From ad06f9b652a792fc32cd8953f9a9b829de226cfc Mon Sep 17 00:00:00 2001
From: Luis Sanchez <sanchezl@redhat.com>
Date: Fri, 1 Aug 2025 09:27:11 -0400
Subject: [PATCH] use dockerconfigjson format for pull secrets

---
 .../controllers/image_pull_secret_controller.go    | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/pkg/internalregistry/controllers/image_pull_secret_controller.go b/pkg/internalregistry/controllers/image_pull_secret_controller.go
index 6b00204ef..61b1cb0fd 100644
--- a/pkg/internalregistry/controllers/image_pull_secret_controller.go
+++ b/pkg/internalregistry/controllers/image_pull_secret_controller.go
@@ -268,6 +268,20 @@ func dockerConfig(token string, urls []string) any {
 	return auth
 }
 
+func dockerConfigJSON(token string, urls []string) any {
+	// not using credentialprovider.DockerConfigJSON to keep redundant username/password/email out of secret
+	auths := map[string]map[string]string{}
+	entry := map[string]string{
+		"auth": base64.StdEncoding.EncodeToString([]byte("<token>:" + token)),
+	}
+	for _, url := range urls {
+		auths[url] = entry
+	}
+	return map[string]map[string]map[string]string{
+		"auths": auths,
+	}
+}
+
 func isSecretRefreshNeeded(secret *corev1.Secret, urls, kids []string, now time.Time) (bool, *time.Time) {
 	valid, refreshAt := registryAuthenticationFileValid(secret, urls, kids, now)
 	return !valid, refreshAt