kubernetes
diff --git a/‎docs/releases/1.34-NOTES.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/releases/1.34-NOTES.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎k8s/crds/kops.k8s.io_clusters.yaml‎
Lines changed: 6 additions & 0 deletions b/‎k8s/crds/kops.k8s.io_clusters.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎k8s/crds/kops.k8s.io_instancegroups.yaml‎
Lines changed: 6 additions & 0 deletions b/‎k8s/crds/kops.k8s.io_instancegroups.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎nodeup/pkg/model/crictl.go‎
Lines changed: 15 additions & 0 deletions b/‎nodeup/pkg/model/crictl.go‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎nodeup/pkg/model/nerdctl.go‎
Lines changed: 20 additions & 20 deletions b/‎nodeup/pkg/model/nerdctl.go‎
Lines changed: 20 additions & 20 deletions
diff --git a/‎pkg/apis/kops/containerdconfig.go‎
Lines changed: 4 additions & 0 deletions b/‎pkg/apis/kops/containerdconfig.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎pkg/apis/kops/v1alpha2/containerdconfig.go‎
Lines changed: 4 additions & 0 deletions b/‎pkg/apis/kops/v1alpha2/containerdconfig.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎pkg/apis/kops/v1alpha2/zz_generated.conversion.go‎
Lines changed: 4 additions & 0 deletions b/‎pkg/apis/kops/v1alpha2/zz_generated.conversion.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎pkg/apis/kops/v1alpha3/containerdconfig.go‎
Lines changed: 4 additions & 0 deletions b/‎pkg/apis/kops/v1alpha3/containerdconfig.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎pkg/apis/kops/v1alpha3/zz_generated.conversion.go‎
Lines changed: 4 additions & 0 deletions b/‎pkg/apis/kops/v1alpha3/zz_generated.conversion.go‎
Lines changed: 4 additions & 0 deletions
@@ -7,6 +7,7 @@ This is a document to gather the release notes prior to the release.
 # Significant changes
 
 * Default SSH key is now `~/.ssh/id_ed25519.pub`, instead of the less secure `~/.ssh/id_rsa.pub`.
+* `crictl` and `nerdctl` are now only installed on demand, by setting `spec.containerd.installCriCtl=true` and `spec.containerd.installNerdCtl=true`.
 
 ## Some Feature
 
 
@@ -897,6 +897,12 @@ spec:
                     description: ConfigOverride is the complete containerd config
                       file provided by the user.
                     type: string
+                  installCriCtl:
+                    description: InstallCriCtl installs crictl (default "false").
+                    type: boolean
+                  installNerdCtl:
+                    description: InstallNerdCtl installs nerdctl (default "false").
+                    type: boolean
                   logLevel:
                     description: LogLevel controls the logging details [trace, debug,
                       info, warn, error, fatal, panic] (default "info").
 
@@ -133,6 +133,12 @@ spec:
                     description: ConfigOverride is the complete containerd config
                       file provided by the user.
                     type: string
+                  installCriCtl:
+                    description: InstallCriCtl installs crictl (default "false").
+                    type: boolean
+                  installNerdCtl:
+                    description: InstallNerdCtl installs nerdctl (default "false").
+                    type: boolean
                   logLevel:
                     description: LogLevel controls the logging details [trace, debug,
                       info, warn, error, fatal, panic] (default "info").
 
@@ -33,6 +33,11 @@ type CrictlBuilder struct {
 var _ fi.NodeupModelBuilder = &CrictlBuilder{}
 
 func (b *CrictlBuilder) Build(c *fi.NodeupModelBuilderContext) error {
+	if b.skipInstall() {
+		klog.V(8).Info("won't install crictl")
+		return nil
+	}
+
 	assets := b.Assets.FindMatches(regexp.MustCompile(`^crictl$`))
 	if len(assets) == 0 {
 		klog.Warning("unable to find any crictl binaries in assets")
@@ -65,3 +70,13 @@ func (b *CrictlBuilder) binaryPath() string {
 	}
 	return path
 }
+
+func (b *CrictlBuilder) skipInstall() bool {
+	containerd := b.NodeupConfig.ContainerdConfig
+
+	if containerd == nil {
+		return false
+	}
+
+	return containerd.SkipInstall && !containerd.InstallCriCtl
+}
@@ -18,6 +18,7 @@ package model
 
 import (
 	"path/filepath"
+	"regexp"
 
