openshift · openshift-merge-bot · Nov 4, 2025 · Aug 1, 2025 · Sep 9, 2025 · Oct 17, 2025
diff --git a/apis/hive/v1/aws/metadata.go b/apis/hive/v1/aws/metadata.go
@@ -4,5 +4,7 @@ package aws
 type Metadata struct {
 	// HostedZoneRole is the role to assume when performing operations
 	// on a hosted zone owned by another account.
+	// Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+	// may stop populating this section in the future.
 	HostedZoneRole *string `json:"hostedZoneRole,omitempty"`
 }
diff --git a/apis/hive/v1/azure/metadata.go b/apis/hive/v1/azure/metadata.go
@@ -3,5 +3,7 @@ package azure
 // Metadata contains Azure metadata (e.g. for uninstalling the cluster).
 type Metadata struct {
 	// ResourceGroupName is the name of the resource group in which the cluster resources were created.
+	// Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+	// may stop populating this section in the future.
 	ResourceGroupName *string `json:"resourceGroupName"`
 }
diff --git a/apis/hive/v1/clusterdeployment_types.go b/apis/hive/v1/clusterdeployment_types.go
@@ -308,7 +308,13 @@ type ClusterMetadata struct {
 	// +optional
 	AdminPasswordSecretRef *corev1.LocalObjectReference `json:"adminPasswordSecretRef,omitempty"`
 
-	// Platform holds platform-specific cluster metadata
+	// MetadataJSONSecretRef references the secret containing the metadata.json emitted by the
+	// installer, potentially scrubbed for sensitive data.
+	MetadataJSONSecretRef *corev1.LocalObjectReference `json:"metadataJSONSecretRef,omitempty"`
+
+	// Platform holds platform-specific cluster metadata.
+	// Deprecated. Use the Secret referenced by MetadataJSONSecretRef instead. We may stop
+	// populating this section in the future.
 	// +optional
 	Platform *ClusterPlatformMetadata `json:"platform,omitempty"`
 }

diff --git a/apis/hive/v1/clusterdeprovision_types.go b/apis/hive/v1/clusterdeprovision_types.go
@@ -24,6 +24,10 @@ type ClusterDeprovisionSpec struct {
 	// BaseDomain is the DNS base domain.
 	BaseDomain string `json:"baseDomain,omitempty"`
 
+	// MetadataJSONSecretRef references the secret containing the metadata.json emitted by the
+	// installer, potentially scrubbed for sensitive data.
+	MetadataJSONSecretRef *corev1.LocalObjectReference `json:"metadataJSONSecretRef,omitempty"`
+
 	// Platform contains platform-specific configuration for a ClusterDeprovision
 	Platform ClusterDeprovisionPlatform `json:"platform,omitempty"`
 }

diff --git a/apis/hive/v1/gcp/metadata.go b/apis/hive/v1/gcp/metadata.go
@@ -3,6 +3,8 @@ package gcp
 // Metadata contains GCP metadata (e.g. for uninstalling the cluster).
 type Metadata struct {
 	// NetworkProjectID is used for shared VPC setups
+	// Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+	// may stop populating this section in the future.
 	// +optional
 	NetworkProjectID *string `json:"networkProjectID,omitempty"`
 }
diff --git a/apis/hive/v1/zz_generated.deepcopy.go b/apis/hive/v1/zz_generated.deepcopy.go
diff --git a/config/crds/hive.openshift.io_clusterdeployments.yaml b/config/crds/hive.openshift.io_clusterdeployments.yaml
@@ -180,8 +180,27 @@ spec:
                     infraID:
                       description: InfraID is an identifier for this cluster generated during installation and used for tagging/naming resources in cloud providers.
                       type: string
+                    metadataJSONSecretRef:
+                      description: |-
+                        MetadataJSONSecretRef references the secret containing the metadata.json emitted by the
+                        installer, potentially scrubbed for sensitive data.
+                      properties:
+                        name:
+                          default: ""
+                          description: |-
+                            Name of the referent.
+                            This field is effectively required, but due to backwards compatibility is
+                            allowed to be empty. Instances of this type with an empty value here are
+                            almost certainly wrong.
+                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                          type: string
+                      type: object
+                      x-kubernetes-map-type: atomic
                     platform:
-                      description: Platform holds platform-specific cluster metadata
+                      description: |-
+                        Platform holds platform-specific cluster metadata.
+                        Deprecated. Use the Secret referenced by MetadataJSONSecretRef instead. We may stop
+                        populating this section in the future.
                       properties:
                         aws:
                           description: AWS holds AWS-specific cluster metadata
@@ -190,13 +209,18 @@ spec:
                               description: |-
                                 HostedZoneRole is the role to assume when performing operations
                                 on a hosted zone owned by another account.
+                                Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+                                may stop populating this section in the future.
                               type: string
                           type: object
                         azure:
                           description: Azure holds azure-specific cluster metadata
                           properties:
                             resourceGroupName:
-                              description: ResourceGroupName is the name of the resource group in which the cluster resources were created.
+                              description: |-
+                                ResourceGroupName is the name of the resource group in which the cluster resources were created.
+                                Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+                                may stop populating this section in the future.
                               type: string
                           required:
                             - resourceGroupName
@@ -205,7 +229,10 @@ spec:
                           description: GCP holds GCP-specific cluster metadata
                           properties:
                             networkProjectID:
-                              description: NetworkProjectID is used for shared VPC setups
+                              description: |-
+                                NetworkProjectID is used for shared VPC setups
+                                Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+                                may stop populating this section in the future.
                               type: string
                           type: object
                       type: object

diff --git a/config/crds/hive.openshift.io_clusterdeprovisions.yaml b/config/crds/hive.openshift.io_clusterdeprovisions.yaml
@@ -68,6 +68,22 @@ spec:
                 infraID:
                   description: InfraID is the identifier generated during installation for a cluster. It is used for tagging/naming resources in cloud providers.
                   type: string
+                metadataJSONSecretRef:
+                  description: |-
+                    MetadataJSONSecretRef references the secret containing the metadata.json emitted by the
+                    installer, potentially scrubbed for sensitive data.
+                  properties:
+                    name:
+                      default: ""
+                      description: |-
+                        Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
                 platform:
                   description: Platform contains platform-specific configuration for a ClusterDeprovision
                   properties:

diff --git a/config/crds/hiveinternal.openshift.io_fakeclusterinstalls.yaml b/config/crds/hiveinternal.openshift.io_fakeclusterinstalls.yaml
@@ -92,8 +92,27 @@ spec:
                     infraID:
                       description: InfraID is an identifier for this cluster generated during installation and used for tagging/naming resources in cloud providers.
                       type: string
+                    metadataJSONSecretRef:
+                      description: |-
+                        MetadataJSONSecretRef references the secret containing the metadata.json emitted by the
+                        installer, potentially scrubbed for sensitive data.
+                      properties:
+                        name:
+                          default: ""
+                          description: |-
+                            Name of the referent.
+                            This field is effectively required, but due to backwards compatibility is
+                            allowed to be empty. Instances of this type with an empty value here are
+                            almost certainly wrong.
+                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                          type: string
+                      type: object
+                      x-kubernetes-map-type: atomic
                     platform:
-                      description: Platform holds platform-specific cluster metadata
+                      description: |-
+                        Platform holds platform-specific cluster metadata.
+                        Deprecated. Use the Secret referenced by MetadataJSONSecretRef instead. We may stop
+                        populating this section in the future.
                       properties:
                         aws:
                           description: AWS holds AWS-specific cluster metadata
@@ -102,13 +121,18 @@ spec:
                               description: |-
                                 HostedZoneRole is the role to assume when performing operations
                                 on a hosted zone owned by another account.
+                                Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+                                may stop populating this section in the future.
                               type: string
                           type: object
                         azure:
                           description: Azure holds azure-specific cluster metadata
                           properties:
                             resourceGroupName:
-                              description: ResourceGroupName is the name of the resource group in which the cluster resources were created.
+                              description: |-
+                                ResourceGroupName is the name of the resource group in which the cluster resources were created.
+                                Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+                                may stop populating this section in the future.
                               type: string
                           required:
                             - resourceGroupName
@@ -117,7 +141,10 @@ spec:
                           description: GCP holds GCP-specific cluster metadata
                           properties:
                             networkProjectID:
-                              description: NetworkProjectID is used for shared VPC setups
+                              description: |-
+                                NetworkProjectID is used for shared VPC setups
+                                Deprecated. Use the Secret referenced by ClusterMetadata.MetadataJSONSecretRef instead. We
+                                may stop populating this section in the future.
                               type: string
                           type: object
                       type: object

