From f440a69c704203c4417079d4c93bc71d466634f0 Mon Sep 17 00:00:00 2001 From: Andrew Sy Kim Date: Thu, 10 Mar 2022 15:57:25 +0000 Subject: [PATCH 1/7] test/e2e_node: install and configure kubelet credential provider Signed-off-by: Andrew Sy Kim Co-authored-by: Aditi Sharma --- test/e2e_node/builder/build.go | 1 + test/e2e_node/remote/node_e2e.go | 18 +++++++++++++++++- test/e2e_node/remote/utils.go | 23 +++++++++++++++++++++++ 3 files changed, 41 insertions(+), 1 deletion(-) diff --git a/test/e2e_node/builder/build.go b/test/e2e_node/builder/build.go index 33699358b58..afaf3341ba0 100644 --- a/test/e2e_node/builder/build.go +++ b/test/e2e_node/builder/build.go @@ -35,6 +35,7 @@ var buildTargets = []string{ "test/e2e_node/e2e_node.test", "vendor/github.com/onsi/ginkgo/ginkgo", "cluster/gce/gci/mounter", + "cluster/gce/gci/credential-provider", } // BuildGo builds k8s binaries. diff --git a/test/e2e_node/remote/node_e2e.go b/test/e2e_node/remote/node_e2e.go index 4ebd1859554..ab8f40beeb0 100644 --- a/test/e2e_node/remote/node_e2e.go +++ b/test/e2e_node/remote/node_e2e.go @@ -60,7 +60,7 @@ func (n *NodeE2ERemote) SetupTestPackage(tardir, systemSpecName string) error { } // Copy binaries - requiredBins := []string{"kubelet", "e2e_node.test", "ginkgo", "mounter"} + requiredBins := []string{"kubelet", "e2e_node.test", "ginkgo", "mounter", "credential-provider"} for _, bin := range requiredBins { source := filepath.Join(buildOutputDir, bin) if _, err := os.Stat(source); err != nil { @@ -102,6 +102,16 @@ func prependMemcgNotificationFlag(args string) string { return "--kubelet-flags=--kernel-memcg-notification=true " + args } +// prependGCPCredentialProviderFlag prepends the flags for enabling +// a credential provider plugin. +func prependGCPCredentialProviderFlag(args, workspace string) string { + credentialProviderConfig := filepath.Join(workspace, "credential-provider.yaml") + disableIntreeCredentialProviderFlag := "--kubelet-flags=--feature-gates=DisableKubeletCloudCredentialProviders=true" + configFlag := fmt.Sprintf("--kubelet-flags=--image-credential-provider-config=%s", credentialProviderConfig) + binFlag := fmt.Sprintf("--kubelet-flags=--image-credential-provider-bin-dir=%s", workspace) + return fmt.Sprintf("%s %s %s %s", disableIntreeCredentialProviderFlag, configFlag, binFlag, args) +} + // osSpecificActions takes OS specific actions required for the node tests func osSpecificActions(args, host, workspace string) (string, error) { output, err := getOSDistribution(host) @@ -114,6 +124,7 @@ func osSpecificActions(args, host, workspace string) (string, error) { return args, setKubeletSELinuxLabels(host, workspace) case strings.Contains(output, "gci"), strings.Contains(output, "cos"): args = prependMemcgNotificationFlag(args) + args = prependGCPCredentialProviderFlag(args, workspace) return prependCOSMounterFlag(args, host, workspace) case strings.Contains(output, "ubuntu"): return prependMemcgNotificationFlag(args), nil @@ -166,6 +177,11 @@ func (n *NodeE2ERemote) RunTest(host, workspace, results, imageDesc, junitFilePr return "", err } + // Install the kubelet credential provider plugin + if err := configureCredentialProvider(host, workspace); err != nil { + return "", err + } + // Kill any running node processes cleanupNodeProcesses(host) diff --git a/test/e2e_node/remote/utils.go b/test/e2e_node/remote/utils.go index 044a3e838bb..48408929574 100644 --- a/test/e2e_node/remote/utils.go +++ b/test/e2e_node/remote/utils.go @@ -48,6 +48,16 @@ const cniConfig = `{ } ` +const credentialProviderConfig = `kind: CredentialProviderConfig +apiVersion: kubelet.config.k8s.io/v1alpha1 +providers: + - name: credential-provider + apiVersion: credentialprovider.kubelet.k8s.io/v1alpha1 + matchImages: + - "gcr.io" + - "*.gcr.io" + defaultCacheDuration: 1m` + // Install the cni plugin and add basic bridge configuration to the // configuration directory. func setupCNI(host, workspace string) error { @@ -76,6 +86,19 @@ func setupCNI(host, workspace string) error { return nil } +func configureCredentialProvider(host, workspace string) error { + klog.V(2).Infof("Configuring kubelet credential provider on %q", host) + + cmd := getSSHCommand(" ; ", + fmt.Sprintf("echo %s > %s", quote(credentialProviderConfig), filepath.Join(workspace, "credential-provider.yaml")), + ) + if output, err := SSH(host, "sh", "-c", cmd); err != nil { + return fmt.Errorf("failed to write credential provider configuration on %q: %v output: %q", host, err, output) + } + + return nil +} + // configureFirewall configures iptable firewall rules. func configureFirewall(host string) error { klog.V(2).Infof("Configure iptables firewall rules on %q", host) From 758d78a662e7b39ba9ab4fba970e96840402fcf8 Mon Sep 17 00:00:00 2001 From: Andrew Sy Kim Date: Thu, 10 Mar 2022 15:58:37 +0000 Subject: [PATCH 2/7] test/e2e_node: add a test pulling a private GCR image Signed-off-by: Andrew Sy Kim Co-authored-by: Aditi Sharma --- test/e2e_node/image_credential_provider.go | 63 ++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 test/e2e_node/image_credential_provider.go diff --git a/test/e2e_node/image_credential_provider.go b/test/e2e_node/image_credential_provider.go new file mode 100644 index 00000000000..b94917f3c7c --- /dev/null +++ b/test/e2e_node/image_credential_provider.go @@ -0,0 +1,63 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package e2enode + +import ( + "github.com/onsi/ginkgo" + + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/uuid" + "k8s.io/kubernetes/test/e2e/framework" + imageutils "k8s.io/kubernetes/test/utils/image" +) + +var _ = SIGDescribe("ImageCredentialProvider [Feature:KubeletCredentialProviders]", func() { + f := framework.NewDefaultFramework("image-credential-provider") + var podClient *framework.PodClient + + ginkgo.BeforeEach(func() { + podClient = f.PodClient() + }) + + /* + Release: v1.24 + Testname: Test kubelet image pull with external credential provider plugins + Description: Create Pod with an image from a private registry. This test assumes that the kubelet credential provider plugin is enabled for the registry hosting imageutils.AgnhostPrivate. + */ + ginkgo.It("should be able to create pod with image credentials fetched from external credential provider ", func() { + privateimage := imageutils.GetConfig(imageutils.AgnhostPrivate) + name := "pod-auth-image-" + string(uuid.NewUUID()) + pod := &v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "container-auth-image", + Image: privateimage.GetE2EImage(), + ImagePullPolicy: v1.PullAlways, + }, + }, + }, + } + + // CreateSync tests that the Pod is running and ready + podClient.CreateSync(pod) + }) +}) From ddeb1e1352832de931ef2d1252e49b38ab61cb33 Mon Sep 17 00:00:00 2001 From: Andrew Sy Kim Date: Thu, 10 Mar 2022 15:56:48 +0000 Subject: [PATCH 3/7] cluster/gce/gci/credential-provider: add barebones GCP credential provider for testing only Signed-off-by: Andrew Sy Kim Co-authored-by: Aditi Sharma --- cluster/gce/gci/credential-provider/main.go | 77 +++++++++++ .../gce/gci/credential-provider/provider.go | 122 ++++++++++++++++++ test/e2e_node/remote/node_e2e.go | 4 +- test/e2e_node/remote/utils.go | 2 + 4 files changed, 203 insertions(+), 2 deletions(-) create mode 100644 cluster/gce/gci/credential-provider/main.go create mode 100644 cluster/gce/gci/credential-provider/provider.go diff --git a/cluster/gce/gci/credential-provider/main.go b/cluster/gce/gci/credential-provider/main.go new file mode 100644 index 00000000000..29b1c89db39 --- /dev/null +++ b/cluster/gce/gci/credential-provider/main.go @@ -0,0 +1,77 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package main + +import ( + "encoding/json" + "errors" + "io" + "io/ioutil" + "net/http" + "os" + "time" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/klog/v2" + credentialproviderv1alpha1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1" +) + +func main() { + if err := getCredentials(os.Stdout); err != nil { + klog.Fatalf("failed to get credentials: %v", err) + } +} + +func getCredentials(w io.Writer) error { + provider := &provider{ + client: &http.Client{ + Timeout: 10 * time.Second, + }, + } + + data, err := ioutil.ReadAll(os.Stdin) + if err != nil { + return err + } + + var authRequest credentialproviderv1alpha1.CredentialProviderRequest + err = json.Unmarshal(data, &authRequest) + if err != nil { + return err + } + + auth, err := provider.Provide(authRequest.Image) + if err != nil { + return err + } + + response := &credentialproviderv1alpha1.CredentialProviderResponse{ + TypeMeta: metav1.TypeMeta{ + Kind: "CredentialProviderResponse", + APIVersion: "credentialprovider.kubelet.k8s.io/v1alpha1", + }, + CacheKeyType: credentialproviderv1alpha1.RegistryPluginCacheKeyType, + Auth: auth, + } + + if err := json.NewEncoder(w).Encode(response); err != nil { + // The error from json.Marshal is intentionally not included so as to not leak credentials into the logs + return errors.New("error marshaling response") + } + + return nil +} diff --git a/cluster/gce/gci/credential-provider/provider.go b/cluster/gce/gci/credential-provider/provider.go new file mode 100644 index 00000000000..3ba61e0557a --- /dev/null +++ b/cluster/gce/gci/credential-provider/provider.go @@ -0,0 +1,122 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Originally copied from pkg/credentialproviders/gcp +package main + +import ( + "encoding/json" + "errors" + "fmt" + "io" + "io/ioutil" + "net/http" + + credentialproviderv1alpha1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1" +) + +const ( + metadataToken = "http://metadata.google.internal./computeMetadata/v1/instance/service-accounts/default/token" + metadataEmail = "http://metadata.google.internal./computeMetadata/v1/instance/service-accounts/default/email" + maxReadLength = 10 * 1 << 20 // 10MB +) + +var containerRegistryUrls = []string{"container.cloud.google.com", "gcr.io", "*.gcr.io", "*.pkg.dev"} + +// HTTPError wraps a non-StatusOK error code as an error. +type HTTPError struct { + StatusCode int + URL string +} + +var _ error = &HTTPError{} + +// Error implements error +func (h *HTTPError) Error() string { + return fmt.Sprintf("http status code: %d while fetching url %s", + h.StatusCode, h.URL) +} + +// TokenBlob is used to decode the JSON blob containing an access token +// that is returned by GCE metadata. +type TokenBlob struct { + AccessToken string `json:"access_token"` +} + +type provider struct { + client *http.Client +} + +func (p *provider) Provide(image