feat: global image registry mirror variable

Author: supershal

api/v1alpha1/clusterconfig_types.go

@@ -90,6 +90,9 @@ type GenericClusterConfig struct {
 	// +optional
 	ImageRegistries ImageRegistries `json:"imageRegistries,omitempty"`
 
+	// +optional
+	GlobalImageRegistryMirror *GlobalImageRegistryMirror `json:"globalImageRegistryMirror,omitempty"`
+
 	// +optional
 	Addons *Addons `json:"addons,omitempty"`
 }
@@ -108,7 +111,8 @@ func (s GenericClusterConfig) VariableSchema() clusterv1.VariableSchema { //noli
 					"",
 				).VariableSchema().
 					OpenAPIV3Schema,
-				"imageRegistries": ImageRegistries{}.VariableSchema().OpenAPIV3Schema,
+				"imageRegistries":           ImageRegistries{}.VariableSchema().OpenAPIV3Schema,
+				"globalImageRegistryMirror": GlobalImageRegistryMirror{}.VariableSchema().OpenAPIV3Schema,
 			},
 		},
 	}
@@ -240,7 +244,7 @@ func (ExtraAPIServerCertSANs) VariableSchema() clusterv1.VariableSchema {
 
 type ImageCredentials struct {
 	// The Secret containing the registry credentials and CA certificate
-	// The Secret should have keys 'username', 'password' and 'caCert'
+	// The Secret should have keys 'username', 'password' and 'ca.crt'
 	// This credentials Secret is not required for some registries, e.g. ECR.
 	// +optional
 	SecretRef *corev1.ObjectReference `json:"secretRef,omitempty"`
@@ -253,7 +257,7 @@ func (ImageCredentials) VariableSchema() clusterv1.VariableSchema {
 			Properties: map[string]clusterv1.JSONSchemaProps{
 				"secretRef": {
 					Description: "The Secret containing the registry credentials. " +
-						"The Secret should have keys 'username', 'password'. " +
+						"The Secret should have keys 'username', 'password' and 'ca.crt' " +
 						"This credentials Secret is not required for some registries, e.g. ECR.",
 					Type: "object",
 					Properties: map[string]clusterv1.JSONSchemaProps{
@@ -274,37 +278,28 @@ func (ImageCredentials) VariableSchema() clusterv1.VariableSchema {
 	}
 }
 
-type RegistryMirror struct {
-	// The secret containing CA certificate for the registry mirror.
-	// The secret should have 'ca.crt' key
+// GlobalImageRegistryMirror sets default mirror configuration for all the image registries.
+type GlobalImageRegistryMirror struct {
+	// Registry URL.
+	URL string `json:"url"`
+
+	// Credentials and CA certificate for the image registry mirror
 	// +optional
-	SecretRef *corev1.ObjectReference `json:"secretRef,omitempty"`
+	Credentials *ImageCredentials `json:"credentials,omitempty"`
 }
 
-func (RegistryMirror) VariableSchema() clusterv1.VariableSchema {
+func (GlobalImageRegistryMirror) VariableSchema() clusterv1.VariableSchema {
 	return clusterv1.VariableSchema{
 		OpenAPIV3Schema: clusterv1.JSONSchemaProps{
 			Type: "object",
 			Properties: map[string]clusterv1.JSONSchemaProps{
-				"secretRef": {
-					Description: "The Secret containing the registry CA certificate. " +
-						"The Secret should have keys 'ca.crt'. " +
-						"This credentials Secret is not required for public registries.",
-					Type: "object",
-					Properties: map[string]clusterv1.JSONSchemaProps{
-						"name": {
-							Description: "The name of the Secret containing the registry CA certificate.",
-							Type:        "string",
-						},
-						"namespace": {
-							Description: "The namespace of the Secret containing the registry CA certificate. " +
-								"Defaults to the namespace of the KubeadmControlPlaneTemplate and KubeadmConfigTemplate" +
-								" that reference this variable.",
-							Type: "string",
-						},
-					},
+				"url": {
+					Description: "Registry mirror URL.",
+					Type:        "string",
 				},
+				"credentials": ImageCredentials{}.VariableSchema().OpenAPIV3Schema,
 			},
+			Required: []string{"url"},
 		},
 	}
 }
@@ -313,13 +308,9 @@ type ImageRegistry struct {
 	// Registry URL.
 	URL string `json:"url"`
 
