fix(edgeclusters.sh): Workaround BZ 2073197 issue with signatures on containers

[iranzo]

Description

Override for BZ 2073197 to override permissions https://bugzilla.redhat.com/show_bug.cgi?id=2073197#c19

Related: openshift/machine-config-operator#1349

Apparently, by mistake, a change in RHCOS image does try to verify signatures for the images, which are not currently mirrored or even provided, and this causes an issue.

There's an upstream issue listed to get this solved, but as a workaround we're disabling verification in Edge clusters via an ignition file and might in addition require a change in the installer image being used until RHCOS has the changes reverted and the related tooling is updated to mirror signatures, etc.

[alknopfler]

/LGTM

[achuzhoy]

maybe we should instead change the quay.io/ztpfw/pipeline:latest image.

[root@seal10 ~]# podman run  --name sasha4 quay.io/ztpfw/pipeline:latest cat /etc/containers/policy.json
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports": {
        "docker": {
	    "registry.access.redhat.com": [
		{
		    "type": "signedBy",
		    "keyType": "GPGKeys",
		    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
		}
	    ],
	    "registry.redhat.io": [
		{
		    "type": "signedBy",
		    "keyType": "GPGKeys",
		    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
		}
	    ]
	},
        "docker-daemon": {
	    "": [
		{
		    "type": "insecureAcceptAnything"
		}
	    ]
	}
    }
}

[flaper87]

Could you please add more info to the PR description? It would be useful to know how that BZ affects us, why it affects us, and what the contents of the override in this PR are.

[iranzo]

maybe we should instead change the quay.io/ztpfw/pipeline:latest image.

[root@seal10 ~]# podman run  --name sasha4 quay.io/ztpfw/pipeline:latest cat /etc/containers/policy.json
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports": {
        "docker": {
	    "registry.access.redhat.com": [
		{
		    "type": "signedBy",
		    "keyType": "GPGKeys",
		    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
		}
	    ],
	    "registry.redhat.io": [
		{
		    "type": "signedBy",
		    "keyType": "GPGKeys",
		    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
		}
	    ]
	},
        "docker-daemon": {
	    "": [
		{
		    "type": "insecureAcceptAnything"
		}
	    ]
	}
    }
}

Why doing only now when we can do both for the double of price (https://www.imdb.com/title/tt0118884/characters/nm0000457)

[flaper87]

/lgtm

[iranzo]

[iranzo]

Same failure in 'deploy-metallb' as 'main'

[iranzo]

https://github.com/rh-ecosystem-edge/ztp-pipeline-relocatable/runs/7018153911?check_suite_focus=true

[flaper87]

it's curious that the CI job is being re-triggered.

[alknopfler]

regarding the issue with metallb and mirror, in the afternoons I don't know why we're getting this kinds of "retries" with some images...but this is something temporal

The PR is LGTM

[alknopfler]

LGTM

[iranzo]

🎉 This PR is included in version 1.9.3 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