  1. OpenShift Request For Enhancement
  2. RFE-1601

Add sigstore support to the Image CR in OCP 4.x

    • Feature Request
    • Resolution: Done
    • Major
    • Node

      1. Proposed title of this feature request
      Add sigstore configuration support to the cluster wide Image CR.

      2. What is the nature and description of the request?

      The steps to set up sigstore in an OCP 4.x cluster (https://access.redhat.com/verify-images-ocp4) require modifying the /etc/containers/registries.conf and /etc/containers/policy.json files on the node. However, the cluster wide Image CR also modifies the same registries.conf and policy.json files when it is used to configure the insecure, allowed, and blocked registries. This causes the sigstore configuration to not take effect as the Image CR has a higher priority.

      3. Why does the customer need this? (List the business requirements here)

      A common place to configure both sigstore and registries would be more user friendly. The proposal is to modify the Image CRD so that users can use the cluster wide Image CR to set up sigstore on the cluster.

      4. List any affected packages or components.

      The registries configuration from the cluster wide image CR is used by node/MCO, builds, imagestream imports, and registry pull-through.

       

      Note: The current workaround for this is to update the sigstore configuration doc to say that you cannot use the cluster wide Image CR for any registries configuration when using sigstore.

      BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1866268

            gausingh@redhat.com Gaurav Singh
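A check for the failure mode described in the request, as an added example that is not part of the original issue or any OpenShift code: it resolves which policy.json requirements apply to an image and reports images whose pulls are no longer signature-verified. Both policy documents are constructed samples, the key path is a placeholder, the shape of the regenerated file is an assumption, and wildcard and tag/digest scopes are not handled.

```python
import json

SIGNED_TYPES = {"signedBy", "sigstoreSigned"}  # requirement types that check a signature

def effective_requirements(policy, image):
    """Requirements policy.json applies to a docker:// image reference."""
    scopes = policy.get("transports", {}).get("docker", {})
    name = image.split("@", 1)[0]                      # drop a digest
    head, sep, last = name.rpartition("/")
    name = head + sep + last.split(":", 1)[0] if sep else name   # drop a tag
    while name:                                        # repository, namespaces, then host
        if name in scopes:
            return scopes[name]
        name = name.rpartition("/")[0]
    # Fall back to the transport-wide "" scope, then to the global default.
    return scopes.get("", policy.get("default", []))

def verifies_signatures(policy, image):
    """True if at least one applicable requirement checks a signature."""
    return any(r.get("type") in SIGNED_TYPES
               for r in effective_requirements(policy, image))

def unverified(policy, images):
    """Images that the policy lets through without a signature check."""
    return [i for i in images if not verifies_signatures(policy, i)]

# Constructed sample: policy.json as hand-edited on the node for signature verification.
NODE_POLICY = json.loads("""
{"default": [{"type": "insecureAcceptAnything"}],
 "transports": {"docker": {"registry.redhat.io": [
   {"type": "signedBy", "keyType": "GPGKeys", "keyPath": "/PLACEHOLDER/pubkey.gpg"}]}}}
""")

# Constructed sample (assumed shape): the file after it is regenerated from an
# allowed-registries list, with the hand-added signedBy entry gone.
REWRITTEN_POLICY = json.loads("""
{"default": [{"type": "reject"}],
 "transports": {"docker": {
   "registry.redhat.io": [{"type": "insecureAcceptAnything"}],
   "quay.io": [{"type": "insecureAcceptAnything"}]}}}
""")

MUST_VERIFY = ["registry.redhat.io/ubi8/ubi:latest"]   # constructed image list

if __name__ == "__main__":
    for label, pol in (("node", NODE_POLICY), ("rewritten", REWRITTEN_POLICY)):
        print(label, "unverified:", unverified(pol, MUST_VERIFY))
```

On a node, load `/etc/containers/policy.json` with `json.load` in place of the samples and pass the images that are expected to be signature-verified.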