✨ Accept per-host pull secrets for external OCI registries by mabulgu · Pull Request #2745 · metal3-io/baremetal-operator

mabulgu · 2025-10-22T10:51:58Z

What this PR does / why we need it:

Adds per-host registry authentication for oci:// provisioning images.
New optional field on BareMetalHost:

spec:
  image:
    url: oci://<registry>/<repo>/<artifact>:<tag|digest>
    ociAuthSecretName: <k8s-secret-name>  # optional; same namespace as the BMH

When set, the controller validates the Kubernetes Docker-config secret (kubernetes.io/dockerconfigjson or kubernetes.io/dockercfg), selects the correct registry entry (supports exact host and host:port), and uses those credentials during provisioning so private OCI artefacts can be fetched on a per-host basis. Public images continue to work without credentials.
This removes a blocker for users who need different registries/accounts per machine.

Assisted-By: Claude-4.5-sonnet, Claude-opus-4.6

metal3-io-bot · 2025-10-22T10:52:12Z

Hi @mabulgu. Thanks for your PR.

I'm waiting for a metal3-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

dtantsur · 2025-10-27T09:51:45Z

/ok-to-test

MahnoorAsghar · 2025-10-27T16:50:46Z

It might be too much code to be squashing into one commit...what do we think?

tuminoid · 2025-10-28T10:29:57Z

It might be too much code to be squashing into one commit...what do we think?

10 is definitely not right either. One for implementation, one for tesrts, and one for docs? There is plenty of work left though, given the conditions need work per Dmitry's review.

mabulgu · 2025-11-03T11:07:02Z

Thanks for your comments!

@MahnoorAsghar > It might be too much code to be squashing into one commit...what do we think?

As soon as we itemize them and they are in the same context, I don't think so. I am going to remove everything related to conditions as they were like extra, but everything else share the same context and can be in the same squash commit IMO.

@tuminoid > One for implementation, one for tesrts, and one for docs

+1 for docs -1 for tests as tests are a part of the "implementation". Without tests, I would not count it as implemented.

What I will do is: seperating the code commit (which will have less changes than the current changes because of the condition revert) and the commit for docs.

tuminoid · 2025-11-03T11:42:46Z

Thanks for your comments!
@tuminoid > One for implementation, one for tesrts, and one for docs

+1 for docs -1 for tests as tests are a part of the "implementation". Without tests, I would not count it as implemented.

This is fine as well, but its quite common to implement tests in separate commit in same PR. Makes it maybe easier to manage, but like said, I'm 100% fine with code+tests in same commit.

tuminoid · 2025-11-09T16:38:48Z

/retest

mabulgu · 2025-11-11T15:23:04Z

@dtantsur I applied your suggestions. pls check when you have time. You will find the relevant commetns resolved but pls feel free to reopen them if you feel any of them are not implemented the way you suggested

mabulgu · 2025-11-12T09:05:50Z

Not sure if the e2e test filure is related to my changes as it seems to be related to the BMC management credentials

mabulgu · 2026-03-04T14:43:45Z

@mabulgu the linter failure looks real from a quick glance + a couple of minor comments

Thanks @dtantsur. I addressed the feedback + commented for one. Pls check when available.

tuminoid · 2026-03-18T09:58:30Z

This needs rebase due linter updates.
/hold

mabulgu · 2026-03-18T10:50:05Z

/retest

mabulgu · 2026-03-18T11:25:06Z

@tuminoid @dtantsur I will need an approval/lgtm for merging this along.

Copilot

Pull request overview

Copilot reviewed 15 out of 16 changed files in this pull request and generated 5 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

tuminoid

Please check Copilot nits.

I don't have other blockers, except the importing of basically unmaintained and not widely used dockercfg.

mabulgu · 2026-04-20T11:40:34Z

/retest

honza · 2026-04-20T14:27:13Z

/lgtm

Copilot

Pull request overview

Copilot reviewed 17 out of 18 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: mabulgu <mabulgu@gmail.com>

metal3-io-bot · 2026-04-22T11:54:10Z

New changes are detected. LGTM label has been removed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: mabulgu <mabulgu@gmail.com>

mabulgu · 2026-04-22T13:06:23Z

@honza can I get a re- /lgtm when you can, as I had to rebase this + got some copilot feedback via @tuminoid

metal3-io-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 22, 2025

metal3-io-bot requested review from iurygregory and zaneb October 22, 2025 10:52

metal3-io-bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Oct 22, 2025

metal3-io-bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Oct 22, 2025

mabulgu force-pushed the feature/bmo-per-host-oci-auth branch from 898fffc to 9594af2 Compare October 22, 2025 10:52

mabulgu marked this pull request as ready for review October 27, 2025 09:48

mabulgu changed the title ~~[WIP] ✨ Accept per-host pull secrets for customer OCI registries~~ ✨ Accept per-host pull secrets for customer OCI registries Oct 27, 2025

metal3-io-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 27, 2025

metal3-io-bot requested review from adilGhaffarDev and kashifest October 27, 2025 09:48

metal3-io-bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 27, 2025