Bug 1805172
Summary: | Signatures cannot be verified in airgapped environments or if the remote endpoint goes down | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | W. Trevor King <wking> |
Component: | Cluster Version Operator | Assignee: | W. Trevor King <wking> |
Status: | CLOSED ERRATA | QA Contact: | Johnny Liu <jialiu> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 4.4 | CC: | aos-bugs, asakala, ccoleman, jack.ottofaro, jialiu, jokerman, susuresh, wking |
Target Milestone: | --- | ||
Target Release: | 4.5.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Enhancement | |
Doc Text: |
Feature: The Cluster Version Operator can now load release image signatures from local ConfigMaps.
Reason: On restricted networks, the Cluster Version Operator may not be able to reach the usual signature stores to retrieve release image signatures. That left it unable to verify release image signatures on updates, and users had to use --force to bypass the checks after performing signature verification manually.
Result: With this change, users on restricted networks may instead provide the signatures by pushing ConfigMaps into the cluster, and the Cluster Version Operator can find those signatures and verify the target release image. Users will no longer need to --force updates.
|
Story Points: | --- |
Clone Of: | 1782982 | Environment: | |
Last Closed: | 2020-07-13 17:16:23 UTC | Type: | --- |
Bug Blocks: | 1782982 |
Description
W. Trevor King
2020-02-20 12:27:54 UTC
Run an upgrade from 4.4.0-0.nightly-2020-03-24-225110 to 4.5.0-0.nightly-2020-03-24-224409 to verify this bug, succeed.

Create a signature configmap file:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4
  namespace: openshift-config-managed
  labels:
    release.openshift.io/verification-signatures: ""
binaryData:
  sha256-c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4-1: 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
```

```
$ oc create -f /home/installer-auto/workspace/installer-auto-test@2/assets_dir/OCP-27986_692941/signature_config_map.yaml
configmap/c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4 created
$ oc adm upgrade --allow-explicit-upgrade --to-image upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release@sha256:c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4
Updating to release image upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release@sha256:c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4
```

The upgrade is completed successfully

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409
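Added example (not from the bug report or from the Cluster Version Operator project): a POSIX shell helper that renders the signature ConfigMap in the layout shown in the verification comment above, deriving the ConfigMap name and the binaryData key from the same by-digest pullspec that is later passed to `oc adm upgrade --to-image`. The function names and the signature file argument are hypothetical, and the signature file is assumed to have been obtained and checked out of band.

```shell
#!/bin/sh
# Added example: build the signature ConfigMap for a by-digest release pullspec.

# Print the 64-hex sha256 digest of a pullspec such as repo@sha256:<hex>.
# Fails for tag-based pullspecs: a signature is bound to a digest, not a tag.
digest_from_pullspec() (
  case "$1" in
    *@sha256:*) hex=${1##*@sha256:} ;;
    *) echo "pullspec is not pinned by sha256 digest: $1" >&2; return 1 ;;
  esac
  printf '%s' "$hex" | grep -Eq '^[0-9a-f]{64}$' || {
    echo "malformed sha256 digest: $hex" >&2; return 1; }
  printf '%s\n' "$hex"
)

# Emit the ConfigMap manifest on stdout.
# $1 = release pullspec, $2 = signature file (hypothetical local path)
signature_configmap() (
  hex=$(digest_from_pullspec "$1") || return 1
  [ -s "$2" ] || { echo "signature file missing or empty: $2" >&2; return 1; }
  # Encode on a single line; stripping newlines works with any base64 variant.
  sig=$(base64 < "$2" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: $hex
  namespace: openshift-config-managed
  labels:
    release.openshift.io/verification-signatures: ""
binaryData:
  sha256-$hex-1: $sig
EOF
)
```

The output can be piped to `oc create -f -`. Because the name and key are derived from the pullspec, a ConfigMap built this way cannot silently refer to a different digest than the one being upgraded to.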