fix: Correctly configure dynamic credential provider #1040

Merged
merged 3 commits into from
Feb 12, 2025

Conversation

@jimmidyson jimmidyson (Member) commented Feb 10, 2025

Only a single configuration is allowed per provider binary, so match up
the image hosts per binary in the config.

Depends on #1039.
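The constraint behind this fix is that the kubelet's CredentialProviderConfig accepts one entry per provider name (one per plugin binary), so registries that share a binary have to be folded into that entry's matchImages list. The following is an added example, not code from this PR or from the project, showing the merge and the uniqueness check the kubelet enforces; the Provider struct is a re-declaration of the upstream fields for illustration, and the input is a constructed "one entry per host" config of the kind the PR description calls out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Provider re-declares the fields of a kubelet CredentialProviderConfig
// provider entry used here (kubelet.config.k8s.io/v1). It is an illustrative
// copy for this example, not an import of the upstream type.
type Provider struct {
	Name                 string   `json:"name"`
	MatchImages          []string `json:"matchImages"`
	DefaultCacheDuration string   `json:"defaultCacheDuration"`
	APIVersion           string   `json:"apiVersion"`
	Args                 []string `json:"args,omitempty"`
}

type CredentialProviderConfig struct {
	APIVersion string     `json:"apiVersion"`
	Kind       string     `json:"kind"`
	Providers  []Provider `json:"providers"`
}

// ValidateUnique is the constraint the PR works around: only one provider
// entry per name (that is, per plugin binary) is accepted.
func ValidateUnique(ps []Provider) error {
	seen := map[string]bool{}
	for _, p := range ps {
		if seen[p.Name] {
			return fmt.Errorf("duplicate provider name %q", p.Name)
		}
		seen[p.Name] = true
	}
	return nil
}

// MergeProviders collapses entries that share a name into one entry whose
// matchImages is the de-duplicated union, keeping first-seen order. Entries
// for the same binary must agree on args and apiVersion; merging two
// different invocations would silently drop one, so that is an error.
func MergeProviders(in []Provider) ([]Provider, error) {
	var out []Provider
	index := map[string]int{}
	for _, p := range in {
		i, seen := index[p.Name]
		if !seen {
			index[p.Name] = len(out)
			cp := p
			cp.MatchImages = append([]string(nil), p.MatchImages...)
			out = append(out, cp)
			continue
		}
		if !equal(out[i].Args, p.Args) || out[i].APIVersion != p.APIVersion {
			return nil, fmt.Errorf("provider %q configured twice with different args or apiVersion", p.Name)
		}
		out[i].MatchImages = append(out[i].MatchImages, p.MatchImages...)
	}
	for i := range out {
		out[i].MatchImages = dedupe(out[i].MatchImages)
	}
	return out, nil
}

func dedupe(s []string) []string {
	seen := map[string]bool{}
	out := make([]string, 0, len(s))
	for _, v := range s {
		if !seen[v] {
			seen[v] = true
			out = append(out, v)
		}
	}
	return out
}

func equal(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed input: the broken shape, one entry per registry host, all
	// pointing at the same static-credential-provider binary.
	args := []string{"/etc/kubernetes/static-image-credentials.json"}
	broken := []Provider{
		{Name: "static-credential-provider", Args: args, MatchImages: []string{"172.18.0.10:5000"},
			DefaultCacheDuration: "0s", APIVersion: "credentialprovider.kubelet.k8s.io/v1"},
		{Name: "static-credential-provider", Args: args, MatchImages: []string{"docker.io"},
			DefaultCacheDuration: "0s", APIVersion: "credentialprovider.kubelet.k8s.io/v1"},
	}
	fmt.Println("before merge:", ValidateUnique(broken))
	merged, err := MergeProviders(broken)
	if err != nil {
		fmt.Println("merge failed:", err)
		os.Exit(1)
	}
	fmt.Println("after merge:", ValidateUnique(merged))
	cfg := CredentialProviderConfig{APIVersion: "kubelet.config.k8s.io/v1", Kind: "CredentialProviderConfig", Providers: merged}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	_ = enc.Encode(cfg) // JSON is also valid YAML, which keeps this example in the standard library
}
```

Running it prints a duplicate-name error for the input, `<nil>` for the merged result, and a single static-credential-provider entry whose matchImages lists both hosts, which is the shape that appears in the generated files later in this thread.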

@jimmidyson jimmidyson changed the title fix: Correctly configgure dynamic credential provider fix: Correctly configure dynamic credential provider Feb 10, 2025
@github-actions github-actions bot added fix and removed fix labels Feb 10, 2025
dlipovetsky
dlipovetsky previously approved these changes Feb 10, 2025
@jimmidyson jimmidyson force-pushed the jimmi/fix-dynamic-credential-provider-config branch from 187304d to 64f9a83 Compare February 11, 2025 08:56
@github-actions github-actions bot removed the stacked label Feb 11, 2025
@jimmidyson jimmidyson (Member, Author):

UPDATE: No longer depends on #1039.

@github-actions github-actions bot added fix and removed fix labels Feb 11, 2025
@dkoshkin dkoshkin (Contributor) commented Feb 11, 2025

I ran a test with this branch and am seeing the old config, even though this is a stacked PR.

      - content: |
          [host."https://172.18.0.10:5000/v2"]
            ca = "/etc/certs/172.18.0.10:5000.pem"
        path: /etc/containerd/certs.d/_default/hosts.toml
        permissions: "0600"

Rebased with the latest changes from the base branch and am seeing the correct files:

     - content: |2+

        path: /etc/containerd/certs.d/_default/hosts.toml
        permissions: "0600"
      - contentFrom:
          secret:
            key: ca.crt
            name: local-registry
        path: /etc/containerd/certs.d/172.18.0.10:5000/ca.crt
        permissions: "0600"
      - content: |
          apiVersion: credentialprovider.d2iq.com/v1alpha1
          kind: DynamicCredentialProviderConfig
          credentialProviderPluginBinDir: /etc/kubernetes/image-credential-provider/
          credentialProviders:
            apiVersion: kubelet.config.k8s.io/v1
            kind: CredentialProviderConfig
            providers:
            - name: static-credential-provider
              args:
              - /etc/kubernetes/static-image-credentials.json
              matchImages:
              - "172.18.0.10:5000"
              - "docker.io"
              defaultCacheDuration: "0s"
              apiVersion: credentialprovider.kubelet.k8s.io/v1
        path: /etc/kubernetes/dynamic-credential-provider-config.yaml
        permissions: "0600"

@dkoshkin dkoshkin (Contributor):

Mirror config looks good too:

      - content: |
          apiVersion: kubelet.config.k8s.io/v1
          kind: CredentialProviderConfig
          providers:
          - name: dynamic-credential-provider
            args:
            - get-credentials
            - -c
            - /etc/kubernetes/dynamic-credential-provider-config.yaml
            matchImages:
            - "docker.io"
            - "172.18.0.10:5000"
            - "*"
            - "*.*"
            - "*.*.*"
            - "*.*.*.*"
            - "*.*.*.*.*"
            - "*.*.*.*.*.*"
            defaultCacheDuration: "0s"
            apiVersion: credentialprovider.kubelet.k8s.io/v1
        path: /etc/kubernetes/image-credential-provider-config.yaml
        permissions: "0600"
      - content: |
          apiVersion: credentialprovider.d2iq.com/v1alpha1
          kind: DynamicCredentialProviderConfig
          mirror:
            endpoint: 172.18.0.10:5000
            credentialsStrategy: MirrorCredentialsFirst
          credentialProviderPluginBinDir: /etc/kubernetes/image-credential-provider/
          credentialProviders:
            apiVersion: kubelet.config.k8s.io/v1
            kind: CredentialProviderConfig
            providers:
            - name: static-credential-provider
              args:
              - /etc/kubernetes/static-image-credentials.json
              matchImages:
              - "172.18.0.10:5000"
              - "docker.io"
              defaultCacheDuration: "0s"
              apiVersion: credentialprovider.kubelet.k8s.io/v1
        path: /etc/kubernetes/dynamic-credential-provider-config.yaml
        permissions: "0600"
      - contentFrom:
          secret:
            key: static-credential-provider
            name: dkoshkin-mutliple-registires-static-credential-provider-response
        path: /etc/kubernetes/static-image-credentials.json
        permissions: "0600"
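The wildcard ladder in the kubelet-level entry above ("*", "*.*", up to "*.*.*.*.*.*") exists because each glob in a matchImages entry matches exactly one host label, so a single "*" covers only single-label hosts such as localhost and "docker.io" needs "*.*". The following is an added example, not kubelet code or project code, re-implementing the documented matchImages rules (same number of host labels with each label glob-matched on its own, a port in the pattern must equal the image's port, and the pattern path must be a prefix of the image path) and applying them to constructed image references; it assumes fully qualified references and leaves bracketed IPv6 hosts out of scope.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ref is a registry reference reduced to what the matchImages rules look at:
// host labels, optional port, and URL path (tag and digest removed).
type ref struct {
	labels []string
	port   string
	path   string
}

// parseRef splits "host[:port][/path][:tag][@digest]". Inputs are assumed to
// be fully qualified (registry host first); bracketed IPv6 hosts are out of scope.
func parseRef(s string) ref {
	if i := strings.Index(s, "@"); i >= 0 {
		s = s[:i] // drop digest
	}
	hostPort, p := s, ""
	if i := strings.Index(s, "/"); i >= 0 {
		hostPort, p = s[:i], s[i:]
		// A ':' after the last '/' is the tag separator, not a port.
		if j := strings.LastIndex(p, ":"); j >= 0 && !strings.Contains(p[j:], "/") {
			p = p[:j]
		}
	}
	host, port := hostPort, ""
	if i := strings.LastIndex(hostPort, ":"); i >= 0 {
		host, port = hostPort[:i], hostPort[i+1:]
	}
	return ref{labels: strings.Split(host, "."), port: port, path: p}
}

// Matches applies the documented matchImages rules: pattern and image must
// have the same number of host labels and each label must glob-match on its
// own (a '*' never spans a '.'), a port given in the pattern must equal the
// image's port, and the pattern path must be a prefix of the image path.
func Matches(pattern, image string) (bool, error) {
	g, t := parseRef(pattern), parseRef(image)
	if len(g.labels) != len(t.labels) {
		return false, nil
	}
	for i := range g.labels {
		ok, err := path.Match(g.labels[i], t.labels[i])
		if err != nil {
			return false, fmt.Errorf("bad matchImages entry %q: %w", pattern, err)
		}
		if !ok {
			return false, nil
		}
	}
	if g.port != "" && g.port != t.port {
		return false, nil
	}
	return strings.HasPrefix(t.path, g.path), nil
}

// FirstMatch returns the first pattern that covers image, or "" if none does.
// A provider is invoked when any one of its matchImages entries matches.
func FirstMatch(patterns []string, image string) (string, error) {
	for _, pat := range patterns {
		ok, err := Matches(pat, image)
		if err != nil {
			return "", err
		}
		if ok {
			return pat, nil
		}
	}
	return "", nil
}

func main() {
	// Constructed sample: the matchImages list from the dynamic-credential-provider
	// entry above, and image references of different host depths.
	ladder := []string{"docker.io", "172.18.0.10:5000", "*", "*.*", "*.*.*", "*.*.*.*", "*.*.*.*.*", "*.*.*.*.*.*"}
	images := []string{
		"localhost/dev:latest",
		"docker.io/library/nginx:1.25",
		"registry.k8s.io/pause:3.9",
		"172.18.0.10:5000/app@sha256:0123456789abcdef",
		"172.18.0.10:5001/app:1.0",
	}
	for _, img := range images {
		pat, _ := FirstMatch(ladder, img)
		fmt.Printf("%-48s -> %q\n", img, pat)
	}
}
```

The practical consequence for this config: because the outer ladder matches every host up to six labels deep, the dynamic-credential-provider binary is invoked for essentially every image pull, and the decision about which credentials (if any) leave the node is made by the inner static-credential-provider's narrower matchImages list ("172.18.0.10:5000" and "docker.io") together with the mirror credentialsStrategy. That is also why the files carrying those credentials are written with permissions 0600.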

dkoshkin
dkoshkin previously approved these changes Feb 11, 2025
@jimmidyson jimmidyson force-pushed the jimmi/fix-dynamic-credential-provider-config branch from 64f9a83 to 3cb4ac1 Compare February 11, 2025 19:15
Base automatically changed from jimmi/fix-registry-ca-certs to main February 11, 2025 22:49
@dlipovetsky dlipovetsky dismissed stale reviews from dkoshkin and themself February 11, 2025 22:49

The base branch was changed.


This PR/issue depends on:

Only a single configuration is allowed per provider binary, so match up
the image hosts per binary in the config.
@dlipovetsky dlipovetsky force-pushed the jimmi/fix-dynamic-credential-provider-config branch from 4f7cb66 to 5972683 Compare February 11, 2025 23:34
@dlipovetsky dlipovetsky enabled auto-merge (squash) February 11, 2025 23:36
@dlipovetsky dlipovetsky merged commit a4ee08e into main Feb 12, 2025
21 checks passed
@dlipovetsky dlipovetsky deleted the jimmi/fix-dynamic-credential-provider-config branch February 12, 2025 03:21
jimmidyson added a commit that referenced this pull request Feb 12, 2025
🤖 I have created a release *beep* *boop*
---


## 0.27.0 (2025-02-12)

## What's Changed
### Exciting New Features 🎉
* feat: Update COSI controller Addon by @dlipovetsky in
#1043
* feat: Build with Go 1.24.0 by @jimmidyson in
#1047
### Fixes 🔧
* fix: Specify PriorityClass for Node Feature Discovery components by
@dlipovetsky in
#1041
* fix: Correctly configure non-mirror registry certificates by
@jimmidyson in
#1039
* fix: Configure priorityClassName for Cilium Hubble by @dlipovetsky in
#1045
* fix: don't generate empty _default containerd mirror file by @dkoshkin
in
#1042
* fix: set priority class name for metallb by @supershal in
#1046
* fix: Correctly configure dynamic credential provider by @jimmidyson in
#1040


**Full Changelog**:
v0.26.0...v0.27.0

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
4 participants