OpenShift Bugs: OCPBUGS-7157

Hypershift Operator does not use AdditionalTrustBundle and ImageContentSources when validating image


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Normal
    • 4.14.0
    • 4.12.z
    • HyperShift
    • Quality / Stability / Reliability
    • Moderate
    • Hypershift Sprint 236

      Description of problem:

      When you set spec.release.image in a HostedCluster to a disconnected registry (for instance: lmcnaugh-infra.cloud.lab.eng.bos.redhat.com:8443/openshift/release-images:4.12.1-x86_64), the Hypershift Operator container returns this error:
      
      Failed to lookup release image: failed to extract release metadata: failed to get repo setup: failed to create repository client for https://lmcnaugh-infra.cloud.lab.eng.bos.redhat.com:8443: Get "https://lmcnaugh-infra.cloud.lab.eng.bos.redhat.com:8443/v2/": x509: certificate signed by unknown authority
      
      This is because the Hypershift Operator does not use the CA Cert specified in spec.AdditionalTrustBundle of the HostedCluster.
      
      Additionally, once I hack around that by manually mounting the CA cert to the operator pod, it returns another error about not being authorized to access quay.io: failed to obtain root manifest for quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:effb80784684165621459457653e756b869746f149327734e2278a49a9fbc52c: unauthorized: access to the requested resource is not authorized
      
      It seems that it is not honoring the ImageContentSources either, and is trying to access quay.io directly rather than going through the mirror.

      Version-Release number of selected component (if applicable):

      MCE 2.2, OCP 4.12

      How reproducible:

      Every time

      Steps to Reproduce:

      1. Set spec.release.image in a HostedCluster object to a disconnected registry
      2. Configure spec.additionalTrustBundle with your mirror CA cert
      3. Configure spec.imageContentSources with mirrors for quay.io/openshift-release-dev/ocp-v4.0-art-dev and quay.io/openshift-release-dev/ocp-release
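
      The three steps above, written out as the manifests they produce. This is an added example for readers of the report, not a manifest attached by the reporter or shipped by HyperShift. The release image and the two quay.io source repositories are the ones named in the report; everything else is assumed: the `hypershift.openshift.io/v1beta1` API version used by MCE 2.2, the `clusters` namespace, the ConfigMap name `mirror-ca-bundle` and its `ca-bundle.crt` key (the key HyperShift reads for spec.additionalTrustBundle), the mirror repository paths, and the PEM placeholder, which you replace with the CA that signed the mirror registry's serving certificate.

```yaml
# Added example, not the project's own manifest. Names, namespace, API version
# and mirror repository paths are assumptions; the release image and the two
# quay.io source repositories come from the bug report.
apiVersion: v1
kind: ConfigMap
metadata:
  name: mirror-ca-bundle          # assumed name
  namespace: clusters             # assumed namespace; same as the HostedCluster
data:
  # Key HyperShift reads for spec.additionalTrustBundle (assumed). Paste the
  # PEM chain for the CA that issued the mirror registry's certificate.
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
---
apiVersion: hypershift.openshift.io/v1beta1   # assumed for MCE 2.2
kind: HostedCluster
metadata:
  name: example                   # assumed name
  namespace: clusters
spec:
  release:
    # Step 1: release payload pulled from the disconnected registry (from the report).
    image: lmcnaugh-infra.cloud.lab.eng.bos.redhat.com:8443/openshift/release-images:4.12.1-x86_64
  # Step 2: CA bundle the operator, control plane and nodes should trust.
  additionalTrustBundle:
    name: mirror-ca-bundle
  # Step 3: redirect both release repositories to the mirror. Source repositories
  # are from the report; the mirror paths below are assumed and must match what
  # your mirror actually holds.
  imageContentSources:
  - source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
    mirrors:
    - lmcnaugh-infra.cloud.lab.eng.bos.redhat.com:8443/openshift/release
  - source: quay.io/openshift-release-dev/ocp-release
    mirrors:
    - lmcnaugh-infra.cloud.lab.eng.bos.redhat.com:8443/openshift/release-images
```

      With this applied, the check for the two failures in the report is the Hypershift Operator log: the first symptom is the `x509: certificate signed by unknown authority` error against the mirror host, and the second, after the CA is trusted, is an `unauthorized` error against quay.io, which shows the digest lookup for ocp-v4.0-art-dev bypassed the mirrors.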

      Actual results:

      Self signed cert not trusted, image content sources not used

      Expected results:

      Operator should trust certs that are specified in spec.AdditionalTrustBundle, and it should use the mirror settings in spec.ImageContentSources when trying to read the manifests.

      Additional info:

       

              Bryan Cox (rh-ee-brcox)
              Logan McNaughton (lmcnaugh@redhat.com)
              Jie Zhao
              Votes: 0
              Watchers: 4