XML

Word

Printable

Type: Epic
Resolution: Done
Priority: Critical
Fix Version/s: openshift-4.10
Affects Version/s: None
Component/s: None
Labels:
- doc-ack
- groomed
- px-ack
- qe-ack

Epic Name:
Build CSI Volume Mounts
Blocked:
False
Ready:
False
Epic Status:
Done
Feature Link:
OCPSTRAT-475 - Enable sharing ConfigMaps and Secrets across namespaces [Tech Preview]
Parent Link:
OCPSTRAT-475Enable sharing ConfigMaps and Secrets across namespaces [Tech Preview]
Hierarchy Progress Bar:

0% To Do, 0% In Progress, 100% Done
Release Note Text:

Hide
* With this update, you can run entitled builds with `SharedSecret` objects as a Technology Preview feature. This feature relies on the newly-introduced a new Shared Resource driver and the Insights Operator to import {op-system-base} Simple Content Access (SCA) certificates. By using this feature, you can install entitled RPM packages during builds without the extra effort of copying your {op-system-base} subscription credentials and certificates into the builds' namespaces. (link:https://issues.redhat.com/browse/BUILD-274[~~BUILD-274~~])
+
[IMPORTANT]
====
The `SharedSecret` objects and OpenShift Shared Resources feature are only available if you enable the `TechPreviewNoUpgrade` feature set. These Technology Preview features are not part of the default features. Enabling this feature set cannot be undone and prevents upgrades. This feature set is not recommended on production clusters. See xref:../post_installation_configuration/cluster-tasks.adoc#post-install-tp-tasks[Enabling Technology Preview features using FeatureGates].
====

Show
* With this update, you can run entitled builds with `SharedSecret` objects as a Technology Preview feature. This feature relies on the newly-introduced a new Shared Resource driver and the Insights Operator to import {op-system-base} Simple Content Access (SCA) certificates. By using this feature, you can install entitled RPM packages during builds without the extra effort of copying your {op-system-base} subscription credentials and certificates into the builds' namespaces. (link: https://issues.redhat.com/browse/BUILD-274 [ BUILD-274 ]) + [IMPORTANT] ==== The `SharedSecret` objects and OpenShift Shared Resources feature are only available if you enable the `TechPreviewNoUpgrade` feature set. These Technology Preview features are not part of the default features. Enabling this feature set cannot be undone and prevents upgrades. This feature set is not recommended on production clusters. See xref:../post_installation_configuration/cluster-tasks.adoc#post-install-tp-tasks[Enabling Technology Preview features using FeatureGates]. ====

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Market:

OCP/Telco Definition of Done
Epic Template descriptions and documentation.

<--- Cut-n-Paste the entire contents of this description into your new Epic --->

Epic Goal

Allow CSI volumes to be mounted into a build

Why is this important?

CSI volumes allow data to be mounted into containers via ephemeral CSI Volumes
Ephemeral CSI volumes are provided by CSI drivers that support this feature. Such drivers include:
- The secret-store CSI driver, which allows access to sealed secrets in Vault and other cloud providers (GCP, Azure).
- The projected resource CSI driver, which will be used to share RHEL content access certs across the cluster.
When using sensitive credentials in a build, accessing secrets as a mounted volume ensure that these credentials are not present in the resulting container image.

Scenarios

Access private artifact repositories (Artifactory, jFrog, Mavein)
Download RHEL packages in a build

Acceptance Criteria

Builds can mount a CSI volume in a build
Content in the CSI volume is not present in the resulting container image.
If SCCs do not support fine controls over CSI volumes, provide this feature on a TechPreview basis with a feature gate.

Dependencies (internal and external)

Buildah - support mounting of volumes when building with a Dockerfile
(optional) Auth - use SCCs to control which CSI drivers are allowed to be used with ephemeral CSI volumes.

Previous Work (Optional):

~~BUILD-257~~ - Build Resource Volume Mounts

Open questions::

Done Checklist

CI - CI is running, tests are automated and merged.
Release Enablement <link to Feature Enablement Presentation>
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
DEV - Downstream build attached to advisory: <link to errata>
QE - Test plans in Polarion: <link or reference to Polarion>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Downstream documentation merged: <link to meaningful PR>

clones

OCPBUILD-27 Build Resource Volume Mounts

Closed

is documented by

RHDEVDOCS-3163 Document mounting data using CSI volumes into build

Closed

links to

openshift/enhancements#683: Insights Operator pulling and exposing data from the OCM API

openshift/openshift-docs#37586: OCP 4.10 Release Notes Tracker

openshift/openshift-docs#40899: [WIP]RHDEVDOCS-3410 Build release notes, Known Issues and Bug Fixes for 4.10

Assignee:: Unassigned

Reporter:: Adam Kaplan

QA Contact:: Jitendar Singh

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2021/05/14 12:46 PM

Updated:: 2024/04/03 8:32 AM

Resolved:: 2022/01/31 6:28 PM

Details

Description

Epic Goal

Why is this important?

Scenarios

Acceptance Criteria

Dependencies (internal and external)

Previous Work (Optional):

Open questions::

Done Checklist

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty