support for private containerRegistry and fileRepository #17627

@sgavathe

Is it possible to pull assets from private (ECR & S3) using an IAM role?

1. What kops version are you running? The command kops version, will display
this information.

kops version
Client version: 1.33.1

2. What Kubernetes version are you running? kubectl version will print the
version if a cluster is running or provide the Kubernetes version specified as
a kops flag.

kubernetesVersion: 1.31.2

3. What cloud provider are you using?

AWS

  • cluster.yaml assets

4. What commands did you run? What is the simplest way to reproduce this issue?

  • Executed the command below and see the error from the link
    kops update cluster --yes --state s3://s3-local-kops-state

Error: you might have not staged your files correctly, please execute 'kops get assets --copy'

if a.AssetsLocation != nil && a.AssetsLocation.FileRepository != nil {

7. Please provide your cluster manifest. Execute
kops get --name my.example.com -o yaml to display your cluster manifest.
You may want to remove your cluster name and other sensitive information.

assets:
  containerRegistry: [XXX-000-000.dkr.ecr.us-east-1.amazonaws.com/kops] (private)
  fileRepository: https://s3-kops-bin.s3.us-east-1.amazonaws.com/kops/1.32.2 (private)
  • If I switch to using s3 instead of https, update cluster goes through
    fileRepository: s3://s3-kops-bin/kops/1.32.2

But then under the node, the log says the below, which also makes sense since curl can't copy from the s3 protocol:

== Downloading nodeup with hash 6510d0a2b315c1e83f84d331f03e7ba8a57ef76119d53336ceed5871eca8c511 from s3://s3kops-bin/kops/1.32.2/binaries/kops/1.33.1/linux/amd64/nodeup ==
== Downloading s3://s3kops-bin/kops/1.32.2/binaries/kops/1.33.1/linux/amd64/nodeup using curl -f --compressed -Lo nodeup --connect-timeout 20 --retry 6 --retry-delay 10 ==
curl: (1) Protocol "s3" not supported or disabled in libcurl
== Failed to download s3://s3kops-bin/kops/1.32.2/binaries/kops/1.33.1/linux/amd64/nodeup using curl -f --compressed -Lo nodeup --connect-timeout 20 --retry 6 --retry-delay 10 ==
== Downloading s3://s3kops-bin/kops/1.32.2/binaries/kops/1.33.1/linux/amd64/nodeup using wget --compression=auto -O nodeup --connect-timeout=20 --tries=6 --wait=10 ==
==Failed to download s3://s3-kops-bin/kops/1.32.2/binaries/kops/1.33.1/linux/amd64/nodeup

  • kops does use an IAM role to update the state store, so I figured this can be allowed in some fashion.

Thanks.
shay
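
An added example, not part of the original issue and not kops code: a node-side fetch helper that dispatches on the URL scheme, so an s3:// asset is pulled with the AWS CLI under the instance's IAM role instead of curl, and is accepted only if its SHA-256 matches the expected hash. The function names, the presence of the AWS CLI on the node, and an instance profile that allows s3:GetObject on the object are assumptions.

```shell
#!/usr/bin/env bash
# Added illustration; hypothetical helper names, not the kops bootstrap script.

# Pick the tool that can fetch a URL. curl and wget cannot speak s3://,
# which is the failure shown in the node log above.
asset_fetcher() {
  case "$1" in
    s3://*)    echo "aws-cli" ;;
    https://*) echo "curl" ;;
    *)         echo "unsupported" ;;
  esac
}

# Succeed only if the file's SHA-256 equals the expected hex digest.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256sum "$file" | cut -d' ' -f1)" || return 1
  [ "$actual" = "$expected" ]
}

# Download url to dest; the file is moved into place only after its hash checks out.
# Returns 2 for an unsupported scheme, 1 for a failed transfer, 3 for a hash mismatch.
fetch_asset() {
  local url="$1" dest="$2" expected="$3" tool tmp
  tool="$(asset_fetcher "$url")"
  [ "$tool" != "unsupported" ] || { echo "unsupported scheme: $url" >&2; return 2; }
  tmp="$(mktemp "${dest}.XXXXXX")" || return 1
  if [ "$tool" = "aws-cli" ]; then
    # Assumption: credentials come from the instance profile (needs s3:GetObject).
    aws s3 cp --only-show-errors "$url" "$tmp"
  else
    # Same curl options as in the log; an anonymous GET still gets 403 on a private bucket.
    curl -f --compressed -Lo "$tmp" --connect-timeout 20 --retry 6 --retry-delay 10 "$url"
  fi || { rm -f "$tmp"; return 1; }
  if verify_sha256 "$tmp" "$expected"; then
    mv "$tmp" "$dest"
  else
    echo "hash mismatch for $url" >&2
    rm -f "$tmp"
    return 3
  fi
}
```
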
