Add service account token and annotation to v1 CredentialProviderRequest

Signed-off-by: Anish Ramasekar <[email protected]>

Author: aramase

staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/types.go

@@ -32,6 +32,17 @@ type CredentialProviderRequest struct {
 	// credential provider plugin request. Plugins may optionally parse the image
 	// to extract any information required to fetch credentials.
 	Image string
+
+	// serviceAccountToken is the service account token bound to the pod for which
+	// the image is being pulled. This token is only sent to the plugin if the
+	// tokenAttributes.serviceAccountTokenAudience field is configured in the kubelet's credential provider configuration.
+	ServiceAccountToken string
+
+	// serviceAccountAnnotations is a map of annotations on the service account bound to the
+	// pod for which the image is being pulled. The list of annotations in the service account
+	// that need to be passed to the plugin is configured in the kubelet's credential provider
+	// configuration.
+	ServiceAccountAnnotations map[string]string
 }
 
 type PluginCacheKeyType string

staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go

@@ -32,6 +32,18 @@ type CredentialProviderRequest struct {
 	// credential provider plugin request. Plugins may optionally parse the image
 	// to extract any information required to fetch credentials.
 	Image string `json:"image"`
+
+	// serviceAccountToken is the service account token bound to the pod for which
+	// the image is being pulled. This token is only sent to the plugin if the
+	// tokenAttributes.serviceAccountTokenAudience field is configured in the kubelet's credential
+	// provider configuration.
+	ServiceAccountToken string `json:"serviceAccountToken,omitempty" datapolicy:"token"`
+
+	// serviceAccountAnnotations is a map of annotations on the service account bound to the
+	// pod for which the image is being pulled. The list of annotations in the service account
+	// that need to be passed to the plugin is configured in the kubelet's credential provider
+	// configuration.
+	ServiceAccountAnnotations map[string]string `json:"serviceAccountAnnotations,omitempty"`
 }
 
 type PluginCacheKeyType string

staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go

@@ -0,0 +1,27 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/kubelet/pkg/apis/credentialprovider"
+)
+
+func Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
+	// This conversion intentionally omits the serviceAccountToken and serviceAccountAnnotations fields which are only supported in v1 CredentialProviderRequest.
+	return autoConvert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in, out, s)
+}

staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go

@@ -0,0 +1,27 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/kubelet/pkg/apis/credentialprovider"
+)
+
+func Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
+	// This conversion intentionally omits the serviceAccountToken and serviceAccountAnnotations fields which are only supported in v1 CredentialProviderRequest.
+	return autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in, out, s)
+}