open-cluster-management-io
diff --git a/‎deploy/cluster-manager/chart/cluster-manager/templates/cluster_role.yaml‎
Lines changed: 1 addition & 0 deletions b/‎deploy/cluster-manager/chart/cluster-manager/templates/cluster_role.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎deploy/cluster-manager/config/rbac/cluster_role.yaml‎
Lines changed: 1 addition & 0 deletions b/‎deploy/cluster-manager/config/rbac/cluster_role.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml‎
Lines changed: 2 additions & 1 deletion b/‎deploy/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎deploy/klusterlet/olm-catalog/latest/manifests/klusterlet.clusterserviceversion.yaml‎
Lines changed: 1 addition & 1 deletion b/‎deploy/klusterlet/olm-catalog/latest/manifests/klusterlet.clusterserviceversion.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎manifests/cluster-manager/hub/registration/clusterrole.yaml‎
Lines changed: 8 additions & 0 deletions b/‎manifests/cluster-manager/hub/registration/clusterrole.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎pkg/registration/hub/importer/importer.go‎
Lines changed: 14 additions & 5 deletions b/‎pkg/registration/hub/importer/importer.go‎
Lines changed: 14 additions & 5 deletions
diff --git a/‎pkg/registration/hub/importer/options/options.go‎
Lines changed: 55 additions & 5 deletions b/‎pkg/registration/hub/importer/options/options.go‎
Lines changed: 55 additions & 5 deletions
diff --git a/‎pkg/registration/hub/importer/options/options_test.go‎
Lines changed: 99 additions & 0 deletions b/‎pkg/registration/hub/importer/options/options_test.go‎
Lines changed: 99 additions & 0 deletions
diff --git a/‎pkg/registration/hub/importer/renderers.go‎
Lines changed: 32 additions & 4 deletions b/‎pkg/registration/hub/importer/renderers.go‎
Lines changed: 32 additions & 4 deletions
@@ -32,6 +32,7 @@ rules:
     - "work-driver-config"
     - "open-cluster-management-image-pull-credentials"
     - "grpc-server-serving-cert"
+    - "cluster-import-config"
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["create"]
 
@@ -34,6 +34,7 @@ rules:
     - "work-driver-config"
     - "open-cluster-management-image-pull-credentials"
     - "grpc-server-serving-cert"
+    - "cluster-import-config"
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["create"]
 
@@ -59,7 +59,7 @@ metadata:
     categories: Integration & Delivery,OpenShift Optional
     certified: "false"
     containerImage: quay.io/open-cluster-management/registration-operator:latest
-    createdAt: "2025-09-03T08:04:12Z"
+    createdAt: "2025-09-08T08:15:29Z"
     description: Manages the installation and upgrade of the ClusterManager.
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -158,6 +158,7 @@ spec:
           - work-driver-config
           - open-cluster-management-image-pull-credentials
           - grpc-server-serving-cert
+          - cluster-import-config
           resources:
           - secrets
           verbs:
 
@@ -31,7 +31,7 @@ metadata:
     categories: Integration & Delivery,OpenShift Optional
     certified: "false"
     containerImage: quay.io/open-cluster-management/registration-operator:latest
-    createdAt: "2025-09-03T08:04:12Z"
+    createdAt: "2025-09-08T08:15:29Z"
     description: Manages the installation and upgrade of the Klusterlet.
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
 
@@ -115,6 +115,14 @@ rules:
 - apiGroups: ["cluster.x-k8s.io"]
   resources: ["clusters"]
   verbs: ["get", "list", "watch"]
+  # Allow registration to render the klusterlet manifests from the cluster-import-config 
+  # or the iimage-pull-credentials secret when import a CAPI cluster.
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get"]
+  resourceNames:
+    - "open-cluster-management-image-pull-credentials"
+    - "cluster-import-config"
 {{end}}
 {{if .ClusterProfileEnabled}}
 # Allow hub to manage clusterprofile
 
