test/e2e_node: install and configure kubelet credential provider

Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
Co-authored-by: Aditi Sharma <adi.sky17@gmail.com>

test/e2e_node/builder/build.go

@@ -35,6 +35,7 @@ var buildTargets = []string{
 	"test/e2e_node/e2e_node.test",
 	"vendor/github.com/onsi/ginkgo/ginkgo",
 	"cluster/gce/gci/mounter",
+	"cluster/gce/gci/credential-provider",
 }
 
 // BuildGo builds k8s binaries.

test/e2e_node/remote/node_e2e.go

@@ -60,7 +60,7 @@ func (n *NodeE2ERemote) SetupTestPackage(tardir, systemSpecName string) error {
 	}
 
 	// Copy binaries
-	requiredBins := []string{"kubelet", "e2e_node.test", "ginkgo", "mounter"}
+	requiredBins := []string{"kubelet", "e2e_node.test", "ginkgo", "mounter", "credential-provider"}
 	for _, bin := range requiredBins {
 		source := filepath.Join(buildOutputDir, bin)
 		if _, err := os.Stat(source); err != nil {
@@ -102,6 +102,16 @@ func prependMemcgNotificationFlag(args string) string {
 	return "--kubelet-flags=--kernel-memcg-notification=true " + args
 }
 
+// prependGCPCredentialProviderFlag prepends the flags for enabling
+// a credential provider plugin.
+func prependGCPCredentialProviderFlag(args, workspace string) string {
+	credentialProviderConfig := filepath.Join(workspace, "credential-provider.yaml")
+	disableIntreeCredentialProviderFlag := "--kubelet-flags=--feature-gates=DisableKubeletCloudCredentialProviders=true"
+	configFlag := fmt.Sprintf("--kubelet-flags=--image-credential-provider-config=%s", credentialProviderConfig)
+	binFlag := fmt.Sprintf("--kubelet-flags=--image-credential-provider-bin-dir=%s", workspace)
+	return fmt.Sprintf("%s %s %s %s", disableIntreeCredentialProviderFlag, configFlag, binFlag, args)
+}
+
 // osSpecificActions takes OS specific actions required for the node tests
 func osSpecificActions(args, host, workspace string) (string, error) {
 	output, err := getOSDistribution(host)
@@ -114,6 +124,7 @@ func osSpecificActions(args, host, workspace string) (string, error) {
 		return args, setKubeletSELinuxLabels(host, workspace)
 	case strings.Contains(output, "gci"), strings.Contains(output, "cos"):
 		args = prependMemcgNotificationFlag(args)
+		args = prependGCPCredentialProviderFlag(args, workspace)
 		return prependCOSMounterFlag(args, host, workspace)
 	case strings.Contains(output, "ubuntu"):
 		return prependMemcgNotificationFlag(args), nil
@@ -166,6 +177,11 @@ func (n *NodeE2ERemote) RunTest(host, workspace, results, imageDesc, junitFilePr
 		return "", err
 	}
 
+	// Install the kubelet credential provider plugin
+	if err := configureCredentialProvider(host, workspace); err != nil {
+		return "", err
+	}
+
 	// Kill any running node processes
 	cleanupNodeProcesses(host)
 

test/e2e_node/remote/utils.go

@@ -48,6 +48,16 @@ const cniConfig = `{
 }
 `
 
+const credentialProviderConfig = `kind: CredentialProviderConfig
+apiVersion: kubelet.config.k8s.io/v1alpha1
+providers:
+  - name: credential-provider
+    apiVersion: credentialprovider.kubelet.k8s.io/v1alpha1
+    matchImages:
+    - "gcr.io"
+    - "*.gcr.io"
+    defaultCacheDuration: 1m`
+
 // Install the cni plugin and add basic bridge configuration to the
 // configuration directory.
 func setupCNI(host, workspace string) error {
@@ -76,6 +86,19 @@ func setupCNI(host, workspace string) error {
 	return nil
 }
 
+func configureCredentialProvider(host, workspace string) error {
+	klog.V(2).Infof("Configuring kubelet credential provider on %q", host)
+
+	cmd := getSSHCommand(" ; ",
+		fmt.Sprintf("echo %s > %s", quote(credentialProviderConfig), filepath.Join(workspace, "credential-provider.yaml")),
+	)
+	if output, err := SSH(host, "sh", "-c", cmd); err != nil {
+		return fmt.Errorf("failed to write credential provider configuration on %q: %v output: %q", host, err, output)
+	}
+
+	return nil
+}
+
 // configureFirewall configures iptable firewall rules.
 func configureFirewall(host string) error {
 	klog.V(2).Infof("Configure iptables firewall rules on %q", host)