OpenShift Bugs / OCPBUGS-28240

cvo log does not describe correct custom signaturestore config


      Description of problem:

        Triggered an upgrade against a cluster with a custom signaturestore set. But after the upgrade, the CVO log about "Verifying release authenticity" indicated "serial signature store wrapping ClusterVersion signatureStores unset, falling back to default stores".
      
      # ./oc -n openshift-cluster-version logs cluster-version-operator-7d8c75bd4d-2hl2j|grep signature
      I0126 05:02:05.705444       1 cvo.go:309] Verifying release authenticity: All release image digests must have GPG signatures from verifier-public-key-redhat (567E347AD0044ADE55BA8A5F199E2F91FD431D51: Red Hat, Inc. (release key 2) <security@redhat.com>, B08B659EE86AF623BC90E8DB938A80CAF21541EB: Red Hat, Inc. (beta key 2) <security@redhat.com>) - will check for signatures in containers/image format at serial signature store wrapping config maps in openshift-config-managed with label "release.openshift.io/verification-signatures", serial signature store wrapping ClusterVersion signatureStores unset, falling back to default stores, parallel signature store wrapping containers/image signature store under https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release, containers/image signature store under https://storage.googleapis.com/openshift-release/official/signatures/openshift/release
      
      
      # ./oc get clusterversion version -ojson|jq .spec
      {
        "channel": "stable-4.15",
        "clusterID": "a2c9359d-955d-461b-8b65-2b3dd7fba68e",
        "desiredUpdate": {
          "architecture": "",
          "force": false,
          "image": "quay.io/openshift-release-dev/ocp-release@sha256:8d75c2f67cc8beebcc3e7155297614f238987708fae4cf1393d116765b72e05f",
          "version": ""
        },
        "signatureStores": [
          {
            "url": "https://raw.githubusercontent.com/jiajliu/8raph_t2st/master/signtest"
          }
        ]
      }
      
      
      # ./oc get clusterversion version -ojson|jq .status.history
      [
        {
          "acceptedRisks": "Precondition \"ClusterVersionRecommendedUpdate\" failed because of \"UnknownUpdate\": RetrievedUpdates=False (VersionNotFound), so the recommended status of updating from 4.15.0-rc.2 to 4.15.0-rc.3 is unknown.",
          "completionTime": "2024-01-26T05:12:52Z",
          "image": "quay.io/openshift-release-dev/ocp-release@sha256:8d75c2f67cc8beebcc3e7155297614f238987708fae4cf1393d116765b72e05f",
          "startedTime": "2024-01-26T04:13:27Z",
          "state": "Completed",
          "verified": true,
          "version": "4.15.0-rc.3"
        },
        {
          "completionTime": "2024-01-26T03:32:24Z",
          "image": "quay.io/openshift-release-dev/ocp-release@sha256:baed442e1faf17a500b0f0952ecbcfad66e03074c33fb4f08fa95f49bd8fc4ff",
          "startedTime": "2024-01-26T03:00:37Z",
          "state": "Completed",
          "verified": false,
          "version": "4.15.0-rc.2"
        }
      ]

      Version-Release number of selected component (if applicable):

          4.15.0-rc.3

      How reproducible:

          always

      Steps to Reproduce:

          1. Trigger an upgrade from rc.2 to rc.3 on a cluster with a custom signature store set.
          

      Actual results:

          The CVO log does not reflect the correct custom signaturestore config.

      Expected results:

          The CVO log should reflect the correct custom signaturestore config.

      Additional info:

          

            pratikam Pratik Mahajan
            rhn-support-jiajliu Jia Liu
            Jia Liu Jia Liu
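An added example, not part of the original report or of the cluster-version-operator code: a Python check that compares `.spec.signatureStores` with the stores named on the most recent "Verifying release authenticity" log line, so a mismatch like the one reported here is flagged automatically. The function name and the abbreviated sample inputs are assumptions constructed from the output quoted in the report.

```python
import re

MARKER = "Verifying release authenticity"
UNSET = "ClusterVersion signatureStores unset"
URL_RE = re.compile(r"https?://[^\s,]+")

# Constructed inputs: the spec and an abbreviated copy of the log line from the report.
SPEC = {"signatureStores": [
    {"url": "https://raw.githubusercontent.com/jiajliu/8raph_t2st/master/signtest"}]}
REPORTED_LOG = (
    "I0126 05:02:05.705444       1 cvo.go:309] Verifying release authenticity: "
    "... serial signature store wrapping ClusterVersion signatureStores unset, "
    "falling back to default stores, parallel signature store wrapping "
    "containers/image signature store under "
    "https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release, "
    "containers/image signature store under "
    "https://storage.googleapis.com/openshift-release/official/signatures/openshift/release"
)


def audit_signature_stores(spec, log_text):
    """Return findings where the CVO log disagrees with spec.signatureStores."""
    configured = [s["url"] for s in spec.get("signatureStores") or []]
    lines = [l for l in log_text.splitlines() if MARKER in l]
    if not lines:
        return ["no '%s' line found in log" % MARKER]
    line = lines[-1]  # the most recent verification is the one that matters
    logged = set(URL_RE.findall(line))
    findings = []
    # The log claims nothing is configured while the spec says otherwise.
    if configured and UNSET in line:
        findings.append(
            "log reports signatureStores unset but spec configures %d store(s)"
            % len(configured))
    # Every configured store should be named in the verifier description.
    for url in configured:
        if url not in logged:
            findings.append("configured store not named in log: " + url)
    return findings


if __name__ == "__main__":
    for finding in audit_signature_stores(SPEC, REPORTED_LOG):
        print("MISMATCH:", finding)
```

In practice `spec` would come from `oc get clusterversion version -ojson | jq .spec` and `log_text` from the `oc logs` command shown in the report.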