Add per-host OCI registry authentication for provisioning images

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: mabulgu <mabulgu@gmail.com>

Author: mabulgu

apis/metal3.io/v1alpha1/baremetalhost_types.go

@@ -648,14 +648,24 @@ type Image struct {
 	// be live-booted and not deployed to disk.
 	// +kubebuilder:validation:Enum=raw;qcow2;vdi;vmdk;live-iso
 	DiskFormat *string `json:"format,omitempty"`
+
+	// OCIAuthSecretName optionally names a Docker-config secret containing
+	// registry credentials for oci:// images. Must be in the same namespace
+	// as the BareMetalHost. Allowed types: kubernetes.io/dockerconfigjson|dockercfg.
+	// Only used when Image.URL has the oci:// scheme.
+	OCIAuthSecretName *string `json:"ociAuthSecretName,omitempty"`
 }
 
 func (image *Image) IsLiveISO() bool {
 	return image != nil && image.DiskFormat != nil && *image.DiskFormat == "live-iso"
 }
 
+// IsOCI returns true if the image URL uses the OCI scheme (oci://).
 func (image *Image) IsOCI() bool {
-	return image != nil && strings.HasPrefix(image.URL, "oci://")
+	if image == nil || image.URL == "" {
+		return false
+	}
+	return strings.HasPrefix(strings.ToLower(image.URL), "oci://")
 }
 
 // Custom deploy is a description of a customized deploy process.

apis/metal3.io/v1alpha1/zz_generated.deepcopy.go

@@ -291,6 +291,13 @@ spec:
                     - vmdk
                     - live-iso
                     type: string
+                  ociAuthSecretName:
+                    description: |-
+                      OCIAuthSecretName optionally names a Docker-config secret containing
+                      registry credentials for oci:// images. Must be in the same namespace
+                      as the BareMetalHost. Allowed types: kubernetes.io/dockerconfigjson|dockercfg.
+                      Only used when Image.URL has the oci:// scheme.
+                    type: string
                   url:
                     description: URL is a location of an image to deploy.
                     type: string
@@ -1092,6 +1099,13 @@ spec:
                         - vmdk
                         - live-iso
                         type: string
+                      ociAuthSecretName:
+                        description: |-
+                          OCIAuthSecretName optionally names a Docker-config secret containing
+                          registry credentials for oci:// images. Must be in the same namespace
+                          as the BareMetalHost. Allowed types: kubernetes.io/dockerconfigjson|dockercfg.
+                          Only used when Image.URL has the oci:// scheme.
+                        type: string
                       url:
                         description: URL is a location of an image to deploy.
                         type: string

config/base/crds/bases/metal3.io_baremetalhosts.yaml

@@ -184,6 +184,13 @@ spec:
                     - vmdk
                     - live-iso
                     type: string
+                  ociAuthSecretName:
+                    description: |-
+                      OCIAuthSecretName optionally names a Docker-config secret containing
+                      registry credentials for oci:// images. Must be in the same namespace
+                      as the BareMetalHost. Allowed types: kubernetes.io/dockerconfigjson|dockercfg.
+                      Only used when Image.URL has the oci:// scheme.
+                    type: string
                   url:
                     description: URL is a location of an image to deploy.
                     type: string

config/base/crds/bases/metal3.io_hostclaims.yaml

@@ -291,6 +291,13 @@ spec:
                     - vmdk
                     - live-iso
                     type: string
+                  ociAuthSecretName:
+                    description: |-
+                      OCIAuthSecretName optionally names a Docker-config secret containing
+                      registry credentials for oci:// images. Must be in the same namespace
+                      as the BareMetalHost. Allowed types: kubernetes.io/dockerconfigjson|dockercfg.
+                      Only used when Image.URL has the oci:// scheme.
+                    type: string
                   url:
                     description: URL is a location of an image to deploy.
                     type: string
@@ -1092,6 +1099,13 @@ spec:
                         - vmdk
                         - live-iso
                         type: string
+                      ociAuthSecretName:
+                        description: |-
+                          OCIAuthSecretName optionally names a Docker-config secret containing
+                          registry credentials for oci:// images. Must be in the same namespace
+                          as the BareMetalHost. Allowed types: kubernetes.io/dockerconfigjson|dockercfg.
+                          Only used when Image.URL has the oci:// scheme.
+                        type: string
                       url:
                         description: URL is a location of an image to deploy.
                         type: string
@@ -2041,6 +2055,13 @@ spec:
                     - vmdk
                     - live-iso
                     type: string
+                  ociAuthSecretName:
+                    description: |-
+                      OCIAuthSecretName optionally names a Docker-config secret containing
+                      registry credentials for oci:// images. Must be in the same namespace
+                      as the BareMetalHost. Allowed types: kubernetes.io/dockerconfigjson|dockercfg.
+                      Only used when Image.URL has the oci:// scheme.
+                    type: string
                   url:
                     description: URL is a location of an image to deploy.
                     type: string

config/render/capm3.yaml

@@ -3,6 +3,7 @@ module github.com/metal3-io/baremetal-operator
 go 1.25.0
 
 require (
+	github.com/cpuguy83/dockercfg v0.3.2
 	github.com/go-logr/logr v1.4.3
 	github.com/google/safetext v0.0.0-20230106111101-7156a760e523
 	github.com/google/uuid v1.6.0

go.mod

@@ -12,6 +12,8 @@ github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1x
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA=
+github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

go.sum

@@ -39,6 +39,7 @@ import (
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/cluster-api/util/conditions"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -66,6 +67,7 @@ type BareMetalHostReconciler struct {
 	Log                logr.Logger
 	ProvisionerFactory provisioner.Factory
 	APIReader          client.Reader
+	Recorder           record.EventRecorder
 }
 
 // Instead of passing a zillion arguments to the action of a phase,
@@ -1321,13 +1323,20 @@ func (r *BareMetalHostReconciler) actionProvisioning(ctx context.Context, prov p
 		image = *info.host.Spec.Image.DeepCopy()
 	}
 
+	// Extract OCI auth secret credentials if needed
+	authSecret, err := r.getImageAuthSecret(ctx, info.host, &image)
+	if err != nil {
+		return recordActionFailure(info, metal3api.ProvisioningError, err.Error())
+	}
+
 	provResult, err := prov.Provision(ctx, provisioner.ProvisionData{
 		Image:           image,
 		CustomDeploy:    info.host.Spec.CustomDeploy.DeepCopy(),
 		HostConfig:      hostConf,
 		BootMode:        info.host.Status.Provisioning.BootMode,
 		HardwareProfile: hwProf,
 		RootDeviceHints: info.host.Status.Provisioning.RootDeviceHints.DeepCopy(),
+		ImagePullSecret: authSecret,
 	}, forceReboot)
 	if err != nil {
 		return actionError{fmt.Errorf("failed to provision: %w", err)}
@@ -2407,6 +2416,23 @@ func (r *BareMetalHostReconciler) getBMCSecretAndSetOwner(ctx context.Context, r
 	return bmcCredsSecret, nil
 }
 
+// getImageAuthSecret validates and extracts the OCI registry credentials for the image.
+// It returns the base64-encoded credentials in the format expected by Ironic, or an empty
+// string if no auth secret is configured.
+func (r *BareMetalHostReconciler) getImageAuthSecret(ctx context.Context, host *metal3api.BareMetalHost, image *metal3api.Image) (string, error) {
+	if image == nil || !image.IsOCI() {
+		return "", nil
+	}
+
+	if image.OCIAuthSecretName == nil || *image.OCIAuthSecretName == "" {
+		return "", nil
+	}
+
+	secretManager := r.secretManager(ctx, r.Log)
+	validator := NewImageAuthValidator(r.Recorder)
+	return validator.Validate(ctx, host, secretManager)
+}
+
 func credentialsFromSecret(bmcCredsSecret *corev1.Secret) *bmc.Credentials {
 	// We trim surrounding whitespace because those characters are
 	// unlikely to be part of the username or password and it is
@@ -2492,6 +2518,8 @@ func (r *BareMetalHostReconciler) updateEventHandler(e event.UpdateEvent) bool {
 
 // SetupWithManager registers the reconciler to be run by the manager.
 func (r *BareMetalHostReconciler) SetupWithManager(mgr ctrl.Manager, preprovImgEnable bool, maxConcurrentReconcile int) error {
+	r.Recorder = mgr.GetEventRecorderFor("baremetalhost-controller")
+
 	controller := ctrl.NewControllerManagedBy(mgr).
 		For(&metal3api.BareMetalHost{}).
 		WithEventFilter(

internal/controller/metal3.io/baremetalhost_controller.go

@@ -0,0 +1,77 @@
+package controllers
+
+import (
+	"context"
+	"fmt"
+
+	metal3api "github.com/metal3-io/baremetal-operator/apis/metal3.io/v1alpha1"
+	"github.com/metal3-io/baremetal-operator/pkg/secretutils"
+	corev1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
+)
+
+const (
+	// Events.
+	EventAuthSecretIrrelevant  = "ImageAuthIrrelevant"
+	EventAuthFormatUnsupported = "ImageAuthFormatUnsupported"
+	EventAuthParseError        = "ImageAuthParseError"
+)
+
+// ImageAuthValidator validates image authentication secrets.
+type ImageAuthValidator struct {
+	recorder record.EventRecorder
+}
+
+// NewImageAuthValidator creates a new ImageAuthValidator.
+func NewImageAuthValidator(recorder record.EventRecorder) *ImageAuthValidator {
+	return &ImageAuthValidator{recorder: recorder}
+}
+
+// Validate validates the image authentication secret for the given BMH and
+// returns the base64-encoded credentials in the format expected by Ironic.
+// Callers must ensure bmh.Spec.Image and OCIAuthSecretName are non-nil
+// (getImageAuthSecret already performs these checks).
+func (v *ImageAuthValidator) Validate(ctx context.Context, bmh *metal3api.BareMetalHost, secretMgr secretutils.SecretManager) (string, error) {
+	img := bmh.Spec.Image
+	ociRelevant := img.IsOCI()
+	secretName := *img.OCIAuthSecretName
+
+	if !ociRelevant {
+		if v.recorder != nil {
+			v.recorder.Eventf(bmh, corev1.EventTypeWarning, EventAuthSecretIrrelevant,
+				"ociAuthSecretName=%q is set but image URL is not oci:// (%s)", secretName, img.URL)
+		}
+		return "", nil
+	}
+
+	key := types.NamespacedName{Namespace: bmh.Namespace, Name: secretName}
+	sec, err := secretMgr.ObtainSecret(ctx, key)
+	if err != nil {
+		if k8serrors.IsNotFound(err) {
+			return "", fmt.Errorf("auth secret %q not found in namespace %q", secretName, bmh.Namespace)
+		}
+		return "", err
+	}
+
+	if sec.Type != corev1.SecretTypeDockerConfigJson && sec.Type != corev1.SecretTypeDockercfg {
+		if v.recorder != nil {
+			v.recorder.Eventf(bmh, corev1.EventTypeWarning, EventAuthFormatUnsupported,
+				"Secret %q has unsupported type %q", secretName, sec.Type)
+		}
+		return "", fmt.Errorf("secret %q has unsupported type %q (expected %s or %s)",
+			secretName, sec.Type, corev1.SecretTypeDockerConfigJson, corev1.SecretTypeDockercfg)
+	}
+
+	credentials, err := secretutils.ExtractRegistryCredentials(sec, img.URL)
+	if err != nil {
+		if v.recorder != nil {
+			v.recorder.Eventf(bmh, corev1.EventTypeWarning, EventAuthParseError,
+				"Failed to extract credentials from secret %q: %v", secretName, err)
+		}
+		return "", fmt.Errorf("failed to extract credentials from secret %q: %w", secretName, err)
+	}
+
+	return credentials, nil
+}

internal/controller/metal3.io/image_auth_validator.go

@@ -84,7 +84,7 @@ func sanitisedValue(data any) any {
 
 	for _, k := range value.MapKeys() {
 		safeDatumValue := value.MapIndex(k)
-		if strings.Contains(k.String(), "password") {
+		if strings.Contains(k.String(), "password") || strings.Contains(k.String(), "secret") {
 			safeDatumValue = reflect.ValueOf("<redacted>")
 		}
 		safeValue.SetMapIndex(k, safeDatumValue)
@@ -93,19 +93,31 @@ func sanitisedValue(data any) any {
 	return safeValue.Interface()
 }
 
+func isSensitiveOption(name string) bool {
+	return strings.Contains(name, "password") || strings.Contains(name, "secret")
+}
+
 func getUpdateOperation(name string, currentData map[string]any, desiredValue any, path string, log logr.Logger) *nodes.UpdateOperation {
 	current, present := currentData[name]
 
 	desiredValue = deref(desiredValue)
 	if desiredValue != nil {
 		if !(present && optionValueEqual(deref(current), desiredValue)) {
+			logValue := sanitisedValue(desiredValue)
+			if isSensitiveOption(name) {
+				logValue = "<redacted>"
+			}
 			if present {
+				oldLogValue := sanitisedValue(current)
+				if isSensitiveOption(name) {
+					oldLogValue = "<redacted>"
+				}
 				log.Info("updating option data",
-					"value", sanitisedValue(desiredValue),
-					"oldValue", current)
+					"value", logValue,
+					"oldValue", oldLogValue)
 			} else {
 				log.Info("adding option data",
-					"value", sanitisedValue(desiredValue))
+					"value", logValue)
 			}
 			return &nodes.UpdateOperation{
 				Op:    nodes.AddOp, // Add also does replace