todo

Author: QiWang19

go.mod

@@ -457,4 +457,4 @@ replace (
 
 replace github.com/openshift/api => github.com/QiWang19/api v0.0.0-20251204232509-5086a5249b02
 
-replace github.com/openshift/client-go => github.com/QiWang19/client-go v0.0.0-20251206033140-b1d9ec91d591
+replace github.com/openshift/client-go => github.com/QiWang19/client-go v0.0.0-20251206041215-b807c9cdcceb

go.sum

@@ -52,8 +52,8 @@ github.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBi
 github.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
 github.com/QiWang19/api v0.0.0-20251204232509-5086a5249b02 h1:AatkJOk7B+A66PUpR02ZvtEafkaL8Mzn9vC6wqJrOgo=
 github.com/QiWang19/api v0.0.0-20251204232509-5086a5249b02/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
-github.com/QiWang19/client-go v0.0.0-20251206033140-b1d9ec91d591 h1:nq5D1MflQVwqNcDNW3Z+3bo1mDdQLfABzBoYAbSX+X0=
-github.com/QiWang19/client-go v0.0.0-20251206033140-b1d9ec91d591/go.mod h1:iylwyks15hQrMFoa76LqqB5O53iIECos27GarEef8n8=
+github.com/QiWang19/client-go v0.0.0-20251206041215-b807c9cdcceb h1:Wjt5SbxzEsHN1KSmE4kmBZjqoOQnSM+7JyhSXBH89jc=
+github.com/QiWang19/client-go v0.0.0-20251206041215-b807c9cdcceb/go.mod h1:iylwyks15hQrMFoa76LqqB5O53iIECos27GarEef8n8=
 github.com/ajeddeloh/go-json v0.0.0-20170920214419-6a2fe990e083/go.mod h1:otnto4/Icqn88WCcM4bhIJNSgsh9VLBuspyyCfvof9c=
 github.com/ajeddeloh/go-json v0.0.0-20200220154158-5ae607161559 h1:4SPQljF/GJ8Q+QlCWMWxRBepub4DresnOm4eI2ebFGc=
 github.com/ajeddeloh/go-json v0.0.0-20200220154158-5ae607161559/go.mod h1:otnto4/Icqn88WCcM4bhIJNSgsh9VLBuspyyCfvof9c=

pkg/controller/container-runtime-config/container_runtime_config_controller.go

@@ -13,6 +13,7 @@ import (
 	signature "github.com/containers/image/v5/signature"
 	ign3types "github.com/coreos/ignition/v2/config/v3_5/types"
 	apicfgv1 "github.com/openshift/api/config/v1"
+	apicfgv1alpha1 "github.com/openshift/api/config/v1alpha1"
 	features "github.com/openshift/api/features"
 	apioperatorsv1alpha1 "github.com/openshift/api/operator/v1alpha1"
 	configclientset "github.com/openshift/client-go/config/clientset/versioned"
@@ -110,17 +111,19 @@ type Controller struct {
 	itmsLister       cligolistersv1.ImageTagMirrorSetLister
 	itmsListerSynced cache.InformerSynced
 
-	criocpLister         cligolistersv1alpha1.CRIOCredentialProviderConfigLister
-	criocpListerSynced   cache.InformerSynced
-	addedCRIOCPObservers bool
+	criocpLister               cligolistersv1alpha1.CRIOCredentialProviderConfigLister
+	criocpListerSynced         cache.InformerSynced
+	addedCRIOCPObservers       bool
+	criocpInformerFactoryAdded bool
 
 	configInformerFactory          configinformers.SharedInformerFactory
 	clusterImagePolicyLister       cligolistersv1.ClusterImagePolicyLister
 	clusterImagePolicyListerSynced cache.InformerSynced
 
-	imagePolicyLister       cligolistersv1.ImagePolicyLister
-	imagePolicyListerSynced cache.InformerSynced
-	addedPolicyObservers    bool
+	imagePolicyLister          cligolistersv1.ImagePolicyLister
+	imagePolicyListerSynced    cache.InformerSynced
+	addedPolicyObservers       bool
+	policyInformerFactoryAdded bool
 
 	mcpLister       mcfglistersv1.MachineConfigPoolLister
 	mcpListerSynced cache.InformerSynced
@@ -247,15 +250,23 @@ func (ctrl *Controller) Run(workers int, stopCh <-chan struct{}) {
 	if ctrl.sigstoreAPIEnabled() {
 		ctrl.addImagePolicyObservers()
 		klog.Info("addded image policy observers with sigstore featuregate enabled")
-		ctrl.configInformerFactory.Start(stopCh)
-		listerCaches = append(listerCaches, ctrl.clusterImagePolicyListerSynced, ctrl.imagePolicyListerSynced)
-		ctrl.addedPolicyObservers = true
 	}
 
+	klog.Info("Waiting for featuregate criocredentialproviderconfig to be enabled/disabled")
+
 	if ctrl.criocpEnabled() {
 		ctrl.addCRIOCPObservers()
 		klog.Info("added CRIOCredentialProviderConfig observers with CRIOCredentialProviderConfig featuregate enabled")
-		ctrl.configInformerFactory.Start(stopCh)
+	}
+
+	ctrl.configInformerFactory.Start(stopCh)
+
+	if ctrl.policyInformerFactoryAdded {
+		listerCaches = append(listerCaches, ctrl.clusterImagePolicyListerSynced, ctrl.imagePolicyListerSynced)
+		ctrl.addedPolicyObservers = true
+	}
+
+	if ctrl.criocpInformerFactoryAdded {
 		listerCaches = append(listerCaches, ctrl.criocpListerSynced)
 		ctrl.addedCRIOCPObservers = true
 	}
@@ -346,6 +357,7 @@ func (ctrl *Controller) addCRIOCPObservers() {
 	})
 	ctrl.criocpLister = ctrl.configInformerFactory.Config().V1alpha1().CRIOCredentialProviderConfigs().Lister()
 	ctrl.criocpListerSynced = ctrl.configInformerFactory.Config().V1alpha1().CRIOCredentialProviderConfigs().Informer().HasSynced
+	ctrl.criocpInformerFactoryAdded = true
 }
 
 func (ctrl *Controller) criocpConfAdded(_ interface{}) {
@@ -379,6 +391,7 @@ func (ctrl *Controller) addImagePolicyObservers() {
 	})
 	ctrl.imagePolicyLister = ctrl.configInformerFactory.Config().V1().ImagePolicies().Lister()
 	ctrl.imagePolicyListerSynced = ctrl.configInformerFactory.Config().V1().ImagePolicies().Informer().HasSynced
+	ctrl.policyInformerFactoryAdded = true
 }
 
 func (ctrl *Controller) clusterImagePolicyAdded(_ interface{}) {
@@ -410,6 +423,7 @@ func (ctrl *Controller) sigstoreAPIEnabled() bool {
 }
 
 func (ctrl *Controller) criocpEnabled() bool {
+	klog.Infof("CRIOCredentialProviderConfig feature gate enabled: %v", ctrl.fgHandler.Enabled(features.FeatureGateCRIOCredentialProviderConfig))
 	return ctrl.fgHandler.Enabled(features.FeatureGateCRIOCredentialProviderConfig)
 }
 
@@ -637,15 +651,15 @@ func generateOriginalContainerRuntimeConfigs(templateDir string, cc *mcfgv1.Cont
 	return gmcStorageConfig, gmcRegistriesConfig, gmcPolicyJSON, nil
 }
 
-func generateOriginalCredentialProviderConfig(templateDir string, cc *mcfgv1.ControllerConfig, role string) (*ign3types.File, error) {
+func generateOriginalCredentialProviderConfig(templateDir string, cc *mcfgv1.ControllerConfig, role string) (*ign3types.File, string, error) {
 
 	// Render the default templates
 	rc := &mtmpl.RenderConfig{
 		ControllerConfigSpec: &cc.Spec,
 	}
 	generatedConfigs, err := mtmpl.GenerateMachineConfigsForRole(rc, role, templateDir)
 	if err != nil {
-		return nil, fmt.Errorf("generateMachineConfigsforRole failed with error %w", err)
+		return nil, "", fmt.Errorf("generateMachineConfigsforRole failed with error %w", err)
 	}
 	// Find generated provider.yaml
 	var (
@@ -665,7 +679,7 @@ func generateOriginalCredentialProviderConfig(templateDir string, cc *mcfgv1.Con
 	case apicfgv1.AzurePlatformType:
 		credProviderConfigPath = fmt.Sprintf(credProviderConfigPathFormat, "acr")
 	default:
-		return nil, fmt.Errorf("unsupported platform type: %s", cc.Spec.Infra.Status.PlatformStatus.Type)
+		return nil, "", fmt.Errorf("unsupported platform type: %s", cc.Spec.Infra.Status.PlatformStatus.Type)
 	}
 	klog.Infof("credential provider config path set to: %s", credProviderConfigPath)
 
