OCPBUGS-85519: Add Agent IRI credentials to global pull secret

[sadasu]

The IRI credentials were being added to /var/lib/kubelet/config.json which gave only kubelet the necessary credentials to pull images from the IRI registry.
Fix now adds the IRI credentials to the global pull secret so that other components like the MCO could also pull images from this internal registry.

- What I did

- How to verify it

- Description for the changelog

Summary by CodeRabbit

• New Features
  • Controller now syncs IRI registry credentials into the configured cluster-wide global pull secret and uses finer-grained event triggers to requeue only relevant changes.
• Bug Fixes
  • Avoids unnecessary updates by modifying the global pull secret only when its content actually changes.
• Behavior Change
  • Template rendering no longer injects IRI credentials at render time; it relies on the global pull secret.
• Tests
  • Tests updated to validate rendering when IRI credentials originate from the global pull secret.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@sadasu: This pull request references Jira Issue OCPBUGS-85519, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

The IRI credentials were being added to /var/lib/kubelet/config.json which gave only kubelet the necessary credentials to pull images from the IRI registry.
Fix now adds the IRI credentials to the global pull secret so that other components like the MCO could also pull images from this internal registry.

- What I did

- How to verify it

- Description for the changelog

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c9b624b9-4da9-4679-8fba-eff1f723a364

📥 Commits

Reviewing files that changed from the base of the PR and between 2c82ee0 and 28bb4db.

📒 Files selected for processing (1)

• pkg/controller/internalreleaseimage/internalreleaseimage_controller.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/controller/internalreleaseimage/internalreleaseimage_controller.go

---

Walkthrough

Exports IRI credential helpers; InternalReleaseImage controller now syncs IRI credentials into the configured global pull secret and refactors event/filter logic; template controller no longer merges at render time; tests updated to expect creds already present in the global pull secret.

Changes

IRI Credentials Migration to InternalReleaseImage Controller

Layer / File(s)	Summary
Export IRI secret helper functions pkg/controller/common/iri_secret_merger.go	ExtractIRICredentials and MergeIRIRegistryCredentialsIntoPullSecret are renamed from unexported to exported; callers in NewIRISecretMerger, NewIRISecretMergerFromObjects, and (*IRISecretMerger).Merge are updated to use the public names.
Add global pull secret syncing to InternalReleaseImage controller pkg/controller/internalreleaseimage/internalreleaseimage_controller.go	Controller gains a kubeClient field wired in the constructor. New syncGlobalPullSecret helper is called during syncInternalReleaseImage to fetch the configured global pull secret, validate its type, extract IRI credentials, merge them into the dockerconfigjson payload, and update the secret when changes are detected. Event handlers and ControllerConfig update handling now only requeue on relevant changes.
Remove IRI merging from template controller pkg/controller/template/template_controller.go	iriMerger field and its initialization are removed; runtime merge call and error path in syncControllerConfig are eliminated. filterSecret is updated to watch the IRI auth secret and the ControllerConfig-specified pull secret.
Update template controller tests pkg/controller/template/template_controller_test.go	Removed the old merge-at-render test and added TestRendersIRIRegistryCredentialsFromGlobalPullSecret, which supplies a global pull secret containing IRI auth entries and verifies the rendered kubelet config preserves all expected hosts and base64 auth values. Unused imports removed.

Sequence Diagram(s)

sequenceDiagram
  participant InternalReleaseImageController
  participant KubeAPI
  participant GlobalPullSecret
  participant IRIAuthSecret
  InternalReleaseImageController->>KubeAPI: Get ControllerConfig (resolve pullSecret ref)
  InternalReleaseImageController->>KubeAPI: Get GlobalPullSecret
  InternalReleaseImageController->>KubeAPI: Get IRIAuthSecret
  InternalReleaseImageController->>InternalReleaseImageController: ExtractIRICredentials(IRIAuthSecret, ControllerConfig)
  InternalReleaseImageController->>InternalReleaseImageController: MergeIRIRegistryCredentialsIntoPullSecret(GlobalPullSecret.data, password, baseDomain)
  InternalReleaseImageController->>KubeAPI: Update GlobalPullSecret (if changed)

Loading

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels: lgtm, verified

Suggested reviewers:

• dkhater-redhat

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 errors)

Check name	Status	Explanation	Resolution
No-Weak-Crypto	❌ Error	Non-constant-time string comparison of base64-encoded credentials in pullSecretHasAuth using == operator instead of crypto/subtle.	Replace e["auth"] == expected with subtle.ConstantTimeCompare([]byte(e["auth"].(string)), []byte(expected)) == 1 and import crypto/subtle.
No-Sensitive-Data-In-Logs	❌ Error	PR adds 3 logging statements that log entire Secret objects with %v, exposing all sensitive data fields including passwords and credentials in debug logs.	Replace logging Secret objects with %v formatter with logging only metadata (namespace/name) to prevent credential exposure in logs.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding Agent IRI credentials to the global pull secret.
Docstring Coverage	✅ Passed	Docstring coverage is 87.50% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test functions use stable, deterministic names with no dynamic information. No Ginkgo patterns found; only standard Go tests with descriptive static names.
Test Structure And Quality	✅ Passed	Test meets all quality criteria: single responsibility, proper fixture-based setup/cleanup, appropriate timeouts, descriptive assertions, and follows existing Go test patterns.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests were added in this PR. The test changes are limited to traditional Go unit tests in template_controller_test.go, which are outside the scope of this MicroShift compatibility check.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. PR changes are limited to controller code and standard Go unit tests; SNO compatibility check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR manages credentials/configuration only. No scheduling constraints (affinity, topology spread, nodeSelector, replicas, PDB) or deployment manifests are introduced. Topology-agnostic.
Ote Binary Stdout Contract	✅ Passed	PR modifies only controller methods and test code; no process-level functions (main/init/TestMain/BeforeSuite/etc.) with stdout writes were introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds no new Ginkgo e2e tests. The changes are controller implementations and standard Go unit tests, not Ginkgo e2e tests, so the IPv6/disconnected network compatibility check does not apply.
Container-Privileges	✅ Passed	PR only modifies Go controller code. No container privilege flags found in any Kubernetes manifests, YAML, or security configurations.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sadasu
Once this PR has been reviewed and has the lgtm label, please assign yuqi-zhang for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@sadasu: This pull request references Jira Issue OCPBUGS-85519, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

The IRI credentials were being added to /var/lib/kubelet/config.json which gave only kubelet the necessary credentials to pull images from the IRI registry.
Fix now adds the IRI credentials to the global pull secret so that other components like the MCO could also pull images from this internal registry.

- What I did

- How to verify it

- Description for the changelog

Summary by CodeRabbit

• Bug Fixes
• Improved IRI registry credential management by syncing credentials to the global pull secret earlier in the process, ensuring credentials are available when needed for configuration rendering.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/internalreleaseimage/internalreleaseimage_controller.go`:
- Around line 414-417: The reconcile only calls syncGlobalPullSecret but the
controller doesn't requeue on all resources that can stale the global pull
secret; update the controller's watches (SetupWithManager / Setup) so Reconcile
is triggered when the cluster pull secret (the Kubernetes Secret used as the
global pull secret) is created/updated/deleted, when ControllerConfig changes
(spec.pullSecret and spec.dns.baseDomain), and when any resource that can rotate
credentials (e.g., DockerRegistryKey) changes in addition to the existing
IRI-owned secrets. Concretely: add a watch for the cluster/global pull Secret
(by name/namespace or label) to enqueue affected InternalReleaseImage objects,
add a watch on ControllerConfig and filter to requeue when Spec.PullSecret or
Spec.DNS.BaseDomain changes, and ensure DockerRegistryKey and the two IRI-owned
secret watches remain; keep syncGlobalPullSecret as-is and rely on these
additional watches to ensure it runs whenever the global pull secret can become
stale.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0a3af203-7768-4e8d-b9bc-30a62398657d

📥 Commits

Reviewing files that changed from the base of the PR and between 75c3b83 and 21b8d9e.

