This documentation is for a release that is no longer maintained
See documentation for the latest supported version 3 or the latest supported version 4.
5.5. Creating the image signature config map
Before you update your cluster, you must manually create a config map that contains the signatures of the release images that you use. This signature allows the Cluster Version Operator (CVO) to verify that the release images have not been modified by comparing the expected and actual image signatures.
If you are upgrading from version 4.4.8 or later, you can use the oc CLI to create the config map. If you are upgrading from an earlier version, you must use the manual method.
If you are upgrading from a release prior to version 4.4.8, you must use the manual method for creating the config map instead of this procedure. The commands that this procedure uses are not in earlier versions of the oc command-line interface (CLI).
Prerequisites
- Install the OpenShift CLI (oc), version 4.4.8 or later.
Procedure
- Obtain the image signature for the version that you are upgrading to from either mirror.openshift.com or Google Cloud Storage (GCS).
- Use the oc command-line interface (CLI) to log in to the cluster that you are upgrading.
- Apply the mirrored release image signature config map to the connected cluster:
  $ oc apply -f <image_signature_file>
  For <image_signature_file>, specify the path and name of the file, for example, mirror/config/signature-sha256-81154f5c03294534.yaml.
5.5.2. Creating an image signature config map manually
Create and apply the image signature config map to the cluster that you want to update.
You must perform the following steps each time that you update a cluster.
Procedure
- Review the OpenShift Container Platform upgrade paths knowledge base article to determine a valid upgrade path for your cluster.
- Add the version to the OCP_RELEASE_NUMBER environment variable:
  $ OCP_RELEASE_NUMBER=<release_version>
  For <release_version>, specify the tag that corresponds to the version of OpenShift Container Platform to which you want to update the cluster, such as 4.4.0.
- Add the system architecture for your cluster to the ARCHITECTURE environment variable:
  $ ARCHITECTURE=<server_architecture>
  For <server_architecture>, specify the architecture of the server, such as x86_64.
- Get the release image digest from Quay:
  $ DIGEST="$(oc adm release info quay.io/openshift-release-dev/ocp-release:${OCP_RELEASE_NUMBER}-${ARCHITECTURE} | sed -n 's/Pull From: .*@//p')"
- Set the digest algorithm:
  $ DIGEST_ALGO="${DIGEST%%:*}"
- Set the digest signature:
  $ DIGEST_ENCODED="${DIGEST#*:}"
- Get the image signature from the mirror.openshift.com website:
  $ SIGNATURE_BASE64=$(curl -s "https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release/${DIGEST_ALGO}=${DIGEST_ENCODED}/signature-1" | base64 -w0 && echo)
- Create the config map:
- Apply the config map to the cluster to update:
  $ oc apply -f checksum-${OCP_RELEASE_NUMBER}.yaml
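The digest and signature steps of the manual procedure above, as an added shell example with input checks (not Red Hat's own code): it rejects an empty or malformed digest before building the signature URL, and it makes curl fail on an HTTP error so that an error page is never base64-encoded into the config map. The function names, the SIG_BASE variable and the sample release info text are constructed for illustration, and the sha256-only check is an assumption.

```shell
# Added example; helper names are hypothetical, not part of the oc CLI.
SIG_BASE='https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release'

# Pull the digest out of "oc adm release info" output read from stdin,
# using the same sed expression as the procedure.
extract_digest() {
  sed -n 's/Pull From: .*@//p'
}

# Validate "<algo>:<hex>" and print the signature URL for it.
# Assumption: release digests are sha256 (64 lowercase hex characters).
signature_url() {
  digest=$1
  case $digest in *:*) ;; *) echo "no digest found" >&2; return 1 ;; esac
  algo=${digest%%:*}      # same expansion as DIGEST_ALGO
  encoded=${digest#*:}    # same expansion as DIGEST_ENCODED
  [ "$algo" = sha256 ] || { echo "unexpected algorithm: $algo" >&2; return 1; }
  case $encoded in
    *[!0-9a-f]*) echo "digest is not lowercase hex" >&2; return 1 ;;
  esac
  [ "${#encoded}" -eq 64 ] || { echo "digest has wrong length" >&2; return 1; }
  printf '%s/%s=%s/signature-1\n' "$SIG_BASE" "$algo" "$encoded"
}

# Download the signature and print it base64-encoded on one line.
# -f makes curl fail on an HTTP error instead of saving the error page;
# the temp file keeps the binary signature out of shell variables.
fetch_signature_b64() {
  url=$(signature_url "$1") || return 1
  tmp=$(mktemp) || return 1
  rc=1
  curl -fsS -o "$tmp" "$url" && [ -s "$tmp" ] && base64 -w0 "$tmp" && rc=0
  rm -f "$tmp"
  return "$rc"
}

# Constructed sample of "oc adm release info" text (not real output).
SAMPLE_INFO='Name:      4.4.0
Pull From: quay.io/openshift-release-dev/ocp-release@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
```

In the procedure, SIGNATURE_BASE64=$(fetch_signature_b64 "$DIGEST") || exit 1 would stop before the config map is written if the digest or the download is bad.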