Add CRIOCredentialProviderConfig API and related functionality

- Add feature gate for CRIOCredentialProviderConfig in various feature gate manifests.

Signed-off-by: Qi Wang <[email protected]>

Author: QiWang19

config/v1alpha1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml

@@ -0,0 +1,59 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "CRIOCredentialProviderConfig"
+crdName: "criocredentialproviderconfigs.config.openshift.io"
+featureGates:
+  - CRIOCredentialProviderConfig
+tests:
+  onCreate:
+    - name: Should create a valid CRIOCredentialProviderConfig
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: CRIOCredentialProviderConfig
+        spec:
+          matchImages:
+          - 123456789.dkr.ecr.us-east-1.amazonaws.com
+          - "*.azurecr.io"
+          - gcr.io
+          - "*.*.registry.io"
+          - registry.io:8080/path
+      expected: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: CRIOCredentialProviderConfig
+        spec:
+          matchImages:
+          - 123456789.dkr.ecr.us-east-1.amazonaws.com
+          - "*.azurecr.io"
+          - gcr.io
+          - "*.*.registry.io"
+          - registry.io:8080/path
+        - name: Should reject matchImages with invalid characters
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: CRIOCredentialProviderConfig
+        spec:
+          matchImages:
+          - "reg!stry.io"
+      expectedError: "spec.matchImages[0]: Invalid value: \"string\": invalid matchImages value, must be a valid fully qualified domain name with optional wildcard, port, and path"
+    - name: Should reject empty matchImages
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: CRIOCredentialProviderConfig
+        spec:
+          matchImages:
+      expectedError: "spec.matchImages: Invalid value: []string{}: must contain at least 1 items"
+    - name: Should reject matchImages wildcard in the path
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: CRIOCredentialProviderConfig
+        spec:
+          matchImages:
+          - "registry.io:8080/pa*th"
+      expectedError: "spec.matchImages[0]: Invalid value: \"string\": invalid matchImages value, must be a valid fully qualified domain name with optional wildcard, port, and path"
+    - name: Should reject wildcard for partial subdomains
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: CRIOCredentialProviderConfig
+        spec:
+          matchImages:
+          - "example.app*.com"
+      expectedError: "spec.matchImages[0]: Invalid value: \"string\": invalid matchImages value, must be a valid fully qualified domain name with optional wildcard, port, and path"

config/v1alpha1/types_image_credential_provider_config.go

@@ -0,0 +1,117 @@
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfig holds cluster-wide configurations for CRI-O credential provider. CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+// For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+// CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=criocredentialproviderconfigs,scope=Cluster
+// +kubebuilder:subresource:status
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1929
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +openshift:enable:FeatureGate=CRIOCredentialProviderConfig
+// +openshift:compatibility-gen:level=4
+type CRIOCredentialProviderConfig struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata"`
+
+	// spec defines the desired configuration of the CRIO Credential Provider.
+	// +required
+	Spec CRIOCredentialProviderConfigSpec `json:"spec,omitzero"`
+
+	// status represents the current state of the CRIOCredentialProviderConfig.
+	// +optional
+	Status *CRIOCredentialProviderConfigStatus `json:"status,omitempty"`
+}
+
+// CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.
+type CRIOCredentialProviderConfigSpec struct {
+	// matchImages is a required list of string patterns used to determine whether
+	// the CRI-O credential provider should be invoked for a given image. This list is
+	// passed to the kubelet CredentialProviderConfig, and if any pattern matches
+	// the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+	// that image or its mirrors.
+	//
+	// For more details, see:
+	// - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+	// - https://github.com/cri-o/crio-credential-provider#architecture
+	//
+	// Each entry in matchImages is a pattern which can optionally contain a port and a path.
+	// Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+	// and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+	// Wildcards are not allowed in the port or path, nor may they appear in the middle of a hostname label.
+	// For example, '*.example.com' is valid, but 'example*.*.com' is not.
+	// Each wildcard matches only a single domain label,
+	// so '*.io' does **not** match '*.k8s.io'.
+	//
+	// A match exists between an image and a matchImage when all of the below are true:
+	// - Both contain the same number of domain parts and each part matches.
+	// - The URL path of an matchImages must be a prefix of the target image URL path.
+	// - If the matchImages contains a port, then the port must match in the image as well.
+	//
+	// Example values of matchImages:
+	// - 123456789.dkr.ecr.us-east-1.amazonaws.com
+	// - *.azurecr.io
+	// - gcr.io
+	// - *.*.registry.io
+	// - registry.io:8080/path
+	//
+	// +kubebuilder:validation:MaxItems=50
+	// +kubebuilder:validation:MinItems=1
+	// +listType=set
+	// +required
+	MatchImages []MatchImage `json:"matchImages,omitempty"`
+}
+
+// +kubebuilder:validation:MaxLength=512
+// +kubebuilder:validation:XValidation:rule=`self.matches('^((\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)(\\.(\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?))*)(:[0-9]+)?(/[-a-zA-Z0-9_/]*)?$')`,message="invalid matchImages value, must be a valid fully qualified domain name with optional wildcard, port, and path"
+type MatchImage string
+
+// +k8s:deepcopy-gen=true
+// CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig
+type CRIOCredentialProviderConfigStatus struct {
+	// conditions represent the latest available observations of the configuration state
+	// +optional
+	// +kubebuilder:validation:MaxItems=4
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type CRIOCredentialProviderConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []CRIOCredentialProviderConfig `json:"items"`
+}
+
+const (
+	// ConditionTypeValidated indicates whether the configuration is failed, or partially valid
+	ConditionTypeValidated = "Validated"
+
+	// ReasonValidationFailed indicates the MatchImages configuration contains invalid patterns
+	ReasonValidationFailed = "ValidationFailed"
+
+	// ReasonConfigurationPartiallyApplied indicates some matchImage entries were ignored due to conflicts
+	ReasonConfigurationPartiallyApplied = "ConfigurationPartiallyApplied"
+)

