From bf0564dc039957ade00c0f51a749422dd887f79d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Str=C3=B6ger=20Florian?=
Date: Wed, 4 Oct 2023 15:34:43 +0200
Subject: [PATCH] feat: create 'ecr-credential-provider' extension
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Issue: https://github.com/siderolabs/extensions/issues/241
Signed-off-by: Ströger Florian
---
 Makefile | 1 +
 README.md | 1 +
 .../ecr-credential-provider/README.md | 61 +++++++++++++++++++
 .../ecr-credential-provider/manifest.yaml | 11 ++++
 .../ecr-credential-provider/pkg.yaml | 40 ++++++++++++
 .../ecr-credential-provider/vars.yaml | 1 +
 container-runtime/vars.yaml | 2 +
 7 files changed, 117 insertions(+)
 create mode 100644 container-runtime/ecr-credential-provider/README.md
 create mode 100644 container-runtime/ecr-credential-provider/manifest.yaml
 create mode 100644 container-runtime/ecr-credential-provider/pkg.yaml
 create mode 100644 container-runtime/ecr-credential-provider/vars.yaml
diff --git a/Makefile b/Makefile
index 1dcf062a..7b8c1fd6 100644
--- a/Makefile
+++ b/Makefile
@@ -48,6 +48,7 @@ TARGETS = \
 chelsio-drivers \
 chelsio-firmware \
 drbd \
+ ecr-credential-provider \
 fuse3 \
 gasket-driver \
 gvisor \
diff --git a/README.md b/README.md
index 330af66f..c7ef0487 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,7 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi
 | ----------------------------------- | ------------------------------------------------------------------------------------------- | ----------------------------------------------- | ---------------------------------- |
 | [gvisor](container-runtime/gvisor/) | [ghcr.io/siderolabs/gvisor](https://github.com/siderolabs/extensions/pkgs/container/gvisor) | [gVisor](https://gvisor.dev/) container runtime | `upstream version`-`talos version` |
 | [stargz-snapshotter](container-runtime/stargz-snapshotter/) | [ghcr.io/siderolabs/stargz-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/stargz-snapshotter) | [Stargz Snapshotter](https://github.com/containerd/stargz-snapshotter) container runtime | `upstream version`-`talos version` |
+| [ecr-credential-provider](container-runtime/ecr-credential-provider) | [ghcr.io/siderolabs/ecr-credential-provider](https://github.com/siderolabs/extensions/pkgs/container/ecr-credential-provider) | [ECR Credential Provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) kubelet plugin | `upstream version` |
 ### Firmware
diff --git a/container-runtime/ecr-credential-provider/README.md b/container-runtime/ecr-credential-provider/README.md
new file mode 100644
index 00000000..31791341
--- /dev/null
+++ b/container-runtime/ecr-credential-provider/README.md
@@ -0,0 +1,61 @@
+# Kubelet ECR Credential Provider extension
+
+This extension provides the [ecr-credential-provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) binary,
+which can be executed by Kubelet to provide a short-lived token for pulling container images
+from Amazon Web Services' Elastic Container Registry (ECR).
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+You also need to configure `ecr-credential-provider` as a Kubelet image
+credential provider. For this you'll need to add two Kubelet arguments:
+
+```yaml
+- op: add
+ path: /machine/kubelet/extraArgs
+ value:
+ image-credential-provider-bin-dir: "/usr/local/lib/kubelet/credentialproviders"
+ image-credential-provider-config: "/var/lib/kubelet/credentialproviderconfig.yaml"
+```
+
+You'll also need to mount the binary to the kubelet container:
+
+```yaml
+- op: add
+ path: /machine/kubelet/extraMounts
+ value:
+ - destination: /usr/local/lib/kubelet
+ type: bind
+ source: /usr/local/lib/kubelet
+ options: [bind, ro]
+```
+
+and then create the `CredentialProviderConfig`:
+
+```yaml
+- op: add
+ path: /machine/files
+ value:
+ - op: create
+ path: /var/lib/kubelet/credentialproviderconfig.yaml
+ content: |
+ apiVersion: kubelet.config.k8s.io/v1
+ kind: CredentialProviderConfig
+ providers:
+ - name: ecr-credential-provider
+ matchImages:
+ - "*.dkr.ecr.*.amazonaws.com"
+ - "*.dkr.ecr.*.amazonaws.com.cn"
+ - "*.dkr.ecr-fips.*.amazonaws.com"
+ - "*.dkr.ecr.us-iso-east-1.c2s.ic.gov"
+ - "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
+ defaultCacheDuration: "12h"
+ apiVersion: credentialprovider.kubelet.k8s.io/v1
+```
+
+## More Information
+
+-
+-
+-
diff --git a/container-runtime/ecr-credential-provider/manifest.yaml b/container-runtime/ecr-credential-provider/manifest.yaml
new file mode 100644
index 00000000..421feb51
--- /dev/null
+++ b/container-runtime/ecr-credential-provider/manifest.yaml
@@ -0,0 +1,11 @@
+version: v1alpha1
+metadata:
+ name: ecr-credential-provider
+ version: "$VERSION"
+ author: Florian Ströger
+ description: |
+ This system extension provides a binary which implements Kubelet's CredentialProvider API
+ to authenticate against AWS' Elastic Container Registry and pull images.
+ compatibility:
+ talos:
+ version: ">= v1.0.0"
diff --git a/container-runtime/ecr-credential-provider/pkg.yaml b/container-runtime/ecr-credential-provider/pkg.yaml
new file mode 100644
index 00000000..a362394b
--- /dev/null
+++ b/container-runtime/ecr-credential-provider/pkg.yaml
@@ -0,0 +1,40 @@
+name: ecr-credential-provider
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+ - stage: base
+steps:
+ - sources:
+ - url: https://github.com/kubernetes/cloud-provider-aws/archive/refs/tags/{{ .VERSION }}.tar.gz
+ destination: cloud-provider-aws.tar.gz
+ sha256: 9d3e20d79facf336a466a1647dff8033007385fb628005c8bf84eb67330ba004
+ sha512: b9adc389be9301dc4be36c6bf546f354b9f2895cbad13d28d074dbab77f9aecec8d5fd02590d21c2a4acc91b559371adfe9702898c7880d92aea6657b315a539
+ env:
+ GOPATH: /go
+ prepare:
+ - |
+ sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
+ - |
+ mkdir -p ${GOPATH}/src/k8s.io/cloud-provider-aws
+
+ tar -xzf cloud-provider-aws.tar.gz --strip-components=1 -C ${GOPATH}/src/k8s.io/cloud-provider-aws
+ build:
+ - |
+ export PATH=${PATH}:${TOOLCHAIN}/go/bin
+
+ go build \
+ -C ${GOPATH}/src/k8s.io/cloud-provider-aws \
+ -o ./dist/ecr-credential-provider \
+ -ldflags "-s -w \
+ -X k8s.io/component-base/version.gitVersion={{ .VERSION }} \
+ -X main.gitVersion={{ .VERSION }}" \
+ ./cmd/ecr-credential-provider
+ install:
+ - install -D -m 0755
+ ${GOPATH}/src/k8s.io/cloud-provider-aws/dist/ecr-credential-provider
+ /rootfs/usr/local/lib/kubelet/credentialproviders/ecr-credential-provider
+finalize:
+ - from: /rootfs
+ to: /rootfs
+ - from: /pkg/manifest.yaml
+ to: /
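Review bot: The compatibility floor `version: ">= v1.0.0"` on the last line of the manifest hunk is looser than the configuration this extension's own README tells users to apply: the documented `CredentialProviderConfig` is `kubelet.config.k8s.io/v1`, which the kubelet accepts only from Kubernetes 1.26 onwards (earlier releases take `v1beta1`), and Talos v1.0 shipped a Kubernetes 1.23-series kubelet as far as I recall. On such a cluster the extension installs cleanly but the kubelet rejects the credential provider config at startup, which is harder to diagnose than a compatibility refusal at install time. Consider raising the floor to the first Talos release whose default Kubernetes is 1.26 or later, or at least record the constraint next to the version line: `# kubelet.config.k8s.io/v1 CredentialProviderConfig needs Kubernetes >= 1.26`.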
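Review bot: The `go build` invocation in the `build:` step omits `-trimpath`, so the absolute workspace path under `${GOPATH}/src/k8s.io/cloud-provider-aws` is embedded in the binary, which leaks build-host layout and makes the output non-reproducible even though the source tarball is pinned by sha256/sha512. `CGO_ENABLED` is also not set in `env`; if the toolchain's Go defaults to cgo, the binary may end up dynamically linked against the build stage's libc, which the kubelet container that executes it through the read-only bind mount may not provide — confirm against how the other Go extensions in this repo set it. Suggested lines: `CGO_ENABLED: 0` alongside `GOPATH: /go` in `env`, and `-trimpath \` as the first flag after `go build \`. Module dependencies are resolved at build time and verified only by the upstream `go.sum` inside the pinned tarball, which is acceptable but worth a one-line comment above `build:` naming that as the trust boundary.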
diff --git a/container-runtime/ecr-credential-provider/vars.yaml b/container-runtime/ecr-credential-provider/vars.yaml
new file mode 100644
index 00000000..d99b1fce
--- /dev/null
+++ b/container-runtime/ecr-credential-provider/vars.yaml
@@ -0,0 +1 @@
+VERSION: "{{ .CLOUD_PROVIDER_AWS_VERSION }}"
diff --git a/container-runtime/vars.yaml b/container-runtime/vars.yaml
index 0e90ef78..238a45f1 100644
--- a/container-runtime/vars.yaml
+++ b/container-runtime/vars.yaml
@@ -2,3 +2,5 @@ GVISOR_VERSION: 20231214.0
 # renovate: datasource=github-releases depName=containerd/stargz-snapshotter
 STARGZ_SNAPSHOTTER_VERSION: v0.14.3
+# renovate: datasource=github-releases depName=kubernetes/cloud-provider-aws
+CLOUD_PROVIDER_AWS_VERSION: v1.28.1