Skip to content

OCPNODE-3611: manifests.rhel/0000_90_openshift-cluster-image-policy: Drop TechPreviewNoUpgrade limitation #82

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 27, 2025
Merged

OCPNODE-3611: manifests.rhel/0000_90_openshift-cluster-image-policy: Drop TechPreviewNoUpgrade limitation #82

merged 1 commit into from
Aug 27, 2025

Conversation

@wking
Copy link
Member

@wking wking commented Aug 26, 2025

Now that ClusterImagePolicy is v1 and in the default feature set, we can remove the annotation that limites the openshift ClusterImagePolicy to the TechPreviewNoUpgrade feature set. No CI impact is expected, because even 4.y.z release-controller jobs like 4.19.8 -> 4.19.9 use imported-into-CI-registry versions of the target release like registry.ci.openshift.org/ocp/release:4.19.9. But it sets us up for being able to drop OpenPGP/GPG signature verification in future releases, and avoids the risk that a 4.20 customer creates their own openshift ClusterImagePolicy and the resulting de-conflicting guards we'd need on 4.20-to-4.21 updates.

@wking
manifests.rhel/0000_90_openshift-cluster-image-policy: Drop TechPrevi…
8c17c5e 
…ewNoUpgrade limitation

Now that ClusterImagePolicy is v1 and in the default feature set, we
can remove the annotation that limites the openshift
ClusterImagePolicy to the TechPreviewNoUpgrade feature set.  No CI
impact is expected, because even 4.y.z release-controller jobs [1]
like 4.19.8 -> 4.19.9 [2] use imported-into-CI-registry versions of
the target release like registry.ci.openshift.org/ocp/release:4.19.9
[3]. But it sets us up for being able to drop OpenPGP/GPG signature
verification in future releases, and avoids the risk that a 4.20
customer creates their own openshift ClusterImagePolicy and the
resulting de-conflicting guards we'd need on 4.20-to-4.21 updates.

[1]: https://amd64.ocp.releases.ci.openshift.org/releasestream/4-stable/release/4.19.9
[2]: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/release-openshift-origin-installer-e2e-aws-upgrade/1956054636976672768
[3]: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/release-openshift-origin-installer-e2e-aws-upgrade/1956054636976672768/artifacts/e2e-aws-upgrade/clusterversion.json
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Aug 26, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Aug 26, 2025
edited by openshift-ci bot
Loading

@wking: This pull request references OCPNODE-3611 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Now that ClusterImagePolicy is v1 and in the default feature set, we can remove the annotation that limites the openshift ClusterImagePolicy to the TechPreviewNoUpgrade feature set. No CI impact is expected, because even 4.y.z release-controller jobs like 4.19.8 -> 4.19.9 use imported-into-CI-registry versions of the target release like registry.ci.openshift.org/ocp/release:4.19.9. But it sets us up for being able to drop OpenPGP/GPG signature verification in future releases, and avoids the risk that a 4.20 customer creates their own openshift ClusterImagePolicy and the resulting de-conflicting guards we'd need on 4.20-to-4.21 updates.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from mrunalp and sdodson August 26, 2025 00:42
@wking
Copy link
Member Author

wking commented Aug 26, 2025

/retest-required

@jupierce jupierce added the acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. label Aug 26, 2025
@jupierce
Copy link

jupierce commented Aug 26, 2025

/lgtm
/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 26, 2025
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 26, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Aug 26, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jupierce, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 26, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Aug 26, 2025

@wking: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jupierce
Copy link

jupierce commented Aug 27, 2025

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 27, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit 94f7582 into openshift:main Aug 27, 2025
6 checks passed
@wking wking deleted the default-feature-set-openshift-ClusterImagePolicy branch August 27, 2025 15:38
@wking wking mentioned this pull request Aug 28, 2025
Merged
wking added a commit to wking/cluster-update-keys that referenced this pull request Nov 19, 2025
@wking
Revert "Revert "Merge pull request openshift#85 from QiWang19/default…
e489285 
…-openshift-cip""

This reverts commit 7a5dcee.

This one has taken us some time:

* 2025-08-27, 94f7582, openshift#82 was our first attempt at enabling the
  ClusterImagePolicy.
* ...but it tripped up the origin test suite, so it was reverted in
  2025-08-28, c40e7b9, openshift#83.
* Qi then hardened the test suite with openshift/origin@d3af51e4acb
  (not fail upgrade checks if all nodes are ready, 2025-09-29,
  openshift/origin#30318) and openshift/origin@2fd0d8e242 (Upgrade
  test add 2min grace period allow non-drain updates to complete,
  2025-11-12, openshift/origin#30480).
* With the tougher CI in place, we tried a second time with
  2025-11-17, 1f89a67, openshift#85.
* ...but still tripped up origin, with runs like [1] taking 2.25m
  (more than the 2m grace period):

    I1119 17:26:21.890667 1511 upgrade.go:629] Waiting on pools to be upgraded
    I1119 17:26:21.939178 1511 upgrade.go:792] Pool master is still reporting (Updated: false, Updating: true, Degraded: false)
    I1119 17:26:21.939259 1511 upgrade.go:666] Invariant violation detected: master pool requires update but nodes not ready. Waiting up to 2m0s for non-draining updates to complete
    I1119 17:26:31.984116 1511 upgrade.go:792] Pool master is still reporting (Updated: false, Updating: true, Degraded: false)
    ...
    I1119 17:28:21.981438 1511 upgrade.go:792] Pool master is still reporting (Updated: false, Updating: true, Degraded: false)
    I1119 17:28:21.981514 1511 upgrade.go:673] Invariant violation detected: the "master" pool should be updated before the CVO reports available at the new version

  and:

    $ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/periodic-ci-openshift-release-master-ci-4.21-upgrade-from-stable-4.20-e2e-gcp-ovn-rt-upgrade/1991158541779472384/artifacts/e2e-gcp-ovn-rt-upgrade/gather-extra/artifacts/inspect/cluster-scoped-resources/machineconfiguration.openshift.io/machineconfigpools/master.yaml | yaml2json | jq -r '.status.conditions[] | select(.type == "Updating") | .lastTransitionTime + " " + .status'
    2025-11-19T17:28:36Z False

  28:36 - 26:21 = 135s = 2.25m, which overshot the 2m grace period.
  The second attempt was reverted in 7a5dcee, openshift#87.

* Qi then hardened the test suite further with
  openshift/origin@c17e560263 (Update grace period for cluster upgrade
  to 10 minutes, 2025-11-19, #openshift/origin#30506).
* This commit is taking a third attempt at enabling the
  ClusterImagePolicy.

[1]: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-release-master-ci-4.21-upgrade-from-stable-4.20-e2e-gcp-ovn-rt-upgrade/1991158541779472384
@wking wking mentioned this pull request Nov 19, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrunalp mrunalp Awaiting requested review from mrunalp

@sdodson sdodson Awaiting requested review from sdodson

Assignees

@jupierce jupierce

Labels

acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@wking @openshift-ci-robot @jupierce