
no-jira: Fix registry authentication in ipi-conf-gcp-oidc-creds-deprovision step#78829

Open
barbacbd wants to merge 1 commit into openshift:main from barbacbd:fix-gcp-oidc-creds-deprovision


Conversation

barbacbd (Contributor) commented May 5, 2026

The step was failing with "unauthorized: authentication required" when extracting credentials requests from the CI registry. Added the standard authentication pattern (copy pull-secret, oc registry login, use --registry-config) that all other credential provision/deprovision steps use to authenticate to the registry before extracting release images.

Summary by CodeRabbit

  • Bug Fixes
    • Improved handling of pull secrets during credential extraction to make the process more robust.
    • Added automatic cleanup of temporary pull-secret copies to prevent leftover sensitive data.
  • Chores
    • Increased the deprovision step grace period to 10 minutes to reduce premature termination.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 5, 2026
openshift-ci-robot (Contributor) commented:

@barbacbd: This pull request explicitly references no jira issue.

In response to this:

The step was failing with "unauthorized: authentication required" when extracting credentials requests from the CI registry. Added the standard authentication pattern (copy pull-secret, oc registry login, use --registry-config) that all other credential provision/deprovision steps use to authenticate to the registry before extracting release images.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai Bot commented May 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1a8b0a9b-7584-489f-b9a8-1fcc76462309

📥 Commits

Reviewing files that changed from the base of the PR and between 390eedc and 3742315.

📒 Files selected for processing (2)
  • ci-operator/step-registry/ipi/conf/gcp/oidc-creds-deprovision/ipi-conf-gcp-oidc-creds-deprovision-commands.sh
  • ci-operator/step-registry/ipi/conf/gcp/oidc-creds-deprovision/ipi-conf-gcp-oidc-creds-deprovision-ref.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • ci-operator/step-registry/ipi/conf/gcp/oidc-creds-deprovision/ipi-conf-gcp-oidc-creds-deprovision-commands.sh

Walkthrough

A shell step now extracts GCP credentials-requests from RELEASE_IMAGE_LATEST_FROM_BUILD_FARM inside a temporary directory: it copies the cluster pull-secret there, runs oc registry login --to pull-secret, invokes oc adm release extract --registry-config pull-secret --credentials-requests, and traps EXIT to remove temp files.

Changes

Credential Extraction Workflow

Layer / File(s): Summary

Setup & Preparation (ci-operator/step-registry/ipi/conf/gcp/oidc-creds-deprovision/ipi-conf-gcp-oidc-creds-deprovision-commands.sh): creates a temporary directory with mktemp -d, changes into it with pushd, and defines a cleanup function registered via trap ... EXIT.
Local Pull-Secret Placement (same script): copies ${CLUSTER_PROFILE_DIR}/pull-secret into the temp directory for use as --registry-config.
Credential Authentication (same script): runs oc registry login --to pull-secret to populate credentials in the copied pull-secret.
Release Extraction (same script): replaces the prior direct extraction with oc adm release extract --credentials-requests --registry-config pull-secret --to=/tmp/credrequests targeting RELEASE_IMAGE_LATEST_FROM_BUILD_FARM.
Cleanup & Metadata (same script and ...-ref.yaml): cleanup removes the temp pull-secret, runs popd, and deletes the temp dir. The ref YAML adds grace_period: 10m. Whitespace in a comment was adjusted.
sequenceDiagram
  participant Script as Script (step script)
  participant FS as Filesystem
  participant Registry as oc registry
  participant Release as oc adm release

  Script->>FS: mktemp & pushd (create temp dir)
  Script->>FS: copy ${CLUSTER_PROFILE_DIR}/pull-secret -> temp/pull-secret
  Script->>Registry: oc registry login --to pull-secret
  Registry-->>Script: write auth into temp/pull-secret
  Script->>Release: oc adm release extract --registry-config pull-secret --credentials-requests --to=/tmp/credrequests RELEASE_IMAGE_LATEST_FROM_BUILD_FARM
  Release-->>FS: writes /tmp/credrequests
  Script->>FS: cleanup (remove pull-secret, popd, rmdir)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (11 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main fix: adding proper registry authentication to the ipi-conf-gcp-oidc-creds-deprovision step.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR modifies CI/CD step registry files (bash script and YAML config), not Ginkgo tests. Custom check for test naming is not applicable to non-test code.
Test Structure And Quality ✅ Passed The custom check for Ginkgo test code quality is not applicable. The PR modifies a shell script and YAML configuration file, not Ginkgo Go test code.
Microshift Test Compatibility ✅ Passed No Ginkgo e2e tests are added in this PR. The changes only modify CI step registry files (shell script and YAML config). The MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR modifies CI infrastructure scripts and YAML configuration files, not e2e test code. No Ginkgo tests are added, so the SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility ✅ Passed This PR modifies CI step-registry configurations and a shell script, not deployment manifests or operator code. No Kubernetes object definitions with scheduling constraints are introduced.
Ote Binary Stdout Contract ✅ Passed The OTE stdout contract check applies only to Go test binaries. This PR modifies shell scripts and YAML configuration files, not test code.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This PR does not add any Ginkgo e2e tests. The changes are limited to shell script and YAML configuration updates for a GCP credential deprovision CI step. The custom check is not applicable.



Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from dgoodwin and stbenjam May 5, 2026 12:40
openshift-ci Bot commented May 5, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: barbacbd
Once this PR has been reviewed and has the lgtm label, please assign jstuever for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/ipi/conf/gcp/oidc-creds-deprovision/ipi-conf-gcp-oidc-creds-deprovision-commands.sh`:
- Around line 30-36: The script can leave temporary files if a command fails and
should also quote CLUSTER_PROFILE_DIR; add a cleanup routine (e.g., a
trap-registered function) that removes the temporary directory and the copied
pull-secret and always runs on exit, replace unquoted ${CLUSTER_PROFILE_DIR}
with a quoted "${CLUSTER_PROFILE_DIR}" when copying pull-secret, and ensure
pushd/popd are balanced inside the trap so the temporary directory created with
dir=$(mktemp -d) is removed and no pull-secret remains on any exit path.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6abd9261-d64f-4fc2-9901-a0f7c28d375c

📥 Commits

Reviewing files that changed from the base of the PR and between 639f0af and 2545756.

📒 Files selected for processing (1)
  • ci-operator/step-registry/ipi/conf/gcp/oidc-creds-deprovision/ipi-conf-gcp-oidc-creds-deprovision-commands.sh

barbacbd (Contributor, Author) commented May 5, 2026

This was originally observed here. The problem was in the ipi-conf-gcp-oidc-creds-deprovision step. We could see the error

error: unable to read image <registry>: unauthorized: authentication required

This was causing the service accounts for OIDC steps to be leaked.

barbacbd (Contributor, Author) commented May 5, 2026

/cc @patrickdillon
/cc @tthvo

@openshift-ci openshift-ci Bot requested review from patrickdillon and tthvo May 5, 2026 12:48
@barbacbd barbacbd force-pushed the fix-gcp-oidc-creds-deprovision branch from 2545756 to 390eedc Compare May 5, 2026 12:53
openshift-merge-bot (Contributor) commented:

@barbacbd, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

could not determine changed registry steps: could not load step registry: test `ipi-conf-gcp-oidc-creds-deprovision` has `commands` containing `trap` command, but test step is missing grace_period
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

tthvo (Member) commented May 5, 2026

/retest-required

The step was failing with "unauthorized: authentication required" when
extracting credentials requests from the CI registry. Added the standard
authentication pattern (copy pull-secret, oc registry login, use
--registry-config) that all other credential provision/deprovision steps
use to authenticate to the registry before extracting release images.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@barbacbd barbacbd force-pushed the fix-gcp-oidc-creds-deprovision branch from 390eedc to 3742315 Compare May 5, 2026 16:07
barbacbd (Contributor, Author) commented May 5, 2026

/retest-required

barbacbd (Contributor, Author) commented May 5, 2026

/pj-rehearse test

openshift-merge-bot (Contributor) commented:

@barbacbd: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

barbacbd (Contributor, Author) commented May 5, 2026

/test ?

openshift-ci Bot commented May 5, 2026

@barbacbd: The following commands are available to trigger required jobs:

/test app-ci-config-dry
/test boskos-config
/test boskos-config-generation
/test build03-dry
/test build04-dry
/test build05-dry
/test build06-dry
/test build07-dry
/test build08-dry
/test build09-dry
/test build10-dry
/test build11-dry
/test check-gh-automation
/test check-gh-automation-tide
/test check-trigger-trusted-apps
/test ci-operator-config
/test ci-operator-config-metadata
/test ci-operator-registry
/test ci-secret-bootstrap-config-validation
/test ci-testgrid-allow-list
/test clusterimageset-validate
/test config
/test core-ci-config-dry
/test core-valid
/test generated-config
/test generated-dashboards
/test hosted-mgmt-dry
/test image-mirroring-config-validation
/test jira-lifecycle-config
/test labels
/test openshift-image-mirror-mappings
/test ordered-prow-config
/test owners
/test pr-reminder-config
/test prow-config
/test prow-config-filenames
/test prow-config-semantics
/test pylint
/test release-config
/test release-controller-config
/test rover-groups-config-validation
/test secret-generator-config-valid
/test services-valid
/test stackrox-stackrox-stackrox-stackrox-check
/test step-registry-metadata
/test step-registry-shellcheck
/test sync-rover-groups
/test verified-config
/test vsphere02-dry
/test yamllint

The following commands are available to trigger optional jobs:

/test build12-dry
/test check-cluster-profiles-config

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-release-main-ci-operator-config
pull-ci-openshift-release-main-ci-operator-registry
pull-ci-openshift-release-main-core-valid
pull-ci-openshift-release-main-owners
pull-ci-openshift-release-main-release-controller-config
pull-ci-openshift-release-main-step-registry-metadata
pull-ci-openshift-release-main-step-registry-shellcheck
pull-ci-openshift-release-openshift-image-mirror-mappings
pull-ci-openshift-release-yamllint
In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

barbacbd (Contributor, Author) commented May 5, 2026

/pj-rehearse openshift-cloud-credential-operator-release-4.22__periodics.yaml

openshift-merge-bot (Contributor) commented:

@barbacbd: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

tthvo (Member) commented May 5, 2026

/pj-rehearse auto-ack

openshift-merge-bot (Contributor) commented:

@tthvo: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci Bot commented May 5, 2026

@barbacbd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/rehearse/openshift/installer/release-4.22/gcp-custom-endpoints-proxy-wif 3742315 link unknown /pj-rehearse pull-ci-openshift-installer-release-4.22-gcp-custom-endpoints-proxy-wif
ci/rehearse/openshift/installer/release-5.0/gcp-custom-endpoints-proxy-wif 3742315 link unknown /pj-rehearse pull-ci-openshift-installer-release-5.0-gcp-custom-endpoints-proxy-wif
ci/rehearse/openshift/installer/release-5.1/gcp-custom-endpoints-proxy-wif 3742315 link unknown /pj-rehearse pull-ci-openshift-installer-release-5.1-gcp-custom-endpoints-proxy-wif
ci/rehearse/openshift/installer/release-4.23/gcp-custom-endpoints-proxy-wif 3742315 link unknown /pj-rehearse pull-ci-openshift-installer-release-4.23-gcp-custom-endpoints-proxy-wif
ci/rehearse/openshift/installer/main/gcp-custom-endpoints-proxy-wif 3742315 link unknown /pj-rehearse pull-ci-openshift-installer-main-gcp-custom-endpoints-proxy-wif

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

tthvo (Member) left a comment

Looks good to me! Just a small comment about the current failure :D

Comment on lines +39 to +40
cp "${CLUSTER_PROFILE_DIR}/pull-secret" pull-secret
oc registry login --to pull-secret

Looks like you need to unset the KUBECONFIG env var.

# After cluster is set up, ci-operator make KUBECONFIG pointing to the installed cluster,
# to make "oc registry login" interact with the build farm, set KUBECONFIG to empty,
# so that the credentials of the build farm registry can be saved in docker client config file.
KUBECONFIG="" oc registry login --to pull-secret

Otherwise, oc will try to auth with the build cluster 🤷 For example, the rehearsal showed:

RELEASE_IMAGE_LATEST_FROM_BUILD_FARM: registry.build04.ci.openshift.org/ci-op-j5gvr51h/release@sha256:6319e6701dc278166aaa34d733ec15715202f8ddd7460554d371d497135fafd2
Extract gcp credentials requests from the release image
error: no token is currently in use for this session
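The pattern the PR adds (scratch directory, pull-secret copy, oc registry login, oc adm release extract --registry-config, cleanup on every exit path), combined with the KUBECONFIG="" adjustment suggested in this review comment, as an added example. This is not the PR's step script or anything from the openshift/release repository: it assumes `oc` resolves on PATH (a shell function named oc takes precedence over the binary, which is how the self-check exercises it offline), that CLUSTER_PROFILE_DIR contains a pull-secret file, and that the release pullspec and output directory are passed as arguments instead of being read from RELEASE_IMAGE_LATEST_FROM_BUILD_FARM. A subshell stands in for the bash-only pushd/popd so the caller's working directory and traps are never touched, and each command carries an explicit `|| exit 1` so the cleanup path does not depend on `set -e` being honoured by the caller's context.

```shell
#!/bin/sh
# Added example, not the PR's own script. Demonstrates the registry
# authentication pattern for `oc adm release extract` with guaranteed cleanup
# of the pull-secret copy. Assumptions: `oc` on PATH, CLUSTER_PROFILE_DIR set,
# release pullspec and output dir given as arguments.
set -eu

# Extract the credentials requests of release image $1 into directory $2.
# Returns non-zero if any step fails; the scratch directory (and the
# pull-secret copy inside it) is removed whether the subshell exits normally,
# through a failed command, or through a signal.
extract_credentials_requests() {
    release_image="$1"
    out_dir="$2"
    (
        work_dir=$(mktemp -d) || exit 1
        # EXIT traps fire on every exit path of this subshell, including the
        # explicit `exit 1` calls below. Single quotes defer expansion to
        # trap time, after work_dir is known.
        trap 'rm -rf "$work_dir"' EXIT
        cd "$work_dir" || exit 1

        # Work on a copy: `oc registry login --to` writes the build-farm
        # credentials into the file it is given, and the profile's own
        # pull-secret should not be modified in place.
        cp "${CLUSTER_PROFILE_DIR}/pull-secret" pull-secret || exit 1

        # ci-operator points KUBECONFIG at the freshly installed cluster.
        # Left in place, `oc registry login` would ask that cluster for a
        # token ("no token is currently in use for this session") instead of
        # logging in to the build-farm registry that hosts the release image.
        KUBECONFIG="" oc registry login --to pull-secret || exit 1

        oc adm release extract --credentials-requests \
            --registry-config pull-secret \
            --to="$out_dir" "$release_image" || exit 1
    )
}

# In a step script this would be called as:
#   extract_credentials_requests "$RELEASE_IMAGE_LATEST_FROM_BUILD_FARM" /tmp/credrequests
```

Because the temp directory, the `cd` and the trap all live inside the subshell, the function can be called from a script that already has its own EXIT trap without clobbering it, and the grace period the step registry requires for scripts containing `trap` (see the pj-rehearse error above) is what gives the cleanup time to run when the pod is terminated.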
