ARO-9420: *: add acrpull controller, binding

.yamllint.yml

@@ -5,6 +5,7 @@ yaml-files:
   - '.yamllint'
 ignore:
   - 'cluster-service/deploy/helm/templates/azure-operators-managed-identities-config.configmap.yaml'
+  - 'acrpull/deploy/helm/acrpull/templates/deployment.yaml'
 
 rules:
   brackets: enable

acrpull/Makefile

@@ -0,0 +1,13 @@
+-include ../setup-env.mk
+
+deploy:
+	kubectl create namespace acrpull --dry-run=client -o json | kubectl apply -f - && \
+	helm upgrade --install ${HELM_DRY_RUN} acrpull \
+		deploy/helm/acrpull/ \
+		--set image=mcr.microsoft.com/aks/msi-acrpull@${ACRPULL_DIGEST} \
+		--namespace acrpull
+.PHONY: deploy
+
+undeploy:
+	helm uninstall acrpull --namespace acrpull
+.PHONY: undeploy

acrpull/deploy/helm/acrpull/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: acrpull
+description: Controller for injecting pull credentials from managed identities into AKS clusters.
+type: application
+version: 0.1.0
+appVersion: "v0.1.5"

acrpull/deploy/helm/acrpull/templates/acrpull.microsoft.com_acrpullbindings.yaml

@@ -0,0 +1,175 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: acrpullbindings.acrpull.microsoft.com
+spec:
+  group: acrpull.microsoft.com
+  names:
+    kind: AcrPullBinding
+    listKind: AcrPullBindingList
+    plural: acrpullbindings
+    shortNames:
+    - apb
+    - apbs
+    singular: acrpullbinding
+  scope: Namespaced
+  versions:
+  - name: v1beta2
+    schema:
+      openAPIV3Schema:
+        description: AcrPullBinding is the Schema for the acrpullbindings API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AcrPullBindingSpec defines the desired state of AcrPullBinding
+            properties:
+              acr:
+                description: ACR holds specifics of the Azure Container Registry for
+                  which credentials are projected.
+                properties:
+                  cloudConfig:
+                    description: AirgappedCloudConfiguration configures a custom cloud
+                      to interact with when running air-gapped.
+                    properties:
+                      entraAuthorityHost:
+                        description: EntraAuthorityHost configures a custom Entra
+                          host endpoint.
+                        minLength: 1
+                        type: string
+                      resourceManagerAudience:
+                        description: ResourceManagerAudience configures the audience
+                          for which tokens will be requested from Entra.
+                        minLength: 1
+                        type: string
+                    required:
+                    - entraAuthorityHost
+                    - resourceManagerAudience
+                    type: object
+                  environment:
+                    default: PublicCloud
+                    description: Environment specifies the Azure Cloud environment
+                      in which the ACR is deployed.
+                    enum:
+                    - PublicCloud
+                    - USGovernmentCloud
+                    - ChinaCloud
+                    - AirgappedCloud
+                    example: PublicCloud
+                    type: string
+                  scope:
+                    description: |-
+                      Scope defines the scope for the access token, e.g. pull/push access for a repository.
+                      Note: you need to pin it down to the repository level, there is no wildcard available,
+                      however a list of space-delimited scopes is acceptable.
+                      See docs for details: https://distribution.github.io/distribution/spec/auth/scope/
+
+
+                      Examples:
+                      repository:my-repository:pull,push
+                      repository:my-repository:pull repository:other-repository:push,pull
+                    example: repository:my-repository:pull,push
+                    minLength: 1
+                    type: string
+                  server:
+                    description: Server is the FQDN for the Azure Container Registry,
+                      e.g. example.azurecr.io
+                    example: example.azurecr.io
+                    type: string
+                    x-kubernetes-validations:
+                    - message: server must be a fully-qualified domain name
+                      rule: isURL('https://' + self) && url('https://' + self).getHostname()
+                        == self
+                required:
+                - environment
+                - scope
+                - server
+                type: object
+                x-kubernetes-validations:
+                - message: a custom cloud configuration must be present for air-gapped
+                    cloud environments
+                  rule: 'self.environment == ''ArigappedCloud'' ? has(self.cloudConfig)
+                    : !has(self.cloudConfig)'
+              auth:
+                description: Auth determines how we will authenticate to the Azure
+                  Container Registry. Only one method may be provided.
+                properties:
+                  managedIdentity:
+                    description: ManagedIdentity uses Azure Managed Identity to authenticate
+                      with Azure.
+                    properties:
+                      clientID:
+                        description: ClientID is the client identifier for the managed
+                          identity. Either provide the client ID or the resource ID.
+                        example: 1b461305-28be-5271-beda-bd9fd2e24251
+                        type: string
+                      resourceID:
+                        description: ResourceID is the resource identifier for the
+                          managed identity. Either provide the client ID or the resource
+                          ID.
+                        example: /subscriptions/sub-name/resourceGroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/1b461305-28be-5271-beda-bd9fd2e24251
+                        type: string
+                    type: object
+                    x-kubernetes-validations:
+                    - message: only client or resource ID can be set
+                      rule: '[has(self.clientID), has(self.resourceID)].exists_one(x,
+                        x)'
+                  workloadIdentity:
+                    description: WorkloadIdentity uses Azure Workload Identity to
+                      authenticate with Azure.
+                    properties:
+                      serviceAccountRef:
+                        description: |-
+                          ServiceAccountName specifies the name of the service account
+                          that should be used when authenticating with WorkloadIdentity.
+                        type: string
+                    type: object
+                type: object
+                x-kubernetes-validations:
+                - message: only one authentication type can be set
+                  rule: '[has(self.managedIdentity), has(self.workloadIdentity)].exists_one(x,
+                    x)'
+              serviceAccountName:
+                description: The name of the service account to associate the image
+                  pull secret with.
+                type: string
+            type: object
+          status:
+            description: AcrPullBindingStatus defines the observed state of AcrPullBinding
+            properties:
+              error:
+                description: Error message if there was an error updating the token.
+                type: string
+              lastTokenRefreshTime:
+                description: Information when was the last time the ACR token was
+                  refreshed.
+                format: date-time
+                type: string
+              tokenExpirationTime:
+                description: The expiration date of the current ACR token.
+                format: date-time
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

