feat: working mirror config

Signed-off-by: Chris Butler <chris.butler@redhat.com>

Author: butler54

rhdp-isolated/bastion/imageset-config.yaml

@@ -23,22 +23,22 @@ mirror:
       # OpenShift Sandboxed Containers (CoCo runtime)
       - name: sandboxed-containers-operator
         channels:
-          - name: stable-1.10
+          - name: stable
 
       # OpenShift GitOps (ArgoCD for patterns)
       - name: openshift-gitops-operator
         channels:
           - name: latest
 
-      # Advanced Cluster Management
+      # Advanced Cluster Management (using latest stable channel)
       - name: advanced-cluster-management
         channels:
-          - name: release-2.12
+          - name: release-2.14
 
-      # Multicluster Engine
+      # Multicluster Engine (compatible with ACM 2.14)
       - name: multicluster-engine
         channels:
-          - name: stable-2.7
+          - name: stable-2.9
 
       # Cert Manager (for certificate management)
       - name: cert-manager
@@ -63,6 +63,7 @@ mirror:
   # Base images
   - name: registry.redhat.io/ubi9/ubi-minimal:latest
   - name: registry.redhat.io/ubi9/ubi:latest
+  - name: registry.access.redhat.com/ubi9/ubi:latest
   - name: registry.redhat.io/ubi8/ubi-minimal:latest
   - name: registry.access.redhat.com/ubi8/httpd-24:1-226
 
@@ -75,24 +76,21 @@ mirror:
   # Ansible Automation Platform (for imperative jobs)
   - name: registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:latest
 
-  # Validated Patterns Helm Charts (explicit versions)
+  # Validated Patterns Helm Charts and Container Images
   - name: quay.io/hybridcloudpatterns/acm:0.1.4
   - name: quay.io/hybridcloudpatterns/clustergroup:0.9.6
   - name: quay.io/hybridcloudpatterns/gitea:0.0.3
   - name: quay.io/hybridcloudpatterns/golang-external-secrets:0.1.4
   - name: quay.io/hybridcloudpatterns/hashicorp-vault:0.1.4
-  - name: quay.io/hybridcloudpatterns/utility-container:v0.2.0
-  - name: quay.io/hybridcloudpatterns/imperative-container:v1.0.0
+  - name: quay.io/hybridcloudpatterns/utility-container:latest
+  - name: quay.io/hybridcloudpatterns/imperative-container:latest
   - name: quay.io/hybridcloudpatterns/pattern-install:0.0.4
 
   # Gitea (internal git server for patterns)
   - name: docker.io/gitea/gitea:1.21.11-rootless
 
-  # Trustee (Key Broker Service for CoCo)
-  # Note: These are approximate image references, adjust based on actual trustee release
-  - name: quay.io/confidential-containers/staged-images/kbs:latest
-  - name: quay.io/confidential-containers/staged-images/kbs-client:latest
-  - name: quay.io/confidential-containers/staged-images/attestation-agent:latest
+  # CoCo/KBS Application Images (for pattern testing)
+  - name: ghcr.io/butler54/kbs-access-app:latest
 
   # CoCo Images from quay.io
   - name: quay.io/confidential-containers/peer-pods-webhook:latest

rhdp-isolated/bastion/mirror.sh

@@ -81,9 +81,24 @@ fi
 
 log_info "oc-mirror found: $(oc-mirror version 2>&1 | head -n1 || echo 'v2')"
 