@@ -39,8 +39,13 @@ import (
 )
 
 const (
-	kluterletNamespace              = "open-cluster-management-agent"
+	klusterletNamespace             = "open-cluster-management-agent"
 	ManagedClusterConditionImported = "ManagedClusterImportSucceeded"
+
+	// clusterImportConfigSecret is the name of the secret containing cluster import configuration
+	clusterImportConfigSecret = "cluster-import-config"
+	// valuesYamlKey is the key for the values.yaml data in the cluster import config secret
+	valuesYamlKey = "values.yaml"
 )
 
 var (
@@ -55,9 +60,13 @@ func init() {
 	utilruntime.Must(operatorv1.Install(genericScheme))
 }
 
-// KlusterletConfigRenderer renders the config for klusterlet chart.
+// KlusterletConfigRenderer renders config for the klusterlet chart.
+// Contract:
+// - Overlay onto the provided config and return it; do not replace it with a fresh struct.
+// - Preserve fields already populated by the caller unless explicitly overridden.
+// - Must return a non-nil config if err is nil.
 type KlusterletConfigRenderer func(
-	ctx context.Context, config *chart.KlusterletChartConfig) (*chart.KlusterletChartConfig, error)
+	ctx context.Context, cluster *v1.ManagedCluster, config *chart.KlusterletChartConfig) (*chart.KlusterletChartConfig, error)
 
 type Importer struct {
 	providers     []cloudproviders.Interface
@@ -186,7 +195,7 @@ func (i *Importer) reconcile(
 		},
 	}
 	for _, renderer := range i.renders {
-		klusterletChartConfig, err = renderer(ctx, klusterletChartConfig)
+		klusterletChartConfig, err = renderer(ctx, cluster, klusterletChartConfig)
 		if err != nil {
 			meta.SetStatusCondition(&cluster.Status.Conditions, metav1.Condition{
 				Type:   ManagedClusterConditionImported,
@@ -198,7 +207,7 @@ func (i *Importer) reconcile(
 			return cluster, err
 		}
 	}
-	crdObjs, rawObjs, err := chart.RenderKlusterletChart(klusterletChartConfig, kluterletNamespace)
+	crdObjs, rawObjs, err := chart.RenderKlusterletChart(klusterletChartConfig, klusterletNamespace)
 	if err != nil {
 		return cluster, err
 	}
 
@@ -1,16 +1,32 @@
 package options
 
-import "github.com/spf13/pflag"
+import (
+	"fmt"
+
+	"github.com/spf13/pflag"
+	"k8s.io/client-go/kubernetes"
+
+	"open-cluster-management.io/ocm/pkg/registration/hub/importer"
+)
 
 type Options struct {
-	APIServerURL string
-	AgentImage   string
-	BootstrapSA  string
+	APIServerURL      string
+	AgentImage        string
+	BootstrapSA       string
+	ImporterRenderers []string
 }
 
+const (
+	// RenderFromConfigSecret renders klusterlet manifests using configuration from a config secret named cluster-import-config
+	RenderFromConfigSecret string = "render-from-config-secret"
+	// RenderAuto renders klusterlet manifests using automatic configuration including bootstrap kubeconfig, agent image, and image pull secret
+	RenderAuto string = "render-auto"
+)
+
 func New() *Options {
 	return &Options{
-		BootstrapSA: "open-cluster-management/agent-registration-bootstrap",
+		BootstrapSA:       "open-cluster-management/agent-registration-bootstrap",
+		ImporterRenderers: []string{RenderFromConfigSecret},
 	}
 }
 