@@ -674,14 +688,14 @@ func generateOriginalCredentialProviderConfig(templateDir string, cc *mcfgv1.Con
 		config, errCredProvider = findCredProviderConfig(gmc, credProviderConfigPath)
 		if errCredProvider != nil {
 			klog.Infof("could not find credential provider config in generated config %s: %v", gmc.Name, errCredProvider)
-			return nil, fmt.Errorf("could not generate original credential provider configs: %w", errCredProvider)
+			return nil, "", fmt.Errorf("could not generate original credential provider configs: %w", errCredProvider)
 		}
 
 		gmcCredProviderConfig = config
 
 	}
 
-	return gmcCredProviderConfig, nil
+	return gmcCredProviderConfig, credProviderConfigPath, nil
 }
 
 func (ctrl *Controller) syncStatusOnly(cfg *mcfgv1.ContainerRuntimeConfig, err error, args ...interface{}) error {
@@ -1076,6 +1090,7 @@ func (ctrl *Controller) syncImageConfig(key string) error {
 		clusterScopePolicies                          map[string]signature.PolicyRequirements
 		imagePolicies                                 []*apicfgv1.ImagePolicy
 		scopeNamespacePolicies                        map[string]map[string]signature.PolicyRequirements
+		crioCredentialProviderConfig                  *apicfgv1alpha1.CRIOCredentialProviderConfig
 	)
 
 	if ctrl.sigstoreAPIEnabled() && ctrl.addedPolicyObservers {
@@ -1095,6 +1110,15 @@ func (ctrl *Controller) syncImageConfig(key string) error {
 		}
 	}
 
+	if ctrl.addedCRIOCPObservers {
+		crioCredentialProviderConfig, err = ctrl.criocpLister.Get("cluster")
+		if err != nil && errors.IsNotFound(err) {
+			crioCredentialProviderConfig = &apicfgv1alpha1.CRIOCredentialProviderConfig{}
+		} else if err != nil {
+			return nil
+		}
+	}
+
 	if clusterVersionCfg != nil {
 		// The possibility of releaseImage being "" is very unlikely, will only happen if clusterVersionCfg is nil. If this happens
 		// then there is something very wrong with the cluster and in that situation it would be best to fail here till clusterVersionCfg
@@ -1137,6 +1161,12 @@ func (ctrl *Controller) syncImageConfig(key string) error {
 		if err != nil {
 			return err
 		}
+
+		managedKeyCredentialProvider, err := getManagedKeyCRIOCredentialProvider(pool)
+		if err != nil {
+			return err
+		}
+
 		if err := retry.RetryOnConflict(updateBackoff, func() error {
 			registriesIgn, err := registriesConfigIgnition(ctrl.templatesDir, controllerConfig, role, releaseImage,
 				imgcfg.Spec.RegistrySources.InsecureRegistries, registriesBlocked, policyBlocked, allowedRegs,
@@ -1150,7 +1180,19 @@ func (ctrl *Controller) syncImageConfig(key string) error {
 				return fmt.Errorf("could not sync registries Ignition config: %w", err)
 			}
 
-			crioCredentialProviderConfigIgnition(ctrl.templatesDir, controllerConfig, role, releaseImage)
+			if crioCredentialProviderConfig != nil {
+
+				credentialProviderConfigIgn, err := crioCredentialProviderConfigIgnition(ctrl.templatesDir, controllerConfig, role, crioCredentialProviderConfig)
+				if err != nil {
+					klog.Infof("could not generate CRIO Credential Provider Ignition config for role %s: %v", role, err)
+					return fmt.Errorf("could not generate CRIO Credential Provider Ignition config: %w", err)
+				}
+				applied, err = ctrl.syncIgnitionConfig(managedKeyCredentialProvider, credentialProviderConfigIgn, pool, ownerReferenceCredentialProviderConfig(crioCredentialProviderConfig))
+				if err != nil {
+					klog.Infof("could not sync CRIO Credential Provider Ignition config for role %s: %v", role, err)
+					return fmt.Errorf("could not sync CRIO Credential Provider Ignition config: %w", err)
+				}
+			}
 
 			return err
 		}); err != nil {
@@ -1548,15 +1590,55 @@ func (ctrl *Controller) getPoolsForContainerRuntimeConfig(config *mcfgv1.Contain
 	return pools, nil
 }
 
