Swiftv2 Long running cluster - test pipeline (#4099)

* init swiftv2 pipeline for persistent tests on aks clusters.

* Set default params.

* Update pipeline.yaml for Azure Pipelines

* long running pipeline infra setup.

* Set depedencies for pipeline jobs.

* template for long running cluster.

* set template.

* set dependency for jobs.

* Change job name.

* Set job scripts.

* set pipeline scripts with permissions.

* set script path.

* set template params.

* Set pipeline template for long running clusters.

* test change.

* set params.

* set params in pipeline scripts.

* set cx vnet name.

* Create clusters parallely

* create NSG.

* Change dependency for creating nsg.

* Update .pipelines/swiftv2-long-running/scripts/create_peerings.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: sivakami-projects <126191544+sivakami-projects@users.noreply.github.com>

* Update .pipelines/swiftv2-long-running/scripts/create_nsg.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: sivakami-projects <126191544+sivakami-projects@users.noreply.github.com>

* Add success/error message for each resource creation.

* Remove unused argument from template.

* Rename subnets. Changed NSG rules to prevent network connectivity between vnet 1 subnet 1 and vnet 1 subnet2.

* Private endpoints.

* Change pipeline template.

* Set output variables.

* private endpoint.

* update private endpoint.

* create storage account.

* disallow shared key access.

* change pipeline template.

* Removed unused param.

* Link private endpoint dns to vnet a2 and vnet a3.

* attach nsg rule to subnets.

* Link nsg with subnet.

* Private endpoint fix - long running pipeline.

* Verify each resource creation - long running cluster test pipeline.

* verify storage account creation.

* use make tragets to create aks clusters.

* misc.

* set aks custom headers.

* Use aks common field in swiftv2-podsubnet-cluster creation.

---------

Signed-off-by: sivakami-projects <126191544+sivakami-projects@users.noreply.github.com>
Co-authored-by: sivakami <sivakamis@microsoft.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

.pipelines/swiftv2-long-running/pipeline.yaml

@@ -0,0 +1,42 @@
+trigger: none
+
+parameters:
+  - name: subscriptionId
+    displayName: "Azure Subscription ID"
+    type: string
+    default: "37deca37-c375-4a14-b90a-043849bd2bf1"
+
+  - name: location
+    displayName: "Deployment Region"
+    type: string
+    default: "centraluseuap"
+
+  - name: resourceGroupName
+    displayName: "Resource Group Name"
+    type: string
+    default: "long-run-$(Build.BuildId)"
+
+  - name: vmSkuDefault
+    displayName: "VM SKU for Default Node Pool"
+    type: string
+    default: "Standard_D2s_v3"
+
+  - name: vmSkuHighNIC
+    displayName: "VM SKU for High NIC Node Pool"
+    type: string
+    default: "Standard_D16s_v3"
+
+  - name: serviceConnection
+    displayName: "Azure Service Connection"
+    type: string
+    default: "Azure Container Networking - Standalone Test Service Connection"
+
+extends:
+  template: template/long-running-pipeline-template.yaml
+  parameters:
+    subscriptionId: ${{ parameters.subscriptionId }}
+    location: ${{ parameters.location }}
+    resourceGroupName: ${{ parameters.resourceGroupName }}
+    vmSkuDefault: ${{ parameters.vmSkuDefault }}
+    vmSkuHighNIC: ${{ parameters.vmSkuHighNIC }}
+    serviceConnection: ${{ parameters.serviceConnection }}