@@ -23,4 +39,38 @@ func (m *Options) AddFlags(fs *pflag.FlagSet) {
 			"image is needed.")
 	fs.StringVar(&m.BootstrapSA, "bootstrap-serviceaccount", m.BootstrapSA,
 		"Service account used to bootstrap the agent.")
+	fs.StringSliceVar(&m.ImporterRenderers, "import-renderers", m.ImporterRenderers,
+		"Ordered list of import renderers applied sequentially to render klusterlet manifests. "+
+			"Allowed: render-auto, render-from-config-secret. Later renderers may override earlier values.")
+}
+
+func GetImporterRenderers(options *Options, kubeClient kubernetes.Interface,
+	operatorNamespace string) ([]importer.KlusterletConfigRenderer, error) {
+	var renderers []importer.KlusterletConfigRenderer
+	if len(options.ImporterRenderers) == 0 {
+		renderers = append(renderers,
+			importer.RenderBootstrapHubKubeConfig(kubeClient, options.APIServerURL, options.BootstrapSA),
+			importer.RenderImage(options.AgentImage),
+			importer.RenderImagePullSecret(kubeClient, operatorNamespace),
+		)
+		return renderers, nil
+	}
+
+	for _, renderer := range options.ImporterRenderers {
+		switch renderer {
+		case RenderAuto:
+			renderers = append(renderers,
+				importer.RenderBootstrapHubKubeConfig(kubeClient, options.APIServerURL, options.BootstrapSA),
+				importer.RenderImage(options.AgentImage),
+				importer.RenderImagePullSecret(kubeClient, operatorNamespace),
+			)
+		case RenderFromConfigSecret:
+			renderers = append(renderers,
+				importer.RenderFromConfigSecret(kubeClient),
+			)
+		default:
+			return renderers, fmt.Errorf("unknown importer renderer %s", renderer)
+		}
+	}
+	return renderers, nil
 }
@@ -0,0 +1,99 @@
+package options
+
+import (
+	"testing"
+
+	"k8s.io/client-go/kubernetes"
+)
+
+func TestGetImporterRenderers(t *testing.T) {
+	type args struct {
+		options           *Options
+		operatorNamespace string
+	}
+	tests := []struct {
+		name       string
+		args       args
+		wantNum    int
+		wantErr    bool
+		wantErrMsg string
+	}{
+		{
+			name: "empty ImporterRenderers returns default renderers",
+			args: args{
+				options: &Options{
+					APIServerURL:      "https://hub.example.com",
+					AgentImage:        "test-image",
+					BootstrapSA:       "test-sa",
+					ImporterRenderers: []string{},
+				},
+				operatorNamespace: "test-ns",
+			},
+			wantNum: 3,
+			wantErr: false,
+		},
+		{
+			name: "ImporterRenderers contains RenderAuto",
+			args: args{
+				options: &Options{
+					APIServerURL:      "https://hub.example.com",
+					AgentImage:        "test-image",
+					BootstrapSA:       "test-sa",
+					ImporterRenderers: []string{RenderAuto},
+				},
+				operatorNamespace: "test-ns",
+			},
+			wantNum: 3,
+			wantErr: false,
+		},
+		{
+			name: "ImporterRenderers contains RenderFromConfigSecret",
+			args: args{
+				options: &Options{
+					ImporterRenderers: []string{RenderFromConfigSecret},
+				},
+				operatorNamespace: "test-ns",
+			},
+			wantNum: 1,
+			wantErr: false,
+		},
+		{
+			name: "ImporterRenderers contains unknown renderer",
+			args: args{
+				options: &Options{
+					ImporterRenderers: []string{"unknown-renderer"},
+				},
+				operatorNamespace: "test-ns",
+			},
+			wantNum:    0,
+			wantErr:    true,
+			wantErrMsg: "unknown importer renderer unknown-renderer",
+		},
+	}
+
+	// Use a nil kubeClient since the renderer functions do not call methods in these tests
+	var kubeClient kubernetes.Interface = nil
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			renderers, err := GetImporterRenderers(tt.args.options, kubeClient, tt.args.operatorNamespace)
+			if tt.wantErr {
+				if err == nil {
+					t.Errorf("expected error, got nil")
+				} else if tt.wantErrMsg != "" && err.Error() != tt.wantErrMsg {
+					t.Errorf("expected error message %q, got %q", tt.wantErrMsg, err.Error())
+				}
+				if len(renderers) != tt.wantNum {
+					t.Errorf("expected %d renderers, got %d", tt.wantNum, len(renderers))
+				}
+			} else {
+				if err != nil {
+					t.Errorf("unexpected error: %v", err)
+				}
+				if len(renderers) != tt.wantNum {
+					t.Errorf("expected %d renderers, got %d", tt.wantNum, len(renderers))
+				}
+			}
+		})
+	}
+}
@@ -14,6 +14,7 @@ import (
 	clientcmdapiv1 "k8s.io/client-go/tools/clientcmd/api/v1"
 	"k8s.io/utils/ptr"
 