-	// Credentials for the image registry
+	// Credentials and CA certificate for the image registry
 	// +optional
 	Credentials *ImageCredentials `json:"credentials,omitempty"`
-
-	// Use this registry as a mirror
-	// +optional
-	Mirror *RegistryMirror `json:"mirror,omitempty"`
 }
 
 func (ImageRegistry) VariableSchema() clusterv1.VariableSchema {
@@ -332,7 +323,6 @@ func (ImageRegistry) VariableSchema() clusterv1.VariableSchema {
 					Type:        "string",
 				},
 				"credentials": ImageCredentials{}.VariableSchema().OpenAPIV3Schema,
-				"mirror":      RegistryMirror{}.VariableSchema().OpenAPIV3Schema,
 			},
 			Required: []string{"url"},
 		},

api/v1alpha1/zz_generated.deepcopy.go

@@ -38,6 +38,8 @@ import (
 	imageregistrycredentialstests "github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/imageregistries/credentials/tests"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/kubernetesimagerepository"
 	kubernetesimagerepositorytests "github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/kubernetesimagerepository/tests"
+	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/mirrors"
+	globalimageregistrymirrortests "github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/mirrors/tests"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/workerconfig"
 )
 
@@ -156,12 +158,12 @@ func TestGeneratePatches(t *testing.T) {
 		imageregistries.VariableName,
 	)
 
-	imageregistrycredentialstests.TestGenerateMirrorPatches(
+	globalimageregistrymirrortests.TestGeneratePatches(
 		t,
 		metaPatchGeneratorFunc(mgr),
 		mgr.GetClient(),
 		clusterconfig.MetaVariableName,
-		imageregistries.VariableName,
+		mirrors.GlobalMirrorVariableName,
 	)
 
 	amitests.TestControlPlaneGeneratePatches(

pkg/handlers/aws/mutation/metapatch_handler_test.go

@@ -28,6 +28,8 @@ import (
 	imageregistrycredentialstests "github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/imageregistries/credentials/tests"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/kubernetesimagerepository"
 	kubernetesimagerepositorytests "github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/kubernetesimagerepository/tests"
+	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/mirrors"
+	globalimageregistrymirrortests "github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/mirrors/tests"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/workerconfig"
 )
 
@@ -113,11 +115,11 @@ func TestGeneratePatches(t *testing.T) {
 		imageregistries.VariableName,
 	)
 
-	imageregistrycredentialstests.TestGenerateMirrorPatches(
+	globalimageregistrymirrortests.TestGeneratePatches(
 		t,
 		metaPatchGeneratorFunc(mgr),
 		mgr.GetClient(),
 		clusterconfig.MetaVariableName,
-		imageregistries.VariableName,
+		mirrors.GlobalMirrorVariableName,
 	)
 }

pkg/handlers/docker/mutation/metapatch_handler_test.go

@@ -14,6 +14,7 @@ import (
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/httpproxy"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/imageregistries/credentials"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/kubernetesimagerepository"
+	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation/mirrors"
 )
 
 // MetaMutators returns all generic patch handlers.
@@ -25,6 +26,7 @@ func MetaMutators(mgr manager.Manager) []mutation.MetaMutator {
 		httpproxy.NewPatch(mgr.GetClient()),
 		kubernetesimagerepository.NewPatch(),
 		credentials.NewPatch(mgr.GetClient()),
+		mirrors.NewPatch(mgr.GetClient()),
 		calico.NewPatch(),
 	}
 }

pkg/handlers/generic/mutation/handlers.go

@@ -52,10 +52,7 @@ func (c providerConfig) isCredentialsEmpty() bool {
 		c.Password == ""
 }
 
-func templateFilesForImageCredentialProviderConfigs(
-	config providerConfig,
-	mirror *mirrorConfig,
-) ([]cabpkv1.File, error) {
+func templateFilesForImageCredentialProviderConfigs(config providerConfig) ([]cabpkv1.File, error) {
 	var files []cabpkv1.File
 
 	kubeletCredentialProviderConfigFile, err := templateKubeletCredentialProviderConfig()
@@ -68,7 +65,6 @@ func templateFilesForImageCredentialProviderConfigs(
 
 	kubeletDynamicCredentialProviderConfigFile, err := templateDynamicCredentialProviderConfig(
 		config,
-		mirror,
 	)
 	if err != nil {
 		return nil, err
@@ -104,7 +100,6 @@ func templateKubeletCredentialProviderConfig() (*cabpkv1.File, error) {
 
