🤖 Generated by the Codex Daily AI Engineer instance.
Description
Production Talos nodes still take their host-level ghcr.io registry credential from the separate Actions GHCR_TOKEN, even though k8s/bases/bootstrap/secret.enc.yaml now contains the validated authoritative pull credential. A newly autoscaled node therefore received stale host auth and cannot verify or pull a private first-party image.
The live ksail-operator/ksail-operator-5f6c87b8cb-4lx8b pod on autoscale-cx43-293a3c3e6986bf96 fails while Talos resolves ghcr.io/devantler-tech/ksail:v7.169.0: GHCR's token endpoint returns HTTP 403 for repository pull scope. The Git/SOPS credential independently completes authenticated manifest reads for the KSail package, so package availability is not the failure.
Steps to Reproduce
- Rotate the Git/SOPS GHCR pull credential without rotating the separate Actions
GHCR_TOKEN to the same pull token.
- Create or autoscale a Talos node from the current production machine configuration.
- Schedule an uncached private first-party image on that node.
- Observe Talos image verification fail at the GHCR token exchange with HTTP 403 and the pod enter
ImagePullBackOff.
Expected Behavior
Talos host registry authentication is derived from the same Git/SOPS Docker config that the deploy validates and distributes to Flux, OpenBao, tenant workloads, and Kyverno. Existing and newly created/autoscaled nodes can verify and pull every required private first-party package after a single pull-credential rotation.
Actual Behavior
talos/cluster/authenticate-ghcr-pulls.yaml expands ${GHCR_TOKEN}, while the deploy's credential bridge never updates Talos nodes. The stale node credential gets HTTP 403 even though the authoritative SOPS pull token is healthy.
Environment
Acceptance Criteria
Proposed Direction and Size
Extract the Docker-config username/password into mode-restricted temporary files, render the supported Talos registry-auth configuration, and apply it through the Talos API. Reuse the same extraction when KSail renders production machine configuration so autoscaler templates cannot retain the push credential. Synchronize existing nodes in a controlled, observable sequence and verify an authenticated host pull before declaring recovery.
Rough size: M. This is the live Talos child of #2613 and extends the incident recovery in #2624 / PR #2625.
Description
Production Talos nodes still take their host-level
ghcr.ioregistry credential from the separate ActionsGHCR_TOKEN, even thoughk8s/bases/bootstrap/secret.enc.yamlnow contains the validated authoritative pull credential. A newly autoscaled node therefore received stale host auth and cannot verify or pull a private first-party image.The live
ksail-operator/ksail-operator-5f6c87b8cb-4lx8bpod onautoscale-cx43-293a3c3e6986bf96fails while Talos resolvesghcr.io/devantler-tech/ksail:v7.169.0: GHCR's token endpoint returns HTTP 403 for repository pull scope. The Git/SOPS credential independently completes authenticated manifest reads for the KSail package, so package availability is not the failure.Steps to Reproduce
GHCR_TOKENto the same pull token.ImagePullBackOff.Expected Behavior
Talos host registry authentication is derived from the same Git/SOPS Docker config that the deploy validates and distributes to Flux, OpenBao, tenant workloads, and Kyverno. Existing and newly created/autoscaled nodes can verify and pull every required private first-party package after a single pull-credential rotation.
Actual Behavior
talos/cluster/authenticate-ghcr-pulls.yamlexpands${GHCR_TOKEN}, while the deploy's credential bridge never updates Talos nodes. The stale node credential gets HTTP 403 even though the authoritative SOPS pull token is healthy.Environment
ksail.prod.yamlghcr.io/devantler-tech/ksail:v7.169.0Acceptance Criteria
ghcr.ioregistry auth fromstringData.ghcr_dockerconfigjsonwithout placing plaintext, encoded credentials, or tokens in argv/logs.GHCR_TOKENscoped to OCI publication/signing compatibility; it must no longer be the Talos pull source.ksail-operatorrollout and verify no pods remain inErrImagePullorImagePullBackOff.Proposed Direction and Size
Extract the Docker-config username/password into mode-restricted temporary files, render the supported Talos registry-auth configuration, and apply it through the Talos API. Reuse the same extraction when KSail renders production machine configuration so autoscaler templates cannot retain the push credential. Synchronize existing nodes in a controlled, observable sequence and verify an authenticated host pull before declaring recovery.
Rough size: M. This is the live Talos child of #2613 and extends the incident recovery in #2624 / PR #2625.