Merge pull request #111616 from ndixita/credential-api-ga

Move the Kubelet Credential Provider feature to GA and Update the Credential Provider API to GA

staging/src/k8s.io/component-base/config/testing/apigroup.go

@@ -56,11 +56,10 @@ const (
 )
 
 var testingFuncs = map[string]testingFunc{
-	verifyTagNaming:                 verifyTagNamingFunc,
-	verifyGroupNameSuffix:           verifyGroupNameSuffixFunc,
-	verifyGroupNameMatch:            verifyGroupNameMatchFunc,
-	verifyCorrectGroupName:          verifyCorrectGroupNameFunc,
-	verifyComponentConfigKindExists: verifyComponentConfigKindExistsFunc,
+	verifyTagNaming:        verifyTagNamingFunc,
+	verifyGroupNameSuffix:  verifyGroupNameSuffixFunc,
+	verifyGroupNameMatch:   verifyGroupNameMatchFunc,
+	verifyCorrectGroupName: verifyCorrectGroupNameFunc,
 }
 
 // VerifyExternalTypePackage tests if external component config package is defined correctly
@@ -94,7 +93,8 @@ func VerifyInternalTypePackage(pkginfo *ComponentConfigPackage) error {
 		return fmt.Errorf("test setup error: %v", err)
 	}
 	extraFns := map[string]testingFunc{
-		verifyInternalAPIVersion: verifyInternalAPIVersionFunc,
+		verifyInternalAPIVersion:        verifyInternalAPIVersionFunc,
+		verifyComponentConfigKindExists: verifyComponentConfigKindExistsFunc,
 	}
 	return runFuncs(scheme, pkginfo, extraFns)
 }

staging/src/k8s.io/kubelet/config/v1/doc.go

@@ -0,0 +1,21 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:openapi-gen=true
+// +groupName=kubelet.config.k8s.io
+
+package v1 // import "k8s.io/kubelet/config/v1"

staging/src/k8s.io/kubelet/config/v1/register.go

@@ -0,0 +1,43 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name used in this package
+const GroupName = "kubelet.config.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+
+var (
+	// SchemeBuilder is the scheme builder with scheme init functions to run for this API package
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	// AddToScheme is a global function that registers this API group & version to a scheme
+	AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// addKnownTypes registers known types to the given scheme
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&CredentialProviderConfig{},
+	)
+	return nil
+}

staging/src/k8s.io/kubelet/config/v1/register_test.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"testing"
+
+	componentconfigtesting "k8s.io/component-base/config/testing"
+)
+
+func TestComponentConfigSetup(t *testing.T) {
+	pkginfo := &componentconfigtesting.ComponentConfigPackage{
+		ComponentName:      "kubelet",
+		GroupName:          GroupName,
+		SchemeGroupVersion: SchemeGroupVersion,
+		AddToScheme:        AddToScheme,
+	}
+
+	if err := componentconfigtesting.VerifyExternalTypePackage(pkginfo); err != nil {
+		t.Fatal(err)
+	}
+}

staging/src/k8s.io/kubelet/config/v1/types.go

@@ -0,0 +1,97 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CredentialProviderConfig is the configuration containing information about
+// each exec credential provider. Kubelet reads this configuration from disk and enables
+// each provider as specified by the CredentialProvider type.
+type CredentialProviderConfig struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// providers is a list of credential provider plugins that will be enabled by the kubelet.
+	// Multiple providers may match against a single image, in which case credentials
+	// from all providers will be returned to the kubelet. If multiple providers are called
+	// for a single image, the results are combined. If providers return overlapping
+	// auth keys, the value from the provider earlier in this list is used.
+	Providers []CredentialProvider `json:"providers"`
+}
+
+// CredentialProvider represents an exec plugin to be invoked by the kubelet. The plugin is only
+// invoked when an image being pulled matches the images handled by the plugin (see matchImages).
+type CredentialProvider struct {
+	// name is the required name of the credential provider. It must match the name of the
+	// provider executable as seen by the kubelet. The executable must be in the kubelet's
+	// bin directory (set by the --image-credential-provider-bin-dir flag).
+	Name string `json:"name"`
+
+	// matchImages is a required list of strings used to match against images in order to
+	// determine if this provider should be invoked. If one of the strings matches the
+	// requested image from the kubelet, the plugin will be invoked and given a chance
+	// to provide credentials. Images are expected to contain the registry domain
+	// and URL path.
+	//
+	// Each entry in matchImages is a pattern which can optionally contain a port and a path.
+	// Globs can be used in the domain, but not in the port or the path. Globs are supported
+	// as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'.
+	// Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match
+	// a single subdomain segment, so *.io does not match *.k8s.io.
+	//
+	// A match exists between an image and a matchImage when all of the below are true:
+	// - Both contain the same number of domain parts and each part matches.
+	// - The URL path of an imageMatch must be a prefix of the target image URL path.
+	// - If the imageMatch contains a port, then the port must match in the image as well.
+	//
+	// Example values of matchImages:
+	//   - 123456789.dkr.ecr.us-east-1.amazonaws.com
+	//   - *.azurecr.io
+	//   - gcr.io
+	//   - *.*.registry.io
+	//   - registry.io:8080/path
+	MatchImages []string `json:"matchImages"`
+
+	// defaultCacheDuration is the default duration the plugin will cache credentials in-memory
+	// if a cache duration is not provided in the plugin response. This field is required.
+	DefaultCacheDuration *metav1.Duration `json:"defaultCacheDuration"`
+
+	// Required input version of the exec CredentialProviderRequest. The returned CredentialProviderResponse
+	// MUST use the same encoding version as the input. Current supported values are:
+	// - credentialprovider.kubelet.k8s.io/v1
+	APIVersion string `json:"apiVersion"`
+
+	// Arguments to pass to the command when executing it.
+	// +optional
+	Args []string `json:"args,omitempty"`
+
+	// Env defines additional environment variables to expose to the process. These
+	// are unioned with the host's environment, as well as variables client-go uses
+	// to pass argument to the plugin.
+	// +optional
+	Env []ExecEnvVar `json:"env,omitempty"`
+}
+
+// ExecEnvVar is used for setting environment variables when executing an exec-based
+// credential plugin.
+type ExecEnvVar struct {
+	Name  string `json:"name"`
+	Value string `json:"value"`
+}

staging/src/k8s.io/kubelet/config/v1/zz_generated.deepcopy.go

@@ -0,0 +1,111 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialProvider) DeepCopyInto(out *CredentialProvider) {
+	*out = *in
+	if in.MatchImages != nil {
+		in, out := &in.MatchImages, &out.MatchImages
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.DefaultCacheDuration != nil {
+		in, out := &in.DefaultCacheDuration, &out.DefaultCacheDuration
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.Args != nil {
+		in, out := &in.Args, &out.Args
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Env != nil {
+		in, out := &in.Env, &out.Env
+		*out = make([]ExecEnvVar, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProvider.
+func (in *CredentialProvider) DeepCopy() *CredentialProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialProviderConfig) DeepCopyInto(out *CredentialProviderConfig) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.Providers != nil {
+		in, out := &in.Providers, &out.Providers
+		*out = make([]CredentialProvider, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProviderConfig.
+func (in *CredentialProviderConfig) DeepCopy() *CredentialProviderConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialProviderConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CredentialProviderConfig) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExecEnvVar) DeepCopyInto(out *ExecEnvVar) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExecEnvVar.
+func (in *ExecEnvVar) DeepCopy() *ExecEnvVar {
+	if in == nil {
+		return nil
+	}
+	out := new(ExecEnvVar)
+	in.DeepCopyInto(out)
+	return out
+}

staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/install/install.go

@@ -20,6 +20,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/kubelet/pkg/apis/credentialprovider"
+	v1 "k8s.io/kubelet/pkg/apis/credentialprovider/v1"
 	"k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1"
 	"k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1"
 )
@@ -31,4 +32,6 @@ func Install(scheme *runtime.Scheme) {
 	utilruntime.Must(scheme.SetVersionPriority(v1alpha1.SchemeGroupVersion))
 	utilruntime.Must(v1beta1.AddToScheme(scheme))
 	utilruntime.Must(scheme.SetVersionPriority(v1beta1.SchemeGroupVersion))
+	utilruntime.Must(v1.AddToScheme(scheme))
+	utilruntime.Must(scheme.SetVersionPriority(v1.SchemeGroupVersion))
 }

staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/doc.go

@@ -0,0 +1,22 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=k8s.io/kubelet/pkg/apis/credentialprovider
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=credentialprovider.kubelet.k8s.io
+
+package v1 // import "k8s.io/kubelet/pkg/apis/credentialprovider/v1"

staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/register.go

@@ -0,0 +1,46 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "credentialprovider.kubelet.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var (
+	SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+	localSchemeBuilder = &SchemeBuilder
+)
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&CredentialProviderRequest{},
+		&CredentialProviderResponse{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}

staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go

@@ -0,0 +1,117 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CredentialProviderRequest includes the image that the kubelet requires authentication for.
+// Kubelet will pass this request object to the plugin via stdin. In general, plugins should
+// prefer responding with the same apiVersion they were sent.
+type CredentialProviderRequest struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// image is the container image that is being pulled as part of the
+	// credential provider plugin request. Plugins may optionally parse the image
+	// to extract any information required to fetch credentials.
+	Image string `json:"image"`
+}
+
+type PluginCacheKeyType string
+
+const (
+	// ImagePluginCacheKeyType means the kubelet will cache credentials on a per-image basis,
+	// using the image passed from the kubelet directly as the cache key. This includes
+	// the registry domain, port (if specified), and path but does not include tags or SHAs.
+	ImagePluginCacheKeyType PluginCacheKeyType = "Image"
+	// RegistryPluginCacheKeyType means the kubelet will cache credentials on a per-registry basis.
+	// The cache key will be based on the registry domain and port (if present) parsed from the requested image.
+	RegistryPluginCacheKeyType PluginCacheKeyType = "Registry"
+	// GlobalPluginCacheKeyType means the kubelet will cache credentials for all images that
+	// match for a given plugin. This cache key should only be returned by plugins that do not use
+	// the image input at all.
+	GlobalPluginCacheKeyType PluginCacheKeyType = "Global"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CredentialProviderResponse holds credentials that the kubelet should use for the specified
+// image provided in the original request. Kubelet will read the response from the plugin via stdout.
+// This response should be set to the same apiVersion as CredentialProviderRequest.
+type CredentialProviderResponse struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// cacheKeyType indiciates the type of caching key to use based on the image provided
+	// in the request. There are three valid values for the cache key type: Image, Registry, and
+	// Global. If an invalid value is specified, the response will NOT be used by the kubelet.
+	CacheKeyType PluginCacheKeyType `json:"cacheKeyType"`
+
+	// cacheDuration indicates the duration the provided credentials should be cached for.
+	// The kubelet will use this field to set the in-memory cache duration for credentials
+	// in the AuthConfig. If null, the kubelet will use defaultCacheDuration provided in
+	// CredentialProviderConfig. If set to 0, the kubelet will not cache the provided AuthConfig.
+	// +optional
+	CacheDuration *metav1.Duration `json:"cacheDuration,omitempty"`
+
+	// auth is a map containing authentication information passed into the kubelet.
+	// Each key is a match image string (more on this below). The corresponding authConfig value
+	// should be valid for all images that match against this key. A plugin should set
+	// this field to null if no valid credentials can be returned for the requested image.
+	//
+	// Each key in the map is a pattern which can optionally contain a port and a path.
+	// Globs can be used in the domain, but not in the port or the path. Globs are supported
+	// as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'.
+	// Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match
+	// a single subdomain segment, so *.io does not match *.k8s.io.
+	//
+	// The kubelet will match images against the key when all of the below are true:
+	// - Both contain the same number of domain parts and each part matches.
+	// - The URL path of an imageMatch must be a prefix of the target image URL path.
+	// - If the imageMatch contains a port, then the port must match in the image as well.
+	//
+	// When multiple keys are returned, the kubelet will traverse all keys in reverse order so that:
+	// - longer keys come before shorter keys with the same prefix
+	// - non-wildcard keys come before wildcard keys with the same prefix.
+	//
+	// For any given match, the kubelet will attempt an image pull with the provided credentials,
+	// stopping after the first successfully authenticated pull.
+	//
+	// Example keys:
+	//   - 123456789.dkr.ecr.us-east-1.amazonaws.com
+	//   - *.azurecr.io
+	//   - gcr.io
+	//   - *.*.registry.io
+	//   - registry.io:8080/path
+	// +optional
+	Auth map[string]AuthConfig `json:"auth,omitempty"`
+}
+
+// AuthConfig contains authentication information for a container registry.
+// Only username/password based authentication is supported today, but more authentication
+// mechanisms may be added in the future.
+type AuthConfig struct {
+	// username is the username used for authenticating to the container registry
+	// An empty username is valid.
+	Username string `json:"username"`
+
+	// password is the password used for authenticating to the container registry
+	// An empty password is valid.
+	Password string `json:"password"`
+}

staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go

@@ -0,0 +1,137 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	unsafe "unsafe"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	credentialprovider "k8s.io/kubelet/pkg/apis/credentialprovider"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*AuthConfig)(nil), (*credentialprovider.AuthConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_AuthConfig_To_credentialprovider_AuthConfig(a.(*AuthConfig), b.(*credentialprovider.AuthConfig), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*credentialprovider.AuthConfig)(nil), (*AuthConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_credentialprovider_AuthConfig_To_v1_AuthConfig(a.(*credentialprovider.AuthConfig), b.(*AuthConfig), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*CredentialProviderRequest)(nil), (*credentialprovider.CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(a.(*CredentialProviderRequest), b.(*credentialprovider.CredentialProviderRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*CredentialProviderResponse)(nil), (*credentialprovider.CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderResponse)(nil), (*CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_credentialprovider_CredentialProviderResponse_To_v1_CredentialProviderResponse(a.(*credentialprovider.CredentialProviderResponse), b.(*CredentialProviderResponse), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1_AuthConfig_To_credentialprovider_AuthConfig(in *AuthConfig, out *credentialprovider.AuthConfig, s conversion.Scope) error {
+	out.Username = in.Username
+	out.Password = in.Password
+	return nil
+}
+
+// Convert_v1_AuthConfig_To_credentialprovider_AuthConfig is an autogenerated conversion function.
+func Convert_v1_AuthConfig_To_credentialprovider_AuthConfig(in *AuthConfig, out *credentialprovider.AuthConfig, s conversion.Scope) error {
+	return autoConvert_v1_AuthConfig_To_credentialprovider_AuthConfig(in, out, s)
+}
+
+func autoConvert_credentialprovider_AuthConfig_To_v1_AuthConfig(in *credentialprovider.AuthConfig, out *AuthConfig, s conversion.Scope) error {
+	out.Username = in.Username
+	out.Password = in.Password
+	return nil
+}
+
+// Convert_credentialprovider_AuthConfig_To_v1_AuthConfig is an autogenerated conversion function.
+func Convert_credentialprovider_AuthConfig_To_v1_AuthConfig(in *credentialprovider.AuthConfig, out *AuthConfig, s conversion.Scope) error {
+	return autoConvert_credentialprovider_AuthConfig_To_v1_AuthConfig(in, out, s)
+}
+
+func autoConvert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error {
+	out.Image = in.Image
+	return nil
+}
+
+// Convert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest is an autogenerated conversion function.
+func Convert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error {
+	return autoConvert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in, out, s)
+}
+
+func autoConvert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
+	out.Image = in.Image
+	return nil
+}
+
+// Convert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest is an autogenerated conversion function.
+func Convert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
+	return autoConvert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest(in, out, s)
+}
+
+func autoConvert_v1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error {
+	out.CacheKeyType = credentialprovider.PluginCacheKeyType(in.CacheKeyType)
+	out.CacheDuration = (*metav1.Duration)(unsafe.Pointer(in.CacheDuration))
+	out.Auth = *(*map[string]credentialprovider.AuthConfig)(unsafe.Pointer(&in.Auth))
+	return nil
+}
+
+// Convert_v1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse is an autogenerated conversion function.
+func Convert_v1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error {
+	return autoConvert_v1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in, out, s)
+}
+
+func autoConvert_credentialprovider_CredentialProviderResponse_To_v1_CredentialProviderResponse(in *credentialprovider.CredentialProviderResponse, out *CredentialProviderResponse, s conversion.Scope) error {
+	out.CacheKeyType = PluginCacheKeyType(in.CacheKeyType)
+	out.CacheDuration = (*metav1.Duration)(unsafe.Pointer(in.CacheDuration))
+	out.Auth = *(*map[string]AuthConfig)(unsafe.Pointer(&in.Auth))
+	return nil
+}
+
+// Convert_credentialprovider_CredentialProviderResponse_To_v1_CredentialProviderResponse is an autogenerated conversion function.
+func Convert_credentialprovider_CredentialProviderResponse_To_v1_CredentialProviderResponse(in *credentialprovider.CredentialProviderResponse, out *CredentialProviderResponse, s conversion.Scope) error {
+	return autoConvert_credentialprovider_CredentialProviderResponse_To_v1_CredentialProviderResponse(in, out, s)
+}

staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go

@@ -0,0 +1,105 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuthConfig) DeepCopyInto(out *AuthConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthConfig.
+func (in *AuthConfig) DeepCopy() *AuthConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(AuthConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialProviderRequest) DeepCopyInto(out *CredentialProviderRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProviderRequest.
+func (in *CredentialProviderRequest) DeepCopy() *CredentialProviderRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialProviderRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CredentialProviderRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CredentialProviderResponse) DeepCopyInto(out *CredentialProviderResponse) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.CacheDuration != nil {
+		in, out := &in.CacheDuration, &out.CacheDuration
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = make(map[string]AuthConfig, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProviderResponse.
+func (in *CredentialProviderResponse) DeepCopy() *CredentialProviderResponse {
+	if in == nil {
+		return nil
+	}
+	out := new(CredentialProviderResponse)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CredentialProviderResponse) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}

staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.defaults.go

@@ -0,0 +1,33 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}