sync: Report whether updates are verified and allow admin override

For safety, all unverified images are considered untrusted and the
CVO should not apply them. An admin may override this safe default
with force (which would be mapped to oc adm upgrade --force). When
this happens, we should communicate clearly which updates were
verified and which were not.

The CVO, unless configured otherwise, assumes everything is unverified.
The payload retriever uses the verifier to check the incoming image -
both tags or failed verification is reported to the user. If the admin
then sets allowUnverifiedImages, the sync loop continues.

Periodically in the background recheck any reconciling payload that
is unverified against the verifier, just in case it was a temporary
state.

Author: smarterclayton

pkg/autoupdate/autoupdate.go

@@ -178,7 +178,7 @@ func (ctrl *Controller) sync(key string) error {
 
 	_, updated, err := resourceapply.ApplyClusterVersionFromCache(ctrl.cvLister, ctrl.client.ConfigV1(), clusterversion)
 	if updated {
-		glog.Infof("Auto Update set to %s", up)
+		glog.Infof("Auto Update set to %v", up)
 	}
 	return err
 }

pkg/autoupdate/autoupdate_test.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/openshift/api/config/v1"
+	v1 "github.com/openshift/api/config/v1"
 )
 
 func TestNextUpdate(t *testing.T) {
@@ -36,7 +36,7 @@ func TestNextUpdate(t *testing.T) {
 
 			got := nextUpdate(ups)
 			if got.Version != test.want {
-				t.Fatalf("mismatch: got %s want: %s", got, test.want)
+				t.Fatalf("mismatch: got %v want: %v", got, test.want)
 			}
 		})
 	}