Merge pull request #6459 from ggiguash/cert-manager-sigstore-4.21

[release-4.21] OCPBUGS-81681: Remove cert manager sigstore exception in tests

Author: openshift-merge-bot[bot]

assets/optional/cert-manager/manager/images-aarch64.yaml

@@ -4,9 +4,9 @@ metadata:
   name: cert-manager-images
   namespace: cert-manager
 data:
-  cert-manager-webhook: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:8227c8925d00d1c81c95e7017209fdc6b5b1925cde2fa4fe3752fb6c81510a2d
-  cert-manager-ca-injector: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:8227c8925d00d1c81c95e7017209fdc6b5b1925cde2fa4fe3752fb6c81510a2d
-  cert-manager-controller: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:8227c8925d00d1c81c95e7017209fdc6b5b1925cde2fa4fe3752fb6c81510a2d
-  cert-manager-acmesolver: registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:b001612ad6362a1b7273e178d9870ab3d020a40ee3339a0f95fef1cd3913356e
-  cert-manager-istiocsr: registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:78564158857ed7f1534597f3ee7faaee23b692f9ed5aa0259e19196f5400167d
-  controller: registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:9f37a838089d2e3c199a4fd97bea028cb6b66b4214e8233884716efe0a998298
+  cert-manager-webhook: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:f1b903ff69100fa938d6bdf4d730d35158eec905351344a246e30ef14c847222
+  cert-manager-ca-injector: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:f1b903ff69100fa938d6bdf4d730d35158eec905351344a246e30ef14c847222
+  cert-manager-controller: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:f1b903ff69100fa938d6bdf4d730d35158eec905351344a246e30ef14c847222
+  cert-manager-acmesolver: registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3258027c0fb9426c9ee3567f6dc0d02b85cb661c23300b230f5b1400b43bac25
+  cert-manager-istiocsr: registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:95f5dfa4331fcfb96357ed28f4d7f0fd00d9419d9252e3cff3962aec6cedbeb9
+  controller: registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:22f4e686a81fc809e70e3f73206ec221f8081e842243f173308dc1fbc7f02a3e

assets/optional/cert-manager/manager/images-x86_64.yaml

@@ -4,9 +4,9 @@ metadata:
   name: cert-manager-images
   namespace: cert-manager
 data:
-  cert-manager-webhook: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:40b47054e42363a365b491ccfe0d86f109e19fc317058ba834ffe0f5c733880b
-  cert-manager-ca-injector: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:40b47054e42363a365b491ccfe0d86f109e19fc317058ba834ffe0f5c733880b
-  cert-manager-controller: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:40b47054e42363a365b491ccfe0d86f109e19fc317058ba834ffe0f5c733880b
-  cert-manager-acmesolver: registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a40eb434e032fb2135f369b6fc65266ae0f409db92fd65d12cf13c7f32b5020
-  cert-manager-istiocsr: registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:0f20d178f980a3fa4527bc1613b8639385e36c367e30c93b4cbb4c4a434d3405
-  controller: registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:8eecb53c8c81c0fa8f198260acb273759c0d12b5c01642a128923c5716df19d2
+  cert-manager-webhook: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:09c857f0c20721d6b447f5f567182befc1ca6157128225849117a5c830feab23
+  cert-manager-ca-injector: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:09c857f0c20721d6b447f5f567182befc1ca6157128225849117a5c830feab23
+  cert-manager-controller: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:09c857f0c20721d6b447f5f567182befc1ca6157128225849117a5c830feab23
+  cert-manager-acmesolver: registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:155383c4664ea3ed18d0f079be720ad68a5de044448a744d7579af7ff0fc7e0a
+  cert-manager-istiocsr: registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:41df7aabbce42599bad7fdc721cd12aa6e12d17e1c0658fb3294a1f68483d656
+  controller: registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:57a1aea49d7cc275b37b8f52d602a3a9d1601ec6a21a3268dd4903566cb2e335

assets/optional/cert-manager/release-cert-manager-aarch64.json

@@ -1,13 +1,13 @@
 {
   "release": {
-    "base": "1.18.0"
+    "base": "1.18.1"
   },
   "images": {
-    "cert-manager-operator": "registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:9f37a838089d2e3c199a4fd97bea028cb6b66b4214e8233884716efe0a998298",
-    "cert-manager-istiocsr": "registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:78564158857ed7f1534597f3ee7faaee23b692f9ed5aa0259e19196f5400167d",
-    "cert-manager-acmesolver": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:b001612ad6362a1b7273e178d9870ab3d020a40ee3339a0f95fef1cd3913356e",
-    "cert-manager-webhook": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:8227c8925d00d1c81c95e7017209fdc6b5b1925cde2fa4fe3752fb6c81510a2d",
-    "cert-manager-ca-injector": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:8227c8925d00d1c81c95e7017209fdc6b5b1925cde2fa4fe3752fb6c81510a2d",
-    "cert-manager-controller": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:8227c8925d00d1c81c95e7017209fdc6b5b1925cde2fa4fe3752fb6c81510a2d"
+    "cert-manager-operator": "registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:22f4e686a81fc809e70e3f73206ec221f8081e842243f173308dc1fbc7f02a3e",
+    "cert-manager-istiocsr": "registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:95f5dfa4331fcfb96357ed28f4d7f0fd00d9419d9252e3cff3962aec6cedbeb9",
+    "cert-manager-acmesolver": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3258027c0fb9426c9ee3567f6dc0d02b85cb661c23300b230f5b1400b43bac25",
+    "cert-manager-webhook": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:f1b903ff69100fa938d6bdf4d730d35158eec905351344a246e30ef14c847222",
+    "cert-manager-ca-injector": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:f1b903ff69100fa938d6bdf4d730d35158eec905351344a246e30ef14c847222",
+    "cert-manager-controller": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:f1b903ff69100fa938d6bdf4d730d35158eec905351344a246e30ef14c847222"
   }
 }

