AGENT-1193: Add mirror-path and registry-cert support for OVE ISO builds

Add support for using pre-mirrored images and custom registry
certificates when building OVE ISOs, enabling disconnected
deployments with custom registries.

Changes for mirror-path:
- Pass --mirror-path to build-ove-image.sh when MIRROR_IMAGES is enabled
- Appliance skips oc-mirror and uses pre-mirrored images when --mirror-path is provided

Changes for registry-cert:
- Add --registry-cert parameter for custom registry TLS certificates
- Support both script build method (faster for development/debugging) and container build method
- Use unified mechanism across both build methods
- Convert to REGISTRY_CERT make variable for containerized builds

Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: rwsu

agent/04_agent_prepare_release.sh

@@ -13,9 +13,43 @@ source $SCRIPTDIR/agent/common.sh
 source $SCRIPTDIR/ocp_install_env.sh
 source $SCRIPTDIR/oc_mirror.sh
 
-# Temporarily skip preparing the custom local release in case of OVE ISO
-if [[ "${AGENT_E2E_TEST_BOOT_MODE}" == "ISO_NO_REGISTRY" ]]; then
-    exit 0
+early_deploy_validation
+write_pull_secret
+
+# Release mirroring could be required by the subsequent steps
+# even if the current one will be skipped
+if [[ ! -z "${MIRROR_IMAGES}" && "${MIRROR_IMAGES,,}" != "false" ]]; then
+   setup_release_mirror
+fi
+
+# Prepare registry directory for appliance if using ISO_NO_REGISTRY
+if [[ ! -z "${MIRROR_IMAGES}" && "${MIRROR_IMAGES,,}" != "false" && "${AGENT_E2E_TEST_BOOT_MODE}" == "ISO_NO_REGISTRY" ]]; then
+    echo "Preparing registry directory structure for appliance..."
+
+    # Create the cache directory structure expected by appliance
+    # Appliance expects: mirror-path/cache/<version-arch> (ISO output)
+    # Appliance will read registry data directly from mirror-path/data
+
+    # Extract version from release image to create cache subdirectory
+    # Appliance creates cache dir in format: cache/<version>-<arch>
+    VERSION=$(skopeo inspect --authfile ${PULL_SECRET_FILE} docker://${OPENSHIFT_RELEASE_IMAGE} | jq -r '.Labels["io.openshift.release"]')
+    ARCH=$(uname -m)
+    CACHE_SUBDIR="${VERSION}-${ARCH}"
+    mkdir -p ${REGISTRY_DIR}/cache/${CACHE_SUBDIR}
+
+    # Copy YAML files and mapping.txt to registry directory so appliance can find them
+    if [[ -d ${WORKING_DIR}/working-dir ]]; then
+        cp -r ${WORKING_DIR}/working-dir ${REGISTRY_DIR}/
+    fi
+
+    # Copy results directory containing mapping.txt
+    for results_dir in ${WORKING_DIR}/results-*; do
+        if [[ -d "$results_dir" ]]; then
+            cp -r "$results_dir" ${REGISTRY_DIR}/
+        fi
+    done
+
+    echo "Registry directory prepared for appliance"
 fi
 
 # To replace an image entry in the openshift release image, set <ENTRYNAME>_LOCAL_REPO so that:
@@ -34,15 +68,6 @@ fi
 # export ASSISTED_SERVICE_DOCKERFILE=Dockerfile.assisted-service.ocp
 # export ASSISTED_SERVICE_IMAGE=agent-installer-api-server
 
-early_deploy_validation
-write_pull_secret
-
-# Release mirroring could be required by the subsequent steps
-# even if the current one will be skipped
-if [[ ! -z "${MIRROR_IMAGES}" && "${MIRROR_IMAGES,,}" != "false" ]]; then
-   setup_release_mirror
-fi
-
 function build_local_release() {
     # Sanity checks
     if [[ -z "${MIRROR_IMAGES}" || "${MIRROR_IMAGES,,}" == "false" ]]; then

agent/06_agent_create_cluster.sh

@@ -85,23 +85,66 @@ function create_config_image() {
 function create_agent_iso_no_registry() {
   local asset_dir=${1}
 
