Skip to content

feat(windows): add credential provider mirror config for network isolated cluster #8708

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
fseldow wants to merge 4 commits into
base: main
Choose a base branch
from
+111 −0
Open

feat(windows): add credential provider mirror config for network isolated cluster #8708

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
61d83b5
feat: add credential provider mirror config for network isolated cluster
fseldow Jun 15, 2026
fedfd66
ut
fseldow Jun 15, 2026
d1221d9
Potential fix for pull request finding
fseldow Jun 15, 2026
b3781ed
add qeoto
fseldow Jun 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 26 additions & 0 deletions staging/cse/windows/configfunc.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -396,6 +396,32 @@ providers:
apiVersion: credentialprovider.kubelet.k8s.io/v1
args:
- $azureConfigFile
"@
}
elseif (![string]::IsNullOrEmpty($global:BootstrapProfileContainerRegistryServer)) {
$mcrRegistry = if ((Test-Path variable:global:MCRRepositoryBase) -and
-not [string]::IsNullOrEmpty($global:MCRRepositoryBase)) {
([string]$global:MCRRepositoryBase).TrimEnd("/")
}
else {
"mcr.microsoft.com"
}
$credentialProviderConfig = @"
apiVersion: kubelet.config.k8s.io/v1
kind: CredentialProviderConfig
providers:
- name: acr-credential-provider
matchImages:
- "*.azurecr.io"
- "*.azurecr.cn"
- "*.azurecr.de"
- "*.azurecr.us"
- "${mcrRegistry}"
defaultCacheDuration: "10m"
apiVersion: credentialprovider.kubelet.k8s.io/v1
args:
- $azureConfigFile
- --registry-mirror=${mcrRegistry}:{$global:BootstrapProfileContainerRegistryServer}
"@
Comment thread
fseldow marked this conversation as resolved.
}
$credentialProviderConfig | Out-File -encoding ASCII -filepath "$CredentialProviderConfPATH"
Expand Down
55 changes: 55 additions & 0 deletions staging/cse/windows/configfunc.tests.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,61 @@ Describe 'Config-CredentialProvider' {
$normalizedActual | Should -Be $normalizedExpected
}
}
Context 'BootstrapProfileContainerRegistryServer is set with default MCR' {
BeforeEach {
$global:BootstrapProfileContainerRegistryServer = "myregistry.azurecr.io"
# Ensure MCRRepositoryBase is not set so it falls back to mcr.microsoft.com
Remove-Variable -Name MCRRepositoryBase -Scope Global -ErrorAction SilentlyContinue
}
AfterEach {
$global:BootstrapProfileContainerRegistryServer = $null
}
It "should include mcr.microsoft.com in matchImages and registry-mirror arg" {
$expectedCredentialProviderConfig = Read-Format-Yaml ([Io.path]::Combine($credentialProviderConfigDir, "BootstrapProfileContainerRegistryServerDefault.config.yaml"))
Config-CredentialProvider -KubeDir $credentialProviderConfigDir -CredentialProviderConfPath $CredentialProviderConfPATH -CustomCloudContainerRegistryDNSSuffix ""
$acutalCredentialProviderConfig = Read-Format-Yaml $CredentialProviderConfPATH

$normalizedExpected = $expectedCredentialProviderConfig.Trim().Replace("`r`n", "`n")
$normalizedActual = $acutalCredentialProviderConfig.Trim().Replace("`r`n", "`n")
$normalizedActual | Should -Be $normalizedExpected
}
}
Comment on lines +156 to +174

@fseldow fseldow Jun 22, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. If we add CSE-side normalization for this path, I’ll include an https://.../ input case so the generated --registry-mirror formatting is covered.

Context 'BootstrapProfileContainerRegistryServer is set with custom MCRRepositoryBase' {
BeforeEach {
$global:BootstrapProfileContainerRegistryServer = "myregistry.azurecr.io"
$global:MCRRepositoryBase = "custom.mcr.contoso.com"

@r2k1 r2k1 Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟢 Low / Test Coverage — This value has no trailing slash, so the .TrimEnd("/") you added in configfunc.ps1 never runs in the tests. Set it to custom.mcr.contoso.com/ and keep the fixture without the slash, so the test proves the trim works.

