Implement flux create secret oci #2910

Closed
stefanprodan opened this issue Jul 15, 2022 · 4 comments

@stefanprodan
Member

Add a new command for generating image pull secrets of type kubernetes.io/dockerconfigjson:

flux create secret oci ghcr \
 --username=<github-username> \
 --password=<github-token> \
 --url=<ghcr-URL>

The implementation PR should be made against the oci branch, ref: #2856

@stefanprodan stefanprodan added the area/oci OCI related issues and pull requests label Jul 15, 2022
@somtochiama
Member

/assign

@stefanprodan
Member Author

Implemented in #2920

@aabmets

aabmets commented Sep 25, 2023

@stefanprodan
Why does flux create secret oci produce a secret in which the .data.dockerconfigjson value is not base64-encoded?

In your documentation, and I quote: "The secret is expected to be in the same format as the docker config secrets, usually created by kubectl create secret docker-registry". The kubectl command produces a base64-encoded .data.dockerconfigjson value.

If you state that Flux expects the secret to be in the format produced by the kubectl command, then how is the flux create secret oci command supposed to produce a valid docker-registry secret, if it does not produce a base64-encoded .data.dockerconfigjson value?

This is confusing and undocumented behavior. Either the documentation should be improved to explain this deviation from the behavior of the kubectl command, or the flux command should be fixed to conform to the output of the kubectl command.

EDIT: The .data.dockerconfigjson value created by the flux create secret oci command is not base64-encoded, when the command is invoked with the --export > repo-auth.yaml option. When invoked without the option, the command creates a secret in the cluster which conforms to the kubectl command and has the field base64-encoded. It would still be beneficial to document this behavior adequately.

@stefanprodan
Member Author

We use stringData, so secret scanners and humans would see that you are committing unencrypted sensitive information to Git.
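
The two secret forms discussed in this thread, as an added example that is not part of the original comments or of Flux's own code: it builds the same docker config under `stringData` and under base64-encoded `data`, resolves both the way the Kubernetes API server does on write, and shows that the credentials are recoverable from either form without a key. The helper names and the sample credentials are constructed for illustration; the config layout assumed is the one `kubectl create secret docker-registry` produces.

```python
import base64
import json

KEY = ".dockerconfigjson"
SECRET_TYPE = "kubernetes.io/dockerconfigjson"


def docker_config_json(url, username, password):
    """Docker config document; 'auth' is base64 of 'username:password'."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {url: {"username": username, "password": password, "auth": auth}}}
    return json.dumps(cfg)


def as_string_data(name, cfg_json):
    """Exported manifest form: the value is readable as-is under stringData."""
    return {"apiVersion": "v1", "kind": "Secret", "type": SECRET_TYPE,
            "metadata": {"name": name}, "stringData": {KEY: cfg_json}}


def as_data(name, cfg_json):
    """Form stored in the cluster: the same bytes, base64-encoded under data."""
    return {"apiVersion": "v1", "kind": "Secret", "type": SECRET_TYPE,
            "metadata": {"name": name},
            "data": {KEY: base64.b64encode(cfg_json.encode()).decode()}}


def effective_config(secret):
    """Resolve the config as the API server does on write: stringData is
    merged into data and takes precedence when a key appears in both."""
    if KEY in secret.get("stringData", {}):
        raw = secret["stringData"][KEY]
    else:
        raw = base64.b64decode(secret["data"][KEY], validate=True).decode()
    return json.loads(raw)


def exposed_passwords(secret):
    """Passwords recoverable from the manifest alone; base64 is not encryption."""
    auths = effective_config(secret)["auths"].values()
    return sorted(entry["password"] for entry in auths if "password" in entry)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    cfg = docker_config_json("ghcr.io", "example-user", "example-token")
    exported, stored = as_string_data("ghcr", cfg), as_data("ghcr", cfg)
    print(effective_config(exported) == effective_config(stored))
    print(exposed_passwords(exported), exposed_passwords(stored))
```

Either manifest needs encrypting before it is committed to Git; the `stringData` form only makes the plaintext obvious to reviewers and scanners.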
