DPTP-4833: Disable sigstore verification for 4.22 hive clusterpools

[2uasimojo]

...until they are no longer using nightlies.

Summary by CodeRabbit

• Chores
  • Updated cluster provisioning configuration across multiple cluster pools to adjust image policy settings.

[openshift-ci-robot]

@2uasimojo: This pull request references DPTP-4833 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

...until they are no longer using nightlies.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[deepsm007]

/label priority/ci-critical

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo, deepsm007

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• clusters/hosted-mgmt/hive/pools/openshift-ci/OWNERS [deepsm007]
• clusters/hosted-mgmt/hive/pools/openshift-observability/OWNERS [deepsm007]
• clusters/hosted-mgmt/hive/pools/rh-openshift-ecosystem/OWNERS [deepsm007]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Adds installerEnv configuration with OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY="true" to five ClusterPool manifests across different clusters, enabling the experimental image policy setting during cluster provisioning.

Changes

Cohort / File(s)

Summary

ClusterPool Configuration clusters/hosted-mgmt/hive/pools/openshift-ci/ci-ocp-4-22-0-amd64-aws-us-east-1_clusterpool.yaml, clusters/hosted-mgmt/hive/pools/openshift-observability/obs-ocp-4-22-0-amd64-aws-us-east-2_clusterpool.yaml, clusters/hosted-mgmt/hive/pools/openshift-observability/obs-ocp-4-22-0-fips-amd64-aws-us-east-1_clusterpool.yaml, clusters/hosted-mgmt/hive/pools/rh-openshift-ecosystem/rhoe-ocp-4-22-amd64-aws-us-west-1_clusterpool.yaml, clusters/hosted-mgmt/hive/pools/rh-openshift-ecosystem/rhoe-ocp-4-22-amd64-aws-us-west-2_clusterpool.yaml

Identical addition of spec.installerEnv block setting OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY to "true" across all five ClusterPool manifests.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: disabling sigstore verification for 4.22 hive clusterpools, with a reference to the Jira ticket.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Custom check for stable test names is not applicable to YAML configuration files; PR contains only Kubernetes ClusterPool manifests.
Test Structure And Quality	✅ Passed	This check is not applicable to the PR as it only modifies YAML configuration files for OpenShift ClusterPool resources, not Ginkgo test code.
Microshift Test Compatibility	✅ Passed	PR modifies only YAML ClusterPool manifest files with installerEnv configuration; no Ginkgo e2e tests are introduced, making MicroShift compatibility check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This custom check is not applicable to the provided pull request. The check is designed to assess new Ginkgo e2e tests for Single Node OpenShift compatibility, but this PR only modifies YAML ClusterPool configuration files to disable sigstore verification for 4.22 hive clusterpools. No new e2e tests are being added, so the SNO test compatibility check does not apply to these configuration-only changes.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only ClusterPool infrastructure provisioning resources adding an installer environment variable, with no topology-aware scheduling constraints introduced.
Ote Binary Stdout Contract	✅ Passed	The OTE Binary Stdout Contract check is not applicable to this pull request as it exclusively modifies YAML configuration files for Kubernetes/OpenShift ClusterPool resources with no source code changes.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR modifies only YAML ClusterPool manifest files with installerEnv configuration; no Ginkgo e2e tests or Go test files are added or modified.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@clusters/hosted-mgmt/hive/pools/openshift-observability/obs-ocp-4-22-0-amd64-aws-us-east-2_clusterpool.yaml`:
- Around line 26-28: Add a sunset guardrail by documenting the temporary bypass
for installer image policy: annotate or comment near the installerEnv entry
referencing OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY with the
tracking ticket (e.g., JIRA/ISSUE-1234) and an explicit removal condition and/or
date (e.g., "remove when image policy verification fixed or by 2026-07-01").
Prefer adding a metadata.annotations key like temporary-bypass.ticket and
temporary-bypass.expiry (or a YAML comment immediately above the env entry) so
reviewers and automation can detect the intended removal criteria; keep the env
value until the stated condition/date is met.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 66b2b310-a25a-47de-8795-f7c2bbaacc2d

📥 Commits

Reviewing files that changed from the base of the PR and between 1766dcc and deb2e6b.

📒 Files selected for processing (5)

• clusters/hosted-mgmt/hive/pools/openshift-ci/ci-ocp-4-22-0-amd64-aws-us-east-1_clusterpool.yaml
• clusters/hosted-mgmt/hive/pools/openshift-observability/obs-ocp-4-22-0-amd64-aws-us-east-2_clusterpool.yaml
• clusters/hosted-mgmt/hive/pools/openshift-observability/obs-ocp-4-22-0-fips-amd64-aws-us-east-1_clusterpool.yaml
• clusters/hosted-mgmt/hive/pools/rh-openshift-ecosystem/rhoe-ocp-4-22-amd64-aws-us-west-1_clusterpool.yaml
• clusters/hosted-mgmt/hive/pools/rh-openshift-ecosystem/rhoe-ocp-4-22-amd64-aws-us-west-2_clusterpool.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a sunset guardrail for this temporary security bypass.

Line 26 disables installer image policy verification, and the PR states this is temporary. Please encode removal criteria (ticket + condition/date) in-file so this doesn’t silently persist.

Suggested minimal change

+  # TEMP(DPTP-4833): disable sigstore/image policy verification for 4.22 nightlies only.
+  # Remove when these pool image sets are no longer nightly-based.
   installerEnv:
   - name: OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY
     value: "true"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	installerEnv:
	- name: OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY
	value: "true"
	# TEMP(DPTP-4833): disable sigstore/image policy verification for 4.22 nightlies only.
	# Remove when these pool image sets are no longer nightly-based.
	installerEnv:
	- name: OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY
	value: "true"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@clusters/hosted-mgmt/hive/pools/openshift-observability/obs-ocp-4-22-0-amd64-aws-us-east-2_clusterpool.yaml`
around lines 26 - 28, Add a sunset guardrail by documenting the temporary bypass
for installer image policy: annotate or comment near the installerEnv entry
referencing OPENSHIFT_INSTALL_EXPERIMENTAL_DISABLE_IMAGE_POLICY with the
tracking ticket (e.g., JIRA/ISSUE-1234) and an explicit removal condition and/or
date (e.g., "remove when image policy verification fixed or by 2026-07-01").
Prefer adding a metadata.annotations key like temporary-bypass.ticket and
temporary-bypass.expiry (or a YAML comment immediately above the env entry) so
reviewers and automation can detect the intended removal criteria; keep the env
value until the stated condition/date is met.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@2uasimojo: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

[openshift-ci]

@2uasimojo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.