• Strategic Product Work
    • False
    • Hide

      None

      Show
      None
    • False
    • OCPSTRAT-10Install and update OpenShift on Infrastructure Providers
    • 0% To Do, 0% In Progress, 100% Done
    • 0

      Feature Overview (aka. Goal Summary)  

      Support Serving OpenShift release signatures via Cincinnati. This can serve mostly disconnected use case.
      Currently for disconnected OCP image mirroring we need to create and configure a configmap as mentioned here

       

      Goals (aka. expected user outcomes)

      • Remove the need of creating configmap by mirroring signatures from their upstream locations
      • Restricted-network/disconnected Cincinnati can construct the graph-data tarball via a request to Cincinnati instance that already has signature access (e.g. because it's a connected Cincinnati). 

       

      Use Cases (Optional):

      Connected/disconnected Cincinnati can mirror signatures from their upstream locations without creating configmap using oc-mirror command.
      Also, load signatures from a graph-data container image, for the restricted/disconnected-network case.

       

      Background

      In the process of mirroring images for a disconnected installation using the "oc-mirror" command, currently signature files located in the release-signatures folder are missing. Currently the files are manually applied to the "openshift-config-managed" namespace. Without this manual step any cluster trying to upgrade  fails due to the error the versions are not signed/verified.

      Serving OpenShift release signatures via Cincinnati would allow us to have a single service for update related metadata, namely a Cincinnati deployment on the local network, which the CVO will be configured to poll.  This would make restricted/disconnected-network updates easier, by reducing the amount of pre-update cluster adjustments (no more need to create signature ConfigMaps in each cluster being updated).

      Connected Cincinnati can mirror signatures from their upstream locations
      Cincinnati can also be taught to load signatures from a graph-data container image, for the restricted/disconnected-network case.

       

      Documentation Considerations

      Update documentation to remove the need for configmaps

       

      Interoperability Considerations

      This impacts oc mirror . There are 2 ways to mirror images as mentioned here .

              rh-ee-smodeel Subin M
              lmohanty@redhat.com Lalatendu Mohanty
              Jia Liu Jia Liu
              Sebastian Kopacz Sebastian Kopacz
              Scott Dodson Scott Dodson (Inactive)
              Lalatendu Mohanty Lalatendu Mohanty
              Eric Rich Eric Rich
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: