Description of problem:

- When we run oc adm migrate storage, we got the following error.

  # oc adm --config=/etc/origin/master/admin.kubeconfig migrate storage --include=* --confirm
  E0315 10:11:30.026186 error: images/sha256:0270334c4d7adaa8a5dcd592cb219efd13b3c00631184b3a594b329dfd331eec: Image "sha256:0270334c4d7adaa8a5dcd592cb219efd13b3c00631184b3a594b329dfd331eec" is invalid: signatures[0].metadata.annotations: Forbidden: signature annotations cannot be set
  E0315 10:11:30.057761 error: images/sha256:0677366367b1f1a736bdb50b926559c1bdeed02de1bce477f8fe7ed53336a572: Image "sha256:0677366367b1f1a736bdb50b926559c1bdeed02de1bce477f8fe7ed53336a572" is invalid: signatures[0].metadata.annotations: Forbidden: signature annotations cannot be set
  E0315 10:11:30.156449 error: images/sha256:1104dcdacfa9c40222e9256029cafe0b084c8dcc911ab8e816c3f39bd5a4dad1: Image "sha256:1104dcdacfa9c40222e9256029cafe0b084c8dcc911ab8e816c3f39bd5a4dad1" is invalid: signatures[0].metadata.annotations: Forbidden: signature annotations cannot be set
  E0315 10:11:30.275157 error: images/sha256:263c5a1107b6703b3db87f1cb7481a74aa7b7d1138a2da49cb692fa1ec05a42b: Image "sha256:263c5a1107b6703b3db87f1cb7481a74aa7b7d1138a2da49cb692fa1ec05a42b" is invalid: signatures[0].metadata.annotations: Forbidden: signature annotations cannot be set
  ...

- The image contains `image.openshift.io/managed-signature: "true"`

  # oc get images ...
  signatures:
  - content: xxxxx
    metadata:
      annotations:
        image.openshift.io/managed-signature: "true"
      creationTimestamp: 2018-02-12T03:51:53Z
      name: sha256:xxxx
    type: AtomicImageV1

Version-Release number of selected component (if applicable):
- OCP 3.7

How reproducible: 100%

Steps to Reproduce:
1.

Actual results:
- Please refer to the above error

Expected results:
- No error output.

Additional info:
- proposal patch: https://github.com/openshift/origin/pull/19011
Fix: https://github.com/openshift/origin/pull/19037
OSE 3.7 PR: https://github.com/openshift/ose/pull/1154
Test with
openshift v3.7.42
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

Reproduce steps:
1. Build an image, get the image digest id
   $ oc get images
2. Create image signature for this image
   $ cat <<EOF | oc create -f -
   {
     "kind": "ImageSignature",
     "schemaVersion": 2,
     "type": "AtomicImageV1",
     "metadata": {
       "annotations": { "image.openshift.io/managed-signature": "true"},
       "name": "sha256:cb6fd4551f05ff04aedada6e11be38e92861cfedf490d136b8004cee31803569@cddeb7006d914716e2728000746a0b23"},
     "content": "owGbw......"
   }
   EOF
3. Migrate image
   $ oc adm migrate storage --include=images --confirm

Result: fail in step 2
# oc create -f sig.json
The ImageSignature "sha256:cb6fd4551f05ff04aedada6e11be38e92861cfedf490d136b8004cee31803569@cddeb7006d914716e2728000746a0b23" is invalid: metadata.annotations: Forbidden: signature annotations cannot be set

Could you help give some suggestions on how to add an annotation into imageSignature? Thanks
You're trying to create the ImageSignature kind, which is not a native resource. It exists and can be modified only on the image object. You can either
a) create a new image with the signature attached
b) add a signature to an existing image

Since b) is more complex than a), let me just describe the a):
- save the image object from comment 1 into img.yaml
- import it with oc create -f img.yaml

However, if you test just with the latest oc server version, the annotation gets dropped before the image is saved into etcd. If you want to test the migration command with the annotation set on the image/signature, you'll have to:
1. launch an older version of OCP master (without the patch)
2. create an image **without** the signature
3. do b) from above:
   - add the "signatures: ..." part with the annotation using oc edit image sha256:...
4. tear down the OCP master while preserving etcd and configuration
5. launch a new version of OCP master (with the patch)
6. continue with the migration ...

The b) is necessary here because the API refuses the annotation just on Create(image), not on Update(image) - only this way can the annotation be propagated.

Hope it helps.
Michal Minar, thanks. Tried with a) and b), did not reproduce the error with
openshift v3.7.42
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

Move to verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0636
*** Bug 1585876 has been marked as a duplicate of this bug. ***