fix: CredentialProviderConfig matchImages to support registries with port (#724)

**What problem does this PR solve?**:
While debugging another issue where I launched a local registry in a
container at `https://172.18.0.10:5000`, I noticed that Deployments with
an image in that registry failed:
```
  Warning  Failed     7m14s (x4 over 8m47s)   kubelet            Failed to pull image "172.18.0.10:5000/library/nginx:latest": failed to pull and unpack image "172.18.0.10:5000/library/nginx:latest": failed to resolve reference "172.18.0.10:5000/library/nginx:latest": pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials
```

This is because of a bug in how `matchImages` in
`CredentialProviderConfig` was generated, the globs don't match images
with a port or a path. This PR fixes that by explicitly including the
user provided registries in `matchImages`.

**Which issue(s) this PR fixes**:
Fixes #

**How Has This Been Tested?**:
<!--
Please describe the tests that you ran to verify your changes.
Provide output from the tests and any manual steps needed to replicate
the tests.
-->
* Updated unit tests

**Special notes for your reviewer**:
<!--
Use this to provide any additional information to the reviewers.
This may include:
- Best way to review the PR.
- Where the author wants the most review attention on.
- etc.
-->

Author: dkoshkin

pkg/handlers/generic/mutation/imageregistries/credentials/credential_provider_config_files.go

@@ -100,17 +100,15 @@ func templateFilesForImageCredentialProviderConfigs(
 ) ([]cabpkv1.File, error) {
 	var files []cabpkv1.File
 
-	kubeletCredentialProviderConfigFile, err := templateKubeletCredentialProviderConfig()
+	kubeletCredentialProviderConfigFile, err := templateKubeletCredentialProviderConfig(configs)
 	if err != nil {
 		return nil, err
 	}
 	if kubeletCredentialProviderConfigFile != nil {
 		files = append(files, *kubeletCredentialProviderConfigFile)
 	}
 
-	kubeletDynamicCredentialProviderConfigFile, err := templateDynamicCredentialProviderConfig(
-		configs,
-	)
+	kubeletDynamicCredentialProviderConfigFile, err := templateDynamicCredentialProviderConfig(configs)
 	if err != nil {
 		return nil, err
 	}
@@ -121,14 +119,31 @@ func templateFilesForImageCredentialProviderConfigs(
 	return files, nil
 }
 
-func templateKubeletCredentialProviderConfig() (*cabpkv1.File, error) {
+func templateKubeletCredentialProviderConfig(
+	configs []providerConfig,
+) (*cabpkv1.File, error) {
 	providerBinary, providerArgs, providerAPIVersion := kubeletCredentialProvider()
 
+	// In addition to the globs already defined in the template, also include the user provided registries.
+	//
+	// This is needed to match registries with a port and/or a URL path.
+	// From https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/#configure-image-matching
+	registryHosts := make([]string, 0, len(configs))
+	for _, config := range configs {
+		registryHostWithPath, err := config.registryHostWithPath()
+		if err != nil {
+			return nil, err
+		}
+		registryHosts = append(registryHosts, registryHostWithPath)
+	}
+
 	templateInput := struct {
+		RegistryHosts      []string
 		ProviderBinary     string
 		ProviderArgs       []string
 		ProviderAPIVersion string
 	}{
+		RegistryHosts:      registryHosts,
 		ProviderBinary:     providerBinary,
 		ProviderArgs:       providerArgs,
 		ProviderAPIVersion: providerAPIVersion,

pkg/handlers/generic/mutation/imageregistries/credentials/credential_provider_config_files_test.go

