Allow the Container Security Operator (CSO) to be used effectively in disconnected OpenShift clusters
Why is this important?
Today CSO only partially works in disconnected environments, because:
- Cluster-wide pull secrets for disconnected registries are not taken into account.
- ImageContentSourcePolicies are not taken into account when scanning Red Hat-provided images used for OpenShift, Image Streams, any operators, etc.
- Proxy information cannot be specified.
- Additional CAs need to be maintained explicitly for CSO instead of using the cluster CA.
Scenarios
- A customer wants to get scan results for OpenShift cluster components and operators when running air-gapped via a mirror of those images specified in an ImageContentSourcePolicy.
- A customer runs partially disconnected from the internet via an HTTPS proxy.
- A customer employs a private registry with self-signed certificates.
- A customer employs a private registry with pull secrets stored in the cluster's global pull secrets.
Acceptance Criteria
- CSO respects ImageContentSourcePolicy.
- CSO allows specifying an HTTPS proxy.
- CSO allows adding additional custom CAs to trust self-signed/customer-provided certs.
- CSO allows specifying additional pull secrets.
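What "CSO respects ImageContentSourcePolicy" means for resolving an image, sketched as an added example (not code from this ticket or from CSO). Assumptions: the function names, the placeholder mirror host names, and the longest-prefix rule, which follows how containers registries.conf selects a mirror prefix.

```python
# Constructed sample: spec.repositoryDigestMirrors of two ICSP objects.
# Mirror host names are placeholders, not values from the ticket.
SAMPLE_ICSPS = [
    [{"source": "quay.io/openshift-release-dev/ocp-v4.0-art-dev",
      "mirrors": ["mirror.example.internal:5000/ocp4/release"]}],
    [{"source": "registry.redhat.io",
      "mirrors": ["mirror.example.internal:5000/redhat",
                  "backup.example.internal/redhat"]}],
]


def split_digest(pull_spec):
    """Return (repository, digest); digest is None for a tag reference."""
    repo, sep, digest = pull_spec.partition("@")
    return (repo, digest) if sep else (pull_spec, None)


def matches(source, repo):
    """Match on whole path components so look-alike hosts are not rewritten."""
    return repo == source or repo.startswith(source + "/")


def candidate_pull_specs(pull_spec, icsps):
    """Ordered locations to fetch the image from: mirrors first, source last.

    ICSP mirrors apply only to digest references, so a tag reference is
    returned unchanged and the caller can flag it as unresolvable offline.
    """
    repo, digest = split_digest(pull_spec)
    if digest is None:
        return [pull_spec]
    entries = [e for policy in icsps for e in policy if matches(e["source"], repo)]
    candidates = []
    if entries:
        # Assumption: the most specific (longest) source wins, and mirrors of
        # policies that share that source are combined in declaration order.
        best = max(len(e["source"]) for e in entries)
        for entry in (e for e in entries if len(e["source"]) == best):
            suffix = repo[len(entry["source"]):]
            for mirror in entry["mirrors"]:
                spec = f"{mirror}{suffix}@{digest}"
                if spec not in candidates:
                    candidates.append(spec)
    candidates.append(pull_spec)  # the original source is the final fallback
    return candidates
```

The digest is identical in every candidate, so a scan result obtained through a mirror still identifies the image the pod was scheduled with.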
Open questions:
- We may want to introduce a CustomResourceDefinition for some of these configuration items.