diff --git a/contrib/pkg/createcluster/create.go b/contrib/pkg/createcluster/create.go
@@ -158,6 +158,7 @@ type Options struct {
 	AdoptAdminKubeConfig              string
 	AdoptInfraID                      string
 	AdoptClusterID                    string
+	AdoptMetadataJSON                 string
 	AdoptAdminUsername                string
 	AdoptAdminPassword                string
 	MachineNetwork                    string
@@ -337,6 +338,7 @@ OpenShift Installer publishes all the services of the cluster like API server an
 	flags.StringVar(&opt.AdoptAdminKubeConfig, "adopt-admin-kubeconfig", "", "Path to a cluster admin kubeconfig file for a cluster being adopted. (required if using --adopt)")
 	flags.StringVar(&opt.AdoptInfraID, "adopt-infra-id", "", "Infrastructure ID for this cluster's cloud provider. (required if using --adopt)")
 	flags.StringVar(&opt.AdoptClusterID, "adopt-cluster-id", "", "Cluster UUID used for telemetry. (required if using --adopt)")
+	flags.StringVar(&opt.AdoptMetadataJSON, "adopt-metadata-json", "", "Path to a metadata.json file for a cluster being adopted. (optional)")
 	flags.StringVar(&opt.AdoptAdminUsername, "adopt-admin-username", "", "Username for cluster web console administrator. (optional)")
 	flags.StringVar(&opt.AdoptAdminPassword, "adopt-admin-password", "", "Password for cluster web console administrator. (optional)")
 
@@ -486,13 +488,19 @@ func (o *Options) Validate(cmd *cobra.Command) error {
 			return fmt.Errorf("--adopt-admin-kubeconfig does not exist: %s", o.AdoptAdminKubeConfig)
 		}
 
+		if o.AdoptMetadataJSON != "" {
+			if _, err := os.Stat(o.AdoptMetadataJSON); os.IsNotExist(err) {
+				return fmt.Errorf("--adopt-metadata-json does not exist: %s", o.AdoptMetadataJSON)
+			}
+		}
+
 		// Admin username and password must both be specified if either are.
 		if (o.AdoptAdminUsername != "" || o.AdoptAdminPassword != "") && !(o.AdoptAdminUsername != "" && o.AdoptAdminPassword != "") {
 			return fmt.Errorf("--adopt-admin-username and --adopt-admin-password must be used together")
 		}
 	} else {
-		if o.AdoptAdminKubeConfig != "" || o.AdoptInfraID != "" || o.AdoptClusterID != "" || o.AdoptAdminUsername != "" || o.AdoptAdminPassword != "" {
-			return fmt.Errorf("cannot use adoption options without --adopt: --adopt-admin-kube-config, --adopt-infra-id, --adopt-cluster-id, --adopt-admin-username, --adopt-admin-password")
+		if o.AdoptAdminKubeConfig != "" || o.AdoptInfraID != "" || o.AdoptClusterID != "" || o.AdoptMetadataJSON != "" || o.AdoptAdminUsername != "" || o.AdoptAdminPassword != "" {
+			return fmt.Errorf("cannot use adoption options without --adopt: --adopt-admin-kube-config, --adopt-infra-id, --adopt-cluster-id, --adopt-metadata-json, --adopt-admin-username, --adopt-admin-password")
 		}
 	}
 
