Bug 1722568 - Increase the limit on the number of signatures in openshift.io/image-signature-import controller
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: ImageStreams
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.2.0
Assignee: Oleg Bulatov
QA Contact: Wenjing Zheng
URL:
Whiteboard:
Depends On: 1724108
Blocks: 1705984 1722569 1722581
Reported: 2019-06-20 16:24 UTC by Oleg Bulatov
Modified: 2019-12-23 06:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: the importer can import up to 3 signatures, but registry.redhat.io often has more than 3 signatures.
Consequence: signatures can't be imported.
Fix: increase the limit.
Result: signatures can be imported.
Clone Of:
Clones: 1722569 1722581
Environment:
Last Closed: 2019-10-16 06:32:19 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2019:2922 (last updated 2019-10-16 06:32:31 UTC)

Description Oleg Bulatov 2019-06-20 16:24:53 UTC
This bug was initially created from Bug #1705984

There is a limit of 3 signatures on import and when this limit is exceeded, no signatures are imported. The limit should be higher.

Comment 1 Oleg Bulatov 2019-06-21 11:33:09 UTC
https://github.com/openshift/origin/pull/23230

Comment 3 Wenjing Zheng 2019-06-26 09:34:22 UTC
Bug verification is blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1724108.

QE has reproduced this bug on 3.11 with the steps below, and will go on with verification after the above bug is verified:
1. cat /etc/containers/registries.d/registry.access.redhat.com.yaml
docker:
  registry.access.redhat.com:
    sigstore: https://access.redhat.com/webassets/docker/content/sigstore
2. oc import-image registry.access.redhat.com/rhel7/etcd:3.2.22-28 --confirm
3. oc import-image registry.access.redhat.com/rhel7/etcd:latest --confirm
4. oc get istag
5. oc describe istag etcd:3.2.22-28 | grep -A3 Signatures
6. oc describe istag etcd:latest | grep -A3 Signatures

Comment 4 Adam Kaplan 2019-06-26 13:53:00 UTC
@Wenjing - blocker issue has been moved to JIRA: https://jira.coreos.com/browse/DEVEXP-380

Comment 5 Adam Kaplan 2019-06-26 14:33:10 UTC
@Wenjing can you try providing the sig store file to the machine config operator [1]?

[1] https://github.com/openshift/machine-config-operator/blob/master/docs/MachineConfiguration.md

Comment 6 Wenjing Zheng 2019-06-27 10:07:16 UTC
@Adam, thanks for your suggestion. I tried as below, but still cannot see the imported signature. Below are my steps:
1. Encode the content of /etc/containers/registries.d/registry.access.redhat.com.yaml to base64-encoded file contents:
sh-4.4# cat /etc/containers/registries.d/registry.access.redhat.com.yaml | base64 -w0
ZG9ja2VyOgogIHJlZ2lzdHJ5LmFjY2Vzcy5yZWRoYXQuY29tOgogICAgc2lnc3RvcmU6IGh0dHBzOi8vYWNjZXNzLnJlZGhhdC5jb20vd2ViYXNzZXRzL2RvY2tlci9jb250ZW50L3NpZ3N0b3JlCg==
sh-4.4#

2. Create two machine-config files, one for master and one for worker. Here is a sample for worker:
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 50-examplecorp-chrony
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:text/plain;charset=utf;base64,ZG9ja2VyOgogIHJlZ2lzdHJ5LmFjY2Vzcy5yZWRoYXQuY29tOgogICAgc2lnc3RvcmU6IGh0dHBzOi8vYWNjZXNzLnJlZGhhdC5jb20vd2ViYXNzZXRzL2RvY2tlci9jb250ZW50L3NpZ3N0b3JlCg==
        filesystem: root
        mode: 0644
        path: /etc/containers/registries.d/registry.access.redhat.com.yaml

3. I can see the rendered machineconfig is updated as below:
rendered-master-3111700e4f7767ddd37438dd402f1494            3f050a0a389fb2b4af4cdbc856b3a7dc6b44b92d   2.2.0             8s
rendered-master-403c3da41f7fa76d0a7d93d1ab1d68e4            3f050a0a389fb2b4af4cdbc856b3a7dc6b44b92d   2.2.0             30h
rendered-worker-34e12c98d48b7198cb2f10c56b7ffdfd            3f050a0a389fb2b4af4cdbc856b3a7dc6b44b92d   2.2.0             37s
rendered-worker-4ad53a952897355db702d40556865701            3f050a0a389fb2b4af4cdbc856b3a7dc6b44b92d   2.2.0             30h

4. Wait a while for the cluster to restart; all masters and nodes are using the new machine config:
$ oc describe node | grep machineconfig
                    machineconfiguration.openshift.io/currentConfig: rendered-master-3111700e4f7767ddd37438dd402f1494
                    machineconfiguration.openshift.io/desiredConfig: rendered-master-3111700e4f7767ddd37438dd402f1494
                    machineconfiguration.openshift.io/reason: 
                    machineconfiguration.openshift.io/state: Done
                    machineconfiguration.openshift.io/currentConfig: rendered-worker-34e12c98d48b7198cb2f10c56b7ffdfd
                    machineconfiguration.openshift.io/desiredConfig: rendered-worker-34e12c98d48b7198cb2f10c56b7ffdfd
                    machineconfiguration.openshift.io/reason: 
                    machineconfiguration.openshift.io/state: Done
5. Confirm the signature is imported, but nothing is returned:
$ oc import-image registry.access.redhat.com/rhel7/etcd:3.2.22-28 --confirm
$ oc describe istag etcd:3.2.22-28 | grep -A3 Signatures

Comment 8 Wenjing Zheng 2019-07-18 01:52:07 UTC
This bug is blocked by https://jira.coreos.com/browse/DEVEXP-380 , so changing state to POST.

Comment 9 Adam Kaplan 2019-07-25 16:50:39 UTC
Moving back to ON_QA

@Wenjing please use procedure in https://bugzilla.redhat.com/show_bug.cgi?id=1722569#c9 to verify.

Comment 10 XiuJuan Wang 2019-07-26 02:38:56 UTC
Verified this bug in version 4.2.0-0.nightly-2019-07-25-161751.

Verified steps:
1. Change openshift-controller-manager-operator to the unmanaged state
$ oc patch openshiftcontrollermanagers.operator.openshift.io/cluster -p '{"spec":{"managementState": "Unmanaged"}}' --type=merge

2. Create a configmap under the openshift-controller-manager project
$ oc create cm sigstore-config --from-file=$PATH/registry.access.redhat.com.yaml -n openshift-controller-manager

3. Configure controller-manager to load this configmap
$ oc set volume ds/controller-manager --add --type=configmap --configmap-name=sigstore-config -m /etc/containers/registries.d/ --name=sigstore-config

4. Wait for the pods to restart, then import the istag.
$ oc import-image registry.access.redhat.com/openshift3/ose:latest --confirm
$ oc describe istag ose:latest | grep -A3 Sig
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@0d5a0afb4af55b5992c0d02e85f8dba1a4269c38614d6fa4da4b2b92fa08dd4a
			Type:	AtomicImageV1
			Status:	Unverified
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@5819adcad7b3d6484886630a95f8c0480af9529edb2686fe03ff0fe123df0520
			Type:	AtomicImageV1
			Status:	Unverified
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@fed589ab8275118b9cb4ef16685d05cd13b58f9bf3eb1cf8b0567a1310e18997
			Type:	AtomicImageV1
			Status:	Unverified
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@3b9cc3c19092d5cfef87f0852ef8197ec955546e2692348b981f103cc5bbbfa3
			Type:	AtomicImageV1
			Status:	Unverified
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@5686d0246cd09f2a009e889cc17c76a3eadd4018c3d421745cd9d21bc67c3d04
			Type:	AtomicImageV1
			Status:	Unverified
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@379079c97c068abb32c672f0d8f2cdae5b967db6b732cd0d5fc670d55147455f
			Type:	AtomicImageV1
			Status:	Unverified
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@f194a14ce0a93b1263bece12b9a18e190f4ea6c29702576137ca75798aeb0511
			Type:	AtomicImageV1
			Status:	Unverified
Image Signatures:	 
			Name:	sha256:196cd6d1761d270bcaf3aa72666b6526585b4fe8271e2e5463078490b56e60c7@3d207a74b09a39c20f1e22688a81b1f71ff33bff4b5e4cd196e186a116f9c6b8
			Type:	AtomicImageV1
			Status:	Unverified
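The two verification attempts in this thread differ in where the sigstore configuration lands: the MachineConfig in comment 6 writes /etc/containers/registries.d/ on the nodes and produced no imported signatures, while mounting the same file into the controller-manager daemonset in comment 10 did, consistent with the importer reading registries.d inside the openshift-controller-manager pods rather than on the nodes. The shell helpers below are an added example, not code from this bug report or from OpenShift: they generate the registries.d fragment for a registry and parse `oc describe istag` output to count the imported signatures and how many of them the cluster marks Verified. The registry name, sigstore URL and the sample describe output are constructed values; the digests in the sample are placeholders.

```shell
#!/bin/sh
# Added example around the verification procedure in comments 3 and 10 of
# this bug; not part of the bug report or of OpenShift. All inputs below
# are constructed.

# Emit a containers/image registries.d fragment that tells the importer
# where detached signatures for REGISTRY are served (same shape as the
# registry.access.redhat.com.yaml file used in the thread).
sigstore_yaml() {
    registry="$1"
    url="$2"
    printf 'docker:\n  %s:\n    sigstore: %s\n' "$registry" "$url"
}

# Count signatures in `oc describe istag` output read from stdin; each
# signature is printed as a Name/Type/Status triple, so count Name lines.
count_signatures() {
    awk '/^[[:space:]]*Name:[[:space:]]*sha256:/ { n++ } END { print n+0 }'
}

# Count how many of those signatures carry Status: Verified. "Unverified"
# does not match, so imported-but-unverified signatures are not counted.
count_verified() {
    awk '/^[[:space:]]*Status:[[:space:]]*Verified/ { n++ } END { print n+0 }'
}

# Report whether a signature count would have exceeded the old limit of 3
# (the bug fixed here), which made the importer import nothing at all.
old_limit_check() {
    if [ "$1" -gt 3 ]; then echo over-old-limit; else echo within-old-limit; fi
}

# Constructed sample in the shape of `oc describe istag ... | grep -A3 Sig`
# from comment 10; digests are placeholders.
SAMPLE='Image Signatures:
            Name:   sha256:aaaa@1111
            Type:   AtomicImageV1
            Status: Unverified
Image Signatures:
            Name:   sha256:aaaa@2222
            Type:   AtomicImageV1
            Status: Unverified
Image Signatures:
            Name:   sha256:aaaa@3333
            Type:   AtomicImageV1
            Status: Unverified
Image Signatures:
            Name:   sha256:aaaa@4444
            Type:   AtomicImageV1
            Status: Unverified'

# Usage: generate the registries.d file, then evaluate the sample output.
sigstore_yaml registry.access.redhat.com https://access.redhat.com/webassets/docker/content/sigstore
n=$(printf '%s\n' "$SAMPLE" | count_signatures)
echo "signatures imported: $n ($(old_limit_check "$n"))"
echo "signatures verified: $(printf '%s\n' "$SAMPLE" | count_verified)"
```

On a live cluster the sample would be replaced by `oc describe istag <name> | grep -A3 Sig` as in comment 10, and the generated YAML is what goes into the configmap from step 2 there. Every signature in the thread's output shows Status: Unverified, so a check that only counts imported signatures must not be read as a check that the image is trusted; count_verified keeps the two apart.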

Comment 11 errata-xmlrpc 2019-10-16 06:32:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922

