diff --git a/pkg/handlers/generic/mutation/imageregistries/credentials/credential_provider_config_files.go b/pkg/handlers/generic/mutation/imageregistries/credentials/credential_provider_config_files.go
index 4212d55f3..d7bbc6e7f 100644
--- a/pkg/handlers/generic/mutation/imageregistries/credentials/credential_provider_config_files.go
+++ b/pkg/handlers/generic/mutation/imageregistries/credentials/credential_provider_config_files.go
@@ -100,7 +100,7 @@ func templateFilesForImageCredentialProviderConfigs(
 ) ([]cabpkv1.File, error) {
 var files []cabpkv1.File
 
- kubeletCredentialProviderConfigFile, err := templateKubeletCredentialProviderConfig()
+ kubeletCredentialProviderConfigFile, err := templateKubeletCredentialProviderConfig(configs)
 if err != nil {
 return nil, err
 }
@@ -108,9 +108,7 @@ func templateFilesForImageCredentialProviderConfigs(
 files = append(files, *kubeletCredentialProviderConfigFile)
 }
 
- kubeletDynamicCredentialProviderConfigFile, err := templateDynamicCredentialProviderConfig(
- configs,
- )
+ kubeletDynamicCredentialProviderConfigFile, err := templateDynamicCredentialProviderConfig(configs)
 if err != nil {
 return nil, err
 }
@@ -121,14 +119,31 @@ func templateFilesForImageCredentialProviderConfigs(
 return files, nil
 }
 
-func templateKubeletCredentialProviderConfig() (*cabpkv1.File, error) {
+func templateKubeletCredentialProviderConfig(
+ configs []providerConfig,
+) (*cabpkv1.File, error) {
 providerBinary, providerArgs, providerAPIVersion := kubeletCredentialProvider()
 
+ // In addition to the globs already defined in the template, also include the user provided registries.
+ //
+ // This is needed to match registries with a port and/or a URL path.
+ // From https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/#configure-image-matching
+ registryHosts := make([]string, 0, len(configs))
+ for _, config := range configs {
+ registryHostWithPath, err := config.registryHostWithPath()
+ if err != nil {
+ return nil, err
+ }
+ registryHosts = append(registryHosts, registryHostWithPath)
+ }
+
 templateInput := struct {
+ RegistryHosts []string
 ProviderBinary string
 ProviderArgs []string
 ProviderAPIVersion string
 }{
+ RegistryHosts: registryHosts,
 ProviderBinary: providerBinary,
 ProviderArgs: providerArgs,
 ProviderAPIVersion: providerAPIVersion,
diff --git a/pkg/handlers/generic/mutation/imageregistries/credentials/credential_provider_config_files_test.go b/pkg/handlers/generic/mutation/imageregistries/credentials/credential_provider_config_files_test.go
index ae314901a..75647e5a0 100644
--- a/pkg/handlers/generic/mutation/imageregistries/credentials/credential_provider_config_files_test.go
+++ b/pkg/handlers/generic/mutation/imageregistries/credentials/credential_provider_config_files_test.go
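Review bot: The new loop in `templateKubeletCredentialProviderConfig` appends every `registryHostWithPath()` result verbatim, so two configs naming the same registry produce duplicate `matchImages` entries, and the error it returns says nothing about which config failed. Wrapping it as `return nil, fmt.Errorf("registry host for %q: %w", config.URL, err)` (adding the `fmt` import if the file lacks it) makes the offending URL visible to whoever reads the webhook error, and a small seen-set before `append` would keep the generated file free of repeats; I have not verified whether kubelet rejects duplicate patterns, so treat the deduplication as tidiness rather than a correctness fix. The function also gains a parameter without a doc comment; a line such as `// templateKubeletCredentialProviderConfig renders the kubelet CredentialProviderConfig file, adding each config's registry host (with port and path) to matchImages because the static globs do not cover those.` above the signature would explain why configs is now required. The function body continues past the end of the hunk.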
@@ -15,12 +15,16 @@ func Test_templateKubeletCredentialProviderConfig(t *testing.T) {
 t.Parallel()
 
 tests := []struct {
- name string
- want *cabpkv1.File
- wantErr error
+ name string
+ credentials []providerConfig
+ want *cabpkv1.File
+ wantErr error
 }{
 {
 name: "ECR image registry",
+ credentials: []providerConfig{
+ {URL: "https://123456789.dkr.ecr.us-east-1.amazonaws.com"},
+ },
 want: &cabpkv1.File{
 Path: "/etc/kubernetes/image-credential-provider-config.yaml",
 Owner: "",
@@ -36,6 +40,7 @@ providers:
 - -c
 - /etc/kubernetes/dynamic-credential-provider-config.yaml
 matchImages:
+ - "123456789.dkr.ecr.us-east-1.amazonaws.com"
 - "*"
 - "*.*"
 - "*.*.*"
@@ -49,6 +54,45 @@ providers:
 },
 {
 name: "image registry with static config",
+ credentials: []providerConfig{{
+ URL: "https://myregistry.com:5000/myproject",
+ Username: "myuser",
+ Password: "mypassword",
+ }},
+ want: &cabpkv1.File{
+ Path: "/etc/kubernetes/image-credential-provider-config.yaml",
+ Owner: "",
+ Permissions: "0600",
+ Encoding: "",
+ Append: false,
+ Content: `apiVersion: kubelet.config.k8s.io/v1
+kind: CredentialProviderConfig
+providers:
+- name: dynamic-credential-provider
+ args:
+ - get-credentials
+ - -c
+ - /etc/kubernetes/dynamic-credential-provider-config.yaml
+ matchImages:
+ - "myregistry.com:5000/myproject"
+ - "*"
+ - "*.*"
+ - "*.*.*"
+ - "*.*.*.*"
+ - "*.*.*.*.*"
+ - "*.*.*.*.*.*"
+ defaultCacheDuration: "0s"
+ apiVersion: credentialprovider.kubelet.k8s.io/v1
+`,
+ },
+ },
+ {
+ name: "docker.io registry with static credentials",
+ credentials: []providerConfig{{
+ URL: "https://registry-1.docker.io",
+ Username: "myuser",
+ Password: "mypassword",
+ }},
 want: &cabpkv1.File{
 Path: "/etc/kubernetes/image-credential-provider-config.yaml",
 Owner: "",
@@ -64,6 +108,8 @@ providers:
 - -c
 - /etc/kubernetes/dynamic-credential-provider-config.yaml
 matchImages:
+ - "registry-1.docker.io"
+ - "docker.io"
 - "*"
 - "*.*"
 - "*.*.*"
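Review bot: None of the new cases sets `wantErr`, so the only error path this change adds to `templateKubeletCredentialProviderConfig` — a failing `registryHostWithPath()` call — is never exercised by `Test_templateKubeletCredentialProviderConfig`; `require.ErrorIs(t, err, tt.wantErr)` compares against nil in every case. If `registryHostWithPath()` rejects some input (an unparseable `URL`, for instance), a case with that input, the expected error in `wantErr` and `want: nil` would pin that the error propagates instead of producing a partial file. Every new `credentials` value also holds a single entry, so the placement of several user registries ahead of the static globs is not covered; one case with two configs would close that gap.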
@@ -80,7 +126,7 @@ providers:
 tt := tests[idx]
 t.Run(tt.name, func(t *testing.T) {
 t.Parallel()
- file, err := templateKubeletCredentialProviderConfig()
+ file, err := templateKubeletCredentialProviderConfig(tt.credentials)
 require.ErrorIs(t, err, tt.wantErr)
 assert.Equal(t, tt.want, file)
 })
@@ -127,7 +173,7 @@ credentialProviders:
 {
 name: "image registry with static credentials",
 credentials: []providerConfig{{
- URL: "https://myregistry.com",
+ URL: "https://myregistry.com:5000/myproject",
 Username: "myuser",
 Password: "mypassword",
 }},
@@ -148,7 +194,7 @@ credentialProviders:
 args:
 - /etc/kubernetes/static-image-credentials.json
 matchImages:
- - "myregistry.com"
+ - "myregistry.com:5000/myproject"
 defaultCacheDuration: "0s"
 apiVersion: credentialprovider.kubelet.k8s.io/v1
 `,
diff --git a/pkg/handlers/generic/mutation/imageregistries/credentials/templates/kubelet-image-credential-provider-config.yaml.gotmpl b/pkg/handlers/generic/mutation/imageregistries/credentials/templates/kubelet-image-credential-provider-config.yaml.gotmpl
index 3f0510213..674e84dc6 100644
--- a/pkg/handlers/generic/mutation/imageregistries/credentials/templates/kubelet-image-credential-provider-config.yaml.gotmpl
+++ b/pkg/handlers/generic/mutation/imageregistries/credentials/templates/kubelet-image-credential-provider-config.yaml.gotmpl
@@ -9,6 +9,14 @@ providers:
 {{- end }}
 {{- end }}
 matchImages:
+ {{- range .RegistryHosts}}
+ {{- with . }}
+ - {{ printf "%q" . }}
+ {{- if eq . "registry-1.docker.io" }}
+ - "docker.io"
+ {{- end }}
+ {{- end }}
+ {{- end }}
 - "*"
 - "*.*"
 - "*.*.*"
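Review bot: The Docker Hub alias is decided in the template with an exact `eq . "registry-1.docker.io"`, but the values it ranges over are `registryHostWithPath()` results, which the test file shows keep a path (`myregistry.com:5000/myproject`); if that holds for Docker Hub too, a config of `https://registry-1.docker.io/v2` would get no `docker.io` entry while `https://registry-1.docker.io` would, and the template cannot express a prefix match. Deciding the alias in Go where `registryHosts` is assembled, and appending `docker.io` as a second host there, keeps the rule next to the host parsing, lets `Test_templateKubeletCredentialProviderConfig` and a plain unit test cover it, and leaves the template a straight `range`. Whichever side keeps the rule, a short template comment such as `{{/* user registries first: the globs below do not match hosts with a port or path */}}` above the `range` would tell the next reader why these entries exist at all. The surrounding provider entry starts and ends outside the hunk.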