- Bug
- Resolution: Duplicate
- Critical
- None
- builds-1.1
- False
- None
- False
- Bug Fix
- Builds Sprint #17
- Critical
Description of problem:
Build fails with `UndefinedVolumes` reason while mounting RHEL entitlement secrets via CSI Shared Resources as volumes.
Workaround
- Use a custom buildStrategy with volumes defined, and deploy a build using this custom buildStrategy.
Prerequisites (if any, like setup, operators/versions):
Installed Builds for OpenShift operator v1.1.0
Steps to Reproduce
- Create a sharedSecret using etc-pki-entitlement of openshift-config-managed project:
```
$ oc apply -f - <<EOF
apiVersion: sharedresource.openshift.io/v1alpha1
kind: SharedSecret
metadata:
  name: share-entitlement-secret
spec:
  secretRef:
    name: etc-pki-entitlement
    namespace: openshift-config-managed
EOF
```
- Add ClusterRole & ClusterRoleBindings to provide permissions for use of SharedSecret:
~~~
$ oc apply -f - <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: shared-resource-secret-configmap-share-watch-sar-create
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["shared-config"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["sharedresource.openshift.io"]
    resources: ["sharedconfigmaps", "sharedsecrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: shared-resource-secret-configmap-share-watch-sar-create
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: shared-resource-secret-configmap-share-watch-sar-create
subjects:
  - kind: ServiceAccount
    name: csi-driver-shared-resource
    namespace: openshift-builds
EOF
~~~
- Create a project for builds test & then create the required roles & roleBindings:
~~~
$ oc new-project entitlement-build-test
$ oc apply -f - <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-shared-default-resource
  namespace: entitlement-build-test
rules:
  - apiGroups:
      - sharedresource.openshift.io
    resources:
      - sharedsecrets
    resourceNames:
      - share-entitlement-secret
    verbs:
      - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-shared-default-resource-binding
  namespace: entitlement-build-test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-shared-default-resource
subjects:
  - kind: ServiceAccount
    name: pipeline
    namespace: entitlement-build-test
EOF
~~~
- Create the build with CSI volume details:
~~~
$ oc apply -f - <<EOF
apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: buildah-golang-build
spec:
  source:
    type: Git
    git:
      url: https://github.com/shipwright-io/sample-go
    contextDir: docker-build
  strategy:
    name: buildah
    kind: ClusterBuildStrategy
  paramValues:
    - name: dockerfile
      value: Dockerfile
  volumes:
    - name: shared-entitlement
      csi:
        readOnly: true
        driver: csi.sharedresource.openshift.io
        volumeAttributes:
          sharedSecret: share-entitlement-secret
  output:
    image: image-registry.openshift-image-registry.svc:5000/entitlement-build/sample-go-app
EOF
~~~
The above build will report Failure in registration with "UndefinedVolume" as the reason.
Actual results:
Build fails due to Volume not defined in the Shipwright BuildStrategy.
Expected results:
Build should report successful registration & buildRun should spin up pods with volume mounted at expected entitlement location.
Reproducibility (Always/Intermittent/Only Once):
Always
Acceptance criteria:
Definition of Done:
Build Details:
Additional info (Such as Logs, Screenshots, etc):
- is incorporated by
- BUILD-1135 Add RHEL Entitlement Volumes to Build Strategies
- Release Pending
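
The failure reported above comes from a Build naming a volume that its strategy does not declare. The following is an added example, not part of the original report and not Shipwright's own code: a pre-flight check over manifests in `oc get ... -o json` form that lists the Build volumes a strategy would not accept. The function name, the three strategy samples and their volume lists are constructed for illustration, and the check assumes a strategy volume must also carry `overridable: true` before a Build may replace it.

```python
import json

# Constructed manifests in the shape `oc get <kind> <name> -o json` returns.
# Only the Build's volume entry is taken from the report above; all three
# strategy volume lists are invented for illustration.
BUILD = json.loads("""{
  "kind": "Build", "metadata": {"name": "buildah-golang-build"},
  "spec": {"strategy": {"name": "buildah", "kind": "ClusterBuildStrategy"},
           "volumes": [{"name": "shared-entitlement", "csi": {
             "readOnly": true, "driver": "csi.sharedresource.openshift.io",
             "volumeAttributes": {"sharedSecret": "share-entitlement-secret"}}}]}}""")
STRATEGY_WITHOUT_VOLUME = json.loads("""{
  "kind": "ClusterBuildStrategy", "metadata": {"name": "buildah"},
  "spec": {"volumes": [{"name": "scratch", "emptyDir": {}}]}}""")
STRATEGY_FIXED_VOLUME = json.loads("""{
  "kind": "BuildStrategy", "metadata": {"name": "buildah-fixed"},
  "spec": {"volumes": [{"name": "shared-entitlement", "emptyDir": {}}]}}""")
STRATEGY_OVERRIDABLE = json.loads("""{
  "kind": "BuildStrategy", "metadata": {"name": "buildah-entitled"},
  "spec": {"volumes": [{"name": "shared-entitlement", "overridable": true,
                        "emptyDir": {}}]}}""")


def rejected_volumes(build, strategy):
    """Return (name, reason) for each Build volume the strategy cannot accept."""
    declared = {v["name"]: v
                for v in strategy.get("spec", {}).get("volumes") or []}
    rejected = []
    for vol in build.get("spec", {}).get("volumes") or []:
        name = vol.get("name", "<unnamed>")
        if name not in declared:
            # The case in this report: the strategy never declares the volume.
            rejected.append((name, "not defined in strategy"))
        elif not declared[name].get("overridable", False):
            # Assumption: only volumes marked overridable may be replaced.
            rejected.append((name, "defined in strategy but not overridable"))
    return rejected


if __name__ == "__main__":
    for strategy in (STRATEGY_WITHOUT_VOLUME, STRATEGY_FIXED_VOLUME,
                     STRATEGY_OVERRIDABLE):
        result = rejected_volumes(BUILD, strategy)
        print(strategy["metadata"]["name"], "->", result or "volumes accepted")
```
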