-func crioCredentialProviderConfigIgnition(templateDir string, controllerConfig *mcfgv1.ControllerConfig, role, releaseImage string) error {
-	credProviderConfigIgn, err := generateOriginalCredentialProviderConfig(templateDir, controllerConfig, role)
+func crioCredentialProviderConfigIgnition(templateDir string, controllerConfig *mcfgv1.ControllerConfig, role string, crioCredentialProviderConfig *apicfgv1alpha1.CRIOCredentialProviderConfig) (*ign3types.Config, error) {
+
+	var credProviderConfigYaml []byte
+
+	originalCredProviderConfigIgn, credProviderConfigPath, err := generateOriginalCredentialProviderConfig(templateDir, controllerConfig, role)
 	if err != nil {
-		return fmt.Errorf("could not generate original CRIO credential provider config for role %s: %w", role, err)
+		return nil, fmt.Errorf("could not generate original CRIO credential provider config for role %s: %w", role, err)
 	}
-	contents, err := ctrlcommon.DecodeIgnitionFileContents(credProviderConfigIgn.Contents.Source, credProviderConfigIgn.Contents.Compression)
+	contents, err := ctrlcommon.DecodeIgnitionFileContents(originalCredProviderConfigIgn.Contents.Source, originalCredProviderConfigIgn.Contents.Compression)
 	if err != nil {
-		return fmt.Errorf("could not decode CRIO credential provider config for role %s: %w", role, err)
+		return nil, fmt.Errorf("could not decode CRIO credential provider config for role %s: %w", role, err)
 	}
 	klog.Infof("Decoded CRIO credential provider config contents successfully for role %s: %s", role, string(contents))
-	return nil
+
+	matchImages := make(map[string]bool)
+
+	credProviderConfigObject, err := credProviderConfigObject(contents)
+	if err != nil {
+		return nil, err
+	}
+	existingMatchImages := make(map[string]bool)
+	for _, provider := range credProviderConfigObject.Providers {
+		for _, image := range provider.MatchImages {
+			existingMatchImages[image] = true
+		}
+	}
+
+	var ignored []string
+	for _, img := range crioCredentialProviderConfig.Spec.MatchImages {
+		imgStr := string(img)
+		if _, exists := existingMatchImages[imgStr]; exists {
+			ignored = append(ignored, imgStr)
+			continue
+		}
+		matchImages[imgStr] = true
+	}
+	if len(ignored) > 0 {
+		// syncStatusOnly could be added here to update the status of the CRIOCredentialProviderConfig
+		klog.V(2).Infof("CRIOCredentialProviderConfig %s in namespace %s has ignored matchImages that already exist in the config: %v", crioCredentialProviderConfig.Name, crioCredentialProviderConfig.Namespace, ignored)
+	}
+
+	if len(matchImages) != 0 {
+		credProviderConfigYaml, err = updateCredentialProviderConfig(credProviderConfigObject, matchImages)
+		if err != nil {
+			return nil, err
+		}
+	}
+	credProviderConfigIgn := createNewIgnition([]generatedConfigFile{
+		{filePath: credProviderConfigPath, data: credProviderConfigYaml},
+	})
+	return &credProviderConfigIgn, nil
 }

pkg/controller/container-runtime-config/helpers.go

@@ -13,6 +13,7 @@ import (
 	"sort"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/BurntSushi/toml"
 	"github.com/containers/image/v5/docker/reference"
@@ -24,6 +25,7 @@ import (
 	"github.com/ghodss/yaml"
 	"github.com/opencontainers/go-digest"
 	apicfgv1 "github.com/openshift/api/config/v1"
+	apicfgv1alpha1 "github.com/openshift/api/config/v1alpha1"
 	apioperatorsv1alpha1 "github.com/openshift/api/operator/v1alpha1"
 	"github.com/openshift/runtime-utils/pkg/registries"
 	runtimeutils "github.com/openshift/runtime-utils/pkg/registries"
@@ -37,6 +39,8 @@ import (
 	"github.com/openshift/machine-config-operator/pkg/apihelpers"
 	ctrlcommon "github.com/openshift/machine-config-operator/pkg/controller/common"
 	"github.com/openshift/machine-config-operator/pkg/daemon/constants"
+	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
+	"k8s.io/utils/ptr"
 )
 
 const (
@@ -55,6 +59,8 @@ const (
 	CRIODropInFilePathDefaultRuntime = "/etc/crio/crio.conf.d/01-ctrcfg-defaultRuntime"
 	imagepolicyType                  = "sigstoreSigned"
 	sigstoreRegistriesConfigFilePath = "/etc/containers/registries.d/sigstore-registries.yaml"
+	crioCredentialProviderName       = "crio-credential-provider"
+	credentialProviderAPIVersion     = "credentialprovider.kubelet.k8s.io/v1"
 )
 
 var (
@@ -351,6 +357,12 @@ func notLatestContainerRuntimeConfigInPool(ctrcfgList []mcfgv1.ContainerRuntimeC
 	return false
 }
 
+func getManagedKeyCRIOCredentialProvider(pool *mcfgv1.MachineConfigPool) (string, error) {
+	return ctrlcommon.GetManagedKey(pool, nil, "97", "credentialproviderconfig", "")
+
+	// return ctrlcommon.GetManagedKey(pool, client, "97", "credentialproviderconfig", fmt.Sprintf("97-%s-%s-criocredentialprovider", pool.Name, pool.ObjectMeta.UID))
+}
+
 // Deprecated: use getManagedKeyReg
 func getManagedKeyRegDeprecated(pool *mcfgv1.MachineConfigPool) string {
 	return fmt.Sprintf("99-%s-%s-registries", pool.Name, pool.ObjectMeta.UID)
@@ -867,6 +879,15 @@ func ownerReferenceImageConfig(imageConfig *apicfgv1.Image) metav1.OwnerReferenc
 	}
 }
 
+func ownerReferenceCredentialProviderConfig(credentialProviderConfig *apicfgv1alpha1.CRIOCredentialProviderConfig) metav1.OwnerReference {
+	return metav1.OwnerReference{
+		APIVersion: apicfgv1alpha1.SchemeGroupVersion.String(),
+		Kind:       "CRIOCredentialProviderConfig",
+		Name:       credentialProviderConfig.Name,
+		UID:        credentialProviderConfig.UID,
+	}
+}
+
 func policyItemFromSpec(policy apicfgv1.Policy) (signature.PolicyRequirement, error) {
 	var (
 		sigstorePolicyRequirement signature.PolicyRequirement
@@ -1226,3 +1247,69 @@ func imagePolicyConfigFileList(namespaceJSONs map[string][]byte) []generatedConf
 	}
 	return namespacedPolicyConfigFileList
 }
+
+func credProviderConfigObject(contents []byte) (*kubeletconfig.CredentialProviderConfig, error) {
+	credProviderConfigObject := &kubeletconfig.CredentialProviderConfig{}
+	err := yaml.Unmarshal(contents, credProviderConfigObject)
+	if err != nil {
+		return nil, fmt.Errorf("error unmarshalling credential provider config: %w", err)
+	}
+	return credProviderConfigObject, nil
+}
+
+type credentialProviderConfigVersioned struct {
+	APIVersion string                             `yaml:"apiVersion"`
+	Kind       string                             `yaml:"kind"`
+	Providers  []kubeletconfig.CredentialProvider `yaml:"providers"`
+}
+
+func updateCredentialProviderConfig(credProviderConfigObject *kubeletconfig.CredentialProviderConfig, matchImages map[string]bool) ([]byte, error) {
+
+	// matchImages is not expected to be empty here as the caller should skip calling this function if there are no images
+	images := []string{}
+	for image := range matchImages {
+		images = append(images, image)
+	}
+
+	crioCredProviderExist := false
+	crioCredProviderIdx := -1
+	for i, provider := range credProviderConfigObject.Providers {
+
+		if provider.Name != crioCredentialProviderName {
+			continue
+		}
+
+		crioCredProviderExist = true
+		crioCredProviderIdx = i
+		break
+	}
+
+	if crioCredProviderExist && crioCredProviderIdx != -1 {
+		credProviderConfigObject.Providers[crioCredProviderIdx].MatchImages = images
+	} else {
+		newProvider := kubeletconfig.CredentialProvider{
+			Name:                 crioCredentialProviderName,
+			MatchImages:          images,
+			DefaultCacheDuration: &metav1.Duration{Duration: time.Second},
+			APIVersion:           credentialProviderAPIVersion,
+			TokenAttributes: &kubeletconfig.ServiceAccountTokenAttributes{
+				ServiceAccountTokenAudience: "https://kubernetes.default.svc",
+				RequireServiceAccount:       ptr.To(false),
+				CacheType:                   kubeletconfig.TokenServiceAccountTokenCacheType,
+			},
+		}
+		credProviderConfigObject.Providers = append(credProviderConfigObject.Providers, newProvider)
+	}
+
+	credProviderConfigVersionedObj := credentialProviderConfigVersioned{
+		APIVersion: "kubelet.config.k8s.io/v1",
+		Kind:       "CredentialProviderConfig",
+		Providers:  credProviderConfigObject.Providers,
+	}
+
+	credProviderConfigsYaml, err := yaml.Marshal(credProviderConfigVersionedObj)
+	if err != nil {
+		return nil, fmt.Errorf("error marshalling credential provider config: %v", err)
+	}
+	return credProviderConfigsYaml, nil
+}