.pipelines/swiftv2-long-running/scripts/create_aks.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+set -euo pipefail
+trap 'echo "[ERROR] Failed during Resource group or AKS cluster creation." >&2' ERR
+SUBSCRIPTION_ID=$1
+LOCATION=$2
+RG=$3
+VM_SKU_DEFAULT=$4
+VM_SKU_HIGHNIC=$5
+
+CLUSTER_COUNT=2                               
+CLUSTER_PREFIX="aks"                          
+DEFAULT_NODE_COUNT=1                               
+COMMON_TAGS="fastpathenabled=true RGOwner=LongRunningTestPipelines stampcreatorserviceinfo=true"
+
+wait_for_provisioning() {                      # Helper for safe retry/wait for provisioning states (basic)
+  local rg="$1" clusterName="$2"                     
+  echo "Waiting for AKS '$clusterName' in RG '$rg' to reach Succeeded/Failed (polling)..."
+  while :; do
+    state=$(az aks show --resource-group "$rg" --name "$clusterName" --query provisioningState -o tsv 2>/dev/null || true)
+    if [ -z "$state" ]; then
+      sleep 3
+      continue
+    fi
+    case "$state" in
+      Succeeded|Succeeded*) echo "Provisioning state: $state"; break ;;
+      Failed|Canceled|Rejected) echo "Provisioning finished with state: $state"; break ;;
+      *) printf "."; sleep 6 ;;
+    esac
+  done
+}
+
+
+for i in $(seq 1 "$CLUSTER_COUNT"); do
+  echo "=============================="
+  echo " Working on cluster set #$i"
+  echo "=============================="
+  
+  CLUSTER_NAME="${CLUSTER_PREFIX}-${i}"
+  echo "Creating AKS cluster '$CLUSTER_NAME' in RG '$RG'"
+
+  make -C ./hack/aks azcfg AZCLI=az REGION=$LOCATION
+
+  make -C ./hack/aks swiftv2-podsubnet-cluster-up \
+  AZCLI=az REGION=$LOCATION \
+  SUB=$SUBSCRIPTION_ID \
+  GROUP=$RG \
+  CLUSTER=$CLUSTER_NAME \
+  NODE_COUNT=$DEFAULT_NODE_COUNT \
+  VM_SIZE=$VM_SKU_DEFAULT \
+
+  echo " - waiting for AKS provisioning state..."
+  wait_for_provisioning "$RG" "$CLUSTER_NAME"
+
+  echo "Adding multi-tenant nodepool ' to '$CLUSTER_NAME'"
+  make -C ./hack/aks linux-swiftv2-nodepool-up \
+  AZCLI=az REGION=$LOCATION \
+  GROUP=$RG \
+  VM_SIZE=$VM_SKU_HIGHNIC \
+  CLUSTER=$CLUSTER_NAME \
+  SUB=$SUBSCRIPTION_ID \
+
+done
+echo "All done. Created $CLUSTER_COUNT cluster set(s)."

.pipelines/swiftv2-long-running/scripts/create_nsg.sh

@@ -0,0 +1,109 @@
+#!/usr/bin/env bash
+set -e
+trap 'echo "[ERROR] Failed during NSG creation or rule setup." >&2' ERR
+
+SUBSCRIPTION_ID=$1
+RG=$2
+LOCATION=$3
+
+VNET_A1="cx_vnet_a1"
+SUBNET1_PREFIX="10.10.1.0/24"
+SUBNET2_PREFIX="10.10.2.0/24"
+NSG_NAME="${VNET_A1}-nsg"
+
+verify_nsg() {
+  local rg="$1"; local name="$2"
+  echo "==> Verifying NSG: $name"
+  if az network nsg show -g "$rg" -n "$name" &>/dev/null; then
+    echo "[OK] Verified NSG $name exists."
+  else
+    echo "[ERROR] NSG $name not found!" >&2
+    exit 1
+  fi
+}
+
+verify_nsg_rule() {
+  local rg="$1"; local nsg="$2"; local rule="$3"
+  echo "==> Verifying NSG rule: $rule in $nsg"
+  if az network nsg rule show -g "$rg" --nsg-name "$nsg" -n "$rule" &>/dev/null; then
+    echo "[OK] Verified NSG rule $rule exists in $nsg."
+  else
+    echo "[ERROR] NSG rule $rule not found in $nsg!" >&2
+    exit 1
+  fi
+}
+
+verify_subnet_nsg_association() {
+  local rg="$1"; local vnet="$2"; local subnet="$3"; local nsg="$4"
+  echo "==> Verifying NSG association on subnet $subnet..."
+  local associated_nsg
+  associated_nsg=$(az network vnet subnet show -g "$rg" --vnet-name "$vnet" -n "$subnet" --query "networkSecurityGroup.id" -o tsv 2>/dev/null || echo "")
+  if [[ "$associated_nsg" == *"$nsg"* ]]; then
+    echo "[OK] Verified subnet $subnet is associated with NSG $nsg."
+  else
+    echo "[ERROR] Subnet $subnet is NOT associated with NSG $nsg!" >&2
+    exit 1
+  fi
+}
+
+# -------------------------------
+#  1. Create NSG
+# -------------------------------
+echo "==> Creating Network Security Group: $NSG_NAME"
+az network nsg create -g "$RG" -n "$NSG_NAME" -l "$LOCATION" --output none \
+  && echo "[OK] NSG '$NSG_NAME' created."
+verify_nsg "$RG" "$NSG_NAME"
+
+# -------------------------------
+#  2. Create NSG Rules
+# -------------------------------
+echo "==> Creating NSG rule to DENY traffic from Subnet1 ($SUBNET1_PREFIX) to Subnet2 ($SUBNET2_PREFIX)"
+az network nsg rule create \
+  --resource-group "$RG" \
+  --nsg-name "$NSG_NAME" \
+  --name deny-subnet1-to-subnet2 \
+  --priority 100 \
+  --source-address-prefixes "$SUBNET1_PREFIX" \
+  --destination-address-prefixes "$SUBNET2_PREFIX" \
+  --direction Inbound \
+  --access Deny \
+  --protocol "*" \
+  --description "Deny all traffic from Subnet1 to Subnet2" \
+  --output none \
+  && echo "[OK] Deny rule from Subnet1 → Subnet2 created."
+
+verify_nsg_rule "$RG" "$NSG_NAME" "deny-subnet1-to-subnet2"
+
+echo "==> Creating NSG rule to DENY traffic from Subnet2 ($SUBNET2_PREFIX) to Subnet1 ($SUBNET1_PREFIX)"
+az network nsg rule create \
+  --resource-group "$RG" \
+  --nsg-name "$NSG_NAME" \
+  --name deny-subnet2-to-subnet1 \
+  --priority 200 \
+  --source-address-prefixes "$SUBNET2_PREFIX" \
+  --destination-address-prefixes "$SUBNET1_PREFIX" \
+  --direction Inbound \
+  --access Deny \
+  --protocol "*" \
+  --description "Deny all traffic from Subnet2 to Subnet1" \
+  --output none \
+  && echo "[OK] Deny rule from Subnet2 → Subnet1 created."
+
+verify_nsg_rule "$RG" "$NSG_NAME" "deny-subnet2-to-subnet1"
+
+# -------------------------------
+#  3. Associate NSG with Subnets
+# -------------------------------
+for SUBNET in s1 s2; do
+  echo "==> Associating NSG $NSG_NAME with subnet $SUBNET"
+  az network vnet subnet update \
+    --name "$SUBNET" \
+    --vnet-name "$VNET_A1" \
+    --resource-group "$RG" \
+    --network-security-group "$NSG_NAME" \
+    --output none
+  verify_subnet_nsg_association "$RG" "$VNET_A1" "$SUBNET" "$NSG_NAME"
+done
+
+echo "NSG '$NSG_NAME' created successfully with bidirectional isolation between Subnet1 and Subnet2."
+

