From d68421612ae8cf2e2fad6fa3d2bafcfc7c669fb2 Mon Sep 17 00:00:00 2001
From: Thuan Vo
Date: Thu, 11 Sep 2025 16:52:35 -0700
Subject: [PATCH] CORS-3550: add ability to opt out of the sigstore signing requirement

Introduce OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY env var. When set non-empty, it instructs the installer to include an entry for ClusterImagePolicy "openshift" in the CVO overrides. This override enables opting out of the sigstore signing requirement for release images. The change is part of OpenShift Image Policy EP [1].

References: [1] https://github.com/openshift/enhancements/blob/0f1e5f130b6b4d99e99d35191ea18b41ddef4168/enhancements/security/openshift-image-policy.md#installer
---
 pkg/asset/ignition/bootstrap/cvoignore.go | 25 +++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/pkg/asset/ignition/bootstrap/cvoignore.go b/pkg/asset/ignition/bootstrap/cvoignore.go
index 1cf016a634..c5ac1c79b7 100644
--- a/pkg/asset/ignition/bootstrap/cvoignore.go
+++ b/pkg/asset/ignition/bootstrap/cvoignore.go
@@ -4,8 +4,10 @@ import (
 "context"
 "encoding/json"
 "fmt"
+"os"
 
 "github.com/pkg/errors"
+"github.com/sirupsen/logrus"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "sigs.k8s.io/yaml"
 
@@ -98,6 +100,8 @@ func (a *CVOIgnore) Generate(_ context.Context, dependencies asset.Parents) erro
 if !ok && originalOverridesAsInterface != nil {
 return errors.Errorf("unexpected type (%T) for .spec.overrides in clusterversion", originalOverridesAsInterface)
 }
+originalOverrides = append(originalOverrides, getClusterVersionOperatorOverrides()...)
+
 originalOverridesPatch := map[string]interface{}{
 "spec": map[string]interface{}{
 "overrides": originalOverrides,
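Review bot: The appended entries are not checked against what is already in `originalOverrides`, so a user-supplied ClusterVersion manifest that already overrides the `openshift` ClusterImagePolicy ends up with two entries for the same group/kind/name; the append line could skip any override whose Group, Kind and Name already match an existing element. The helper also contributes a typed `configv1.ComponentOverride` into a slice whose existing elements came from an unstructured object (JSON maps): if the patch is later serialised with `json.Marshal` that is fine, but if it goes through `unstructured.SetNestedField` a struct value is not a JSON type and will not survive the deep copy, so either a comment stating which path is taken or a conversion to `map[string]interface{}` at this point would remove the doubt. Generate's body continues outside the hunk.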
@@ -135,3 +139,24 @@ func (a *CVOIgnore) Files() []*asset.File {
 func (a *CVOIgnore) Load(f asset.FileFetcher) (bool, error) {
 return false, nil
 }
+
+// getClusterVersionOperatorOverrides returns Cluster Version Operator (CVO) overrides if any.
+// The CVO overrides allow disabling CVO management of specified resources.
+func getClusterVersionOperatorOverrides() []interface{} {
+var overrides []interface{}
+
+// OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY, if set non-empty, will instruct the installer
+// to include an entry for the cluster-scoped "openshift" ClusterImagePolicy in the CVO overrides.
+// This enables internal testing to opt out of the sigstore signing requirement for release images.
+if disableImagePolicy, ok := os.LookupEnv("OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY"); ok && disableImagePolicy != "" {
+logrus.Warn("OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY is set, opting out of the sigstore signing requirement for release images")
+overrides = append(overrides, configv1.ComponentOverride{
+Group: configv1.GroupVersion.Group,
+Kind: "ClusterImagePolicy",
+Name: "openshift",
+Unmanaged: true,
+})
+}
+
+return overrides
+}
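Review bot: The guard `ok && disableImagePolicy != ""` treats any non-empty value as an opt-in, so `OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY=false` or `=0` still marks the policy Unmanaged and switches off release-image signature verification; because this is a security control, parsing the value with `strconv.ParseBool` (or, if the installer's other EXPERIMENTAL variables deliberately use non-empty semantics, stating that explicitly in the doc comment) would make an accidental opt-out less likely. The warning fires only while manifests are generated, whereas the override itself presumably stays in ClusterVersion `spec.overrides` after installation, so the doc comment could add `// The resulting override persists in ClusterVersion spec.overrides and is visible to cluster admins after install.` Reading the environment inside the helper also makes it hard to unit-test without mutating process state; passing the value in (`getClusterVersionOperatorOverrides(disableImagePolicy string)`) and doing the `os.LookupEnv` in Generate would let a test cover both the empty and the set branch.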