fix: nest object under imageRegistries.credentials

Author: dkoshkin

api/v1alpha1/clusterconfig_types.go

@@ -29,9 +29,8 @@ type GenericClusterConfig struct {
 	// +optional
 	ExtraAPIServerCertSANs ExtraAPIServerCertSANs `json:"extraAPIServerCertSANs,omitempty"`
 
-	// TODO: Add support for multiple registries.
 	// +optional
-	ImageRegistryCredentials ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty"`
+	ImageRegistries ImageRegistries `json:"imageRegistries,omitempty"`
 
 	// +optional
 	Addons *Addons `json:"addons,omitempty"`
@@ -51,7 +50,7 @@ func (GenericClusterConfig) VariableSchema() clusterv1.VariableSchema {
 					"",
 				).VariableSchema().
 					OpenAPIV3Schema,
-				"imageRegistryCredentials": ImageRegistryCredentials{}.VariableSchema().OpenAPIV3Schema,
+				"imageRegistries": ImageRegistries{}.VariableSchema().OpenAPIV3Schema,
 			},
 		},
 	}
@@ -181,49 +180,85 @@ func (ExtraAPIServerCertSANs) VariableSchema() clusterv1.VariableSchema {
 	}
 }
 
-// ImageRegistryCredentials required for providing credentials for an image registry URL.
-type ImageRegistryCredentials struct {
-	// Registry URL.
-	URL string `json:"url"`
-
-	// The Secret containing the registry credentials.
-	// The Secret should have keys 'username' and 'password'.
-	// This credentials Secret is not required for some registries, e.g. ECR.
+type ImageRegistries struct {
 	// +optional
-	Secret *corev1.ObjectReference `json:"secretRef,omitempty"`
+	ImageRegistryCredentials ImageRegistryCredentials `json:"credentials,omitempty"`
 }
 
-func (ImageRegistryCredentials) VariableSchema() clusterv1.VariableSchema {
+func (ImageRegistries) VariableSchema() clusterv1.VariableSchema {
 	return clusterv1.VariableSchema{
 		OpenAPIV3Schema: clusterv1.JSONSchemaProps{
-			Description: "Extra Subject Alternative Names for the API Server signing cert",
+			Description: "Configuration for image registries.",
 			Type:        "object",
 			Properties: map[string]clusterv1.JSONSchemaProps{
-				"url": {
-					Description: "Registry URL.",
-					Type:        "string",
-				},
-				"secretRef": {
-					Description: "The Secret containing the registry credentials. " +
-						"The Secret should have keys 'username' and 'password'. " +
-						"This credentials Secret is not required for some registries, e.g. ECR.",
-					Type: "object",
-					Properties: map[string]clusterv1.JSONSchemaProps{
-						"name": {
-							Description: "The name of the Secret containing the registry credentials.",
-							Type:        "string",
-						},
-						"namespace": {
-							Description: "The namespace of the Secret containing the registry credentials. " +
-								"Defaults to the namespace of the KubeadmControlPlaneTemplate and KubeadmConfigTemplate" +
-								" that reference this variable.",
-							Type: "string",
-						},
+				"credentials": imageRegistryCredentialsSchema,
+			},
+		},
+	}
+}
+
+var (
+	imageRegistryCredentialsSchema = clusterv1.JSONSchemaProps{
+		Type:        "array",
+		UniqueItems: true,
+		Items:       &imageRegistryCredentialsResourceSchema,
+	}
+
+	imageRegistryCredentialsResourceSchema = clusterv1.JSONSchemaProps{
+		Description: "Image registry credentials to set up on all Nodes in the cluster. " +
+			"Enabling this will the Kubelets with https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/.",
+		Type: "object",
+		Properties: map[string]clusterv1.JSONSchemaProps{
+			"url": {
+				Description: "Registry URL.",
+				Type:        "string",
+			},
+			"secretRef": {
+				Description: "The Secret containing the registry credentials. " +
+					"The Secret should have keys 'username' and 'password'. " +
+					"This credentials Secret is not required for some registries, e.g. ECR.",
+				Type: "object",
+				Properties: map[string]clusterv1.JSONSchemaProps{
+					"name": {
+						Description: "The name of the Secret containing the registry credentials.",
+						Type:        "string",
+					},
+					"namespace": {
+						Description: "The namespace of the Secret containing the registry credentials. " +
+							"Defaults to the namespace of the KubeadmControlPlaneTemplate and KubeadmConfigTemplate" +
+							" that reference this variable.",
+						Type: "string",
 					},
 				},
 			},
-			Required: []string{"url"},
 		},
+		Required: []string{"url"},
+	}
+)
+
+type ImageRegistryCredentials []ImageRegistryCredentialsResource
+
+func (ImageRegistryCredentials) VariableSchema() clusterv1.VariableSchema {
+	return clusterv1.VariableSchema{
+		OpenAPIV3Schema: imageRegistryCredentialsSchema,
+	}
+}
+
+// ImageRegistryCredentialsResource required for providing credentials for an image registry URL.
+type ImageRegistryCredentialsResource struct {
+	// Registry URL.
+	URL string `json:"url"`
+
+	// The Secret containing the registry credentials.
+	// The Secret should have keys 'username' and 'password'.
+	// This credentials Secret is not required for some registries, e.g. ECR.
+	// +optional
+	Secret *corev1.ObjectReference `json:"secretRef,omitempty"`
+}
+
+func (ImageRegistryCredentialsResource) VariableSchema() clusterv1.VariableSchema {
+	return clusterv1.VariableSchema{
+		OpenAPIV3Schema: imageRegistryCredentialsResourceSchema,
 	}
 }
 