@@ -15,12 +15,16 @@ func Test_templateKubeletCredentialProviderConfig(t *testing.T) {
 	t.Parallel()
 
 	tests := []struct {
-		name    string
-		want    *cabpkv1.File
-		wantErr error
+		name        string
+		credentials []providerConfig
+		want        *cabpkv1.File
+		wantErr     error
 	}{
 		{
 			name: "ECR image registry",
+			credentials: []providerConfig{
+				{URL: "https://123456789.dkr.ecr.us-east-1.amazonaws.com"},
+			},
 			want: &cabpkv1.File{
 				Path:        "/etc/kubernetes/image-credential-provider-config.yaml",
 				Owner:       "",
@@ -36,6 +40,7 @@ providers:
   - -c
   - /etc/kubernetes/dynamic-credential-provider-config.yaml
   matchImages:
+  - "123456789.dkr.ecr.us-east-1.amazonaws.com"
   - "*"
   - "*.*"
   - "*.*.*"
@@ -49,6 +54,45 @@ providers:
 		},
 		{
 			name: "image registry with static config",
+			credentials: []providerConfig{{
+				URL:      "https://myregistry.com:5000/myproject",
+				Username: "myuser",
+				Password: "mypassword",
+			}},
+			want: &cabpkv1.File{
+				Path:        "/etc/kubernetes/image-credential-provider-config.yaml",
+				Owner:       "",
+				Permissions: "0600",
+				Encoding:    "",
+				Append:      false,
+				Content: `apiVersion: kubelet.config.k8s.io/v1
+kind: CredentialProviderConfig
+providers:
+- name: dynamic-credential-provider
+  args:
+  - get-credentials
+  - -c
+  - /etc/kubernetes/dynamic-credential-provider-config.yaml
+  matchImages:
+  - "myregistry.com:5000/myproject"
+  - "*"
+  - "*.*"
+  - "*.*.*"
+  - "*.*.*.*"
+  - "*.*.*.*.*"
+  - "*.*.*.*.*.*"
+  defaultCacheDuration: "0s"
+  apiVersion: credentialprovider.kubelet.k8s.io/v1
+`,
+			},
+		},
+		{
+			name: "docker.io registry with static credentials",
+			credentials: []providerConfig{{
+				URL:      "https://registry-1.docker.io",
+				Username: "myuser",
+				Password: "mypassword",
+			}},
 			want: &cabpkv1.File{
 				Path:        "/etc/kubernetes/image-credential-provider-config.yaml",
 				Owner:       "",
@@ -64,6 +108,8 @@ providers:
   - -c
   - /etc/kubernetes/dynamic-credential-provider-config.yaml
   matchImages:
+  - "registry-1.docker.io"
+  - "docker.io"
   - "*"
   - "*.*"
   - "*.*.*"
@@ -80,7 +126,7 @@ providers:
 		tt := tests[idx]
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
-			file, err := templateKubeletCredentialProviderConfig()
+			file, err := templateKubeletCredentialProviderConfig(tt.credentials)
 			require.ErrorIs(t, err, tt.wantErr)
 			assert.Equal(t, tt.want, file)
 		})
@@ -127,7 +173,7 @@ credentialProviders:
 		{
 			name: "image registry with static credentials",
 			credentials: []providerConfig{{
-				URL:      "https://myregistry.com",
+				URL:      "https://myregistry.com:5000/myproject",
 				Username: "myuser",
 				Password: "mypassword",
 			}},
@@ -148,7 +194,7 @@ credentialProviders:
     args:
     - /etc/kubernetes/static-image-credentials.json
     matchImages:
-    - "myregistry.com"
+    - "myregistry.com:5000/myproject"
     defaultCacheDuration: "0s"
     apiVersion: credentialprovider.kubelet.k8s.io/v1
 `,

pkg/handlers/generic/mutation/imageregistries/credentials/templates/kubelet-image-credential-provider-config.yaml.gotmpl

@@ -9,6 +9,14 @@ providers:
   {{- end }}
   {{- end }}
   matchImages:
+  {{- range .RegistryHosts}}
+  {{- with . }}
+  - {{ printf "%q" . }}
+  {{- if eq . "registry-1.docker.io" }}
+  - "docker.io"
+  {{- end }}
+  {{- end }}
+  {{- end }}
   - "*"
   - "*.*"
   - "*.*.*"