5.5. Creating the image signature config map


Before you update your cluster, you must manually create a config map that contains the signatures of the release images that you use. The Cluster Version Operator (CVO) uses this signature to verify that the release image has not been modified: it checks that the signature stored in the config map matches the digest of the release image that it is about to apply.

If you are upgrading from version 4.4.8 or later, you can use the oc CLI to create the config map. If you are upgrading from an earlier version, you must use the manual method.

5.5.1. Creating the config map for image signature verification by using the oc CLI

NOTE

If you are upgrading from a release prior to version 4.4.8, you must use the manual method for creating the config map instead of this procedure, because the commands that this procedure uses are not available in earlier versions of the oc command-line interface (CLI).

Prerequisites

  • Install the OpenShift CLI (oc), version 4.4.8 or later.

Procedure

  1. Obtain the image signature for the version that you are upgrading to from either mirror.openshift.com or Google Cloud Storage (GCS).
  2. Use the oc command-line interface (CLI) to log in to the cluster that you are upgrading.
  3. Apply the mirrored release image signature config map to the connected cluster:

    $ oc apply -f <image_signature_file>

    For <image_signature_file>, specify the path and name of the file, for example, mirror/config/signature-sha256-81154f5c03294534.yaml.

5.5.2. Creating an image signature config map manually

Create and apply the image signature config map to the cluster that you want to update.

NOTE

You must perform the following steps each time that you update a cluster.

Procedure

  1. Review the OpenShift Container Platform upgrade paths knowledge base article to determine a valid upgrade path for your cluster.
  2. Add the version to the OCP_RELEASE_NUMBER environment variable:

    $ OCP_RELEASE_NUMBER=<release_version>

    For <release_version>, specify the tag that corresponds to the version of OpenShift Container Platform to which you want to update the cluster, such as 4.4.0.
  3. Add the system architecture for your cluster to the ARCHITECTURE environment variable:

    $ ARCHITECTURE=<server_architecture>

    For <server_architecture>, specify the architecture of the server, such as x86_64.
  4. Get the release image digest from Quay:

    $ DIGEST="$(oc adm release info quay.io/openshift-release-dev/ocp-release:${OCP_RELEASE_NUMBER}-${ARCHITECTURE} | sed -n 's/Pull From: .*@//p')"
  5. Set the digest algorithm (the part of the digest before the colon, for example sha256):

    $ DIGEST_ALGO="${DIGEST%%:*}"
  6. Set the digest value (the hexadecimal part of the digest after the colon):

    $ DIGEST_ENCODED="${DIGEST#*:}"
  7. Get the image signature from the mirror.openshift.com website:

    $ SIGNATURE_BASE64=$(curl -s "https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release/${DIGEST_ALGO}=${DIGEST_ENCODED}/signature-1" | base64 -w0 && echo)

    Because curl -s does not fail on an HTTP error, an error page returned for a missing signature would be base64-encoded as if it were a signature. Confirm that SIGNATURE_BASE64 is not empty and that the URL actually returned a signature before you continue.
  8. Create the config map:

    $ cat >checksum-${OCP_RELEASE_NUMBER}.yaml <<EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: release-image-${OCP_RELEASE_NUMBER}
      namespace: openshift-config-managed
      labels:
        release.openshift.io/verification-signatures: ""
    binaryData:
      ${DIGEST_ALGO}-${DIGEST_ENCODED}: ${SIGNATURE_BASE64}
    EOF
  9. Apply the config map to the cluster that you want to update:

    $ oc apply -f checksum-${OCP_RELEASE_NUMBER}.yaml
© 2024 Red Hat, Inc.