Merge pull request #111616 from ndixita/credential-api-ga

Move the Kubelet Credential Provider feature to GA and Update the Credential Provider API to GA

api/api-rules/violation_exceptions.list

@@ -349,6 +349,10 @@ API rule violation: list_type_missing,k8s.io/kube-scheduler/config/v1beta2,Exten
 API rule violation: list_type_missing,k8s.io/kube-scheduler/config/v1beta3,ExtenderTLSConfig,CAData
 API rule violation: list_type_missing,k8s.io/kube-scheduler/config/v1beta3,ExtenderTLSConfig,CertData
 API rule violation: list_type_missing,k8s.io/kube-scheduler/config/v1beta3,ExtenderTLSConfig,KeyData
+API rule violation: list_type_missing,k8s.io/kubelet/config/v1,CredentialProvider,Args
+API rule violation: list_type_missing,k8s.io/kubelet/config/v1,CredentialProvider,Env
+API rule violation: list_type_missing,k8s.io/kubelet/config/v1,CredentialProvider,MatchImages
+API rule violation: list_type_missing,k8s.io/kubelet/config/v1,CredentialProviderConfig,Providers
 API rule violation: list_type_missing,k8s.io/kubelet/config/v1alpha1,CredentialProvider,Args
 API rule violation: list_type_missing,k8s.io/kubelet/config/v1alpha1,CredentialProvider,Env
 API rule violation: list_type_missing,k8s.io/kubelet/config/v1alpha1,CredentialProvider,MatchImages

hack/.import-aliases

@@ -45,6 +45,7 @@
   "k8s.io/kubelet/apis/stats/v1alpha1": "kubeletstatsv1alpha1",
   "k8s.io/kubernetes/pkg/controller/apis/config/v1alpha1": "controllerconfigv1alpha1",
   "k8s.io/kubernetes/pkg/kubelet/apis/config/v1beta1": "kubeletconfigv1beta1",
+  "k8s.io/kubernetes/pkg/kubelet/apis/config/v1": "kubeletconfigv1",
   "k8s.io/kubelet/pkg/apis/deviceplugin/v1alpha": "kubeletdevicepluginv1alpha",
   "k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1": "kubeletdevicepluginv1beta1",
   "k8s.io/kubelet/pkg/apis/pluginregistration/v1": "kubeletpluginregistrationv1",

pkg/credentialprovider/plugin/config_test.go

@@ -229,6 +229,52 @@ providers:
 				},
 			},
 		},
+		{
+			name: "v1 config with multiple providers",
+			configData: `---
+kind: CredentialProviderConfig
+apiVersion: kubelet.config.k8s.io/v1
+providers:
+  - name: test1
+    matchImages:
+    - "registry.io/one"
+    defaultCacheDuration: 10m
+    apiVersion: credentialprovider.kubelet.k8s.io/v1
+  - name: test2
+    matchImages:
+    - "registry.io/two"
+    defaultCacheDuration: 10m
+    apiVersion: credentialprovider.kubelet.k8s.io/v1
+    args:
+    - --v=5
+    env:
+    - name: FOO
+      value: BAR`,
+
+			config: &kubeletconfig.CredentialProviderConfig{
+				Providers: []kubeletconfig.CredentialProvider{
+					{
+						Name:                 "test1",
+						MatchImages:          []string{"registry.io/one"},
+						DefaultCacheDuration: &metav1.Duration{Duration: 10 * time.Minute},
+						APIVersion:           "credentialprovider.kubelet.k8s.io/v1",
+					},
+					{
+						Name:                 "test2",
+						MatchImages:          []string{"registry.io/two"},
+						DefaultCacheDuration: &metav1.Duration{Duration: 10 * time.Minute},
+						APIVersion:           "credentialprovider.kubelet.k8s.io/v1",
+						Args:                 []string{"--v=5"},
+						Env: []kubeletconfig.ExecEnvVar{
+							{
+								Name:  "FOO",
+								Value: "BAR",
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "config with wrong Kind",
 			configData: `---

pkg/credentialprovider/plugin/plugin.go

@@ -38,10 +38,12 @@ import (
 	"k8s.io/klog/v2"
 	credentialproviderapi "k8s.io/kubelet/pkg/apis/credentialprovider"
 	"k8s.io/kubelet/pkg/apis/credentialprovider/install"
+	credentialproviderv1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1"
 	credentialproviderv1alpha1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1"
 	credentialproviderv1beta1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1"
 	"k8s.io/kubernetes/pkg/credentialprovider"
 	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
+	kubeletconfigv1 "k8s.io/kubernetes/pkg/kubelet/apis/config/v1"
 	kubeletconfigv1alpha1 "k8s.io/kubernetes/pkg/kubelet/apis/config/v1alpha1"
 	kubeletconfigv1beta1 "k8s.io/kubernetes/pkg/kubelet/apis/config/v1beta1"
 	"k8s.io/utils/clock"
@@ -59,6 +61,7 @@ var (
 	apiVersions = map[string]schema.GroupVersion{
 		credentialproviderv1alpha1.SchemeGroupVersion.String(): credentialproviderv1alpha1.SchemeGroupVersion,
 		credentialproviderv1beta1.SchemeGroupVersion.String():  credentialproviderv1beta1.SchemeGroupVersion,
+		credentialproviderv1.SchemeGroupVersion.String():       credentialproviderv1.SchemeGroupVersion,
 	}
 )
 
@@ -67,6 +70,7 @@ func init() {
 	kubeletconfig.AddToScheme(scheme)
 	kubeletconfigv1alpha1.AddToScheme(scheme)
 	kubeletconfigv1beta1.AddToScheme(scheme)
+	kubeletconfigv1.AddToScheme(scheme)
 }
 
