Merge pull request #89487 from stevsmit/OCPBUGS-52219-ir-bug

Updates imagepullsecret field in IR docs

Author: stevsmit

modules/creating-pull-secrets.adoc

@@ -0,0 +1,40 @@
+// Module included in the following assemblies:
+// * openshift_images/using-image-pull-secrets
+// * openshift_images/managing-image-streams.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="creating-pull-secret_{context}"]
+= Creating a pull secret
+
+.Procedure
+
+* Create a secret from an existing authentication file:
+
+** For Docker clients using `.docker/config.json`, enter the following command:
++
+[source,terminal]
+----
+$ oc create secret generic <pull_secret_name> \
+    --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
+    --type=kubernetes.io/dockerconfigjson
+----
+
+** For Podman clients using `.config/containers/auth.json`, enter the following command:
++
+[source,terminal]
+----
+$ oc create secret generic <pull_secret_name> \
+     --from-file=<path/to/.config/containers/auth.json> \
+     --type=kubernetes.io/podmanconfigjson
+----
+
+* If you do not already have a Docker credentials file for the secured registry, you can create a secret by running the following command:
++
+[source,terminal]
+----
+$ oc create secret docker-registry <pull_secret_name> \
+    --docker-server=<registry_server> \
+    --docker-username=<user_name> \
+    --docker-password=<password> \
+    --docker-email=<email>
+----

modules/images-allow-pods-to-reference-images-from-secure-registries.adoc

@@ -55,44 +55,4 @@ metadata:
   resourceVersion: "37676"
   uid: e2851531-01bc-48ba-878c-de96cfe31020
 type: Opaque
-----
-
-.Procedure
-
-* Create a secret from an existing authentication file:
-
-** For Docker clients using `.docker/config.json`, enter the following command:
-+
-[source,terminal]
-----
-$ oc create secret generic <pull_secret_name> \
-    --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
-    --type=kubernetes.io/dockerconfigjson
-----
-
-** For Podman clients using `.config/containers/auth.json`, enter the following command:
-+
-[source,terminal]
-----
-$ oc create secret generic <pull_secret_name> \
-     --from-file=<path/to/.config/containers/auth.json> \
-     --type=kubernetes.io/podmanconfigjson
-----
-
-* If you do not already have a Docker credentials file for the secured registry, you can create a secret by running:
-+
-[source,terminal]
-----
-$ oc create secret docker-registry <pull_secret_name> \
-    --docker-server=<registry_server> \
-    --docker-username=<user_name> \
-    --docker-password=<password> \
-    --docker-email=<email>
-----
-
-* To use a secret for pulling images for pods, you must add the secret to your service account. The name of the service account in this example should match the name of the service account the pod uses. The default service account is `default`:
-+
-[source,terminal]
-----
-$ oc secrets link default <pull_secret_name> --for=pull
 ----

modules/using-pull-secret.adoc

@@ -0,0 +1,83 @@
+// Module included in the following assemblies:
+// * openshift_images/using-image-pull-secrets
+// * openshift_images/managing-image-streams.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="using-pull-secret_{context}"]
+= Using a pull secret in a workload
+
+You can use a pull secret to allow workloads to pull images from a private registry with one of the following methods:
+
+* By linking the secret to a `ServiceAccount`, which automatically applies the secret to all pods using that service account.
+* By defining `imagePullSecrets` directly in workload configurations, which is useful for environments like GitOps or ArgoCD.
+
+.Procedure
+
+* You can use a secret for pulling images for pods by adding the secret to your service account. Note that the name of the service account should match the name of the service account that pod uses. The default service account is `default`.
+
+** Enter the following command to link the pull secret to a `ServiceAccount`:
++
+[source,terminal]
+----
+$ oc secrets link default <pull_secret_name> --for=pull
+----
+
+** To verify the change, enter the following command:
++
+[source,terminal]
+----
+$ oc get serviceaccount default -o yaml
+----
++
+.Example output
++
+[source,yaml]
+----
+apiVersion: v1
+imagePullSecrets:
+- name: default-dockercfg-123456
+- name: <pull_secret_name>
+kind: ServiceAccount
+metadata:
+  annotations:
+    openshift.io/internal-registry-pull-secret-ref: <internal_registry_pull_secret>
+  creationTimestamp: "2025-03-03T20:07:52Z"
+  name: default
+  namespace: default
+  resourceVersion: "13914"
+  uid: 9f62dd88-110d-4879-9e27-1ffe269poe3
+secrets:
+- name: <pull_secret_name>
+----
+
+* Instead of linking the secret to a service account, you can alternatively reference it directly in your pod or workload definition. This is useful for GitOps workflows such as ArgoCD. For example:
++
+.Example pod specification
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  name: <secure_pod_name>
+spec:
+  containers:
+  - name: <container_name>
+    image: quay.io/my-private-image
+  imagePullSecrets:
+  - name: <pull_secret_name>
+----
++
+.Example ArgoCD workflow
++
+[source,yaml]
+----
+apiVersion: argoproj.io/v1alpha1
+kind: Workflow
+metadata:
+  generateName: <example_workflow>
+spec:
+  entrypoint: <main_task>
+  imagePullSecrets:
+  - name: <pull_secret_name>
+----

openshift_images/image-streams-manage.adoc

@@ -39,7 +39,7 @@ include::modules/images-imagestream-import.adoc[leveloffset=+2]
 The following sections describe how to import, and work with, image streams.
 
 include::modules/images-imagestream-import-images-private-registry.adoc[leveloffset=+2]
-include::modules/images-allow-pods-to-reference-images-from-secure-registries.adoc[leveloffset=+3]
+//include::modules/images-allow-pods-to-reference-images-from-secure-registries.adoc[leveloffset=+3]
 
 
 include::modules/images-imagestream-import-import-mode.adoc[leveloffset=+2]

openshift_images/managing_images/using-image-pull-secrets.adoc

@@ -17,6 +17,8 @@ You use this pull secret to authenticate with the services that are provided by
 include::modules/images-allow-pods-to-reference-images-across-projects.adoc[leveloffset=+1]
 
 include::modules/images-allow-pods-to-reference-images-from-secure-registries.adoc[leveloffset=+1]
+include::modules/creating-pull-secrets.adoc[leveloffset=+2]
+include::modules/using-pull-secret.adoc[leveloffset=+2]
 
 include::modules/images-pulling-from-private-registries.adoc[leveloffset=+2]