feat: support ib-based image pull

Signed-off-by: Billy Zha <[email protected]>

Author: qweeah

aks-node-controller/parser/helper.go

@@ -810,3 +810,39 @@ func getLocalDnsMemoryLimitInMb(aksnodeconfig *aksnodeconfigv1.Configuration) st
 }
 
 // ---------------------- End of localdns related helper code ----------------------//
+
+// ---------------------- Image Pull Identity helper functions ----------------------//
+
+// getImagePullIdentityBindingEnabled returns whether identity binding-based image pull is enabled.
+func getImagePullIdentityBindingEnabled(securityProfile *aksnodeconfigv1.SecurityProfile) bool {
+	if securityProfile == nil || securityProfile.GetImagePullIdentityProfile() == nil {
+		return false
+	}
+	return securityProfile.GetImagePullIdentityProfile().GetEnabled()
+}
+
+// getImagePullIdentityDefaultClientID returns the default client ID for image pull identity binding.
+func getImagePullIdentityDefaultClientID(securityProfile *aksnodeconfigv1.SecurityProfile) string {
+	if securityProfile == nil || securityProfile.GetImagePullIdentityProfile() == nil {
+		return ""
+	}
+	return securityProfile.GetImagePullIdentityProfile().GetDefaultClientId()
+}
+
+// getImagePullIdentityDefaultTenantID returns the default tenant ID for image pull identity binding.
+func getImagePullIdentityDefaultTenantID(securityProfile *aksnodeconfigv1.SecurityProfile) string {
+	if securityProfile == nil || securityProfile.GetImagePullIdentityProfile() == nil {
+		return ""
+	}
+	return securityProfile.GetImagePullIdentityProfile().GetDefaultTenantId()
+}
+
+// getImagePullIdentityLocalAuthoritySNI returns the local authority SNI for identity bindings.
+func getImagePullIdentityLocalAuthoritySNI(securityProfile *aksnodeconfigv1.SecurityProfile) string {
+	if securityProfile == nil || securityProfile.GetImagePullIdentityProfile() == nil {
+		return ""
+	}
+	return securityProfile.GetImagePullIdentityProfile().GetLocalAuthoritySni()
+}
+
+// ---------------------- End of Image Pull Identity helper functions ----------------------//

