Bug 2071998: pkg/cvo/updatepayload: Event when forcing through a sig-verification failure

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/imdario/mergo v0.3.8 // indirect
 	github.com/openshift/api v0.0.0-20220504105152-6f735e7109c8
 	github.com/openshift/client-go v0.0.0-20220504114320-6aec01bb0754
-	github.com/openshift/library-go v0.0.0-20220512194226-3c66b317b110
+	github.com/openshift/library-go v0.0.0-20220523142556-5bcfed822fc6
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.11.1
 	github.com/prometheus/client_model v0.2.0

go.sum

@@ -488,8 +488,8 @@ github.com/openshift/api v0.0.0-20220504105152-6f735e7109c8/go.mod h1:F/eU6jgr6Q
 github.com/openshift/build-machinery-go v0.0.0-20211213093930-7e33a7eb4ce3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20220504114320-6aec01bb0754 h1:E/SORtM8rYRq5vp7zlSyxUeH1v71QZAFXW7FkAggw0Q=
 github.com/openshift/client-go v0.0.0-20220504114320-6aec01bb0754/go.mod h1:0KyRH70L+vAGs8wkOkqbsE9qR4lgjW2ugJsCzl1nj5w=
-github.com/openshift/library-go v0.0.0-20220512194226-3c66b317b110 h1:5lgF3YD1XwaJVtasYsWKFTwI3ZUwuVMcMAwJf2x4YSY=
-github.com/openshift/library-go v0.0.0-20220512194226-3c66b317b110/go.mod h1:1QSdymJBGXSOgBj7tWhj4cV+i1+AvkQ/Tq78ebWjXCU=
+github.com/openshift/library-go v0.0.0-20220523142556-5bcfed822fc6 h1:HSmUjhgHhwxdNPvq8xPf19BV67wf1GIepefPOl7dsIU=
+github.com/openshift/library-go v0.0.0-20220523142556-5bcfed822fc6/go.mod h1:1QSdymJBGXSOgBj7tWhj4cV+i1+AvkQ/Tq78ebWjXCU=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=

pkg/cvo/sync_worker.go

@@ -2,6 +2,7 @@ package cvo
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"math/rand"
 	"reflect"
@@ -14,7 +15,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	"golang.org/x/time/rate"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/util/errors"
+	apierrors "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/tools/record"
@@ -283,6 +284,19 @@ func (w *SyncWorker) syncPayload(ctx context.Context, work *SyncWork,
 			})
 			return nil, err
 		}
+		if info.VerificationError != nil {
+			msg := ""
+			for err := info.VerificationError; err != nil; err = errors.Unwrap(err) {
+				details := err.Error()
+				if !strings.Contains(msg, details) {
+					// library-go/pkg/verify wraps the details, but does not include them
+					// in the top-level error string.  If we have an error like that,
+					// include the details here.
+					msg = fmt.Sprintf("%s\n%s", msg, details)
+				}
+			}
+			w.eventRecorder.Eventf(cvoObjectRef, corev1.EventTypeWarning, "RetrievePayload", msg)
+		}
 
 		w.eventRecorder.Eventf(cvoObjectRef, corev1.EventTypeNormal, "LoadPayload", "Loading payload version=%q image=%q", desired.Version, desired.Image)
 		payloadUpdate, err := payload.LoadUpdate(info.Directory, desired.Image, w.exclude, w.includeTechPreview, w.clusterProfile,
@@ -1081,12 +1095,12 @@ func summarizeTaskGraphErrors(errs []error) error {
 	// we ignore context errors (canceled or timed out) since they don't
 	// provide good feedback to users and are an internal detail of the
 	// server
-	err := errors.FilterOut(errors.NewAggregate(errs), isContextError)
+	err := apierrors.FilterOut(apierrors.NewAggregate(errs), isContextError)
 	if err == nil {
 		klog.V(2).Infof("All errors were context errors: %v", errs)
 		return nil
 	}
-	agg, ok := err.(errors.Aggregate)
+	agg, ok := err.(apierrors.Aggregate)
 	if !ok {
 		errs = []error{err}
 	} else {
@@ -1181,7 +1195,7 @@ func newClusterOperatorsNotAvailable(errs []error) error {
 	sort.Strings(names)
 	name := strings.Join(names, ", ")
 	return &payload.UpdateError{
-		Nested:       errors.NewAggregate(errs),
+		Nested:       apierrors.NewAggregate(errs),
 		UpdateEffect: updateEffect,
 		Reason:       "ClusterOperatorsNotAvailable",
 		Message:      fmt.Sprintf("Some cluster operators are still updating: %s", name),
@@ -1228,7 +1242,7 @@ func newMultipleError(errs []error) error {
 		return errs[0]
 	}
 	return &payload.UpdateError{
-		Nested:  errors.NewAggregate(errs),
+		Nested:  apierrors.NewAggregate(errs),
 		Reason:  "MultipleErrors",
 		Message: fmt.Sprintf("Multiple errors are preventing progress:\n* %s", strings.Join(messages, "\n* ")),
 	}

pkg/cvo/updatepayload.go

@@ -113,7 +113,8 @@ func (r *payloadRetriever) RetrievePayload(ctx context.Context, update configv1.
 		if !update.Force {
 			return PayloadInfo{}, vErr
 		}
-		klog.Warningf("An image was retrieved from %q that failed verification: %v", update.Image, vErr)
+		vErr.Message = fmt.Sprintf("Target release version=%q image=%q cannot be verified, but continuing anyway because the update was forced: %v", update.Version, update.Image, err)
+		klog.Warning(vErr)
 		info.VerificationError = vErr
 	} else {
 		info.Verified = true

pkg/payload/task.go

@@ -178,10 +178,20 @@ func (e *UpdateError) Error() string {
 	return e.Message
 }
 
+// Cause supports github.com/pkg/errors.Cause [1].
+//
+// [1]: https://pkg.go.dev/github.com/pkg/errors#readme-retrieving-the-cause-of-an-error
 func (e *UpdateError) Cause() error {
 	return e.Nested
 }
 
+// Unwrap supports errors.Unwrap [1].
+//
+// [1]: https://pkg.go.dev/errors#Unwrap
+func (e *UpdateError) Unwrap() error {
+	return e.Nested
+}
+
 // reasonForUpdateError provides a succint explanation of a known error type for use in a human readable
 // message during update. Since all objects in the image should be successfully applied, messages
 // should direct the reader (likely a cluster administrator) to a possible cause in their own config.

vendor/modules.txt

@@ -84,7 +84,7 @@ github.com/openshift/client-go/image/clientset/versioned/scheme
 github.com/openshift/client-go/image/clientset/versioned/typed/image/v1
 github.com/openshift/client-go/security/clientset/versioned/scheme
 github.com/openshift/client-go/security/clientset/versioned/typed/security/v1
-# github.com/openshift/library-go v0.0.0-20220512194226-3c66b317b110
+# github.com/openshift/library-go v0.0.0-20220523142556-5bcfed822fc6
 ## explicit
 github.com/openshift/library-go/pkg/config/clusterstatus
 github.com/openshift/library-go/pkg/config/leaderelection