OTA-1773: manifests*/0000_90_cluster-update-keys_configmap: New release-repository-*

[wking]

Preparation for Sigstore, as described in the README text I'm adding:

• release-repository-*: In addition to checking for valid OpenPGP signatures, the cluster-version operator will also require the that target release image pullspec matches one of these expected registries.
  This supports an eventual transition from OpenPGP signatures to Sigstore signatures, where:
  • ClusterImagePolicies such as the openshift policy cover authentication ("yes, the configured policy for that scope asserts that the image is actually quay.io/openshift-release-dev/ocp-release@sha256:a29b..." vs. "no, the configured policy for that scope fails on quay.io/openshift-release-dev/ocp-release@sha256:0000..., it might be malicious or corrupted").
  • The release pullspec check covers authorization ("yes, quay.io/openshift-release-dev/ocp-release is the expected repository for OCP releases" vs. "no, quay.io/okd/scos-release is not the expected repository for OCP release, you probably don't want to update your OCP cluster to an OKD release image").

Also some other modernization of README text; details in the commit messages :)

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: wking
Once this PR has been reviewed and has the lgtm label, please assign mrunalp for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@wking: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[mtrmac]

On the principle of the thing: From an earlier discussion I understand

• We can extract / authenticate the version number from the release image of the update target (or from a verified signature of the update target?), in a way the update graph can’t affect
• CVO will refuse to downgrade to earlier (even if correctly signed) versions

LGTM assuming the above.

---

On form:

• If the thing we are trying to protect against is the update graph pointing at out-of-product images, that might be worth noting here.
• I’m not sure about the authentication/authorization phrasing of the concepts (I tend to think it applies to principals, not to objects), but it works well enough and I don’t have a good short replacement for the latter one.

[QiWang19]

ACK I agree we can keep image pullspec lockdown separate from signature verification. ClusterImagePolicy can provide scoped verification at the digest level that the CVO can consume and trust.

[wking]

We can extract / authenticate the version number from the release image of the update target (or from a verified signature of the update target?), in a way the update graph can’t affect

Yes, that happens here, for users who set ClusterVersion's spec.desired.version to let us know which version they're expecting to retrieve.

CVO will refuse to downgrade to earlier (even if correctly signed) versions

Yes, that happens here, with a narrow carve-out for rolling back to the previous target version, if that previous target version is in the same z-stream as the current target version.

If the thing we are trying to protect against is the update graph pointing at out-of-product images, that might be worth noting here.

The update-service might have been the one recommending the update, but it's also possible that the cluster admin used a different pipeline, including passing around pullspecs via word-of-mouth, or whatever. This new guard is trying to stiffen cluster protection for all sources of next-hop update advice, under the assumption that no tooling in that space will ever be so reliable that we can trust it without guard-rails.

[openshift-ci-robot]

@wking: This pull request references OTA-1773 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Preparation for Sigstore, as described in the README text I'm adding:

• release-repository-*: In addition to checking for valid OpenPGP signatures, the cluster-version operator will also require the that target release image pullspec matches one of these expected registries.
  This supports an eventual transition from OpenPGP signatures to Sigstore signatures, where:
  • ClusterImagePolicies such as the openshift policy cover authentication ("yes, the configured policy for that scope asserts that the image is actually quay.io/openshift-release-dev/ocp-release@sha256:a29b..." vs. "no, the configured policy for that scope fails on quay.io/openshift-release-dev/ocp-release@sha256:0000..., it might be malicious or corrupted").
  • The release pullspec check covers authorization ("yes, quay.io/openshift-release-dev/ocp-release is the expected repository for OCP releases" vs. "no, quay.io/okd/scos-release is not the expected repository for OCP release, you probably don't want to update your OCP cluster to an OKD release image").

Also some other modernization of README text; details in the commit messages :)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtrmac]

Thanks for the references, LGTM. (I’ll leave formal / tool-visible approvals to specialist maintainers of this repo.)

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: feab6245-84c6-48d7-8e4c-b578b387cd52

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}