openstack-k8s-operators · mnietoji · Feb 18, 2026 · Mar 10, 2026
diff --git a/playbooks/06-deploy-architecture.yml b/playbooks/06-deploy-architecture.yml
@@ -163,6 +163,43 @@
                 msg: >-
                   Error detected. Check debugging output above.
 
+    - name: Extract registry credentials from OpenShift pull-secret
+      tags:
+        - always
+      when:
+        - cifmw_sync_pullsecret_credentials | default(true) | bool
+      block:
+        - name: Extract credentials for each configured registry
+          loop: "{{ cifmw_reproducer_registry_list | default(['registry.stage.redhat.io']) }}"
+          loop_control:
+            loop_var: registry
+          ansible.builtin.include_role:
+            name: edpm_pullsecret_sync
+          vars:
+            cifmw_edpm_pullsecret_sync_registry: "{{ registry }}"
+            cifmw_edpm_pullsecret_sync_fact_name: "cifmw_reproducer_registry_{{ registry | replace('.', '_') | replace('-', '_') }}_creds"
+
+        - name: Build registry credentials dictionary for templates
+          ansible.builtin.set_fact:
+            cifmw_ci_gen_kustomize_values_registry_logins: >-
+              {%- set result = {} -%}
+              {%- for registry in (cifmw_reproducer_registry_list | default(['registry.stage.redhat.io'])) -%}
+                {%- set fact_name = 'cifmw_reproducer_registry_' + (registry | replace('.', '_') | replace('-', '_')) + '_creds_dict' -%}
+                {%- if vars[fact_name] is defined -%}
+                  {%- set _ = result.update({registry: vars[fact_name]}) -%}
+                {%- endif -%}
+              {%- endfor -%}
+              {{ result }}
+
+        - name: Log extracted registry credentials
+          ansible.builtin.debug:
+            msg: "Registry credentials extracted for: {{ cifmw_ci_gen_kustomize_values_registry_logins.keys() | list }}"
+
+      rescue:
+        - name: Log pull-secret extraction failure
+          ansible.builtin.debug:
+            msg: "Failed to extract credentials from pull-secret, templates will not include registry credentials"
+
     - name: Set cifmw_architecture_automation_file if not set before
       when: cifmw_architecture_automation_file is not defined
       ansible.builtin.set_fact:

diff --git a/roles/ci_gen_kustomize_values/templates/common/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/common/edpm-nodeset-values/values.yaml.j2
@@ -43,6 +43,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in instances_names                                                     %}
       edpm-{{ instance }}:

diff --git a/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset-values/values.yaml.j2
@@ -37,6 +37,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in instances_names                                                     %}
       edpm-{{ instance }}:

diff --git a/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset2-values/values.yaml.j2
@@ -39,6 +39,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                               %}
 {% endif                                                                                  %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in instances_names                                                        %}
       edpm-{{ instance }}:

diff --git a/..._gen_kustomize_values/templates/nfv-ovs-dpdk-sriov-hci/edpm-nodeset-values/values.yaml.j2 b/..._gen_kustomize_values/templates/nfv-ovs-dpdk-sriov-hci/edpm-nodeset-values/values.yaml.j2
@@ -4,6 +4,7 @@
 {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %}
 {% set _original_nodes = _original_nodeset.nodes | default({})                         %}
 {% set _original_services = _original_nodeset['services'] | default([])                %}
+{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %}
 {% for _inst in cifmw_baremetal_hosts.keys()                                           %}
 {%   set _ = instances_names.append(_inst)                                             %}
 {% endfor                                                                              %}
@@ -29,6 +30,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in instances_names                                                     %}
       edpm-{{ instance }}:
@@ -43,3 +66,11 @@ data:
       - "{{ svc }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% if cifmw_kustomize_deploy_metal3_node is defined                                    %}
+  baremetalSetTemplate:
+{%   for key, value in _original_baremetal_template.items()                            %}
+    {{ key }}: {{ value }}
+{%   endfor                                                                            %}
+    provisionServerNodeSelector:
+      kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}"
+{% endif                                                                               %}
diff --git a/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset-values/values.yaml.j2
@@ -43,6 +43,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in nodeset_one_instances                                               %}
       edpm-{{ instance }}:

diff --git a/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset2-values/values.yaml.j2
@@ -43,6 +43,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in nodeset_two_instances                                               %}
       edpm-{{ instance }}:

diff --git a/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset-values/values.yaml.j2
@@ -43,6 +43,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in nodeset_one_instances                                               %}
       edpm-{{ instance }}:

diff --git a/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset2-values/values.yaml.j2
@@ -43,6 +43,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in nodeset_two_instances                                               %}
       edpm-{{ instance }}:

diff --git a/roles/ci_gen_kustomize_values/templates/nova04delta/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova04delta/edpm-nodeset-values/values.yaml.j2
@@ -38,12 +38,26 @@ data:
 
           # see https://access.redhat.com/solutions/253273
           dnf -y install conntrack-tools
+{% if cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool %}
+
+          # Container policy.json
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{% endif %}
 {% if cifmw_ci_gen_kustomize_values_sshd_ranges | default([]) | length > 0             %}
         edpm_sshd_allowed_ranges:
 {%   for range in cifmw_ci_gen_kustomize_values_sshd_ranges                            %}
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
 
 {% if cifmw_baremetal_hosts | default({}) | length > 0                                 %}
   # source roles/deploy_bmh/template/bmh.yml.j2, but it patches kustomize built outputs

diff --git a/...en_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset-values/values.yaml.j2 b/...en_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset-values/values.yaml.j2
@@ -4,6 +4,7 @@
 {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %}
 {% set _original_nodes = _original_nodeset.nodes | default({})                         %}
 {% set _original_services = _original_nodeset['services'] | default([])                %}
+{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %}
 {% if cifmw_baremetal_hosts | default([]) | length > 0                                 %}
 {%   for _inst in cifmw_baremetal_hosts.keys()                                         %}
 {%     if (('label' in cifmw_baremetal_hosts[_inst]) and
@@ -42,6 +43,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in instances_names                                                     %}
       edpm-{{ instance }}:
@@ -56,3 +79,11 @@ data:
       - "{{ svc }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% if cifmw_kustomize_deploy_metal3_node is defined                                    %}
+  baremetalSetTemplate:
+{%   for key, value in _original_baremetal_template.items()                            %}
+    {{ key }}: {{ value }}
+{%   endfor                                                                            %}
+    provisionServerNodeSelector:
+      kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}"
+{% endif                                                                               %}