diff --git a/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfig.go b/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfig.go
new file mode 100644
index 000000000..221728dca
--- /dev/null
+++ b/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfig.go
@@ -0,0 +1,263 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	configv1alpha1 "github.com/openshift/api/config/v1alpha1"
+	internal "github.com/openshift/client-go/config/applyconfigurations/internal"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CRIOCredentialProviderConfigApplyConfiguration represents a declarative configuration of the CRIOCredentialProviderConfig type for use
+// with apply.
+type CRIOCredentialProviderConfigApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	Spec                             *CRIOCredentialProviderConfigSpecApplyConfiguration   `json:"spec,omitempty"`
+	Status                           *CRIOCredentialProviderConfigStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// CRIOCredentialProviderConfig constructs a declarative configuration of the CRIOCredentialProviderConfig type for use with
+// apply.
+func CRIOCredentialProviderConfig(name string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b := &CRIOCredentialProviderConfigApplyConfiguration{}
+	b.WithName(name)
+	b.WithKind("CRIOCredentialProviderConfig")
+	b.WithAPIVersion("config.openshift.io/v1alpha1")
+	return b
+}
+
+// ExtractCRIOCredentialProviderConfig extracts the applied configuration owned by fieldManager from
+// cRIOCredentialProviderConfig. If no managedFields are found in cRIOCredentialProviderConfig for fieldManager, a
+// CRIOCredentialProviderConfigApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// cRIOCredentialProviderConfig must be a unmodified CRIOCredentialProviderConfig API object that was retrieved from the Kubernetes API.
+// ExtractCRIOCredentialProviderConfig provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+// Experimental!
+func ExtractCRIOCredentialProviderConfig(cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, fieldManager string) (*CRIOCredentialProviderConfigApplyConfiguration, error) {
+	return extractCRIOCredentialProviderConfig(cRIOCredentialProviderConfig, fieldManager, "")
+}
+
+// ExtractCRIOCredentialProviderConfigStatus is the same as ExtractCRIOCredentialProviderConfig except
+// that it extracts the status subresource applied configuration.
+// Experimental!
+func ExtractCRIOCredentialProviderConfigStatus(cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, fieldManager string) (*CRIOCredentialProviderConfigApplyConfiguration, error) {
+	return extractCRIOCredentialProviderConfig(cRIOCredentialProviderConfig, fieldManager, "status")
+}
+
+func extractCRIOCredentialProviderConfig(cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, fieldManager string, subresource string) (*CRIOCredentialProviderConfigApplyConfiguration, error) {
+	b := &CRIOCredentialProviderConfigApplyConfiguration{}
+	err := managedfields.ExtractInto(cRIOCredentialProviderConfig, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfig"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(cRIOCredentialProviderConfig.Name)
+
+	b.WithKind("CRIOCredentialProviderConfig")
+	b.WithAPIVersion("config.openshift.io/v1alpha1")
+	return b, nil
+}
+func (b CRIOCredentialProviderConfigApplyConfiguration) IsApplyConfiguration() {}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithKind(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.TypeMetaApplyConfiguration.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithAPIVersion(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.TypeMetaApplyConfiguration.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithName(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithGenerateName(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithNamespace(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithUID(value types.UID) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithResourceVersion(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithGeneration(value int64) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithLabels(entries map[string]string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithAnnotations(entries map[string]string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithFinalizers(values ...string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *CRIOCredentialProviderConfigApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithSpec(value *CRIOCredentialProviderConfigSpecApplyConfiguration) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithStatus(value *CRIOCredentialProviderConfigStatusApplyConfiguration) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.Status = value
+	return b
+}
+
+// GetKind retrieves the value of the Kind field in the declarative configuration.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) GetKind() *string {
+	return b.TypeMetaApplyConfiguration.Kind
+}
+
+// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) GetAPIVersion() *string {
+	return b.TypeMetaApplyConfiguration.APIVersion
+}
+
+// GetName retrieves the value of the Name field in the declarative configuration.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) GetName() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Name
+}
+
+// GetNamespace retrieves the value of the Namespace field in the declarative configuration.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) GetNamespace() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Namespace
+}
diff --git a/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigspec.go b/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigspec.go
new file mode 100644
index 000000000..e6588c608
--- /dev/null
+++ b/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigspec.go
@@ -0,0 +1,29 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	configv1alpha1 "github.com/openshift/api/config/v1alpha1"
+)
+
+// CRIOCredentialProviderConfigSpecApplyConfiguration represents a declarative configuration of the CRIOCredentialProviderConfigSpec type for use
+// with apply.
+type CRIOCredentialProviderConfigSpecApplyConfiguration struct {
+	MatchImages []configv1alpha1.MatchImage `json:"matchImages,omitempty"`
+}
+
+// CRIOCredentialProviderConfigSpecApplyConfiguration constructs a declarative configuration of the CRIOCredentialProviderConfigSpec type for use with
+// apply.
+func CRIOCredentialProviderConfigSpec() *CRIOCredentialProviderConfigSpecApplyConfiguration {
+	return &CRIOCredentialProviderConfigSpecApplyConfiguration{}
+}
+
+// WithMatchImages adds the given value to the MatchImages field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the MatchImages field.
+func (b *CRIOCredentialProviderConfigSpecApplyConfiguration) WithMatchImages(values ...configv1alpha1.MatchImage) *CRIOCredentialProviderConfigSpecApplyConfiguration {
+	for i := range values {
+		b.MatchImages = append(b.MatchImages, values[i])
+	}
+	return b
+}
diff --git a/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigstatus.go b/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigstatus.go
new file mode 100644
index 000000000..a243b281d
--- /dev/null
+++ b/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigstatus.go
@@ -0,0 +1,32 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CRIOCredentialProviderConfigStatusApplyConfiguration represents a declarative configuration of the CRIOCredentialProviderConfigStatus type for use
+// with apply.
+type CRIOCredentialProviderConfigStatusApplyConfiguration struct {
+	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+}
+
+// CRIOCredentialProviderConfigStatusApplyConfiguration constructs a declarative configuration of the CRIOCredentialProviderConfigStatus type for use with
+// apply.
+func CRIOCredentialProviderConfigStatus() *CRIOCredentialProviderConfigStatusApplyConfiguration {
+	return &CRIOCredentialProviderConfigStatusApplyConfiguration{}
+}
+
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *CRIOCredentialProviderConfigStatusApplyConfiguration) WithConditions(values ...*v1.ConditionApplyConfiguration) *CRIOCredentialProviderConfigStatusApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithConditions")
+		}
+		b.Conditions = append(b.Conditions, *values[i])
+	}
+	return b
+}
diff --git a/config/applyconfigurations/internal/internal.go b/config/applyconfigurations/internal/internal.go
index 0d49eb95f..5eec79f5b 100644
--- a/config/applyconfigurations/internal/internal.go
+++ b/config/applyconfigurations/internal/internal.go
@@ -4042,6 +4042,46 @@ var schemaYAML = typed.YAMLObject(`types:
         elementType:
           namedType: __untyped_deduced_
         elementRelationship: separable
+- name: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfig
+  map:
+    fields:
+    - name: apiVersion
+      type:
+        scalar: string
+    - name: kind
+      type:
+        scalar: string
+    - name: metadata
+      type:
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+      default: {}
+    - name: spec
+      type:
+        namedType: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigSpec
+      default: {}
+    - name: status
+      type:
+        namedType: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigStatus
+- name: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigSpec
+  map:
+    fields:
+    - name: matchImages
+      type:
+        list:
+          elementType:
+            scalar: string
+          elementRelationship: associative
+- name: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigStatus
+  map:
+    fields:
+    - name: conditions
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition
+          elementRelationship: associative
+          keys:
+          - type
 - name: com.github.openshift.api.config.v1alpha1.ClusterImagePolicy
   map:
     fields:
diff --git a/config/applyconfigurations/utils.go b/config/applyconfigurations/utils.go
index 048895c11..c84b5b8e4 100644
--- a/config/applyconfigurations/utils.go
+++ b/config/applyconfigurations/utils.go
@@ -476,6 +476,12 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &configv1alpha1.ClusterMonitoringSpecApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("ContainerResource"):
 		return &configv1alpha1.ContainerResourceApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CRIOCredentialProviderConfig"):
+		return &configv1alpha1.CRIOCredentialProviderConfigApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CRIOCredentialProviderConfigSpec"):
+		return &configv1alpha1.CRIOCredentialProviderConfigSpecApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CRIOCredentialProviderConfigStatus"):
+		return &configv1alpha1.CRIOCredentialProviderConfigStatusApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("EtcdBackupSpec"):
 		return &configv1alpha1.EtcdBackupSpecApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("FulcioCAWithRekor"):
diff --git a/config/clientset/versioned/typed/config/v1alpha1/config_client.go b/config/clientset/versioned/typed/config/v1alpha1/config_client.go
index 2530a4a64..58cf671dc 100644
--- a/config/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/config/clientset/versioned/typed/config/v1alpha1/config_client.go
@@ -13,6 +13,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	BackupsGetter
+	CRIOCredentialProviderConfigsGetter
 	ClusterImagePoliciesGetter
 	ClusterMonitoringsGetter
 	ImagePoliciesGetter
@@ -28,6 +29,10 @@ func (c *ConfigV1alpha1Client) Backups() BackupInterface {
 	return newBackups(c)
 }
 
+func (c *ConfigV1alpha1Client) CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInterface {
+	return newCRIOCredentialProviderConfigs(c)
+}
+
 func (c *ConfigV1alpha1Client) ClusterImagePolicies() ClusterImagePolicyInterface {
 	return newClusterImagePolicies(c)
 }
diff --git a/config/clientset/versioned/typed/config/v1alpha1/criocredentialproviderconfig.go b/config/clientset/versioned/typed/config/v1alpha1/criocredentialproviderconfig.go
new file mode 100644
index 000000000..3c4962155
--- /dev/null
+++ b/config/clientset/versioned/typed/config/v1alpha1/criocredentialproviderconfig.go
@@ -0,0 +1,62 @@
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	context "context"
+
+	configv1alpha1 "github.com/openshift/api/config/v1alpha1"
+	applyconfigurationsconfigv1alpha1 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1"
+	scheme "github.com/openshift/client-go/config/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	gentype "k8s.io/client-go/gentype"
+)
+
+// CRIOCredentialProviderConfigsGetter has a method to return a CRIOCredentialProviderConfigInterface.
+// A group's client should implement this interface.
+type CRIOCredentialProviderConfigsGetter interface {
+	CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInterface
+}
+
+// CRIOCredentialProviderConfigInterface has methods to work with CRIOCredentialProviderConfig resources.
+type CRIOCredentialProviderConfigInterface interface {
+	Create(ctx context.Context, cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, opts v1.CreateOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+	Update(ctx context.Context, cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, opts v1.UpdateOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+	UpdateStatus(ctx context.Context, cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, opts v1.UpdateOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+	List(ctx context.Context, opts v1.ListOptions) (*configv1alpha1.CRIOCredentialProviderConfigList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *configv1alpha1.CRIOCredentialProviderConfig, err error)
+	Apply(ctx context.Context, cRIOCredentialProviderConfig *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration, opts v1.ApplyOptions) (result *configv1alpha1.CRIOCredentialProviderConfig, err error)
+	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+	ApplyStatus(ctx context.Context, cRIOCredentialProviderConfig *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration, opts v1.ApplyOptions) (result *configv1alpha1.CRIOCredentialProviderConfig, err error)
+	CRIOCredentialProviderConfigExpansion
+}
+
+// cRIOCredentialProviderConfigs implements CRIOCredentialProviderConfigInterface
+type cRIOCredentialProviderConfigs struct {
+	*gentype.ClientWithListAndApply[*configv1alpha1.CRIOCredentialProviderConfig, *configv1alpha1.CRIOCredentialProviderConfigList, *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration]
+}
+
+// newCRIOCredentialProviderConfigs returns a CRIOCredentialProviderConfigs
+func newCRIOCredentialProviderConfigs(c *ConfigV1alpha1Client) *cRIOCredentialProviderConfigs {
+	return &cRIOCredentialProviderConfigs{
+		gentype.NewClientWithListAndApply[*configv1alpha1.CRIOCredentialProviderConfig, *configv1alpha1.CRIOCredentialProviderConfigList, *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration](
+			"criocredentialproviderconfigs",
+			c.RESTClient(),
+			scheme.ParameterCodec,
+			"",
+			func() *configv1alpha1.CRIOCredentialProviderConfig {
+				return &configv1alpha1.CRIOCredentialProviderConfig{}
+			},
+			func() *configv1alpha1.CRIOCredentialProviderConfigList {
+				return &configv1alpha1.CRIOCredentialProviderConfigList{}
+			},
+		),
+	}
+}
diff --git a/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
index dd57e4a2c..e807c2314 100644
--- a/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
+++ b/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
@@ -16,6 +16,10 @@ func (c *FakeConfigV1alpha1) Backups() v1alpha1.BackupInterface {
 	return newFakeBackups(c)
 }
 
+func (c *FakeConfigV1alpha1) CRIOCredentialProviderConfigs() v1alpha1.CRIOCredentialProviderConfigInterface {
+	return newFakeCRIOCredentialProviderConfigs(c)
+}
+
 func (c *FakeConfigV1alpha1) ClusterImagePolicies() v1alpha1.ClusterImagePolicyInterface {
 	return newFakeClusterImagePolicies(c)
 }
diff --git a/config/clientset/versioned/typed/config/v1alpha1/fake/fake_criocredentialproviderconfig.go b/config/clientset/versioned/typed/config/v1alpha1/fake/fake_criocredentialproviderconfig.go
new file mode 100644
index 000000000..588ce179c
--- /dev/null
+++ b/config/clientset/versioned/typed/config/v1alpha1/fake/fake_criocredentialproviderconfig.go
@@ -0,0 +1,37 @@
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "github.com/openshift/api/config/v1alpha1"
+	configv1alpha1 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1"
+	typedconfigv1alpha1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1"
+	gentype "k8s.io/client-go/gentype"
+)
+
+// fakeCRIOCredentialProviderConfigs implements CRIOCredentialProviderConfigInterface
+type fakeCRIOCredentialProviderConfigs struct {
+	*gentype.FakeClientWithListAndApply[*v1alpha1.CRIOCredentialProviderConfig, *v1alpha1.CRIOCredentialProviderConfigList, *configv1alpha1.CRIOCredentialProviderConfigApplyConfiguration]
+	Fake *FakeConfigV1alpha1
+}
+
+func newFakeCRIOCredentialProviderConfigs(fake *FakeConfigV1alpha1) typedconfigv1alpha1.CRIOCredentialProviderConfigInterface {
+	return &fakeCRIOCredentialProviderConfigs{
+		gentype.NewFakeClientWithListAndApply[*v1alpha1.CRIOCredentialProviderConfig, *v1alpha1.CRIOCredentialProviderConfigList, *configv1alpha1.CRIOCredentialProviderConfigApplyConfiguration](
+			fake.Fake,
+			"",
+			v1alpha1.SchemeGroupVersion.WithResource("criocredentialproviderconfigs"),
+			v1alpha1.SchemeGroupVersion.WithKind("CRIOCredentialProviderConfig"),
+			func() *v1alpha1.CRIOCredentialProviderConfig { return &v1alpha1.CRIOCredentialProviderConfig{} },
+			func() *v1alpha1.CRIOCredentialProviderConfigList { return &v1alpha1.CRIOCredentialProviderConfigList{} },
+			func(dst, src *v1alpha1.CRIOCredentialProviderConfigList) { dst.ListMeta = src.ListMeta },
+			func(list *v1alpha1.CRIOCredentialProviderConfigList) []*v1alpha1.CRIOCredentialProviderConfig {
+				return gentype.ToPointerSlice(list.Items)
+			},
+			func(list *v1alpha1.CRIOCredentialProviderConfigList, items []*v1alpha1.CRIOCredentialProviderConfig) {
+				list.Items = gentype.FromPointerSlice(items)
+			},
+		),
+		fake,
+	}
+}
diff --git a/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
index ab5198cce..9f530ae22 100644
--- a/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@@ -4,6 +4,8 @@ package v1alpha1
 
 type BackupExpansion interface{}
 
+type CRIOCredentialProviderConfigExpansion interface{}
+
 type ClusterImagePolicyExpansion interface{}
 
 type ClusterMonitoringExpansion interface{}
diff --git a/config/informers/externalversions/config/v1alpha1/criocredentialproviderconfig.go b/config/informers/externalversions/config/v1alpha1/criocredentialproviderconfig.go
new file mode 100644
index 000000000..b349ee0ed
--- /dev/null
+++ b/config/informers/externalversions/config/v1alpha1/criocredentialproviderconfig.go
@@ -0,0 +1,85 @@
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	context "context"
+	time "time"
+
+	apiconfigv1alpha1 "github.com/openshift/api/config/v1alpha1"
+	versioned "github.com/openshift/client-go/config/clientset/versioned"
+	internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces"
+	configv1alpha1 "github.com/openshift/client-go/config/listers/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// CRIOCredentialProviderConfigInformer provides access to a shared informer and lister for
+// CRIOCredentialProviderConfigs.
+type CRIOCredentialProviderConfigInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() configv1alpha1.CRIOCredentialProviderConfigLister
+}
+
+type cRIOCredentialProviderConfigInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// NewCRIOCredentialProviderConfigInformer constructs a new informer for CRIOCredentialProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewCRIOCredentialProviderConfigInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredCRIOCredentialProviderConfigInformer(client, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredCRIOCredentialProviderConfigInformer constructs a new informer for CRIOCredentialProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredCRIOCredentialProviderConfigInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().List(context.Background(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().Watch(context.Background(), options)
+			},
+			ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().List(ctx, options)
+			},
+			WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().Watch(ctx, options)
+			},
+		},
+		&apiconfigv1alpha1.CRIOCredentialProviderConfig{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *cRIOCredentialProviderConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredCRIOCredentialProviderConfigInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *cRIOCredentialProviderConfigInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&apiconfigv1alpha1.CRIOCredentialProviderConfig{}, f.defaultInformer)
+}
+
+func (f *cRIOCredentialProviderConfigInformer) Lister() configv1alpha1.CRIOCredentialProviderConfigLister {
+	return configv1alpha1.NewCRIOCredentialProviderConfigLister(f.Informer().GetIndexer())
+}
diff --git a/config/informers/externalversions/config/v1alpha1/interface.go b/config/informers/externalversions/config/v1alpha1/interface.go
index 893d2db0a..10cc930b8 100644
--- a/config/informers/externalversions/config/v1alpha1/interface.go
+++ b/config/informers/externalversions/config/v1alpha1/interface.go
@@ -10,6 +10,8 @@ import (
 type Interface interface {
 	// Backups returns a BackupInformer.
 	Backups() BackupInformer
+	// CRIOCredentialProviderConfigs returns a CRIOCredentialProviderConfigInformer.
+	CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInformer
 	// ClusterImagePolicies returns a ClusterImagePolicyInformer.
 	ClusterImagePolicies() ClusterImagePolicyInformer
 	// ClusterMonitorings returns a ClusterMonitoringInformer.
@@ -36,6 +38,11 @@ func (v *version) Backups() BackupInformer {
 	return &backupInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
 }
 
+// CRIOCredentialProviderConfigs returns a CRIOCredentialProviderConfigInformer.
+func (v *version) CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInformer {
+	return &cRIOCredentialProviderConfigInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
+}
+
 // ClusterImagePolicies returns a ClusterImagePolicyInformer.
 func (v *version) ClusterImagePolicies() ClusterImagePolicyInformer {
 	return &clusterImagePolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
diff --git a/config/informers/externalversions/generic.go b/config/informers/externalversions/generic.go
index 59c98ea77..1f715d637 100644
--- a/config/informers/externalversions/generic.go
+++ b/config/informers/externalversions/generic.go
@@ -89,6 +89,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		// Group=config.openshift.io, Version=v1alpha1
 	case v1alpha1.SchemeGroupVersion.WithResource("backups"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().Backups().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("criocredentialproviderconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CRIOCredentialProviderConfigs().Informer()}, nil
 	case v1alpha1.SchemeGroupVersion.WithResource("clusterimagepolicies"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().ClusterImagePolicies().Informer()}, nil
 	case v1alpha1.SchemeGroupVersion.WithResource("clustermonitorings"):
diff --git a/config/listers/config/v1alpha1/criocredentialproviderconfig.go b/config/listers/config/v1alpha1/criocredentialproviderconfig.go
new file mode 100644
index 000000000..cc5dfa388
--- /dev/null
+++ b/config/listers/config/v1alpha1/criocredentialproviderconfig.go
@@ -0,0 +1,32 @@
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	configv1alpha1 "github.com/openshift/api/config/v1alpha1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	listers "k8s.io/client-go/listers"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// CRIOCredentialProviderConfigLister helps list CRIOCredentialProviderConfigs.
+// All objects returned here must be treated as read-only.
+type CRIOCredentialProviderConfigLister interface {
+	// List lists all CRIOCredentialProviderConfigs in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*configv1alpha1.CRIOCredentialProviderConfig, err error)
+	// Get retrieves the CRIOCredentialProviderConfig from the index for a given name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+	CRIOCredentialProviderConfigListerExpansion
+}
+
+// cRIOCredentialProviderConfigLister implements the CRIOCredentialProviderConfigLister interface.
+type cRIOCredentialProviderConfigLister struct {
+	listers.ResourceIndexer[*configv1alpha1.CRIOCredentialProviderConfig]
+}
+
+// NewCRIOCredentialProviderConfigLister returns a new CRIOCredentialProviderConfigLister.
+func NewCRIOCredentialProviderConfigLister(indexer cache.Indexer) CRIOCredentialProviderConfigLister {
+	return &cRIOCredentialProviderConfigLister{listers.New[*configv1alpha1.CRIOCredentialProviderConfig](indexer, configv1alpha1.Resource("criocredentialproviderconfig"))}
+}
diff --git a/config/listers/config/v1alpha1/expansion_generated.go b/config/listers/config/v1alpha1/expansion_generated.go
index 09b4d206d..75ba32823 100644
--- a/config/listers/config/v1alpha1/expansion_generated.go
+++ b/config/listers/config/v1alpha1/expansion_generated.go
@@ -6,6 +6,10 @@ package v1alpha1
 // BackupLister.
 type BackupListerExpansion interface{}
 
+// CRIOCredentialProviderConfigListerExpansion allows custom methods to be added to
+// CRIOCredentialProviderConfigLister.
+type CRIOCredentialProviderConfigListerExpansion interface{}
+
 // ClusterImagePolicyListerExpansion allows custom methods to be added to
 // ClusterImagePolicyLister.
 type ClusterImagePolicyListerExpansion interface{}
diff --git a/go.mod b/go.mod
index b673dfbeb..000bd36e1 100644
--- a/go.mod
+++ b/go.mod
@@ -66,3 +66,5 @@ retract v3.9.0+incompatible
 // To make go aware of the retraction, we need to tag a new version that can be
 // retracted by itself.
 retract v0.0.1
+
+replace github.com/openshift/api => github.com/QiWang19/api v0.0.0-20251204232509-5086a5249b02
diff --git a/go.sum b/go.sum
index 96df6fd37..1cbe034e0 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,5 @@
+github.com/QiWang19/api v0.0.0-20251204232509-5086a5249b02 h1:AatkJOk7B+A66PUpR02ZvtEafkaL8Mzn9vC6wqJrOgo=
+github.com/QiWang19/api v0.0.0-20251204232509-5086a5249b02/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -57,8 +59,6 @@ github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM
 github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
 github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
 github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/api v0.0.0-20251204164930-cd2e40c5883a h1:v/W0YkbADTv9bfubadSNIOftvDIA/JwN8zaK79K5Wyc=
-github.com/openshift/api v0.0.0-20251204164930-cd2e40c5883a/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee h1:+Sp5GGnjHDhT/a/nQ1xdp43UscBMr7G5wxsYotyhzJ4=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/register.go b/vendor/github.com/openshift/api/config/v1alpha1/register.go
index 4b30ea380..c90962495 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/register.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/register.go
@@ -40,6 +40,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ImagePolicyList{},
 		&ClusterImagePolicy{},
 		&ClusterImagePolicyList{},
+		&CRIOCredentialProviderConfig{},
+		&CRIOCredentialProviderConfigList{},
 	)
 	metav1.AddToGroupVersion(scheme, GroupVersion)
 	return nil
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go b/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go
new file mode 100644
index 000000000..6abdb2123
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go
@@ -0,0 +1,179 @@
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is "cluster". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+// For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+// CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+// Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.
+//
+// The resource is a singleton named "cluster".
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=criocredentialproviderconfigs,scope=Cluster
+// +kubebuilder:subresource:status
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1929
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +openshift:enable:FeatureGate=CRIOCredentialProviderConfig
+// +openshift:compatibility-gen:level=4
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'cluster'",message="criocredentialproviderconfig is a singleton, .metadata.name must be 'cluster'"
+type CRIOCredentialProviderConfig struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata"`
+
+	// spec defines the desired configuration of the CRI-O Credential Provider.
+	// This field is required and must be provided when creating the resource.
+	// +required
+	Spec CRIOCredentialProviderConfigSpec `json:"spec,omitzero"`
+
+	// status represents the current state of the CRIOCredentialProviderConfig.
+	// When omitted or nil, it indicates that the status has not yet been set by the controller.
+	// The controller will populate this field with validation conditions and operational state.
+	// +optional
+	Status *CRIOCredentialProviderConfigStatus `json:"status,omitempty"`
+}
+
+// CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.
+type CRIOCredentialProviderConfigSpec struct {
+	// matchImages is a required list of string patterns used to determine whether
+	// the CRI-O credential provider should be invoked for a given image. This list is
+	// passed to the kubelet CredentialProviderConfig, and if any pattern matches
+	// the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+	// that image or its mirrors.
+	//
+	// This field is required and must contain between 1 and 50 entries.
+	// The list is treated as a set, so duplicate entries are not allowed.
+	//
+	// For more details, see:
+	// - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+	// - https://github.com/cri-o/crio-credential-provider#architecture
+	//
+	// Each entry in matchImages is a pattern which can optionally contain a port and a path. Each entry no longer than 512 characters.
+	// Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+	// and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+	// A global wildcard '*' (matching any domain) is not allowed.
+	// Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path.
+	// For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not.
+	// Each wildcard matches only a single domain label,
+	// so '*.io' does **not** match '*.k8s.io'.
+	//
+	// A match exists between an image and a matchImage when all of the below are true:
+	// Both contain the same number of domain parts and each part matches.
+	// The URL path of an matchImages must be a prefix of the target image URL path.
+	// If the matchImages contains a port, then the port must match in the image as well.
+	//
+	// Example values of matchImages:
+	//
+	// - 123456789.dkr.ecr.us-east-1.amazonaws.com
+	//
+	// - *.azurecr.io
+	//
+	// - gcr.io
+	//
+	// - *.*.registry.io
+	//
+	// - registry.io:8080/path
+	//
+	// +kubebuilder:validation:MaxItems=50
+	// +kubebuilder:validation:MinItems=1
+	// +listType=set
+	// +required
+	MatchImages []MatchImage `json:"matchImages,omitempty"`
+}
+
+// MatchImage is a string pattern used to match container image registry addresses.
