Feature | Resolution: Unresolved | Critical | Product / Portfolio Work | 100% To Do, 0% In Progress, 0% Done
Feature Overview (aka. Goal Summary)
This is a backport request for OCPSTRAT-2426 to enable the Customer Global Pull Secret feature in Hosted Control Planes (HCP) for Managed OpenShift services (ROSA, ARO) starting from OpenShift 4.18.
In a Managed Service context, customers need to provide a cluster-wide pull secret to pull content from private registries (the IBM registry, internal registries, etc.). That pull secret must be kept separate from the pull secret managed by the service so that cluster functionality is not affected. This feature provides a mechanism for customers to place a pull secret in their cluster, which is then appended to the global pull secret.
Why is this backport critical?
This feature is required by multiple major enterprise customers across various strategic accounts.
Without this feature, customers must request SRE intervention to modify pull secrets, which:
- Creates operational overhead
- Exposes sensitive customer credentials to SRE teams
- Prevents customers from self-servicing critical infrastructure needs
- Blocks adoption of ODF and other operators requiring private registry access
Original Feature Context
The feature was originally implemented for OpenShift 4.21 in OCPSTRAT-2426. The scope has been narrowed to support only Managed OpenShift (ROSA, ARO) due to in-place upgrade challenges for self-managed deployments.
Key Capabilities
- Customers can *append* to the global pull secret without SRE intervention
- Customers can *rotate* existing secrets within the global pull secret
- Customers can remove only their own pull secret entries; they cannot remove or modify Red Hat's global pull secret
- Original pull secret entries always take precedence over user's pull secret entries
- Namespaced registry entries are supported to allow customers to use their own registry namespaces
- Compatible with existing features (zero-egress, shared-VPC, etc.)
- Supports integration with cloud provider secret managers (AWS Secrets Manager, Azure Key Vault, etc.)
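As an added illustration of the precedence rules listed above (example code, not HyperShift's or the feature's own implementation), this Go function merges a customer pull secret into the managed one: a registry key already present in the managed secret always wins, and customer entries, including namespaced keys, are appended. The secret contents and the `quay.io/acme` namespace are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// dockerConfig is the shape of a kubernetes.io/dockerconfigjson pull secret.
type dockerConfig struct {
	Auths map[string]json.RawMessage `json:"auths"`
}

// MergePullSecrets appends the customer's auth entries to the managed (Red Hat)
// pull secret. A registry key already present in the managed secret always wins,
// so a customer entry can never replace a managed credential. The second return
// value lists customer keys dropped because of such a conflict.
func MergePullSecrets(managed, customer []byte) ([]byte, []string, error) {
	var m, c dockerConfig
	if err := json.Unmarshal(managed, &m); err != nil {
		return nil, nil, fmt.Errorf("managed pull secret: %w", err)
	}
	if err := json.Unmarshal(customer, &c); err != nil {
		return nil, nil, fmt.Errorf("customer pull secret: %w", err)
	}
	merged := dockerConfig{Auths: make(map[string]json.RawMessage, len(m.Auths)+len(c.Auths))}
	for k, v := range m.Auths {
		merged.Auths[k] = v
	}
	var shadowed []string
	for k, v := range c.Auths {
		if _, exists := merged.Auths[k]; exists {
			shadowed = append(shadowed, k) // managed entry takes precedence
			continue
		}
		merged.Auths[k] = v // appended; namespaced keys such as "quay.io/acme" are kept as-is
	}
	sort.Strings(shadowed)
	out, err := json.Marshal(merged)
	return out, shadowed, err
}

func main() {
	// Constructed sample secrets (not real credentials): the customer tries to
	// override quay.io and adds a namespaced entry of its own.
	managed := []byte(`{"auths":{"quay.io":{"auth":"bWFuYWdlZA=="},"registry.redhat.io":{"auth":"bWFuYWdlZA=="}}}`)
	customer := []byte(`{"auths":{"quay.io":{"auth":"Y3VzdG9tZXI="},"quay.io/acme":{"auth":"Y3VzdG9tZXI="}}}`)
	out, shadowed, err := MergePullSecrets(managed, customer)
	fmt.Println(string(out), shadowed, err)
}
```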
Backport Scope
- Target versions: OpenShift 4.18.z, 4.19.z, and 4.20.z for Managed OpenShift only
- Platform support: ROSA (AWS), ARO (Azure)
- Includes security enhancements for pull secret merge precedence logic
- E2E test coverage for AWS platform
Related Work
- Original feature: OCPSTRAT-2426 (4.21)
- Customer request: ROSA-103
- Implementation stories: CNTRLPLANE-1364, CNTRLPLANE-1398, CNTRLPLANE-1020
- Documentation: OSDOCS-15964
Acceptance Criteria
- Feature works on ROSA HCP clusters running OpenShift 4.18.z, 4.19.z, and 4.20.z
- Security precedence logic ensures Red Hat pull secrets always take priority
- Integration with OCM for pull secret management
- E2E test coverage validates backported functionality
- Documentation updated for 4.18/4.19/4.20 versions
Depends on:
- OCPSTRAT-2426 Customer global pull secret in HCP for ROSA (In Progress)