From 6203102648150daf4dad8d922cbd7632c4e1f9ce Mon Sep 17 00:00:00 2001 From: Qi Wang Date: Thu, 13 Nov 2025 12:41:30 -0500 Subject: [PATCH 1/2] check ClusterImagePolicy conflicts only on default clusters Signed-off-by: Qi Wang --- pkg/operator/status.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/pkg/operator/status.go b/pkg/operator/status.go index e9d24f68d6..ff5c62b244 100644 --- a/pkg/operator/status.go +++ b/pkg/operator/status.go @@ -280,6 +280,23 @@ func (optr *Operator) syncUpgradeableStatus(co *configv1.ClusterOperator) error coStatusCondition.Reason = "ClusterOnCgroupV1" coStatusCondition.Message = "Cluster is using deprecated cgroup v1 and is not upgradable. Please update the `CgroupMode` in the `nodes.config.openshift.io` object to 'v2'. Once upgraded, the cluster cannot be changed back to cgroup v1" } + + // Check for ClusterImagePolicy named "openshift" which conflicts with the cluster default ClusterImagePolicy object + // Only check for Default featureSet clusters allowing 4.20 ci techpreview builds upgrades + fg, err := optr.configClient.ConfigV1().FeatureGates().Get(context.TODO(), "cluster", metav1.GetOptions{}) + if err != nil && !apierrors.IsNotFound(err) { + return err + } + if fg.Spec.FeatureSet == configv1.Default { + if _, err = optr.configClient.ConfigV1().ClusterImagePolicies().Get(context.TODO(), "openshift", metav1.GetOptions{}); err == nil { + coStatusCondition.Status = configv1.ConditionFalse + coStatusCondition.Reason = "ConflictingClusterImagePolicy" + coStatusCondition.Message = "ClusterImagePolicy resource named 'openshift' conflicts with the cluster default ClusterImagePolicy object and blocks upgrades. Please delete the 'openshift' ClusterImagePolicy resource and reapply it with a different name if needed" + } else if !apierrors.IsNotFound(err) { + return err + } + } + var degraded, interrupted bool for _, pool := range pools { interrupted = isPoolStatusConditionTrue(pool, mcfgv1.MachineConfigPoolBuildInterrupted) From e285e21f6de03944c9c522df568077fb93b92256 Mon Sep 17 00:00:00 2001 From: Qi Wang Date: Mon, 17 Nov 2025 15:04:44 -0500 Subject: [PATCH 2/2] featureset signal workaround Signed-off-by: Qi Wang --- pkg/operator/status.go | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/pkg/operator/status.go b/pkg/operator/status.go index ff5c62b244..9aef14e01f 100644 --- a/pkg/operator/status.go +++ b/pkg/operator/status.go @@ -283,12 +283,11 @@ func (optr *Operator) syncUpgradeableStatus(co *configv1.ClusterOperator) error // Check for ClusterImagePolicy named "openshift" which conflicts with the cluster default ClusterImagePolicy object // Only check for Default featureSet clusters allowing 4.20 ci techpreview builds upgrades - fg, err := optr.configClient.ConfigV1().FeatureGates().Get(context.TODO(), "cluster", metav1.GetOptions{}) - if err != nil && !apierrors.IsNotFound(err) { - return err - } - if fg.Spec.FeatureSet == configv1.Default { - if _, err = optr.configClient.ConfigV1().ClusterImagePolicies().Get(context.TODO(), "openshift", metav1.GetOptions{}); err == nil { + // Use SigstoreImageVerificationPKI as an featureset indicator: if it's disabled, the cluster is on Default feature set + // (SigstoreImageVerificationPKI is only enabled in TechPreview/DevPreview in 4.20, not in Default, and thefeature set changes won’t be backported, making this method stable for 4.20.). + // This avoids the API call to get the FeatureGate resource + if optr.fgHandler != nil && !optr.fgHandler.Enabled(features.FeatureGateSigstoreImageVerificationPKI) { + if _, err := optr.configClient.ConfigV1().ClusterImagePolicies().Get(context.TODO(), "openshift", metav1.GetOptions{}); err == nil { coStatusCondition.Status = configv1.ConditionFalse coStatusCondition.Reason = "ConflictingClusterImagePolicy" coStatusCondition.Message = "ClusterImagePolicy resource named 'openshift' conflicts with the cluster default ClusterImagePolicy object and blocks upgrades. Please delete the 'openshift' ClusterImagePolicy resource and reapply it with a different name if needed"