feat: add ACL VHD build, provisioning, and e2e support

[aadhar-agarwal]

What this PR does / why we need it:

Add ACL (Azure Container Linux) support

Summary

Adds Azure Container Linux (ACL) support across VHD build, provisioning/customData, SIG image config, and e2e validation.

Changes

• New supported target: Add ACL (Azure Container Linux) as a new target
• Provisioning behavior: Enable node bootstrap on ACL, while keeping ACL ignition-based
• SIG/API: Expose ACL SIG image config and honor linux node image version overrides for ACL (same model as other distros).
• VHD build: Add Packer template + pipeline wiring to build/publish ACL images.
• Validation: Add e2e coverage for ACL

Testing

• ACL AgentBaker E2Es - https://msazure.visualstudio.com/CloudNativeCompute/_build/results?buildId=155454994&view=results

Which issue(s) this PR fixes:

Fixes #

[Copilot]

Pull request overview

Adds Azure Container Linux (ACL) Gen2 as a first-class distro across the VHD build pipeline, AgentBaker customData/provisioning, SIG image config exposure, and e2e validation.

Changes:

• Introduces an ACL Packer template + ignition (Butane) customdata and wires it into build pipelines and packer tooling.
• Extends AgentBaker datamodel/API/customData generation to recognize ACL (including SIG config + node image version overrides).
• Adds/updates e2e scenarios and validators to cover ACL (scripted + scriptless), plus adjusts provisioning scripts for ACL CA-trust/chrony behavior.

Reviewed changes

Copilot reviewed 43 out of 115 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
vhdbuilder/scripts/linux/acl/tool_installs_acl.sh	Adds ACL-specific tool install stubs and chrony/timesyncd handling for VHD build.
vhdbuilder/packer/vhd-scanning.sh	Adds isACL and excludes ACL from CIS scanning.
vhdbuilder/packer/vhd-image-builder-acl.json	New Packer template for building/publishing ACL Gen2 images.
vhdbuilder/packer/trivy-scan.sh	Treats AzureContainerLinux like Flatcar for azure-cli install via venv; minor formatting fixes.
vhdbuilder/packer/test/run-test.sh	Ensures IMG_SKU defaults to empty (needed for ACL pipeline template).
vhdbuilder/packer/test/linux-vhd-content-test.sh	Updates test conditions to recognize ACL behavior (git, chrony, IG, etc.).
vhdbuilder/packer/pre-install-dependencies.sh	Adds ACL handling for permissions/logging/rsyslog/waagent conf.
vhdbuilder/packer/post-install-dependencies.sh	Adds ACL disk sizing behavior (like Flatcar).
vhdbuilder/packer/packer_source.sh	Updates file-copy logic for ACL (PAM files, NOTICE, IG skip, etc.).
vhdbuilder/packer/install-ig.sh	Skips IG installation during VHD build for ACL.
vhdbuilder/packer/install-dependencies.sh	Adds ACL-specific VHD-build behaviors (iptables/resolved adjustments, sysext download path).
vhdbuilder/packer/cis-report.sh	Treats ACL like Flatcar for azure-cli PATH/venv assumptions.
vhdbuilder/packer/acl-customdata.yaml	New Butane ignition config for ACL VHD builds.
vhdbuilder/packer/acl-customdata.json	Generated ignition JSON for ACL builds.
pkg/agent/variables.go	Adds ACL distro script variables and disables cloud-init-only redact step for ACL.
pkg/agent/testdata/ACL/CustomData	New ACL ignition customData snapshot.
pkg/agent/testdata/ACL/CSECommand	New ACL CSE command snapshot.
pkg/agent/testdata/ACL+CustomCloud/CSECommand	New ACL + custom cloud CSE command snapshot.
pkg/agent/testdata/ACL+CustomCloud+USSec/CSECommand	New ACL + custom cloud + USSec CSE command snapshot.
pkg/agent/datamodel/types_test.go	Adds tests for IsACL and ACL vs Flatcar behavior.
pkg/agent/datamodel/types.go	Adds AKSACLGen2 distro, ACL detection helpers, and NodeBootstrappingConfiguration.IsACL().
pkg/agent/datamodel/sig_config_test.go	Extends SIG config tests to include ACL gallery/config.
pkg/agent/datamodel/sig_config.go	Adds ACL SIG image config plumbing and AvailableACLDistros.
pkg/agent/datamodel/const.go	Adds OSSKUAzureContainerLinux.
pkg/agent/const.go	Adds embedded ACL-specific CSE helper/install script paths.
pkg/agent/bakerapi_test.go	Extends API tests for SIG config and version overrides to include ACL.
pkg/agent/bakerapi.go	Includes ACL SIG configs in returned distro map and lookup.
pkg/agent/baker_test.go	Adds ACL test entries and handles base64 decoding for ACL ignition customData.
pkg/agent/baker.go	Treats ACL like Flatcar for ignition encoding, cgroupv2, and disables customData for ACL.
parts/linux/cloud-init/nodecustomdata.yml	Adds ACL branches for distro-specific helper/install payloads and skips cloud-init-only artifacts for ACL.
parts/linux/cloud-init/artifacts/init-aks-custom-cloud.sh	Adds ACL OS detection and CA trust handling for custom cloud init.
parts/linux/cloud-init/artifacts/init-aks-custom-cloud-operation-requests.sh	Adds ACL OS detection and CA trust handling for operation-requests flow.
parts/linux/cloud-init/artifacts/cse_helpers.sh	Adds ACL_OS_NAME, isACL, and ACL package URI fallback logic.
parts/linux/cloud-init/artifacts/cse_config.sh	Adds ACL CA-trust paths and ensures PMC install gating excludes ACL like Flatcar.
parts/linux/cloud-init/artifacts/cis.sh	Skips Ubuntu-only CIS hardening steps for ACL.
parts/linux/cloud-init/artifacts/acl/update_certs.service	New ACL systemd unit for custom CA trust update.
parts/linux/cloud-init/artifacts/acl/cse_install_acl.sh	New ACL distro install script (sysext-based kubelet/kubectl/credential provider install).
parts/linux/cloud-init/artifacts/acl/cse_helpers_acl.sh	New ACL distro helpers stub file.
packer.mk	Adds ACL build target and ACL ignition generation target.
e2e/validators.go	Adjusts kernel log patterns to ignore ACL-specific benign strings.
e2e/scenario_test.go	Adds ACL e2e scenarios (scripted/scriptless/custom CA/AzureCNI/chrony restart/disable SSH/TLS fallback).
e2e/node_config.go	Disables customData for ACL in aks-node-controller config and wires ACL SIG gallery config into templates.
e2e/config/vhd.go	Adds ACL VHD definition (VHDACLGen2).
.pipelines/templates/.builder-release-template.yaml	Excludes ACL from SKU_NAME containerd suffix logic.
.pipelines/.vsts-vhd-builder-release.yaml	Adds a new buildaclgen2 release job with ACL-specific build variables.

[Copilot]

Pull request overview

Copilot reviewed 43 out of 115 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 42 out of 114 changed files in this pull request and generated 2 comments.

[aadhar-agarwal]

• The AgentBaker E2E PR check is failing for the ACL tests I added. It is failing with the error:
  could not find image for VHD aks-acl-gen2-tl due to failed to get latest image by tag branch=refs/heads/main: not found

  • This makes sense as the ACL VHD is a new image type being added in this PR, so it doesn't exist in the SIG gallery yet (no version tagged branch=refs/heads/main). Any thoughts on how to handle this PR check?

  • For reference, the AgentBaker E2Es are passing in [TEST All VHDs] AKS Linux VHD Build - Msft Tenant since it uses the built image to test with

• The AgentBaker Windows E2E is also failing with a similar error:
  failing scenario "Test_Windows2019AzureNetwork": could not find image for VHD aks-windows-2019-containerd due to failed to get latest image by tag branch=refs/heads/main: not found

[Copilot]

Pull request overview

Copilot reviewed 42 out of 114 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 42 out of 114 changed files in this pull request and generated no new comments.