OSDOCS 17653 GA-BYOPKI for image verification in OCP #103803
Conversation
@QiWang19 @lyman9966 For this PR, I only removed the Technology Preview statements, as I understand there are no user-facing changes in the TP to GA promotion. Can you please verify if this is correct?
🤖 Thu Dec 11 15:58:26 - Prow CI generated the docs preview: https://103803--ocpdocs-pr.netlify.app/openshift-enterprise/latest/nodes/nodes-sigstore-using.html
QiWang19 left a comment
LGTM on removing the requirement to enable the FeatureGate for the BYOPKI use case.
@wking Could you take a look at the note on mirroring signatures to make sure it's relevant and necessary for users in this use case?
| * You have a sigstore-supported public key infrastructure (PKI) key, a Bring Your Own Public Key Infrastructure (BYOPKI) certificate, or provide a link:https://docs.sigstore.dev/cosign/signing/overview/[Cosign public and private key pair] for signing operations. | ||
| * You have a signing process in place to sign your images. | ||
| * You have access to a registry that supports Cosign signatures, if you are using Cosign signatures. | ||
| * If registry mirrors are configured for the {product-title} release image repositories, `quay.io/openshift-release-dev/ocp-release` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev`, before enabling the Technology Preview feature set, you must mirror the sigstore signatures for the {product-title} release images into your mirror registry. Otherwise, the default `openshift` cluster image policy, which enforces signature verification for the release repository, blocks the ability of the Cluster Version Operator to move the CVO pod to new nodes, preventing the node update that results from the feature set change. |
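Review bot: the prerequisite still says "before enabling the Technology Preview feature set" and ends with "preventing the node update that results from the feature set change", but this PR removes the Technology Preview statements for the GA promotion, so the trigger this sentence describes no longer exists. Reword it to require mirroring the sigstore signatures whenever registry mirrors are configured for the two release repositories, and keep the stated consequence (the default `openshift` cluster image policy blocking the Cluster Version Operator from moving the CVO pod to new nodes) as the reason the mirroring is required.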
Mirroring the sigstore signatures seems to still be valid guidance for air-gapped or disconnected environments. However, mentioning the Technology Preview feature set here might no longer be relevant. Would it make sense to adjust this section to focus on recommending signature mirroring explicitly for disconnected users? @wking What are your thoughts?
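As an added example, not code from this PR or from the OpenShift documentation, the script below shows what mirroring the release-image signatures for a disconnected registry amounts to: for each release pullspec pinned by digest, it derives the tag under which the sigstore signature is stored and emits the `oc image mirror` command that copies that one artifact into the mirror registry. It assumes the cosign/sigstore tag convention (a signature for `sha256:<hex>` lives in the same repository as tag `sha256-<hex>.sig`); the digest values and the mirror registry `mirror.example.com/ocp4/ocp-release` are constructed placeholders. The commands are printed rather than executed, so the script runs offline and the output can be reviewed before being piped to a shell.

```shell
#!/bin/sh
# Added example (not from the PR or OpenShift docs). Assumes sigstore
# signatures are stored beside the image as tag sha256-<hex>.sig.

# validate_digest DIGEST: succeed only for sha256:<64 lowercase hex chars>.
validate_digest() {
  case "$1" in
    sha256:*) ;;
    *) return 1 ;;
  esac
  hex=${1#sha256:}
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# cosign_sig_tag DIGEST: map sha256:<hex> to the signature tag sha256-<hex>.sig.
cosign_sig_tag() {
  validate_digest "$1" || return 1
  printf 'sha256-%s.sig\n' "${1#sha256:}"
}

# signature_mirror_cmd SRC_REPO MIRROR_REPO DIGEST: print the oc image mirror
# command that copies one signature artifact from SRC_REPO to MIRROR_REPO.
signature_mirror_cmd() {
  tag=$(cosign_sig_tag "$3") || return 1
  printf 'oc image mirror %s:%s %s:%s\n' "$1" "$tag" "$2" "$tag"
}

# digest_of PULLSPEC: extract the digest from repo@sha256:<hex>; fail for a
# tag-only pullspec, because a signature can only be located by digest.
digest_of() {
  case "$1" in
    *@sha256:*) validate_digest "${1##*@}" && printf '%s\n' "${1##*@}" ;;
    *) return 1 ;;
  esac
}

# mirror_cmds_for MIRROR_REPO: read pullspecs on stdin (one per line) and
# print one mirror command per digest-pinned pullspec; tag-only entries are
# reported on stderr and skipped.
mirror_cmds_for() {
  while IFS= read -r spec; do
    [ -n "$spec" ] || continue
    d=$(digest_of "$spec") || { printf 'skip (no digest): %s\n' "$spec" >&2; continue; }
    signature_mirror_cmd "${spec%@*}" "$1" "$d"
  done
}

# Constructed sample input: one digest-pinned release pullspec (placeholder
# digest) and one tag-only pullspec that must be skipped.
demo() {
  mirror_cmds_for mirror.example.com/ocp4/ocp-release <<'EOF'
quay.io/openshift-release-dev/ocp-release@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
quay.io/openshift-release-dev/ocp-release:4.21.0-x86_64
EOF
}

demo
```

Run it as-is to see the generated commands; to mirror for real, replace the placeholder digest with the digests of the release images already mirrored (as reported by the mirroring tool) and pipe the output to `sh`. The same derivation applies to the `ocp-v4.0-art-dev` repository named in the prerequisite.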
| * You have access to a registry that supports Cosign signatures, if you are using Cosign signatures. | ||
| * If registry mirrors are configured for the {product-title} release image repositories, `quay.io/openshift-release-dev/ocp-release` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev`, before enabling the Technology Preview feature set, you must mirror the sigstore signatures for the {product-title} release images into your mirror registry. Otherwise, the default `openshift` cluster image policy, which enforces signature verification for the release repository, blocks the ability of the Cluster Version Operator to move the CVO pod to new nodes, preventing the node update that results from the feature set change. | ||
| + | ||
| You can use the `oc image mirror` command to mirror the signatures. For example: |
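Review bot: the added sentence "You can use the `oc image mirror` command to mirror the signatures" does not say which signatures or between which repositories; name the source release repositories from the prerequisite above and the destination mirror registry, so the reader knows the signatures must be copied alongside the mirrored release images rather than into an arbitrary location.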
non-blocker: CLID-453 introduces the oc-mirror tool to mirror sigstore signatures by default and is currently in the testing phase for version 4.21. Once the documentation is ready, we could consider adding a follow-up PR to include the oc-mirror tool as an alternative method for mirroring signatures.
Requested help from the writer associated with CLID-43.
🤖 Fri Dec 12 22:08:45 - Prow CI generated the docs preview: https://103803--ocpdocs-pr.netlify.app/openshift-enterprise/latest/nodes/nodes-sigstore-using.html
@mburke5678: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
https://issues.redhat.com/browse/OSDOCS-17653