Fix ACR MSI cross-subscription authentication error

[norshtein]

What type of PR is this?
/kind bug

What this PR does / why we need it:
Method Provide() in interface DockerConfigProvider now takes image name as its parameter(added in a recent PR #75587). So we can parse the login server from the image name, and then interact with the login server to get docker login credential.
Which issue(s) this PR fixes:

Fixes #67892

Special notes for your reviewer:

Does this PR introduce a user-facing change?: no user-facing change

release note:

fix issue that pull image failed from a cross-subscription Azure Container Registry when using MSI to authenticate

/sig azure
/assign @andyzhangx @feiskyer

[k8s-ci-robot]

Hi @norshtein. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[andyzhangx]

/ok-to-test

[andyzhangx]

could you also check what if ACR is a public repo, does this PR also work? And what if that image is a docker hub image ...

[andyzhangx]

would you use regexp.MustCompile to parse login server, here is an example:

kubernetes/pkg/volume/azure_dd/azure_common.go

Line 216 in 1608578

matches := lunPathRE.FindStringSubmatch(deviceInfo)

And also there should be error handling in case image is an invalid image url

[norshtein]

I have switched to use regular expression. For a public ACR, below code will handle for it
https://github.com/kubernetes/kubernetes/pull/77245/files#diff-65860720abfa0057bc9fe725fde21bedR220 . For other image registries, they will be filtered out.

[andyzhangx]

provide an example format for image address and also print out the original image url in the log

[norshtein]

Added an example in comment

[feiskyer]

should filter out non-ACR images here.

[norshtein]

Code updated.

[feiskyer]

@norshtein Could you also add a unit test for this change?

/priority important-soon

[norshtein]

@norshtein Could you also add a unit test for this change?

/priority important-soon

If the credential type is MSI, it will interact with MSI endpoint to get a token and write the token to DockerConfigEntry: https://github.com/kubernetes/kubernetes/pull/77245/files#diff-65860720abfa0057bc9fe725fde21bedR255 . It is not a static token similar as service principal. Seems it's hard to add unit test for it...

[andyzhangx]

for the unit test, I think you could move following code into a seperate function, e.g. isACRImage:

		// Parse login server from parameter `image`. An example of parameter `image`: foo.azurecr.io/bar/imageName:version
		regEx, err := regexp.Compile(`.*\.azurecr\.io|.*\.azurecr\.cn|.*\.azurecr\.de|.*\.azurecr\.us`)
		if err != nil {
			klog.Error("Unexpected error: failed to construct regular expression: %v", err)
		}
		match := regEx.FindAllString(image, -1)
		if len(match) != 1 {
			klog.V(4).Infof("Found the image is not in acr, will not generate the token using MSI")
		}

Then you could add all kinds of unit tests, that would be testable

[norshtein]

Cool. Thanks for the reminding, will do.

[andyzhangx]

only log error here?

[norshtein]

Please refer to latest commit.

[norshtein]

It would be OK to only log error, the error is not fatal and we can't do anything about it. For the worst case, cfg is not correctly filled and pulling image will fail, which is acceptable.

[andyzhangx]

klog.V(4).Infof("image(%s) is not from ACR, skip MSI authentication", image)

[norshtein]

Updated.

[andyzhangx]

klog.Errorf("getACRDockerEntryFromARMToken(%s) failed with %v", loginServer, err)

[norshtein]

Updated.

[andyzhangx]

pls add a separate unit test, you could refer to follow unit test as example:

kubernetes/staging/src/k8s.io/legacy-cloud-providers/azure/azure_standard_test.go

Line 52 in cf22c56

func TestGetLastSegment(t *testing.T) {

[norshtein]

Added in a new function.

[andyzhangx]

@norshtein I mean also copy the test code style like following, it's more maintainable:

	tests := []struct {
		ID        string
		expected  string
		expectErr bool
	}{
		{
			ID:        "",
			expected:  "",
			expectErr: true,
		},
		{
			ID:        "foo/",
			expected:  "",
			expectErr: true,
		},
		{
			ID:        "foo/bar",
			expected:  "bar",
			expectErr: false,
		},
		{
			ID:        "foo/bar/baz",
			expected:  "baz",
			expectErr: false,
		},
	}

	for _, test := range tests {
		s, e := getLastSegment(test.ID)
		if test.expectErr && e == nil {
			t.Errorf("Expected err, but it was nil")
			continue
		}
		if !test.expectErr && e != nil {
			t.Errorf("Unexpected error: %v", e)
			continue
		}
		if s != test.expected {
			t.Errorf("expected: %s, got %s", test.expected, s)
		}
	}
}

[andyzhangx]

I think use regexp.MustCompile is better, define that var as global, if there is error, it won't pass on e2e test, no need to check error every time:

kubernetes/pkg/volume/azure_dd/azure_common.go

Line 65 in 1608578

lunPathRE = regexp.MustCompile(`/dev/disk/azure/scsi(?:.*)/lun(.+)`)

[andyzhangx]

shall we return error here? If return error, no need to log every error

[andyzhangx]

klog.V(4).Infof is better, V(2) is the dispalying log level by default, it would flush the log file

[andyzhangx]

BTW, pls sqush all commits into one @norshtein

[norshtein]

Updated and rebased. PTAL @andyzhangx

[andyzhangx]

remove this comment since it's already exists in acrRE

[andyzhangx]

looks much better now, one small comment about test coverage.

[andyzhangx]

add test for azurecr.cn

[norshtein]

Added.

[andyzhangx]

/lgtm
@feiskyer do you have any comments?

[feiskyer]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: feiskyer, norshtein

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/credentialprovider/azure/OWNERS [feiskyer]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[norshtein]

Many thanks for reviewing! @andyzhangx @feiskyer 😄

[andyzhangx]

/test pull-kubernetes-kubemark-e2e-gce-big 

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[tedyu]

Should there be a log for len(match) > 1 ?

[norshtein]

The image name is already logged here. len(match) > 1 indicates a wrong image is provided, credential provider can't handle this, in later code flow, no credential will be provided and this error will be caught outside the credential provider when trying to pull the image. Does this make sense?