Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-74236

Image pull fails with SignatureValidationFailed

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Obsolete
    • Icon: Undefined Undefined
    • None
    • 4.21.0
    • Cluster Version Operator
    • None
    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • x86_64
    • None
    • Proposed
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      Description of problem:

      On the cluster installed with image 4.21.0-rc.2, if trying to pull another OCP release image, it fails with SignatureValidationFailed.

      Version-Release number of selected component (if applicable):

      4.21.0-rc.0-x86_64 and higher    

      How reproducible:

      Always

      Steps to Reproduce:

          1.Install a cluster with quay.io/openshift-release-dev/ocp-release:4.21.0-rc.0-x86_64
    2.Deploy hive on that cluster
    3.Try to install any OCP cluster via hive
    4.Watch the clusterimageset pod to see if the image pull succeeded

      Actual results:

          clusterimageset pod will fail(ImagePullBackOff) with SignatureValidationFailed

      Expected results:

          clusterimageset pod succeeds, and the cluster provision begins

      Additional info:

      While this was observed with hive, it isn't related to hive at all. When we try to install a cluster via hive, the code first pulls in the image via clusterimageset pod, and then it invokes the installer to provision a cluster. A regular OCP cluster in an non-disconnected environment should succeed in pulling another public OCP release image.
I also verified this by trying the following:
- On the present cluster with 4.21.0-rc.0 cluster version, try the same experiment with both the current Hive master as well as a more stable commit from a month ago. Also tried to install the cluster with different OCP releases. This SignatureValidationFailed is observed every time.
- On a cluster with version 4.17.41, install latest hive, use it to create a cluster with 4.19.12-x86_64 image, the image pull as well as the cluster installation succeeds.

Please note, all the clusters installed here are regular/default IPI AWS installs, with no special configurations.

Also, on the cluster with 4.21.0-rc.0, all cluster operators are healthy.
      The clusterimageset object looks like this:
{
    "apiVersion": "v1",
    "items": [
        {
            "apiVersion": "hive.openshift.io/v1",
            "kind": "ClusterImageSet",
            "metadata": {
                "annotations": {
                    "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"hive.openshift.io/v1\",\"kind\":\"ClusterImageSet\",\"metadata\":{\"annotations\":{},\"name\":\"try-imageset\"},\"spec\":{\"releaseImage\":\"quay.io/openshift-release-dev/ocp-release:4.21.0-rc.2-x86_64\"},\"status\":{}}\n"
                },
                "creationTimestamp": "2026-01-22T07:34:21Z",
                "generation": 1,
                "name": "try-imageset",
                "resourceVersion": "50709",
                "uid": "b6e248bb-a45e-4b5e-9a39-4fb3057bd9e2"
            },
            "spec": {
                "releaseImage": "quay.io/openshift-release-dev/ocp-release:4.21.0-rc.2-x86_64"
            }
        }
    ],
    "kind": "List",
    "metadata": {
        "resourceVersion": ""
    }
}

              qiwan233 Qi Wang
              sumehta Suhani Mehta
              None
              None
              Jia Liu Jia Liu
              None
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: