openshift · QiWang19 · Nov 1, 2025 · JoelSpeed · Dec 1, 2025 · JoelSpeed
diff --git a/config/v1alpha1/register.go b/config/v1alpha1/register.go
@@ -40,6 +40,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ImagePolicyList{},
 		&ClusterImagePolicy{},
 		&ClusterImagePolicyList{},
+		&CRIOCredentialProviderConfig{},
+		&CRIOCredentialProviderConfigList{},
 	)
 	metav1.AddToGroupVersion(scheme, GroupVersion)
 	return nil

diff --git a/...tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml b/...tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml
@@ -0,0 +1,52 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "CRIOCredentialProviderConfig"
+crdName: "criocredentialproviderconfigs.config.openshift.io"
+featureGates:
+  - CRIOCredentialProviderConfig
+tests:
+  onCreate:
+    - name: Should create a valid CRIOCredentialProviderConfig
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: CRIOCredentialProviderConfig
+        spec:
+          matchImages:
+          - 123456789.dkr.ecr.us-east-1.amazonaws.com
+          - "*.azurecr.io"
+          - gcr.io
+          - "*.*.registry.io"
+          - registry.io:8080/path
+      expected: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: CRIOCredentialProviderConfig
+        spec:
+          matchImages:
+          - 123456789.dkr.ecr.us-east-1.amazonaws.com
+          - "*.azurecr.io"
+          - gcr.io
+          - "*.*.registry.io"
+          - registry.io:8080/path
+    - name: Should reject matchImages with invalid characters
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: CRIOCredentialProviderConfig
+        spec:
+          matchImages:
+          - "reg!stry.io"
+      expectedError: "spec.matchImages[0]: Invalid value: \"string\": invalid matchImages value, must be a valid fully qualified domain name with optional wildcard, port, and path"
+    - name: Should reject matchImages wildcard in the path
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: CRIOCredentialProviderConfig
+        spec:
+          matchImages:
+          - "registry.io:8080/pa*th"
+      expectedError: "spec.matchImages[0]: Invalid value: \"string\": invalid matchImages value, must be a valid fully qualified domain name with optional wildcard, port, and path"
+    - name: Should reject wildcard for partial subdomains
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: CRIOCredentialProviderConfig
+        spec:
+          matchImages:
+          - "example.app*.com"
+      expectedError: "spec.matchImages[0]: Invalid value: \"string\": invalid matchImages value, must be a valid fully qualified domain name with optional wildcard, port, and path"
diff --git a/config/v1alpha1/types_crio_credential_provider_config.go b/config/v1alpha1/types_crio_credential_provider_config.go
@@ -0,0 +1,153 @@
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfig holds cluster-wide configurations for CRI-O credential provider. CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+// For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+// CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=criocredentialproviderconfigs,scope=Cluster
+// +kubebuilder:subresource:status
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1929
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +openshift:enable:FeatureGate=CRIOCredentialProviderConfig
+// +openshift:compatibility-gen:level=4
+type CRIOCredentialProviderConfig struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata"`
+
+	// spec defines the desired configuration of the CRI-O Credential Provider.
+	// This field is required and must be provided when creating the resource.
+	// +required
+	Spec CRIOCredentialProviderConfigSpec `json:"spec,omitzero"`
+
+	// status represents the current state of the CRIOCredentialProviderConfig.
+	// When omitted or nil, it indicates that the status has not yet been set by the controller.
+	// The controller will populate this field with validation conditions and operational state.
+	// +optional
+	Status *CRIOCredentialProviderConfigStatus `json:"status,omitempty"`
+}
+
+// CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.
+type CRIOCredentialProviderConfigSpec struct {
+	// matchImages is a required list of string patterns used to determine whether
+	// the CRI-O credential provider should be invoked for a given image. This list is
+	// passed to the kubelet CredentialProviderConfig, and if any pattern matches
+	// the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+	// that image or its mirrors.
+	//
-	//
+	//
+	// This field is required and must contain between 1 and 50 entries.
+	// The list is treated as a set, so duplicate entries are not allowed.
+	//
-	//
+	//
+	// This field is required and must contain between 1 and 50 entries.
+	// The list is treated as a set, so duplicate entries are not allowed.
+	//
+	// This field is required and must contain between 1 and 50 entries.
+	// The list is treated as a set, so duplicate entries are not allowed.
+	//
+	// For more details, see:
+	// - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+	// - https://github.com/cri-o/crio-credential-provider#architecture
+	//
+	// Each entry in matchImages is a pattern which can optionally contain a port and a path.
+	// Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+	// and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+	// A global wildcard '*' (matching any domain) is not allowed.
+	// Wildcards are not allowed in the port or path, nor may they appear in the middle of a hostname label.
+	// For example, '*.example.com' is valid, but 'example*.*.com' is not.
+	// Each wildcard matches only a single domain label,
+	// so '*.io' does **not** match '*.k8s.io'.
+	//
+	// A match exists between an image and a matchImage when all of the below are true:
+	// - Both contain the same number of domain parts and each part matches.
+	// - The URL path of an matchImages must be a prefix of the target image URL path.
+	// - If the matchImages contains a port, then the port must match in the image as well.
+	//
+	// Example values of matchImages:
+	// - 123456789.dkr.ecr.us-east-1.amazonaws.com
+	// - *.azurecr.io
+	// - gcr.io
+	// - *.*.registry.io
+	// - registry.io:8080/path
+	//
+	// +kubebuilder:validation:MaxItems=50
+	// +kubebuilder:validation:MinItems=1
+	// +listType=set
+	// +required
+	MatchImages []MatchImage `json:"matchImages,omitempty"`
+}
+
+// MatchImage is a string pattern used to match container image registry addresses.
+// It must be a valid fully qualified domain name with optional wildcard, port, and path.
+// The maximum length is 512 characters.
+//
+// Wildcards ('*') are supported for full subdomain labels and top-level domains.
+// Each entry can optionally contain a port (e.g., :8080) and a path (e.g., /path).
+// Wildcards are not allowed in the port or path portions.
+//
+// Examples:
+// - "registry.io" - matches exactly registry.io
+// - "*.azurecr.io" - matches any single subdomain of azurecr.io
+// - "registry.io:8080/path" - matches with specific port and path prefix
+//
+// +kubebuilder:validation:MaxLength=512
+// +kubebuilder:validation:XValidation:rule=`self.matches('^((\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)(\\.(\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?))*)(:[0-9]+)?(/[-a-zA-Z0-9_/]*)?$')`,message="invalid matchImages value, must be a valid fully qualified domain name with optional wildcard, port, and path"
+type MatchImage string
+
+// +k8s:deepcopy-gen=true
+// CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig
+type CRIOCredentialProviderConfigStatus struct {
+	// conditions represent the latest available observations of the configuration state.
+	// When omitted or empty, it indicates that no conditions have been reported yet.
+	// The maximum number of conditions is 4.
+	// Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+	//
+	// Expected condition types include:
+	// - "Validated": indicates whether the matchImages configuration is valid
+	// +optional
+	// +kubebuilder:validation:MaxItems=4
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type CRIOCredentialProviderConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []CRIOCredentialProviderConfig `json:"items"`
+}
+
+const (
+	// ConditionTypeValidated is a condition type that indicates whether the CRIOCredentialProviderConfig
+	// matchImages configuration has been validated successfully.
+	// When True, all matchImage patterns are valid and have been applied.
+	// When False, the configuration contains errors (see Reason for details).
+	// Possible reasons for False status:
+	// - ValidationFailed: matchImages contains invalid patterns
+	// - ConfigurationPartiallyApplied: some matchImage entries were ignored due to conflicts
+	ConditionTypeValidated = "Validated"
+
+	// ReasonValidationFailed is a condition reason used with ConditionTypeValidated=False
+	// to indicate that the matchImages configuration contains one or more invalid registry patterns
+	// that do not conform to the required format (valid FQDN with optional wildcard, port, and path).
+	ReasonValidationFailed = "ValidationFailed"
+
+	// ReasonConfigurationPartiallyApplied is a condition reason used with ConditionTypeValidated=False
+	// to indicate that some matchImage entries were ignored due to conflicts or overlapping patterns.
+	// The condition message will contain details about which entries were ignored and why.
+	ReasonConfigurationPartiallyApplied = "ConfigurationPartiallyApplied"
+)