devscripts: Restore pull-secret post-installation when mirror_images is enabled

When mirror_images is enabled in dev-scripts (either explicitly or
automatically for IPv6 deployments), the pull-secret is replaced with
only the local mirror registry credentials during installation. This
causes operator installation and workload deployments to fail because
the cluster cannot authenticate to external registries like quay.io,
registry.redhat.io, etc.

This change adds post-installation logic to:
- Merge the original pull-secret with the local mirror credentials
- Update the cluster's pull-secret in openshift-config namespace
- Re-enable OperatorHub default sources (disabled during mirroring)
- Preserve ImageContentSourcePolicy manifests for mirror preference

The merged pull-secret allows the cluster to pull from both the local
mirror (when available) and external registries (as fallback), enabling
operator installation while maintaining the benefits of image mirroring.

This particularly helps IPv6 deployments where dev-scripts automatically
sets MIRROR_IMAGES=true by default.

Changes:
- roles/devscripts/tasks/320_restore_pull_secret.yml (new)
- roles/devscripts/tasks/300_post.yml
- roles/devscripts/README.md

Goal:
  The goal is to improve stability, especially for IPv6 jobs that
operate behind the nat64-appliance VM for all external traffic.

Assisted-By: Claude Code/claude-4.5-sonnet
Signed-off-by: Harald Jensås <[email protected]>

Author: hjensas

docs/dictionary/en-custom.txt

@@ -238,6 +238,7 @@ IDM
 IdP
 Idempotency
 idrac
+imagecontentsourcepolicy
 iface
 igfsbg
 igmp
@@ -419,6 +420,7 @@ openstackprovisioner
 openstacksdk
 openstackversion
 operatorgroup
+operatorhub
 opn
 orchestrator
 osd

roles/devscripts/README.md

@@ -16,7 +16,6 @@ networks.
   building the various needed files.
 * `devscripts_deploy`: Overlaps with the previous tag, and adds the actual
   deployment of devscripts managed services.
-* `devscripts_post`: Only runs the post-installation tasks.
 
 ## Parameters
 
@@ -136,6 +135,18 @@ Allowed values can be found [here](https://mirror.openshift.com/pub/openshift-v4
 | extra_worker_disk | | The disk size to be set for each extra nodes. |
 | extra_worker_vcpu | | The number of vCPUs to be configured for each extra nodes. |
 
+#### Registry and Image Mirroring
+
+| Key | Default Value | Description |
+| --- | ------------- | ----------- |
+| mirror_images | `false` | When set to `true`, enables image mirroring to a local registry. This is useful for disconnected/air-gapped environments. **Note:** When enabled, the pull-secret and OperatorHub sources are automatically restored after installation to allow pulling images from external registries for operators and other workloads. |
+
+**Important:** When `mirror_images` is enabled:
+- During installation, only the local mirror registry credentials are used
+- Post-installation, the original pull-secret is automatically merged with the local mirror credentials
+- OperatorHub default sources are re-enabled to allow operator installation
+- ImageContentSourcePolicy manifests remain in place to prefer the local mirror when available, with fallback to external registries
+
 ### Support keys in cifmw_devscripts_external_net
 
 | Key | Description |

roles/devscripts/tasks/300_post.yml

@@ -26,6 +26,13 @@
     - not cifmw_devscripts_ocp_online | bool
   ansible.builtin.import_tasks: set_cluster_fact.yml
 
+- name: Restore pull-secret if mirror_images is enabled
+  when:
+    - cifmw_devscripts_config.mirror_images | default(false) | bool
+  tags:
+    - devscripts_deploy
+  ansible.builtin.include_tasks: 320_restore_pull_secret.yml
+
 - name: Prepare for disk overlay configuration
   when:
     - not cifmw_devscripts_ocp_comply | bool

roles/devscripts/tasks/320_restore_pull_secret.yml

@@ -0,0 +1,93 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# When mirror_images is enabled in dev-scripts, the pull-secret is replaced
+# with only the local mirror registry credentials during installation.
+# This task restores the original pull-secret post-installation to allow
+# pulling images from external registries for operators and other workloads.
+
+- name: Get original pull-secret content
+  no_log: true
+  ansible.builtin.slurp:
+    src: "{{ cifmw_devscripts_repo_dir }}/pull_secret.json"
+  register: _original_pull_secret
+
+- name: Get current cluster pull-secret
+  no_log: true
+  kubernetes.core.k8s_info:
+    kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+    api_key: "{{ cifmw_openshift_token | default(omit) }}"
+    context: "{{ cifmw_openshift_context | default(omit) }}"
+    kind: Secret
+    name: pull-secret
+    namespace: openshift-config
+  register: _cluster_pull_secret_raw
+
+- name: Update cluster pull-secret
+  no_log: true
+  vars:
+    _original_auths: "{{ (_original_pull_secret.content | b64decode | from_json).auths }}"
+    _cluster_auths: "{{ (_cluster_pull_secret_raw.resources[0].data['.dockerconfigjson'] | b64decode | from_json).auths }}"
+    _merged_pull_secret:
+      auths: "{{ _cluster_auths | combine(_original_auths, recursive=true) }}"
+  kubernetes.core.k8s:
+    kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+    api_key: "{{ cifmw_openshift_token | default(omit) }}"
+    context: "{{ cifmw_openshift_context | default(omit) }}"
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: pull-secret
+        namespace: openshift-config
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: "{{ _merged_pull_secret | to_json | b64encode }}"
+
+- name: Wait for nodes to stabilize after pull-secret update
+  kubernetes.core.k8s_info:
+    kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+    api_key: "{{ cifmw_openshift_token | default(omit) }}"
+    context: "{{ cifmw_openshift_context | default(omit) }}"
+    kind: Node
+  register: _nodes
+  retries: 20
+  delay: 30
+  until: >-
+    _nodes.resources | length > 0 and
+    _nodes.resources | selectattr('status.conditions', 'defined') |
+    map(attribute='status.conditions') | flatten |
+    selectattr('type', 'equalto', 'Ready') |
+    selectattr('status', 'equalto', 'True') |
+    list | length == (_nodes.resources | length)
+
+- name: Re-enable OperatorHub default sources
+  kubernetes.core.k8s_json_patch:
+    kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+    api_version: config.openshift.io/v1
+    kind: OperatorHub
+    name: cluster
+    patch:
+      - op: replace
+        path: /spec/disableAllDefaultSources
+        value: false
+
+- name: Display pull-secret restoration status
+  ansible.builtin.debug:
+    msg: >-
+      Pull-secret has been restored with original credentials while keeping local mirror registry access.
+      OperatorHub default sources have been re-enabled to allow operator installation.