imagepullmanager: add v1alpha1 config API

Kubernetes-commit: 37e0fd50aac2a1860839ece6f256b74c4f73a012
2024-10-09 14:38:25 +02:00 · 2024-10-09 14:38:25 +02:00 · 317a26d34c
parent de5a54b8fc
commit 317a26d34c
2 changed files with 74 additions and 0 deletions
--- a/config/v1alpha1/register.go
+++ b/config/v1alpha1/register.go
@ -38,6 +38,8 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&CredentialProviderConfig{},
 		&ImagePullIntent{},
 		&ImagePulledRecord{},
 	)
 	return nil
 }
--- a/config/v1alpha1/types.go
+++ b/config/v1alpha1/types.go
@ -96,3 +96,75 @@ type ExecEnvVar struct {
 	Name  string `json:"name"`
 	Value string `json:"value"`
 }
 // ImagePullIntent is a record of the kubelet attempting to pull an image.
 //
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type ImagePullIntent struct {
 	metav1.TypeMeta `json:",inline"`
 	// Image is the image spec from a Container's `image` field.
 	// The filename is a SHA-256 hash of this value. This is to avoid filename-unsafe
 	// characters like ':' and '/'.
 	Image string `json:"image"`
 }
 // ImagePullRecord is a record of an image that was pulled by the kubelet.
 //
 // If there are no records in the `kubernetesSecrets` field and both `nodeWideCredentials`
 // and `anonymous` are `false`, credentials must be re-checked the next time an
 // image represented by this record is being requested.
 //
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type ImagePulledRecord struct {
 	metav1.TypeMeta `json:",inline"`
 	// LastUpdatedTime is the time of the last update to this record
 	LastUpdatedTime metav1.Time `json:"lastUpdatedTime"`
 	// ImageRef is a reference to the image represented by this file as received
 	// from the CRI.
 	// The filename is a SHA-256 hash of this value. This is to avoid filename-unsafe
 	// characters like ':' and '/'.
 	ImageRef string `json:"imageRef"`
 	// CredentialMapping maps `image` to the set of credentials that it was
 	// previously pulled with.
 	// `image` in this case is the content of a pod's container `image` field that's
 	// got its tag/digest removed.
 	//
 	// Example:
 	//   Container requests the `hello-world:latest@sha256:91fb4b041da273d5a3273b6d587d62d518300a6ad268b28628f74997b93171b2` image:
 	//     "credentialMapping": {
 	//       "hello-world": { "nodePodsAccessible": true }
 	//     }
 	CredentialMapping map[string]ImagePullCredentials `json:"credentialMapping,omitempty"`
 }
 // ImagePullCredentials describe credentials that can be used to pull an image.
 type ImagePullCredentials struct {
 	// KuberneteSecretCoordinates is an index of coordinates of all the kubernetes
 	// secrets that were used to pull the image.
 	// +optional
 	// +listType=set
 	KubernetesSecrets []ImagePullSecret `json:"kubernetesSecrets"`
 	// NodePodsAccessible is a flag denoting the pull credentials are accessible
 	// by all the pods on the node, or that no credentials are needed for the pull.
 	//
 	// If true, it is mutually exclusive with the `kubernetesSecrets` field.
 	// +optional
 	NodePodsAccessible bool `json:"nodePodsAccessible,omitempty"`
 }
 // ImagePullSecret is a representation of a Kubernetes secret object coordinates along
 // with a credential hash of the pull secret credentials this object contains.
 type ImagePullSecret struct {
 	UID       string `json:"uid"`
 	Namespace string `json:"namespace"`
 	Name      string `json:"name"`
 	// CredentialHash is a SHA-256 retrieved by hashing the image pull credentials
 	// content of the secret specified by the UID/Namespace/Name coordinates.
 	CredentialHash string `json:"credentialHash"`
 }