feat: create 'ecr-credential-provider' extension

Issue: #241
Signed-off-by: Ströger Florian <[email protected]>

Makefile

@@ -57,6 +57,7 @@ TARGETS += btrfs
 TARGETS += chelsio-drivers
 TARGETS += chelsio-firmware
 TARGETS += drbd
+TARGETS += ecr-credential-provider
 TARGETS += fuse3
 TARGETS += gasket-driver
 TARGETS += gvisor

README.md

@@ -44,6 +44,7 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi
 | ----------------------------------- | ------------------------------------------------------------------------------------------- | ----------------------------------------------- | ---------------------------------- |
 | [gvisor](container-runtime/gvisor/) | [ghcr.io/siderolabs/gvisor](https://github.com/siderolabs/extensions/pkgs/container/gvisor) | [gVisor](https://gvisor.dev/) container runtime | `upstream version`-`talos version` |
 | [stargz-snapshotter](container-runtime/stargz-snapshotter/) | [ghcr.io/siderolabs/stargz-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/stargz-snapshotter) | [Stargz Snapshotter](https://github.com/containerd/stargz-snapshotter) container runtime | `upstream version`-`talos version` |
+| [ecr-credential-provider](container-runtime/ecr-credential-provider) | [ghcr.io/siderolabs/ecr-credential-provider](https://github.com/siderolabs/extensions/pkgs/container/ecr-credential-provider) | [ECR Credential Provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) kubelet plugin | `upstream version` |
 
 ### Firmware
 

container-runtime/ecr-credential-provider/README.md

@@ -0,0 +1,61 @@
+# Kubelet ECR Credential Provider extension
+
+This extension provides the [ecr-credential-provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) binary,
+which can be executed by Kubelet to provide a short-lived token for pulling container images
+from Amazon Web Services' Elastic Container Registry (ECR).
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+You also need to configure `ecr-credential-provider` as a Kubelet image
+credential provider. For this you'll need to add two Kubelet arguments:
+
+```yaml
+- op: add
+  path: /machine/kubelet/extraArgs
+  value:
+    image-credential-provider-bin-dir: "/usr/local/lib/kubelet/credentialproviders"
+    image-credential-provider-config: "/var/lib/kubelet/credentialproviderconfig.yaml"
+```
+
+You'll also need to mount the binary to the kubelet container:
+
+```yaml
+- op: add
+  path: /machine/kubelet/extraMounts
+  value:
+    - destination: /usr/local/lib/kubelet
+      type: bind
+      source: /usr/local/lib/kubelet
+      options: [bind, ro]
+```
+
+and then create the `CredentialProviderConfig`:
+
+```yaml
+- op: add
+  path: /machine/files
+  value:
+    - op: create
+      path: /var/lib/kubelet/credentialproviderconfig.yaml
+      content: |
+        apiVersion: kubelet.config.k8s.io/v1
+        kind: CredentialProviderConfig
+        providers:
+          - name: ecr-credential-provider
+            matchImages:
+              - "*.dkr.ecr.*.amazonaws.com"
+              - "*.dkr.ecr.*.amazonaws.com.cn"
+              - "*.dkr.ecr-fips.*.amazonaws.com"
+              - "*.dkr.ecr.us-iso-east-1.c2s.ic.gov"
+              - "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
+            defaultCacheDuration: "12h"
+            apiVersion: credentialprovider.kubelet.k8s.io/v1
+```
+
+## More Information
+
+- <https://cloud-provider-aws.sigs.k8s.io/credential_provider/>
+- <https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/>
+- <https://kubernetes.io/docs/reference/config-api/kubelet-credentialprovider.v1/>

container-runtime/ecr-credential-provider/manifest.yaml

@@ -0,0 +1,11 @@
+version: v1alpha1
+metadata:
+  name: ecr-credential-provider
+  version: "$VERSION"
+  author: Florian Ströger
+  description: |
+    This system extension provides a binary which implements Kubelet's CredentialProvider API
+    to authenticate against AWS' Elastic Container Registry and pull images.
+  compatibility:
+    talos:
+      version: ">= v1.0.0"

container-runtime/ecr-credential-provider/pkg.yaml

@@ -0,0 +1,40 @@
+name: ecr-credential-provider
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/kubernetes/cloud-provider-aws/archive/refs/tags/{{ .VERSION }}.tar.gz
+        destination: cloud-provider-aws.tar.gz
+        sha256: 9d3e20d79facf336a466a1647dff8033007385fb628005c8bf84eb67330ba004
+        sha512: b9adc389be9301dc4be36c6bf546f354b9f2895cbad13d28d074dbab77f9aecec8d5fd02590d21c2a4acc91b559371adfe9702898c7880d92aea6657b315a539
+    env:
+      GOPATH: /go
+    prepare:
+      - |
+        sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
+      - |
+        mkdir -p ${GOPATH}/src/k8s.io/cloud-provider-aws
+
+        tar -xzf cloud-provider-aws.tar.gz --strip-components=1 -C ${GOPATH}/src/k8s.io/cloud-provider-aws
+    build:
+      - |
+        export PATH=${PATH}:${TOOLCHAIN}/go/bin
+
+        go build \
+          -C ${GOPATH}/src/k8s.io/cloud-provider-aws \
+          -o ./dist/ecr-credential-provider \
+          -ldflags "-s -w \
+                   -X k8s.io/component-base/version.gitVersion={{ .VERSION }} \
+                   -X main.gitVersion={{ .VERSION }}" \
+          ./cmd/ecr-credential-provider
+    install:
+      - install -D -m 0755
+        ${GOPATH}/src/k8s.io/cloud-provider-aws/dist/ecr-credential-provider
+        /rootfs/usr/local/lib/kubelet/credentialproviders/ecr-credential-provider
+finalize:
+  - from: /rootfs
+    to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /

container-runtime/ecr-credential-provider/vars.yaml

@@ -0,0 +1 @@
+VERSION: "{{ .CLOUD_PROVIDER_AWS_VERSION }}"

container-runtime/vars.yaml

@@ -2,3 +2,5 @@
 GVISOR_VERSION: 20231214.0
 # renovate: datasource=github-releases  depName=containerd/stargz-snapshotter
 STARGZ_SNAPSHOTTER_VERSION: v0.14.3
+# renovate: datasource=github-releases depName=kubernetes/cloud-provider-aws
+CLOUD_PROVIDER_AWS_VERSION: v1.28.1