Uploaded image for project: 'OpenShift Builds'
  1. OpenShift Builds
  2. BUILD-1139

UndefinedVolumes in BuildStrategy for rhel subscription entitlements

XMLWordPrintable

    • False
    • None
    • False
    • Bug Fix
    • Builds Sprint #17
    • Critical

      Description of problem:

      Build fails with `UndefinedVolumes` reason while mounting rhel entitlement secrets via CSI Shared Resources as volumes.

      Workaround

      • Use a custom buildStrategy with volumes defined, and deploy a build using this custom buildStrategy.

        Prerequisites (if any, like setup, operators/versions):

      Installed Builds for OpenShift operator v1.1.0

      Steps to Reproduce

      1. Create a sharedSecret using etc-pki-entitlement of openshift-config-managed project:
        ```
        $ oc apply -f - <<EOF 
        apiVersion: sharedresource.openshift.io/v1alpha1
        kind: SharedSecret
        metadata:
          name: share-entitlement-secret
        spec:
          secretRef:
            name: etc-pki-entitlement
            namespace: openshift-config-managed
        EOF
        ```
      2. Add ClusterRole & ClusterRoleBindings to provide permissions for use of SharedSecret:
        ~~~
        $ oc apply -f - <<EOF

        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
        metadata:
          name: shared-resource-secret-configmap-share-watch-sar-create
        rules:
          - apiGroups: [""]
            resources: ["configmaps"]
            resourceNames: ["shared-config"]
            verbs: ["get", "list", "watch"]
          - apiGroups: ["sharedresource.openshift.io"]
            resources: ["sharedconfigmaps", "sharedsecrets"]
            verbs: ["get", "list", "watch"]
          - apiGroups: ["authorization.k8s.io"]
            resources: ["subjectaccessreviews"]
            verbs: ["create"]

         apiVersion: rbac.authorization.k8s.io/v1
         kind: ClusterRoleBinding
         metadata:
           name: shared-resource-secret-configmap-share-watch-sar-create
         roleRef:
           apiGroup: rbac.authorization.k8s.io
           kind: ClusterRole
           name: shared-resource-secret-configmap-share-watch-sar-create
         subjects:
         - kind: ServiceAccount
           name: csi-driver-shared-resource
           namespace: openshift-builds
        EOF
        ~~~
      3. Create a project for builds test & then create the required roles & roleBindings:
        ~~~
        $ oc new-project entitlement-build-test
        $ oc apply -f - <<EOF

      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
      name: use-shared-default-resource
      namespace: entitlement-build-test
      rules:

      – apiGroups:
      – sharedresource.openshift.io
      resources:
      – sharedsecrets
      resourceNames:
      – share-entitlement-secret
      verbs:
      – use

      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
      name: use-shared-default-resource-binding
      namespace: entitlement-build-test
      roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: use-shared-default-resource
      subjects:
      – kind: ServiceAccount
      name: pipeline
      namespace: entitlement-build-test
      EOF~~~

      1. Create the build with CSI volume details:
        ~~~

      $ oc apply -f - <<EOF
      apiVersion: shipwright.io/v1beta1
      kind: Build
      metadata:
      name: buildah-golang-build
      spec:
      source:
      type: Git
      git:
      url: https://github.com/shipwright-io/sample-go
      contextDir: docker-build
      strategy:
      name: buildah
      kind: ClusterBuildStrategy
      paramValues:

      – name: dockerfile
      value: Dockerfile
      volumes:
      – name: shared-entitlement
      csi:
      readOnly: true
      driver: csi.sharedresource.openshift.io
      volumeAttributes:
      sharedSecret: share-entitlement-secret
      output:
      image: image-registry.openshift-image-registry.svc:5000/entitlement-build/sample-go-app
      EOF
      ~~~

      The above build will report Failure in registration with "UndefinedVolume" as the reason.

      Actual results:

      Build fails due to Volume not defined in the Shipwright BuildStrategy.

      Expected results:

      Build should reported successful Registration & buildRun should spin up pods with volume mounted at expected entitlement location.

      Reproducibility (Always/Intermittent/Only Once): 

      Always

      Acceptance criteria: 

       

      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

       

       *

              rh-ee-apjagtap Apoorva Jagtap
              rh-ee-apjagtap Apoorva Jagtap
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: