OSDOCS 16124: Node add statement that cluster image policy is TP #98786
Conversation
1d23fe8 to 6155e28
🤖 Wed Sep 10 20:25:40 - Prow CI generated the docs preview: https://98786--ocpdocs-pr.netlify.app/openshift-enterprise/latest/nodes/nodes-sigstore-using.html
734b27a to 92027c6
| * You have a signing process in place to sign your images. | ||
| * You have access to a registry that supports Cosign signatures, if you are using Cosign signatures. | ||
| * If registry mirrors are configured for the {product-title} release image repositories, `quay.io/openshift-release-dev/ocp-release` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev`, before enabling the Technology Preview feature set, you must mirror the sigstore signatures for the {product-title} release images into your mirror registry. Otherwise, the default `openshift` cluster image policy, which enforces signature verification for the release repository, will block the ability of the Cluster Version Operator to move the CVO Pod to new nodes, which prevents the node update that results from the feature set change. | ||
| * If registry mirrors are configured for the {product-title} release image repositories, `quay.io/openshift-release-dev/ocp-release` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev`, before enabling the Technology Preview feature set, you must mirror the sigstore signatures for the {product-title} release images into your mirror registry. Otherwise, the default `openshift` cluster image policy, which enforces signature verification for the release repository, will block the ability of the Cluster Version Operator to move the CVO Pod to new nodes, which prevents the node update that results from the feature set change. This cluster image policy is Technology Preview and is active only in clusters that have enabled Technology Preview features. |
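Review bot: the new trailing sentence states the Technology Preview status of the `openshift` cluster image policy inside the ImagePolicy prerequisites, where the reader is creating an `ImagePolicy`, not a `ClusterImagePolicy`; the review discussion on this page reaches the same conclusion, so drop this prerequisite from the ImagePolicy module rather than extend it, and keep the Technology Preview statement in the cluster image policy module where the mirror-signature requirement actually applies. If the item is kept here, change `will block the ability` to `blocks the ability` to match the present-tense wording used in the later revision of this same prerequisite.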
I don't understand us talking about ClusterImagePolicies here in this ImagePolicy section. Maybe we can drop this line entirely?
#86087 (comment) It seems that originally we wanted to provide guidance for clusters that don't have access to signatures, or that need verification against their own signature and the openshift official signature through the mirrors. I see it's a bit confusing; we can wait for feedback and provide more documentation if needed.
I was wondering the same thing as @wking. I wonder if I intended to add it to the cluster image policy module instead.
Here is the source of the text, from a conversation between @wking and @QiWang19 in the original PR.
Thanks for finding that! I think for me at least, my interest in having the openshift ClusterImagePolicy mentioned in the ImagePolicy portion of the doc was based on "if readers find ImagePolicy interesting and enable TechPreviewNoUpgrade to access it, we should warn them that it will pull in the openshift ClusterImagePolicy, and they'll need to have a plan to access those Red Hat release image signatures". Now that ImagePolicy is GA, but the openshift ClusterImagePolicy is still TechPreview, I think we can safely drop this entry from this file (we should keep it in the ClusterImagePolicy file, where it provides context for our reserving the openshift name prefix). And it's maybe interesting enough to keep in the Sigstore-config file?
@anahas-redhat Can you PTAL? Thank you.
/lgtm
0e48046 to e057d2f
@mburke5678: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
| * You have a sigstore-supported public key infrastructure (PKI) or a link:https://docs.sigstore.dev/cosign/[Cosign public and private key pair] for signing operations. | ||
| * You have a signing process in place to sign your images. | ||
| * You have access to a registry that supports Cosign signatures, if you are using Cosign signatures. | ||
| * If registry mirrors are configured for the {product-title} release image repositories, `quay.io/openshift-release-dev/ocp-release` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev`, before enabling the Technology Preview feature set, you must mirror the sigstore signatures for the {product-title} release images into your mirror registry. Otherwise, the default `openshift` cluster image policy, which enforces signature verification for the release repository, blocks the ability of the Cluster Version Operator to move the CVO pod to new nodes, preventing the node update that results from the feature set change. |
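Review bot: the new fourth prerequisite describes an action that must happen before the Technology Preview feature set is enabled, not before the cluster image policy CR is created, so lead with that ordering, for example `Before you enable the Technology Preview feature set, mirror the sigstore signatures for the {product-title} release images into your mirror registry`, and add an xref to the procedure the reader follows to mirror those signatures, which this item does not point to. The explanation of the consequence is the right one to keep: the default `openshift` policy enforces signature verification for the release repository, so when the mirror lacks the signatures, verification blocks the CVO pod from moving to new nodes; the remedy the item gives is to supply the signatures, and it should stay phrased that way rather than suggest relaxing the policy.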
| * If registry mirrors are configured for the {product-title} release image repositories, `quay.io/openshift-release-dev/ocp-release` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev`, before enabling the Technology Preview feature set, you must mirror the sigstore signatures for the {product-title} release images into your mirror registry. Otherwise, the default `openshift` cluster image policy, which enforces signature verification for the release repository, blocks the ability of the Cluster Version Operator to move the CVO pod to new nodes, preventing the node update that results from the feature set change. | |
| * If registry mirrors are configured for the {product-title} release image repositories, `quay.io/openshift-release-dev/ocp-release` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev`, you must mirror the sigstore signatures for the {product-title} release images into your mirror registry before enabling the Technology Preview feature set. Otherwise, the default `openshift` cluster image policy, which enforces signature verification for the release repository, blocks the ability of the Cluster Version Operator to move the CVO pod to new nodes, preventing the node update that results from the feature set change. |
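Review bot: the suggested reordering is purely structural: the instruction `you must mirror the sigstore signatures for the {product-title} release images into your mirror registry` becomes the main clause and the timing condition `before enabling the Technology Preview feature set` closes the sentence, while the conditional on registry mirrors, the repository names and the consequence for the CVO pod are unchanged, so it can be taken as a follow-up without re-review of the technical content.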
IMHO moving the clause simplifies the sentence, but not remotely a merge blocker, just a thought for later consideration.
ShaunaDiaz left a comment:
/lgtm
/cherrypick enterprise-4.20
@ShaunaDiaz: new pull request created: #98872
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
https://issues.redhat.com/browse/OSDOCS-16124
Preview
About configuring sigstore support -- Added to the Important admonition. Current docs.
Creating a cluster image policy CR -- Added paragraph 3, Tech Preview snippet, and prerequisite 4.
Creating an image policy CR -- Removed prerequisite 4. Current docs.
QE review: