openshift · openshift-merge-robot · Jan 6, 2023 · Jan 6, 2023 · deads2k · Jan 6, 2023
diff --git a/pkg/cvo/updatepayload.go b/pkg/cvo/updatepayload.go
@@ -89,12 +89,22 @@ func (r *payloadRetriever) RetrievePayload(ctx context.Context, update configv1.
 	if index := strings.LastIndex(update.Image, "@"); index != -1 {
 		releaseDigest = update.Image[index+1:]
 	}
+	verifyCtx := ctx
+
+	// if 'force' specified, ensure call to verify payload signature times out well before parent context
+	// to allow time to perform forced update
+	if update.Force {
+		timeout := time.Minute * 2
+		if deadline, deadlineSet := ctx.Deadline(); deadlineSet {
+			timeout = time.Until(deadline) / 2
+		}
+		klog.V(2).Infof("Forced update so reducing payload signature verification timeout to %s", timeout)
+		var cancel context.CancelFunc
+		verifyCtx, cancel = context.WithTimeout(ctx, timeout)
+		defer cancel()
+	}
 
-	// set up a new context with reasonable timeout for signature and payload retrieval
-	retrieveCtx, cancel := context.WithTimeout(ctx, time.Minute*4)
-	defer cancel()
-
-	if err := r.verifier.Verify(retrieveCtx, releaseDigest); err != nil {
+	if err := r.verifier.Verify(verifyCtx, releaseDigest); err != nil {
 		vErr := &payload.UpdateError{
 			Reason:  "ImageVerificationFailed",
 			Message: fmt.Sprintf("The update cannot be verified: %v", err),
@@ -112,7 +122,7 @@ func (r *payloadRetriever) RetrievePayload(ctx context.Context, update configv1.
 
 	// download the payload to the directory
 	var err error
-	info.Directory, err = r.targetUpdatePayloadDir(retrieveCtx, update)
+	info.Directory, err = r.targetUpdatePayloadDir(ctx, update)
 	if err != nil {
 		return PayloadInfo{}, &payload.UpdateError{
 			Reason:  "UpdatePayloadRetrievalFailed",