prowgen: use preset for registry pull credentials volume

Move the pull-secret volume and volumeMount from the hardcoded
defaultPodSpec to a Prow preset (preset-ci-operator-image-pull).

This is a proof of concept for using compositional Prow presets to
deduplicate the ~28 lines of boilerplate volumes/mounts that are
inlined into every one of the 126K+ generated Prowjob definitions.

The preset is defined in openshift/release and matched via a new
label added to all prowgen-generated jobs. The --image-import-pull-secret
arg remains inline since presets cannot inject container args.

Requires the corresponding preset definition in openshift/release:
https://github.com/openshift/release/pull/XXXXX

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: petr-muller

cmd/ci-operator-prowgen/testdata/zz_fixture_postsubmit_TestFromCIOperatorConfigToProwYaml_Custom_test_timeout.yaml

@@ -29,6 +29,7 @@ postsubmits:
     labels:
       ci-operator.openshift.io/is-promotion: "true"
       ci.openshift.io/generator: prowgen
+      preset-ci-operator-image-pull: "true"
     max_concurrency: 1
     name: branch-ci-super-duper-branch-images
     spec:
@@ -55,9 +56,6 @@ postsubmits:
         - mountPath: /secrets/manifest-tool
           name: manifest-tool-local-pusher
           readOnly: true
-        - mountPath: /etc/pull-secret
-          name: pull-secret
-          readOnly: true
         - mountPath: /etc/push-secret
           name: push-secret
           readOnly: true
@@ -69,9 +67,6 @@ postsubmits:
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
-      - name: pull-secret
-        secret:
-          secretName: registry-pull-credentials
       - name: push-secret
         secret:
           secretName: registry-push-credentials-ci-central

cmd/ci-operator-prowgen/testdata/zz_fixture_postsubmit_TestFromCIOperatorConfigToProwYaml_Input_is_YAML_and_it_is_correctly_processed.yaml

@@ -29,6 +29,7 @@ postsubmits:
     labels:
       ci-operator.openshift.io/is-promotion: "true"
       ci.openshift.io/generator: prowgen
+      preset-ci-operator-image-pull: "true"
     max_concurrency: 1
     name: branch-ci-super-duper-branch-images
     spec:
@@ -55,9 +56,6 @@ postsubmits:
         - mountPath: /secrets/manifest-tool
           name: manifest-tool-local-pusher
           readOnly: true
-        - mountPath: /etc/pull-secret
-          name: pull-secret
-          readOnly: true
         - mountPath: /etc/push-secret
           name: push-secret
           readOnly: true
@@ -69,9 +67,6 @@ postsubmits:
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
-      - name: pull-secret
-        secret:
-          secretName: registry-pull-credentials
       - name: push-secret
         secret:
           secretName: registry-push-credentials-ci-central

cmd/ci-operator-prowgen/testdata/zz_fixture_postsubmit_TestFromCIOperatorConfigToProwYaml_Using_a_variant_config__one_test_and_images__one_existing_job._Expect_one_presubmit__pre_post_submit_images_jobs._Existing_job_should_not_be_changed..yaml

@@ -32,6 +32,7 @@ postsubmits:
       ci-operator.openshift.io/is-promotion: "true"
       ci-operator.openshift.io/variant: rhel
       ci.openshift.io/generator: prowgen
+      preset-ci-operator-image-pull: "true"
     max_concurrency: 1
     name: branch-ci-super-duper-branch-rhel-images
     spec:
@@ -59,9 +60,6 @@ postsubmits:
         - mountPath: /secrets/manifest-tool
           name: manifest-tool-local-pusher
           readOnly: true
-        - mountPath: /etc/pull-secret
-          name: pull-secret
-          readOnly: true
         - mountPath: /etc/push-secret
           name: push-secret
           readOnly: true
@@ -73,9 +71,6 @@ postsubmits:
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
-      - name: pull-secret
-        secret:
-          secretName: registry-pull-credentials
       - name: push-secret
         secret:
           secretName: registry-push-credentials-ci-central

cmd/ci-operator-prowgen/testdata/zz_fixture_postsubmit_TestFromCIOperatorConfigToProwYaml_one_test_and_images__no_previous_jobs._Expect_test_presubmit__pre_post_submit_images_jobs.yaml

@@ -10,6 +10,7 @@ postsubmits:
     labels:
       ci-operator.openshift.io/is-promotion: "true"
       ci.openshift.io/generator: prowgen
+      preset-ci-operator-image-pull: "true"
     max_concurrency: 1
     name: branch-ci-super-duper-branch-images
     spec:
@@ -36,9 +37,6 @@ postsubmits:
         - mountPath: /secrets/manifest-tool
           name: manifest-tool-local-pusher
           readOnly: true
-        - mountPath: /etc/pull-secret
-          name: pull-secret
-          readOnly: true
         - mountPath: /etc/push-secret
           name: push-secret
           readOnly: true
@@ -50,9 +48,6 @@ postsubmits:
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
-      - name: pull-secret
-        secret:
-          secretName: registry-pull-credentials
       - name: push-secret
         secret:
           secretName: registry-push-credentials-ci-central

cmd/ci-operator-prowgen/testdata/zz_fixture_presubmit_TestFromCIOperatorConfigToProwYaml_Custom_test_timeout.yaml

@@ -12,6 +12,7 @@ presubmits:
     labels:
       ci.openshift.io/generator: prowgen
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
+      preset-ci-operator-image-pull: "true"
     name: pull-ci-super-duper-branch-images
     rerun_command: /test images
     spec:
@@ -36,9 +37,6 @@ presubmits:
         - mountPath: /secrets/manifest-tool
           name: manifest-tool-local-pusher
           readOnly: true
-        - mountPath: /etc/pull-secret
-          name: pull-secret
-          readOnly: true
         - mountPath: /etc/report
           name: result-aggregator
           readOnly: true
@@ -47,9 +45,6 @@ presubmits:
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
-      - name: pull-secret
-        secret:
-          secretName: registry-pull-credentials
       - name: result-aggregator
         secret:
           secretName: result-aggregator
@@ -67,6 +62,7 @@ presubmits:
     labels:
       ci.openshift.io/generator: prowgen
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
+      preset-ci-operator-image-pull: "true"
     name: pull-ci-super-duper-branch-unit
     rerun_command: /test unit
     spec:
@@ -91,9 +87,6 @@ presubmits:
         - mountPath: /secrets/manifest-tool
           name: manifest-tool-local-pusher
           readOnly: true
-        - mountPath: /etc/pull-secret
-          name: pull-secret
-          readOnly: true
         - mountPath: /etc/report
           name: result-aggregator
           readOnly: true
@@ -102,9 +95,6 @@ presubmits:
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
-      - name: pull-secret
-        secret:
-          secretName: registry-pull-credentials
       - name: result-aggregator
         secret:
           secretName: result-aggregator

cmd/ci-operator-prowgen/testdata/zz_fixture_presubmit_TestFromCIOperatorConfigToProwYaml_Input_is_YAML_and_it_is_correctly_processed.yaml

@@ -12,6 +12,7 @@ presubmits:
     labels:
       ci.openshift.io/generator: prowgen
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
+      preset-ci-operator-image-pull: "true"
     name: pull-ci-super-duper-branch-images
     rerun_command: /test images
     spec:
@@ -36,9 +37,6 @@ presubmits:
         - mountPath: /secrets/manifest-tool
           name: manifest-tool-local-pusher
           readOnly: true
-        - mountPath: /etc/pull-secret
-          name: pull-secret
-          readOnly: true
         - mountPath: /etc/report
           name: result-aggregator
           readOnly: true
@@ -47,9 +45,6 @@ presubmits:
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
-      - name: pull-secret
-        secret:
-          secretName: registry-pull-credentials
       - name: result-aggregator
         secret:
           secretName: result-aggregator
@@ -66,6 +61,7 @@ presubmits:
     labels:
       ci.openshift.io/generator: prowgen
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
+      preset-ci-operator-image-pull: "true"
     name: pull-ci-super-duper-branch-unit
     rerun_command: /test unit
     spec:
@@ -90,9 +86,6 @@ presubmits:
         - mountPath: /secrets/manifest-tool
           name: manifest-tool-local-pusher
           readOnly: true
-        - mountPath: /etc/pull-secret
-          name: pull-secret
-          readOnly: true
         - mountPath: /etc/report
           name: result-aggregator
           readOnly: true
@@ -101,9 +94,6 @@ presubmits:
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
-      - name: pull-secret
-        secret:
-          secretName: registry-pull-credentials
       - name: result-aggregator
         secret:
           secretName: result-aggregator

cmd/ci-operator-prowgen/testdata/zz_fixture_presubmit_TestFromCIOperatorConfigToProwYaml_Using_a_variant_config__one_test_and_images__one_existing_job._Expect_one_presubmit__pre_post_submit_images_jobs._Existing_job_should_not_be_changed..yaml

