Skip to content

Commit 95ccf3f

Browse files
openshift-merge-bot[bot]openshift-merge-bot[bot]
authored
Merge pull request #9940 from tthvo/CORS-3550
CORS-3550: add ability to opt out of the sigstore signing requirement
2 parents e593707 + d684216 commit 95ccf3f

File tree

1 file changed

+25
-0
lines changed

1 file changed

+25
-0
lines changed

pkg/asset/ignition/bootstrap/cvoignore.go

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,8 +4,10 @@ import (
44
"context"
55
"encoding/json"
66
"fmt"
7+
"os"
78

89
"github.com/pkg/errors"
10+
"github.com/sirupsen/logrus"
911
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
1012
"sigs.k8s.io/yaml"
1113

@@ -98,6 +100,8 @@ func (a *CVOIgnore) Generate(_ context.Context, dependencies asset.Parents) erro
98100
if !ok && originalOverridesAsInterface != nil {
99101
return errors.Errorf("unexpected type (%T) for .spec.overrides in clusterversion", originalOverridesAsInterface)
100102
}
103+
originalOverrides = append(originalOverrides, getClusterVersionOperatorOverrides()...)
104+
101105
originalOverridesPatch := map[string]interface{}{
102106
"spec": map[string]interface{}{
103107
"overrides": originalOverrides,
@@ -135,3 +139,24 @@ func (a *CVOIgnore) Files() []*asset.File {
135139
func (a *CVOIgnore) Load(f asset.FileFetcher) (bool, error) {
136140
return false, nil
137141
}
142+
143+
// getClusterVersionOperatorOverrides returns Cluster Version Operator (CVO) overrides if any.
144+
// The CVO overrides allow disabling CVO management of specified resources.
145+
func getClusterVersionOperatorOverrides() []interface{} {
146+
var overrides []interface{}
147+
148+
// OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY, if set non-empty, will instruct the installer
149+
// to include an entry for the cluster-scoped "openshift" ClusterImagePolicy in the CVO overrides.
150+
// This enables internal testing to opt out of the sigstore signing requirement for release images.
151+
if disableImagePolicy, ok := os.LookupEnv("OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY"); ok && disableImagePolicy != "" {
152+
logrus.Warn("OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY is set, opting out of the sigstore signing requirement for release images")
153+
overrides = append(overrides, configv1.ComponentOverride{
154+
Group: configv1.GroupVersion.Group,
155+
Kind: "ClusterImagePolicy",
156+
Name: "openshift",
157+
Unmanaged: true,
158+
})
159+
}
160+
161+
return overrides
162+
}

0 commit comments

Comments
 (0)