5.5. Creating the image signature config map
Before you update your cluster, you must manually create a config map that contains the signatures of the release images that you use. This signature allows the Cluster Version Operator (CVO) to verify that the release images have not been modified by comparing the expected and actual image signatures.
If you are upgrading from version 4.4.8 or later, you can use the oc CLI to create the config map. If you are upgrading from an earlier version, you must use the manual method.
5.5.1. Creating the config map for image signature verification by using the oc CLI
If you are upgrading from a release prior to version 4.4.8, you must use the manual method for creating the config map instead of this procedure. The commands that this procedure uses are not in earlier versions of the oc command-line interface (CLI).
Prerequisites
- Install the OpenShift CLI (oc), version 4.4.8 or later.
Procedure
- Obtain the image signature for the version that you are upgrading to from either mirror.openshift.com or Google Cloud Storage (GCS).
- Use the oc command-line interface (CLI) to log in to the cluster that you are upgrading, then apply the mirrored release image signature config map to the connected cluster:
$ oc apply -f <image_signature_file>
For <image_signature_file>, specify the path and name of the file, for example, mirror/config/signature-sha256-81154f5c03294534.yaml.
5.5.2. Creating an image signature config map manually
Create and apply the image signature config map to the cluster that you want to update.
You must perform the following steps each time that you update a cluster.
Procedure
- Review the OpenShift Container Platform upgrade paths knowledge base article to determine a valid upgrade path for your cluster.
- Add the version to the OCP_RELEASE_NUMBER environment variable:
$ OCP_RELEASE_NUMBER=<release_version>
For <release_version>, specify the tag that corresponds to the version of OpenShift Container Platform to which you want to update the cluster, such as 4.4.0.
- Add the system architecture for your cluster to the ARCHITECTURE environment variable:
$ ARCHITECTURE=<server_architecture>
For <server_architecture>, specify the architecture of the server, such as x86_64.
- Get the release image digest from Quay:
$ DIGEST="$(oc adm release info quay.io/openshift-release-dev/ocp-release:${OCP_RELEASE_NUMBER}-${ARCHITECTURE} | sed -n 's/Pull From: .*@//p')"
- Set the digest algorithm:
$ DIGEST_ALGO="${DIGEST%%:*}"
- Set the digest signature:
$ DIGEST_ENCODED="${DIGEST#*:}"
- Get the image signature from the mirror.openshift.com website:
$ SIGNATURE_BASE64=$(curl -s "https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release/${DIGEST_ALGO}=${DIGEST_ENCODED}/signature-1" | base64 -w0 && echo)
- Create the config map:
$ cat >checksum-${OCP_RELEASE_NUMBER}.yaml <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: release-image-${OCP_RELEASE_NUMBER}
  namespace: openshift-config-managed
  labels:
    release.openshift.io/verification-signatures: ""
binaryData:
  ${DIGEST_ALGO}-${DIGEST_ENCODED}: ${SIGNATURE_BASE64}
EOF
- Apply the config map to the cluster to update:
$ oc apply -f checksum-${OCP_RELEASE_NUMBER}.yaml
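The manual procedure above, folded into one script as an added example; this is not the OpenShift documentation's own code. The function names (split_digest, build_signature_configmap) and the demo inputs are this example's own, and the digest and signature blob it feeds itself are constructed so that it runs offline; they are not a real release digest or signature. Beyond the one-liners above, it refuses a digest that is not shaped like sha256:<64 hex> and refuses an empty signature file, so a failed download cannot produce a config map that carries no usable signature.

```bash
#!/usr/bin/env bash
# Added example, not the OpenShift documentation's own script: build the
# release-image signature ConfigMap from a digest and a downloaded
# signature file, with sanity checks the bare one-liners above omit.
# Function names and the demo inputs below are this example's own.

# Split "sha256:<64 hex>" into DIGEST_ALGO / DIGEST_ENCODED (the same
# variable names the manual procedure uses), rejecting anything that
# is not shaped like an OCI image digest.
split_digest() {
    digest="$1"
    if ! printf '%s' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
        echo "refusing malformed digest: $digest" >&2
        return 1
    fi
    DIGEST_ALGO="${digest%%:*}"
    DIGEST_ENCODED="${digest#*:}"
}

# Render the ConfigMap YAML. Arguments: release version (e.g. 4.4.0),
# image digest, path to the raw signature-1 file fetched from the mirror.
build_signature_configmap() {
    release="$1"; digest="$2"; sig_file="$3"
    split_digest "$digest" || return 1
    # signature-1 is a binary blob; an empty file means the download
    # failed, and encoding it would yield a config map with no signature.
    if [ ! -s "$sig_file" ]; then
        echo "signature file missing or empty: $sig_file" >&2
        return 1
    fi
    # base64 | tr instead of base64 -w0 so it also works with BSD/macOS base64
    sig_b64="$(base64 < "$sig_file" | tr -d '\n')"
    # ConfigMap keys cannot contain ':', hence "<algo>-<hex>" as the key.
    cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: release-image-${release}
  namespace: openshift-config-managed
  labels:
    release.openshift.io/verification-signatures: ""
binaryData:
  ${DIGEST_ALGO}-${DIGEST_ENCODED}: ${sig_b64}
EOF
}

# Constructed demo input: a fake digest and a fake signature blob, so the
# script runs offline. A real run uses the DIGEST from `oc adm release info`
# and the signature-1 file downloaded from mirror.openshift.com.
DEMO_DIGEST="sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
DEMO_SIG_FILE="$(mktemp)"
printf 'constructed-not-a-real-signature' > "$DEMO_SIG_FILE"

# Print the rendered config map; in a real run redirect it to
# checksum-<release>.yaml and apply it with `oc apply -f`.
build_signature_configmap 4.4.0 "$DEMO_DIGEST" "$DEMO_SIG_FILE"
```

When wiring this to the real download, fetch signature-1 with `curl -fsS` rather than `curl -s`: with `-f`, an HTTP error status makes curl exit non-zero, so the pipeline stops instead of base64-encoding an error page into the config map.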