 // RegisterCredentialProviderPlugins is called from kubelet to register external credential provider

pkg/credentialprovider/plugin/plugin_test.go

@@ -30,6 +30,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/client-go/tools/cache"
 	credentialproviderapi "k8s.io/kubelet/pkg/apis/credentialprovider"
+	credentialproviderv1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1"
 	credentialproviderv1alpha1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1"
 	credentialproviderv1beta1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1"
 	"k8s.io/kubernetes/pkg/credentialprovider"
@@ -432,6 +433,16 @@ func Test_encodeRequest(t *testing.T) {
 				Image: "test.registry.io/foobar",
 			},
 			expectedData: []byte(`{"kind":"CredentialProviderRequest","apiVersion":"credentialprovider.kubelet.k8s.io/v1beta1","image":"test.registry.io/foobar"}
+`),
+			expectedErr: false,
+		},
+		{
+			name:       "successful with v1",
+			apiVersion: credentialproviderv1.SchemeGroupVersion,
+			request: &credentialproviderapi.CredentialProviderRequest{
+				Image: "test.registry.io/foobar",
+			},
+			expectedData: []byte(`{"kind":"CredentialProviderRequest","apiVersion":"credentialprovider.kubelet.k8s.io/v1","image":"test.registry.io/foobar"}
 `),
 			expectedErr: false,
 		},
@@ -474,6 +485,23 @@ func Test_decodeResponse(t *testing.T) {
 		expectedResponse *credentialproviderapi.CredentialProviderResponse
 		expectedErr      bool
 	}{
+		{
+			name: "success with v1",
+			data: []byte(`{"kind":"CredentialProviderResponse","apiVersion":"credentialprovider.kubelet.k8s.io/v1","cacheKeyType":"Registry","cacheDuration":"1m","auth":{"*.registry.io":{"username":"user","password":"password"}}}`),
+			expectedResponse: &credentialproviderapi.CredentialProviderResponse{
+				CacheKeyType: credentialproviderapi.RegistryPluginCacheKeyType,
+				CacheDuration: &metav1.Duration{
+					Duration: time.Minute,
+				},
+				Auth: map[string]credentialproviderapi.AuthConfig{
+					"*.registry.io": {
+						Username: "user",
+						Password: "password",
+					},
+				},
+			},
+			expectedErr: false,
+		},
 		{
 			name: "success with v1beta1",
 			data: []byte(`{"kind":"CredentialProviderResponse","apiVersion":"credentialprovider.kubelet.k8s.io/v1beta1","cacheKeyType":"Registry","cacheDuration":"1m","auth":{"*.registry.io":{"username":"user","password":"password"}}}`),

pkg/features/kube_features.go

@@ -446,9 +446,10 @@ const (
 	// yet.
 	JobTrackingWithFinalizers featuregate.Feature = "JobTrackingWithFinalizers"
 
-	// owner: @andrewsykim @adisky
+	// owner: @andrewsykim @adisky @ndixita
 	// alpha: v1.20
 	// beta: v1.24
+	// GA: v1.26
 	//
 	// Enable kubelet exec plugins for image pull credentials.
 	KubeletCredentialProviders featuregate.Feature = "KubeletCredentialProviders"
@@ -911,7 +912,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 
 	JobTrackingWithFinalizers: {Default: true, PreRelease: featuregate.Beta},
 
-	KubeletCredentialProviders: {Default: true, PreRelease: featuregate.Beta},
+	KubeletCredentialProviders: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28
 
 	KubeletInUserNamespace: {Default: false, PreRelease: featuregate.Alpha},
 

pkg/kubelet/apis/config/scheme/scheme.go

@@ -20,6 +20,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
+	kubeletconfigv1 "k8s.io/kubernetes/pkg/kubelet/apis/config/v1"
 	kubeletconfigv1beta1 "k8s.io/kubernetes/pkg/kubelet/apis/config/v1beta1"
 )
 
@@ -36,6 +37,9 @@ func NewSchemeAndCodecs(mutators ...serializer.CodecFactoryOptionsMutator) (*run
 	if err := kubeletconfigv1beta1.AddToScheme(scheme); err != nil {
 		return nil, nil, err
 	}
+	if err := kubeletconfigv1.AddToScheme(scheme); err != nil {
+		return nil, nil, err
+	}
 	codecs := serializer.NewCodecFactory(scheme, mutators...)
 	return scheme, &codecs, nil
 }

pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/after/v1.yaml

@@ -0,0 +1,3 @@
+apiVersion: kubelet.config.k8s.io/v1
+kind: CredentialProviderConfig
+providers: null

pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/before/v1.yaml

@@ -0,0 +1,2 @@
+kind: CredentialProviderConfig
+apiVersion: kubelet.config.k8s.io/v1

pkg/kubelet/apis/config/scheme/testdata/CredentialProviderConfig/roundtrip/default/v1.yaml

@@ -0,0 +1,3 @@
+apiVersion: kubelet.config.k8s.io/v1
+kind: CredentialProviderConfig
+providers: null

pkg/kubelet/apis/config/types.go

@@ -595,6 +595,7 @@ type CredentialProvider struct {
 	// MUST use the same encoding version as the input. Current supported values are:
 	// - credentialprovider.kubelet.k8s.io/v1alpha1
 	// - credentialprovider.kubelet.k8s.io/v1beta1
+	// - credentialprovider.kubelet.k8s.io/v1
 	APIVersion string
 
 	// Arguments to pass to the command when executing it.