+++ This bug was initially created as a clone of Bug #1782982 +++

Currently clusters verify signatures before proceeding with an upgrade. However, in an air-gapped environment, or if the upstream endpoint goes down, the cluster would be unable to start or restart the upgrade process.

The CVO should:

1. Cache recently verified signatures as long as the payload doesn't change, to avoid transient failures
2. Keep an on-cluster cache of verified signatures for the current release and any others that may be relevant for use across upgrades
3. Allow an admin to create or update that config map manually

Second-tier should-haves:

1. CVO should report as a field on available updates whether it is verified
2. We should add oc adm release mirror support for getting the config map of signatures
3. oc adm release info should be able to verify signatures online
Verified this bug with 4.3.0-0.nightly-2020-04-07-094124, and it passed.

# cat cvo_sig_ConfigMap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: edb4364367cff4f751ffdc032bc830a469548f998127b523047a8dd518c472cd
  namespace: openshift-config-managed
  labels:
    release.openshift.io/verification-signatures: ""
binaryData:
  sha256-edb4364367cff4f751ffdc032bc830a469548f998127b523047a8dd518c472cd-1: 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

# oc create -f cvo_sig_ConfigMap.yaml
configmap/edb4364367cff4f751ffdc032bc830a469548f998127b523047a8dd518c472cd created

# oc adm upgrade --to-image=upshift.mirror-registry.qe.devcluster.openshift.com:5000/openshift-release-dev/ocp-release@sha256:edb4364367cff4f751ffdc032bc830a469548f998127b523047a8dd518c472cd --allow-explicit-upgrade
Updating to release image upshift.mirror-registry.qe.devcluster.openshift.com:5000/openshift-release-dev/ocp-release@sha256:edb4364367cff4f751ffdc032bc830a469548f998127b523047a8dd518c472cd

# oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.3.0-0.nightly-2020-04-07-094124   True        True          10s     Working towards 4.3.10: 1% complete

# oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.3.0-0.nightly-2020-04-07-094124   True        True          16m     Working towards 4.3.10: 79% complete

Upgrade started successfully.
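The verification comment above shows the shape of the on-cluster signature cache: a ConfigMap in openshift-config-managed, named after the bare release digest, carrying the release.openshift.io/verification-signatures label, with each signature stored under a binaryData key of the form sha256-<digest>-<n>. The following script is an added example written for this page (it is not CVO code and not part of the bug report): it builds such a ConfigMap from a digest plus raw signature blobs, and it lint-checks an existing ConfigMap against that layout before an admin applies it, so a typo in the name or a key that does not match the digest is caught before the CVO silently ignores the entry. The layout constants come from the page; the check logic itself is this example's own assumption about what a well-formed entry looks like, not the CVO's actual validation rules.

```python
import base64
import json
import re

# Layout taken from the bug's verification comment.
SIGNATURE_NAMESPACE = "openshift-config-managed"
SIGNATURE_LABEL = "release.openshift.io/verification-signatures"
DIGEST_RE = re.compile(r"[0-9a-f]{64}")
KEY_RE = re.compile(r"sha256-([0-9a-f]{64})-([1-9][0-9]*)")


def build_signature_configmap(digest: str, signatures: list) -> dict:
    """Build the signature-cache ConfigMap for one release digest.

    Assumption (from the page): the object is named after the bare digest,
    keys are sha256-<digest>-<n> numbered from 1, and values are base64
    (binaryData) of the raw signature blob.
    """
    if not DIGEST_RE.fullmatch(digest):
        raise ValueError("not a lowercase hex sha256 digest: %r" % digest)
    if not signatures:
        raise ValueError("at least one signature blob is required")
    binary_data = {
        "sha256-%s-%d" % (digest, i): base64.b64encode(blob).decode("ascii")
        for i, blob in enumerate(signatures, start=1)
    }
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {
            "name": digest,
            "namespace": SIGNATURE_NAMESPACE,
            "labels": {SIGNATURE_LABEL: ""},
        },
        "binaryData": binary_data,
    }


def validate_signature_configmap(cm: dict) -> list:
    """Return a list of problems; an empty list means the layout is consistent.

    These checks are the example's own; they mirror the fields shown on the
    page rather than any documented CVO validation.
    """
    problems = []
    meta = cm.get("metadata") or {}
    name = meta.get("name", "")
    if cm.get("kind") != "ConfigMap":
        problems.append("kind must be ConfigMap")
    if meta.get("namespace") != SIGNATURE_NAMESPACE:
        problems.append("namespace must be %s" % SIGNATURE_NAMESPACE)
    if SIGNATURE_LABEL not in (meta.get("labels") or {}):
        problems.append("missing label %s" % SIGNATURE_LABEL)
    if not DIGEST_RE.fullmatch(name):
        problems.append("name is not a bare sha256 digest")
    binary_data = cm.get("binaryData") or {}
    if not binary_data:
        problems.append("binaryData is empty")
    for key, value in binary_data.items():
        m = KEY_RE.fullmatch(key)
        if not m:
            problems.append("key %r is not of the form sha256-<digest>-<n>" % key)
            continue
        if m.group(1) != name:
            problems.append("key %r digest does not match ConfigMap name" % key)
        try:
            # validate=True rejects stray characters instead of skipping them.
            if not base64.b64decode(value, validate=True):
                problems.append("key %r decodes to an empty signature" % key)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("key %r is not valid base64" % key)
    return problems


if __name__ == "__main__":
    # Constructed sample input: the digest from the page and a placeholder
    # blob standing in for a real signature file.
    digest = "edb4364367cff4f751ffdc032bc830a469548f998127b523047a8dd518c472cd"
    cm = build_signature_configmap(digest, [b"constructed-signature-placeholder"])
    print(json.dumps(cm, indent=2))  # JSON is accepted by oc create -f -
    print("problems:", validate_signature_configmap(cm))
```

Piping the JSON output into oc create -f - produces the same object as the YAML in the comment above; running validate_signature_configmap over a ConfigMap fetched with oc get cm -n openshift-config-managed -o json is a cheap pre-flight check before relying on the cache during an air-gapped upgrade.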
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1393