Skip to content

Auto-detect sigstore ClusterImagePolicy for EDPM signature verification#1877

Open
rabi wants to merge 1 commit intoopenstack-k8s-operators:mainfrom
rabi:OSPRH-28852
Open

Auto-detect sigstore ClusterImagePolicy for EDPM signature verification#1877
rabi wants to merge 1 commit intoopenstack-k8s-operators:mainfrom
rabi:OSPRH-28852

Conversation

@rabi
Copy link
Copy Markdown
Contributor

@rabi rabi commented Apr 9, 2026
edited by openshift-ci bot
Loading

When a disconnected environment has a ClusterImagePolicy configured with sigstore (cosign) signature verification for a mirror registry, the openstack-operator now auto-detects it and passes the necessary ansible variables to edpm-ansible for configuring signature verification on EDPM data plane nodes.

if ClusterImagePolicy CRD is not installed or no relevant policy exists, the operator continues without enabling signature verification. This maintains backward compatibility.

Requires OCP 4.20+ (sigstore GA) and oc-mirror v2.

There would be a follow-up edpm-ansible patch to use these ansible vars.

jira: OSPRH-28852

@openshift-ci openshift-ci bot requested review from abays and rebtoor April 9, 2026 08:40
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci bot commented Apr 9, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rabi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label Apr 9, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 9, 2026
edited
Loading

OpenStackControlPlane CRD Size Report

Metric Value
CRD JSON size 322325 bytes (315KB)
Base branch size 322325 bytes
Change +0.00%
Status yellow — growing
Threshold reference
Color Range Meaning
🟢 green < 300KB Comfortable
🟡 yellow 300–400KB Growing
🟠 orange 400–750KB Concerning
🔴 red > 750KB Approaching 1.5MB etcd limit (cut in half to allow space for update)

@rabi rabi mentioned this pull request Apr 9, 2026
Open
@rabi
Auto-detect sigstore ClusterImagePolicy for EDPM signature verification
cb4b072 
When a disconnected environment has a ClusterImagePolicy configured with
sigstore (cosign) signature verification for a mirror registry, the
openstack-operator now auto-detects it and passes the necessary ansible
variables to edpm-ansible for configuring signature verification on EDPM
data plane nodes.

if ClusterImagePolicy CRD is not installed or no relevant policy exists,
the operator continues without enabling signature verification.
This maintains backward compatibility.

Requires: OCP 4.20+ (sigstore GA) and oc-mirror v2.

There would be a follow-up edpm-ansible patch to use these ansible
vars.

jira: OSPRH-28852
Change-Id: I2cbc4e83884562bd17065ee7158e00e5c9b12160
Signed-off-by: rabi <ramishra@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@abays abays Awaiting requested review from abays

@rebtoor rebtoor Awaiting requested review from rebtoor

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

approved

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rabi