-# Login to ACR using podman
+# Create merged auth file in XDG_RUNTIME_DIR for oc-mirror v2
+log_step "Setting up authentication for oc-mirror v2"
+
+# oc-mirror v2 expects auth in standard locations: ${XDG_RUNTIME_DIR}/containers/auth.json
+# Create the directory structure
+AUTH_DIR="${HOME}/.docker"
+mkdir -p "${AUTH_DIR}"
+MERGED_AUTH_FILE="${AUTH_DIR}/config.json"
+
+# Start with the Red Hat pull secret
+cp "${PULL_SECRET}" "${MERGED_AUTH_FILE}"
+
+# Login to ACR using podman with the merged auth file
 log_step "Authenticating to ACR: ${ACR_LOGIN_SERVER}"
-echo "${ACR_PASSWORD}" | podman login "${ACR_LOGIN_SERVER}" --username "${ACR_USERNAME}" --password-stdin
+echo "${ACR_PASSWORD}" | podman login "${ACR_LOGIN_SERVER}" \
+    --username "${ACR_USERNAME}" \
+    --password-stdin \
+    --authfile="${MERGED_AUTH_FILE}"
 
 if [ $? -eq 0 ]; then
     log_info "Successfully authenticated to ACR"
@@ -94,19 +109,21 @@ fi
 
 # Test connectivity
 log_info "Testing ACR connectivity..."
-if podman search "${ACR_LOGIN_SERVER}/test" --limit 1 &>/dev/null; then
+if podman search "${ACR_LOGIN_SERVER}/test" --limit 1 --authfile="${MERGED_AUTH_FILE}" &>/dev/null; then
     log_info "ACR is accessible"
 else
     log_warn "ACR search test returned non-zero, but this may be normal for empty registry"
 fi
 
 # Verify Red Hat registry access
 log_step "Verifying Red Hat registry access with pull secret"
-if ! podman login registry.redhat.io --authfile="${PULL_SECRET}" --get-login &>/dev/null; then
+if ! podman login registry.redhat.io --authfile="${MERGED_AUTH_FILE}" --get-login &>/dev/null; then
     log_warn "Could not verify registry.redhat.io access"
     log_warn "Continuing anyway, oc-mirror will use the pull secret"
 fi
 
+log_info "Authentication configured at: ${MERGED_AUTH_FILE}"
+
 # Display disk space
 log_info "Available disk space:"
 df -h "${MIRROR_WORKSPACE}"
@@ -128,8 +145,9 @@ log_info "Source: Red Hat registries (quay.io, registry.redhat.io)"
 log_info "Destination: ${ACR_LOGIN_SERVER}"
 log_info "Workspace: ${MIRROR_WORKSPACE}"
 
-# Set registry credentials for oc-mirror
-export REGISTRY_AUTH_FILE="${PULL_SECRET}"
+# Note: oc-mirror v2 uses standard Docker/Podman auth locations automatically
+# We don't set REGISTRY_AUTH_FILE as it causes parsing errors in v2
+log_info "oc-mirror will use auth from: ${MERGED_AUTH_FILE}"
 
 # Run oc-mirror with v2 flag
 START_TIME=$(date +%s)

rhdp-isolated/configure-bastion.sh

@@ -169,8 +169,8 @@ export ACR_NAME="${ACR_NAME}"
 export ACR_USERNAME="${ACR_USERNAME}"
 export ACR_PASSWORD="${ACR_PASSWORD}"
 
-# Ensure local bin is in PATH
-export PATH="\${HOME}/.local/bin:\${PATH}"
+# Add OpenShift tools from data disk to PATH
+export PATH="/var/cache/oc-mirror/bin:\${PATH}"
 EOF
 )
 

rhdp-isolated/provision.sh

@@ -46,6 +46,14 @@ done
 
 log_info "All required environment variables are set"
 
+# Export ARM_ variables for Terraform Azure provider
+export ARM_CLIENT_ID="${CLIENT_ID}"
+export ARM_CLIENT_SECRET="${PASSWORD}"
+export ARM_TENANT_ID="${TENANT}"
+export ARM_SUBSCRIPTION_ID="${SUBSCRIPTION}"
+
+log_info "Azure authentication configured for Terraform"
+
 # Check for SSH key
 SSH_KEY_PATH="${HOME}/.ssh/id_rsa"
 SSH_PUB_KEY_PATH="${HOME}/.ssh/id_rsa.pub"