aks-node-controller/parser/helper_test.go

@@ -1811,3 +1811,187 @@ func Test_getLocalDnsMemoryLimitInMb(t *testing.T) {
 		})
 	}
 }
+
+func Test_getImagePullIdentityBindingEnabled(t *testing.T) {
+	tests := []struct {
+		name            string
+		securityProfile *aksnodeconfigv1.SecurityProfile
+		want            bool
+	}{
+		{
+			name:            "nil SecurityProfile",
+			securityProfile: nil,
+			want:            false,
+		},
+		{
+			name: "nil ImagePullIdentityProfile",
+			securityProfile: &aksnodeconfigv1.SecurityProfile{
+				ImagePullIdentityProfile: nil,
+			},
+			want: false,
+		},
+		{
+			name: "enabled true",
+			securityProfile: &aksnodeconfigv1.SecurityProfile{
+				ImagePullIdentityProfile: &aksnodeconfigv1.ImagePullIdentityProfile{
+					Enabled: true,
+				},
+			},
+			want: true,
+		},
+		{
+			name: "enabled false",
+			securityProfile: &aksnodeconfigv1.SecurityProfile{
+				ImagePullIdentityProfile: &aksnodeconfigv1.ImagePullIdentityProfile{
+					Enabled: false,
+				},
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := getImagePullIdentityBindingEnabled(tt.securityProfile); got != tt.want {
+				t.Errorf("getImagePullIdentityBindingEnabled() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func Test_getImagePullIdentityDefaultClientID(t *testing.T) {
+	tests := []struct {
+		name            string
+		securityProfile *aksnodeconfigv1.SecurityProfile
+		want            string
+	}{
+		{
+			name:            "nil SecurityProfile",
+			securityProfile: nil,
+			want:            "",
+		},
+		{
+			name: "nil ImagePullIdentityProfile",
+			securityProfile: &aksnodeconfigv1.SecurityProfile{
+				ImagePullIdentityProfile: nil,
+			},
+			want: "",
+		},
+		{
+			name: "with client ID",
+			securityProfile: &aksnodeconfigv1.SecurityProfile{
+				ImagePullIdentityProfile: &aksnodeconfigv1.ImagePullIdentityProfile{
+					DefaultClientId: "test-client-id",
+				},
+			},
+			want: "test-client-id",
+		},
+		{
+			name: "empty client ID",
+			securityProfile: &aksnodeconfigv1.SecurityProfile{
+				ImagePullIdentityProfile: &aksnodeconfigv1.ImagePullIdentityProfile{
+					DefaultClientId: "",
+				},
+			},
+			want: "",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := getImagePullIdentityDefaultClientID(tt.securityProfile); got != tt.want {
+				t.Errorf("getImagePullIdentityDefaultClientID() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func Test_getImagePullIdentityDefaultTenantID(t *testing.T) {
+	tests := []struct {
+		name            string
+		securityProfile *aksnodeconfigv1.SecurityProfile
+		want            string
+	}{
+		{
+			name:            "nil SecurityProfile",
+			securityProfile: nil,
+			want:            "",
+		},
+		{
+			name: "nil ImagePullIdentityProfile",
+			securityProfile: &aksnodeconfigv1.SecurityProfile{
+				ImagePullIdentityProfile: nil,
+			},
+			want: "",
+		},
+		{
+			name: "with tenant ID",
+			securityProfile: &aksnodeconfigv1.SecurityProfile{
+				ImagePullIdentityProfile: &aksnodeconfigv1.ImagePullIdentityProfile{
+					DefaultTenantId: "test-tenant-id",
+				},
+			},
+			want: "test-tenant-id",
+		},
+		{
+			name: "empty tenant ID",
+			securityProfile: &aksnodeconfigv1.SecurityProfile{
+				ImagePullIdentityProfile: &aksnodeconfigv1.ImagePullIdentityProfile{
+					DefaultTenantId: "",
+				},
+			},
+			want: "",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := getImagePullIdentityDefaultTenantID(tt.securityProfile); got != tt.want {
+				t.Errorf("getImagePullIdentityDefaultTenantID() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func Test_getImagePullIdentityLocalAuthoritySNI(t *testing.T) {
+	tests := []struct {
+		name            string
+		securityProfile *aksnodeconfigv1.SecurityProfile
+		want            string
+	}{
+		{
+			name:            "nil SecurityProfile",
+			securityProfile: nil,
+			want:            "",
+		},
+		{
+			name: "nil ImagePullIdentityProfile",
+			securityProfile: &aksnodeconfigv1.SecurityProfile{
+				ImagePullIdentityProfile: nil,
+			},
+			want: "",
+		},
+		{
+			name: "with local authority SNI",
+			securityProfile: &aksnodeconfigv1.SecurityProfile{
+				ImagePullIdentityProfile: &aksnodeconfigv1.ImagePullIdentityProfile{
+					LocalAuthoritySni: "test-sni.local",
+				},
+			},
+			want: "test-sni.local",
+		},
+		{
+			name: "empty local authority SNI",
+			securityProfile: &aksnodeconfigv1.SecurityProfile{
+				ImagePullIdentityProfile: &aksnodeconfigv1.ImagePullIdentityProfile{
+					LocalAuthoritySni: "",
+				},
+			},
+			want: "",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := getImagePullIdentityLocalAuthoritySNI(tt.securityProfile); got != tt.want {
+				t.Errorf("getImagePullIdentityLocalAuthoritySNI() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

aks-node-controller/parser/parser.go

@@ -173,6 +173,10 @@ func getCSEEnv(config *aksnodeconfigv1.Configuration) map[string]string {
 		"LOCALDNS_MEMORY_LIMIT":                              getLocalDnsMemoryLimitInMb(config),
 		"LOCALDNS_GENERATED_COREFILE":                        getLocalDnsCorefileBase64(config),
 		"DISABLE_PUBKEY_AUTH":                                fmt.Sprintf("%v", config.GetDisablePubkeyAuth()),
+		"IMAGE_PULL_IDENTITY_BINDING_ENABLED":                fmt.Sprintf("%v", getImagePullIdentityBindingEnabled(config.GetSecurityProfile())),
+		"IMAGE_PULL_IDENTITY_DEFAULT_CLIENT_ID":              getImagePullIdentityDefaultClientID(config.GetSecurityProfile()),
+		"IMAGE_PULL_IDENTITY_DEFAULT_TENANT_ID":              getImagePullIdentityDefaultTenantID(config.GetSecurityProfile()),
+		"IDENTITY_BINDINGS_LOCAL_AUTHORITY_SNI":              getImagePullIdentityLocalAuthoritySNI(config.GetSecurityProfile()),
 	}
 
 	for i, cert := range config.CustomCaCerts {