Goal

Backport the Customer Global Pull Secret feature to OpenShift 4.20.z to enable Managed OpenShift customers (ROSA, ARO) to self-service their global pull secrets without SRE intervention.

Background

This story is part of CNTRLPLANE-1707 epic and OCPSTRAT-2557. The feature enables customers to append their own pull secrets to the cluster's global pull secret, which is critical for private registry access, ODF deployments, and operator installations requiring private registries.

Technical Details

Cherry-pick the following work to release-4.20 branch:

• Customer pull secret merge logic from CNTRLPLANE-1364 (ROSA enablement)
• Security enhancements from CNTRLPLANE-1398 (precedence logic)
• Platform detection for ROSA and ARO managed services
• E2E test coverage updates

The implementation ensures:

• Red Hat pull secret entries always take precedence over customer entries
• Namespaced registry entries are supported
• Customer secrets cannot override Red Hat infrastructure secrets
• Compatible with existing features (zero-egress, shared-VPC)

Acceptance Criteria

• All relevant commits successfully cherry-picked to release-4.20 branch
• E2E tests pass on 4.20.z
• Security precedence logic validated (Red Hat secrets always win)
• No regressions introduced in existing functionality
• QE validation completed
• Backport PR merged to release-4.20