Merge pull request #1570 from giantswarm/ecr_cred_provider

Add optional support for including ecr-credential-provider

docs/book/src/SUMMARY.md

@@ -19,6 +19,7 @@
   - [vSphere](./capi/providers/vsphere.md)
   - [Proxmox](./capi/providers/proxmox.md)
   - [Windows](./capi/windows/windows.md)
+  - [Including ECR Credential Provider](./capi/ecr-credential-provider.md)
   - [Testing the Images](./capi/goss/goss.md)
   - [Using Container Images](./capi/container-image.md)
   - [Customizing containerd](./capi/containerd/customizing-containerd.md)

docs/book/src/capi/ecr-credential-provider.md

@@ -0,0 +1,21 @@
+# Including ECR Credential Provider
+
+Starting with Kuberentes v1.27 the cloud credential providers are no longer included in-tree and need to be included as external binaries and referenced by the Kubelet.
+
+To do this with image-builder you enable the use of [ecr-credential-provider](https://github.com/kubernetes/cloud-provider-aws/#aws-credential-provider) by setting the `ecr_credential_provider` packer variable to `true`.
+
+Once enabled, the `ecr-credential-provider` binary will be downloaded, a `CredentialProviderConfig` config will be created, and the kubelet flags will be updated to reference both of these.
+
+In most setups, this should be all that is needed but the following vars can be set to override various properties:
+
+| variable | default | description |
+| --- | --- | --- |
+| ecr_credential_provider_version | "v1.31.0" | The release version of [cloud-provider-aws](https://github.com/kubernetes/cloud-provider-aws/) to use  |
+| ecr_credential_provider_os | "linux" | The operating system |
+| ecr_credential_provider_arch | "amd64" | The architecture |
+| ecr_credential_provider_base_url | "https://storage.googleapis.com/k8s-artifacts-prod/binaries/cloud-provider-aws" | The base URL of where to get the binary from |
+| ecr_credential_provider_install_dir | "/opt/bin" | The location to install the binary into |
+| ecr_credential_provider_binary_filename | "ecr-credential-provider" | The filename to use for the downloaded binary |
+| ecr_credential_provider_match_images | ["*.dkr.ecr.*.amazonaws.com", "*.dkr.ecr.*.amazonaws.com.cn"] | An array of globs to use for matching images that should use the credential provider. (If using gov-cloud you may need to change this) |
+| ecr_credential_provider_aws_profile | "default" | The AWS profile to use with the credential provider |
+