.pipelines/swiftv2-long-running/scripts/create_pe.sh

@@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+set -e
+trap 'echo "[ERROR] Failed during Private Endpoint or DNS setup." >&2' ERR
+
+SUBSCRIPTION_ID=$1
+LOCATION=$2
+RG=$3
+SA1_NAME=$4  # Storage account 1
+
+VNET_A1="cx_vnet_a1"
+VNET_A2="cx_vnet_a2"
+VNET_A3="cx_vnet_a3"
+SUBNET_PE_A1="pe"
+PE_NAME="${SA1_NAME}-pe"
+PRIVATE_DNS_ZONE="privatelink.blob.core.windows.net"
+
+# -------------------------------
+#  Function: Verify Resource Exists
+# -------------------------------
+verify_dns_zone() {
+  local rg="$1"; local zone="$2"
+  echo "==> Verifying Private DNS zone: $zone"
+  if az network private-dns zone show -g "$rg" -n "$zone" &>/dev/null; then
+    echo "[OK] Verified DNS zone $zone exists."
+  else
+    echo "[ERROR] DNS zone $zone not found!" >&2
+    exit 1
+  fi
+}
+
+verify_dns_link() {
+  local rg="$1"; local zone="$2"; local link="$3"
+  echo "==> Verifying DNS link: $link for zone $zone"
+  if az network private-dns link vnet show -g "$rg" --zone-name "$zone" -n "$link" &>/dev/null; then
+    echo "[OK] Verified DNS link $link exists."
+  else
+    echo "[ERROR] DNS link $link not found!" >&2
+    exit 1
+  fi
+}
+
+verify_private_endpoint() {
+  local rg="$1"; local name="$2"
+  echo "==> Verifying Private Endpoint: $name"
+  if az network private-endpoint show -g "$rg" -n "$name" &>/dev/null; then
+    echo "[OK] Verified Private Endpoint $name exists."
+  else
+    echo "[ERROR] Private Endpoint $name not found!" >&2
+    exit 1
+  fi
+}
+
+# 1. Create Private DNS zone
+echo "==> Creating Private DNS zone: $PRIVATE_DNS_ZONE"
+az network private-dns zone create -g "$RG" -n "$PRIVATE_DNS_ZONE" --output none \
+  && echo "[OK] DNS zone $PRIVATE_DNS_ZONE created."
+
+verify_dns_zone "$RG" "$PRIVATE_DNS_ZONE"
+
+# 2. Link DNS zone to VNet
+for VNET in "$VNET_A1" "$VNET_A2" "$VNET_A3"; do
+  LINK_NAME="${VNET}-link"
+  echo "==> Linking DNS zone $PRIVATE_DNS_ZONE to VNet $VNET"
+  az network private-dns link vnet create \
+    -g "$RG" -n "$LINK_NAME" \
+    --zone-name "$PRIVATE_DNS_ZONE" \
+    --virtual-network "$VNET" \
+    --registration-enabled false \
+    --output none \
+    && echo "[OK] Linked DNS zone to $VNET."
+  verify_dns_link "$RG" "$PRIVATE_DNS_ZONE" "$LINK_NAME"
+done
+
+# 3. Create Private Endpoint
+echo "==> Creating Private Endpoint for Storage Account: $SA1_NAME"
+SA1_ID=$(az storage account show -g "$RG" -n "$SA1_NAME" --query id -o tsv)
+az network private-endpoint create \
+  -g "$RG" -n "$PE_NAME" -l "$LOCATION" \
+  --vnet-name "$VNET_A1" --subnet "$SUBNET_PE_A1" \
+  --private-connection-resource-id "$SA1_ID" \
+  --group-id blob \
+  --connection-name "${PE_NAME}-conn" \
+  --output none \
+  && echo "[OK] Private Endpoint $PE_NAME created for $SA1_NAME."
+verify_private_endpoint "$RG" "$PE_NAME"
+
+echo "All Private DNS and Endpoint resources created and verified successfully."

.pipelines/swiftv2-long-running/scripts/create_peerings.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -e
+trap 'echo "[ERROR] Failed during VNet peering creation." >&2' ERR
+
+RG=$1
+VNET_A1="cx_vnet_a1"
+VNET_A2="cx_vnet_a2"
+VNET_A3="cx_vnet_a3"
+VNET_B1="cx_vnet_b1"
+
+verify_peering() {
+  local rg="$1"; local vnet="$2"; local peering="$3"
+  echo "==> Verifying peering $peering on $vnet..."
+  if az network vnet peering show -g "$rg" --vnet-name "$vnet" -n "$peering" --query "peeringState" -o tsv | grep -q "Connected"; then
+    echo "[OK] Peering $peering on $vnet is Connected."
+  else
+    echo "[ERROR] Peering $peering on $vnet not found or not Connected!" >&2
+    exit 1
+  fi
+}
+
+peer_two_vnets() {
+  local rg="$1"; local v1="$2"; local v2="$3"; local name12="$4"; local name21="$5"
+  echo "==> Peering $v1 <-> $v2"
+  az network vnet peering create -g "$rg" -n "$name12" --vnet-name "$v1" --remote-vnet "$v2" --allow-vnet-access --output none \
+    && echo "Created peering $name12"
+  az network vnet peering create -g "$rg" -n "$name21" --vnet-name "$v2" --remote-vnet "$v1" --allow-vnet-access --output none \
+    && echo "Created peering $name21"
+
+  # Verify both peerings are active
+  verify_peering "$rg" "$v1" "$name12"
+  verify_peering "$rg" "$v2" "$name21"
+}
+
+peer_two_vnets "$RG" "$VNET_A1" "$VNET_A2" "A1-to-A2" "A2-to-A1"
+peer_two_vnets "$RG" "$VNET_A2" "$VNET_A3" "A2-to-A3" "A3-to-A2"
+peer_two_vnets "$RG" "$VNET_A1" "$VNET_A3" "A1-to-A3" "A3-to-A1"
+echo "All VNet peerings created and verified successfully."

.pipelines/swiftv2-long-running/scripts/create_storage.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+set -e
+trap 'echo "[ERROR] Failed during Storage Account creation." >&2' ERR
+
+SUBSCRIPTION_ID=$1
+LOCATION=$2
+RG=$3
+
+RAND=$(openssl rand -hex 4)
+SA1="sa1${RAND}"
+SA2="sa2${RAND}"
+
+# Set subscription context
+az account set --subscription "$SUBSCRIPTION_ID"
+
+# Create storage accounts
+for SA in "$SA1" "$SA2"; do
+  echo "==> Creating storage account $SA"
+  az storage account create \
+    --name "$SA" \
+    --resource-group "$RG" \
+    --location "$LOCATION" \
+    --sku Standard_LRS \
+    --kind StorageV2 \
+    --allow-blob-public-access false \
+    --allow-shared-key-access false \
+    --https-only true \
+    --min-tls-version TLS1_2 \
+    --query "name" -o tsv \
+  && echo "Storage account $SA created successfully."
+  # Verify creation success
+  echo "==> Verifying storage account $SA exists..."
+  if az storage account show --name "$SA" --resource-group "$RG" &>/dev/null; then
+    echo "[OK] Storage account $SA verified successfully."
+  else
+    echo "[ERROR] Storage account $SA not found after creation!" >&2
+    exit 1
+  fi
+done
+
+echo "All storage accounts created and verified successfully."
+
+# Set pipeline output variables
+set +x
+echo "##vso[task.setvariable variable=StorageAccount1;isOutput=true]$SA1"
+echo "##vso[task.setvariable variable=StorageAccount2;isOutput=true]$SA2"
+set -x