NO-JIRA: Set agent DISABLE_IMAGE_POLICY for local installs #1867

Open
bfournie wants to merge 1 commit into openshift-metal3:master from bfournie:local-disable-image-policy

@bfournie
Contributor

In CI, for agent-based installations the environment variable OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY is set and this is passed down to assisted-service. When doing local testing we also need to set this environment variable.

@openshift-ci openshift-ci bot requested review from dtantsur and mkowalski March 18, 2026 17:02

openshift-ci bot commented Mar 18, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tdomnesc for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@pawanpinjarkar
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 18, 2026
# Disable image policy verification for local development
# In CI, this is set via the test configuration (see https://github.com/openshift/installer/pull/10379)
if [ "${OPENSHIFT_CI}" != "true" ]; then
export OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY="true"
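
Review bot: The guard `if [ "${OPENSHIFT_CI}" != "true" ]` turns image policy verification off for every run outside CI, whatever release payload is being installed, so a local install of a signed release would also skip the check. Consider narrowing the condition to the builds that actually need it, and keeping a value the caller has already exported instead of overwriting it, for example `export OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY="${OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY:-true}"`. An echo inside the branch would also make it visible in the run log that verification was disabled.
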
Member

@andfasano andfasano Mar 19, 2026

This does not seem correct for all situations. In particular, for the release jobs (or nightly) we want to test a signed payload, don't we? (I mean locally)

Contributor Author

For nightly builds we'll get a failure if we don't set this. This is required to be set because nightly images are not signed. It is set in CI.

For CI builds this setting is not needed. I can add a clause in to only use for nightly builds.

Member

Shouldn't it also be required for the stable stream? Or vice versa, it could be applied only for the CI stream.

Contributor Author

Do you mean stable, e.g. quay.io/openshift-release-dev/ocp-release:4.21.7-x86_64?
No, we don't need to disable the signature checking on that, only on nightly builds when we are testing locally.

@bfournie bfournie force-pushed the local-disable-image-policy branch from 16b77c1 to 37ad98f Compare March 24, 2026 00:35
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 24, 2026

openshift-ci bot commented Mar 24, 2026

New changes are detected. LGTM label has been removed.


openshift-ci bot commented Mar 24, 2026

@bfournie: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-agent-compact-ipv4-iso-no-registry | 37ad98f | link | false | /test e2e-agent-compact-ipv4-iso-no-registry |
| ci/prow/e2e-metal-ipi-ovn-dualstack | 37ad98f | link | false | /test e2e-metal-ipi-ovn-dualstack |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@bfournie
Contributor Author

bfournie commented Mar 24, 2026

I've tested this with:
1.
    export OPENSHIFT_RELEASE_STREAM=4.22
    export OPENSHIFT_RELEASE_TYPE=ci

   OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY is not set and not needed for install.

2.
    export OPENSHIFT_RELEASE_IMAGE=quay.io/openshift-release-dev/ocp-release:4.22.0-ec.3-x86_64

   OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY is not set and not needed for install.

3.
    export OPENSHIFT_RELEASE_STREAM=4.21
    export OPENSHIFT_RELEASE_TYPE=nightly

   OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY not needed for install.

4.
    export OPENSHIFT_RELEASE_STREAM=4.22
    export OPENSHIFT_RELEASE_TYPE=nightly

   OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY set and needed for install, otherwise installation will fail.