api/v1alpha1/zz_generated.deepcopy.go

@@ -37,7 +37,7 @@ import (
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/etcd"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/extraapiservercertsans"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/httpproxy"
-	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/imageregistrycredentials"
+	imageregistrycredentials "github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/imageregistries/credentials"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/kubernetesimagerepository"
 )
 

cmd/main.go

@@ -39,10 +39,11 @@ spec:
             additionalNo:
               - no-proxy-1.example.com
               - no-proxy-2.example.com
-          imageRegistryCredentials:
-            url: https://my-registry.io
-            secretRef:
-              name: my-registry-credentials
+          imageRegistries:
+            credentials:
+              - url: https://my-registry.io
+                secretRef:
+                  name: my-registry-credentials
           cni:
             provider: calico
 ```

docs/content/customization/_index.md

@@ -1,15 +1,12 @@
 +++
-title = "Image registry credentials"
+title = "Image registries"
 +++
 
-In some network environments it is necessary to use HTTP proxy to successfuly execute HTTP requests.
-To configure Kubernetes components (`containerd`, `kubelet`) to use HTTP proxy use the `httpproxypatch`
-external patch that will generate appropriate configuration for control plane and worker nodes.
+Add image registry configuration to all Nodes in the cluster.
 
-Add image registry credentials to all Nodes in the cluster.
-When this handle is enabled, the handler will add `files` and `preKubeadmnCommands` with configurations for
+When the `credentials` variable is set, `files` and `preKubeadmnCommands` with configurations for
 [Kubelet image credential provider](https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/)
-and [dynamic credential provider](https://github.com/mesosphere/dynamic-credential-provider).
+and [dynamic credential provider](https://github.com/mesosphere/dynamic-credential-provider) will be added.
 
 This customization will be available when the
 [provider-specific cluster configuration patch]({{< ref "..">}}) is included in the `ClusterClass`.
@@ -20,10 +17,10 @@ If your registry requires static credentials, create a Kubernetes Secret with ke
 
