Auto-detect sigstore ClusterImagePolicy for EDPM signature verification

[rabi]

When a disconnected environment has a ClusterImagePolicy configured with sigstore (cosign) signature verification for a mirror registry, the openstack-operator now auto-detects it and passes the necessary ansible variables to edpm-ansible for configuring signature verification on EDPM data plane nodes.

if ClusterImagePolicy CRD is not installed or no relevant policy exists, the operator continues without enabling signature verification. This maintains backward compatibility.

Requires OCP 4.20+ (sigstore GA) and oc-mirror v2.

There would be a follow-up edpm-ansible patch to use these ansible vars.

jira: OSPRH-28352

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rabi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rabi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[github-actions]

OpenStackControlPlane CRD Size Report

Metric	Value
CRD JSON size	322464 bytes (315KB)
Base branch size	322464 bytes
Change	+0.00%
Status	yellow — growing

Threshold reference

Color	Range	Meaning
🟢 green	< 300KB	Comfortable
🟡 yellow	300–400KB	Growing
🟠 orange	400–750KB	Concerning
🔴 red	> 750KB	Approaching 1.5MB etcd limit (cut in half to allow space for update)

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/7ffc78da13894b58ba0d051e04959802

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 48m 10s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 27m 17s
❌ cifmw-crc-podified-edpm-baremetal RETRY_LIMIT in 22m 44s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 41m 17s
❌ openstack-operator-edpm-baremetal-minor-update RETRY_LIMIT in 3h 00m 39s

[openshift-ci]

@rabi: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/openstack-operator-build-deploy-kuttl-4-18	860cfb9	link	true	/test openstack-operator-build-deploy-kuttl-4-18
ci/prow/precommit-check	132e79f	link	true	/test precommit-check

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.