@@ -13,6 +13,7 @@ presubmits:
       ci-operator.openshift.io/variant: rhel
       ci.openshift.io/generator: prowgen
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
+      preset-ci-operator-image-pull: "true"
     name: pull-ci-super-duper-branch-rhel-images
     rerun_command: /test rhel-images
     spec:
@@ -38,9 +39,6 @@ presubmits:
         - mountPath: /secrets/manifest-tool
           name: manifest-tool-local-pusher
           readOnly: true
-        - mountPath: /etc/pull-secret
-          name: pull-secret
-          readOnly: true
         - mountPath: /etc/report
           name: result-aggregator
           readOnly: true
@@ -49,9 +47,6 @@ presubmits:
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
-      - name: pull-secret
-        secret:
-          secretName: registry-pull-credentials
       - name: result-aggregator
         secret:
           secretName: result-aggregator
@@ -69,6 +64,7 @@ presubmits:
       ci-operator.openshift.io/variant: rhel
       ci.openshift.io/generator: prowgen
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
+      preset-ci-operator-image-pull: "true"
     name: pull-ci-super-duper-branch-rhel-unit
     rerun_command: /test rhel-unit
     spec:
@@ -94,9 +90,6 @@ presubmits:
         - mountPath: /secrets/manifest-tool
           name: manifest-tool-local-pusher
           readOnly: true
-        - mountPath: /etc/pull-secret
-          name: pull-secret
-          readOnly: true
         - mountPath: /etc/report
           name: result-aggregator
           readOnly: true
@@ -105,9 +98,6 @@ presubmits:
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
-      - name: pull-secret
-        secret:
-          secretName: registry-pull-credentials
       - name: result-aggregator
         secret:
           secretName: result-aggregator

cmd/ci-operator-prowgen/testdata/zz_fixture_presubmit_TestFromCIOperatorConfigToProwYaml_one_test_and_images__no_previous_jobs._Expect_test_presubmit__pre_post_submit_images_jobs.yaml

@@ -12,6 +12,7 @@ presubmits:
     labels:
       ci.openshift.io/generator: prowgen
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
+      preset-ci-operator-image-pull: "true"
     name: pull-ci-super-duper-branch-images
     rerun_command: /test images
     spec:
@@ -36,9 +37,6 @@ presubmits:
         - mountPath: /secrets/manifest-tool
           name: manifest-tool-local-pusher
           readOnly: true
-        - mountPath: /etc/pull-secret
-          name: pull-secret
-          readOnly: true
         - mountPath: /etc/report
           name: result-aggregator
           readOnly: true
@@ -47,9 +45,6 @@ presubmits:
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
-      - name: pull-secret
-        secret:
-          secretName: registry-pull-credentials
       - name: result-aggregator
         secret:
           secretName: result-aggregator
@@ -66,6 +61,7 @@ presubmits:
     labels:
       ci.openshift.io/generator: prowgen
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
+      preset-ci-operator-image-pull: "true"
     name: pull-ci-super-duper-branch-unit
     rerun_command: /test unit
     spec:
@@ -90,9 +86,6 @@ presubmits:
         - mountPath: /secrets/manifest-tool
           name: manifest-tool-local-pusher
           readOnly: true
-        - mountPath: /etc/pull-secret
-          name: pull-secret
-          readOnly: true
         - mountPath: /etc/report
           name: result-aggregator
           readOnly: true
@@ -101,9 +94,6 @@ presubmits:
       - name: manifest-tool-local-pusher
         secret:
           secretName: manifest-tool-local-pusher
-      - name: pull-secret
-        secret:
-          secretName: registry-pull-credentials
       - name: result-aggregator
         secret:
           secretName: result-aggregator

pkg/api/constant.go

@@ -37,6 +37,10 @@ const (
 	NoBuildsLabel = "ci.openshift.io/no-builds"
 	NoBuildsValue = "true"
 
+	// PresetImagePullLabel is the label that triggers the preset-ci-operator-image-pull
+	// Prow preset, which provides the registry pull credentials volume and mount.
+	PresetImagePullLabel = "preset-ci-operator-image-pull"
+
 	// HiveCluster is the cluster where Hive is deployed
 	HiveCluster = ClusterHive
 

pkg/prowgen/jobbase.go

@@ -61,7 +61,9 @@ func NewProwJobBaseBuilder(configSpec *cioperatorapi.ReleaseBuildConfiguration,
 		PodSpec: podSpecGenerator,
 		base: prowconfig.JobBase{
 			Agent:  string(prowv1.KubernetesAgent),
-			Labels: map[string]string{},
+			Labels: map[string]string{
+				cioperatorapi.PresetImagePullLabel: "true",
+			},
 			UtilityConfig: prowconfig.UtilityConfig{
 				Decorate: utilpointer.Bool(true),
 			},