Auto-detect sigstore ClusterImagePolicy for EDPM signature verification

[rabi]

When a disconnected environment has a ClusterImagePolicy configured with sigstore (cosign) signature verification for a mirror registry, the openstack-operator now auto-detects it and passes the necessary ansible variables to edpm-ansible for configuring signature verification on EDPM data plane nodes.

if ClusterImagePolicy CRD is not installed or no relevant policy exists, the operator continues without enabling signature verification. This maintains backward compatibility.

Requires OCP 4.20+ (sigstore GA) and oc-mirror v2.

There would be a follow-up edpm-ansible patch to use these ansible vars.

jira: OSPRH-28352

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rabi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rabi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[github-actions]

OpenStackControlPlane CRD Size Report

Metric	Value
CRD JSON size	322464 bytes (315KB)
Base branch size	322464 bytes
Change	+0.00%
Status	yellow — growing

Threshold reference

Color	Range	Meaning
🟢 green	< 300KB	Comfortable
🟡 yellow	300–400KB	Growing
🟠 orange	400–750KB	Concerning
🔴 red	> 750KB	Approaching 1.5MB etcd limit (cut in half to allow space for update)

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/7ffc78da13894b58ba0d051e04959802

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 48m 10s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 27m 17s
❌ cifmw-crc-podified-edpm-baremetal RETRY_LIMIT in 22m 44s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 41m 17s
❌ openstack-operator-edpm-baremetal-minor-update RETRY_LIMIT in 3h 00m 39s

[rabi]

/test openstack-operator-build-deploy-kuttl-4-18

[rabi]

recheck

[centosinfra-prod-github-app]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdo/buildset/ad76148b6ef446169a9e021d29be27a4

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 54m 00s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 24m 36s
❌ cifmw-crc-podified-edpm-baremetal RETRY_LIMIT in 26s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 39m 59s
❌ openstack-operator-edpm-baremetal-minor-update RETRY_LIMIT in 26s

[centosinfra-prod-github-app]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdo/buildset/ad7ceae5da864eb3bfd3860119d54920

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 51m 28s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 23m 16s
❌ cifmw-crc-podified-edpm-baremetal RETRY_LIMIT in 26s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 37m 28s
❌ openstack-operator-edpm-baremetal-minor-update RETRY_LIMIT in 29s