[Feature] Global image pull secrets injection (#1196)

[yansun1996]

Motivation

Add Global Image Pull Secrets Support

Summary

Adds global.imagePullSecrets field to configure image pull secrets once and automatically apply them across all GPU operator components. Simplifies deployment in air-gapped environments and with private registries.

Motivation

Previously, users needed to configure image pull secrets individually for 10+ components (controller, hooks, DeviceConfig components, KMM, NFD). This was verbose, error-prone, and difficult to manage during secret rotation.

Changes

CRD

• Added spec.commonConfig.imageRegistrySecrets field (array type)
• Automatically applied to all operator-managed components

Controller

• Updated 6 component handlers (plugin, metrics exporter, test runner, config manager, node labeller) to merge global + component-specific secrets
• Enhanced secret watching to trigger reconciliation on global secret updates

Helm Chart

• Added global.imagePullSecrets field in values.yaml
• Applied to: controller deployment, remediation deployment, all hooks (pre-upgrade, pre-delete, post-delete)
• Updated default DeviceConfig template to pass global secrets to CR

KMM Subchart

• Automatically inherits global secrets for controller/webhook deployments
• Builder/signer/worker images use first global secret as fallback

Hack Templates

• Applied identical changes to source templates in hack/k8s-patch/ (9 files)

Documentation & Testing

• Added installation guide and examples to docs
• Added TestGlobalImagePullSecrets E2E test

Usage

Basic:

helm install amd-gpu-operator . \
  --set global.imagePullSecrets[0].name=my-secret

Technical Details

Test Plan

Added 2 new e2e test cases to verify that the global image pull secrets could be forwarded correctly.

Test Result

Submission Checklist

• Look over the contributing guidelines at https://github.com/ROCm/ROCm/blob/develop/CONTRIBUTING.md#pull-requests.