ARO-9420: *: add acrpull controller

.yamllint.yml

@@ -5,6 +5,7 @@ yaml-files:
   - '.yamllint'
 ignore:
   - 'acm/deploy/helm/clc-state-metrics/'
+  - 'acrpull/deploy/helm/acrpull/templates/deployment.yaml'
 
 rules:
   brackets: enable

acrpull/Makefile

@@ -0,0 +1,15 @@
+-include ../setup-env.mk
+-include ../helm-cmd.mk
+HELM_CMD ?= helm upgrade --install
+
+deploy:
+	kubectl create namespace acrpull --dry-run=client -o json | kubectl apply -f - && \
+	${HELM_CMD} acrpull \
+		deploy/helm/acrpull/ \
+		--set image=mcr.microsoft.com/aks/msi-acrpull@${ACRPULL_DIGEST} \
+		--namespace acrpull
+.PHONY: deploy
+
+undeploy:
+	helm uninstall acrpull --namespace acrpull
+.PHONY: undeploy

acrpull/deploy/helm/acrpull/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: acrpull
+description: Controller for injecting pull credentials from managed identities into AKS clusters.
+type: application
+version: 0.1.0
+appVersion: "v0.1.5"

acrpull/deploy/helm/acrpull/templates/acrpull.microsoft.com_acrpullbindings.yaml

@@ -0,0 +1,225 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: acrpullbindings.acrpull.microsoft.com
+spec:
+  group: acrpull.microsoft.com
+  names:
+    kind: AcrPullBinding
+    listKind: AcrPullBindingList
+    plural: acrpullbindings
+    shortNames:
+    - apb
+    - apbs
+    singular: acrpullbinding
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: FQDN for the ACR.
+      jsonPath: .spec.acr.server
+      name: Server
+      type: string
+    - description: Scope for the ACR token.
+      jsonPath: .spec.acr.scope
+      name: Scope
+      priority: 1
+      type: string
+    - description: ServiceAccount to which the pull credentials are attached.
+      jsonPath: .spec.serviceAccountName
+      name: Target
+      type: string
+    - description: Time the token was last refreshed.
+      jsonPath: .status.lastTokenRefreshTime
+      name: Last Refresh
+      priority: 1
+      type: date
+    - description: Time the current token expires.
+      jsonPath: .status.tokenExpirationTime
+      name: Expiration
+      type: date
+    - description: Errors encountered during token generation, if any.
+      jsonPath: .status.error
+      name: Error
+      type: string
+    name: v1beta2
+    schema:
+      openAPIV3Schema:
+        description: AcrPullBinding is the Schema for the acrpullbindings API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AcrPullBindingSpec defines the desired state of AcrPullBinding
+            properties:
+              acr:
+                description: ACR holds specifics of the Azure Container Registry for
+                  which credentials are projected.
+                properties:
+                  cloudConfig:
+                    description: AirgappedCloudConfiguration configures a custom cloud
+                      to interact with when running air-gapped.
+                    properties:
+                      entraAuthorityHost:
+                        description: EntraAuthorityHost configures a custom Entra
+                          host endpoint.
+                        minLength: 1
+                        type: string
+                      resourceManagerAudience:
+                        description: ResourceManagerAudience configures the audience
+                          for which tokens will be requested from Entra.
+                        minLength: 1
+                        type: string
+                    required:
+                    - entraAuthorityHost
+                    - resourceManagerAudience
+                    type: object
+                  environment:
+                    default: PublicCloud
+                    description: Environment specifies the Azure Cloud environment
+                      in which the ACR is deployed.
+                    enum:
+                    - PublicCloud
+                    - USGovernmentCloud
+                    - ChinaCloud
+                    - AirgappedCloud
+                    example: PublicCloud
+                    type: string
+                  scope:
+                    description: |-
+                      Scope defines the scope for the access token, e.g. pull/push access for a repository.
+                      Note: you need to pin it down to the repository level, there is no wildcard available,
+                      however a list of space-delimited scopes is acceptable.
+                      See docs for details: https://distribution.github.io/distribution/spec/auth/scope/
+
+
+                      Examples:
+                      repository:my-repository:pull,push
+                      repository:my-repository:pull repository:other-repository:push,pull
+                    example: repository:my-repository:pull,push
+                    minLength: 1
+                    type: string
+                  server:
+                    description: Server is the FQDN for the Azure Container Registry,
+                      e.g. example.azurecr.io
+                    example: example.azurecr.io
+                    type: string
+                    x-kubernetes-validations:
+                    - message: server must be a fully-qualified domain name
+                      rule: isURL('https://' + self) && url('https://' + self).getHostname()
+                        == self
+                required:
+                - environment
+                - scope
+                - server
+                type: object
+                x-kubernetes-validations:
+                - message: a custom cloud configuration must be present for air-gapped
+                    cloud environments
+                  rule: 'self.environment == ''ArigappedCloud'' ? has(self.cloudConfig)
+                    : !has(self.cloudConfig)'
+              auth:
+                description: Auth determines how we will authenticate to the Azure
