OCPBUGS-25662: Add Image Credential Provider flags for Kubelet on AWS

[JoelSpeed]

- What I did
Adds configuration for the ECR credential provider to kubelet on AWS.

Unit tests show new flags being set correctly.

Depends on the ecr-credential-provider RPM shipping in RHCOS, this is currently a WIP.
/hold

- How to verify it
Kubelet should be able to pull an image from a private ECR registry.

- Description for the changelog

[openshift-ci-robot]

@JoelSpeed: This pull request references Jira Issue OCPBUGS-25662, which is invalid:

• expected the bug to target the "4.16.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

- What I did
Adds configuration for the ECR credential provider to kubelet on AWS.

Unit tests show new flags being set correctly.

Depends on the ecr-credential-provider RPM shipping in RHCOS, this is currently a WIP.
/hold

- How to verify it
Kubelet should be able to pull an image from a private ECR registry.

- Description for the changelog

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[JoelSpeed]

/test unit

[damdo]

@JoelSpeed we had a chat about this in the QE sync meeting, and it looks like the CI failures here are not flakes. Do you have a theory on why this is breaking installation on many providers?

[JoelSpeed]

Will need to bring up a cluster and have a look at what's going on to understand why this is breaking, will see if I can jump on that

[cheesesashimi]

question (non-blocking): Would it make more sense to make ecr-credential-provider.yaml part of credentialProviderConfigFlag variable? In other words:

credentialProviderConfigFlag := "--image-credential-provider-config=/etc/kubernetes/credential-providers/ecr-credential-provider.yaml"

Then the return statement would simplify to:

case configv1.AWSPlatformType:
	return fmt.Sprintf("%s %s", credentialProviderBinDirFlag, credentialProviderConfigFlag)

[JoelSpeed]

In the future, this switch will support more platforms.We will want those variables separate so they can be combined in different ways to get the correct flags for the different platforms, I'm expecting the config file name itself to be different per platform

[cheesesashimi]

Got it, thanks for the clarification!

[cheesesashimi]

Overall, this change looks good; modulo the CI failures. I just have a single non-blocking question, but feel free to ignore it if there are more pressing matters.

[theobarberbany]

/test e2e-aws-ovn

[JoelSpeed]

/restest-required

[JoelSpeed]

/jira refresh
/hold cancel

[openshift-ci-robot]

@JoelSpeed: This pull request references Jira Issue OCPBUGS-25662, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.0) matches configured target version for branch (4.16.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yliu127

In response to this:

/jira refresh
/hold cancel

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: yliu127.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

@JoelSpeed: This pull request references Jira Issue OCPBUGS-25662, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.0) matches configured target version for branch (4.16.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yliu127

In response to this:

/jira refresh
/hold cancel

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[JoelSpeed]

/retest-required

[JoelSpeed]

Looks like the OS image still doesn't have the binary in place yet

[sdodson]

The package has made it into RHCOS 416.92.202401170945-0, just need to wait on a 4.16 CI build to bump to that version and be accepted.

[JoelSpeed]

Just checked on the CI builds again, still not updated to a newer RHCOS build yet, I believe there is an issue that ART are working on

[sdodson]

/retest-required
The latest CI build has the RHCOS bump, I'm not entirely sure if the latest build needs to be accepted or not. Possibly the easiest way to tell is just run the job, so here we go.

[sdodson]

e2e-gcp-op-single-node is a known failure due to https://issues.redhat.com/browse/OCPBUGS-26489 when time comes to merge ping me or MCO team to override that test if it's still broken.