+  # Update release_info.json as its needed by CI tests
+  save_release_info ${OPENSHIFT_RELEASE_IMAGE} ${OCP_DIR}
+
   AGENT_ISO_BUILDER_IMAGE=$(getAgentISOBuilderImage)
 
+  # Get agent-iso-builder source from container
   id=$(podman create --pull always --authfile "${PULL_SECRET_FILE}" "${AGENT_ISO_BUILDER_IMAGE}") &&  podman cp "${id}":/src "${asset_dir}" &&  podman rm "${id}"
 
-  # Update release_info.json as its needed by CI tests
-  save_release_info ${OPENSHIFT_RELEASE_IMAGE} ${OCP_DIR}
-
   # Create agent ISO without registry a.k.a. OVE ISO
   pushd .
   cd "${asset_dir}"/src
-  # Build the ISO in the container image
-  make build-ove-iso-container PULL_SECRET_FILE="${PULL_SECRET_FILE}" RELEASE_IMAGE_URL="${OPENSHIFT_RELEASE_IMAGE}" ARCH=${ARCH}
-  # Retrieve ISO from container
-  ./hack/iso-from-container.sh
-  local iso_name="agent-ove.${ARCH}.iso"
-  echo "Moving ${iso_name} to ${asset_dir}"
-  mv ./output-iso/${iso_name} "${asset_dir}"
+
+  # Prepare mirror path and registry cert arguments if MIRROR_IMAGES is enabled
+  local mirror_path_arg=""
+  local registry_cert_arg=""
+  if [[ ! -z "${MIRROR_IMAGES}" && "${MIRROR_IMAGES,,}" != "false" ]]; then
+    echo "Using pre-mirrored images from ${REGISTRY_DIR}"
+    mirror_path_arg="--mirror-path ${REGISTRY_DIR}"
+
+    # Check if using a custom registry (not upstream quay.io or registry.ci.openshift.org)
+    if [[ ! "${OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE}" =~ quay\.io ]] && [[ ! "${OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE}" =~ registry\.ci\.openshift\.org ]]; then
+      if [[ -f "${REGISTRY_DIR}/certs/${REGISTRY_CRT}" ]]; then
+        # Pass certificate path as argument (used by both script and container methods)
+        registry_cert_arg="--registry-cert ${REGISTRY_DIR}/certs/${REGISTRY_CRT}"
+      fi
+    fi
+  fi
+
+  # Determine which release image to use
+  local release_image_url="${OPENSHIFT_RELEASE_IMAGE}"
+  if [[ ! -z "${MIRROR_IMAGES}" && "${MIRROR_IMAGES,,}" != "false" ]]; then
+    release_image_url="${OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE}"
+    echo "Using mirrored release image: ${release_image_url}"
+  else
+    echo "Using upstream release image: ${release_image_url}"
+  fi
+
+  if [[ "${AGENT_ISO_NO_REGISTRY_BUILD_METHOD}" == "script" ]]; then
+    # Use the legacy build-ove-image.sh script
+    ./hack/build-ove-image.sh --pull-secret-file "${PULL_SECRET_FILE}" --release-image-url "${release_image_url}" --ssh-key-file "${SSH_KEY_FILE}" --dir "${asset_dir}" ${mirror_path_arg} ${registry_cert_arg}
+  else
+    # Use container-based build (default)
+    # Build the ISO in the container image
+    # Convert mirror path and registry cert arguments to make variable format
+    local mirror_args=""
+    if [[ ! -z "${mirror_path_arg}" ]]; then
+      mirror_args="MIRROR_PATH=${REGISTRY_DIR}"
+    fi
+    local registry_cert_make_arg=""
+    if [[ ! -z "${registry_cert_arg}" ]]; then
+      registry_cert_make_arg="REGISTRY_CERT=${REGISTRY_DIR}/certs/${REGISTRY_CRT}"
+    fi
+    make build-ove-iso-container PULL_SECRET_FILE="${PULL_SECRET_FILE}" RELEASE_IMAGE_URL="${release_image_url}" ARCH=${ARCH} ${mirror_args} ${registry_cert_make_arg}
+    # Retrieve ISO from container
+    ./hack/iso-from-container.sh
+    local iso_name="agent-ove.${ARCH}.iso"
+    echo "Moving ${iso_name} to ${asset_dir}"
+    mv ./output-iso/${iso_name} "${asset_dir}"
+  fi
+
   rm -rf "${asset_dir}"/src
   popd
 }
@@ -639,6 +682,13 @@ case "${AGENT_E2E_TEST_BOOT_MODE}" in
       cleanup_diskspace_agent_iso_noregistry ${asset_dir}
     fi
 
+    # Clean up registry data to save disk space after ISO is created
+    if [[ ! -z "${MIRROR_IMAGES}" && "${MIRROR_IMAGES,,}" != "false" ]]; then
+      echo "Cleaning up registry data at ${REGISTRY_DIR} to save disk space"
+      sudo rm -rf ${REGISTRY_DIR}/data
+      echo "Registry data cleanup complete"
+    fi
+
     attach_agent_iso_no_registry master $NUM_MASTERS
     attach_agent_iso_no_registry worker $NUM_WORKERS
     attach_agent_iso_no_registry arbiter $NUM_ARBITERS

agent/common.sh

@@ -15,6 +15,8 @@ export AGENT_ROOT_DEVICE_HINTS=${AGENT_ROOT_DEVICE_HINTS:-""}
 export AGENT_BM_HOSTS_IN_INSTALL_CONFIG=${AGENT_BM_HOSTS_IN_INSTALL_CONFIG:-"false"}
 
 export AGENT_MINIMAL_ISO=${AGENT_MINIMAL_ISO:-"false"}
+# OVE ISO build method: "script" uses build-ove-image.sh, "container" uses Dockerfile-based build
+export AGENT_ISO_NO_REGISTRY_BUILD_METHOD=${AGENT_ISO_NO_REGISTRY_BUILD_METHOD:-"container"}
 
 export BOND_CONFIG=${BOND_CONFIG:-"none"}
 

config_example.sh

@@ -870,11 +870,20 @@ set -x
 # AGENT_E2E_TEST_BOOT_MODE is set to ISO_NO_REGISTRY.
 # AGENT_CLEANUP_ISO_BUILDER_CACHE_LOCAL_DEV is useful for reclaiming disk space when building agent OVE ISO locally
 # by deleting all the files from the working directory, example ocp/ostest/iso_builder except the generated OVE ISO.
-# Set to 'true' to enable the cleanup. 
+# Set to 'true' to enable the cleanup.
 # Default behavior (unset or any value other than 'yes') is to skip cleanup.
 # Recommended to set to true for local dev/test purposes and unset in CI.
 # export AGENT_CLEANUP_ISO_BUILDER_CACHE_LOCAL_DEV=false
 
+# AGENT_ISO_NO_REGISTRY_BUILD_METHOD controls which method is used to build the OVE ISO when
+# AGENT_E2E_TEST_BOOT_MODE is set to ISO_NO_REGISTRY.
+# Options:
+#   'container' (default) - Uses containerized Dockerfile-based build (required for CI/build pipelines)
+#   'script'              - Uses build-ove-image.sh script directly (faster for local development/debugging)
+# The container method is required in CI/build pipeline environments where nested podman is not supported.
+# The script method is recommended for local development as it allows faster iteration and easier debugging.
+# export AGENT_ISO_NO_REGISTRY_BUILD_METHOD=container
+
 # Specifies the hostname of the node that should be identified and set as the rendezvous node 
 # during the OVE cluster installation process. This node acts as the bootstrap node in the cluster.
 # Accepts only master nodes.

ocp_install_env.sh

@@ -51,7 +51,8 @@ function extract_command() {
       cmd="oc"
     fi
 
-    mv "${extract_dir}/${cmd}" "${outdir}"
+    mkdir -p "${outdir}"
+    mv "${extract_dir}/${cmd}" "${outdir}/"
 }
 
 # Let's always grab the `oc` from the release we're using.