- Bug
- Resolution: Unresolved
- Normal
- None
- 4.15.0
- Moderate
- No
- False

Description of problem:
Triggered an upgrade against a cluster with a custom signature store set. After the upgrade, the CVO log line for "Verifying release authenticity" indicated "serial signature store wrapping ClusterVersion signatureStores unset, falling back to default stores".

# ./oc -n openshift-cluster-version logs cluster-version-operator-7d8c75bd4d-2hl2j|grep signature
I0126 05:02:05.705444 1 cvo.go:309] Verifying release authenticity: All release image digests must have GPG signatures from verifier-public-key-redhat (567E347AD0044ADE55BA8A5F199E2F91FD431D51: Red Hat, Inc. (release key 2) <security@redhat.com>, B08B659EE86AF623BC90E8DB938A80CAF21541EB: Red Hat, Inc. (beta key 2) <security@redhat.com>) - will check for signatures in containers/image format at serial signature store wrapping config maps in openshift-config-managed with label "release.openshift.io/verification-signatures", serial signature store wrapping ClusterVersion signatureStores unset, falling back to default stores, parallel signature store wrapping containers/image signature store under https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release, containers/image signature store under https://storage.googleapis.com/openshift-release/official/signatures/openshift/release

# ./oc get clusterversion version -ojson|jq .spec
{
  "channel": "stable-4.15",
  "clusterID": "a2c9359d-955d-461b-8b65-2b3dd7fba68e",
  "desiredUpdate": {
    "architecture": "",
    "force": false,
    "image": "quay.io/openshift-release-dev/ocp-release@sha256:8d75c2f67cc8beebcc3e7155297614f238987708fae4cf1393d116765b72e05f",
    "version": ""
  },
  "signatureStores": [
    {
      "url": "https://raw.githubusercontent.com/jiajliu/8raph_t2st/master/signtest"
    }
  ]
}

# ./oc get clusterversion version -ojson|jq .status.history
[
  {
    "acceptedRisks": "Precondition \"ClusterVersionRecommendedUpdate\" failed because of \"UnknownUpdate\": RetrievedUpdates=False (VersionNotFound), so the recommended status of updating from 4.15.0-rc.2 to 4.15.0-rc.3 is unknown.",
    "completionTime": "2024-01-26T05:12:52Z",
    "image": "quay.io/openshift-release-dev/ocp-release@sha256:8d75c2f67cc8beebcc3e7155297614f238987708fae4cf1393d116765b72e05f",
    "startedTime": "2024-01-26T04:13:27Z",
    "state": "Completed",
    "verified": true,
    "version": "4.15.0-rc.3"
  },
  {
    "completionTime": "2024-01-26T03:32:24Z",
    "image": "quay.io/openshift-release-dev/ocp-release@sha256:baed442e1faf17a500b0f0952ecbcfad66e03074c33fb4f08fa95f49bd8fc4ff",
    "startedTime": "2024-01-26T03:00:37Z",
    "state": "Completed",
    "verified": false,
    "version": "4.15.0-rc.2"
  }
]

Version-Release number of selected component (if applicable):
4.15.0-rc.3
How reproducible:
always
Steps to Reproduce:
1. Trigger an upgrade from rc.2 to rc.3 on a cluster with a custom signature store set.
Actual results:
The CVO log does not reflect the correct custom signature store config.
Expected results:
The CVO log should reflect the correct custom signature store config.
Additional info:
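
The mismatch described in this report can be checked mechanically. The following is an added example, not part of the original report or of the cluster-version-operator code: it compares `spec.signatureStores` with the newest "Verifying release authenticity" log line, assuming a correctly reported custom store would appear by URL in that line. The function names are hypothetical, and the log line is the report's own, shortened with "...".

```python
import json

# Text the report's log line shows when CVO treats spec.signatureStores as unset.
FALLBACK = "ClusterVersion signatureStores unset, falling back to default stores"
VERIFY_TAG = "Verifying release authenticity"

# ClusterVersion spec from the report, trimmed to the relevant fields.
SPEC_JSON = '''{"channel": "stable-4.15", "signatureStores": [
  {"url": "https://raw.githubusercontent.com/jiajliu/8raph_t2st/master/signtest"}]}'''

# CVO log line from the report, shortened with "..." for this example.
LOG_TEXT = (
    'I0126 05:02:05.705444 1 cvo.go:309] Verifying release authenticity: ... '
    'serial signature store wrapping ClusterVersion signatureStores unset, '
    'falling back to default stores, parallel signature store wrapping '
    'containers/image signature store under '
    'https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release, ...'
)


def configured_urls(spec_json):
    """Return the URLs listed in spec.signatureStores (empty list if unset)."""
    spec = json.loads(spec_json)
    return [s["url"] for s in spec.get("signatureStores") or [] if s.get("url")]


def audit(spec_json, log_text):
    """Compare configured stores with the newest verifier line in the CVO log."""
    urls = configured_urls(spec_json)
    lines = [l for l in log_text.splitlines() if VERIFY_TAG in l]
    if not lines:
        return {"status": "no-verifier-line", "fallback": False, "missing": urls}
    latest = lines[-1]  # the most recent verifier description wins
    fallback = FALLBACK in latest
    # Assumption: a store that is reported correctly is named by URL in the line.
    missing = [u for u in urls if u not in latest]
    # Fallback text is expected when nothing is configured, so only flag it
    # when the spec actually lists custom stores.
    status = "mismatch" if urls and (fallback or missing) else "consistent"
    return {"status": status, "fallback": fallback, "missing": missing}


if __name__ == "__main__":
    print(audit(SPEC_JSON, LOG_TEXT))
```

On a live cluster the two inputs come from the `oc get clusterversion version -ojson` and `oc -n openshift-cluster-version logs` commands shown in the description.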