Summary
Add support for provisioning disconnected (air-gapped) OpenShift clusters for testing layered products in environments without direct internet access.
Use Case
Layered product teams (CNV, MTA, MTC, OADP, etc.) need to test their products in disconnected environments to validate:
- Installation from mirror registries
- Image pull behavior with custom CA certificates
- Operator catalog mirroring
- Upgrade workflows in disconnected mode
- Network policy restrictions
Current Status
Partial Foundation Exists:
- ✅ Custom pull secret support (can add mirror registry credentials)
- ✅ Pull secret merging logic in worker
- ❌ No support for imageContentSources (registry mirroring configuration)
- ❌ No support for additionalTrustBundle (custom CA certificates)
Implementation Options
Option 1: Full Dynamic Support (Recommended)
- Maximum flexibility - users specify mirror registry per-cluster
- Requires database schema changes
- Estimated effort: ~5 days
Option 2: Profile-Based Quick Win
- No database schema changes
- Leverages existing profile system
- Less flexible - requires predefined profiles
- Estimated effort: ~1 day
Key Changes Required
- Database Schema: Add image_content_sources (JSONB) and additional_trust_bundle (TEXT) columns
- Type Definitions: Add ImageContentSource type and cluster fields
- API Handler: Update CreateClusterRequest with validation
- Install-Config Renderer: Template support for new fields
- Documentation: User guide for disconnected clusters
Detailed Design
See complete implementation plan in: docs/issues/disconnected-cluster-support.md
Success Criteria
- ✅ Disconnected clusters provision successfully with mirrored images
- ✅ Custom CA certificates are trusted by cluster nodes
- ✅ Image pulls occur from mirror registry
- ✅ Post-deployment addons work with mirrored operator catalogs
- ✅ Complete end-to-end documentation
References
docs/issues/disconnected-cluster-support.md