OCPBUGS-25662: Add Image Credential Provider flags for Kubelet on AWS

pkg/controller/template/render.go

@@ -326,6 +326,7 @@ func renderTemplate(config RenderConfig, path string, b []byte) ([]byte, error)
 	funcs["skip"] = skipMissing
 	funcs["cloudProvider"] = cloudProvider
 	funcs["cloudConfigFlag"] = cloudConfigFlag
+	funcs["credentialProviderConfigFlag"] = credentialProviderConfigFlag
 	funcs["onPremPlatformAPIServerInternalIP"] = onPremPlatformAPIServerInternalIP
 	funcs["onPremPlatformAPIServerInternalIPs"] = onPremPlatformAPIServerInternalIPs
 	funcs["onPremPlatformIngressIP"] = onPremPlatformIngressIP
@@ -433,6 +434,33 @@ func cloudConfigFlag(cfg RenderConfig) interface{} {
 	}
 }
 
+// Process the {{credentialProviderConfigFlag .}}
+// On supported platforms, this returns the `--image-credential-provider` flags for Kubelet.
+// This will point to the bin dir containing the binaries and the appropriate config for
+// the platform.
+func credentialProviderConfigFlag(cfg RenderConfig) interface{} {
+	if cfg.Infra == nil {
+		cfg.Infra = &configv1.Infrastructure{
+			Status: configv1.InfrastructureStatus{},
+		}
+	}
+
+	if cfg.Infra.Status.PlatformStatus == nil {
+		cfg.Infra.Status.PlatformStatus = &configv1.PlatformStatus{
+			Type: "",
+		}
+	}
+
+	credentialProviderBinDirFlag := "--image-credential-provider-bin-dir=/usr/libexec/kubelet-image-credential-provider-plugins"
+	credentialProviderConfigFlag := "--image-credential-provider-config=/etc/kubernetes/credential-providers/"
+	switch cfg.Infra.Status.PlatformStatus.Type {
+	case configv1.AWSPlatformType:
+		return fmt.Sprintf("%s %s%s", credentialProviderBinDirFlag, credentialProviderConfigFlag, "ecr-credential-provider.yaml")
+	default:
+		return ""
+	}
+}
+
 func onPremPlatformShortName(cfg RenderConfig) interface{} {
 	if cfg.Infra.Status.PlatformStatus != nil {
 		switch cfg.Infra.Status.PlatformStatus.Type {

pkg/controller/template/render_test.go

@@ -298,6 +298,69 @@ func TestCloudConfigFlag(t *testing.T) {
 	}
 }
 
+func TestCredentialProviderConfigFlag(t *testing.T) {
+	dummyTemplate := []byte(`{{credentialProviderConfigFlag .}}`)
+
+	testCases := []struct {
+		platform configv1.PlatformType
+		res      string
+	}{
+		{
+			platform: configv1.AWSPlatformType,
+			res:      "--image-credential-provider-bin-dir=/usr/libexec/kubelet-image-credential-provider-plugins --image-credential-provider-config=/etc/kubernetes/credential-providers/ecr-credential-provider.yaml",
+		},
+		{
+			platform: configv1.AzurePlatformType,
+			res:      "",
+		},
+		{
+			platform: configv1.GCPPlatformType,
+			res:      "",
+		},
+		{
+			platform: configv1.VSpherePlatformType,
+			res:      "",
+		},
+		{
+			platform: configv1.OpenStackPlatformType,
+			res:      "",
+		},
+		{
+			platform: configv1.BareMetalPlatformType,
+			res:      "",
+		},
+	}
+
+	for idx, c := range testCases {
+		name := fmt.Sprintf("case #%d: %s", idx, c.platform)
+		t.Run(name, func(t *testing.T) {
+			config := &mcfgv1.ControllerConfig{
+				Spec: mcfgv1.ControllerConfigSpec{
+					Infra: &configv1.Infrastructure{
+						Status: configv1.InfrastructureStatus{
+							Platform: c.platform,
+							PlatformStatus: &configv1.PlatformStatus{
+								Type: c.platform,
+							},
+						},
+					},
+				},
+			}
+
+			fgAccess := featuregates.NewHardcodedFeatureGateAccess(nil, nil)
+
+			got, err := renderTemplate(RenderConfig{&config.Spec, `{"dummy":"dummy"}`, `{"dummy":"dummy"}`, fgAccess, nil}, name, dummyTemplate)
+			if err != nil {
+				t.Fatalf("expected nil error %v", err)
+			}
+
+			if string(got) != c.res {
+				t.Fatalf("mismatch got: %s want: %s", got, c.res)
+			}
+		})
+	}
+}
+
 func TestSkipMissing(t *testing.T) {
 	dummyTemplate := `{{skip "%s"}}`
 

templates/common/aws/files/etc-kubernetes-credential-providers-ecr-credential-provider.yaml

@@ -0,0 +1,16 @@
+mode: 0644
+path: "/etc/kubernetes/credential-providers/ecr-credential-provider.yaml"
+contents:
+  inline: |
+    apiVersion: kubelet.config.k8s.io/v1
+    kind: CredentialProviderConfig
+    providers:
+      - name: ecr-credential-provider
+        matchImages:
+          - "*.dkr.ecr.*.amazonaws.com"
+          - "*.dkr.ecr.*.amazonaws.com.cn"
+          - "*.dkr.ecr-fips.*.amazonaws.com"
+          - "*.dkr.ecr.us-iso-east-1.c2s.ic.gov"
+          - "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
+        defaultCacheDuration: "12h"
+        apiVersion: credentialprovider.kubelet.k8s.io/v1

templates/master/01-master-kubelet/_base/units/kubelet.service.yaml

@@ -37,6 +37,7 @@ contents: |
         --cloud-provider={{cloudProvider .}} \
         --volume-plugin-dir=/etc/kubernetes/kubelet-plugins/volume/exec \
         {{cloudConfigFlag . }} \
+        {{credentialProviderConfigFlag . }} \
         --hostname-override=${KUBELET_NODE_NAME} \
         --provider-id=${KUBELET_PROVIDERID} \
         --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \

templates/worker/01-worker-kubelet/_base/units/kubelet.service.yaml

@@ -37,6 +37,7 @@ contents: |
         --volume-plugin-dir=/etc/kubernetes/kubelet-plugins/volume/exec \
         --cloud-provider={{cloudProvider .}} \
         {{cloudConfigFlag . }} \
+        {{credentialProviderConfigFlag . }} \
         --hostname-override=${KUBELET_NODE_NAME} \
         --provider-id=${KUBELET_PROVIDERID} \
         --pod-infra-container-image={{.Images.infraImageKey}} \