Bug 1722569

Summary: [4.1] Increase the limit on the number of signatures in openshift.io/image-signature-import controller
Product: OpenShift Container Platform Reporter: Oleg Bulatov <obulatov>
Component: ImageAssignee: Oleg Bulatov <obulatov>
Status: CLOSED ERRATA QA Contact: Wenjing Zheng <wzheng>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.11.0CC: aos-bugs, jokerman, mmccomas, sponnaga, wsun, wzheng, xiuwang
Target Milestone: ---   
Target Release: 4.1.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: 4.1.8
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: importer can import up to 3 signatures, but the registry.redhat.io often has more than 3 signatures Consequence: signatures can't be imported Fix: increase the limit Result: signatures can be imported
Story Points: ---
Clone Of: 1722568 Environment:
Last Closed: 2019-07-31 02:44:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1722568    
Bug Blocks:    

Description Oleg Bulatov 2019-06-20 16:25:50 UTC
+++ This bug was initially created as a clone of Bug #1722568 +++

This bug was initially created from Bug #1705984

There is a limit of 3 signatures on import and when this limit is exceeded, no signatures are imported. The limit should be higher.

Comment 1 Oleg Bulatov 2019-06-25 09:29:41 UTC
https://github.com/openshift/origin/pull/23243

Comment 5 Wei Sun 2019-07-24 07:06:53 UTC
The fix is merged to 4.1.0-0.nightly-2019-07-24-051320 ,please check if we could verify it.

Comment 9 XiuJuan Wang 2019-07-25 06:25:51 UTC
Verified this bug in 4.1.0-0.nightly-2019-07-24-213555 version.

Verified steps´╝Ü
1.Change openshift-controller-manager-operator to unmanaged state
$oc patch  openshiftcontrollermanagers.operator.openshift.io/cluster -p '{"spec":{"managementState": "Unmanaged"}}' --type=merge

2.Create configmap under openshift-controller-manager project
$oc create cm sigstore-config --from-file=$PATH/registry.access.redhat.com.yaml  -n openshift-controller-manager

3.Configure controller-manager to load this configmap
$oc set volume ds/controller-manager --add --type=configmap --configmap-name=sigstore-config -m /etc/containers/registries.d/ --name=sigstore-config

4.Wait pods restart, import istag.
$oc import-image registry.access.redhat.com/openshift3/ose:latest  --confirm 
$ oc describe istag ose:latest | grep  -A3 Sig
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@0d5a0afb4af55b5992c0d02e85f8dba1a4269c38614d6fa4da4b2b92fa08dd4a
			Type:	AtomicImageV1
			Status:	Unverified
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@5819adcad7b3d6484886630a95f8c0480af9529edb2686fe03ff0fe123df0520
			Type:	AtomicImageV1
			Status:	Unverified
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@fed589ab8275118b9cb4ef16685d05cd13b58f9bf3eb1cf8b0567a1310e18997
			Type:	AtomicImageV1
			Status:	Unverified
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@3b9cc3c19092d5cfef87f0852ef8197ec955546e2692348b981f103cc5bbbfa3
			Type:	AtomicImageV1
			Status:	Unverified
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@5686d0246cd09f2a009e889cc17c76a3eadd4018c3d421745cd9d21bc67c3d04
			Type:	AtomicImageV1
			Status:	Unverified
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@379079c97c068abb32c672f0d8f2cdae5b967db6b732cd0d5fc670d55147455f
			Type:	AtomicImageV1
			Status:	Unverified
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@f194a14ce0a93b1263bece12b9a18e190f4ea6c29702576137ca75798aeb0511
			Type:	AtomicImageV1
			Status:	Unverified
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@3d207a74b09a39c20f1e22688a81b1f71ff33bff4b5e4cd196e186a116f9c6b8
			Type:	AtomicImageV1
			Status:	Unverified

If no these configuration, will no Image Signatures download.

Comment 11 errata-xmlrpc 2019-07-31 02:44:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1866