OpenShift Container Platform (OCP) Strategy: OCPSTRAT-2853

Project-Scoped Image Pull Secrets for Mirrored Registries: GA 4.22


      Feature Overview (aka. Goal Summary)  

      This feature enables OpenShift users to leverage project-level imagePullSecrets for authenticating with mirrored image registries configured via ImageContentSourcePolicy (ICSP), ImageDigestMirrorSet (IDMS), and ImageTagMirrorSet (ITMS). This will enhance security by allowing granular access control to mirrored images within multi-tenant clusters, eliminating the need to expose sensitive credentials globally.

      Why is this important?

      The scenario outlined below shows how admins can create secrets for specific mirrors within a Kubernetes namespace. Users can then create workloads without caring about the mirror itself, even when the resolved registry requires authentication.

      Scenario

      1. Admin creates the mirror configuration using IDMS/ITMS/ICSP to map registry.local to mirror.local.
      2. Admin creates an image pull secret for mirror.local.
      3. User creates a pod that pulls an image from registry.local.
      4. Credential provider resolves auth data for mirror.local and provides it to the kubelet.
      5. CRI-O uses the credentials for mirror.local and pulls from that registry.
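
The manifests behind steps 1 to 3 of the scenario, as an added example that is not part of the original issue. The object names, the `team-a` namespace, and the bracketed credential and digest placeholders are constructed. How the credential provider finds the secret is not specified on this page, so the pod below does not reference it.

```yaml
# Step 1 (cluster admin): map registry.local to mirror.local for digest pulls.
apiVersion: config.openshift.io/v1
kind: ImageDigestMirrorSet
metadata:
  name: example-mirror            # constructed name
spec:
  imageDigestMirrors:
    - source: registry.local
      mirrors:
        - mirror.local
---
# Step 2 (admin): pull secret for mirror.local, held only in the tenant's
# namespace rather than in the cluster-wide pull secret.
apiVersion: v1
kind: Secret
metadata:
  name: mirror-local-pull         # constructed name
  namespace: team-a               # constructed namespace
type: kubernetes.io/dockerconfigjson
stringData:
  # Placeholder credential; replace with base64("user:password").
  .dockerconfigjson: |
    {"auths": {"mirror.local": {"auth": "<BASE64_USER_COLON_PASSWORD>"}}}
---
# Step 3 (user): the pod names only registry.local and knows nothing
# about the mirror. IDMS applies to pulls by digest, so the image is
# referenced by digest (placeholder shown).
apiVersion: v1
kind: Pod
metadata:
  name: app                       # constructed name
  namespace: team-a
spec:
  containers:
    - name: app
      image: registry.local/app@sha256:<IMAGE_DIGEST>
```

Because the secret lives in `team-a`, workloads in other namespaces get no access to the `mirror.local` credential, which is the multi-tenant isolation the feature overview describes.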

              gausingh@redhat.com Gaurav Singh
              gausingh@redhat.com Gaurav Singh
              Qi Wang, Sascha Grunert
              Mrunal Patel
              Aruna Naik
              Matthew Werner
              Derrick Ornelas