Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-13043

ReleaseAccepted=False keeps complaining about the update cannot be verified after the upgrade is cleared

    XMLWordPrintable

Details

    Description

      This bug is a backport clone of [Bugzilla Bug 2094174](https://bugzilla.redhat.com/show_bug.cgi?id=2094174). The following is the description of the original bug:

      Created attachment 1887340
      CVO log file

      Description of problem:
      Clearing upgrade after signature verification fails, ReleaseAccepted=False keeps complaining about the update cannot be verified blah blah.

      1. oc get clusterversion/version -ojson | jq -r '.spec, .status.conditions'
        {
        "channel": "stable-4.11",
        "clusterID": "d740b8f3-bb49-40cf-86e8-5df4a755111a"
        }
        [
        { "lastTransitionTime": "2022-06-07T01:31:43Z", "message": "Unable to retrieve available updates: currently reconciling cluster version 4.11.0-0.nightly-2022-06-06-025509 not found in the \"stable-4.11\" channel", "reason": "VersionNotFound", "status": "False", "type": "RetrievedUpdates" }

        ,

        { "lastTransitionTime": "2022-06-07T01:31:43Z", "message": "Capabilities match configured spec", "reason": "AsExpected", "status": "False", "type": "ImplicitlyEnabledCapabilities" }

        ,

        { "lastTransitionTime": "2022-06-07T02:44:54Z", "message": "Retrieving payload failed version=\"\" image=\"registry.ci.openshift.org/ocp/release@sha256:5967359c2bfee0512030418af0f69faa3fa74a81a89ad64a734420e020e7f100\" failure=The update cannot be verified: unable to verify sha256:5967359c2bfee0512030418af0f69faa3fa74a81a89ad64a734420e020e7f100 against keyrings: verifier-public-key-redhat", "reason": "RetrievePayload", "status": "False", "type": "ReleaseAccepted" }

        ,

        { "lastTransitionTime": "2022-06-07T01:56:17Z", "message": "Done applying 4.11.0-0.nightly-2022-06-06-025509", "status": "True", "type": "Available" }

        ,

        { "lastTransitionTime": "2022-06-07T01:55:47Z", "status": "False", "type": "Failing" }

        ,

        { "lastTransitionTime": "2022-06-07T01:56:17Z", "message": "Cluster version is 4.11.0-0.nightly-2022-06-06-025509", "status": "False", "type": "Progressing" }

        ]

      Version-Release number of the following components:
      4.11.0-0.nightly-2022-06-06-025509

      How reproducible:
      1/1

      Steps to Reproduce:
      1. Upgrade to a fake release

      1. oc adm upgrade --to-image=registry.ci.openshift.org/ocp/release@sha256:5967359c2bfee0512030418af0f69faa3fa74a81a89ad64a734420e020e7f100 --allow-explicit-upgrade
        warning: The requested upgrade image is not one of the available updates.You have used --allow-explicit-upgrade for the update to proceed anyway
        Requesting update to release image registry.ci.openshift.org/ocp/release@sha256:5967359c2bfee0512030418af0f69faa3fa74a81a89ad64a734420e020e7f100

      2. Check ReleaseAccepted=False due to target image signature verification failure

      1. oc adm upgrade
        Cluster version is 4.11.0-0.nightly-2022-06-04-014713

      ReleaseAccepted=False

      Reason: RetrievePayload
      Message: Retrieving payload failed version="" image="registry.ci.openshift.org/ocp/release@sha256:5967359c2bfee0512030418af0f69faa3fa74a81a89ad64a734420e020e7f100" failure=The update cannot be verified: unable to verify sha256:5967359c2bfee0512030418af0f69faa3fa74a81a89ad64a734420e020e7f100 against keyrings: verifier-public-key-redhat

      Upstream is unset, so the cluster will use an appropriate default.
      Channel: stable-4.11
      warning: Cannot display available updates:
      Reason: VersionNotFound
      Message: Unable to retrieve available updates: currently reconciling cluster version 4.11.0-0.nightly-2022-06-04-014713 not found in the "stable-4.11" channel

      3. Clear the upgrade

      1. oc adm upgrade --clear
        Cancelled requested upgrade to registry.ci.openshift.org/ocp/release@sha256:5967359c2bfee0512030418af0f69faa3fa74a81a89ad64a734420e020e7f100

      4. Check oc adm upgrade info

      1. oc adm upgrade
        Cluster version is 4.11.0-0.nightly-2022-06-04-014713

      ReleaseAccepted=False

      Reason: RetrievePayload
      Message: Retrieving payload failed version="" image="registry.ci.openshift.org/ocp/release@sha256:5967359c2bfee0512030418af0f69faa3fa74a81a89ad64a734420e020e7f100" failure=The update cannot be verified: unable to verify sha256:5967359c2bfee0512030418af0f69faa3fa74a81a89ad64a734420e020e7f100 against keyrings: verifier-public-key-redhat

      Upstream is unset, so the cluster will use an appropriate default.
      Channel: stable-4.11
      warning: Cannot display available updates:
      Reason: VersionNotFound
      Message: Unable to retrieve available updates: currently reconciling cluster version 4.11.0-0.nightly-2022-06-04-014713 not found in the "stable-4.11" channel

      Actual results:
      After upgrade is cleared, cv condition ReleaseAccepted keeps to false with message The update cannot be verified

      Expected results:
      After upgrade is cleared, cv condition ReleaseAccepted should stop complaining about the target image

      Additional info:
      Please attach logs from ansible-playbook with the -vvv flag

      Attachments

        Activity

          People

            afri@afri.cz Petr Muller
            openshift-crt-jira-prow OpenShift Prow Bot
            Evgeni Vakhonin Evgeni Vakhonin
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: