Red Hat OpenShift Control Planes: CNTRLPLANE-1707

Backport Customer Global Pull Secret to OpenShift 4.18.z, 4.19.z, and 4.20.z for Managed Services


    • Type: Epic
    • Resolution: Unresolved
    • Priority: Critical
    • HyperShift / ROSA
    • OCPSTRAT-2557 Backport Customer global pull secret in HCP to OpenShift 4.18 for Managed OpenShift
    • 100% To Do, 0% In Progress, 0% Done

      Epic Goal

      Backport the Customer Global Pull Secret feature to OpenShift 4.18.z, 4.19.z, and 4.20.z releases to enable Managed OpenShift customers (ROSA, ARO) to self-service their global pull secrets without SRE intervention.

      Background

      This epic tracks the backport work for OCPSTRAT-2557 and the original feature work from OCPSTRAT-2426. The feature enables customers to append their own pull secrets to the cluster's global pull secret, which is critical for:

      • Private registry access (IBM registry, customer registries)
      • ODF internal mode deployments
      • Operator deployments requiring private registries
      • Ownership transfers and secret rotations

      Scope

      • Backport to OpenShift 4.18.z, 4.19.z, and 4.20.z
      • Platform support: ROSA (AWS)
      • Includes security enhancements for pull secret merge precedence logic
      • E2E test coverage for supported platforms

      Technical Implementation

      The backport includes:

      • Customer pull secret merge logic with proper precedence (Red Hat secrets always win)
      • Namespaced registry entry support
      • Platform detection for ROSA and ARO managed services
      • Security validations to prevent customer secrets from overriding Red Hat infrastructure secrets
      • Adapt to pre-CPOv2 release
      • E2E test coverage
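
The merge precedence described in the list above, sketched as an added example that is not HyperShift's own code. It assumes both secrets use the standard `.dockerconfigjson` layout and that a conflict means an identical `auths` key; `mergePullSecrets` and the sample secrets are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample secrets; registry names and credential strings are placeholders.
const samplePlatform = `{"auths":{"quay.io":{"auth":"platform-cred"},"registry.redhat.io":{"auth":"platform-cred"}}}`
const sampleCustomer = `{"auths":{"quay.io":{"auth":"customer-cred"},"quay.io/customer-org":{"auth":"customer-cred"},"registry.example.com":{"auth":"customer-cred"}}}`

// dockerConfig mirrors the .dockerconfigjson layout: registry key -> credential entry.
type dockerConfig struct {
	Auths map[string]json.RawMessage `json:"auths"`
}

// mergePullSecrets (hypothetical helper) keeps every platform entry and appends
// only customer entries whose key is absent from the platform secret. It returns
// the merged document and the sorted customer keys that were dropped.
func mergePullSecrets(platform, customer []byte) ([]byte, []string, error) {
	var p, c dockerConfig
	if err := json.Unmarshal(platform, &p); err != nil {
		return nil, nil, fmt.Errorf("platform pull secret: %w", err)
	}
	if err := json.Unmarshal(customer, &c); err != nil {
		return nil, nil, fmt.Errorf("customer pull secret: %w", err)
	}
	merged := dockerConfig{Auths: map[string]json.RawMessage{}}
	for k, v := range p.Auths {
		merged.Auths[k] = v
	}
	var dropped []string
	for k, v := range c.Auths {
		if _, owned := p.Auths[k]; owned {
			dropped = append(dropped, k) // platform entry wins on conflict
			continue
		}
		merged.Auths[k] = v // includes namespaced keys such as quay.io/customer-org
	}
	sort.Strings(dropped)
	out, err := json.Marshal(merged)
	return out, dropped, err
}

func main() {
	out, dropped, err := mergePullSecrets([]byte(samplePlatform), []byte(sampleCustomer))
	fmt.Println(string(out), dropped, err)
}
```

Returning the dropped keys lets the caller log or surface rejected customer entries instead of discarding them silently.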

      Deliverables

      • Backport PRs for each target release (4.18.z, 4.19.z, 4.20.z)
      • Cherry-pick of security enhancements from CNTRLPLANE-1398
      • Cherry-pick of ROSA enablement from CNTRLPLANE-1364
      • Updated E2E tests for each release
      • QE validation on target releases

              Assignee: Unassigned
              Reporter: Antoni Segura Puimedon (asegurap1@redhat.com)