Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable environment variables for Kubernetes credential providers #2934

Merged
merged 1 commit into from
Apr 10, 2023
Merged

Enable environment variables for Kubernetes credential providers #2934

merged 1 commit into from
Apr 10, 2023

Conversation

stmcginnis
Copy link
Contributor

Issue number:

Closes #2602

Description of changes:

This adds the capability to provide environment variables that can be passed through to the Kubernetes credential provider configuration.

This makes it possible to provide user data settings like:

[settings.kubernetes.credential-providers.my-provider.env-variables]
"GOMAXPROCS" = "2"

and have that show up in the credential provider configuration file as:

providers:
  - name: my-provider
    matchImages:
      - "*.dkr.ecr.us-east-2.amazonaws.com"
    apiVersion: credentialprovider.kubelet.k8s.io/v1alpha1
    env:
      - name: GOMAXPROCS
        value: 2

Testing done:

Deployed node and verified launched successfully.

Ran:

apiclient apply <<EOL
  [settings.kubernetes.credential-providers.ecr-credential-provider]
  enabled = true
  # (optional - defaults to "12h")
  cache-duration = "30m"
  image-patterns = [
    # One or more URL paths to match an image prefix. Supports globbing of subdomains.
    "*.dkr.ecr.us-east-2.amazonaws.com",
    "*.dkr.ecr.us-west-2.amazonaws.com"
  ]
EOL

Checked kubelet status and cat'd `/etc/kubernetes/kubelet/credential-provider-config.yaml to make sure it reflected normal (pre-this change) configuration.

Ran:

apiclient apply <<EOL
  [settings.kubernetes.credential-providers.ecr-credential-provider.env-variables]
  # The following are not used with ecr-credential-provider, but are provided for illustration
  "KEY" = "abc123xyz"
  "GOMAXPROCS" = "2"
EOL

Checked kubelet status and cat'd /etc/kubernetes/kubelet/credential-provider-config.yaml to see that it now contained the expected env:` entries.

On new clean nodes, tried specifying all settings at once, and only current settings with adding environment variables later to make sure there was proper handling for template generation in all cases.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

webern
webern approved these changes Mar 23, 2023
View reviewed changes
packages/kubernetes-1.22/credential-provider-config-yaml Outdated
@@ -11,8 +11,15 @@ providers:
{{/each}}
defaultCacheDuration: "{{default "12h" this.cache-duration}}"
apiVersion: credentialprovider.kubelet.k8s.io/v1alpha1
{{#if (eq @key "ecr-credential-provider")}}
{{#if (or (eq @key "ecr-credential-provider") this.env-variables)}}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😅

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right?!

sources/models/src/modeled_types/kubernetes.rs Outdated
#[serde(rename_all = "kebab-case")]
pub struct CredentialProvider {
enabled: bool,
image_patterns: Vec<SingleLineString>,
cache_duration: Option<KubernetesDurationValue>,
env_variables: Option<EnvVarMap>,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably doesn't matter here, but these will be randomly ordered when iterated for the config file.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, it shouldn't matter what order these come in as in the final rendering of the template. They all just end up being environment variables in the credential process.

I briefly considered using a BTreeMap, but it ultimately doesn't matter.

gthao313
gthao313 approved these changes Mar 27, 2023
View reviewed changes
Copy link
Member

@gthao313 gthao313 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

bcressey
bcressey reviewed Apr 4, 2023
View reviewed changes
README.md Outdated Show resolved Hide resolved
packages/kubernetes-1.22/credential-provider-config-yaml Show resolved Hide resolved
packages/kubernetes-1.22/credential-provider-config-yaml Outdated Show resolved Hide resolved
@stmcginnis
kubelet: Enable env variables for cred providers
2fcb890 
This adds the capability to provide environment variables that can be
passed through to the Kubernetes credential provider configuration.

Signed-off-by: Sean McGinnis <[email protected]>
@stmcginnis stmcginnis merged commit 570d90b into bottlerocket-os:develop Apr 10, 2023
@stmcginnis stmcginnis deleted the cred-prov-env branch April 10, 2023 00:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bcressey bcressey bcressey approved these changes

@webern webern webern approved these changes

@gthao313 gthao313 gthao313 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support env in CredentialProviderConfig
4 participants
@stmcginnis @bcressey @webern @gthao313