Problem Statement

Currently, the wasm-shim image download process is not aware of disconnected (air-gapped) cluster configurations. When installing Kuadrant in these environments, the Gateway fails to pull the wasm-shim image because it attempts to reach external registries instead of utilizing the internal mirror registry.

Current Behavior

The installation ignores cluster-wide mirror settings (e.g., ImageContentSourcePolicy or ImageDigestMirrorSet).

The process fails unless specific manual overrides are applied.

It does not automatically handle TLS configurations (CA bundles) for custom internal registries.

Desired Behavior

The process should be transparent and "disconnected-aware." RHCL should automatically:

Detect the disconnected environment settings.
Map the wasm-shim image to the correct internal mirror registry.
Respect TLS settings (CA bundles) without requiring insecure skip verification.

Impact

This creates significant friction for customers running high-security or air-gapped clusters, particularly for:

• LLM-D: Difficulties installing Large Language Model deployments. Slack Thread
• MaaS: Roadblocks for "Models as a Service" in disconnected environments. Slack Thread

Workaround (see also attached script)

Currently, users must manually intervene by:

Specifying the exact wasm-shim image SHA in the RHCL subscription variable RELATED_IMAGE_WASMSHIM (requires prior knowledge of the SHA).
Manually configuring the CA bundle or enabling insecure-skip-verify depending on the registry's TLS configuration.

Acceptance Criteria

[ ] Kuadrant installation succeeds in a fully disconnected environment without setting RELATED_IMAGE_WASMSHIM.

[ ] The operator correctly resolves the wasm-shim image from the configured internal mirror registry.

[ ] Custom CA bundles for the mirror registry are respected (no x509 errors).

Notes

• for testing, it seems OCP test infra can help there, I see a few references in the config repo https://github.com/search?q=repo%3Aopenshift%2Frelease%20disconnected&type=code