enhancements/update/configurable-clusterversion-signature-stores: Tech-preview first

Instead of being born into GA, be born into tech-preview.  Add a new
periodic, because David Eads floated the following as a tech-preview
to GA condition:

> Link to automated tests preferred, QE sign off acceptable.
wking committed Nov 29, 2023
1 parent aa0cbb7 commit 30906de
Showing 1 changed file with 11 additions and 3 deletions.
@@ -92,6 +92,7 @@ type ClusterVersionSpec struct {
// Items in this list should be a valid absolute http/https URI of an upstream signature store as per rfc1738.
// +kubebuilder:validation:XValidation:rule="self.all(x, isURL(x))",message="signatureStores must contain only valid absolute URLs per the Go net/url standard"
// +kubebuilder:validation:MaxItems=32
// +openshift:enable:FeatureSets=TechPreviewNoUpgrade
// +listType=set
// +optional
SignatureStores []string `json:"signatureStores"`
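Review bot: The comment in the context lines above the added `+openshift:enable:FeatureSets=TechPreviewNoUpgrade` marker promises "a valid absolute http/https URI", but the XValidation rule is only `self.all(x, isURL(x))`, which does not constrain the scheme. Since these stores are where signatures are fetched from, consider tightening the rule while the field is still tech-preview so that it also checks the scheme, or reword the comment and the validation message so they describe what is actually enforced. Separately, the field is marked `+optional` but the tag `json:"signatureStores"` has no `omitempty`; worth confirming that is intended.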
@@ -119,18 +120,25 @@ N/A.
* We'll be using unit tests to check if CVO's default stores are replaced with custom ones.
* QE will be testing upgrading the cluster in a disconnected environment with custom signatures served using
OpenShift Update Service
* New periodics will be created testing the new feature against the most recent `candidate-4.y` Engineering Candidate releases, because those are the first point where we have CVO-trusted signatures to test with.
The periodics will:
1. Configure a custom signature store in ClusterVersion.
1. Request the cluster update to a pinned older release.
1. Confirm that the update request is rejected because no signature is found in the custom store.
1. Add the target's signature to the custom store.
1. Confirm that the update request is rejected because the version of the requested target is older than the Engineering Candidate being tested.

### Graduation Criteria

GA. When it works, we ship it.
The plan is to introduce the first version of the new API behind the `TechPreviewNoUpgrade` feature gate, and later promote to GA.

#### Dev Preview -> Tech Preview

N/A. This is not expected to be released as Dev Preview.

#### Tech Preview -> GA

N/A. This is not expected to be released as Tech Preview.
Once tech-preview periodics discussed in [the Test Plan section](#test-plan) are passing, the feature will be promoted to GA.

#### Removing a deprecated feature

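Review bot: Steps 3 and 5 of the new periodic both end in "the update request is rejected", so the test has to assert on the rejection reason and not only on the fact of rejection; otherwise a signature lookup that still fails after step 4 would satisfy step 5. Suggest stating which status or message each step checks, and that step 5 also confirms the signature failure from step 3 is gone. The "Tech Preview -> GA" text only says the periodics are "passing"; a concrete bar, such as a number of consecutive green runs or a time window, would make the promotion decision easier to judge. Minor: the new Graduation Criteria sentence calls `TechPreviewNoUpgrade` a feature gate, while the API marker in this commit uses `FeatureSets=`.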
@@ -196,4 +204,4 @@ With this alternative method, every cluster that needs the release image verific

[cluster-update-keys]: https://github.com/openshift/cluster-update-keys/blob/master/manifests.rhel/0000_90_cluster-update-keys_configmap.yaml#L4-L5
[serve image signatures for disconnected environments]: https://issues.redhat.com/browse/OTA-946
[oc-mirror]: https://github.com/openshift/oc-mirror
[oc-mirror]: https://github.com/openshift/oc-mirror
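Review bot: The removed and added `[oc-mirror]` lines in this last hunk read identically, so this looks like a whitespace or end-of-file newline change. That is unrelated to the tech-preview change described in the commit message; either mention it there or move it to its own commit so the history stays easy to read.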