Registry Mirror in a completely sealed-off air-gapped environment #2525
realjump
started this conversation in
Development
In an environment in which IT security's prying eyes are always watching from the shadows, using webhooks as a workaround is a risky endeavor. So not only does it save us this headache, being able to set a global mirror also saves us a lot of time and it really is about giving back the power to the people. @realjump I agree!
Hello everyone,
I don't want to open an issue for the time being because I'm not sure whether we are really the only ones for whom this feature makes sense.
From my point of view, it is not possible to set a global registry mirror in an air-gapped environment in the current state of implementation for the trivy scan jobs.
I do have the option of defining mirrors in the trivy section, but as far as I understand it, each individual registry really has to be specified and set to the corresponding internal registry.
In my opinion, this is very cumbersome in this environment, as these must first be determined and maintained when new registries are added.
If the registry is not specified, the scan job stops immediately, as no images can be obtained from the Internet from our isolated environment.
Basically I would have imagined something like - I can specify a global default mirror and if there are exceptions that are specified in the current solution, then this global mirror is simply overwritten. Otherwise the default mirror is always assumed. For people who don't need this, you can simply disable this feature globally.
In order to still be able to use the operator and the scan jobs easily, we have written a webhook in Go as a workaround, which scans the trivy argument in the scan jobs and mutates it to our default registry accordingly. It is functional, but I think that this could affect several people.
What is your opinion on this?
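The fallback rule proposed in the post above (a global default mirror, per-registry exceptions that override it, and a global off switch), as an added example that is not part of the original discussion and is not trivy-operator code. The `MirrorConfig` type, its fields and the `.example` hostnames are hypothetical, and the mirror is assumed to serve the same repository paths as the upstream registry.

```go
package main

import (
	"fmt"
	"strings"
)

// MirrorConfig is a hypothetical shape for the proposal, not trivy-operator's.
type MirrorConfig struct {
	Enabled       bool              // global switch; false leaves images untouched
	DefaultMirror string            // used when a registry has no explicit entry
	Overrides     map[string]string // exceptions: source registry -> mirror
}

// splitRegistry follows Docker's convention: the first path component is a
// registry only if it contains '.' or ':' or is "localhost"; anything else
// is a Docker Hub image, and bare names live under library/.
func splitRegistry(image string) (registry, rest string) {
	i := strings.IndexByte(image, '/')
	if i == -1 {
		return "docker.io", "library/" + image
	}
	if host := image[:i]; strings.ContainsAny(host, ".:") || host == "localhost" {
		return host, image[i+1:]
	}
	return "docker.io", image
}

// Rewrite returns the reference a scan job should pull in the sealed network.
func (c MirrorConfig) Rewrite(image string) string {
	registry, rest := splitRegistry(image)
	if !c.Enabled || registry == c.DefaultMirror {
		return image // feature off, or already pointing at the mirror
	}
	if m, ok := c.Overrides[registry]; ok {
		return m + "/" + rest // explicit exception wins over the default
	}
	if c.DefaultMirror == "" {
		return image
	}
	return c.DefaultMirror + "/" + rest
}

func main() {
	c := MirrorConfig{Enabled: true, DefaultMirror: "mirror.internal.example",
		Overrides: map[string]string{"quay.io": "quay.internal.example"}}
	// Constructed sample references.
	for _, img := range []string{"nginx:1.25", "ghcr.io/org/app:v1", "quay.io/org/tool:2"} {
		fmt.Println(img, "->", c.Rewrite(img))
	}
}
```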