Add credential provider option to kubeadm

cluster/kubeadm/kubeadm.go

@@ -0,0 +1,38 @@
+package kubeadm
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/openconfig/kne/exec/run"
+)
+
+const (
+	kubeadmFlagPath = "/var/lib/kubelet/kubeadm-flags.env"
+)
+
+// EnableCredentialProvider enables a credential provider according
+// to the specified config file on the kubelet.
+func EnableCredentialProvider(cfgPath string) error {
+	if err := run.LogCommand("sudo", "kubeadm", "upgrade", "node", "phase", "kubelet-config"); err != nil {
+		return err
+	}
+	b, err := os.ReadFile(kubeadmFlagPath)
+	if err != nil {
+		return err
+	}
+	s, _ := strings.CutSuffix(string(b), `"`)
+	s = fmt.Sprintf(`%s --image-credential-provider-config=%s --image-credential-provider-bin-dir=/etc/kubernetes/bin"`, s, cfgPath)
+	f, err := os.Create(kubeadmFlagPath)
+	if err != nil {
+		return err
+	}
+	if _, err := f.WriteString(s); err != nil {
+		return err
+	}
+	if err := run.LogCommand("sudo", "systemctl", "restart", "kubelet"); err != nil {
+		return err
+	}
+	return nil
+}

controller/server/main.go

@@ -27,6 +27,7 @@ import (
 	"time"
 
 	log "github.com/golang/glog"
+	"github.com/openconfig/kne/cluster/kubeadm"
 	"github.com/openconfig/kne/deploy"
 	"github.com/openconfig/kne/exec/run"
 	cpb "github.com/openconfig/kne/proto/controller"
@@ -588,6 +589,11 @@ func (s *server) JoinCluster(ctx context.Context, req *cpb.JoinClusterRequest) (
 	if err := run.LogCommand("sudo", args...); err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to join kubeadm cluster: %v", err)
 	}
+	if req.GetCredentialProviderConfig() != "" {
+		if err := kubeadm.EnableCredentialProvider(req.GetCredentialProviderConfig()); err != nil {
+			return nil, err
+		}
+	}
 	return &cpb.JoinClusterResponse{}, nil
 }
 

deploy/deploy.go

@@ -19,6 +19,7 @@ import (
 	"github.com/openconfig/gnmi/errlist"
 	metallbclientv1 "github.com/openconfig/kne/api/metallb/clientset/v1beta1"
 	"github.com/openconfig/kne/cluster/kind"
+	"github.com/openconfig/kne/cluster/kubeadm"
 	"github.com/openconfig/kne/events"
 	"github.com/openconfig/kne/exec/run"
 	"github.com/openconfig/kne/load"
@@ -420,6 +421,7 @@ type KubeadmSpec struct {
 	PodNetworkCIDR              string `yaml:"podNetworkCIDR"`
 	PodNetworkAddOnManifest     string `yaml:"podNetworkAddOnManifest" kne:"yaml"`
 	PodNetworkAddOnManifestData []byte
+	CredentialProviderConfig    string `yaml:"credentialProviderConfig" kne:"yaml"`
 	TokenTTL                    string `yaml:"tokenTTL"`
 	Network                     string `yaml:"network"`
 	AllowControlPlaneScheduling bool   `yaml:"allowControlPlaneScheduling"`
@@ -493,7 +495,12 @@ func (k *KubeadmSpec) Deploy(ctx context.Context) error {
 			return err
 		}
 	}
-
+	// If credential provider config provided, apply it.
+	if k.CredentialProviderConfig != "" {
+		if err := kubeadm.EnableCredentialProvider(k.CredentialProviderConfig); err != nil {
+			return err
+		}
+	}
 	// Create a new docker network if not specified.
 	if k.Network == "" {
 		k.Network = "kne-kubeadm-" + uuid.New()

manifests/kube/credential-provider-config.yaml

@@ -0,0 +1,14 @@
+kind: CredentialProviderConfig
+apiVersion: kubelet.config.k8s.io/v1
+providers:
+- name: auth-provider-gcp
+  apiVersion: credentialprovider.kubelet.k8s.io/v1
+  matchImages:
+  - "container.cloud.google.com"
+  - "gcr.io"
+  - "*.gcr.io"
+  - "*.pkg.dev"
+  args:
+  - get-credentials
+  - --v=3
+  defaultCacheDuration: 1m

proto/controller.proto

@@ -72,6 +72,7 @@ message KubeadmSpec {
   string token_ttl = 4;
   string network = 5; // name of the docker network to use for ingress
   bool allow_control_plane_scheduling = 6;
+  string credential_provider_config = 7;
 }
 
 // External cluster specifications
@@ -286,6 +287,7 @@ message JoinClusterRequest {
   string token = 2;
   string discovery_token_ca_cert_hash = 3;
   string cri_socket = 4;
+  string credential_provider_config = 5;
 }
 
 // Returns join cluster response.