+// It must be a valid fully qualified domain name with optional wildcard, port, and path.
+// The maximum length is 512 characters.
+//
+// Wildcards ('*') are supported for full subdomain labels and top-level domains.
+// Each entry can optionally contain a port (e.g., :8080) and a path (e.g., /path).
+// Wildcards are not allowed in the port or path portions.
+//
+// Examples:
+// - "registry.io" - matches exactly registry.io
+// - "*.azurecr.io" - matches any single subdomain of azurecr.io
+// - "registry.io:8080/path" - matches with specific port and path prefix
+//
+// +kubebuilder:validation:MaxLength=512
+// +kubebuilder:validation:XValidation:rule="self != '*'",message="global wildcard '*' is not allowed"
+// +kubebuilder:validation:XValidation:rule=`self.matches('^((\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)(\\.(\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?))*)(:[0-9]+)?(/[-a-zA-Z0-9_/]*)?$')`,message="invalid matchImages value, must be a valid fully qualified domain name with optional wildcard, port, and path"
+type MatchImage string
+
+// +k8s:deepcopy-gen=true
+// CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig
+type CRIOCredentialProviderConfigStatus struct {
+	// conditions represent the latest available observations of the configuration state.
+	// When omitted or empty, it indicates that no conditions have been reported yet.
+	// The maximum number of conditions is 4.
+	// Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+	//
+	// Expected condition types include:
+	// "Validated": indicates whether the matchImages configuration is valid
+	// +optional
+	// +kubebuilder:validation:MaxItems=4
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type CRIOCredentialProviderConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []CRIOCredentialProviderConfig `json:"items"`
+}
+
+const (
+	// ConditionTypeValidated is a condition type that indicates whether the CRIOCredentialProviderConfig
+	// matchImages configuration has been validated successfully.
+	// When True, all matchImage patterns are valid and have been applied.
+	// When False, the configuration contains errors (see Reason for details).
+	// Possible reasons for False status:
+	// - ValidationFailed: matchImages contains invalid patterns
+	// - ConfigurationPartiallyApplied: some matchImage entries were ignored due to conflicts
+	ConditionTypeValidated = "Validated"
+
+	// ReasonValidationFailed is a condition reason used with ConditionTypeValidated=False
+	// to indicate that the matchImages configuration contains one or more invalid registry patterns
+	// that do not conform to the required format (valid FQDN with optional wildcard, port, and path).
+	ReasonValidationFailed = "ValidationFailed"
+
+	// ReasonConfigurationPartiallyApplied is a condition reason used with ConditionTypeValidated=False
+	// to indicate that some matchImage entries were ignored due to conflicts or overlapping patterns.
+	// The condition message will contain details about which entries were ignored and why.
+	ReasonConfigurationPartiallyApplied = "ConfigurationPartiallyApplied"
+
+	// ConditionTypeMachineConfigRendered is a condition type that indicates whether
+	// the CRIOCredentialProviderConfig has been successfully rendered into a
+	// MachineConfig object.
+	// When True, the corresponding MachineConfig is present in the cluster.
+	// When False, rendering failed.
+	ConditionTypeMachineConfigRendered = "MachineConfigRendered"
+
+	// ReasonMachineConfigRenderingSucceeded is a condition reason used with ConditionTypeMachineConfigRendered=True
+	// to indicate that the MachineConfig was successfully created/updated in the API server.
+	ReasonMachineConfigRenderingSucceeded = "MachineConfigRenderingSucceeded"
+
+	// ReasonMachineConfigRenderingFailed is a condition reason used with ConditionTypeMachineConfigRendered=False
+	// to indicate that the MachineConfig creation/update failed.
+	// The condition message will contain details about the failure.
+	ReasonMachineConfigRenderingFailed = "MachineConfigRenderingFailed"
+)
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
index 6549f6cbe..8fecc97f9 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
@@ -192,6 +192,115 @@ func (in *BackupStatus) DeepCopy() *BackupStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfig) DeepCopyInto(out *CRIOCredentialProviderConfig) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(CRIOCredentialProviderConfigStatus)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfig.
+func (in *CRIOCredentialProviderConfig) DeepCopy() *CRIOCredentialProviderConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(CRIOCredentialProviderConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CRIOCredentialProviderConfig) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigList) DeepCopyInto(out *CRIOCredentialProviderConfigList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CRIOCredentialProviderConfig, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigList.
+func (in *CRIOCredentialProviderConfigList) DeepCopy() *CRIOCredentialProviderConfigList {
+	if in == nil {
+		return nil
+	}
+	out := new(CRIOCredentialProviderConfigList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CRIOCredentialProviderConfigList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigSpec) DeepCopyInto(out *CRIOCredentialProviderConfigSpec) {
+	*out = *in
+	if in.MatchImages != nil {
+		in, out := &in.MatchImages, &out.MatchImages
+		*out = make([]MatchImage, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigSpec.
+func (in *CRIOCredentialProviderConfigSpec) DeepCopy() *CRIOCredentialProviderConfigSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CRIOCredentialProviderConfigSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigStatus) DeepCopyInto(out *CRIOCredentialProviderConfigStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigStatus.
