introduce internal registry

api/v1alpha1/imagebuild_types.go

@@ -120,6 +120,10 @@ type ExportSpec struct {
 	// Container is the OCI registry URL to push the bootc container image
 	Container string `json:"container,omitempty"`
 
+	// UseServiceAccountAuth indicates the build should authenticate to the registry
+	// using a service account token instead of explicit credentials
+	UseServiceAccountAuth bool `json:"useServiceAccountAuth,omitempty"`
+
 	// Disk contains configuration for disk image export
 	Disk *DiskExport `json:"disk,omitempty"`
 }
@@ -322,6 +326,11 @@ func (s *ImageBuildSpec) GetExportOCI() string {
 	return ""
 }
 
+// GetUseServiceAccountAuth returns whether service account auth is enabled for registry push
+func (s *ImageBuildSpec) GetUseServiceAccountAuth() bool {
+	return s.Export != nil && s.Export.UseServiceAccountAuth
+}
+
 // HasDiskExport returns true if any disk export is configured
 // Includes backward compatibility for legacy ImageBuilds
 func (s *ImageBuildSpec) HasDiskExport() bool {

cmd/caib/README.md

@@ -77,7 +77,7 @@ bin/caib build <manifest.aib.yml> [flags]
 **Required flags:**
 | Flag | Description |
 |------|-------------|
-| `--push` | Push bootc container to registry (e.g., `quay.io/org/image:tag`) |
+| `--push` or `--internal-registry` | Push destination (external registry URL or OpenShift internal registry) |
 
 **Optional flags:**
 | Flag | Default | Description |
@@ -100,6 +100,9 @@ bin/caib build <manifest.aib.yml> [flags]
 | `--timeout` | `60` | Timeout in minutes |
 | `-w`, `--wait` | `false` | Wait for build to complete |
 | `-f`, `--follow` | `false` | Follow build logs |
+| `--internal-registry` | `false` | Push to OpenShift internal registry (no credentials needed) |
+| `--image-name` | (build name) | Override image name in internal registry |
+| `--image-tag` | (build name) | Override tag in internal registry |
 
 **Examples:**
 
@@ -120,6 +123,27 @@ bin/caib build my-manifest.aib.yml \
   -o ./my-image.qcow2 \
   --follow
 
+# Push to OpenShift internal registry (no credentials required)
+bin/caib build my-manifest.aib.yml \
+  --arch arm64 \
+  --internal-registry \
+  --follow
+
+# Internal registry with custom image name and tag
+bin/caib build my-manifest.aib.yml \
+  --arch arm64 \
+  --internal-registry \
+  --image-name my-automotive-os \
+  --image-tag v1.0 \
+  --follow
+
+# Internal registry with disk image
+bin/caib build my-manifest.aib.yml \
+  --arch arm64 \
+  --internal-registry \
+  --disk \
+  --follow
+
 # Use custom builder image
 bin/caib build my-manifest.aib.yml \
   --arch amd64 \
@@ -275,6 +299,10 @@ For registry authentication (`--push`, `--push-disk`):
 1. `REGISTRY_USERNAME` / `REGISTRY_PASSWORD` environment variables
 2. Docker/Podman auth files (`~/.docker/config.json`, `~/.config/containers/auth.json`)
 
+For the OpenShift internal registry (`--internal-registry`):
+
+No credentials are needed. The system automatically creates a short-lived service account token for the `pipeline` SA and uses it to authenticate to the internal registry. The `pipeline` SA must have `registry-editor` permissions (applied automatically by the operator's RBAC).
+
 ## Manifest File References
 
 The CLI automatically handles local file references in manifests. Relative paths in `source_path` are uploaded to the build workspace.