5.5. Creating the image signature config map

Before you update your cluster, you must manually create a config map that contains the signatures of the release images that you use. This signature allows the Cluster Version Operator (CVO) to verify that the release images have not been modified by comparing the expected and actual image signatures.

If you are upgrading from version 4.4.8 or later, you can use the oc CLI to create the config map. If you are upgrading from an earlier version, you must use the manual method.

5.5.1. Creating the config map for image signature verification by using the oc CLI

Before you update your cluster, you must manually create a config map that contains the signatures of the release images that you use. This signature allows the Cluster Version Operator (CVO) to verify that the release images have not been modified by comparing the expected and actual image signatures.

注意

If you are upgrading from a release prior to version 4.4.8, you must use the manual method for creating the config map instead of this procedure. The commands that this procedure uses are not in earlier versions of the oc command-line interface (CLI).

Prerequisites

  • Install the OpenShift CLI (oc), version 4.4.8 or later.

Procedure

  1. Obtain the image signature for the version that you are upgrading to from either mirror.openshift.com or Google Cloud Storage (GCS).
  2. Use oc command-line interface (CLI) to log into the cluster that you are upgrading.

  3. Apply the mirrored release image signature config map to the connected cluster: 

    $ oc apply -f <image_signature_file> 1
    1
    For <image_signature_file>, specify the path and name of the file, for example, mirror/config/signature-sha256-81154f5c03294534.yaml.

5.5.2. Creating an image signature config map manually

Create and apply the image signature config map to the cluster that you want to update.

注意

You must perform following steps each time that you update a cluster.

Procedure

  1. Review the OpenShift Container Platform upgrade paths knowledge base article to determine a valid upgrade path for your cluster.

  2. Add the version to the OCP_RELEASE_NUMBER environment variable: 

    $ OCP_RELEASE_NUMBER=<release_version> 1
    1
    For <release_version>, specify the tag that corresponds to the version of OpenShift Container Platform you want to update the cluster, such as 4.4.0.

  3. Add the system architecture for your cluster to ARCHITECTURE environment variable: 

    $ ARCHITECTURE=<server_architecture> 1
    1
    For server_architecture, specify the architecture of the server, such as x86_64.

  4. Get the release image digest from Quay: 

    $ DIGEST="$(oc adm release info quay.io/openshift-release-dev/ocp-release:${OCP_RELEASE_NUMBER}-${ARCHITECTURE} | sed -n 's/Pull From: .*@//p')"

  5. Set the digest algorithm: 

    $ DIGEST_ALGO="${DIGEST%%:*}"

  6. Set the digest signature: 

    $ DIGEST_ENCODED="${DIGEST#*:}"

  7. Get the image signature from mirror.openshift.com website. 

    $ SIGNATURE_BASE64=$(curl -s "https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release/${DIGEST_ALGO}=${DIGEST_ENCODED}/signature-1" | base64 -w0 && echo)

  8. Create the config map: 

    $ cat >checksum-${OCP_RELEASE_NUMBER}.yaml <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: release-image-${OCP_RELEASE_NUMBER}
  namespace: openshift-config-managed
  labels:
    release.openshift.io/verification-signatures: ""
binaryData:
  ${DIGEST_ALGO}-${DIGEST_ENCODED}: ${SIGNATURE_BASE64}
EOF

  9. Apply the config map to the cluster to update: 

    $ oc apply -f checksum-${OCP_RELEASE_NUMBER}.yaml