Use installer env var to disable image policy for mirrored non-GA releases #1865
honza wants to merge 1 commit into openshift-metal3:master from
I tried this locally and while it does fix the image pull problem, it also leaves MCO in a degraded state such that the deployment never officially completes. Maybe we need to talk to them about handling this, since they "own" this file? |
8064430 to 0b523d1
I just did a couple of loops with Claude and this new fix seems to work better. No MCO degradation. |
For non-GA releases RHCOS ships a default policy.json that requires sigstoreSigned verification for quay.io/openshift-release-dev images. When deploying mirrored non-GA releases (nightly/CI), images are not signed, causing pull failures for both MCD firstboot and CRI-O.

The installer supports OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY which adds a CVO override marking the ClusterImagePolicy as unmanaged. This prevents MCO from rendering a restrictive policy.json on nodes.

Replace the previous MachineConfig-based workaround (permissive policy.json file + machine-config-daemon-pull.service dropin) with this single env var, set before `openshift-install create manifests`.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
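A pre-flight and post-check script for the workflow the commit message describes, added here as an example; it is not code from this PR or from the dev-scripts project. It goes one step beyond the PR by also inspecting a node's /etc/containers/policy.json for the sigstoreSigned requirement that causes the pull failures. Assumptions (not confirmed by the page): the installer accepts the value `true` for OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY; the override lands in `<assets_dir>/manifests/cvo-overrides.yaml` as a `spec.overrides` entry with `kind: ClusterImagePolicy` and `unmanaged: true`; policy.json is pretty-printed with one key per line. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the PR or from dev-scripts.
# Pre-flight: decide whether to disable the sigstore image policy before
# `openshift-install create manifests`.  Post-check: confirm the CVO override
# actually landed, and test a node's policy.json for the restrictive entry.
set -eu

# Everything except a GA release is treated as unsigned (nightly, CI, ...).
# Comparison is case-insensitive so "GA" and "ga" both count as signed.
needs_image_policy_disable() {
  _rt=$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')
  [ "$_rt" != "ga" ]
}

# Export the installer knob for unsigned releases, clear it otherwise.
# Assumption: the installer accepts the value "true" for this variable.
configure_image_policy() {
  if needs_image_policy_disable "$1"; then
    export OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY=true
  else
    unset OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY
  fi
}

# After `create manifests`, return 0 when <assets_dir>/manifests/cvo-overrides.yaml
# has a spec.overrides entry with kind ClusterImagePolicy and unmanaged: true.
# Assumption: that file and entry layout.  awk buffers each "- ..." list item,
# so the key order inside an entry does not matter.
has_image_policy_override() {
  _f="$1/manifests/cvo-overrides.yaml"
  [ -f "$_f" ] || return 1
  awk '
    function check() {
      if (entry ~ /kind: *ClusterImagePolicy/ && entry ~ /unmanaged: *true/) found = 1
    }
    /^ *- / { check(); entry = "" }
    { entry = entry "\n" $0 }
    END { check(); exit(found ? 0 : 1) }
  ' "$_f"
}

# Return 0 when a policy.json requires sigstoreSigned for the release image
# repo, i.e. the policy that rejects unsigned nightly release images.
# Assumption: pretty-printed JSON with one key per line; the repo entry runs
# from the "quay.io/openshift-release-dev..." key to the closing "]".
policy_requires_sigstore() {
  _p="$1"
  [ -f "$_p" ] || return 1
  awk '
    index($0, "quay.io/openshift-release-dev") { in_entry = 1 }
    in_entry && index($0, "sigstoreSigned")    { found = 1 }
    in_entry && index($0, "]")                 { in_entry = 0 }
    END { exit(found ? 0 : 1) }
  ' "$_p"
}

# Demo wiring: decide from OPENSHIFT_RELEASE_TYPE (defaults to nightly), then
# check an assets dir (arg 1) and/or a policy.json (arg 2) when given.
main() {
  configure_image_policy "${OPENSHIFT_RELEASE_TYPE:-nightly}"
  echo "OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY=${OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY:-<unset>}"
  if [ "$#" -ge 1 ]; then
    if has_image_policy_override "$1"; then
      echo "ClusterImagePolicy override present in $1/manifests/cvo-overrides.yaml"
    else
      echo "ClusterImagePolicy override MISSING in $1/manifests/cvo-overrides.yaml"
    fi
  fi
  if [ "$#" -ge 2 ]; then
    if policy_requires_sigstore "$2"; then
      echo "$2 requires sigstoreSigned for quay.io/openshift-release-dev"
    else
      echo "$2 does not require sigstoreSigned for quay.io/openshift-release-dev"
    fi
  fi
}

main "$@"
```

Run it as `OPENSHIFT_RELEASE_TYPE=nightly ./check.sh ./ocp ./policy.json` after `create manifests` (with `./policy.json` copied off a node if you want the second check). The override check is the one that matters for the MCO symptom in the thread: if the entry is missing from cvo-overrides.yaml, the env var was not in the installer's environment when the manifests were generated, and MCO will still render the restrictive policy.json on the nodes.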
0b523d1 to 9c9b7df
Well, @zaneb revealed to me that there is a way to disable the verification in the installer. This is much simpler for CI. |
# When mirroring non-GA releases, disable sigstore image policy verification.
# The installer adds a CVO override marking the ClusterImagePolicy as unmanaged,
# which prevents MCO from rendering a restrictive /etc/containers/policy.json.
if [[ ! -z "${MIRROR_IMAGES}" && "${MIRROR_IMAGES,,}" != "false" && "${OPENSHIFT_RELEASE_TYPE}" != "ga" ]]; then
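Review bot: the condition lower-cases MIRROR_IMAGES with `${MIRROR_IMAGES,,}` but compares `${OPENSHIFT_RELEASE_TYPE}` case-sensitively against "ga", so a value of "GA" would fall through and disable the image policy for a signed release; use `"${OPENSHIFT_RELEASE_TYPE,,}" != "ga"` so both variables are normalised the same way. Minor: `[[ -n "${MIRROR_IMAGES}" ]]` reads more directly than `! -z`.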
Why only when mirroring? AIUI nightly releases in general are not signed and need the env var.