Uploaded image for project: 'OpenShift BuildConfig'
  1. OpenShift BuildConfig
  2. OCPBUILD-126

Build CSI Volume Mounts


    • Icon: Story Story
    • Resolution: Done
    • Icon: Undefined Undefined
    • openshift-4.10
    • None
    • None
    • 8
    • False
    • False
    • Undefined

      User Story

      As a developer building applications with OpenShift
      I want to mount CSI volumes into my build
      So that I can use the projected resource CSI driver to access RHEL content access certs
      And add RHEL content to my application via `yum install`

      Acceptance Criteria

      • Builds can mount a `csi` volume, and the contents of the volume do not appear in the resulting image.
      • Clusters must have the TechPreviewNoUpgrade feature gate enabled to mount these volumes.
      • If the build controller doesn't have the CSI volume feature enabled, then builds should fail if they need a `csi` volume to run.

      Docs Impact

      Documentation for builds will need to be updated to enable this feature. This will include examples on how to add `csi` volumes to builds.
      Our documentation for using entitlements in builds should also be updated to reference this as an example. Note that we can't replace the current guidance as CSI volumes in builds will be a tech preview feature. We can start with a shared Google Doc here, but we should try to adhere to "no feature freeze" process and submit docs PRs before anything merges.

      QE Impact

      QE can verify by testing the RHEL entitlement experience end to end - as specified in BUILD-347

      PX Impact

      No additional PX needed beyond documentation at present.


      openshift/api would need to be updated to include the new volume type
      openshift/openshift-apiserver would need to have its "internal" API regenerated, and the validations for build volumes would need to be updated.
      openshift/openshift-controller-manager would need to add logic to add CSI volume mounts in builds.
      openshift/origin will need new tests added to the build suite.

      We would need a separate `e2e-builds` suite which enables tech preview features. On a normal cluster, we need an e2e test which verifies that builds which reference CSI volumes fails.

      Feature gating this capability will be addressed in BUILD-280 and BUILD-281.
      Openshift-controller-manager must allow the feature gate to be wired through to the build controller.  With respect to this, if you search for "BUILD-275" in the master branch of the OCM repo, you'll see these two hits:


      ./pkg/build/controller/strategy/util.go: //TODO for BUILD-275, if csiVolumesEnabled, then we can honor req's to mount CSI volumes to leverage SharedConfigMaps and SharedSecrets
      ./pkg/build/controller/strategy/util_test.go: //TODO for BUILD-275, add tests with buildCSIVolumes == true when we pull in csi volumes to leverage SharedConfigMaps and SharedSecrets

      e2e test for build CSI volumes will need to utilize the Shared Resource CSI driver. This test should use the simplest form of the API to get either a SharedSecret or SharedConfigMap injected into a build.

            jkhelil jawed khelil
            adkaplan@redhat.com Adam Kaplan
            0 Vote for this issue
            2 Start watching this issue