images/capi/.ansible-lint-ignore

@@ -8,13 +8,16 @@ ansible/python.yml name[play]
 ansible/roles/containerd/tasks/main.yml name[missing]
 ansible/roles/containerd/tasks/main.yml risky-file-permissions
 ansible/roles/containerd/tasks/photon.yml no-changed-when
+ansible/roles/containerd/tasks/redhat.yml fqcn[action-core]
+ansible/roles/ecr_credential_provider/tasks/main.yaml no-changed-when
+ansible/roles/ecr_credential_provider/tasks/main.yaml yaml[line-length]
 ansible/roles/firstboot/tasks/main.yaml name[missing]
 ansible/roles/firstboot/tasks/qemu.yml name[missing]
 ansible/roles/gpu/tasks/amd.yml no-changed-when
-ansible/roles/gpu/tasks/main.yml ignore-errors
 ansible/roles/gpu/tasks/nvidia.yml no-changed-when
 ansible/roles/kubernetes/defaults/main.yml var-naming[no-role-prefix]
 ansible/roles/kubernetes/defaults/main.yml yaml[line-length]
+ansible/roles/kubernetes/tasks/azurelinux.yml fqcn[action-core]
 ansible/roles/kubernetes/tasks/crictl-url.yml name[template]
 ansible/roles/kubernetes/tasks/debian.yml jinja[spacing]
 ansible/roles/kubernetes/tasks/ecrpull.yml command-instead-of-shell
@@ -24,6 +27,7 @@ ansible/roles/kubernetes/tasks/kubeadmpull.yml no-changed-when
 ansible/roles/kubernetes/tasks/main.yml name[missing]
 ansible/roles/kubernetes/tasks/photon.yml jinja[spacing]
 ansible/roles/kubernetes/tasks/photon.yml no-changed-when
+ansible/roles/kubernetes/tasks/redhat.yml fqcn[action-core]
 ansible/roles/kubernetes/tasks/redhat.yml jinja[spacing]
 ansible/roles/kubernetes/tasks/url.yml command-instead-of-shell
 ansible/roles/kubernetes/tasks/url.yml no-changed-when
@@ -44,6 +48,7 @@ ansible/roles/providers/defaults/main.yml var-naming[no-role-prefix]
 ansible/roles/providers/tasks/aws.yml command-instead-of-shell
 ansible/roles/providers/tasks/aws.yml name[missing]
 ansible/roles/providers/tasks/aws.yml no-changed-when
+ansible/roles/providers/tasks/awscliv2.yml fqcn[action-core]
 ansible/roles/providers/tasks/awscliv2.yml no-changed-when
 ansible/roles/providers/tasks/awscliv2.yml package-latest
 ansible/roles/providers/tasks/awscliv2.yml risky-file-permissions
@@ -52,18 +57,25 @@ ansible/roles/providers/tasks/azure.yml risky-file-permissions
 ansible/roles/providers/tasks/cloudstack.yml command-instead-of-shell
 ansible/roles/providers/tasks/cloudstack.yml no-changed-when
 ansible/roles/providers/tasks/googlecompute.yml command-instead-of-shell
+ansible/roles/providers/tasks/googlecompute.yml fqcn[action-core]
 ansible/roles/providers/tasks/googlecompute.yml no-changed-when
+ansible/roles/providers/tasks/hcloud.yml fqcn[action-core]
 ansible/roles/providers/tasks/main.yml name[missing]
 ansible/roles/providers/tasks/main.yml risky-file-permissions
+ansible/roles/providers/tasks/nutanix-redhat.yml fqcn[action-core]
 ansible/roles/providers/tasks/nutanix-redhat.yml risky-file-permissions
 ansible/roles/providers/tasks/nutanix-ubuntu.yml risky-file-permissions
 ansible/roles/providers/tasks/nutanix.yml name[missing]
 ansible/roles/providers/tasks/nutanix.yml risky-file-permissions
+ansible/roles/providers/tasks/proxmox.yml fqcn[action-core]
+ansible/roles/providers/tasks/qemu.yml fqcn[action-core]
 ansible/roles/providers/tasks/raw.yml command-instead-of-shell
+ansible/roles/providers/tasks/raw.yml fqcn[action-core]
 ansible/roles/providers/tasks/raw.yml no-changed-when
 ansible/roles/providers/tasks/vmware-photon.yml no-changed-when
 ansible/roles/providers/tasks/vmware-photon.yml risky-file-permissions
 ansible/roles/providers/tasks/vmware-redhat.yml command-instead-of-shell
+ansible/roles/providers/tasks/vmware-redhat.yml fqcn[action-core]
 ansible/roles/providers/tasks/vmware-redhat.yml no-changed-when
 ansible/roles/providers/tasks/vmware-ubuntu.yml risky-file-permissions
 ansible/roles/providers/tasks/vmware.yml name[missing]
@@ -73,6 +85,7 @@ ansible/roles/python/tasks/main.yml name[missing]
 ansible/roles/python/tasks/main.yml no-changed-when
 ansible/roles/security/tasks/trivy.yml jinja[spacing]
 ansible/roles/setup/defaults/main.yml var-naming[no-role-prefix]
+ansible/roles/setup/tasks/azurelinux.yml fqcn[action-core]
 ansible/roles/setup/tasks/azurelinux.yml name[missing]
 ansible/roles/setup/tasks/azurelinux.yml package-latest
 ansible/roles/setup/tasks/debian.yml command-instead-of-module
@@ -84,6 +97,7 @@ ansible/roles/setup/tasks/main.yml name[missing]
 ansible/roles/setup/tasks/photon.yml name[missing]
 ansible/roles/setup/tasks/photon.yml no-changed-when
 ansible/roles/setup/tasks/redhat.yml command-instead-of-module
+ansible/roles/setup/tasks/redhat.yml fqcn[action-core]
 ansible/roles/setup/tasks/redhat.yml name[missing]
 ansible/roles/setup/tasks/redhat.yml no-changed-when
 ansible/roles/setup/tasks/redhat.yml package-latest
@@ -98,6 +112,7 @@ ansible/roles/sysprep/tasks/main.yml risky-file-permissions
 ansible/roles/sysprep/tasks/photon.yml name[missing]
 ansible/roles/sysprep/tasks/photon.yml no-changed-when
 ansible/roles/sysprep/tasks/redhat.yml command-instead-of-module
+ansible/roles/sysprep/tasks/redhat.yml fqcn[action-core]
 ansible/roles/sysprep/tasks/redhat.yml name[missing]
 ansible/roles/sysprep/tasks/redhat.yml no-changed-when
 ansible/roles/sysprep/tasks/rpm_repos.yml no-changed-when

