v2 does not generate usable release signatures #917

Open
germanovm opened this issue Sep 5, 2024 · 2 comments

@germanovm

germanovm commented Sep 5, 2024

Version

$ oc-mirror version
oc-mirror version v2.0.0

What happened?

The mirroring works fine; I can even deploy the Cincinnati operator with the graph, and all is OK.
But I cannot upgrade my cluster because it does not recognize the release signatures.

What did you expect to happen?

The tool generates config-maps with signatures I can apply to the cluster, otherwise I can't use the mirror for upgrades via OSUS:

  • lastTransitionTime: "2024-09-04T05:23:39Z"
    message: 'Retrieving payload failed version="4.16.10" image="mirror.example.com:50000/openshift-release-dev/ocp-release@sha256:793bac91943944692d72a61c47a3102edb70fb2948cdf54019f06376a87298ad"
    failure=The update cannot be verified: unable to verify sha256:793bac91943944692d72a61c47a3102edb70fb2948cdf54019f06376a87298ad
    against keyrings: verifier-public-key-redhat'
    reason: RetrievePayload
    status: "False"
    type: ReleaseAccepted

How to reproduce it (as minimally and precisely as possible)?

  1. Mirror with graph for disconnected cluster
  2. Install cincinnati-operator
  3. Configure CVO to use cincinnati-operator
  4. Try to upgrade the cluster

Anything else we need to know?

The tool seems to generate the signatures

/shift/registry/workspace/working-dir/signatures# ls -l
total 24
-rwxr-xr-x. 1 root root 896 Sep  3 16:41 0d365611e78c5306975753975419851183536354273a6340021f9b1cdd2a34c3
-rwxr-xr-x. 1 root root 894 Sep  5 10:57 115bba6836b9feffb81ad9101791619edd5f19d333580b7f62bd6721eeda82d2
-rwxr-xr-x. 1 root root 896 Sep  3 16:41 24ea553ce2e79fab0ff9cf2917d26433cffb3da954583921926034b9d5d309bd
-rwxr-xr-x. 1 root root 896 Sep  3 16:41 5f1f16ecdc6429bafb437515a2bb131e367b3d98650599d735a2894cb0d0cddf
-rw-r--r--. 1 root root 899 Sep  5 10:57 793bac91943944692d72a61c47a3102edb70fb2948cdf54019f06376a87298ad
-rwxr-xr-x. 1 root root 899 Sep  3 16:41 ac78ebf77f95ab8ff52847ecd22592b545415e1ff6c7ff7f66bf81f158ae4f5e

But there are binary files that I cannot apply; V1 used to generate a nice config-map for these.

@sherine-k
Contributor

Hello @germanovm
We're working on generating the signature configmaps in #924

@rectacoda

Hello.

We have tested oc-mirror 4.18.0-202410011141.p0.g227a9c4 on the stable-4.17 OCP channel.
There are 2 files generated for the same signature, 1 json and 1 yaml, but the metadata.name is missing on both, so it can't be applied as is.
Also, it seems only one of these 2 files is necessary.
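
A pre-apply check for a generated signature config map such as the JSON file mentioned in the last comment, given here as an added example (not oc-mirror code and not written by anyone in this thread). The namespace, label and `sha256-<digest>-` key prefix are assumptions based on the convention for manually created release-signature config maps; the sample document is constructed and uses the digest from the error message above with placeholder signature bytes.

```python
import base64
import re

# Assumed conventions for a release-signature ConfigMap (not stated in this issue).
NAMESPACE = "openshift-config-managed"
LABEL = "release.openshift.io/verification-signatures"
KEY_PREFIX_RE = re.compile(r"^sha256-[0-9a-f]{64}-.+$")


def check_signature_configmap(doc: dict) -> list[str]:
    """Return the problems that would keep this ConfigMap from being applied or used."""
    problems = []
    if doc.get("kind") != "ConfigMap":
        problems.append("kind is not ConfigMap")
    meta = doc.get("metadata") or {}
    if not meta.get("name"):
        problems.append("metadata.name is missing")
    if meta.get("namespace") != NAMESPACE:
        problems.append(f"metadata.namespace is not {NAMESPACE}")
    if LABEL not in (meta.get("labels") or {}):
        problems.append(f"label {LABEL} is missing")
    data = doc.get("binaryData") or {}
    if not data:
        problems.append("binaryData is empty")
    for key, value in data.items():
        if not KEY_PREFIX_RE.match(key):
            problems.append(f"binaryData key {key!r} lacks the sha256-<digest>- prefix")
        try:
            base64.b64decode(value, validate=True)
        except (ValueError, TypeError):  # binascii.Error is a ValueError
            problems.append(f"binaryData[{key!r}] is not valid base64")
    return problems


# Constructed sample: digest from the issue, placeholder signature bytes,
# and no metadata.name (the defect reported in the last comment).
DIGEST = "793bac91943944692d72a61c47a3102edb70fb2948cdf54019f06376a87298ad"
SAMPLE = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"namespace": NAMESPACE, "labels": {LABEL: ""}},
    "binaryData": {f"sha256-{DIGEST}-1": base64.b64encode(b"placeholder").decode()},
}

if __name__ == "__main__":
    for problem in check_signature_configmap(SAMPLE):
        print(problem)
```

The check only validates the shape of the document; whether the signature verifies against the cluster's keyring is still decided by the cluster.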