📒 Files selected for processing (4)

• pkg/controller/common/iri_secret_merger.go
• pkg/controller/internalreleaseimage/internalreleaseimage_controller.go
• pkg/controller/template/template_controller.go
• pkg/controller/template/template_controller_test.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/template/template_controller.go`:
- Around line 584-586: The Secret filter currently hard-codes the name
"pull-secret" so changes to a differently named global pull secret won't
re-enqueue the template controller; update filterSecret to compare the incoming
Secret's name against the configured value from ControllerConfig.Spec.PullSecret
(accessed via the controller's config instance, e.g., c.config.Spec.PullSecret
or controllerConfig variable) and namespace as appropriate, falling back to
"pull-secret" only if Spec.PullSecret is empty; ensure you reference the
controller's config in filterSecret (filterSecret,
ControllerConfig.Spec.PullSecret) so the watch reacts to the actual configured
secret name.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: eed7f0d9-2394-4efe-ac5d-d3d662b75431

📥 Commits

Reviewing files that changed from the base of the PR and between 21b8d9e and a2a957e.

📒 Files selected for processing (4)

• pkg/controller/common/iri_secret_merger.go
• pkg/controller/internalreleaseimage/internalreleaseimage_controller.go
• pkg/controller/template/template_controller.go
• pkg/controller/template/template_controller_test.go

[sadasu]

/retest-required

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/internalreleaseimage/internalreleaseimage_controller.go`:
- Around line 318-324: The deleteSecret handler does a direct type assertion on
the incoming obj which can be a cache.DeletedFinalStateUnknown tombstone and
will panic; update deleteSecret to detect if obj is a
cache.DeletedFinalStateUnknown, extract the actual Secret from tombstone.Obj (or
fall back when the cast fails), then proceed to call ctrl.filterSecret(secret)
and ctrl.queue.Add(ctrlcommon.InternalReleaseImageInstanceName) as before;
reference the deleteSecret function and reuse the existing filterSecret method
and ctrl.queue.Add call so behavior matches other delete handlers like
deleteInternalReleaseImage.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 82ffd110-9096-496f-a2e8-260a8d8c61f5

📥 Commits

Reviewing files that changed from the base of the PR and between a2a957e and 3efb3e1.

📒 Files selected for processing (4)

• pkg/controller/common/iri_secret_merger.go
• pkg/controller/internalreleaseimage/internalreleaseimage_controller.go
• pkg/controller/template/template_controller.go
• pkg/controller/template/template_controller_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/controller/template/template_controller_test.go
• pkg/controller/common/iri_secret_merger.go

[sadasu]

/retest-required

[sadasu]

/verified with help from @bfournie.

The global pull secret on both the master and worker had contained the IRI credentials.

[openshift-ci-robot]

@sadasu: The /verified command must be used with one of the following actions: by, later, remove, or bypass. See https://docs.ci.openshift.org/docs/architecture/jira/#premerge-verification for more information.

Details

In response to this:

/verified with help from @bfournie.

The global pull secret on both the master and worker had contained the IRI credentials.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sadasu]

/verified by @bfournie.

The global pull secret on both the master and worker contain the IRI credentials after this fix.

[openshift-ci-robot]

@sadasu: This PR has been marked as verified by @bfournie..

Details

In response to this:

/verified by @bfournie.

The global pull secret on both the master and worker contain the IRI credentials after this fix.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sadasu]

/retest-required

[andfasano]

/test ?

[andfasano]

/test e2e-agent-compact-ipv4-iso-no-registry

Better to get a green run on this job for this PR

[andfasano]

nit: (not blocking) this looks like a little bit too over-engineered. I do not expect a lot of updates on the (singleton) controller config resource (a simpler but less complicated code here could work as well very likely)

[andfasano]

Is there really a chance to have a different name for the global pull-secret? If not I'd prefer to remove this code and use a simpler check by name

[andfasano]

I think this design has been already discarded previously (see this thread) due the regeneration.
To avoid that @rwsu implemented the current approach (modify directly /var/lib/kubelet/config.json) which does not work as we discussed.
So the merge should happen directly in the point of the code where the global pull-secret is rendered (template controller)

[openshift-ci]

@sadasu: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.