search

openshift / oc-mirror

Lifecycle manager for internet-disconnected OpenShift environments
Apache License 2.0
82 stars 80 forks source link

OCPBUGS-31536:OCPBUGS-33554: Fix mirroring operators on fedora systems - no sig verification #852

Closed sherine-k closed 1 month ago

sherine-k commented 1 month ago

Description

2 issues are fixed here:

Fixes # OCPBUGS-31536

Type of change

Please delete options that are not relevant.

How Has This Been Tested?

$ ./bin/oc-mirror -c isc_31536.yaml file:///home/skhoury/31536 --enable-operator-secure-policy

Expected Outcome

Above test is no proof of fix: this needs to be tested on a fedora system

openshift-ci-robot commented 1 month ago

@sherine-k: This pull request references Jira Issue OCPBUGS-31536, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug * bug is open, matching expected state (open) * bug target version (4.16.0) matches configured target version for branch (4.16.0) * bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @kasturinarra

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/oc-mirror/pull/852): ># Description >2 issues are fixed here: >* catalog images are mirrored as manifest lists >* catalog images are mirrored without signature verification by default >* to enable signature verification, one can use the new flag `--enable-operator-secure-policy` >* existing flag `oci-insecure-signature-policy` marked deprecated > >Fixes # OCPBUGS-31536 > >## Type of change > >Please delete options that are not relevant. > >- [x] Bug fix (non-breaking change which fixes an issue) >- [ ] New feature (non-breaking change which adds functionality) >- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) >- [ ] This change requires a documentation update > ># How Has This Been Tested? >``` >$ ./bin/oc-mirror -c isc_31536.yaml file:///home/skhoury/31536 --enable-operator-secure-policy >``` > >## Expected Outcome >Above test is no proof of fix: this needs to be tested on a fedora system >* with no /etc/containers/policy.json >* AND without using the flag > to show that the mirroring is successful on systems that don't have the policy setup for checking image signatures from redhat. Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Foc-mirror). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-ci[bot] commented 1 month ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sherine-k

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/openshift/oc-mirror/blob/main/OWNERS)~~ [sherine-k] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment
openshift-ci[bot] commented 1 month ago

@sherine-k: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).
zhouying7780 commented 1 month ago

/label qe-approved

openshift-ci-robot commented 1 month ago

@sherine-k: This pull request references Jira Issue OCPBUGS-31536, which is valid.

3 validation(s) were run on this bug * bug is open, matching expected state (open) * bug target version (4.16.0) matches configured target version for branch (4.16.0) * bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @kasturinarra

In response to [this](https://github.com/openshift/oc-mirror/pull/852): ># Description >2 issues are fixed here: >* catalog images are mirrored as manifest lists >* catalog images are mirrored without signature verification by default >* to enable signature verification, one can use the new flag `--enable-operator-secure-policy` >* existing flag `oci-insecure-signature-policy` marked deprecated > >Fixes # OCPBUGS-31536 > >## Type of change > >Please delete options that are not relevant. > >- [x] Bug fix (non-breaking change which fixes an issue) >- [ ] New feature (non-breaking change which adds functionality) >- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) >- [ ] This change requires a documentation update > ># How Has This Been Tested? >``` >$ ./bin/oc-mirror -c isc_31536.yaml file:///home/skhoury/31536 --enable-operator-secure-policy >``` > >## Expected Outcome >Above test is no proof of fix: this needs to be tested on a fedora system >* with no /etc/containers/policy.json >* AND without using the flag > to show that the mirroring is successful on systems that don't have the policy setup for checking image signatures from redhat. Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Foc-mirror). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
lmzuccarelli commented 1 month ago

/label acknowledge-critical-fixes-only /lgtm

openshift-ci-robot commented 1 month ago

@sherine-k: Jira Issue OCPBUGS-31536: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-31536 has been moved to the MODIFIED state.

In response to [this](https://github.com/openshift/oc-mirror/pull/852): ># Description >2 issues are fixed here: >* catalog images are mirrored as manifest lists >* catalog images are mirrored without signature verification by default >* to enable signature verification, one can use the new flag `--enable-operator-secure-policy` >* existing flag `oci-insecure-signature-policy` marked deprecated > >Fixes # OCPBUGS-31536 > >## Type of change > >Please delete options that are not relevant. > >- [x] Bug fix (non-breaking change which fixes an issue) >- [ ] New feature (non-breaking change which adds functionality) >- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) >- [ ] This change requires a documentation update > ># How Has This Been Tested? >``` >$ ./bin/oc-mirror -c isc_31536.yaml file:///home/skhoury/31536 --enable-operator-secure-policy >``` > >## Expected Outcome >Above test is no proof of fix: this needs to be tested on a fedora system >* with no /etc/containers/policy.json >* AND without using the flag > to show that the mirroring is successful on systems that don't have the policy setup for checking image signatures from redhat. Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Foc-mirror). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
openshift-bot commented 1 month ago

[ART PR BUILD NOTIFIER]

This PR has been included in build oc-mirror-plugin-container-v4.17.0-202405151441.p0.g50e84e5.assembly.stream.el9 for distgit oc-mirror-plugin. All builds following this will include this PR.

openshift-merge-robot commented 1 month ago

Fix included in accepted release 4.16.0-0.nightly-2024-05-16-092402