assets/optional/cert-manager/release-cert-manager-x86_64.json

@@ -1,13 +1,13 @@
 {
   "release": {
-    "base": "1.18.0"
+    "base": "1.18.1"
   },
   "images": {
-    "cert-manager-operator": "registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:8eecb53c8c81c0fa8f198260acb273759c0d12b5c01642a128923c5716df19d2",
-    "cert-manager-istiocsr": "registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:0f20d178f980a3fa4527bc1613b8639385e36c367e30c93b4cbb4c4a434d3405",
-    "cert-manager-acmesolver": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:3a40eb434e032fb2135f369b6fc65266ae0f409db92fd65d12cf13c7f32b5020",
-    "cert-manager-webhook": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:40b47054e42363a365b491ccfe0d86f109e19fc317058ba834ffe0f5c733880b",
-    "cert-manager-ca-injector": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:40b47054e42363a365b491ccfe0d86f109e19fc317058ba834ffe0f5c733880b",
-    "cert-manager-controller": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:40b47054e42363a365b491ccfe0d86f109e19fc317058ba834ffe0f5c733880b"
+    "cert-manager-operator": "registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:57a1aea49d7cc275b37b8f52d602a3a9d1601ec6a21a3268dd4903566cb2e335",
+    "cert-manager-istiocsr": "registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:41df7aabbce42599bad7fdc721cd12aa6e12d17e1c0658fb3294a1f68483d656",
+    "cert-manager-acmesolver": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:155383c4664ea3ed18d0f079be720ad68a5de044448a744d7579af7ff0fc7e0a",
+    "cert-manager-webhook": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:09c857f0c20721d6b447f5f567182befc1ca6157128225849117a5c830feab23",
+    "cert-manager-ca-injector": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:09c857f0c20721d6b447f5f567182befc1ca6157128225849117a5c830feab23",
+    "cert-manager-controller": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:09c857f0c20721d6b447f5f567182befc1ca6157128225849117a5c830feab23"
   }
 }

scripts/auto-rebase/last_rebase_cert_manager.sh

@@ -1,2 +1,2 @@
 #!/bin/bash -x
-./scripts/auto-rebase/rebase_cert_manager.sh to "registry.redhat.io/redhat/redhat-operator-index:v4.20"
+./scripts/auto-rebase/rebase_cert_manager.sh to "registry.redhat.io/redhat/redhat-operator-index:v4.21"

test/kickstart-templates/includes/post-containers-sigstore.cfg

@@ -34,18 +34,6 @@ cat > /etc/containers/policy.json <<'EOF'
     ],
     "transports": {
         "docker": {
-            "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9": [{
-                "type": "insecureAcceptAnything"
-            }],
-            "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9": [{
-                "type": "insecureAcceptAnything"
-            }],
-            "registry.redhat.io/cert-manager/cert-manager-operator-rhel9": [{
-                "type": "insecureAcceptAnything"
-            }],
-            "registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9": [{
-                "type": "insecureAcceptAnything"
-            }],
             "quay.io/modh/kserve-controller": [{
                 "type": "insecureAcceptAnything"
             }],
@@ -90,6 +78,17 @@ cat > /etc/containers/policy.json <<'EOF'
 EOF
 
 # Configure the MicroShift remote and local registries to use sigstore attachments
+if [ -e /etc/containers/registries.d/registry.redhat.io.yaml ] && [ ! -e /etc/containers/registries.d/registry.redhat.io.yaml.orig ]; then
+    mv /etc/containers/registries.d/registry.redhat.io.yaml /etc/containers/registries.d/registry.redhat.io.yaml.orig
+fi
+
+cat > /etc/containers/registries.d/registry.redhat.io.yaml <<'EOF'
+docker:
+    registry.redhat.io:
+        use-sigstore-attachments: true
+        sigstore: https://registry.redhat.io/containers/sigstore
+EOF
+
 cat > /etc/containers/registries.d/registry.quay.io.yaml <<'EOF'
 docker:
     quay.io/openshift-release-dev:

test/scenarios-bootc/periodics/el96-crel@optional-sigstore.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+# Enable container signature verification for current release images,
+# including the optional components.
+# These are ec / rc / z-stream, thus must all to be signed.
+# shellcheck disable=SC2034  # used elsewhere
+IMAGE_SIGSTORE_ENABLED=true
+
+start_image=rhel96-bootc-crel-optionals
+
+scenario_create_vms() {
+    exit_if_image_not_found "${start_image}"
+
+    prepare_kickstart host1 kickstart-bootc.ks.template "${start_image}"
+    launch_vm --boot_blueprint rhel96-bootc
+}
+
+scenario_remove_vms() {
+    exit_if_image_not_found "${start_image}"
+
+	remove_vm host1
+}
+
+scenario_run_tests() {
+    exit_if_image_not_found "${start_image}"
+
+    # Run a minimal test for this scenario as its main functionality is
+    # to verify container image signature check is enabled
+	run_tests host1 \
+        --variable "EXPECTED_OS_VERSION:9.6" \
+        --variable "IMAGE_SIGSTORE_ENABLED:True" \
+        suites/standard1/containers-policy.robot
+}