images/capi/Makefile

@@ -263,7 +263,8 @@ COMMON_NODE_VAR_FILES := packer/config/kubernetes.json \
 					packer/config/ansible-args.json \
 					packer/config/goss-args.json \
 					packer/config/common.json \
-					packer/config/additional_components.json
+					packer/config/additional_components.json \
+					packer/config/ecr_credential_provider.json
 
 COMMON_WINDOWS_VAR_FILES :=	packer/config/kubernetes.json \
 					packer/config/windows/kubernetes.json \
@@ -274,20 +275,22 @@ COMMON_WINDOWS_VAR_FILES :=	packer/config/kubernetes.json \
 					packer/config/windows/common.json \
 					packer/config/windows/cloudbase-init.json \
 					packer/config/goss-args.json \
-					packer/config/additional_components.json
+					packer/config/additional_components.json \
+					packer/config/ecr_credential_provider.json
 
 COMMON_POWERVS_VAR_FILES := packer/config/kubernetes.json \
 					packer/config/ppc64le/kubernetes.json \
 					packer/config/cni.json \
 					packer/config/ppc64le/cni.json \
 					packer/config/containerd.json \
 					packer/config/wasm-shims.json \
-                    packer/config/ppc64le/containerd.json \
-                    packer/config/ansible-args.json \
-                    packer/config/goss-args.json \
-                    packer/config/common.json \
-                    packer/config/ppc64le/common.json \
-                    packer/config/additional_components.json
+					packer/config/ppc64le/containerd.json \
+					packer/config/ansible-args.json \
+					packer/config/goss-args.json \
+					packer/config/common.json \
+					packer/config/ppc64le/common.json \
+					packer/config/additional_components.json \
+					packer/config/ecr_credential_provider.json
 
 # Initialize a list of flags to pass to Packer. This includes any existing flags
 # specified by PACKER_FLAGS, as well as prefixing the list with the variable

images/capi/ansible/node.yml

@@ -37,6 +37,9 @@
     - ansible.builtin.include_role:
         name: load_additional_components
       when: load_additional_components | bool
+    - ansible.builtin.include_role:
+        name: ecr_credential_provider
+      when: ecr_credential_provider | bool
     - ansible.builtin.include_role:
         name: "{{ role }}"
       loop: "{{ custom_role_names.split() + node_custom_roles_post.split() }}"

images/capi/ansible/roles/ecr_credential_provider/defaults/main.yml

@@ -0,0 +1,25 @@
+# Copyright 2024 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+
+ecr_credential_provider_version: v1.31.0
+ecr_credential_provider_os: linux
+ecr_credential_provider_arch: amd64
+ecr_credential_provider_base_url: https://storage.googleapis.com/k8s-artifacts-prod/binaries/cloud-provider-aws
+ecr_credential_provider_install_dir: /opt/bin
+ecr_credential_provider_binary_filename: ecr-credential-provider
+ecr_credential_provider_match_images:
+  - "*.dkr.ecr.*.amazonaws.com"
+  - "*.dkr.ecr.*.amazonaws.com.cn"
+ecr_credential_provider_aws_profile: default

images/capi/ansible/roles/ecr_credential_provider/tasks/main.yaml

@@ -0,0 +1,48 @@
+---
+- name: Ensure ecr_credential_provider is not already installed
+  ansible.builtin.stat:
+    path: "{{ ecr_credential_provider_install_dir }}/{{ ecr_credential_provider_binary_filename }}"
+  register: ecr_credential_provider_binary
+
+- name: Install ECR Credential Provider binary
+  when: not ecr_credential_provider_binary.stat.exists
+  block:
+    - name: Ensure bin directory exists
+      ansible.builtin.file:
+        path: "{{ ecr_credential_provider_install_dir }}"
+        state: directory
+        mode: "0755"
+
+    - name: Download ecr_credential_provider binary
+      ansible.builtin.get_url:
+        url: "{{ ecr_credential_provider_base_url }}/{{ ecr_credential_provider_version }}/{{ ecr_credential_provider_os }}/{{ ecr_credential_provider_arch }}/ecr-credential-provider-{{ ecr_credential_provider_os }}-{{ ecr_credential_provider_arch }}"
+        dest: "{{ ecr_credential_provider_install_dir }}/{{ ecr_credential_provider_binary_filename }}"
+        mode: "0755"
+
+- name: Create the CredentialProviderConfig for the ECR Credential Provider
+  block:
+    - name: Ensure config directory exists
+      ansible.builtin.file:
+        path: /var/usr/ecr-credential-provider
+        state: directory
+        mode: "0755"
+
+    - name: Create CredentialProviderConfig
+      ansible.builtin.template:
+        src: var/usr/ecr-credential-provider/ecr-credential-provider-config
+        dest: /var/usr/ecr-credential-provider/ecr-credential-provider-config
+        mode: "0644"
+
+- name: Update kubelet args to include credential provider flags
+  block:
+    - name: Ensure kubelet config exists
+      ansible.builtin.stat:
+        path: "{{ '/etc/default/kubelet' if ansible_os_family == 'Debian' else '/etc/sysconfig/kubelet' }}"
+      register: kubelet_config
+      failed_when: not kubelet_config.stat.exists
+
+    - name: Add credential provider flags
+      when: kubelet_config.stat.exists
+      ansible.builtin.shell: |
+        set -e -o pipefail
+        sed -Ei 's|^(KUBELET_EXTRA_ARGS.*)|\1 --image-credential-provider-config=/var/usr/ecr-credential-provider/ecr-credential-provider-config --image-credential-provider-bin-dir={{ ecr_credential_provider_install_dir }}|' {{ '/etc/default/kubelet' if ansible_os_family == 'Debian' else '/etc/sysconfig/kubelet' }}

images/capi/ansible/roles/ecr_credential_provider/templates/var/usr/ecr-credential-provider/ecr-credential-provider-config

@@ -0,0 +1,10 @@
+apiVersion: kubelet.config.k8s.io/v1
+kind: CredentialProviderConfig
+providers:
+  - name: ecr-credential-provider
+    matchImages: {{ ecr_credential_provider_match_images }}
+    defaultCacheDuration: "12h"
+    apiVersion: credentialprovider.kubelet.k8s.io/v1
+    env:
+      - name: AWS_PROFILE
+        value: "{{ ecr_credential_provider_aws_profile }}"