+func (in *CRIOCredentialProviderConfigStatus) DeepCopy() *CRIOCredentialProviderConfigStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CRIOCredentialProviderConfigStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) {
 	*out = *in
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
index 2f79f801d..42e96ed45 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
@@ -21,6 +21,29 @@ backups.config.openshift.io:
   - AutomatedEtcdBackup
   Version: v1alpha1
 
+criocredentialproviderconfigs.config.openshift.io:
+  Annotations: {}
+  ApprovedPRNumber: https://github.com/openshift/api/pull/1929
+  CRDName: criocredentialproviderconfigs.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - CRIOCredentialProviderConfig
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: CRIOCredentialProviderConfig
+  Labels: {}
+  PluralName: criocredentialproviderconfigs
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates:
+  - CRIOCredentialProviderConfig
+  Version: v1alpha1
+
 clusterimagepolicies.config.openshift.io:
   Annotations: {}
   ApprovedPRNumber: https://github.com/openshift/api/pull/1457
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
index 6ba6ad11f..731f33579 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
@@ -226,6 +226,44 @@ func (UserDefinedMonitoring) SwaggerDoc() map[string]string {
 	return map_UserDefinedMonitoring
 }
 
+var map_CRIOCredentialProviderConfig = map[string]string{
+	"":         "CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is \"cluster\". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources. For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in. CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation. Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.\n\nThe resource is a singleton named \"cluster\".\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec defines the desired configuration of the CRI-O Credential Provider. This field is required and must be provided when creating the resource.",
+	"status":   "status represents the current state of the CRIOCredentialProviderConfig. When omitted or nil, it indicates that the status has not yet been set by the controller. The controller will populate this field with validation conditions and operational state.",
+}
+
+func (CRIOCredentialProviderConfig) SwaggerDoc() map[string]string {
+	return map_CRIOCredentialProviderConfig
+}
+
+var map_CRIOCredentialProviderConfigList = map[string]string{
+	"":         "CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (CRIOCredentialProviderConfigList) SwaggerDoc() map[string]string {
+	return map_CRIOCredentialProviderConfigList
+}
+
+var map_CRIOCredentialProviderConfigSpec = map[string]string{
+	"":            "CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.",
+	"matchImages": "matchImages is a required list of string patterns used to determine whether the CRI-O credential provider should be invoked for a given image. This list is passed to the kubelet CredentialProviderConfig, and if any pattern matches the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling that image or its mirrors.\n\nThis field is required and must contain between 1 and 50 entries. The list is treated as a set, so duplicate entries are not allowed.\n\nFor more details, see: - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/ - https://github.com/cri-o/crio-credential-provider#architecture\n\nEach entry in matchImages is a pattern which can optionally contain a port and a path. Each entry no longer than 512 characters. Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io', and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net'). A global wildcard '*' (matching any domain) is not allowed. Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path. For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not. Each wildcard matches only a single domain label, so '*.io' does **not** match '*.k8s.io'.\n\nA match exists between an image and a matchImage when all of the below are true: Both contain the same number of domain parts and each part matches. The URL path of an matchImages must be a prefix of the target image URL path. If the matchImages contains a port, then the port must match in the image as well.\n\nExample values of matchImages:\n\n- 123456789.dkr.ecr.us-east-1.amazonaws.com\n\n- *.azurecr.io\n\n- gcr.io\n\n- *.*.registry.io\n\n- registry.io:8080/path",
+}
+
+func (CRIOCredentialProviderConfigSpec) SwaggerDoc() map[string]string {
+	return map_CRIOCredentialProviderConfigSpec
+}
+
+var map_CRIOCredentialProviderConfigStatus = map[string]string{
+	"":           "CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig",
+	"conditions": "conditions represent the latest available observations of the configuration state. When omitted or empty, it indicates that no conditions have been reported yet. The maximum number of conditions is 4. Conditions are stored as a map keyed by condition type, ensuring uniqueness.\n\nExpected condition types include: \"Validated\": indicates whether the matchImages configuration is valid",
+}
+
+func (CRIOCredentialProviderConfigStatus) SwaggerDoc() map[string]string {
+	return map_CRIOCredentialProviderConfigStatus
+}
+
 var map_FulcioCAWithRekor = map[string]string{
 	"":              "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.",
 	"fulcioCAData":  "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.",
diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md
index 7b858756d..c0b6f48c2 100644
--- a/vendor/github.com/openshift/api/features.md
+++ b/vendor/github.com/openshift/api/features.md
@@ -33,6 +33,7 @@
 | BootcNodeManagement| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | CBORServingAndStorage| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | CRDCompatibilityRequirementOperator| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| CRIOCredentialProviderConfig| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ClientsPreferCBOR| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ClusterAPIInstallIBMCloud| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ClusterAPIMachineManagement| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
index 0cc634a5f..4971990d5 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
@@ -425,7 +425,7 @@ type HostPlacement struct {
 	// When Affinity is set to AnyAvailable, and you stop and restart the instance, it can be restarted on any available host.
 	// +required
 	// +unionDiscriminator
-	Affinity *HostAffinity `json:"affinity,omitempty"`
+	Affinity HostAffinity `json:"affinity,omitempty"`
 
 	// dedicatedHost specifies the exact host that an instance should be restarted on if stopped.
 	// dedicatedHost is required when 'affinity' is set to DedicatedHost, and forbidden otherwise.
