
+	"slices"
 	"strconv"
 	"time"
 
@@ -640,6 +641,24 @@ func (plugin *NetPlugin) Add(args *cniSkel.CmdArgs) error {
 		}
 	}()
 
+	// Sort epInfos so InfraNIC is processed first. In stateless mode, ExternalInterfaces is empty
+	// on every ADD, so whichever NIC is processed first determines which interface the network
+	// gets bound to. If DelegatedVMNIC wins the race, the network gets created with eth1 as extIf.
+	// SecondaryEndpointClient then moves eth1 into the pod namespace, and the subsequent InfraNIC
+	// iteration finds the network bound to that now-gone interface, causing
+	// TransparentEndpointClient.AddEndpoints to fail with "no such network interface".
+	slices.SortStableFunc(epInfos, func(a, b *network.EndpointInfo) int {
+		aIsInfra := a.NICType == cns.InfraNIC || a.NICType == ""
+		bIsInfra := b.NICType == cns.InfraNIC || b.NICType == ""
+		if aIsInfra && !bIsInfra {
+			return -1
+		}
+		if !aIsInfra && bIsInfra {
+			return 1
+		}
+		return 0
+	})
+
 	err = plugin.nm.EndpointCreate(cnsclient, epInfos)
 	if err != nil {
 		return errors.Wrap(err, "failed to create endpoint") // behavior can change if you don't assign to err prior to returning

cni/network/network_linux_test.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net"
 	"regexp"
+	"slices"
 	"testing"
 
 	"github.com/Azure/azure-container-networking/cni"
@@ -794,3 +795,41 @@ func (m *mockInterfaceGetter) GetNetworkInterfaces() ([]net.Interface, error) {
 func (m *mockInterfaceGetter) GetNetworkInterfaceAddrs(_ *net.Interface) ([]net.Addr, error) {
 	return nil, errNotImplemented
 }
+
+func TestSortEpInfosInfraNICFirst(t *testing.T) {
+	// Replicate the sort logic used before EndpointCreate to verify InfraNIC
+	// is always processed first regardless of input order.
+	epInfos := []*network.EndpointInfo{
+		{
+			NICType:    cns.DelegatedVMNIC,
+			EndpointID: "delegated-ep",
+			NetworkID:  network.DefaultNetworkID,
+		},
+		{
+			NICType:    cns.InfraNIC,
+			EndpointID: "infra-ep",
+			NetworkID:  network.DefaultNetworkID,
+		},
+		{
+			NICType:    cns.NodeNetworkInterfaceFrontendNIC,
+			EndpointID: "frontend-ep",
+			NetworkID:  "other",
+		},
+	}
+
+	slices.SortStableFunc(epInfos, func(a, b *network.EndpointInfo) int {
+		aIsInfra := a.NICType == cns.InfraNIC || a.NICType == ""
+		bIsInfra := b.NICType == cns.InfraNIC || b.NICType == ""
+		if aIsInfra && !bIsInfra {
+			return -1
+		}
+		if !aIsInfra && bIsInfra {
+			return 1
+		}
+		return 0
+	})
+
+	assert.Equal(t, cns.InfraNIC, epInfos[0].NICType, "InfraNIC should be sorted first")
+	assert.Equal(t, cns.DelegatedVMNIC, epInfos[1].NICType, "DelegatedVMNIC should come after InfraNIC")
+	assert.Equal(t, cns.NodeNetworkInterfaceFrontendNIC, epInfos[2].NICType, "FrontendNIC should come last")
+}