feat: cse support credential provider and vhd cache binary for Linux #4258
Conversation
mainred
requested review from
juan-lee,
cameronmeissner,
UtheMan,
ganeshkumarashok,
anujmaheshwari1,
AlisonB319,
Devinwong,
lilypan26,
ShiqianTao,
AbelHu,
junjiezhang1997 and
jason1028kr
as code owners
mainred
force-pushed
the
qinhao/credential-provider
branch
from
74af154 to
019f1f7
Compare
| EOF | ||
| } | ||
| # remove blank lines from the config file. | ||
| sed -i '/^$/d' ${CREDENTIAL_PROVIDER_CONFIG_FILE} |
There was a problem hiding this comment.
if L721 condition does not meet, there'll be a blank line left over.
| @@ -503,6 +503,14 @@ EOF | |||
| # for DNS. | |||
| iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP | |||
| EOF | |||
|
|
|||
| # check if kubelet flags contain image-credential-provider-config and image-credential-provider-bin-dir | |||
| if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then | |||
There was a problem hiding this comment.
before 1.30 these two flags are optional
| @@ -408,6 +408,15 @@ fi | |||
| stop_watch $capture_time "GPU Device plugin" false | |||
| start_watch | |||
|
|
|||
| # Kubelet credential provider plugins | |||
| CREDENTIAL_PROVIDER_VERSIONS=" | |||
| " | |||
There was a problem hiding this comment.
There's no release published yet.
Same case for Windows VHD packer script.
There was a problem hiding this comment.
where is windows packer script?
There was a problem hiding this comment.
I guess we'd need something similar here: https://github.com/Azure/AgentBaker/blob/master/vhdbuilder/packer/generate-windows-vhd-configuration.ps1
mainred
force-pushed
the
qinhao/credential-provider
branch
from
019f1f7 to
57f9fef
Compare
mainred
force-pushed
the
qinhao/credential-provider
branch
from
57f9fef to
e213418
Compare
| # Kubelet credential provider | ||
| $global:CredentialProviderURL = "{{GetParameter "windowsCredentialProviderURL"}}" | ||
| $global:CredentialProviderBinDir = "c:\var\lib\kubelet\credential-provider" | ||
| $global:CredentialProviderConfDir = "c:\var\lib\kubelet" |
There was a problem hiding this comment.
Should use c:\k instead because c:\k is the working folder of kuberentes for Windows node, and the other folder will bring error like access failure.
In my test, "c:\var\lib\kubelet" lead to access failure when writing the configure file.
|Access to the path 'C:\var\lib\kubelet\credential-provider-config.yaml' is denied.
mainred
force-pushed
the
qinhao/credential-provider
branch
2 times, most recently
from
7123bbd to
ebbdb5d
Compare
mainred
force-pushed
the
qinhao/credential-provider
branch
from
ebbdb5d to
f1bcfe6
Compare
mainred
force-pushed
the
qinhao/credential-provider
branch
from
dfd1c8c to
1646a1c
Compare
|
|
||
| // Full path to the Windows credential provider (tar.gz) to use. | ||
| // For example: https://acs-mirror.azureedge.net/cloud-provider-azure/v1.29.4/binaries/azure-acr-credential-provider-windows-amd64-v1.29.4.tar.gz | ||
| WindowsCredentialProviderURL string |
There was a problem hiding this comment.
are these specifically for ACR? if so can we reflect that in their names?
e.g. WindowsACRCredentialProviderURL
There was a problem hiding this comment.
CredentialProviderURL is enough, credentialprovider is an official indicating container registry credential provider and in our case acr.
| @@ -503,6 +503,14 @@ EOF | |||
| # for DNS. | |||
| iptables -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP | |||
| EOF | |||
|
|
|||
| # check if kubelet flags contain image-credential-provider-config and image-credential-provider-bin-dir | |||
| if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* && $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then | |||
There was a problem hiding this comment.
nit: separate clauses with 2 separate [[ ]]'s
if [[ $KUBELET_FLAGS == *"image-credential-provider-config"* ]] && [[ $KUBELET_FLAGS == *"image-credential-provider-bin-dir"* ]]; then
There was a problem hiding this comment.
I think it makes no difference between these two if logic.
| CREDENTIAL_PROVIDER_CONFIG_FILE=/var/lib/kubelet/credential-provider-config.yaml | ||
| mkdir -p "$(dirname "${CREDENTIAL_PROVIDER_CONFIG_FILE}")" | ||
| touch "${CREDENTIAL_PROVIDER_CONFIG_FILE}" | ||
| tee "${CREDENTIAL_PROVIDER_CONFIG_FILE}" > /dev/null <<EOF |
There was a problem hiding this comment.
nit: just use cat instead of tee'ing and piping output to the null device
There was a problem hiding this comment.
tee is the common tool used in case to write files, so I it's good to keep it as it is.
| CREDENTIAL_PROVIDER_CONFIG_FILE=/var/lib/kubelet/credential-provider-config.yaml | ||
| mkdir -p "$(dirname "${CREDENTIAL_PROVIDER_CONFIG_FILE}")" | ||
| touch "${CREDENTIAL_PROVIDER_CONFIG_FILE}" | ||
| tee "${CREDENTIAL_PROVIDER_CONFIG_FILE}" > /dev/null <<EOF |
There was a problem hiding this comment.
| tee "${CREDENTIAL_PROVIDER_CONFIG_FILE}" > /dev/null <<EOF | |
| cat > "${CREDENTIAL_PROVIDER_CONFIG_FILE}" <<EOF |
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Requirements:
Special notes for your reviewer:
Release note: