Bug 1805172 - Signatures cannot be verified in airgapped environments or if the remote endpoint goes down
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cluster Version Operator
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.5.0
Assignee: W. Trevor King
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks: 1782982
 
Reported: 2020-02-20 12:27 UTC by W. Trevor King
Modified: 2020-07-13 17:16 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: The Cluster Version Operator can now load release image signatures from local ConfigMaps.
Reason: On restricted networks, the Cluster Version Operator may not be able to reach the usual signature stores to retrieve release image signatures. That left it unable to verify release image signatures on updates, and users had to use --force to bypass the checks after performing signature verification manually.
Result: With this change, users on restricted networks may instead provide the signatures by pushing ConfigMaps into the cluster, and the Cluster Version Operator can find those signatures and verify the target release image. Users will no longer need to --force updates.
Clone Of: 1782982
Environment:
Last Closed: 2020-07-13 17:16:23 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-version-operator pull 328 0 None closed Bug 1805172: pkg/verify/verifyconfigmap: Add klog logging 2020-12-08 20:31:59 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-07-13 17:16:48 UTC

Description W. Trevor King 2020-02-20 12:27:54 UTC
+++ This bug was initially created as a clone of Bug #1782982 +++

Currently clusters verify signatures before proceeding with an upgrade.  However, in an airgapped environment or if the upstream endpoint goes down the cluster would be unable to start or restart the upgrade process.

The CVO should:

1. Cache recently verified signatures as long as the payload doesn't change to avoid transient failures
2. Keep an on-cluster cache of verified signatures for the current release and any others that may be relevant for use across upgrades
3. Allow an admin to create or update that config map manually

...

Comment 3 Johnny Liu 2020-03-25 08:36:13 UTC
Ran an upgrade from 4.4.0-0.nightly-2020-03-24-225110 to 4.5.0-0.nightly-2020-03-24-224409 to verify this bug; it succeeded.

Create a signature configmap file:
apiVersion: v1
kind: ConfigMap
metadata:
  name: c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4
  namespace: openshift-config-managed
  labels:
    release.openshift.io/verification-signatures: ""
binaryData:
  sha256-c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4-1: 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
 
$ oc create -f /home/installer-auto/workspace/installer-auto-test@2/assets_dir/OCP-27986_692941/signature_config_map.yaml
configmap/c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4 created

$ oc adm upgrade --allow-explicit-upgrade --to-image upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release@sha256:c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4
Updating to release image upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release@sha256:c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4


The upgrade completed successfully.

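The manifest in Comment 3 is written by hand, which makes it easy to mistype the ConfigMap name or the binaryData key that the Cluster Version Operator looks for. The following shell script, added here as an illustration and not taken from the bug report or from the cluster-version-operator project, generates the manifest from the release image pullspec and a signature file, using exactly the naming conventions shown in the comment (ConfigMap name = the sha256 hex digest, key = sha256-<digest>-<n>, label release.openshift.io/verification-signatures). The function names, the digest check, and the signature payload used in the demo are assumptions constructed for this example; the digest itself is the one from the comment.

```shell
#!/bin/sh
# Added example (not code from the bug report or the CVO project): build the
# signature ConfigMap manifest that Comment 3 creates by hand.
# Assumptions: the name/key/label conventions are those shown in Comment 3;
# the signature file holds the bytes fetched from a signature store; base64
# (GNU or BSD) is available. The demo payload at the bottom is constructed.

# Extract the 64-hex-character digest from a "...@sha256:<digest>" pullspec.
# Prints nothing if the pullspec has no digest (tag-based pullspecs cannot
# be matched to a signature ConfigMap).
digest_from_pullspec() {
    printf '%s' "$1" | sed -n 's/.*@sha256:\([0-9a-f]\{64\}\)$/\1/p'
}

# The ConfigMap name is the raw digest, so refuse anything that is not
# exactly 64 lowercase hex characters before emitting a manifest.
valid_digest() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Usage: signature_configmap <digest> <signature file> [index]
# Several signatures for one digest are stored under successive indices
# (sha256-<digest>-1, sha256-<digest>-2, ...), matching the key in Comment 3.
signature_configmap() {
    digest="$1"
    sigfile="$2"
    index="${3:-1}"
    key="sha256-${digest}-${index}"
    # binaryData values must be base64; strip newlines so the value stays
    # on one line regardless of the base64 implementation's wrapping.
    encoded=$(base64 < "$sigfile" | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: ${digest}
  namespace: openshift-config-managed
  labels:
    release.openshift.io/verification-signatures: ""
binaryData:
  ${key}: ${encoded}
EOF
}

# Demo: the pullspec from Comment 3 and a constructed signature payload.
demo_pullspec="upshift.mirror-registry.qe.devcluster.openshift.com:5000/ocp/release@sha256:c4f646794082672626469a0464c03cc1f62c9c7b096686c4335fa4f1ff2090f4"
demo_sig=$(mktemp)
printf 'constructed-signature-bytes' > "$demo_sig"
demo_digest=$(digest_from_pullspec "$demo_pullspec")
if valid_digest "$demo_digest"; then
    # Pipe into "oc create -f -" to apply it to a cluster.
    signature_configmap "$demo_digest" "$demo_sig"
else
    echo "pullspec has no usable sha256 digest: $demo_pullspec" >&2
fi
rm -f "$demo_sig"
```

Deriving the digest from the same pullspec that is passed to `oc adm upgrade --to-image` is the point: if the two disagree, the CVO will not find a ConfigMap for the target image and the update will fail verification just as it would have before the fix.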
Comment 5 errata-xmlrpc 2020-07-13 17:16:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