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go
index 0150060f4..abe5c4c97 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go
@@ -932,11 +932,6 @@ func (in *GCPShieldedInstanceConfig) DeepCopy() *GCPShieldedInstanceConfig {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HostPlacement) DeepCopyInto(out *HostPlacement) {
 	*out = *in
-	if in.Affinity != nil {
-		in, out := &in.Affinity, &out.Affinity
-		*out = new(HostAffinity)
-		**out = **in
-	}
 	if in.DedicatedHost != nil {
 		in, out := &in.DedicatedHost, &out.DedicatedHost
 		*out = new(DedicatedHost)
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_internalreleaseimage.go b/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_internalreleaseimage.go
index cd888c967..456329838 100644
--- a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_internalreleaseimage.go
+++ b/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_internalreleaseimage.go
@@ -86,7 +86,7 @@ type InternalReleaseImageStatus struct {
 	// +listMapKey=name
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=32
-	// +required
+	// +optional
 	Releases []InternalReleaseImageBundleStatus `json:"releases,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_osimagestream.go b/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_osimagestream.go
index cb6163ddb..943af95a3 100644
--- a/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_osimagestream.go
+++ b/vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_osimagestream.go
@@ -51,11 +51,11 @@ type OSImageStreamStatus struct {
 	// availableStreams is required, must have at least one item, must not exceed
 	// 100 items, and must have unique entries keyed on the name field.
 	//
-	// +required
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=100
 	// +listType=map
 	// +listMapKey=name
+	// +optional
 	AvailableStreams []OSImageStreamSet `json:"availableStreams,omitempty"`
 
 	// defaultStream is the name of the stream that should be used as the default
@@ -65,10 +65,10 @@ type OSImageStreamStatus struct {
 	// consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.'),
 	// and must reference the name of one of the streams in availableStreams.
 	//
-	// +required
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:MaxLength=253
 	// +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
+	// +optional
 	DefaultStream string `json:"defaultStream,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/api/openapi/openapi.json b/vendor/github.com/openshift/api/openapi/openapi.json
index e1ff54c9c..0726e3793 100644
--- a/vendor/github.com/openshift/api/openapi/openapi.json
+++ b/vendor/github.com/openshift/api/openapi/openapi.json
@@ -11721,6 +11721,103 @@
     "com.github.openshift.api.config.v1alpha1.BackupStatus": {
       "type": "object"
     },
+    "com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfig": {
+      "description": "CRIOCredentialProviderConfig holds cluster-wide configurations for CRI-O credential provider. CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources. For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in. CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+      "type": "object",
+      "required": [
+        "spec"
+      ],
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+          "type": "string"
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+          "default": {},
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
+        },
+        "spec": {
+          "description": "spec defines the desired configuration of the CRIO Credential Provider.",
+          "default": {},
+          "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigSpec"
+        },
+        "status": {
+          "description": "status represents the current state of the CRIOCredentialProviderConfig.",
+          "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigStatus"
+        }
+      }
+    },
+    "com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigList": {
+      "description": "CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+      "type": "object",
+      "required": [
+        "metadata",
+        "items"
+      ],
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+          "type": "string"
+        },
+        "items": {
+          "type": "array",
+          "items": {
+            "default": {},
+            "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfig"
+          }
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+          "default": {},
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
+        }
+      }
+    },
+    "com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigSpec": {
+      "description": "CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.",
+      "type": "object",
+      "required": [
+        "matchImages"
+      ],
+      "properties": {
+        "matchImages": {
+          "description": "matchImages is a required list of string patterns used to determine whether the CRI-O credential provider should be invoked for a given image. This list is passed to the kubelet CredentialProviderConfig, and if any pattern matches the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling that image or its mirrors.\n\nFor more details, see: - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/ - https://github.com/cri-o/crio-credential-provider#architecture\n\nEach entry in matchImages is a pattern which can optionally contain a port and a path. Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io', and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net'). Wildcards are not allowed in the port or path, nor may they appear in the middle of a hostname label. For example, '*.example.com' is valid, but 'example*.*.com' is not. Each wildcard matches only a single domain label, so '*.io' does **not** match '*.k8s.io'.\n\nA match exists between an image and a matchImage when all of the below are true: - Both contain the same number of domain parts and each part matches. - The URL path of an matchImages must be a prefix of the target image URL path. - If the matchImages contains a port, then the port must match in the image as well.\n\nExample values of matchImages: - 123456789.dkr.ecr.us-east-1.amazonaws.com - *.azurecr.io - gcr.io - *.*.registry.io - registry.io:8080/path",
+          "type": "array",
+          "items": {
+            "type": "string",
+            "default": ""
+          },
+          "x-kubernetes-list-type": "set"
+        }
+      }
+    },
+    "com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigStatus": {
+      "description": "CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig",
+      "type": "object",
+      "properties": {
+        "conditions": {
+          "description": "conditions represent the latest available observations of the configuration state",
+          "type": "array",
+          "items": {
+            "default": {},
+            "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"
+          },
+          "x-kubernetes-list-map-keys": [
+            "type"
+          ],
+          "x-kubernetes-list-type": "map"
+        }
+      }
+    },
     "com.github.openshift.api.config.v1alpha1.ClusterImagePolicy": {
       "description": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
       "type": "object",
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b2ac8ff48..a79a33113 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -62,7 +62,7 @@ github.com/modern-go/reflect2
 # github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
 ## explicit
 github.com/munnerz/goautoneg
-# github.com/openshift/api v0.0.0-20251204164930-cd2e40c5883a
+# github.com/openshift/api v0.0.0-20251204164930-cd2e40c5883a => github.com/QiWang19/api v0.0.0-20251204232509-5086a5249b02
 ## explicit; go 1.24.0
 github.com/openshift/api
 github.com/openshift/api/apiserver
@@ -528,3 +528,4 @@ sigs.k8s.io/structured-merge-diff/v6/value
 # sigs.k8s.io/yaml v1.6.0
 ## explicit; go 1.22
 sigs.k8s.io/yaml
+# github.com/openshift/api => github.com/QiWang19/api v0.0.0-20251204232509-5086a5249b02