+                  Container Registry. Only one method may be provided.
+                properties:
+                  managedIdentity:
+                    description: ManagedIdentity uses Azure Managed Identity to authenticate
+                      with Azure.
+                    properties:
+                      clientID:
+                        description: ClientID is the client identifier for the managed
+                          identity. Either provide the client ID or the resource ID.
+                        example: 1b461305-28be-5271-beda-bd9fd2e24251
+                        type: string
+                      resourceID:
+                        description: ResourceID is the resource identifier for the
+                          managed identity. Either provide the client ID or the resource
+                          ID.
+                        example: /subscriptions/sub-name/resourceGroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/1b461305-28be-5271-beda-bd9fd2e24251
+                        type: string
+                    type: object
+                    x-kubernetes-validations:
+                    - message: only client or resource ID can be set
+                      rule: '[has(self.clientID), has(self.resourceID)].exists_one(x,
+                        x)'
+                  workloadIdentity:
+                    description: WorkloadIdentity uses Azure Workload Identity to
+                      authenticate with Azure.
+                    properties:
+                      clientID:
+                        description: |-
+                          ClientID holds an optional client identifier of a federated identity.
+                          Specify this identifier if multiple identities are federated with the
+                          service account and the identity to use for image pulling is not the
+                          default identity stored in the service account's annotations. The
+                          client and tenant ID must be specified together.
+                        example: 1b461305-28be-5271-beda-bd9fd2e24251
+                        type: string
+                      serviceAccountRef:
+                        description: |-
+                          ServiceAccountName specifies the name of the service account
+                          that should be used when authenticating with WorkloadIdentity.
+                        type: string
+                      tenantID:
+                        description: |-
+                          TenantID holds an optional tenant identifier of a federated identity.
+                          Specify this identifier if multiple identities are federated with the
+                          service account and the identity to use for image pulling is not the
+                          default identity stored in the service account's annotations. The
+                          client and tenant ID must be specified together.
+                        example: 72f988bf-86f1-41af-91ab-2d7cd011db47
+                        type: string
+                    type: object
+                    x-kubernetes-validations:
+                    - message: custom client and tenant identifiers must be provided
+                        together, if at all
+                      rule: (has(self.clientID) && has(self.tenantID)) || (!has(self.clientID)
+                        && !has(self.tenantID))
+                type: object
+                x-kubernetes-validations:
+                - message: only one authentication type can be set
+                  rule: '[has(self.managedIdentity), has(self.workloadIdentity)].exists_one(x,
+                    x)'
+              serviceAccountName:
+                description: The name of the service account to associate the image
+                  pull secret with.
+                type: string
+            type: object
+          status:
+            description: AcrPullBindingStatus defines the observed state of AcrPullBinding
+            properties:
+              error:
+                description: Error message if there was an error updating the token.
+                type: string
+              lastTokenRefreshTime:
+                description: Information when was the last time the ACR token was
+                  refreshed.
+                format: date-time
+                type: string
+              tokenExpirationTime:
+                description: The expiration date of the current ACR token.
+                format: date-time
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

acrpull/deploy/helm/acrpull/templates/controller_role.yaml

@@ -0,0 +1,79 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: acrpull-controller
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+- apiGroups:
+  - acrpull.microsoft.com
+  resources:
+  - acrpullbindings
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - acrpull.microsoft.com
+  resources:
+  - acrpullbindings/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - acrpull.microsoft.com
+  resources:
+  - acrpullbindings/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - msi-acrpull.microsoft.com
+  resources:
+  - acrpullbindings
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - msi-acrpull.microsoft.com
+  resources:
+  - acrpullbindings/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - msi-acrpull.microsoft.com
+  resources:
+  - acrpullbindings/status
+  verbs:
+  - get
+  - patch
+  - update

acrpull/deploy/helm/acrpull/templates/controller_role_binding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: acrpull
+    app.kubernetes.io/managed-by: Helm
+  name: acrpull-controller-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: acrpull-controller
+subjects:
+- kind: ServiceAccount
+  name: acrpull
+  namespace: {{ .Values.namespace }}