Add tests for credential redaction and OCI ImagePullSecret provisioning

- Add image_pull_secret to sanitisedValue test coverage
- Add OCI provisioning tests with and without ImagePullSecret

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: mabulgu <mabulgu@gmail.com>

Author: mabulgu

pkg/provisioner/ironic/clients/updateopts_test.go

@@ -463,14 +463,16 @@ func TestSanitisedValue(t *testing.T) {
 	}
 
 	unsafe := map[string]any{
-		"foo":           "bar",
-		"password":      "secret",
-		"ipmi_password": "secret",
+		"foo":                "bar",
+		"password":           "secret",
+		"ipmi_password":      "secret",
+		"image_pull_secret":  "dXNlcjpwYXNz",
 	}
 	safe := map[string]any{
-		"foo":           "bar",
-		"password":      "<redacted>",
-		"ipmi_password": "<redacted>",
+		"foo":                "bar",
+		"password":           "<redacted>",
+		"ipmi_password":      "<redacted>",
+		"image_pull_secret":  "<redacted>",
 	}
 	assert.Exactly(t, safe, sanitisedValue(unsafe))
 }

pkg/provisioner/ironic/provision_test.go

@@ -1607,6 +1607,97 @@ func TestGetUpdateOptsForNodeSecureBoot(t *testing.T) {
 	}
 }
 
+func TestGetUpdateOptsForNodeOCIWithPullSecret(t *testing.T) {
+	eventPublisher := func(reason, message string) {}
+	auth := clients.AuthConfig{Type: clients.NoAuth}
+
+	host := makeHost()
+	host.Spec.Image.URL = "oci://quay.io/test/image:latest"
+	host.Spec.Image.Checksum = ""
+	host.Spec.Image.ChecksumType = ""
+
+	prov, err := newProvisionerWithSettings(host, bmc.Credentials{}, eventPublisher, "https://ironic.test", auth)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ironicNode := &nodes.Node{}
+
+	provData := provisioner.ProvisionData{
+		Image:           *host.Spec.Image,
+		BootMode:        metal3api.DefaultBootMode,
+		ImagePullSecret: "dXNlcjpwYXNz",
+	}
+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
+
+	t.Logf("patches: %v", patches)
+
+	expected := []struct {
+		Path  string
+		Value any
+	}{
+		{
+			Path:  "/instance_info/image_source",
+			Value: "oci://quay.io/test/image:latest",
+		},
+		{
+			Path:  "/instance_info/image_pull_secret",
+			Value: "dXNlcjpwYXNz",
+		},
+	}
+
+	for _, e := range expected {
+		t.Run(e.Path, func(t *testing.T) {
+			var update nodes.UpdateOperation
+			for _, patch := range patches {
+				u, ok := patch.(nodes.UpdateOperation)
+				require.True(t, ok, "expected patch to be UpdateOperation")
+				if u.Path == e.Path {
+					update = u
+					break
+				}
+			}
+			if update.Path != e.Path {
+				t.Errorf("did not find %q in updates", e.Path)
+				return
+			}
+			assert.Equal(t, e.Value, update.Value, "%s does not match", e.Path)
+		})
+	}
+}
+
+func TestGetUpdateOptsForNodeOCIWithoutPullSecret(t *testing.T) {
+	eventPublisher := func(reason, message string) {}
+	auth := clients.AuthConfig{Type: clients.NoAuth}
+
+	host := makeHost()
+	host.Spec.Image.URL = "oci://quay.io/test/image:latest"
+	host.Spec.Image.Checksum = ""
+	host.Spec.Image.ChecksumType = ""
+
+	prov, err := newProvisionerWithSettings(host, bmc.Credentials{}, eventPublisher, "https://ironic.test", auth)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ironicNode := &nodes.Node{}
+
+	provData := provisioner.ProvisionData{
+		Image:    *host.Spec.Image,
+		BootMode: metal3api.DefaultBootMode,
+	}
+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
+
+	t.Logf("patches: %v", patches)
+
+	for _, patch := range patches {
+		update, ok := patch.(nodes.UpdateOperation)
+		require.True(t, ok, "expected patch to be UpdateOperation")
+		if update.Path == "/instance_info/image_pull_secret" {
+			assert.Nil(t, update.Value, "image_pull_secret should be nil when no secret is provided")
+			return
+		}
+	}
+}
+
 func TestBuildCleanStepsForUpdateFirmware(t *testing.T) {
 	nodeUUID := "eec38659-4c68-7431-9535-d10766f07a58"
 	cases := []struct {