Description of problem:

Build fails with `UndefinedVolumes` reason while mounting rhel entitlement secrets via CSI Shared Resources as volumes.

Workaround

• Use a custom buildStrategy with volumes defined, and deploy a build using this custom buildStrategy.

  Prerequisites (if any, like setup, operators/versions):

Installed Builds for OpenShift operator v1.1.0

Steps to Reproduce

1. Create a sharedSecret using etc-pki-entitlement of openshift-config-managed project:
   ```
   $ oc apply -f - <<EOF 
   apiVersion: sharedresource.openshift.io/v1alpha1
   kind: SharedSecret
   metadata:
     name: share-entitlement-secret
   spec:
     secretRef:
       name: etc-pki-entitlement
       namespace: openshift-config-managed
   EOF
   ```
2. Add ClusterRole & ClusterRoleBindings to provide permissions for use of SharedSecret:
   ~~~
   $ oc apply -f - <<EOF
   —
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
     name: shared-resource-secret-configmap-share-watch-sar-create
   rules:
     - apiGroups: [""]
       resources: ["configmaps"]
       resourceNames: ["shared-config"]
       verbs: ["get", "list", "watch"]
     - apiGroups: ["sharedresource.openshift.io"]
       resources: ["sharedconfigmaps", "sharedsecrets"]
       verbs: ["get", "list", "watch"]
     - apiGroups: ["authorization.k8s.io"]
       resources: ["subjectaccessreviews"]
       verbs: ["create"]
   —
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: shared-resource-secret-configmap-share-watch-sar-create
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: shared-resource-secret-configmap-share-watch-sar-create
    subjects:
    - kind: ServiceAccount
      name: csi-driver-shared-resource
      namespace: openshift-builds
   EOF
   ~~~
3. Create a project for builds test & then create the required roles & roleBindings:
   ~~~
   $ oc new-project entitlement-build-test
   $ oc apply -f - <<EOF
   —

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: use-shared-default-resource
namespace: entitlement-build-test
rules:

– apiGroups:
– sharedresource.openshift.io
resources:
– sharedsecrets
resourceNames:
– share-entitlement-secret
verbs:
– use
—
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: use-shared-default-resource-binding
namespace: entitlement-build-test
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: use-shared-default-resource
subjects:
– kind: ServiceAccount
name: pipeline
namespace: entitlement-build-test
EOF~~~

1. Create the build with CSI volume details:
   ~~~

$ oc apply -f - <<EOF
apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
name: buildah-golang-build
spec:
source:
type: Git
git:
url: https://github.com/shipwright-io/sample-go
contextDir: docker-build
strategy:
name: buildah
kind: ClusterBuildStrategy
paramValues:

– name: dockerfile
value: Dockerfile
volumes:
– name: shared-entitlement
csi:
readOnly: true
driver: csi.sharedresource.openshift.io
volumeAttributes:
sharedSecret: share-entitlement-secret
output:
image: image-registry.openshift-image-registry.svc:5000/entitlement-build/sample-go-app
EOF
~~~

The above build will report Failure in registration with "UndefinedVolume" as the reason.

Actual results:

Build fails due to Volume not defined in the Shipwright BuildStrategy.

Expected results:

Build should reported successful Registration & buildRun should spin up pods with volume mounted at expected entitlement location.

Reproducibility (Always/Intermittent/Only Once): 

Always

Acceptance criteria: 

Definition of Done:

Build Details:

Additional info (Such as Logs, Screenshots, etc):

 *