+	v1 "open-cluster-management.io/api/cluster/v1"
 	sdkhelpers "open-cluster-management.io/sdk-go/pkg/helpers"
 
 	"open-cluster-management.io/ocm/pkg/operator/helpers/chart"
@@ -23,7 +24,7 @@ const imagePullSecretName = "open-cluster-management-image-pull-credentials"
 
 func RenderBootstrapHubKubeConfig(
 	kubeClient kubernetes.Interface, apiServerURL, bootstrapSA string) KlusterletConfigRenderer {
-	return func(ctx context.Context, config *chart.KlusterletChartConfig) (*chart.KlusterletChartConfig, error) {
+	return func(ctx context.Context, _ *v1.ManagedCluster, config *chart.KlusterletChartConfig) (*chart.KlusterletChartConfig, error) {
 		// get bootstrap token
 		bootstrapSANamespace, bootstrapSAName, err := cache.SplitMetaNamespaceKey(bootstrapSA)
 		if err != nil {
@@ -39,7 +40,7 @@ func RenderBootstrapHubKubeConfig(
 			}, metav1.CreateOptions{})
 		if err != nil {
 			return config, fmt.Errorf(
-				"failed to get token from sa %s/%s: %v", bootstrapSANamespace, bootstrapSA, err)
+				"failed to get token from sa %s/%s: %v", bootstrapSANamespace, bootstrapSAName, err)
 		}
 
 		// get apisever url
@@ -102,7 +103,7 @@ func RenderBootstrapHubKubeConfig(
 }
 
 func RenderImage(image string) KlusterletConfigRenderer {
-	return func(ctx context.Context, config *chart.KlusterletChartConfig) (*chart.KlusterletChartConfig, error) {
+	return func(ctx context.Context, _ *v1.ManagedCluster, config *chart.KlusterletChartConfig) (*chart.KlusterletChartConfig, error) {
 		if len(image) == 0 {
 			return config, nil
 		}
@@ -114,7 +115,7 @@ func RenderImage(image string) KlusterletConfigRenderer {
 }
 
 func RenderImagePullSecret(kubeClient kubernetes.Interface, namespace string) KlusterletConfigRenderer {
-	return func(ctx context.Context, config *chart.KlusterletChartConfig) (*chart.KlusterletChartConfig, error) {
+	return func(ctx context.Context, _ *v1.ManagedCluster, config *chart.KlusterletChartConfig) (*chart.KlusterletChartConfig, error) {
 		secret, err := kubeClient.CoreV1().Secrets(namespace).Get(ctx, imagePullSecretName, metav1.GetOptions{})
 		switch {
 		case errors.IsNotFound(err):
@@ -132,3 +133,30 @@ func RenderImagePullSecret(kubeClient kubernetes.Interface, namespace string) Kl
 		return config, nil
 	}
 }
+
+func RenderFromConfigSecret(kubeClient kubernetes.Interface) KlusterletConfigRenderer {
+	return func(ctx context.Context, cluster *v1.ManagedCluster,
+		config *chart.KlusterletChartConfig) (*chart.KlusterletChartConfig, error) {
+		if cluster == nil {
+			return nil, fmt.Errorf("cluster must not be nil")
+		}
+
+		configSecret, err := kubeClient.CoreV1().Secrets(cluster.Name).
+			Get(ctx, clusterImportConfigSecret, metav1.GetOptions{})
+		if err != nil {
+			return nil, err
+		}
+		valuesRaw := configSecret.Data[valuesYamlKey]
+		if len(valuesRaw) == 0 {
+			return nil, fmt.Errorf("no values found in secret %s/%s in namespace %s",
+				clusterImportConfigSecret, valuesYamlKey, cluster.Name)
+		}
+
+		err = yaml.Unmarshal(valuesRaw, config)
+		if err != nil {
+			return nil, fmt.Errorf("the values in the cluster import config secret is invalid: %v", err)
+		}
+
+		return config, nil
+	}
+}