use custom struct with omitempty tags

QiWang19 · QiWang19 · commit fe6488bcfe87 · 2026-01-27T13:41:15.000-05:00
diff --git a/pkg/controller/container-runtime-config/container_runtime_config_controller.go b/pkg/controller/container-runtime-config/container_runtime_config_controller.go
@@ -690,6 +690,7 @@ func generateOriginalCredentialProviderConfig(templateDir string, cc *mcfgv1.Con
 	for _, gmc := range generatedConfigs {
 		config, errCredProvider = findCredProviderConfig(gmc, credProviderConfigPath)
 		if errCredProvider == nil {
+			klog.Infof("find credential provider config in generated config %s: %v", gmc.Name, errCredProvider)
 			gmcCredProviderConfig = config
 			break
 		}
@@ -1216,8 +1217,10 @@ func (ctrl *Controller) syncCRIOCredentialProviderConfig(key string) error {
 		klog.V(4).Infof("Finished syncing CRIOCredentialProvider config %q (%v)", key, time.Since(startTime))
 	}()
 
-	var crioCredentialProviderConfig *apicfgv1alpha1.CRIOCredentialProviderConfig
-	var err error
+	var (
+		crioCredentialProviderConfig *apicfgv1alpha1.CRIOCredentialProviderConfig
+		err                          error
+	)
 
 	if ctrl.crioCPObserversAdded {
 		crioCredentialProviderConfig, err = ctrl.criocpLister.Get("cluster")
@@ -1227,6 +1230,9 @@ func (ctrl *Controller) syncCRIOCredentialProviderConfig(key string) error {
 		} else if err != nil {
 			return err
 		}
+	} else {
+		klog.V(2).Infof("CRIOCredentialProviderConfig observer not added, skipping sync")
+		return nil
 	}
 
 	// Get ControllerConfig
@@ -1246,48 +1252,40 @@ func (ctrl *Controller) syncCRIOCredentialProviderConfig(key string) error {
 	}
 
 	for _, pool := range mcpPools {
-		role := pool.Name
 		applied := true
 
+		role := pool.Name
 		managedKeyCredentialProvider, err := getManagedKeyCRIOCredentialProvider(pool)
 		if err != nil {
 			return err
 		}
 
 		if err := retry.RetryOnConflict(updateBackoff, func() error {
-
 			if crioCredentialProviderConfig != nil {
 
 				credentialProviderConfigIgn, err := crioCredentialProviderConfigIgnition(ctrl.templatesDir, controllerConfig, role, crioCredentialProviderConfig)
 				if err != nil {
 					klog.Infof("could not generate CRIO Credential Provider Ignition config for role %s: %v", role, err)
 					return fmt.Errorf("could not generate CRIO Credential Provider Ignition config: %w", err)
 				}
-				applied, err = ctrl.syncIgnitionConfig(managedKeyCredentialProvider, credentialProviderConfigIgn, pool, ownerReferenceCredentialProviderConfig(crioCredentialProviderConfig))
+				ownerRef := ownerReferenceCredentialProviderConfig(crioCredentialProviderConfig)
+				klog.Infof("OwnerRef for CRIO Credential Provider Config: %v", ownerRef)
+				applied, err = ctrl.syncIgnitionConfig(managedKeyCredentialProvider, credentialProviderConfigIgn, pool, ownerRef)
 				if err != nil {
 					klog.Infof("could not sync CRIO Credential Provider Ignition config for role %s: %v", role, err)
 					return fmt.Errorf("could not sync CRIO Credential Provider Ignition config: %w", err)
 				}
 			}
+
 			return err
 		}); err != nil {
 			return fmt.Errorf("could not Create/Update MachineConfig: %w", err)
 		}
 
 		if applied {
-			klog.Infof("Applied CRIOCredentialProviderConfig on MachineConfigPool %v", pool.Name)
-			ctrlcommon.UpdateStateMetric(ctrlcommon.MCCSubControllerState, "machine-config-controller-container-runtime-config", "Sync CRIOCredentialProviderConfig", pool.Name)
-		}
-
-		// credProviderConfigIgn, err := generateOriginalCredentialProviderConfig(ctrl.templatesDir, controllerConfig, role)
-		// if err != nil {
-		// 	return fmt.Errorf("could not generate original CRIO credential provider config for role %s: %w", role, err)
-		// }
-		// contents, err := ctrlcommon.DecodeIgnitionFileContents(credProviderConfigIgn.Contents.Source, credProviderConfigIgn.Contents.Compression)
-		// if err != nil {
-		// 	return fmt.Errorf("could not decode CRIO credential provider config for role %s: %w", role, err)
-		// }
-		// klog.Infof("Decoded CRIO credential provider config contents successfully for role %s: %s", role, string(contents))
+			klog.Infof("Applied CRIOCredentialProviderConfig cluster on MachineConfigPool %v", pool.Name)
+			ctrlcommon.UpdateStateMetric(ctrlcommon.MCCSubControllerState, "machine-config-controller-container-runtime-config", "Sync CRIO Credential Provider Config", pool.Name)
+		}
 	}
 
 	return nil
diff --git a/pkg/controller/container-runtime-config/helpers.go b/pkg/controller/container-runtime-config/helpers.go
@@ -1248,22 +1248,44 @@ func imagePolicyConfigFileList(namespaceJSONs map[string][]byte) []generatedConf
 	return namespacedPolicyConfigFileList
 }
 
-func credProviderConfigObject(contents []byte) (*kubeletconfig.CredentialProviderConfig, error) {
-	credProviderConfigObject := &kubeletconfig.CredentialProviderConfig{}
+func credProviderConfigObject(contents []byte) (*credentialProviderConfigWithVersion, error) {
+	// Unmarshal into custom struct first to handle YAML with omitempty fields
+	credProviderConfigObject := &credentialProviderConfigWithVersion{}
 	err := yaml.Unmarshal(contents, credProviderConfigObject)
 	if err != nil {
 		return nil, fmt.Errorf("error unmarshalling credential provider config: %w", err)
 	}
+
 	return credProviderConfigObject, nil
 }
 
-type credentialProviderConfigVersioned struct {
-	APIVersion string                             `yaml:"apiVersion"`
-	Kind       string                             `yaml:"kind"`
-	Providers  []kubeletconfig.CredentialProvider `yaml:"providers"`
+// credentialProviderWithTag is a custom struct with omitempty tags to avoid null values in YAML
+type credentialProviderWithTag struct {
+	Name                 string                                  `json:"name"`
+	MatchImages          []string                                `json:"matchImages"`
+	DefaultCacheDuration *metav1.Duration                        `json:"defaultCacheDuration,omitempty"`
+	APIVersion           string                                  `json:"apiVersion"`
+	Args                 []string                                `json:"args,omitempty"`
+	Env                  []kubeletconfig.ExecEnvVar              `json:"env,omitempty"`
+	TokenAttributes      *serviceAccountTokenAttributesVersioned `json:"tokenAttributes,omitempty"`
+}
+
+// serviceAccountTokenAttributesVersioned is a custom struct with omitempty tags to avoid null values in YAML
+type serviceAccountTokenAttributesVersioned struct {
+	ServiceAccountTokenAudience          string                                     `json:"serviceAccountTokenAudience"`
+	CacheType                            kubeletconfig.ServiceAccountTokenCacheType `json:"cacheType"`
+	RequireServiceAccount                *bool                                      `json:"requireServiceAccount"`
+	RequiredServiceAccountAnnotationKeys []string                                   `json:"requiredServiceAccountAnnotationKeys,omitempty"`
+	OptionalServiceAccountAnnotationKeys []string                                   `json:"optionalServiceAccountAnnotationKeys,omitempty"`
+}
+
+type credentialProviderConfigWithVersion struct {
+	APIVersion string                       `json:"apiVersion"`
+	Kind       string                       `json:"kind"`
+	Providers  []*credentialProviderWithTag `json:"providers"`
 }
 
-func updateCredentialProviderConfig(credProviderConfigObject *kubeletconfig.CredentialProviderConfig, matchImages map[string]bool) ([]byte, error) {
+func updateCredentialProviderConfig(credProviderConfigObject *credentialProviderConfigWithVersion, matchImages map[string]bool) ([]byte, error) {
 
 	// matchImages is not expected to be empty here as the caller should skip calling this function if there are no images
 	images := []string{}
@@ -1287,12 +1309,12 @@ func updateCredentialProviderConfig(credProviderConfigObject *kubeletconfig.Cred
 	if crioCredProviderExist && crioCredProviderIdx != -1 {
 		credProviderConfigObject.Providers[crioCredProviderIdx].MatchImages = images
 	} else {
-		newProvider := kubeletconfig.CredentialProvider{
+		newProvider := &credentialProviderWithTag{
 			Name:                 crioCredentialProviderName,
 			MatchImages:          images,
 			DefaultCacheDuration: &metav1.Duration{Duration: time.Second},
 			APIVersion:           credentialProviderAPIVersion,
-			TokenAttributes: &kubeletconfig.ServiceAccountTokenAttributes{
+			TokenAttributes: &serviceAccountTokenAttributesVersioned{
 				ServiceAccountTokenAudience: "https://kubernetes.default.svc",
 				RequireServiceAccount:       ptr.To(false),
 				CacheType:                   kubeletconfig.TokenServiceAccountTokenCacheType,
@@ -1301,15 +1323,10 @@ func updateCredentialProviderConfig(credProviderConfigObject *kubeletconfig.Cred
 		credProviderConfigObject.Providers = append(credProviderConfigObject.Providers, newProvider)
 	}
 
-	credProviderConfigVersionedObj := credentialProviderConfigVersioned{
-		APIVersion: "kubelet.config.k8s.io/v1",
-		Kind:       "CredentialProviderConfig",
-		Providers:  credProviderConfigObject.Providers,
-	}
-
-	credProviderConfigsYaml, err := yaml.Marshal(credProviderConfigVersionedObj)
+	credProviderConfigsYaml, err := yaml.Marshal(credProviderConfigObject)
 	if err != nil {
 		return nil, fmt.Errorf("error marshalling credential provider config: %v", err)
 	}
+
 	return credProviderConfigsYaml, nil
 }
diff --git a/pkg/controller/container-runtime-config/helpers_test.go b/pkg/controller/container-runtime-config/helpers_test.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"log"
 	"os"
 	"reflect"
 	"testing"
@@ -27,7 +28,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/diff"
 	"k8s.io/apimachinery/pkg/util/yaml"
-	kubeletapiconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 	"k8s.io/utils/ptr"
 )
 
@@ -2353,16 +2353,16 @@ providers:
 		matchImages    []string
 		templateConfig []byte
 		expectError    bool
-		expectedConfig *credentialProviderConfigVersioned
+		expectedConfig *credentialProviderConfigWithVersion
 	}{
 		{
 			name:           "add crio-credential-provider when not present",
 			matchImages:    []string{"myhost.com", "quay.io"},
 			templateConfig: templateCredProviderConfig,
-			expectedConfig: &credentialProviderConfigVersioned{
+			expectedConfig: &credentialProviderConfigWithVersion{
 				APIVersion: "kubelet.config.k8s.io/v1",
 				Kind:       "CredentialProviderConfig",
-				Providers: []kubeletapiconfig.CredentialProvider{
+				Providers: []*credentialProviderWithTag{
 					{
 						Name:                 "gcr-credential-provider",
 						APIVersion:           "credentialprovider.kubelet.k8s.io/v1",
@@ -2375,7 +2375,7 @@ providers:
 						MatchImages:          []string{"myhost.com", "quay.io"},
 						APIVersion:           "credentialprovider.kubelet.k8s.io/v1",
 						DefaultCacheDuration: &metav1.Duration{Duration: time.Second},
-						TokenAttributes: &kubeletapiconfig.ServiceAccountTokenAttributes{
+						TokenAttributes: &serviceAccountTokenAttributesVersioned{
 							ServiceAccountTokenAudience: "https://kubernetes.default.svc",
 							CacheType:                   "Token",
 							RequireServiceAccount:       ptr.To(false),
@@ -2388,10 +2388,10 @@ providers:
 			name:           "crio-credential-provider already present",
 			matchImages:    []string{"myhost.com"},
 			templateConfig: templateCredProviderConfigWithCRIOProvider,
-			expectedConfig: &credentialProviderConfigVersioned{
+			expectedConfig: &credentialProviderConfigWithVersion{
 				APIVersion: "kubelet.config.k8s.io/v1",
 				Kind:       "CredentialProviderConfig",
-				Providers: []kubeletapiconfig.CredentialProvider{
+				Providers: []*credentialProviderWithTag{
 					{
 						Name:                 "gcr-credential-provider",
 						APIVersion:           "credentialprovider.kubelet.k8s.io/v1",
@@ -2404,7 +2404,7 @@ providers:
 						MatchImages:          []string{"myhost.com"},
 						APIVersion:           "credentialprovider.kubelet.k8s.io/v1",
 						DefaultCacheDuration: &metav1.Duration{Duration: time.Second},
-						TokenAttributes: &kubeletapiconfig.ServiceAccountTokenAttributes{
+						TokenAttributes: &serviceAccountTokenAttributesVersioned{
 							ServiceAccountTokenAudience: "https://kubernetes.default.svc",
 							CacheType:                   "Token",
 							RequireServiceAccount:       ptr.To(false),
@@ -2431,7 +2431,9 @@ providers:
 			}
 			require.NoError(t, err)
 
-			var gotConfig credentialProviderConfigVersioned
+			log.Println("updated bytes: ", string(updatedConfigBytes))
+
+			var gotConfig credentialProviderConfigWithVersion
 			err = yaml.Unmarshal(updatedConfigBytes, &gotConfig)
 			require.NoError(t, err)
 			assert.Equal(t, tt.expectedConfig, &gotConfig)