acrpull/deploy/helm/acrpull/templates/controller_role.yaml

@@ -0,0 +1,79 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: acrpull-controller
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+- apiGroups:
+  - acrpull.microsoft.com
+  resources:
+  - acrpullbindings
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - acrpull.microsoft.com
+  resources:
+  - acrpullbindings/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - acrpull.microsoft.com
+  resources:
+  - acrpullbindings/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - msi-acrpull.microsoft.com
+  resources:
+  - acrpullbindings
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - msi-acrpull.microsoft.com
+  resources:
+  - acrpullbindings/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - msi-acrpull.microsoft.com
+  resources:
+  - acrpullbindings/status
+  verbs:
+  - get
+  - patch
+  - update

acrpull/deploy/helm/acrpull/templates/controller_role_binding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: acrpull
+    app.kubernetes.io/managed-by: Helm
+  name: acrpull-controller-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: acrpull-controller
+subjects:
+- kind: ServiceAccount
+  name: acrpull
+  namespace: {{ .Values.namespace }}

acrpull/deploy/helm/acrpull/templates/deployment.yaml

@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: acrpull
+  namespace: {{ .Values.namespace }}
+  labels:
+    app.kubernetes.io/name: acrpull
+    app.kubernetes.io/managed-by: Helm
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: acrpull
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: acrpull
+    spec:
+      securityContext:
+        runAsNonRoot: true
+      containers:
+        - command:
+            - /manager
+          args:
+            - "--health-probe-bind-address=:8081"
+            - "--metrics-bind-address=127.0.0.1:8080"
+            - "--leader-elect"
+          image: "{{ .Values.image }}"
+          name: acrpull-controller
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+              name: metrics
+          securityContext:
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - "ALL"
+            readOnlyRootFilesystem: true
+            runAsUser: 1000
+            runAsGroup: 3000
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            limits:
+              cpu: 100m
+              memory: 100Mi
+            requests:
+              cpu: 100m
+              memory: 20Mi
+      serviceAccountName: acrpull
+      terminationGracePeriodSeconds: 10
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}