Azure · rchincha · Mar 13, 2026 · Mar 16, 2026 · Mar 18, 2026 · Mar 19, 2026
@@ -0,0 +1,16 @@
+name: $(Date:yyyyMMdd)$(Rev:.r)
+variables:
+  TAGS_TO_RUN: "rcv1pcertmode=true"
+  SKIP_E2E_TESTS: false
+  E2E_GO_TEST_TIMEOUT: "75m"
+trigger: none
+pr: none
+jobs:
+  - template: ./templates/e2e-template.yaml
+    parameters:
+      name: RCV1P Cert Mode Tests
+      IgnoreScenariosWithMissingVhd: false
+      variableGroup: ab-e2e-tme-rcv1p
+      # The RCV1P testing subscription does not have platform auto-injection enabled,
+      # so the E2E framework explicitly injects opt-in tags on each VMSS.
+      rcv1pTagsAutoInjected: "false"
@@ -1,4 +1,9 @@
 name: $(Date:yyyyMMdd)$(Rev:.r)
+parameters:
+  - name: subscriptionId
+    type: string
+    displayName: Subscription ID to use for E2E tests (empty = use variable group default)
+    default: ""
 variables:
   SKIP_E2E_TESTS: false
 
@@ -8,4 +13,5 @@ jobs:
       name: Linux Tests
       IgnoreScenariosWithMissingVhd: false
       variableGroup: ab-e2e-tme
+      subscriptionId: ${{ parameters.subscriptionId }}
 
@@ -17,6 +17,9 @@ set -euo pipefail
 az account set -s "${E2E_SUBSCRIPTION_ID}"
 echo "Using subscription ${E2E_SUBSCRIPTION_ID} for e2e tests"
 
+# Map E2E_SUBSCRIPTION_ID to SUBSCRIPTION_ID which the Go test framework reads
+export SUBSCRIPTION_ID="${E2E_SUBSCRIPTION_ID}"
+
 # Setup go
 export GOPATH="$(go env GOPATH)"
 go version

@@ -12,14 +12,24 @@ parameters:
     default: ab-e2e
   - name: subscriptionId
     type: string
-    displayName: Subscription ID to use for E2E tests
-    default: $(E2E_SUBSCRIPTION_ID)
+    displayName: Subscription ID to use for E2E tests (empty = use variable group default)
+    default: ""
+  - name: rcv1pTagsAutoInjected
+    type: string
+    displayName: Whether the platform auto-injects RCV1P opt-in tags on all VMSSes
+    default: "true"
 
 jobs:
   - job: e2e
     condition: and(succeeded(), ne(variables.SKIP_E2E_TESTS, 'true'))
     variables:
       - group: ${{parameters.variableGroup}} # all variables prefixed with E2E_* come from this variable group
+      # When a caller (e.g. aks-rp orchestrator) explicitly passes subscriptionId,
+      # override E2E_SUBSCRIPTION_ID from the variable group so the run targets the
+      # requested subscription (e.g. RCV1P). When empty, keep the variable group default.
+      - ${{ if ne(parameters.subscriptionId, '') }}:
+        - name: E2E_SUBSCRIPTION_ID
+          value: ${{parameters.subscriptionId}}
     pool:
       name: $(E2E_POOL_NAME)
     timeoutInMinutes: 90
@@ -41,13 +51,13 @@ jobs:
             bash .pipelines/scripts/e2e_run.sh
         displayName: Run AgentBaker E2E
         env:
-          E2E_SUBSCRIPTION_ID: ${{parameters.subscriptionId}}
           SYS_SSH_PUBLIC_KEY: $(SYS_SSH_PUBLIC_KEY)
           SYS_SSH_PRIVATE_KEY_B64: $(SYS_SSH_PRIVATE_KEY_B64)
           BUILD_SRC_DIR: $(System.DefaultWorkingDirectory)
           DefaultWorkingDirectory: $(Build.SourcesDirectory)
           VHD_BUILD_ID: $(VHD_BUILD_ID)
           IGNORE_SCENARIOS_WITH_MISSING_VHD: ${{parameters.IgnoreScenariosWithMissingVhd}}
+          RCV1P_TAGS_AUTO_INJECTED: ${{parameters.rcv1pTagsAutoInjected}}
 
       - task: PublishTestResults@2
         displayName: Upload test results

@@ -64,6 +64,7 @@ func getFuncMap() template.FuncMap {
 	return template.FuncMap{
 		"getInitAKSCustomCloudFilepath": getInitAKSCustomCloudFilepath,
 		"getIsAksCustomCloud":           getIsAksCustomCloud,
+		"getCloudLocation":              getCloudLocation,
 	}
 }
 
@@ -538,11 +539,15 @@ func getIsAksCustomCloud(customCloudConfig *aksnodeconfigv1.CustomCloudConfig) b
 	return strings.EqualFold(customCloudConfig.GetCustomCloudEnvName(), helpers.AksCustomCloudName)
 }
 
+func getCloudLocation(v *aksnodeconfigv1.Configuration) string {
+	return strings.ToLower(strings.Join(strings.Fields(v.GetClusterConfig().GetLocation()), ""))
+}
+
 /* GetCloudTargetEnv determines and returns whether the region is a sovereign cloud which
 have their own data compliance regulations (China/Germany/USGov) or standard.  */
 // Azure public cloud.
 func getCloudTargetEnv(v *aksnodeconfigv1.Configuration) string {
-	loc := strings.ToLower(strings.Join(strings.Fields(v.GetClusterConfig().GetLocation()), ""))
+	loc := getCloudLocation(v)
 	switch {
 	case strings.HasPrefix(loc, "china"):
 		return "AzureChinaCloud"

@@ -1,6 +1,7 @@
 echo $(date),$(hostname) > ${PROVISION_OUTPUT};
 {{if getIsAksCustomCloud .CustomCloudConfig}}
 REPO_DEPOT_ENDPOINT="{{.CustomCloudConfig.RepoDepotEndpoint}}"
-{{getInitAKSCustomCloudFilepath}} >> /var/log/azure/cluster-provision.log 2>&1;
 {{end}}
+LOCATION="{{getCloudLocation .}}"
+{{getInitAKSCustomCloudFilepath}} >> /var/log/azure/cluster-provision.log 2>&1;
 /usr/bin/nohup /bin/bash -c "/bin/bash /opt/azure/containers/provision_start.sh"
@@ -210,6 +210,22 @@ func clusterCiliumNetwork(ctx context.Context, request ClusterRequest) (*Cluster
 	return prepareCluster(ctx, model, false, false)
 }
 
+var ClusterRCV1PKubenet = cachedFunc(clusterRCV1PKubenet)
+
+// clusterRCV1PKubenet creates a kubenet cluster for RCV1P cert mode testing.
+func clusterRCV1PKubenet(ctx context.Context, request ClusterRequest) (*Cluster, error) {
+	return prepareCluster(ctx, getKubenetClusterModel("abe2e-rcv1p-kubenet-v1", request.Location, request.K8sSystemPoolSKU), false, false)
+}
+
+var ClusterRCV1PAzureNetwork = cachedFunc(clusterRCV1PAzureNetwork)
+
+// clusterRCV1PAzureNetwork creates an Azure CNI cluster for Windows RCV1P cert mode testing.
+// Windows tests require Azure CNI (not kubenet) because baseTemplateWindows() configures the NBC for
+// Azure CNI overlay mode.
+func clusterRCV1PAzureNetwork(ctx context.Context, request ClusterRequest) (*Cluster, error) {
+	return prepareCluster(ctx, getAzureNetworkClusterModel("abe2e-rcv1p-azure-v1", request.Location, request.K8sSystemPoolSKU), false, false)
+}
+
 // isNotFoundErr checks if an error represents a "not found" response from Azure API
 func isNotFoundErr(err error) bool {
 	var respErr *azcore.ResponseError