string) (map[string]credentialproviderv1alpha1.AuthConfig, error) { + cfg := map[string]credentialproviderv1alpha1.AuthConfig{} + + tokenJSONBlob, err := readURL(p.tokenEndpoint, p.client) + if err != nil { + return cfg, err + } + + var parsedBlob TokenBlob + if err := json.Unmarshal(tokenJSONBlob, &parsedBlob); err != nil { + return cfg, err + } + + authConfig := credentialproviderv1alpha1.AuthConfig{ + Username: "_token", + Password: parsedBlob.AccessToken, + } + + // Add our entry for each of the supported container registry URLs + for _, k := range containerRegistryUrls { + cfg[k] = authConfig + } + return cfg, nil +} + +func readURL(url string, client *http.Client) (body []byte, err error) { + req, err := http.NewRequest("GET", url, nil) + if err != nil { + return nil, err + } + + rea.Header = &http.Header{ + "Metadata-Flavor": []string{"Google"}, + } + + resp, err := client.Do(req) + if err != nil { + return nil, err + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return nil, &HTTPError{ + StatusCode: resp.StatusCode, + URL: url, + } + } + + limitedReader := &io.LimitedReader{R: resp.Body, N: maxReadLength} + contents, err := ioutil.ReadAll(limitedReader) + if err != nil { + return nil, err + } + + if limitedReader.N <= 0 { + return nil, errors.New("the read limit is reached") + } + + return contents, nil +} diff --git a/test/e2e_node/remote/node_e2e.go b/test/e2e_node/remote/node_e2e.go index ab8f40beeb0..4d7b7732578 100644 --- a/test/e2e_node/remote/node_e2e.go +++ b/test/e2e_node/remote/node_e2e.go @@ -106,10 +106,10 @@ func prependMemcgNotificationFlag(args string) string { // a credential provider plugin. func prependGCPCredentialProviderFlag(args, workspace string) string { credentialProviderConfig := filepath.Join(workspace, "credential-provider.yaml") - disableIntreeCredentialProviderFlag := "--kubelet-flags=--feature-gates=DisableKubeletCloudCredentialProviders=true" + featureGateFlag := "--kubelet-flags=--feature-gates=DisableKubeletCloudCredentialProviders=true,KubeletCredentialProviders=true" configFlag := fmt.Sprintf("--kubelet-flags=--image-credential-provider-config=%s", credentialProviderConfig) binFlag := fmt.Sprintf("--kubelet-flags=--image-credential-provider-bin-dir=%s", workspace) - return fmt.Sprintf("%s %s %s %s", disableIntreeCredentialProviderFlag, configFlag, binFlag, args) + return fmt.Sprintf("%s %s %s %s", featureGateFlag, configFlag, binFlag, args) } // osSpecificActions takes OS specific actions required for the node tests diff --git a/test/e2e_node/remote/utils.go b/test/e2e_node/remote/utils.go index 48408929574..7751ad9bb2c 100644 --- a/test/e2e_node/remote/utils.go +++ b/test/e2e_node/remote/utils.go @@ -56,6 +56,8 @@ providers: matchImages: - "gcr.io" - "*.gcr.io" + - "container.cloud.google.com" + - "*.pkg.dev" defaultCacheDuration: 1m` // Install the cni plugin and add basic bridge configuration to the From fe55bf111bc138f2dc872d9d0ccc1a9f3bcf9964 Mon Sep 17 00:00:00 2001 From: Andrew Sy Kim Date: Fri, 11 Mar 2022 15:47:27 +0000 Subject: [PATCH 4/7] cluster/gce/gci/credential-provider: add a README Signed-off-by: Andrew Sy Kim Co-authored-by: Aditi Sharma --- cluster/gce/gci/credential-provider/README.md | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 cluster/gce/gci/credential-provider/README.md diff --git a/cluster/gce/gci/credential-provider/README.md b/cluster/gce/gci/credential-provider/README.md new file mode 100644 index 00000000000..1c3bde27c4e --- /dev/null +++ b/cluster/gce/gci/credential-provider/README.md @@ -0,0 +1,35 @@ +# GCP credential provider for e2e testing + +This package contains a barebones implementation of the [kubelet GCP credential +provider](https://github.com/kubernetes/cloud-provider-gcp/tree/master/cmd/auth-provider-gcp) +for testing purposes only. This plugin SHOULD NOT be used in production. + +This credential provider is installed and configured in the node e2e tests by: + +1. Building the credential-provider binary and including it in the test archive + uploaded to the GCE remote node. + +2. Writing the credential provider config into the temporary workspace consumed + by the kubelet. The contents of the config should be something like this: + +```yaml +kind: CredentialProviderConfig +apiVersion: kubelet.config.k8s.io/v1alpha1 +providers: + - name: credential-provider + apiVersion: credentialprovider.kubelet.k8s.io/v1alpha1 + matchImages: + - "gcr.io" + - "*.gcr.io" + - "container.cloud.google.com" + - "*.pkg.dev" + defaultCacheDuration: 1m` +``` + +3. Configuring the following additional flags on the kubelet: + +``` +--feature-gates=DisableKubeletCloudCredentialProviders=true,KubeletCredentialProviders=true +--image-credential-provider-config=/tmp/node-e2e-123456/credential-provider.yaml +--image-credential-provider-bin-dir=/tmp/node-e2e-12345 +``` From bfed342e5c0fb8d348d4f65271199cd70025659d Mon Sep 17 00:00:00 2001 From: Andrew Sy Kim Date: Mon, 14 Mar 2022 15:56:46 +0000 Subject: [PATCH 5/7] cluster/gce/gci/credential-provider: refactor for better testability Signed-off-by: Andrew Sy Kim Co-authored-by: Aditi Sharma --- cluster/gce/gci/credential-provider/main.go | 9 ++++++--- cluster/gce/gci/credential-provider/provider.go | 7 +++---- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/cluster/gce/gci/credential-provider/main.go b/cluster/gce/gci/credential-provider/main.go index 29b1c89db39..79215a4e2ae 100644 --- a/cluster/gce/gci/credential-provider/main.go +++ b/cluster/gce/gci/credential-provider/main.go @@ -30,20 +30,23 @@ import ( credentialproviderv1alpha1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1" ) +const metadataTokenEndpoint = "http://metadata.google.internal./computeMetadata/v1/instance/service-accounts/default/token" + func main() { - if err := getCredentials(os.Stdout); err != nil { + if err := getCredentials(metadataTokenEndpoint, os.Stdin, os.Stdout); err != nil { klog.Fatalf("failed to get credentials: %v", err) } } -func getCredentials(w io.Writer) error { +func getCredentials(tokenEndpoint string, r io.Reader, w io.Writer) error { provider := &provider{ client: &http.Client{ Timeout: 10 * time.Second, }, + tokenEndpoint: tokenEndpoint, } - data, err := ioutil.ReadAll(os.Stdin) + data, err := ioutil.ReadAll(r) if err != nil { return err } diff --git a/cluster/gce/gci/credential-provider/provider.go b/cluster/gce/gci/credential-provider/provider.go index 3ba61e0557a..caf0fde489f 100644 --- a/cluster/gce/gci/credential-provider/provider.go +++ b/cluster/gce/gci/credential-provider/provider.go @@ -29,8 +29,6 @@ import ( ) const ( - metadataToken = "http://metadata.google.internal./computeMetadata/v1/instance/service-accounts/default/token" - metadataEmail = "http://metadata.google.internal./computeMetadata/v1/instance/service-accounts/default/email" maxReadLength = 10 * 1 << 20 // 10MB ) @@ -57,7 +55,8 @@ type TokenBlob struct { } type provider struct { - client *http.Client + client *http.Client + tokenEndpoint string } func (p *provider) Provide(image string) (map[string]credentialproviderv1alpha1.AuthConfig, error) { @@ -91,7 +90,7 @@ func readURL(url string, client *http.Client) (body []byte, err error) { return nil, err } - rea.Header = &http.Header{ + req.Header = http.Header{ "Metadata-Flavor": []string{"Google"}, } From 3bd37e6deb43ce780e52c6f8e24d9658796171e1 Mon Sep 17 00:00:00 2001 From: Andrew Sy Kim Date: Mon, 14 Mar 2022 15:57:16 +0000 Subject: [PATCH 6/7] cluster/gce/gci/credential-provider: add unit tests for getCredentials() Signed-off-by: Andrew Sy Kim Co-authored-by: Aditi Sharma --- .../gce/gci/credential-provider/main_test.go | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 cluster/gce/gci/credential-provider/main_test.go diff --git a/cluster/gce/gci/credential-provider/main_test.go b/cluster/gce/gci/credential-provider/main_test.go new file mode 100644 index 00000000000..1aec604dd49 --- /dev/null +++ b/cluster/gce/gci/credential-provider/main_test.go @@ -0,0 +1,55 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package main + +import ( + "bytes" + "fmt" + "net/http" + "net/http/httptest" + "testing" +) + +type fakeTokenServer struct { + token string +} + +func (f *fakeTokenServer) ServeHTTP(w http.ResponseWriter, req *http.Request) { + fmt.Fprintf(w, `{"access_token": "%s"}`, f.token) +} + +func Test_getCredentials(t *testing.T) { + server := httptest.NewServer(&fakeTokenServer{token: "abc123"}) + defer server.Close() + + in := bytes.NewBuffer([]byte(`{"kind":"CredentialProviderRequest","apiVersion":"credentialprovider.kubelet.k8s.io/v1alpha1","image":"gcr.io/foobar"}`)) + out := bytes.NewBuffer(nil) + + err := getCredentials(server.URL, in, out) + if err != nil { + t.Fatalf("unexpected error running getCredentials: %v", err) + } + + expected := `{"kind":"CredentialProviderResponse","apiVersion":"credentialprovider.kubelet.k8s.io/v1alpha1","cacheKeyType":"Registry","auth":{"*.gcr.io":{"username":"_token","password":"abc123"},"*.pkg.dev":{"username":"_token","password":"abc123"},"container.cloud.google.com":{"username":"_token","password":"abc123"},"gcr.io":{"username":"_token","password":"abc123"}}} +` + + if out.String() != expected { + t.Logf("actual response: %v", out) + t.Logf("expected response: %v", expected) + t.Errorf("unexpected credential provider response") + } +} From a4b79590ebaa77d63166c0141b7ce12e21875b2b Mon Sep 17 00:00:00 2001 From: Andrew Sy Kim Date: Thu, 17 Mar 2022 21:36:20 -0400 Subject: [PATCH 7/7] move cluster/gce/gci/credential-provider to test/e2e_node/plugins/gcp-credential-provider Signed-off-by: Andrew Sy Kim --- test/e2e_node/builder/build.go | 2 +- .../e2e_node/plugins/gcp-credential-provider}/README.md | 4 ++-- .../e2e_node/plugins/gcp-credential-provider}/main.go | 0 .../e2e_node/plugins/gcp-credential-provider}/main_test.go | 0 .../e2e_node/plugins/gcp-credential-provider}/provider.go | 0 test/e2e_node/remote/node_e2e.go | 2 +- test/e2e_node/remote/utils.go | 2 +- 7 files changed, 5 insertions(+), 5 deletions(-) rename {cluster/gce/gci/credential-provider => test/e2e_node/plugins/gcp-credential-provider}/README.md (90%) rename {cluster/gce/gci/credential-provider => test/e2e_node/plugins/gcp-credential-provider}/main.go (100%) rename {cluster/gce/gci/credential-provider => test/e2e_node/plugins/gcp-credential-provider}/main_test.go (100%) rename {cluster/gce/gci/credential-provider => test/e2e_node/plugins/gcp-credential-provider}/provider.go (100%) diff --git a/test/e2e_node/builder/build.go b/test/e2e_node/builder/build.go