Revert "OCPNODE-3611: manifests.rhel/0000_90_openshift-cluster-image-policy: Drop TechPreviewNoUpgrade limitation"

[wking]

Reverts #82

This was tripping up CI by causing a new MachineConfigPool rollout late in the update. For example, this run, had:

1. 0:55:22 UTC, rendered-master-5d3ab69b0a03bc70fa37249f040c06b4 MachineConfig created to push out the version bump.

2. 1:19:15 (and 1:19:20?) UTC, OperatorVersionChanged Events claimed the machine-config ClusterOperator finished its transition.

3. 1:19:47 UTC, ClusterVersion claimed the update completed.

4. 1:19:49 UTC, rendered-master-975808f8abad8954df577f74c6809db3 MachineConfig created.

5. CI fails with:

   : [sig-arch][Feature:ClusterUpgrade] Cluster should remain functional during upgrade [Disruptive] [Serial]	1h14m13s
   {  fail [github.com/openshift/origin/test/e2e/upgrade/upgrade.go:187]: during upgrade to registry.build11.ci.openshift.org/ci-op-cy2jcwgs/release@sha256:8cf00e640f46548e76028aa258ddddaaad987edb39e8399fc791b305321b4877: the "master" pool should be updated before the CVO reports available at the new version}
   

Confirming that the difference between those MachineConfig is the openshift ClusterImagePolicy:

$ diff -U3 <(curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/periodic-ci-openshift-release-master-nightly-4.20-e2e-aws-ovn-upgrade-fips/1960838341934977024/artifacts/e2e-aws-ovn-upgrade-fips/gather-extra/artifacts/inspect/cluster-scoped-resources/machineconfiguration.openshift.io/machineconfigs/rendered-master-5d3ab69b0a03bc70fa37249f040c06b4.yaml | yaml2json | jq -r '.spec.config.storage.files[] | select(.path == "/etc/containers/policy.json").contents.source | split(",")[-1]' | python3 -c 'import urllib.parse, sys; print(urllib.parse.unquote(sys.stdin.read()))') <(curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/periodic-ci-openshift-release-master-nightly-4.20-e2e-aws-ovn-upgrade-fips/1960838341934977024/artifacts/e2e-aws-ovn-upgrade-fips/gather-extra/artifacts/inspect/cluster-scoped-resources/machineconfiguration.openshift.io/machineconfigs/rendered-master-975808f8abad8954df577f74c6809db3.yaml | yaml2json | jq -r '.spec.config.storage.files[] | select(.path == "/etc/containers/policy.json").contents.source | split(",")[-1] | @base64d')
--- /dev/fd/63  2025-08-28 00:44:33.542232745 -0700
+++ /dev/fd/62  2025-08-28 00:44:33.547232745 -0700
@@ -1,15 +1,38 @@
 {
-    "default": [
+  "default": [
+    {
+      "type": "insecureAcceptAnything"
+    }
+  ],
+  "transports": {
+    "atomic": {
+      "quay.io/openshift-release-dev/ocp-release": [
         {
...

[openshift-ci-robot]

@wking: This pull request references OCPNODE-3611 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

Details

In response to this:

Reverts #82

This was tripping up CI by causing a new MachineConfigPool rollout late in the update. For example, this run, had:

1. 0:55:22 UTC, rendered-master-5d3ab69b0a03bc70fa37249f040c06b4 MachineConfig created to push out the version bump.

2. 1:19:15 (and 1:19:20?) UTC, OperatorVersionChanged Events claimed the machine-config ClusterOperator finished its transition.

3. 1:19:47 UTC, ClusterVersion claimed the update completed.

4. 1:19:49 UTC, rendered-master-975808f8abad8954df577f74c6809db3 MachineConfig created.

5. CI fails with:

   : [sig-arch][Feature:ClusterUpgrade] Cluster should remain functional during upgrade [Disruptive] [Serial]	1h14m13s
   {  fail [github.com/openshift/origin/test/e2e/upgrade/upgrade.go:187]: during upgrade to registry.build11.ci.openshift.org/ci-op-cy2jcwgs/release@sha256:8cf00e640f46548e76028aa258ddddaaad987edb39e8399fc791b305321b4877: the "master" pool should be updated before the CVO reports available at the new version}
   

Confirming that the difference between those MachineConfig is the openshift ClusterImagePolicy:

$ diff -U3 <(curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/periodic-ci-openshift-release-master-nightly-4.20-e2e-aws-ovn-upgrade-fips/1960838341934977024/artifacts/e2e-aws-ovn-upgrade-fips/gather-extra/artifacts/inspect/cluster-scoped-resources/machineconfiguration.openshift.io/machineconfigs/rendered-master-5d3ab69b0a03bc70fa37249f040c06b4.yaml | yaml2json | jq -r '.spec.config.storage.files[] | select(.path == "/etc/containers/policy.json").contents.source | split(",")[-1]' | python3 -c 'import urllib.parse, sys; print(urllib.parse.unquote(sys.stdin.read()))') <(curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/periodic-ci-openshift-release-master-nightly-4.20-e2e-aws-ovn-upgrade-fips/1960838341934977024/artifacts/e2e-aws-ovn-upgrade-fips/gather-extra/artifacts/inspect/cluster-scoped-resources/machineconfiguration.openshift.io/machineconfigs/rendered-master-975808f8abad8954df577f74c6809db3.yaml | yaml2json | jq -r '.spec.config.storage.files[] | select(.path == "/etc/containers/policy.json").contents.source | split(",")[-1] | @base64d')
--- /dev/fd/63  2025-08-28 00:44:33.542232745 -0700
+++ /dev/fd/62  2025-08-28 00:44:33.547232745 -0700
@@ -1,15 +1,38 @@
{
-    "default": [
+  "default": [
+    {
+      "type": "insecureAcceptAnything"
+    }
+  ],
+  "transports": {
+    "atomic": {
+      "quay.io/openshift-release-dev/ocp-release": [
        {
...

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[stbenjam]

/lgtm
/label approved

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: stbenjam, wking
Once this PR has been reviewed and has the lgtm label, please assign sdodson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[stbenjam]

This is HEAD of the repo, we can safely force it in

/override ci/prow/e2e-aws
/override ci/prow/e2e-aws-upgrade
/override ci/prow/okd-scos-e2e-aws-ovn

[openshift-ci]

@stbenjam: Overrode contexts on behalf of stbenjam: ci/prow/e2e-aws, ci/prow/e2e-aws-upgrade, ci/prow/okd-scos-e2e-aws-ovn

Details

In response to this:

This is HEAD of the repo, we can safely force it in

/override ci/prow/e2e-aws
/override ci/prow/e2e-aws-upgrade
/override ci/prow/okd-scos-e2e-aws-ovn

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[stbenjam]

/label approved

[stbenjam]

/label acknowledge-critical-fixes-only

[openshift-ci]

@wking: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.