[JoelSpeed]

/hold cancel

[cheesesashimi]

/lgtm
/approval
/override e2e-gcp-op-single-node

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cheesesashimi, JoelSpeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [cheesesashimi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@cheesesashimi: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• e2e-gcp-op-single-node

Only the following failed contexts/checkruns were expected:

• ci/prow/bootstrap-unit
• ci/prow/e2e-aws-ovn
• ci/prow/e2e-aws-ovn-upgrade
• ci/prow/e2e-aws-ovn-upgrade-out-of-change
• ci/prow/e2e-azure-ovn-upgrade-out-of-change
• ci/prow/e2e-gcp-op
• ci/prow/e2e-gcp-op-layering
• ci/prow/e2e-gcp-op-single-node
• ci/prow/e2e-hypershift
• ci/prow/images
• ci/prow/okd-images
• ci/prow/okd-scos-e2e-aws-ovn
• ci/prow/okd-scos-images
• ci/prow/unit
• ci/prow/verify
• pull-ci-openshift-machine-config-operator-master-bootstrap-unit
• pull-ci-openshift-machine-config-operator-master-e2e-aws-ovn
• pull-ci-openshift-machine-config-operator-master-e2e-aws-ovn-upgrade
• pull-ci-openshift-machine-config-operator-master-e2e-aws-ovn-upgrade-out-of-change
• pull-ci-openshift-machine-config-operator-master-e2e-azure-ovn-upgrade-out-of-change
• pull-ci-openshift-machine-config-operator-master-e2e-gcp-op
• pull-ci-openshift-machine-config-operator-master-e2e-gcp-op-layering
• pull-ci-openshift-machine-config-operator-master-e2e-gcp-op-single-node
• pull-ci-openshift-machine-config-operator-master-e2e-hypershift
• pull-ci-openshift-machine-config-operator-master-images
• pull-ci-openshift-machine-config-operator-master-okd-images
• pull-ci-openshift-machine-config-operator-master-okd-scos-e2e-aws-ovn
• pull-ci-openshift-machine-config-operator-master-okd-scos-images
• pull-ci-openshift-machine-config-operator-master-unit
• pull-ci-openshift-machine-config-operator-master-verify
• tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

In response to this:

/lgtm
/approval
/override e2e-gcp-op-single-node

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[cheesesashimi]

/override ci/prow/e2e-gcp-op-single-node

[openshift-ci]

@cheesesashimi: Overrode contexts on behalf of cheesesashimi: ci/prow/e2e-gcp-op-single-node

In response to this:

/override ci/prow/e2e-gcp-op-single-node

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@yuqi-zhang: Overrode contexts on behalf of yuqi-zhang: ci/prow/e2e-gcp-op-single-node

In response to this:

/override ci/prow/e2e-gcp-op-single-node

The bot is finicky and requires the full context :)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 9fb0e62 and 2 for PR HEAD 2da4c76 in total

[openshift-ci]

@JoelSpeed: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	2da4c76	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws-ovn-upgrade-out-of-change	2da4c76	link	false	/test e2e-aws-ovn-upgrade-out-of-change
ci/prow/e2e-azure-ovn-upgrade-out-of-change	2da4c76	link	false	/test e2e-azure-ovn-upgrade-out-of-change

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[sdodson]

/retest-required
unit tests have passed on this commit before, maybe flakey

[openshift-ci-robot]

@JoelSpeed: Jira Issue OCPBUGS-25662: Some pull requests linked via external trackers have merged:

• openshift/machine-config-operator#4103
• openshift/cloud-provider-aws#63
• openshift/os#1416
• openshift/cloud-provider-aws#65
• openshift/cloud-provider-aws#66

The following pull requests linked via external trackers have not merged:

• openshift/release#47648 is open

These pull request must merge or be unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-25662 has not been moved to the MODIFIED state.

In response to this:

- What I did
Adds configuration for the ECR credential provider to kubelet on AWS.

Unit tests show new flags being set correctly.

Depends on the ecr-credential-provider RPM shipping in RHCOS, this is currently a WIP.
/hold

- How to verify it
Kubelet should be able to pull an image from a private ECR registry.

- Description for the changelog

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build openshift-proxy-pull-test-container-v4.16.0-202401191549.p0.g6745e60.assembly.stream for distgit openshift-proxy-pull-test.
All builds following this will include this PR.

[JoelSpeed]

/cherry-pick release-4.15

[openshift-cherrypick-robot]

@JoelSpeed: new pull request created: #4134

In response to this:

/cherry-pick release-4.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[vrutkovs]

Please revert, this breaks OKD, which doesn't ship this RPM