From e0f55cc1a42bbd40ff8c4802cf86939319685118 Mon Sep 17 00:00:00 2001 From: Michael Burke Date: Wed, 12 Nov 2025 10:47:21 -0500 Subject: [PATCH 1/4] OSDOCS 17320 Enable sigstore 'openshift' clusterimagepolicy by default --- ...des-sigstore-configure-cluster-policy.adoc | 5 +---- modules/nodes-sigstore-configure.adoc | 19 +++++++------------ 2 files changed, 8 insertions(+), 16 deletions(-) diff --git a/modules/nodes-sigstore-configure-cluster-policy.adoc b/modules/nodes-sigstore-configure-cluster-policy.adoc index 66a5a4247a92..606fda3a33f2 100644 --- a/modules/nodes-sigstore-configure-cluster-policy.adoc +++ b/modules/nodes-sigstore-configure-cluster-policy.adoc @@ -10,10 +10,7 @@ A `ClusterImagePolicy` custom resource (CR) enables a cluster administrator to c The following example shows general guidelines on how to configure a `ClusterImagePolicy` object. For more details on the parameters, see "About cluster and image policy parameters." -The default `openshift` cluster image policy provides sigstore support for the required {product-title} images. This cluster image policy is active only in clusters that have enabled Technology Preview features. You must not remove or modify this cluster image policy object. Cluster image policy names beginning with `openshift` are reserved for future system use. - -:FeatureName: The default `openshift` cluster image policy -include::snippets/technology-preview.adoc[] +The default `openshift` cluster image policy provides sigstore support for the required {product-title} images. You must not remove or modify this cluster image policy object. Cluster image policy names beginning with `openshift` are reserved for future system use. .Prerequisites // Taken from https://issues.redhat.com/browse/OCPSTRAT-918 diff --git a/modules/nodes-sigstore-configure.adoc b/modules/nodes-sigstore-configure.adoc index 24d29a5f0cba..08706c0a91cc 100644 --- a/modules/nodes-sigstore-configure.adoc +++ b/modules/nodes-sigstore-configure.adoc 
@@ -10,19 +10,9 @@ You can use the `ClusterImagePolicy` and `ImagePolicy` custom resource (CR) obje * Cluster image policy. A cluster image policy object enables a cluster administrator to configure a sigstore signature verification policy for the entire cluster. When enabled, the Machine Config Operator (MCO) watches the `ClusterImagePolicy` object and updates the `/etc/containers/policy.json` and `/etc/containers/registries.d/sigstore-registries.yaml` files on all nodes in the cluster. + -[IMPORTANT] +[NOTE] ==== -The default `openshift` cluster image policy provides sigstore support for the required {product-title} images. You must not remove or modify this cluster image policy object. This cluster image policy is Technology Preview and is active only in clusters that have enabled Technology Preview features. Cluster image policy names beginning with `openshift` are reserved for future system use. - -If registry mirrors are configured for the {product-title} release image repositories, `quay.io/openshift-release-dev/ocp-release` and `quay.io/openshift-release-dev/ocp-v4.0-art-dev`, before enabling the Technology Preview feature set, you must mirror the sigstore signatures for the {product-title} release images into your mirror registry. Otherwise, the default `openshift` cluster image policy, which enforces signature verification for the release repository, blocks the ability of the Cluster Version Operator to move the CVO pod to new nodes, preventing the node update that results from the feature set change. - -You can use the `oc image mirror` command to mirror the signatures. 
For example: - -[source,terminal] ----- -$ oc image mirror quay.io/openshift-release-dev/ocp-release:sha256-1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef.sig \ -mirror.com/image/repo:sha256-1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef.sig ----- +The default `openshift` cluster image policy provides sigstore support for the required {product-title} images in the `quay.io/openshift-release-dev/ocp-release` repository. ==== * Image policy. An image policy enables a cluster administrator or application developer to configure a sigstore signature verification policy for a specific namespace. The MCO watches an `ImagePolicy` instance in different namespaces and creates or updates the `/etc/crio/policies/.json` and `/etc/containers/registries.d/sigstore-registries.yaml` files on all nodes in the cluster. @@ -98,6 +88,11 @@ You can modify or remove a cluster image policy or an image policy by using the You can modify an existing policy by editing the policy YAML and running an `oc apply` command on the file or directly editing the `ClusterImagePolicy` or `ImagePolicy` object. Both methods apply the changes in the same manner. +[NOTE] +==== +The default `openshift` cluster image policy provides sigstore support for the required {product-title} images. You must not remove or modify this cluster image policy object. Cluster image policy names beginning with `openshift` are reserved for future system use. +==== + You can create multiple policies for a cluster or namespace. This allows you to create different policies for different images or repositories. You can remove a policy by deleting the `ClusterImagePolicy` and `ImagePolicy` objects. From e8d010b3b174c8dd73d2b6dc3e519292cac01272 Mon Sep 17 00:00:00 2001 
From: Michael Burke Date: Wed, 12 Nov 2025 10:59:41 -0500 Subject: [PATCH 2/4] OSDOCS 17320 Enable sigstore 'openshift' clusterimagepolicy by default --- modules/nodes-sigstore-configure-cluster-policy.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nodes-sigstore-configure-cluster-policy.adoc b/modules/nodes-sigstore-configure-cluster-policy.adoc index 606fda3a33f2..9c55266df1ab 100644 --- a/modules/nodes-sigstore-configure-cluster-policy.adoc +++ b/modules/nodes-sigstore-configure-cluster-policy.adoc @@ -10,7 +10,7 @@ A `ClusterImagePolicy` custom resource (CR) enables a cluster administrator to c The following example shows general guidelines on how to configure a `ClusterImagePolicy` object. For more details on the parameters, see "About cluster and image policy parameters." -The default `openshift` cluster image policy provides sigstore support for the required {product-title} images. You must not remove or modify this cluster image policy object. Cluster image policy names beginning with `openshift` are reserved for future system use. +The default `openshift` cluster image policy provides sigstore support for the required {product-title} images in the `quay.io/openshift-release-dev/ocp-release` repository. You must not remove or modify this cluster image policy object. Cluster image policy names beginning with `openshift` are reserved for future system use. .Prerequisites // Taken from https://issues.redhat.com/browse/OCPSTRAT-918 
@@ -27,7 +27,7 @@ $ oc image mirror quay.io/openshift-release-dev/ocp-release:sha256-1234567890abc mirror.com/image/repo:sha256-1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef.sig ---- -* If you are using a BYOPKI certificate as the root of trust, you enabled the required Technology Preview features for your cluster by editing the `FeatureGate` CR named `cluster`: +* If you are using a BYOPKI certificate as the root of trust, you enabled the required Technology Preview features for your cluster by editing the `FeatureGate` CR named `cluster` + [source,terminal] ---- From 3b2c3db5791d9eca4d31e3162444f11c70fbf0a3 Mon Sep 17 00:00:00 2001 From: Michael Burke Date: Wed, 12 Nov 2025 13:31:21 -0500 Subject: [PATCH 3/4] edit --- modules/nodes-sigstore-configure-cluster-policy.adoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/nodes-sigstore-configure-cluster-policy.adoc b/modules/nodes-sigstore-configure-cluster-policy.adoc index 9c55266df1ab..22fafcdaef7b 100644 --- a/modules/nodes-sigstore-configure-cluster-policy.adoc +++ b/modules/nodes-sigstore-configure-cluster-policy.adoc @@ -10,7 +10,10 @@ A `ClusterImagePolicy` custom resource (CR) enables a cluster administrator to c The following example shows general guidelines on how to configure a `ClusterImagePolicy` object. For more details on the parameters, see "About cluster and image policy parameters." +[NOTE] +==== The default `openshift` cluster image policy provides sigstore support for the required {product-title} images in the `quay.io/openshift-release-dev/ocp-release` repository. You must not remove or modify this cluster image policy object. Cluster image policy names beginning with `openshift` are reserved for future system use. +==== .Prerequisites // Taken from https://issues.redhat.com/browse/OCPSTRAT-918 From 2adb9bd00385cb3449e305bee6cb9648c0c29a3e Mon Sep 17 00:00:00 2001 
From: Michael Burke Date: Wed, 12 Nov 2025 15:26:56 -0500 Subject: [PATCH 4/4] prroofread --- modules/nodes-sigstore-configure-cluster-policy.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nodes-sigstore-configure-cluster-policy.adoc b/modules/nodes-sigstore-configure-cluster-policy.adoc index 22fafcdaef7b..8fc3eacc056d 100644 --- a/modules/nodes-sigstore-configure-cluster-policy.adoc +++ b/modules/nodes-sigstore-configure-cluster-policy.adoc @@ -12,7 +12,7 @@ The following example shows general guidelines on how to configure a `ClusterIma [NOTE] ==== -The default `openshift` cluster image policy provides sigstore support for the required {product-title} images in the `quay.io/openshift-release-dev/ocp-release` repository. You must not remove or modify this cluster image policy object. Cluster image policy names beginning with `openshift` are reserved for future system use. +The default `openshift` cluster image policy provides sigstore support for the required {product-title} images, which are stored in the `quay.io/openshift-release-dev/ocp-release` repository. You must not remove or modify this cluster image policy object. Cluster image policy names beginning with `openshift` are reserved for future system use. ==== .Prerequisites
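Review bot: In the `@@ -10,19 +10,9 @@` hunk of `modules/nodes-sigstore-configure.adoc` (patch 1/4), removing the whole mirror-registry paragraph together with the Technology Preview wording drops guidance that matters more, not less, once the `openshift` policy is active by default: on a cluster whose release repositories are mirrored, the sigstore signatures for the release images still have to be present in the mirror, otherwise the default policy, which enforces verification for the release repository, blocks the pull (the removed text describes this as the Cluster Version Operator being unable to move the CVO pod to new nodes). Only the trigger ("before enabling the Technology Preview feature set") became obsolete. The `oc image mirror quay.io/openshift-release-dev/ocp-release:sha256-...sig` example still exists in the Prerequisites of `nodes-sigstore-configure-cluster-policy.adoc` (visible as context in the `@@ -27,7 +27,7 @@` hunk of patch 2/4), so one sentence in the new `[NOTE]` pointing at that prerequisite would preserve the warning. Also, the new note names only `quay.io/openshift-release-dev/ocp-release`, while the removed paragraph listed both that repository and `quay.io/openshift-release-dev/ocp-v4.0-art-dev`; please confirm which repositories the default policy enforces so the note and the mirroring prerequisite agree on what has to be mirrored.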
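Review bot: The `[NOTE]` added in the `@@ -98,6 +88,11 @@` hunk of `modules/nodes-sigstore-configure.adoc` (patch 1/4) is a third copy of the "default `openshift` cluster image policy" statement, and its wording differs from the note this same patch adds at line 10 of the file (that one names the repository and omits the "You must not remove or modify this cluster image policy object" sentence). Three hand-maintained copies across two modules will drift; the repository already uses `include::snippets/...adoc[]`, so a single snippet included at each location would keep them identical. At minimum, the "must not remove or modify" sentence belongs in the first note as well, since that is where the reader first meets the `ClusterImagePolicy` object, before the modify/remove section at line 88.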
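Review bot: The `@@ -27,7 +27,7 @@` hunk of `modules/nodes-sigstore-configure-cluster-policy.adoc` (patch 2/4) removes the trailing colon from the BYOPKI bullet, but that bullet introduces the `[source,terminal]` block that follows via the `+` list continuation, so the colon was correct and this change is a regression; please restore `named `cluster`:`. Separately, the bullet still reads "you enabled the required Technology Preview features for your cluster by editing the `FeatureGate` CR", while patch 1/4 removes the feature-gate requirement for the default policy; please confirm whether a BYOPKI root of trust still requires the feature gate, and if not, update this prerequisite in the same series so the two statements do not contradict each other.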
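Review bot: The `@@ -12,7 +12,7 @@` hunk of patch 4/4 is the fourth successive edit of the same paragraph in `modules/nodes-sigstore-configure-cluster-policy.adoc` (patch 1 rewrites it, patch 2 adds the repository, patch 3 wraps it in `[NOTE]`, patch 4 rewords it); squashing patches 2 through 4 into patch 1 would leave one reviewable change and also retire the misspelled subject `prroofread`. On the final wording, "required {product-title} images, which are stored in the `quay.io/openshift-release-dev/ocp-release` repository" is clearer than the previous version; consider "release images" rather than "images", since the Prerequisites of this file and the text removed in patch 1/4 both talk about release image signatures, and that is the term the mirroring step uses.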