[reproducer] Add task for overwriting pull secret

danpawlik · danpawlik · commit 6b479973f039 · 2026-04-08T09:57:01.000+02:00
The pull_secret.json might contain authentication to
necessary registries for CI job, that are not available during the
bootstrap process using PreMetal (earlier ZIronic).
diff --git a/reproducer.yml b/reproducer.yml
@@ -138,6 +138,13 @@
         name: reproducer
         tasks_from: overwrite_zuul_vars.yml
 
+    - name: Overwrite pull-secret.json and add missing registries
+      when:
+        - not cifmw_deploy_reproducer_env | default(true) | bool
+      ansible.builtin.include_role:
+        name: reproducer
+        tasks_from: overwrite_pull_secret.yml
+
     # NOTE(dpawlik): Since we use ZIronic, some variables are not
     # redirected to nested ansible execution - they needs to be
     # included on executing host - controller-0.
diff --git a/roles/reproducer/tasks/overwrite_pull_secret.yml b/roles/reproducer/tasks/overwrite_pull_secret.yml
@@ -0,0 +1,38 @@
+---
+# No log in that file are necessary and it should not use: cifmw_nolog var.
+- name: Slurp full pull-secret from secrets dir
+  ansible.builtin.slurp:
+    src: "{{ ansible_user_dir }}/secrets/pull_secret.json"
+  register: _full_pull_secret
+  no_log: true
+
+- name: Get current cluster pull-secret
+  kubernetes.core.k8s_info:
+    kubeconfig: "{{ cifmw_openshift_kubeconfig | default(ansible_user_dir ~ '/.kube/config') }}"
+    kind: Secret
+    name: pull-secret
+    namespace: openshift-config
+  register: _cluster_pull_secret
+  delegate_to: controller-0
+  no_log: true
+
+- name: Merge and update cluster pull-secret
+  vars:
+    _full_auths: "{{ (_full_pull_secret.content | b64decode | from_json).auths }}"
+    _cluster_auths: "{{ (_cluster_pull_secret.resources[0].data['.dockerconfigjson'] | b64decode | from_json).auths }}"
+    _merged:
+      auths: "{{ _cluster_auths | combine(_full_auths, recursive=true) }}"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ cifmw_openshift_kubeconfig | default(ansible_user_dir ~ '/.kube/config') }}"
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: pull-secret
+        namespace: openshift-config
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: "{{ _merged | to_json | b64encode }}"
+  delegate_to: controller-0
+  no_log: true