 	"k8s.io/klog/v2"
 	"k8s.io/kops/upup/pkg/fi"
@@ -33,24 +34,28 @@ var _ fi.NodeupModelBuilder = &NerdctlBuilder{}
 
 func (b *NerdctlBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 	if b.skipInstall() {
-		klog.Info("containerd.skipInstall is set to true; won't install nerdctl")
+		klog.V(8).Info("won't install nerdctl")
 		return nil
 	}
 
-	assetName := "nerdctl"
-	assetPath := ""
-	asset, err := b.Assets.Find(assetName, assetPath)
-	if err != nil {
-		klog.Warningf("unable to locate asset %q: %v", assetName, err)
+	assets := b.Assets.FindMatches(regexp.MustCompile(`^nerdctl$`))
+	if len(assets) == 0 {
+		klog.Warning("unable to find any nerdctl binaries in assets")
+		return nil
+	}
+	if len(assets) > 1 {
+		klog.Warning("multiple nerdctl binaries are found")
 		return nil
 	}
 
-	c.AddTask(&nodetasks.File{
-		Path:     b.nerdctlPath(),
-		Contents: asset,
-		Type:     nodetasks.FileType_File,
-		Mode:     s("0755"),
-	})
+	for k, v := range assets {
+		c.AddTask(&nodetasks.File{
+			Path:     filepath.Join(b.binaryPath(), k),
+			Contents: v,
+			Type:     nodetasks.FileType_File,
+			Mode:     s("0755"),
+		})
+	}
 
 	return nil
 }
@@ -64,19 +69,14 @@ func (b *NerdctlBuilder) binaryPath() string {
 		path = "/home/kubernetes/bin"
 	}
 	return path
-
-}
-
-func (b *NerdctlBuilder) nerdctlPath() string {
-	return filepath.Join(b.binaryPath(), "nerdctl")
 }
 
 func (b *NerdctlBuilder) skipInstall() bool {
-	d := b.NodeupConfig.ContainerdConfig
+	containerd := b.NodeupConfig.ContainerdConfig
 
-	if d == nil {
+	if containerd == nil {
 		return false
 	}
 
-	return d.SkipInstall
+	return containerd.SkipInstall && !containerd.InstallNerdCtl
 }
@@ -60,6 +60,10 @@ type ContainerdConfig struct {
 	NRI *NRIConfig `json:"nri,omitempty"`
 	// Enables Kubelet ECR Credential helper to pass credentials to containerd mirrors, to use ECR as a pull-through cache
 	UseECRCredentialsForMirrors bool `json:"useECRCredentialsForMirrors,omitempty"`
+	// InstallCriCtl installs crictl (default "false").
+	InstallCriCtl bool `json:"installCriCtl,omitempty"`
+	// InstallNerdCtl installs nerdctl (default "false").
+	InstallNerdCtl bool `json:"installNerdCtl,omitempty"`
 }
 
 type NRIConfig struct {
 
@@ -53,6 +53,10 @@ type ContainerdConfig struct {
 	NRI *NRIConfig `json:"nri,omitempty"`
 	// Enables Kubelet ECR Credential helper to pass credentials to containerd mirrors, to use ECR as a pull-through cache
 	UseECRCredentialsForMirrors bool `json:"useECRCredentialsForMirrors,omitempty"`
+	// InstallCriCtl installs crictl (default "false").
+	InstallCriCtl bool `json:"installCriCtl,omitempty"`
+	// InstallNerdCtl installs nerdctl (default "false").
+	InstallNerdCtl bool `json:"installNerdCtl,omitempty"`
 }
 
 type NRIConfig struct {
 
@@ -53,6 +53,10 @@ type ContainerdConfig struct {
 	NRI *NRIConfig `json:"nri,omitempty"`
 	// Enables Kubelet ECR Credential helper to pass credentials to containerd mirrors, to use ECR as a pull-through cache
 	UseECRCredentialsForMirrors bool `json:"useECRCredentialsForMirrors,omitempty"`
+	// InstallCriCtl installs crictl (default "false").
+	InstallCriCtl bool `json:"installCriCtl,omitempty"`
+	// InstallNerdCtl installs nerdctl (default "false").
+	InstallNerdCtl bool `json:"installNerdCtl,omitempty"`
 }
 
 type NRIConfig struct {