From cfd030ad9c2484f9e0cbfd2e433d1beccc6dfc57 Mon Sep 17 00:00:00 2001 From: David Sariel Date: Fri, 17 Apr 2026 16:35:21 +0300 Subject: [PATCH] [openshift_setup] Replace ICSP with IDMS/ITMS for modern mirror configuration - Migrate from deprecated ImageContentSourcePolicy to ImageDigestMirrorSet - Add ImageTagMirrorSet for tag-based image pulls - Support both digest and tag-based image resolution - Enable NeverContactSource in the corresponding downstream patch that contains rbac-proxy registry - Improve granular control over mirror selection order Signed-off-by: David Sariel [1] https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/config_apis/imagetagmirrorset-config-openshift-io-v1 [2] https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/config_apis/imagedigestmirrorset-config-openshift-io-v1 ANVIL-58 --- .../tasks/configure_registries.yml | 28 ++++++++++++++++--- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/roles/openshift_setup/tasks/configure_registries.yml b/roles/openshift_setup/tasks/configure_registries.yml index 549805055..600d2f514 100644 --- a/roles/openshift_setup/tasks/configure_registries.yml +++ b/roles/openshift_setup/tasks/configure_registries.yml @@ -37,7 +37,7 @@ - "{{ cifmw_update_containers_registry }}" allowedRegistries: "{{ all_registries }}" -- name: Create a ICSP with repository digest mirrors +- name: Create ImageDigestMirrorSet repository digest mirrors when: - cifmw_openshift_setup_digest_mirrors is defined - cifmw_openshift_setup_digest_mirrors | length > 0 
@@ -46,9 +46,29 @@
 api_key: "{{ cifmw_openshift_token | default(omit)}}"
 context: "{{ cifmw_openshift_context | default(omit)}}"
 definition:
- apiVersion: operator.openshift.io/v1alpha1
- kind: ImageContentSourcePolicy
+ apiVersion: config.openshift.io/v1
+ kind: ImageDigestMirrorSet
 metadata:
 name: registry-digest-mirrors
 spec:
- repositoryDigestMirrors: "{{ cifmw_openshift_setup_digest_mirrors }}"
+ imageDigestMirrors: "{{ cifmw_openshift_setup_digest_mirrors }}"
+
+# If both ImageDigestMirrorSet and ImageTagMirrorSet are applied to the registries,
+# ITMS acts as a fallback for tag-based pulls, while IDMS provides the primary
+# secure source for digests
+- name: Create ImageTagMirrorSet for tag-based pulls
+ when:
+ - cifmw_openshift_setup_tag_mirrors is defined
+ - cifmw_openshift_setup_tag_mirrors | length > 0
+ kubernetes.core.k8s:
+ kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+ api_key: "{{ cifmw_openshift_token | default(omit)}}"
+ context: "{{ cifmw_openshift_context | default(omit)}}"
+ definition:
+ apiVersion: config.openshift.io/v1
+ kind: ImageTagMirrorSet
+ metadata:
+ name: registry-tag-mirrors
+ spec:
+ imageTagMirrors: "{{ cifmw_openshift_setup_digest_mirrors }}"
+
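Review bot: The new ImageTagMirrorSet task is gated on `cifmw_openshift_setup_tag_mirrors` but fills `spec.imageTagMirrors` from `cifmw_openshift_setup_digest_mirrors`, which looks like a copy-paste slip on the last added line of the task. When only the tag variable is set, templating would most likely fail on the undefined digest variable. When both are set, the tag list is ignored and the digest mirror list is applied to tag pulls. Tags are mutable, so the mirrors trusted for tag resolution should be the list chosen for that purpose; the line should read `imageTagMirrors: "{{ cifmw_openshift_setup_tag_mirrors }}"`. The comment above the task could also say that IDMS applies to digest references and ITMS to tag references, rather than calling ITMS a fallback.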