@@ -638,6 +646,13 @@ func (o *Options) GenerateObjects() ([]runtime.Object, error) {
 		if err != nil {
 			return nil, err
 		}
+		if o.AdoptMetadataJSON != "" {
+			metadataJSONBytes, err := os.ReadFile(o.AdoptMetadataJSON)
+			if err != nil {
+				return nil, err
+			}
+			builder.AdoptMetadataJSON = metadataJSONBytes
+		}
 		builder.Adopt = o.Adopt
 		builder.AdoptInfraID = o.AdoptInfraID
 		builder.AdoptClusterID = o.AdoptClusterID

diff --git a/contrib/pkg/deprovision/awstagdeprovision.go b/contrib/pkg/deprovision/awstagdeprovision.go
@@ -13,7 +13,6 @@ import (
 )
 
 // NewDeprovisionAWSWithTagsCommand is the entrypoint to create the 'aws-tag-deprovision' subcommand
-// TODO: Port to a sub-command of deprovision.
 func NewDeprovisionAWSWithTagsCommand() *cobra.Command {
 	opt := &aws.ClusterUninstaller{}
 	var credsDir string
@@ -66,7 +65,7 @@ func completeAWSUninstaller(o *aws.ClusterUninstaller, logLevel string, args []s
 			"This is expected when in standalone mode. "+
 			"We expect to find your AWS credentials in one of the usual places.", err)
 	}
-	awsutils.ConfigureCreds(client)
+	awsutils.ConfigureCreds(client, nil)
 
 	return nil
 }

diff --git a/contrib/pkg/deprovision/azure.go b/contrib/pkg/deprovision/azure.go
@@ -23,8 +23,10 @@ type AzureOptions struct {
 }
 
 // NewDeprovisionAzureCommand is the entrypoint to create the azure deprovision subcommand
-func NewDeprovisionAzureCommand() *cobra.Command {
-	opt := &AzureOptions{}
+func NewDeprovisionAzureCommand(logLevel string) *cobra.Command {
+	opt := &AzureOptions{
+		logLevel: logLevel,
+	}
 	cmd := &cobra.Command{
 		Use:   "azure INFRAID [--azure-cloud-name CLOUDNAME] [--azure-resource-group-name RG] [--azure-base-domain-resource-group-name BDRG]",
 		Short: "Deprovision Azure assets (as created by openshift-installer)",
@@ -46,7 +48,6 @@ func NewDeprovisionAzureCommand() *cobra.Command {
 		},
 	}
 	flags := cmd.Flags()
-	flags.StringVar(&opt.logLevel, "loglevel", "info", "log level, one of: debug, info, warn, error, fatal, panic")
 	flags.StringVar(&opt.cloudName, "azure-cloud-name", installertypesazure.PublicCloud.Name(), "The name of the Azure cloud environment used to configure the Azure SDK")
 	flags.StringVar(&opt.resourceGroupName, "azure-resource-group-name", "", "The name of the custom Azure resource group in which the cluster was created when not using the default installer-created resource group")
 	flags.StringVar(&opt.baseDomainResourceGroupName, "azure-base-domain-resource-group-name", "", "The name of the custom Azure resource group in which the cluster's DNS records were created when not using the default installer-created resource group or custom resource group")
@@ -73,7 +74,7 @@ func (opt *AzureOptions) completeAzureUninstaller(args []string) (providers.Dest
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to get client")
 	}
-	azureutils.ConfigureCreds(client)
+	azureutils.ConfigureCreds(client, nil)
 
 	metadata := &types.ClusterMetadata{
 		InfraID: args[0],