New option --need-oci-registry-auth-token #1709

@guettli

/kind feature

When downloading bare-metal machine images from OCI, caph may require the environment variable OCI_REGISTRY_AUTH_TOKEN.

Currently, this token is optional because you might not use OCI for bare-metal images, or you might use images that don’t require credentials.

If your caph deployment does require OCI_REGISTRY_AUTH_TOKEN, it’s better to get immediate feedback. Otherwise, you only discover the problem when provisioning the first machine.

This issue proposes adding --need-oci-registry-auth-token. When set, caph checks at startup whether the token is available; if not, it fails and restarts, enabling early error detection.

The person responsible for the deployment can add this option, if needed. By default, it is not set.

At the moment, you only get a log message; no Condition or Event is created.

level: ERROR
time: "2025-11-06T08:40:54.052Z"
file: controller/controller.go:324
message: Reconciler error
controller: hetznerbaremetalhost
controllerGroup: infrastructure.cluster.x-k8s.io
controllerKind: HetznerBareMetalHost
HetznerBareMetalHost:
  name: bm-1
  namespace: org-testing
namespace: org-testing
name: bm-1
reconcileID: e7442adf-efc9-43e0-aa8c-e678527a7297
error: |-
  failed to reconcile HetznerBareMetalHost org-testing/bm-1: action "image-installing" failed: failed to download image: download with token (OCI_REGISTRY_AUTH_TOKEN set)
  Using OCI_REGISTRY_AUTH_TOKEN directly (no colon in token)
  Failed to get digest from container registry. Manifest: {"errors":[{"code":"UNAUTHORIZED","message":"authentication required"}]}
    failed to perform ssh command: stdout "download with token (OCI_REGISTRY_AUTH_TOKEN set)\nUsing OCI_REGISTRY_AUTH_TOKEN directly (no colon in token)\nFailed to get digest from container registry. Manifest: {\"errors\":[{\"code\":\"UNAUTHORIZED\",\"message\":\"authentication required\"}]}\n". stderr "". Process exited with status 1
stacktrace: |-
  sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
        sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:324
  sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
        sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261
  sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
        sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222
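As an added illustration (not part of the issue and not caph's own code), the startup check the proposal describes, written against Go's standard `flag` package: when `--need-oci-registry-auth-token` is set, the process refuses to start unless `OCI_REGISTRY_AUTH_TOKEN` is present and non-blank, so a misconfigured deployment crash-loops immediately instead of failing on the first provisioning. The flag and variable names come from the issue; the function name `checkOCIRegistryAuthToken` and the injected `lookup` parameter (which lets the check be exercised without touching the real environment) are assumptions.

```go
package main

import (
	"flag"
	"fmt"
	"os"
	"strings"
)

// ociTokenEnvVar is the environment variable named in the issue.
const ociTokenEnvVar = "OCI_REGISTRY_AUTH_TOKEN"

// checkOCIRegistryAuthToken returns an error when the operator has declared
// the token mandatory (needToken) but lookup reports it absent or blank.
// lookup is injected (assumption, for testability); os.LookupEnv is the
// production value. A whitespace-only value is treated as missing because
// it would be "set" yet unusable against the registry.
func checkOCIRegistryAuthToken(needToken bool, lookup func(string) (string, bool)) error {
	if !needToken {
		// Default behaviour from the issue: the token stays optional.
		return nil
	}
	val, ok := lookup(ociTokenEnvVar)
	if !ok {
		return fmt.Errorf("--need-oci-registry-auth-token is set but %s is not set", ociTokenEnvVar)
	}
	if strings.TrimSpace(val) == "" {
		return fmt.Errorf("--need-oci-registry-auth-token is set but %s is empty", ociTokenEnvVar)
	}
	return nil
}

func main() {
	needToken := flag.Bool("need-oci-registry-auth-token", false,
		"fail at startup if "+ociTokenEnvVar+" is not set")
	flag.Parse()

	if err := checkOCIRegistryAuthToken(*needToken, os.LookupEnv); err != nil {
		// Only the failure reason is logged, never the token value itself.
		fmt.Fprintln(os.Stderr, "startup check failed:", err)
		os.Exit(1) // non-zero exit makes the container runtime restart the pod
	}
	fmt.Println("startup check passed")
}
```

Run it as `go run . --need-oci-registry-auth-token` with and without the variable exported to see the two outcomes; note that the error message deliberately reports only whether the variable is set, not its contents, so the check cannot leak the credential into pod logs.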