OpenShift Bugs / OCPBUGS-25664

no detail log on signature verification failure


Details

    • No
    • 1
    • OTA 246
    • 1
    • False
    • N/A
    • Release Note Not Required

    Description

      This is a clone of issue OCPBUGS-25055. The following is the description of the original issue:

      Description of problem:

          No failure detail is given for signature verification when validation of the target release payload's signature fails during an upgrade. It is unclear to the user which action could be taken for the failure: for example, checking whether a wrong configmap is set, whether the default store is unavailable, or whether there is an issue with a custom store.
       
      # ./oc adm upgrade
      Cluster version is 4.15.0-0.nightly-2023-12-08-202155
      Upgradeable=False  
      
        Reason: FeatureGates_RestrictedFeatureGates_TechPreviewNoUpgrade
        Message: Cluster operator config-operator should not be upgraded between minor versions: FeatureGatesUpgradeable: "TechPreviewNoUpgrade" does not allow updates
      
      ReleaseAccepted=False  
        Reason: RetrievePayload
        Message: Retrieving payload failed version="4.15.0-0.nightly-2023-12-09-012410" image="registry.ci.openshift.org/ocp/release@sha256:0bc9978f420a152a171429086853e80f033e012e694f9a762eee777f5a7fb4f7" failure=The update cannot be verified: unable to verify sha256:0bc9978f420a152a171429086853e80f033e012e694f9a762eee777f5a7fb4f7 against keyrings: verifier-public-key-redhat
      
      Upstream: https://amd64.ocp.releases.ci.openshift.org/graph
      Channel: stable-4.15
      Recommended updates:  
        VERSION                            IMAGE
        4.15.0-0.nightly-2023-12-09-012410 registry.ci.openshift.org/ocp/release@sha256:0bc9978f420a152a171429086853e80f033e012e694f9a762eee777f5a7fb4f7
       
      # ./oc -n openshift-cluster-version logs cluster-version-operator-6b7b5ff598-vxjrq|grep "verified"|tail -n4
      I1211 09:28:22.755834       1 sync_worker.go:434] loadUpdatedPayload syncPayload err=The update cannot be verified: unable to verify sha256:0bc9978f420a152a171429086853e80f033e012e694f9a762eee777f5a7fb4f7 against keyrings: verifier-public-key-redhat
      I1211 09:28:22.755974       1 event.go:298] Event(v1.ObjectReference{Kind:"ClusterVersion", Namespace:"openshift-cluster-version", Name:"version", UID:"", APIVersion:"config.openshift.io/v1", ResourceVersion:"", FieldPath:""}): type: 'Warning' reason: 'RetrievePayloadFailed' Retrieving payload failed version="4.15.0-0.nightly-2023-12-09-012410" image="registry.ci.openshift.org/ocp/release@sha256:0bc9978f420a152a171429086853e80f033e012e694f9a762eee777f5a7fb4f7" failure=The update cannot be verified: unable to verify sha256:0bc9978f420a152a171429086853e80f033e012e694f9a762eee777f5a7fb4f7 against keyrings: verifier-public-key-redhat
      I1211 09:28:37.817102       1 sync_worker.go:434] loadUpdatedPayload syncPayload err=The update cannot be verified: unable to verify sha256:0bc9978f420a152a171429086853e80f033e012e694f9a762eee777f5a7fb4f7 against keyrings: verifier-public-key-redhat
      I1211 09:28:37.817488       1 event.go:298] Event(v1.ObjectReference{Kind:"ClusterVersion", Namespace:"openshift-cluster-version", Name:"version", UID:"", APIVersion:"config.openshift.io/v1", ResourceVersion:"", FieldPath:""}): type: 'Warning' reason: 'RetrievePayloadFailed' Retrieving payload failed version="4.15.0-0.nightly-2023-12-09-012410" image="registry.ci.openshift.org/ocp/release@sha256:0bc9978f420a152a171429086853e80f033e012e694f9a762eee777f5a7fb4f7" failure=The update cannot be verified: unable to verify sha256:0bc9978f420a152a171429086853e80f033e012e694f9a762eee777f5a7fb4f7 against keyrings: verifier-public-key-redhat
      
      

      Version-Release number of selected component (if applicable):

          4.15.0-0.nightly-2023-12-08-202155

      How reproducible:

          always

      Steps to Reproduce:

          1. Trigger a fresh installation with tp enabled (no spec.signaturestores property set by default).

          2. Trigger an upgrade against a nightly build (no signature available in the default signature store).
          

      Actual results:

          no detail log on signature verification failure

      Expected results:

          Include failure detail on signature verification in the CVO log.

      Additional info:

          https://github.com/openshift/cluster-version-operator/pull/1003
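
An added triage helper, not part of the original report or of the cluster-version-operator code: it groups the verification failures in a CVO log by release digest and reports the keyring, the target version and how often the error repeats. The regular expressions assume the klog line layout and failure wording shown in the excerpt above; the sample lines are shortened copies of that excerpt plus one constructed unrelated line.

```python
import re

# klog header: severity + MMDD, time, PID, file:line], then the message.
KLOG = re.compile(r"^[IWEF]\d{4} (?P<time>[\d:.]+)\s+\d+ (?P<src>[\w.]+:\d+)\] (?P<msg>.*)$")
# Failure text as it appears in the log excerpt above. Assumption: several
# keyrings, if present, are comma-separated.
FAIL = re.compile(r"unable to verify (?P<digest>sha256:[0-9a-f]{64}) "
                  r"against keyrings: (?P<keyrings>[\w, -]+)")
VERSION = re.compile(r'version="(?P<version>[^"]+)"')

def summarize(lines):
    """Group signature verification failures by release digest."""
    found = {}
    for line in lines:
        head = KLOG.match(line.strip())
        fail = FAIL.search(head["msg"]) if head else None
        if not fail:
            continue
        entry = found.setdefault(fail["digest"], {
            "keyrings": set(), "versions": set(), "sources": set(),
            "lines": 0, "first": head["time"], "last": head["time"]})
        entry["keyrings"].update(k.strip() for k in fail["keyrings"].split(","))
        version = VERSION.search(head["msg"])
        if version:
            entry["versions"].add(version["version"])
        entry["sources"].add(head["src"])
        entry["lines"] += 1
        entry["last"] = head["time"]
    return found

# Sample input: lines from the excerpt above, with the Event(...) object
# reference and the image= field shortened for width.
DIGEST = "sha256:0bc9978f420a152a171429086853e80f033e012e694f9a762eee777f5a7fb4f7"
ERR = ("The update cannot be verified: unable to verify " + DIGEST +
       " against keyrings: verifier-public-key-redhat")
EVENT = ("Event(...): type: 'Warning' reason: 'RetrievePayloadFailed' Retrieving payload "
         'failed version="4.15.0-0.nightly-2023-12-09-012410" failure=' + ERR)
SAMPLE = [
    "I1211 09:28:22.755834       1 sync_worker.go:434] loadUpdatedPayload syncPayload err=" + ERR,
    "I1211 09:28:22.755974       1 event.go:298] " + EVENT,
    "I1211 09:28:37.817102       1 sync_worker.go:434] loadUpdatedPayload syncPayload err=" + ERR,
    "I1211 09:28:37.817488       1 event.go:298] " + EVENT,
    "I1211 09:28:38.000000       1 sync_worker.go:500] unrelated line (constructed)",
]

if __name__ == "__main__":
    for digest, info in summarize(SAMPLE).items():
        print(digest, info["lines"], info["first"], info["last"],
              sorted(info["keyrings"]), sorted(info["versions"]))
```
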

            People

              trking W. Trevor King
              openshift-crt-jira-prow OpenShift Prow Bot
              Jia Liu Jia Liu