[openshift_setup] Replace ICSP with IDMS/ITMS for modern mirror configuration

dsariel · dsariel · commit bd38ca8de5ae · 2026-05-03T15:52:38.000+03:00
- Migrate from deprecated ImageContentSourcePolicy to ImageDigestMirrorSet - Add ImageTagMirrorSet for tag-based image pulls - Support both digest and tag-based image resolution - Enable NeverContactSource in the corresponding downstream patch that contains rbac-proxy registry - Improve granular control over mirror selection order Signed-off-by: David Sariel <dsariel@redhat.com> [1] https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/config_apis/imagetagmirrorset-config-openshift-io-v1 [2] https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/config_apis/imagedigestmirrorset-config-openshift-io-v1 ANVIL-58
diff --git a/roles/openshift_setup/tasks/configure_registries.yml b/roles/openshift_setup/tasks/configure_registries.yml
@@ -37,7 +37,7 @@
             - "{{ cifmw_update_containers_registry }}"
           allowedRegistries: "{{ all_registries }}"
 
-- name: Create a ICSP with repository digest mirrors
+- name: Create ImageDigestMirrorSet repository digest mirrors
   when:
     - cifmw_openshift_setup_digest_mirrors is defined
     - cifmw_openshift_setup_digest_mirrors | length > 0
@@ -46,9 +46,28 @@
     api_key: "{{ cifmw_openshift_token | default(omit)}}"
     context: "{{ cifmw_openshift_context | default(omit)}}"
     definition:
-      apiVersion: operator.openshift.io/v1alpha1
-      kind: ImageContentSourcePolicy
+      apiVersion: config.openshift.io/v1
+      kind: ImageDigestMirrorSet
       metadata:
         name: registry-digest-mirrors
       spec:
-        repositoryDigestMirrors: "{{ cifmw_openshift_setup_digest_mirrors }}"
+        imageDigestMirrors: "{{ cifmw_openshift_setup_digest_mirrors }}"
+
+#  If both ImageDigestMirrorSet and ImageTagMirrorSet are applied to the registries,
+# ITMS acts as a fallback for tag-based pulls, while IDMS provides the primary
+# secure source for digests
+- name: Create ImageTagMirrorSet for tag-based pulls
+  when:
+    - cifmw_openshift_setup_tag_mirrors is defined
+    - cifmw_openshift_setup_tag_mirrors | length > 0
+  kubernetes.core.k8s:
+    kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+    api_key: "{{ cifmw_openshift_token | default(omit)}}"
+    context: "{{ cifmw_openshift_context | default(omit)}}"
+    definition:
+      apiVersion: config.openshift.io/v1
+      kind: ImageTagMirrorSet
+      metadata:
+        name: registry-tag-mirrors
+      spec:
+        imageTagMirrors: "{{ cifmw_openshift_setup_digest_mirrors }}"
