5.5. Creating the image signature config map


Before you update your cluster, you must manually create a config map that contains the signatures of the release images that you use. These signatures allow the Cluster Version Operator (CVO) to verify that the release images have not been modified by comparing the expected and actual image signatures.

If you are upgrading from version 4.4.8 or later, you can use the oc CLI to create the config map. If you are upgrading from an earlier version, you must use the manual method.

Note

If you are upgrading from a release prior to version 4.4.8, you must use the manual method for creating the config map instead of this procedure. The commands that this procedure uses are not in earlier versions of the oc command-line interface (CLI).

Prerequisites

  • Install the OpenShift CLI (oc), version 4.4.8 or later.

Procedure

  1. Obtain the image signature for the version that you are upgrading to from either mirror.openshift.com or Google Cloud Storage (GCS).
  2. Use the oc command-line interface (CLI) to log in to the cluster that you are upgrading.
  3. Apply the mirrored release image signature config map to the connected cluster:

    $ oc apply -f <image_signature_file>

    For <image_signature_file>, specify the path and name of the file, for example, mirror/config/signature-sha256-81154f5c03294534.yaml.

5.5.2. Creating an image signature config map manually

Create and apply the image signature config map to the cluster that you want to update.

Note

You must perform the following steps each time that you update a cluster.

Procedure

  1. Review the OpenShift Container Platform upgrade paths knowledge base article to determine a valid upgrade path for your cluster.
  2. Add the version to the OCP_RELEASE_NUMBER environment variable:

    $ OCP_RELEASE_NUMBER=<release_version>

    For <release_version>, specify the tag that corresponds to the version of OpenShift Container Platform to which you want to update the cluster, such as 4.4.0.
  3. Add the system architecture for your cluster to the ARCHITECTURE environment variable:

    $ ARCHITECTURE=<server_architecture>

    For <server_architecture>, specify the architecture of the server, such as x86_64.
  4. Get the release image digest from Quay:

    $ DIGEST="$(oc adm release info quay.io/openshift-release-dev/ocp-release:${OCP_RELEASE_NUMBER}-${ARCHITECTURE} | sed -n 's/Pull From: .*@//p')"
  5. Set the digest algorithm:

    $ DIGEST_ALGO="${DIGEST%%:*}"
  6. Set the digest signature:

    $ DIGEST_ENCODED="${DIGEST#*:}"
  7. Get the image signature from the mirror.openshift.com website:

    $ SIGNATURE_BASE64=$(curl -s "https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release/${DIGEST_ALGO}=${DIGEST_ENCODED}/signature-1" | base64 -w0 && echo)
  8. Create the config map:

    $ cat >checksum-${OCP_RELEASE_NUMBER}.yaml <<EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: release-image-${OCP_RELEASE_NUMBER}
      namespace: openshift-config-managed
      labels:
        release.openshift.io/verification-signatures: ""
    binaryData:
      ${DIGEST_ALGO}-${DIGEST_ENCODED}: ${SIGNATURE_BASE64}
    EOF
  9. Apply the config map to the cluster to update:

    $ oc apply -f checksum-${OCP_RELEASE_NUMBER}.yaml
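
The checks below are an added example, not part of the original documentation. They validate the values from steps 4 to 7 before the config map is written, because `sed -n` prints nothing when no digest is found and `curl -s` without `--fail` stores an HTTP error page as if it were a signature. The function names and SAMPLE_* values are constructed, and the first-byte check assumes the mirror serves binary (not ASCII-armored) OpenPGP signatures.

```bash
# Added example: pre-flight checks for DIGEST and SIGNATURE_BASE64.
# Function names and SAMPLE_* values are constructed for illustration.

SAMPLE_DIGEST="sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_SIG_B64="iQEA"        # constructed: bytes 0x89 0x01 0x00, not a real signature
SAMPLE_HTML_B64="PGh0bWw+"   # constructed: base64 of "<html>", as from an error page

# Succeeds only for "sha256:" followed by exactly 64 lowercase hex characters.
check_digest() {
  case "$1" in sha256:*) ;; *) return 1 ;; esac
  _hex="${1#*:}"
  [ "${#_hex}" -eq 64 ] || return 1
  case "$_hex" in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# Succeeds only if the value is non-empty, decodes, and its first decoded byte
# has bit 7 set, as every binary OpenPGP packet header does (assumption: the
# signature file is binary, not ASCII-armored).
check_signature_b64() {
  [ -n "$1" ] || return 1
  _first="$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tu1 -N1 | tr -d ' \n')"
  [ -n "$_first" ] || return 1
  [ "$_first" -ge 128 ]
}

# Prints the config map from step 8, or returns non-zero without printing it.
# Arguments: release version, digest, base64-encoded signature.
render_signature_configmap() {
  check_digest "$2" || { echo "bad digest: '$2'" >&2; return 1; }
  check_signature_b64 "$3" || { echo "signature is not OpenPGP data" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: release-image-$1
  namespace: openshift-config-managed
  labels:
    release.openshift.io/verification-signatures: ""
binaryData:
  ${2%%:*}-${2#*:}: $3
EOF
}
```

In the procedure, `render_signature_configmap "${OCP_RELEASE_NUMBER}" "${DIGEST}" "${SIGNATURE_BASE64}" >checksum-${OCP_RELEASE_NUMBER}.yaml` can take the place of step 8. These checks catch malformed input only; the cryptographic verification of the signature is still done by the CVO.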