config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs-CustomNoUpgrade.crd.yaml

@@ -0,0 +1,168 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/1929
+    api.openshift.io/merged-by-featuregates: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    release.openshift.io/feature-set: CustomNoUpgrade
+  name: criocredentialproviderconfigs.config.openshift.io
+spec:
+  group: config.openshift.io
+  names:
+    kind: CRIOCredentialProviderConfig
+    listKind: CRIOCredentialProviderConfigList
+    plural: criocredentialproviderconfigs
+    singular: criocredentialproviderconfig
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          CRIOCredentialProviderConfig holds cluster-wide configurations for CRI-O credential provider. CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+          For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+          CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+
+          Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec defines the desired configuration of the CRIO Credential
+              Provider.
+            properties:
+              matchImages:
+                description: |-
+                  matchImages is a required list of string patterns used to determine whether
+                  the CRI-O credential provider should be invoked for a given image. This list is
+                  passed to the kubelet CredentialProviderConfig, and if any pattern matches
+                  the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+                  that image or its mirrors.
+
+                  For more details, see:
+                  - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+                  - https://github.com/cri-o/crio-credential-provider#architecture
+
+                  Each entry in matchImages is a pattern which can optionally contain a port and a path.
+                  Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+                  and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+                  Wildcards are not allowed in the port or path, nor may they appear in the middle of a hostname label.
+                  For example, '*.example.com' is valid, but 'example*.*.com' is not.
+                  Each wildcard matches only a single domain label,
+                  so '*.io' does **not** match '*.k8s.io'.
+
+                  A match exists between an image and a matchImage when all of the below are true:
+                  - Both contain the same number of domain parts and each part matches.
+                  - The URL path of an matchImages must be a prefix of the target image URL path.
+                  - If the matchImages contains a port, then the port must match in the image as well.
+
+                  Example values of matchImages:
+                  - 123456789.dkr.ecr.us-east-1.amazonaws.com
+                  - *.azurecr.io
+                  - gcr.io
+                  - *.*.registry.io
+                  - registry.io:8080/path
+                items:
+                  maxLength: 512
+                  type: string
+                  x-kubernetes-validations:
+                  - message: invalid matchImages value, must be a valid fully qualified
+                      domain name with optional wildcard, port, and path
+                    rule: self.matches('^((\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)(\\.(\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?))*)(:[0-9]+)?(/[-a-zA-Z0-9_/]*)?$')
+                maxItems: 50
+                minItems: 1
+                type: array
+                x-kubernetes-list-type: set
+            required:
+            - matchImages
+            type: object
+          status:
+            description: status represents the current state of the CRIOCredentialProviderConfig.
+            properties:
+              conditions:
+                description: conditions represent the latest available observations
+                  of the configuration state
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 4
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}