test: mirror credentials config tests in credential provider config

Author: supershal

pkg/handlers/generic/mutation/imageregistries/credentials/credential_provider_config_files.go

@@ -52,7 +52,7 @@ func (c providerConfig) isCredentialsEmpty() bool {
 		c.Password == ""
 }
 
-func templateFilesForImageCredentialProviderConfigs(config providerConfig) ([]cabpkv1.File, error) {
+func templateFilesForImageCredentialProviderConfigs(config providerConfig, mirror *mirrorConfig) ([]cabpkv1.File, error) {
 	var files []cabpkv1.File
 
 	kubeletCredentialProviderConfigFile, err := templateKubeletCredentialProviderConfig()
@@ -65,6 +65,7 @@ func templateFilesForImageCredentialProviderConfigs(config providerConfig) ([]ca
 
 	kubeletDynamicCredentialProviderConfigFile, err := templateDynamicCredentialProviderConfig(
 		config,
+		mirror,
 	)
 	if err != nil {
 		return nil, err
@@ -100,6 +101,7 @@ func templateKubeletCredentialProviderConfig() (*cabpkv1.File, error) {
 
 func templateDynamicCredentialProviderConfig(
 	config providerConfig,
+	mirror *mirrorConfig,
 ) (*cabpkv1.File, error) {
 	registryURL, err := url.ParseRequestURI(config.URL)
 	if err != nil {
@@ -137,11 +139,13 @@ func templateDynamicCredentialProviderConfig(
 		ProviderBinary     string
 		ProviderArgs       []string
 		ProviderAPIVersion string
+		Mirror             *mirrorConfig
 	}{
 		RegistryHost:       registryHostWithPath,
 		ProviderBinary:     providerBinary,
 		ProviderArgs:       providerArgs,
 		ProviderAPIVersion: providerAPIVersion,
+		Mirror:             mirror,
 	}
 
 	return fileFromTemplate(t, templateInput, kubeletDynamicCredentialProviderConfigOnRemote)

pkg/handlers/generic/mutation/imageregistries/credentials/credential_provider_config_files_test.go

@@ -99,6 +99,7 @@ func Test_templateDynamicCredentialProviderConfig(t *testing.T) {
 	tests := []struct {
 		name        string
 		credentials providerConfig
+		mirror      *mirrorConfig
 		want        *cabpkv1.File
 		wantErr     error
 	}{
@@ -189,6 +190,73 @@ credentialProviders:
 `,
 			},
 		},
+
+		{
+			name:        "ECR image registry used as mirror",
+			credentials: providerConfig{URL: "https://123456789.dkr.ecr.us-east-1.amazonaws.com"},
+			mirror:      &mirrorConfig{},
+			want: &cabpkv1.File{
+				Path:        "/etc/kubernetes/dynamic-credential-provider-config.yaml",
+				Owner:       "",
+				Permissions: "0600",
+				Encoding:    "",
+				Append:      false,
+				Content: `apiVersion: credentialprovider.d2iq.com/v1alpha1
+kind: DynamicCredentialProviderConfig
+mirror:
+  endpoint: "123456789.dkr.ecr.us-east-1.amazonaws.com"
+  credentialsStrategy: "MirrorCredentialsOnly"
+credentialProviderPluginBinDir: /etc/kubernetes/image-credential-provider/
+credentialProviders:
+  apiVersion: kubelet.config.k8s.io/v1beta1
+  kind: CredentialProviderConfig
+  providers:
+  - name: ecr-credential-provider
+    args:
+    - get-credentials
+    matchImages:
+    - "123456789.dkr.ecr.us-east-1.amazonaws.com"
+    defaultCacheDuration: "0s"
+    apiVersion: credentialprovider.kubelet.k8s.io/v1alpha1
+`,
+			},
+		},
+		{
+			name: "image registry with static credentials used as mirror",
+			credentials: providerConfig{
+				URL:      "https://myregistry.com",
+				Username: "myuser",
+				Password: "mypassword",
+			},
+			mirror: &mirrorConfig{
+				CACert: "my-ca-cert",
+			},
+			want: &cabpkv1.File{
+				Path:        "/etc/kubernetes/dynamic-credential-provider-config.yaml",
+				Owner:       "",
+				Permissions: "0600",
+				Encoding:    "",
+				Append:      false,
+				Content: `apiVersion: credentialprovider.d2iq.com/v1alpha1
+kind: DynamicCredentialProviderConfig
+mirror:
+  endpoint: "myregistry.com"
+  credentialsStrategy: "MirrorCredentialsOnly"
+credentialProviderPluginBinDir: /etc/kubernetes/image-credential-provider/
+credentialProviders:
+  apiVersion: kubelet.config.k8s.io/v1beta1
+  kind: CredentialProviderConfig
+  providers:
+  - name: static-credential-provider
+    args:
+    - /etc/kubernetes/static-image-credentials.json
+    matchImages:
+    - "myregistry.com"
+    defaultCacheDuration: "0s"
+    apiVersion: credentialprovider.kubelet.k8s.io/v1beta1
+`,
+			},
+		},
 		{
 			name: "error for a registry with no credentials",
 			credentials: providerConfig{
@@ -201,7 +269,7 @@ credentialProviders:
 		tt := tests[idx]
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
-			file, err := templateDynamicCredentialProviderConfig(tt.credentials)
+			file, err := templateDynamicCredentialProviderConfig(tt.credentials, tt.mirror)
 			assert.ErrorIs(t, err, tt.wantErr)
 			assert.Equal(t, tt.want, file)
 		})

pkg/handlers/generic/mutation/imageregistries/credentials/inject.go

@@ -268,7 +268,7 @@ func registryWithOptionalCredentialsFromImageRegistryCredentials(
 
 func generateFilesAndCommands(
 	registryWithOptionalCredentials providerConfig,
-	mirrorConfig mirrorConfig,
+	mirrorConfig *mirrorConfig,
 	imageRegistry v1alpha1.ImageRegistry,
 	objName string,
 ) ([]bootstrapv1.File, []string, error) {
@@ -281,6 +281,7 @@ func generateFilesAndCommands(
 	}
 	imageCredentialProviderConfigFiles, err := templateFilesForImageCredentialProviderConfigs(
 		registryWithOptionalCredentials,
+		mirrorConfig,
 	)
 	if err != nil {
 		return nil, nil, fmt.Errorf(

pkg/handlers/generic/mutation/imageregistries/credentials/mirror.go

@@ -36,8 +36,16 @@ func mirrorFromImageRegistry(
 	c ctrlclient.Client,
 	imageRegistry v1alpha1.ImageRegistry,
 	obj ctrlclient.Object,
-) (mirrorConfig, error) {
-	mirrorWithOptionalCACert := mirrorConfig{
+) (*mirrorConfig, error) {
+	// using the registry as a mirror is supported by including empty mirror object or
+	// mirror with CA certificate to the registry variable.
+	// ex.
+	// - url: https://my-registry.com
+	//   mirror: {}
+	if imageRegistry.Mirror == nil {
+		return nil, nil
+	}
+	mirrorWithOptionalCACert := &mirrorConfig{
 		URL: imageRegistry.URL,
 	}
 	secret, err := secretForMirrorCACert(
@@ -47,7 +55,7 @@ func mirrorFromImageRegistry(
 		obj.GetNamespace(),
 	)
 	if err != nil {
-		return mirrorConfig{}, fmt.Errorf(
+		return &mirrorConfig{}, fmt.Errorf(
 			"error getting secret %s/%s from Image Registry variable: %w",
 			obj.GetNamespace(),
 			imageRegistry.Mirror.SecretRef.Name,
@@ -91,7 +99,10 @@ func secretForMirrorCACert(
 // Default Mirror for all registries. Use a mirror regardless of the intended registry.
 // The upstream registry will be automatically used after all defined mirrors have been tried.
 // reference: https://github.com/containerd/containerd/blob/main/docs/hosts.md#setup-default-mirror-for-all-registries
-func generateDefaultRegistryMirrorFile(mirror mirrorConfig) ([]cabpkv1.File, error) {
+func generateDefaultRegistryMirrorFile(mirror *mirrorConfig) ([]cabpkv1.File, error) {
+	if mirror == nil {
+		return nil, nil
+	}
 	t, err := template.New("").Parse(string(defaultRegistryMirrorPatch))
 	if err != nil {
 		return nil, fmt.Errorf("fail to parse go template for registry mirror: %w", err)
@@ -123,10 +134,10 @@ func generateDefaultRegistryMirrorFile(mirror mirrorConfig) ([]cabpkv1.File, err
 }
 
 func generateMirrorCACertFile(
-	config mirrorConfig,
+	config *mirrorConfig,
 	registry v1alpha1.ImageRegistry,
 ) []cabpkv1.File {
-	if config.CACert == "" {
+	if config == nil || config.CACert == "" {
 		return nil
 	}
 	return []cabpkv1.File{

