Wiring user identities

Signed-off-by: ritikaguptams <[email protected]>
kubernetes-sigs · Aug 1, 2024 · 8dc7bb1 · 8dc7bb1
1 parent 2cbad0c
commit 8dc7bb1
Show file tree

Hide file tree

Showing 8 changed files with 28 additions and 4 deletions.
diff --git a/capz/run-capz-e2e.sh b/capz/run-capz-e2e.sh
@@ -370,7 +370,7 @@ run_e2e_test() {
 
         if [[ ! "${RUN_SERIAL_TESTS:-}" == "true" ]]; then
             export GINKGO_FOCUS=${GINKGO_FOCUS:-"\[Conformance\]|\[NodeConformance\]|\[sig-windows\]|\[sig-apps\].CronJob|\[sig-api-machinery\].ResourceQuota|\[sig-scheduling\].SchedulerPreemption"}
-            export GINKGO_SKIP=${GINKGO_SKIP:-"\[LinuxOnly\]|\[Serial\]|\[Slow\]|\[Excluded:WindowsDocker\]|\[Feature:DynamicResourceAllocation\]|Networking.Granular.Checks(.*)node-pod.communication|Guestbook.application.should.create.and.stop.a.working.application|device.plugin.for.Windows|Container.Lifecycle.Hook.when.create.a.pod.with.lifecycle.hook.should.execute(.*)http.hook.properly|\[sig-api-machinery\].Garbage.collector|pull.from.private.registry.with.secret"}
+            export GINKGO_SKIP=${GINKGO_SKIP:-"\[LinuxOnly\]|\[Serial\]|\[Slow\]|\[Excluded:WindowsDocker\]|\[Feature:DynamicResourceAllocation\]|Networking.Granular.Checks(.*)node-pod.communication|Guestbook.application.should.create.and.stop.a.working.application|device.plugin.for.Windows|Container.Lifecycle.Hook.when.create.a.pod.with.lifecycle.hook.should.execute(.*)http.hook.properly|\[sig-api-machinery\].Garbage.collector"}
             export GINKGO_NODES="${GINKGO_NODES:-"4"}"
         else
             export GINKGO_FOCUS=${GINKGO_FOCUS:-"(\[sig-windows\]|\[sig-scheduling\].SchedulerPreemption|\[sig-autoscaling\].\[Feature:HPA\]|\[sig-apps\].CronJob).*(\[Serial\]|\[Slow\])|(\[Serial\]|\[Slow\]).*(\[Conformance\]|\[NodeConformance\])|\[sig-api-machinery\].Garbage.collector"}
@@ -379,16 +379,15 @@ run_e2e_test() {
         fi
 
         ADDITIONAL_E2E_ARGS=()
-        if [[ "$CI" == "true" && -n "${DOCKER_CONFIG_FILE:-""}" ]]; then
+        if [[ "$CI" == "true" ]]; then
             # private image repository doesn't have a way to promote images: https://github.com/kubernetes/k8s.io/pull/1929
             # So we are using a custom repository for the test "Container Runtime blackbox test when running a container with a new image should be able to pull from private registry with secret [NodeConformance]"
             # Must also set label preset-windows-private-registry-cred: "true" on the job
 
             # This will not work in community cluster as this secret is not present (hence we only do it if ENV is set)
             # On the community cluster we will use credential providers to a private registry in azure see:
             # https://github.com/kubernetes-sigs/windows-testing/issues/446
-            export KUBE_TEST_REPO_LIST="$SCRIPT_ROOT/../images/image-repo-list-private-registry"
-            ADDITIONAL_E2E_ARGS+=("--docker-config-file=${DOCKER_CONFIG_FILE}")
+            export KUBE_TEST_REPO_LIST="$SCRIPT_ROOT/../images/image-repo-list-private-registry-community"
         fi
 
         # K8s 1.24 and below use ginkgo v1 which has slighly different args

diff --git a/capz/templates/gmsa-ci.yaml b/capz/templates/gmsa-ci.yaml
@@ -122,6 +122,8 @@ spec:
           kubeletExtraArgs:
             cloud-provider: external
             feature-gates: ${NODE_FEATURE_GATES:-"HPAContainerMetrics=true"}
+            image-credential-provider-bin-dir: /var/lib/kubelet/credential-provider
+            image-credential-provider-config: /var/lib/kubelet/credential-provider-config.yaml
             v: "2"
             windows-priorityclass: ABOVE_NORMAL_PRIORITY_CLASS
           name: '{{ ds.meta_data["local_hostname"] }}'

diff --git a/capz/templates/gmsa-pr.yaml b/capz/templates/gmsa-pr.yaml
@@ -117,6 +117,8 @@ spec:
           kubeletExtraArgs:
             cloud-provider: external
             feature-gates: ${NODE_FEATURE_GATES:-"HPAContainerMetrics=true"}
+            image-credential-provider-bin-dir: /var/lib/kubelet/credential-provider
+            image-credential-provider-config: /var/lib/kubelet/credential-provider-config.yaml
             v: "2"
             windows-priorityclass: ABOVE_NORMAL_PRIORITY_CLASS
           name: '{{ ds.meta_data["local_hostname"] }}'

diff --git a/capz/templates/shared-image-gallery-ci.yaml b/capz/templates/shared-image-gallery-ci.yaml
@@ -127,6 +127,8 @@ spec:
           kubeletExtraArgs:
             cloud-provider: external
             feature-gates: ${NODE_FEATURE_GATES:-"HPAContainerMetrics=true"}
+            image-credential-provider-bin-dir: /var/lib/kubelet/credential-provider
+            image-credential-provider-config: /var/lib/kubelet/credential-provider-config.yaml
             v: "2"
             windows-priorityclass: ABOVE_NORMAL_PRIORITY_CLASS
           name: '{{ ds.meta_data["local_hostname"] }}'
@@ -433,6 +435,7 @@ spec:
       annotations:
         runtime: containerd
     spec:
+      identity: UserAssigned
       image:
         sharedGallery:
           gallery: SigwinTestingImages
@@ -446,4 +449,6 @@ spec:
           storageAccountType: Premium_LRS
         osType: Windows
       sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
+      userAssignedIdentities:
+      - providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG:=capz-ci}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${USER_IDENTITY:=cloud-provider-user-identity}
       vmSize: ${AZURE_NODE_MACHINE_TYPE:-"Standard_D4s_v3"}
diff --git a/capz/templates/windows-base.yaml b/capz/templates/windows-base.yaml
@@ -88,6 +88,8 @@ spec:
           criSocket: npipe:////./pipe/containerd-containerd
           kubeletExtraArgs:
             cloud-provider: external
+            image-credential-provider-config: /var/lib/kubelet/credential-provider-config.yaml
+            image-credential-provider-bin-dir: /var/lib/kubelet/credential-provider
             feature-gates: ${NODE_FEATURE_GATES:-"HPAContainerMetrics=true"}
             v: "2"
             windows-priorityclass: ABOVE_NORMAL_PRIORITY_CLASS
@@ -330,11 +332,14 @@ spec:
       annotations:
         runtime: containerd
     spec:
+      identity: UserAssigned
       image:
       osDisk:
         diskSizeGB: 128
         managedDisk:
           storageAccountType: Premium_LRS
         osType: Windows
       sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
+      userAssignedIdentities:
+      - providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG:=capz-ci}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${USER_IDENTITY:=cloud-provider-user-identity}
       vmSize: ${AZURE_NODE_MACHINE_TYPE:-"Standard_D4s_v3"}
diff --git a/capz/templates/windows-ci.yaml b/capz/templates/windows-ci.yaml
@@ -122,6 +122,8 @@ spec:
           kubeletExtraArgs:
             cloud-provider: external
             feature-gates: ${NODE_FEATURE_GATES:-"HPAContainerMetrics=true"}
+            image-credential-provider-bin-dir: /var/lib/kubelet/credential-provider
+            image-credential-provider-config: /var/lib/kubelet/credential-provider-config.yaml
             v: "2"
             windows-priorityclass: ABOVE_NORMAL_PRIORITY_CLASS
           name: '{{ ds.meta_data["local_hostname"] }}'
@@ -427,6 +429,7 @@ spec:
       annotations:
         runtime: containerd
     spec:
+      identity: UserAssigned
       image:
         marketplace:
           offer: capi-windows
@@ -439,4 +442,6 @@ spec:
           storageAccountType: Premium_LRS
         osType: Windows
       sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
+      userAssignedIdentities:
+      - providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG:=capz-ci}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${USER_IDENTITY:=cloud-provider-user-identity}
       vmSize: ${AZURE_NODE_MACHINE_TYPE:-"Standard_D4s_v3"}
diff --git a/capz/templates/windows-pr.yaml b/capz/templates/windows-pr.yaml
@@ -117,6 +117,8 @@ spec:
           kubeletExtraArgs:
             cloud-provider: external
             feature-gates: ${NODE_FEATURE_GATES:-"HPAContainerMetrics=true"}
+            image-credential-provider-bin-dir: /var/lib/kubelet/credential-provider
+            image-credential-provider-config: /var/lib/kubelet/credential-provider-config.yaml
             v: "2"
             windows-priorityclass: ABOVE_NORMAL_PRIORITY_CLASS
           name: '{{ ds.meta_data["local_hostname"] }}'
@@ -415,6 +417,7 @@ spec:
       annotations:
         runtime: containerd
     spec:
+      identity: UserAssigned
       image:
         marketplace:
           offer: capi-windows
@@ -427,4 +430,6 @@ spec:
           storageAccountType: Premium_LRS
         osType: Windows
       sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
+      userAssignedIdentities:
+      - providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG:=capz-ci}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${USER_IDENTITY:=cloud-provider-user-identity}
       vmSize: ${AZURE_NODE_MACHINE_TYPE:-"Standard_D4s_v3"}
diff --git a/images/image-repo-list-private-registry-community b/images/image-repo-list-private-registry-community
@@ -0,0 +1 @@
+gcAuthenticatedRegistry: e2eprivatecommunity.azurecr.io