[release-4.18] OCPBUGS-48577: Enable sigstore-based verification in MicroShift CI

[ggiguash]

This is a manual cherry-pick of the following PRs:

• OCPBUGS-44695: Port mirror registry to use Quay #4402
• OCPBUGS-44695: Optimize Quay configuration procedure #4413
• OCPBUGS-44695: Add signature copy and verification support when working with local Quay registry #4426

Note that the last PR in the main branch is still open. This is because we can only test the signatures in z-stream branches where all container images are signed.

So, to complete this work, we need to show that the system is fully functional in 4.18 branch before merging any final changes to main.

In the main branch, the signature check will be disabled because not all the MicroShift and Red Hat container images are signed.

NOTES TO REVIEWERS

• It might be convenient to look at OCPBUGS-44695: Add signature copy and verification support when working with local Quay registry #4426 to see the diffs on what exactly needs to be done for enabling sigstore verification without the "noise" of Quay setup.
• As image verification was disabled in all bootc upgrade / downgrade tests, I created USHIFT-5290 as a follow-up
• As image verification was disabled in optional tests, I created USHIFT-5289 as a follow-up

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[ggiguash]

/test e2e-aws-tests-bootc
/test e2e-aws-tests-bootc-arm

[ggiguash]

/test e2e-aws-tests-bootc-periodic
/test e2e-aws-tests-bootc-periodic-arm
/test verify

[ggiguash]

/test ?

[openshift-ci]

@ggiguash: The following commands are available to trigger required jobs:

/test e2e-aws-footprint-and-performance

/test e2e-aws-tests

/test e2e-aws-tests-arm

/test e2e-aws-tests-bootc

/test e2e-aws-tests-bootc-arm

/test e2e-aws-tests-bootc-periodic

/test e2e-aws-tests-bootc-periodic-arm

/test e2e-aws-tests-cache

/test e2e-aws-tests-cache-arm

/test e2e-aws-tests-periodic

/test e2e-aws-tests-periodic-arm

/test images

/test ocp-full-conformance-rhel-eus

/test ocp-full-conformance-serial-rhel-eus

/test test-rpm

/test test-unit

/test verify

The following commands are available to trigger optional jobs:

/test security

/test test-rebase

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-microshift-release-4.18-e2e-aws-tests

pull-ci-openshift-microshift-release-4.18-e2e-aws-tests-arm

pull-ci-openshift-microshift-release-4.18-e2e-aws-tests-bootc

pull-ci-openshift-microshift-release-4.18-e2e-aws-tests-bootc-arm

pull-ci-openshift-microshift-release-4.18-e2e-aws-tests-bootc-periodic

pull-ci-openshift-microshift-release-4.18-e2e-aws-tests-bootc-periodic-arm

pull-ci-openshift-microshift-release-4.18-e2e-aws-tests-periodic

pull-ci-openshift-microshift-release-4.18-e2e-aws-tests-periodic-arm

pull-ci-openshift-microshift-release-4.18-images

pull-ci-openshift-microshift-release-4.18-security

pull-ci-openshift-microshift-release-4.18-test-unit

pull-ci-openshift-microshift-release-4.18-verify

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ggiguash]

/test e2e-aws-tests security test-unit verify

[openshift-ci]

@ggiguash: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[pacevedom]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ggiguash, pacevedom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ggiguash,pacevedom]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ggiguash]

/label backport-risk-assessed
/label cherry-pick-approved
/label jira/valid-bug

[ggiguash]

/jira refresh

[openshift-ci-robot]

@ggiguash: This pull request references Jira Issue OCPBUGS-48577, which is invalid:

• expected dependent Jira Issue OCPBUGS-44695 to be in one of the following states: MODIFIED, ON_QA, VERIFIED, but it is Closed (Done) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Retaining the jira/valid-bug label as it was manually added.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ggiguash]

/jira refresh

[openshift-ci-robot]

@ggiguash: This pull request references Jira Issue OCPBUGS-48577, which is valid.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.18.0) matches configured target version for branch (4.18.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
• release note type set to "Release Note Not Required"
• dependent bug Jira Issue OCPBUGS-44695 is in the state Verified, which is one of the valid states (MODIFIED, ON_QA, VERIFIED)
• dependent Jira Issue OCPBUGS-44695 targets the "4.19.0" version, which is one of the valid target versions: 4.19.0
• bug has dependents

Requesting review from QA contact:
/cc @jogeo

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ggiguash: Jira Issue OCPBUGS-48577 is in an unrecognized state (Verified) and will not be moved to the MODIFIED state.

In response to this:

This is a manual cherry-pick of the following PRs:

• OCPBUGS-44695: Port mirror registry to use Quay #4402
• OCPBUGS-44695: Optimize Quay configuration procedure #4413
• OCPBUGS-44695: Add signature copy and verification support when working with local Quay registry #4426

Note that the last PR in the main branch is still open. This is because we can only test the signatures in z-stream branches where all container images are signed.

So, to complete this work, we need to show that the system is fully functional in 4.18 branch before merging any final changes to main.

In the main branch, the signature check will be disabled because not all the MicroShift and Red Hat container images are signed.

NOTES TO REVIEWERS

• It might be convenient to look at OCPBUGS-44695: Add signature copy and verification support when working with local Quay registry #4426 to see the diffs on what exactly needs to be done for enabling sigstore verification without the "noise" of Quay setup.
• As image verification was disabled in all bootc upgrade / downgrade tests, I created USHIFT-5290 as a follow-up
• As image verification was disabled in optional tests, I created USHIFT-5289 as a follow-up

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.