index afaf3341ba0..ab5576b348a 100644 --- a/test/e2e_node/builder/build.go +++ b/test/e2e_node/builder/build.go @@ -35,7 +35,7 @@ var buildTargets = []string{ "test/e2e_node/e2e_node.test", "vendor/github.com/onsi/ginkgo/ginkgo", "cluster/gce/gci/mounter", - "cluster/gce/gci/credential-provider", + "test/e2e_node/plugins/gcp-credential-provider", } // BuildGo builds k8s binaries. diff --git a/cluster/gce/gci/credential-provider/README.md b/test/e2e_node/plugins/gcp-credential-provider/README.md similarity index 90% rename from cluster/gce/gci/credential-provider/README.md rename to test/e2e_node/plugins/gcp-credential-provider/README.md index 1c3bde27c4e..2a63d95398c 100644 --- a/cluster/gce/gci/credential-provider/README.md +++ b/test/e2e_node/plugins/gcp-credential-provider/README.md @@ -6,7 +6,7 @@ for testing purposes only. This plugin SHOULD NOT be used in production. This credential provider is installed and configured in the node e2e tests by: -1. Building the credential-provider binary and including it in the test archive +1. Building the gcp-credential-provider binary and including it in the test archive uploaded to the GCE remote node. 2. Writing the credential provider config into the temporary workspace consumed @@ -16,7 +16,7 @@ This credential provider is installed and configured in the node e2e tests by: kind: CredentialProviderConfig apiVersion: kubelet.config.k8s.io/v1alpha1 providers: - - name: credential-provider + - name: gcp-credential-provider apiVersion: credentialprovider.kubelet.k8s.io/v1alpha1 matchImages: - "gcr.io" diff --git a/cluster/gce/gci/credential-provider/main.go b/test/e2e_node/plugins/gcp-credential-provider/main.go similarity index 100% rename from cluster/gce/gci/credential-provider/main.go rename to test/e2e_node/plugins/gcp-credential-provider/main.go diff --git a/cluster/gce/gci/credential-provider/main_test.go b/test/e2e_node/plugins/gcp-credential-provider/main_test.go similarity index 100% rename from cluster/gce/gci/credential-provider/main_test.go rename to test/e2e_node/plugins/gcp-credential-provider/main_test.go diff --git a/cluster/gce/gci/credential-provider/provider.go b/test/e2e_node/plugins/gcp-credential-provider/provider.go similarity index 100% rename from cluster/gce/gci/credential-provider/provider.go rename to test/e2e_node/plugins/gcp-credential-provider/provider.go diff --git a/test/e2e_node/remote/node_e2e.go b/test/e2e_node/remote/node_e2e.go index 4d7b7732578..66be4d4d4fc 100644 --- a/test/e2e_node/remote/node_e2e.go +++ b/test/e2e_node/remote/node_e2e.go @@ -60,7 +60,7 @@ func (n *NodeE2ERemote) SetupTestPackage(tardir, systemSpecName string) error { } // Copy binaries - requiredBins := []string{"kubelet", "e2e_node.test", "ginkgo", "mounter", "credential-provider"} + requiredBins := []string{"kubelet", "e2e_node.test", "ginkgo", "mounter", "gcp-credential-provider"} for _, bin := range requiredBins { source := filepath.Join(buildOutputDir, bin) if _, err := os.Stat(source); err != nil { diff --git a/test/e2e_node/remote/utils.go b/test/e2e_node/remote/utils.go index 7751ad9bb2c..29bd2fa9493 100644 --- a/test/e2e_node/remote/utils.go +++ b/test/e2e_node/remote/utils.go @@ -51,7 +51,7 @@ const cniConfig = `{ const credentialProviderConfig = `kind: CredentialProviderConfig apiVersion: kubelet.config.k8s.io/v1alpha1 providers: - - name: credential-provider + - name: gcp-credential-provider apiVersion: credentialprovider.kubelet.k8s.io/v1alpha1 matchImages: - "gcr.io"