 func templateDynamicCredentialProviderConfig(
 	config providerConfig,
-	mirror *mirrorConfig,
 ) (*cabpkv1.File, error) {
 	registryURL, err := url.ParseRequestURI(config.URL)
 	if err != nil {
@@ -142,13 +137,11 @@ func templateDynamicCredentialProviderConfig(
 		ProviderBinary     string
 		ProviderArgs       []string
 		ProviderAPIVersion string
-		Mirror             *mirrorConfig
 	}{
 		RegistryHost:       registryHostWithPath,
 		ProviderBinary:     providerBinary,
 		ProviderArgs:       providerArgs,
 		ProviderAPIVersion: providerAPIVersion,
-		Mirror:             mirror,
 	}
 
 	return fileFromTemplate(t, templateInput, kubeletDynamicCredentialProviderConfigOnRemote)

pkg/handlers/generic/mutation/imageregistries/credentials/credential_provider_config_files.go

@@ -99,7 +99,6 @@ func Test_templateDynamicCredentialProviderConfig(t *testing.T) {
 	tests := []struct {
 		name        string
 		credentials providerConfig
-		mirror      *mirrorConfig
 		want        *cabpkv1.File
 		wantErr     error
 	}{
@@ -190,73 +189,6 @@ credentialProviders:
 `,
 			},
 		},
-
-		{
-			name:        "ECR image registry used as mirror",
-			credentials: providerConfig{URL: "https://123456789.dkr.ecr.us-east-1.amazonaws.com"},
-			mirror:      &mirrorConfig{},
-			want: &cabpkv1.File{
-				Path:        "/etc/kubernetes/dynamic-credential-provider-config.yaml",
-				Owner:       "",
-				Permissions: "0600",
-				Encoding:    "",
-				Append:      false,
-				Content: `apiVersion: credentialprovider.d2iq.com/v1alpha1
-kind: DynamicCredentialProviderConfig
-mirror:
-  endpoint: "123456789.dkr.ecr.us-east-1.amazonaws.com"
-  credentialsStrategy: "MirrorCredentialsOnly"
-credentialProviderPluginBinDir: /etc/kubernetes/image-credential-provider/
-credentialProviders:
-  apiVersion: kubelet.config.k8s.io/v1
-  kind: CredentialProviderConfig
-  providers:
-  - name: ecr-credential-provider
-    args:
-    - get-credentials
-    matchImages:
-    - "123456789.dkr.ecr.us-east-1.amazonaws.com"
-    defaultCacheDuration: "0s"
-    apiVersion: credentialprovider.kubelet.k8s.io/v1
-`,
-			},
-		},
-		{
-			name: "image registry with static credentials used as mirror",
-			credentials: providerConfig{
-				URL:      "https://myregistry.com",
-				Username: "myuser",
-				Password: "mypassword",
-			},
-			mirror: &mirrorConfig{
-				CACert: "my-ca-cert",
-			},
-			want: &cabpkv1.File{
-				Path:        "/etc/kubernetes/dynamic-credential-provider-config.yaml",
-				Owner:       "",
-				Permissions: "0600",
-				Encoding:    "",
-				Append:      false,
-				Content: `apiVersion: credentialprovider.d2iq.com/v1alpha1
-kind: DynamicCredentialProviderConfig
-mirror:
-  endpoint: "myregistry.com"
-  credentialsStrategy: "MirrorCredentialsOnly"
-credentialProviderPluginBinDir: /etc/kubernetes/image-credential-provider/
-credentialProviders:
-  apiVersion: kubelet.config.k8s.io/v1
-  kind: CredentialProviderConfig
-  providers:
-  - name: static-credential-provider
-    args:
-    - /etc/kubernetes/static-image-credentials.json
-    matchImages:
-    - "myregistry.com"
-    defaultCacheDuration: "0s"
-    apiVersion: credentialprovider.kubelet.k8s.io/v1
-`,
-			},
-		},
 		{
 			name: "error for a registry with no credentials",
 			credentials: providerConfig{
@@ -269,7 +201,7 @@ credentialProviders:
 		tt := tests[idx]
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
-			file, err := templateDynamicCredentialProviderConfig(tt.credentials, tt.mirror)
+			file, err := templateDynamicCredentialProviderConfig(tt.credentials)
 			assert.ErrorIs(t, err, tt.wantErr)
 			assert.Equal(t, tt.want, file)
 		})