@fseldow fseldow Jun 22, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. I’ll update the custom MCR test input to include a trailing slash while keeping the expected fixture trimmed, so the test proves the trim behavior.

}
AfterEach {
$global:BootstrapProfileContainerRegistryServer = $null
$global:MCRRepositoryBase = $null
}
It "should use custom MCRRepositoryBase in matchImages and registry-mirror arg" {
$expectedCredentialProviderConfig = Read-Format-Yaml ([Io.path]::Combine($credentialProviderConfigDir, "BootstrapProfileContainerRegistryServerCustomMCR.config.yaml"))
Config-CredentialProvider -KubeDir $credentialProviderConfigDir -CredentialProviderConfPath $CredentialProviderConfPATH -CustomCloudContainerRegistryDNSSuffix ""
$acutalCredentialProviderConfig = Read-Format-Yaml $CredentialProviderConfPATH

$normalizedExpected = $expectedCredentialProviderConfig.Trim().Replace("`r`n", "`n")
$normalizedActual = $acutalCredentialProviderConfig.Trim().Replace("`r`n", "`n")
$normalizedActual | Should -Be $normalizedExpected
}
}
Context 'CustomCloudContainerRegistryDNSSuffix takes precedence over BootstrapProfileContainerRegistryServer' {
BeforeEach {
$global:BootstrapProfileContainerRegistryServer = "myregistry.azurecr.io"
}
AfterEach {
$global:BootstrapProfileContainerRegistryServer = $null
}
It "should use CustomCloud config and not include registry-mirror when both are set" {
$expectedCredentialProviderConfig = Read-Format-Yaml ([Io.path]::Combine($credentialProviderConfigDir, "CustomCloudContainerRegistryDNSSuffixNotEmpty.config.yaml"))
Config-CredentialProvider -KubeDir $credentialProviderConfigDir -CredentialProviderConfPath $CredentialProviderConfPATH -CustomCloudContainerRegistryDNSSuffix ".azurecr.microsoft.fakecloud"
$acutalCredentialProviderConfig = Read-Format-Yaml $CredentialProviderConfPATH

$normalizedExpected = $expectedCredentialProviderConfig.Trim().Replace("`r`n", "`n")
$normalizedActual = $acutalCredentialProviderConfig.Trim().Replace("`r`n", "`n")
$normalizedActual | Should -Be $normalizedExpected
}
}
}

Describe 'Validate-CredentialProviderConfigFlags' {
Expand Down
15 changes: 15 additions & 0 deletions ...dentialProvider.tests.suites/BootstrapProfileContainerRegistryServerCustomMCR.config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
apiVersion: kubelet.config.k8s.io/v1
kind: CredentialProviderConfig
providers:
- name: acr-credential-provider
matchImages:
- "*.azurecr.io"
- "*.azurecr.cn"
- "*.azurecr.de"
- "*.azurecr.us"
- "custom.mcr.contoso.com"
defaultCacheDuration: "10m"
apiVersion: credentialprovider.kubelet.k8s.io/v1
args:
- staging\cse\windows\credentialProvider.tests.suites\azure.json
- --registry-mirror=custom.mcr.contoso.com:myregistry.azurecr.io
15 changes: 15 additions & 0 deletions ...redentialProvider.tests.suites/BootstrapProfileContainerRegistryServerDefault.config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
apiVersion: kubelet.config.k8s.io/v1
kind: CredentialProviderConfig
providers:
- name: acr-credential-provider
matchImages:
- "*.azurecr.io"
- "*.azurecr.cn"
- "*.azurecr.de"
- "*.azurecr.us"
- "mcr.microsoft.com"
defaultCacheDuration: "10m"
apiVersion: credentialprovider.kubelet.k8s.io/v1
args:
- staging\cse\windows\credentialProvider.tests.suites\azure.json
- --registry-mirror=mcr.microsoft.com:myregistry.azurecr.io
Loading