Disconnected cluster installation to use external registry

[manojnkumar]

There are some customers who would prefer to mirror the OpenShift image once into their enterprise registry, and then re-use that registry for installation of multiple disconnected clusters.

For this purpose, there is an urgent request to update the automation to use an external registry instead of mirroring the images to the bastion node.

[cs-zhang]

the release_image_override can be used to point to external registry user want to use, and add the registry access token to pull-secret file.

[manojnkumar]

@sydefree @schabrolles : Does this work for you?

[yussufsh]

Here is my take on using OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE approach:

1. In addition to adding the token to pull-secret we will need to add additionalTrustBundle, imageContentSources as well in install-config.
2. Question: This will work for OpenShift install I am sure but then for workloads sources will it search in the internal registry?
3. NOTE: The use of OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE is not supported, hence not recommended for production use. ref: https://access.redhat.com/solutions/3880221

The main point above is adding the details in install-config which the user cannot customize during installation.

So my suggestion would be to make changes in Terraform code and use variables with registry details. If the user is providing these values then don't setup the registry on bastion (helpernode playbooks) but set the ocp4-playbooks vars to make use of given values in install-config.

[schabrolles]

Globally agree with this approach @yussufsh

I don't think we need OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE only add additionalTrustBundle, imageContentSources in install-config should be enough.

the user can also provide the path of the registry.crt (like we do with pull-secret).