Issue:
Currently, deploying Red Hat Advanced Cluster Security (RHACS) in disconnected or air-gapped environments using Helm charts presents a challenge when the necessary images are mirrored with the `oc mirror` tool. Customers rely on the Helm charts for non-OpenShift clusters (i.e. CNCF-compatible clusters), where the Operator method is not available.
The `oc mirror` command and the RHACS Helm charts do not fully work together when mirroring the images required by a Helm-based RHACS deployment. This limitation forces users to manually identify and mirror each individual image dependency of the RHACS Helm charts, which is a time-consuming and error-prone process.
The RHACS documentation currently also suggests retagging the images MANUALLY: https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.7/html/configuring/enable-offline-mode#download-images-for-offline-use
Problem Statement:
Organizations operating in disconnected or air-gapped environments, particularly those with strict security requirements, rely heavily on tools like `oc mirror` for efficient and reliable image management. The lack of direct `oc mirror` support for RHACS Helm chart deployments hinders automated deployments and updates, increases operational overhead, and introduces potential for human error in critical security infrastructure deployments.
Cause:
In the upstream registry (registry.redhat.io), RHACS publishes its images under version tags:
skopeo list-tags docker://registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-rhel8
{
  "Repository": "registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-rhel8",
  "Tags": [
    "4.4.0",
    "4.4.0-13",
    "4.4.0-13-source",
    "4.4.1",
    "4.4.1-4",
    "4.4.1-4-source",
    "4.4.2",
    "4.4.2-6",
    "4.4.3",
    "4.4.3-4",
    "4.4.3-4-source",
    "4.4.4",
    "4.4.4-2",
    "4.4.4-2-source",
    "4.4.5",
    "4.4.5-3",
    "4.4.5-3-source",
    "4.4.6",
    "4.4.6-2",
    "4.4.6-2-source",
    "4.4.7"
    [...]
  ]
}
These version tags are what the Helm chart references (shown here for the upstream chart, but verified against the downstream Helm charts as well); every component image in `50-images.yaml` is pinned to the same tag:
https://github.com/stackrox/helm-charts/blob/main/4.7.4/secured-cluster-services/internal/defaults/50-images.yaml
stackrox-secured-cluster-services/internal/defaults/50-images.yaml: tag: 4.7.4
stackrox-secured-cluster-services/internal/defaults/50-images.yaml: tag: 4.7.4
stackrox-secured-cluster-services/internal/defaults/50-images.yaml: tag: 4.7.4
stackrox-secured-cluster-services/internal/defaults/50-images.yaml: tag: 4.7.4
oc-mirror, on the other hand, determines the images to mirror from the operator bundle and mirrors them by digest. The ImageSetConfiguration used here:
# Config file for v2 and HEAD mirroring!
kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v2alpha1
#archiveSize: 4
mirror:
  platform:
    channels:
    - name: stable-4.18
      type: ocp
      minVersion: '4.18.7'
      maxVersion: '4.18.7'
    graph: true
  operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.18
    packages:
    - name: rhacs-operator
      channels:
      - name: stable
This results in the following in the target (offline/disconnected) registry:
skopeo list-tags docker://registry.disconnected.fqdn/advanced-cluster-security/rhacs-scanner-v4-rhel8
{
  "Repository": "registry.disconnected.fqdn/advanced-cluster-security/rhacs-scanner-v4-rhel8",
  "Tags": [
    "sha256-8cf9d001e5e7e1d3c5e0ffbe10dca959dba939cd546cf949ffc5add3164b4a6e"
  ]
}
oc-mirror also generates an ImageDigestMirrorSet (IDMS) for the mirrored images. With it, customers do not have to change the registry values of the Helm chart: digest references to the source registry are transparently redirected to the offline/disconnected registry by the nodes of the offline/disconnected cluster.
But the Helm chart references the image by tag, i.e. `registry.disconnected.fqdn/advanced-cluster-security/rhacs-scanner-v4-rhel8:4.7.4`, and that tag does not exist in the offline/disconnected registry, because oc-mirror stored the image only under the digest-derived auto-tag shown above. Note that an IDMS only applies to pull-by-digest references, so a tag reference cannot be rescued by it either.
Operator-based deployments are not affected, because the operator references the images by digest anyway.
Desired Outcome:
Allow the RHACS Helm charts to work out of the box in disconnected environments that rely on oc-mirror, without manually replacing the chart's tags with the auto-tags created by oc-mirror.
Proposal:
This can be achieved by referencing the images by digest in the Helm charts instead of by tag.
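To make the proposal concrete, the script below is an added example written for this ticket (it is not code from the RHACS charts, oc-mirror or the RHACS project). It does what a customer currently has to automate by hand: it maps oc-mirror's `sha256-<hex>` auto-tags back to digests, checks that the digest the chart needs for each component is actually present in the disconnected registry, and emits Helm values that pin every image by digest. It assumes the chart honours `image.<component>.fullRef` (as the upstream stackrox charts do; verify for the chart version in use), that the component keys `main` and `scannerV4` match the chart's `50-images.yaml`, and that the per-tag digests were resolved on a connected host with `skopeo inspect --format '{{.Digest}}'`. The scanner-v4 digest is the one from the mirror listing above; the main-image digests are constructed placeholders.

```python
"""Digest-pin RHACS Helm image references against an oc-mirror'd registry.

Added example for this RFE; not code from the RHACS charts or oc-mirror.
Assumptions (verify against your chart version):
  * the chart honours image.<component>.fullRef (upstream stackrox charts do)
  * the component keys "main" and "scannerV4" match the chart's 50-images.yaml
"""
import json
import re
from typing import Dict, List, Tuple

# oc-mirror stores a digest-mirrored image under the tag "sha256-<64 hex chars>".
AUTO_TAG_RE = re.compile(r"^sha256-([0-9a-f]{64})$")

# Constructed input 1: chart component -> image repository (assumed key names).
COMPONENTS: Dict[str, str] = {
    "scannerV4": "advanced-cluster-security/rhacs-scanner-v4-rhel8",
    "main": "advanced-cluster-security/rhacs-main-rhel8",
}

# Constructed input 2: "<repo>:<tag>" -> digest, resolved on a connected host with
#   skopeo inspect --format '{{.Digest}}' docker://registry.redhat.io/<repo>:<tag>
# The scanner-v4 digest is the one from the mirror listing in this RFE;
# the main digest is a placeholder.
SOURCE_DIGESTS: Dict[str, str] = {
    "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.7.4":
        "sha256:8cf9d001e5e7e1d3c5e0ffbe10dca959dba939cd546cf949ffc5add3164b4a6e",
    "advanced-cluster-security/rhacs-main-rhel8:4.7.4": "sha256:" + "11" * 32,
}

# Constructed input 3: `skopeo list-tags` output from the disconnected registry,
# one JSON document per repository. The main repo deliberately holds a different
# build (and a stray non-digest tag) so the check below has something to catch.
MIRROR_TAG_LISTS: List[dict] = [
    {"Repository": "registry.disconnected.fqdn/advanced-cluster-security/rhacs-scanner-v4-rhel8",
     "Tags": ["sha256-8cf9d001e5e7e1d3c5e0ffbe10dca959dba939cd546cf949ffc5add3164b4a6e"]},
    {"Repository": "registry.disconnected.fqdn/advanced-cluster-security/rhacs-main-rhel8",
     "Tags": ["sha256-" + "22" * 32, "latest"]},
]


def auto_tag_to_digest(tag: str) -> str:
    """Map oc-mirror's auto tag 'sha256-<hex>' back to the digest 'sha256:<hex>'."""
    m = AUTO_TAG_RE.fullmatch(tag)
    if not m:
        raise ValueError(f"not an oc-mirror auto tag: {tag!r}")
    return "sha256:" + m.group(1)


def mirrored_digests(tag_lists: List[dict]) -> Dict[str, set]:
    """Return repo path (without registry host) -> set of digests the mirror holds."""
    present: Dict[str, set] = {}
    for doc in tag_lists:
        repo = doc["Repository"].split("/", 1)[1]  # drop the registry host
        present[repo] = {auto_tag_to_digest(t) for t in doc["Tags"] if AUTO_TAG_RE.fullmatch(t)}
    return present


def build_overrides(mirror_registry: str, chart_tag: str, components: Dict[str, str],
                    source_digests: Dict[str, str], tag_lists: List[dict]) -> Tuple[dict, List[str]]:
    """Build Helm values that pin every component to a digest present in the mirror.

    Returns (values, missing): a component whose digest is absent from the mirror is
    left out of values and reported in missing, so a deployment never silently falls
    back to a tag that does not exist in the disconnected registry.
    """
    present = mirrored_digests(tag_lists)
    image: Dict[str, dict] = {}
    missing: List[str] = []
    for component, repo in components.items():
        digest = source_digests[f"{repo}:{chart_tag}"]
        if digest not in present.get(repo, set()):
            missing.append(f"{repo}@{digest}")
            continue
        image[component] = {"fullRef": f"{mirror_registry}/{repo}@{digest}"}
    return {"image": image}, missing


if __name__ == "__main__":
    values, missing = build_overrides("registry.disconnected.fqdn", "4.7.4",
                                      COMPONENTS, SOURCE_DIGESTS, MIRROR_TAG_LISTS)
    # Helm accepts JSON values files: helm install ... -f values-digests.json
    print(json.dumps(values, indent=2))
    for ref in missing:
        print(f"MISSING in mirror, re-run oc-mirror before deploying: {ref}")
```

Write the returned values as JSON and pass them with `-f` (Helm reads JSON values files). Pointing `fullRef` directly at the mirror registry makes the deployment independent of an IDMS, which matters on the non-OpenShift clusters this RFE is about; on OpenShift the source registry could be kept in the reference and the IDMS left to redirect the digest pull. Either way the pull is by digest, so the image that runs is exactly the one that was mirrored and verified.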
Why does the customer need this? (List the business requirements here)
Customers strive for maximal automation, especially in disconnected environments, which by definition require additional, often manual, work. Currently every customer has to invent their own automation to either replace the tags with digests or retag the images in the offline registry.
Providing Helm charts with digests, or alternatively giving oc-mirror the capability to mirror tags, will give customers a solid way of using the charts in disconnected environments without manual fiddling with the images, which may change over time (deprecation of components/images, new features) and thus break their home-grown automation.
- is caused by RFE-7812 Improved support for disconnected Environments for Red Hat Advanced Cluster Security (RHACS) Helm Chart deployments
- Approved