+++ This bug was initially created as a clone of Bug #1782982 +++

Currently clusters verify signatures before proceeding with an upgrade. However, in an airgapped environment or if the upstream endpoint goes down the cluster would be unable to start or restart the upgrade process.

The CVO should:

1. Cache recently verified signatures as long as the payload doesn't change to avoid transient failures
2. Keep an on cluster cache of verified signatures for the current release and any others that may be relevant for use across upgrades
3. Allow an admin to create or update that config map manually ...
Ran an upgrade from 4.4.0-0.nightly-2020-03-24-225110 to 4.5.0-0.nightly-2020-03-24-224409 to verify this bug; it succeeded.

Create a signature configmap file:

apiVersion: v1
kind: ConfigMap
metadata:
  name: c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4
  namespace: openshift-config-managed
  labels:
    release.openshift.io/verification-signatures: ""
binaryData:
  sha256-c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4-1: <signature data omitted>

$ oc create -f /home/installer-auto/workspace/installer-auto-test@2/assets_dir/OCP-27986_692941/signature_config_map.yaml
configmap/c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4 created

$ oc adm upgrade --allow-explicit-upgrade --to-image upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release@sha256:c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4
Updating to release image upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release@sha256:c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4

The upgrade completed successfully.
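Added example, not part of the comment above and not CVO code: a pre-flight helper that builds a signature ConfigMap in the layout shown in that comment and lints a manifest before it is handed to `oc create -f`. The function names are hypothetical, the layout rules are assumed from that one manifest, and the check only covers structure; it does not verify the signature itself.

```python
import base64
import json
import re

# Namespace, label and key layout are copied from the manifest in the comment above.
NAMESPACE = "openshift-config-managed"
LABEL = "release.openshift.io/verification-signatures"
DIGEST_RE = re.compile(r"^sha256:([0-9a-f]{64})$")

def build_signature_configmap(digest, signatures):
    """Build a ConfigMap manifest holding raw signature blobs for one release digest."""
    match = DIGEST_RE.match(digest)
    if not match:
        raise ValueError("digest must be sha256:<64 lowercase hex characters>")
    if not signatures:
        raise ValueError("at least one signature blob is required")
    hexd = match.group(1)
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": hexd, "namespace": NAMESPACE, "labels": {LABEL: ""}},
        "binaryData": {f"sha256-{hexd}-{i}": base64.b64encode(sig).decode("ascii")
                       for i, sig in enumerate(signatures, start=1)},
    }

def check_signature_configmap(manifest, digest):
    """Return the reasons a manifest does not follow the layout for `digest` ([] if none)."""
    prefix = "sha256-" + digest.partition(":")[2] + "-"
    meta = manifest.get("metadata", {})
    data = manifest.get("binaryData") or {}
    problems = []
    if meta.get("namespace") != NAMESPACE:
        problems.append("wrong namespace")
    if LABEL not in (meta.get("labels") or {}):
        problems.append("missing verification-signatures label")
    keys = [k for k in data if k.startswith(prefix) and k[len(prefix):].isdigit()]
    if not keys:
        problems.append("no binaryData key for this digest")
    for key in keys:
        try:
            if not base64.b64decode(data[key], validate=True):
                problems.append(f"{key}: empty signature")
        except ValueError:
            problems.append(f"{key}: value is not valid base64")
    return problems

if __name__ == "__main__":
    digest = "sha256:c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4"
    cm = build_signature_configmap(digest, [b"constructed placeholder, not a real signature"])
    print(json.dumps(cm, indent=2), check_signature_configmap(cm, digest))
```
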
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409