OpenShift: Create/manage internal-registry-secret with dockerconfigjson for AgentBuild (Tekton buildah)

[akram]

Summary

When kagenti-operator creates AgentBuilds with Tekton pipelines that push images to the OpenShift internal registry, the buildah step requires a secret in dockerconfigjson format. OpenShift automatically creates builder-dockercfg secrets in each namespace, but those are in dockercfg format, which buildah cannot use directly.

Epic reference: kagenti/kagenti#518 - TODO 3: internal-registry-secret in kagenti-operator

---

Problem

• AgentBuild pipelines push images to the OpenShift internal registry.
• The buildah step needs a dockerconfigjson-format secret for registry auth.
• OpenShift provides builder-dockercfg secrets in dockercfg format only.
• buildah does not consume dockercfg format directly, so the pipeline fails without a converted secret.

---

Current workaround

The Ansible installer creates internal-registry-secret in each agent namespace by converting the builder-dockercfg secret from dockercfg to dockerconfigjson. This is environment-specific and should be handled by the operator or Helm chart.

---

Proposed fix

The kagenti-operator (or kagenti Helm chart) should:

1. Detect OpenShift environment — e.g. presence of OpenShift-specific APIs or namespace annotations.
2. Create and manage internal-registry-secret in agent namespaces where AgentBuilds run (or where the operator creates pipeline resources).
3. Convert dockercfg → dockerconfigjson automatically (e.g. read builder-dockercfg, transform, and create/update internal-registry-secret).

---

Repos affected

• github.com/kagenti/kagenti-operator (primary)
• github.com/kagenti/kagenti (Helm chart — if secret creation is done there instead)

---

References

• Epic: OpenShift AI deployment issues list · Issue #518 · kagenti/kagenti
• Source of current workaround: main.yml (Ansible) L620–L655 (as referenced in the epic)