 ```shell
 kubectl create secret generic my-registry-credentials \
-  --from-literal username=${REGISTRY_USERNAME} password=${REGISTRY_PASSWORD}
+  --from-literal username=${REGISTRY_USERNAME} --from-literal password=${REGISTRY_PASSWORD}
 ```
 
-On the cluster resource then specify desired image registry credentials:
+To add image registry credentials, specify the following configuration:
 
 ```yaml
 apiVersion: cluster.x-k8s.io/v1beta1
@@ -35,10 +32,11 @@ spec:
     variables:
       - name: clusterConfig
         value:
-          imageRegistryCredentials:
-            url: https://my-registry.io
-            secretRef:
-              name: my-registry-credentials
+          imageRegistries:
+            credentials:
+              - url: https://my-registry.io
+                secretRef:
+                  name: my-registry-credentials
 ```
 
 Applying this configuration will result in new files and preKubeadmCommands

docs/content/customization/generic/image-registry-credentials.md renamed to docs/content/customization/generic/image-registries.md

@@ -0,0 +1,8 @@
+// Copyright 2023 D2iQ, Inc. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package imageregistries
+
+const (
+	VariableName = "imageRegistries"
+)

pkg/handlers/generic/mutation/imageregistries/constants.go

@@ -1,7 +1,7 @@
 // Copyright 2023 D2iQ, Inc. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package imageregistrycredentials
+package credentials
 
 import (
 	"bytes"
@@ -15,7 +15,7 @@ import (
 	credentialproviderv1beta1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1"
 	cabpkv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
 
-	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/imageregistrycredentials/credentialprovider"
+	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/imageregistries/credentials/credentialprovider"
 )
 
 const (
@@ -51,18 +51,18 @@ var (
 	installKubeletCredentialProvidersScript []byte
 )
 
-type imageRegistryCredentials struct {
+type providerInput struct {
 	URL      string
 	Username string
 	Password string
 }
 
-func (c imageRegistryCredentials) isCredentialsEmpty() bool {
+func (c providerInput) isCredentialsEmpty() bool {
 	return c.Username == "" &&
 		c.Password == ""
 }
 
-func templateFilesForImageCredentialProviderConfigs(credentials imageRegistryCredentials) ([]cabpkv1.File, error) {
+func templateFilesForImageCredentialProviderConfigs(credentials providerInput) ([]cabpkv1.File, error) {
 	var files []cabpkv1.File
 
 	kubeletCredentialProviderConfigFile, err := templateKubeletCredentialProviderConfig(credentials)
@@ -84,7 +84,7 @@ func templateFilesForImageCredentialProviderConfigs(credentials imageRegistryCre
 	return files, nil
 }
 
-func templateKubeletCredentialProviderConfig(credentials imageRegistryCredentials) (*cabpkv1.File, error) {
+func templateKubeletCredentialProviderConfig(credentials providerInput) (*cabpkv1.File, error) {
 	return templateCredentialProviderConfig(
 		credentials,
 		imageCredentialProviderConfigPatch,
@@ -94,7 +94,7 @@ func templateKubeletCredentialProviderConfig(credentials imageRegistryCredential
 }
 
 func templateDynamicCredentialProviderConfig(
-	credentials imageRegistryCredentials,
+	credentials providerInput,
 ) (*cabpkv1.File, error) {
 	return templateCredentialProviderConfig(
 		credentials,
@@ -105,15 +105,14 @@ func templateDynamicCredentialProviderConfig(
 }
 
 func templateCredentialProviderConfig(
-	credentials imageRegistryCredentials,
+	credentials providerInput,
 	inputTemplate []byte,
 	filePath string,
 	providerFunc func(
 		hasStaticCredentials bool,
 		host string,
 	) (providerBinary string, providerArgs []string, providerAPIVersion string, err error),
 ) (*cabpkv1.File, error) {
-
 	mirrorURL, err := url.ParseRequestURI(credentials.URL)
 	if err != nil {
 		return nil, fmt.Errorf("failed parsing registry mirror: %w", err)