OpenShift Request For Enhancement: RFE-7332

Allow Openshift Image Registry to import images via the credential provider API


      Background

      ROSA HCP released a feature [1] in Q4 2024 that allows clusters to install Managed OpenShift without needing a connection to the wider internet. It achieved this by mirroring all OpenShift release images through a per-region ECR, allowing clusters to pull release images through the AWS backbone, without needing to contact quay.io.

      One limitation that we ran into was that ECR pull secrets are only valid for a maximum of 12 hours, meaning that in a traditional implementation, the pull secret needs to be recycled every 12 hours to allow nodes to authenticate with ECR.

      To get around this, we used the new Kubelet Credential Provider API feature [2] introduced to MCO, which allows nodes to grab a pull secret on-demand, without needing to refresh/re-mint a token every 12 hours.

      Unfortunately, this feature does not yet work with the OpenShift Image Registry, meaning that any pods that are created in a fully disconnected environment cannot import images.
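To make the 12-hour limitation and the on-demand mechanism concrete, the following is an added illustration (not code from this RFE, from the machine-config-operator, or from the image registry) of the kubelet credential provider exec protocol: the kubelet writes a `CredentialProviderRequest` to a plugin's stdin, the plugin answers with a `CredentialProviderResponse` carrying per-registry credentials and a `cacheDuration`, and the kubelet re-runs the plugin only once that cache entry lapses. The ECR host, the token stub (`fake_get_authorization_token` stands in for `ecr:GetAuthorizationToken`, with no AWS call) and the 30-minute safety margin are constructed for the example.

```python
"""Model of the kubelet credential provider exchange (added example, not project code)."""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

API_VERSION = "credentialprovider.kubelet.k8s.io/v1"
# Constructed registry host; real ECR hosts look like <account>.dkr.ecr.<region>.amazonaws.com
ECR_HOST = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
TOKEN_TTL = timedelta(hours=12)  # ECR authorization tokens are valid for 12 hours
REFRESH_MARGIN = timedelta(minutes=30)  # constructed: refresh before the token actually expires


def build_request(image: str) -> str:
    """JSON the kubelet writes on the plugin's stdin for an image matching its matchImages."""
    return json.dumps({"apiVersion": API_VERSION,
                       "kind": "CredentialProviderRequest",
                       "image": image})


def fake_get_authorization_token(now: datetime) -> tuple[str, datetime]:
    """Stand-in for ecr:GetAuthorizationToken (assumption: no AWS call is made here)."""
    token = f"constructed-token-{int(now.timestamp())}"
    return token, now + TOKEN_TTL


def provider_main(stdin_json: str, now: datetime) -> str:
    """Plugin side: validate the request, mint a short-lived token, reply with a cacheable response."""
    req = json.loads(stdin_json)
    if req.get("apiVersion") != API_VERSION or req.get("kind") != "CredentialProviderRequest":
        raise ValueError("unexpected request envelope")
    registry = req["image"].split("/", 1)[0]
    if not re.fullmatch(r"\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com", registry):
        # Not an ECR host: an empty auth map tells the kubelet to fall back to other sources
        return json.dumps({"apiVersion": API_VERSION,
                           "kind": "CredentialProviderResponse",
                           "auth": {}})
    token, expires = fake_get_authorization_token(now)
    cache_for = (expires - now) - REFRESH_MARGIN
    return json.dumps({
        "apiVersion": API_VERSION,
        "kind": "CredentialProviderResponse",
        "cacheKeyType": "Registry",                         # one entry per registry host
        "cacheDuration": f"{int(cache_for.total_seconds())}s",  # emitted as whole seconds
        "auth": {registry: {"username": "AWS", "password": token}},
    })


@dataclass
class KubeletCredentialCache:
    """Kubelet side: keep the plugin's answer until cacheDuration lapses, then re-exec it."""
    entries: dict = field(default_factory=dict)
    plugin_calls: int = 0

    def credentials_for(self, image: str, now: datetime):
        registry = image.split("/", 1)[0]
        entry = self.entries.get(registry)
        if entry is not None and now < entry["expires"]:
            return entry["auth"]  # still valid: no plugin exec, no secret rotation needed
        self.plugin_calls += 1
        resp = json.loads(provider_main(build_request(image), now))
        auth = resp["auth"].get(registry)
        if auth is None:
            return None
        seconds = int(resp["cacheDuration"].rstrip("s"))  # this model only emits "<N>s"
        self.entries[registry] = {"auth": auth, "expires": now + timedelta(seconds=seconds)}
        return auth


if __name__ == "__main__":
    cache = KubeletCredentialCache()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    first = cache.credentials_for(f"{ECR_HOST}/openshift/release:4.17", t0)
    later = cache.credentials_for(f"{ECR_HOST}/openshift/release:4.17", t0 + timedelta(hours=13))
    print("plugin executions:", cache.plugin_calls, "token rotated:", first != later)
```

Nothing in this exchange touches a static pull secret: the token lives only in the kubelet's in-memory cache and is re-minted on the next pull after it lapses. An ImageStream import performed by the image registry does not go through the kubelet at all, so it never sees this plugin and is left with whatever 12-hour token happens to be in the cluster pull secret, which is the gap this RFE describes.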

      Request

      • Allow the OpenShift Image Registry to use the credential provider binary built into nodes to pull images from ECR, Azure, or other credential-provider-capable providers without needing a pull secret.


       [1] https://issues.redhat.com/browse/XCMSTRAT-940

       [2] https://github.com/openshift/machine-config-operator/pull/4103

              DanielMesser Daniel Messer
              hkemp Hector Kemp