OCPNODE-3753: CRIOCredentialProviderConfig for Namespace-Scoped Mirror Authentication

[QiWang19]

Propose a new CRIOCredentialProviderConfig CRD that enables use namespace-scoped secrets for mirror registry authentication.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[QiWang19]

/test all

[saschagrunert]

Great write-up, it nicely summarizes the whole effort!

[QiWang19]

@saschagrunert PTAL

[saschagrunert]

Overall LGTM 👍

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: saschagrunert
Once this PR has been reviewed and has the lgtm label, please assign dhellmann for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[saschagrunert]

/lgtm

[openshift-ci-robot]

@QiWang19: This pull request references OCPNODE-3753 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

Propose a new CRIOCredentialProviderConfig CRD that enables use namespace-scoped secrets for mirror registry authentication.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@QiWang19: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[saschagrunert]

/lgtm

[lyman9966]

Suggested change

	3. Cluster Admin configures cluster-wide `CRIOCredentialProviderConfig` object specifying source registries that should trigger `crio-credential-provider`
	4. Cluster Admin configures cluster-wide `CRIOCredentialProviderConfig` object specifying source registries that should trigger `crio-credential-provider`

[lyman9966]

Suggested change

	- Extend the container runtime config controller to manage the `CRIOCredentialProviderConfig` objects
	- Extends the container runtime config controller to manage the `CRIOCredentialProviderConfig` objects

[lyman9966]

Suggested change

	- Finds mirror pull secrets in Pod namespace (team-alpha-mirror-secret) by using the service account token from the request
	- Finds mirror pull secrets in Pod namespace (app-team-alpha-mirror-secret) by using the service account token from the request

[lyman9966]

In previous 'Component Changes & Interactions' part, it describes:
If the auth file generated by crio-credential-provider exists, moves the auth file from /etc/crio/auth/<NAMESPACE>-<IMAGE_NAME_SHA256>.json to a unique temporary location (/etc/crio/auth/in-use/<NAMESPACE>-<IMAGE_NAME_SHA256>-<UUID>.json) for each image pull

So it's better to add the part of moving auth file to a unique temporary directory

[lyman9966]

I'm not sure if this enhancement have strict formatting requirements. It seems the font and color of titles at each level are not consistent. It's better to standardize.

[bitoku]

I think it's just a problem of github, not the content.

[bitoku]

What was the reason why we return empty credential instead of returning the token in the response?

I think we discussed it somewhere, but I forgot where it was.

[saschagrunert]

The kubelet will ignore the credentials within the response if it does not match the original image (without tag or digest). Means the we cannot pass the credentials there.