pkg/handlers/generic/mutation/imageregistries/credentials/mirror_test.go

@@ -17,13 +17,13 @@ func Test_generateDefaultRegistryMirrorFile(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name    string
-		config  mirrorConfig
+		config  *mirrorConfig
 		want    []cabpkv1.File
 		wantErr error
 	}{
 		{
 			name:   "ECR image registry and no CA certificate",
-			config: mirrorConfig{URL: "https://123456789.dkr.ecr.us-east-1.amazonaws.com"},
+			config: &mirrorConfig{URL: "https://123456789.dkr.ecr.us-east-1.amazonaws.com"},
 			want: []cabpkv1.File{
 				{
 					Path:        "/etc/containerd/certs.d/_default/hosts.toml",
@@ -40,7 +40,7 @@ func Test_generateDefaultRegistryMirrorFile(t *testing.T) {
 		},
 		{
 			name: "image registry with CA certificates",
-			config: mirrorConfig{
+			config: &mirrorConfig{
 				URL:    "https://myregistry.com",
 				CACert: "mycacert",
 			},
@@ -75,13 +75,13 @@ func Test_generateMirrorCACertFile(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name     string
-		config   mirrorConfig
+		config   *mirrorConfig
 		registry v1alpha1.ImageRegistry
 		want     []cabpkv1.File
 	}{
 		{
 			name: "Mirror registry with no CA certificate",
-			config: mirrorConfig{
+			config: &mirrorConfig{
 				URL: "https://123456789.dkr.ecr.us-east-1.amazonaws.com",
 			},
 			registry: v1alpha1.ImageRegistry{
@@ -91,7 +91,7 @@ func Test_generateMirrorCACertFile(t *testing.T) {
 		},
 		{
 			name: "Mirror registry with CA certificate",
-			config: mirrorConfig{
+			config: &mirrorConfig{
 				URL:    "https://myregistry.com",
 				CACert: "mycacert",
 			},

pkg/handlers/generic/mutation/imageregistries/credentials/templates/dynamic-credential-provider-config.yaml.gotmpl

@@ -1,5 +1,12 @@
 apiVersion: credentialprovider.d2iq.com/v1alpha1
 kind: DynamicCredentialProviderConfig
+{{- if .Mirror }}
+mirror:
+  {{- with .RegistryHost }}
+  endpoint: {{ printf "%q" . }}
+  {{- end }}
+  credentialsStrategy: "MirrorCredentialsOnly"
+{{- end }}
 credentialProviderPluginBinDir: /etc/kubernetes/image-credential-provider/
 credentialProviders:
   apiVersion: kubelet.config.k8s.io/v1

pkg/handlers/generic/mutation/imageregistries/credentials/tests/generate_patches.go

@@ -37,21 +37,30 @@ func TestGeneratePatches(
 
 	// Server side apply does not work with the fake client, hack around it by pre-creating empty Secrets
 	// https://github.com/kubernetes-sigs/controller-runtime/issues/2341
-	fakeClient.Create(
-		context.Background(),
-		newRegistryCredentialsSecret(validSecretName, request.Namespace),
+	require.NoError(
+		t,
+		fakeClient.Create(
+			context.Background(),
+			newRegistryCredentialsSecret(validSecretName, request.Namespace),
+		),
 	)
 
-	fakeClient.Create(
-		context.Background(),
-		newMirrorSecret(validMirrorSecretName, request.Namespace),
+	require.NoError(
+		t,
+		fakeClient.Create(
+			context.Background(),
+			newMirrorSecret(validMirrorSecretName, request.Namespace),
+		),
 	)
 
-	fakeClient.Create(
-		context.Background(),
-		newEmptySecret(
-			request.KubeadmControlPlaneTemplateRequestObjectName+"-registry-config",
-			request.Namespace,
+	require.NoError(
+		t,
+		fakeClient.Create(
+			context.Background(),
+			newEmptySecret(
+				request.KubeadmControlPlaneTemplateRequestObjectName+"-registry-config",
+				request.Namespace,
+			),
 		),
 	)
 	require.NoError(
@@ -420,7 +429,7 @@ func TestGeneratePatches(
 					variableName,
 					v1alpha1.ImageRegistries{
 						v1alpha1.ImageRegistry{
-							URL: "https://my-registry.io",
+							URL: "https://mirror-registry.com",
 							Credentials: &v1alpha1.ImageCredentials{
 								SecretRef: &corev1.ObjectReference{
 									Name: validSecretName,