Loading...

XML

Word

Printable

Details

Type: Story
Resolution: Done
Priority: Undefined
Fix Version/s: openshift-4.10
Affects Version/s: None
Component/s: None
Labels:
- groomed

Story Points:
8
Blocked:
False
Ready:
False
Release Note Text:
Undefined

SFDC Cases Links:
SFDC Cases Counter:

Description

User Story

As a developer building applications with OpenShift
I want to mount CSI volumes into my build
So that I can use the projected resource CSI driver to access RHEL content access certs
And add RHEL content to my application via `yum install`

Acceptance Criteria

Builds can mount a `csi` volume, and the contents of the volume do not appear in the resulting image.
Clusters must have the TechPreviewNoUpgrade feature gate enabled to mount these volumes.
If the build controller doesn't have the CSI volume feature enabled, then builds should fail if they need a `csi` volume to run.

Docs Impact

Documentation for builds will need to be updated to enable this feature. This will include examples on how to add `csi` volumes to builds.
Our documentation for using entitlements in builds should also be updated to reference this as an example. Note that we can't replace the current guidance as CSI volumes in builds will be a tech preview feature. We can start with a shared Google Doc here, but we should try to adhere to "no feature freeze" process and submit docs PRs before anything merges.

QE Impact

QE can verify by testing the RHEL entitlement experience end to end - as specified in ~~BUILD-347~~

PX Impact

No additional PX needed beyond documentation at present.

Notes

openshift/api would need to be updated to include the new volume type
openshift/openshift-apiserver would need to have its "internal" API regenerated, and the validations for build volumes would need to be updated.
openshift/openshift-controller-manager would need to add logic to add CSI volume mounts in builds.
openshift/origin will need new tests added to the build suite.

We would need a separate `e2e-builds` suite which enables tech preview features. On a normal cluster, we need an e2e test which verifies that builds which reference CSI volumes fails.

Feature gating this capability will be addressed in ~~BUILD-280~~ and ~~BUILD-281~~.
Openshift-controller-manager must allow the feature gate to be wired through to the build controller. With respect to this, if you search for "~~BUILD-275~~" in the master branch of the OCM repo, you'll see these two hits:

./pkg/build/controller/strategy/util.go: //TODO for ~~BUILD-275~~, if csiVolumesEnabled, then we can honor req's to mount CSI volumes to leverage SharedConfigMaps and SharedSecrets
./pkg/build/controller/strategy/util_test.go: //TODO for ~~BUILD-275~~, add tests with buildCSIVolumes == true when we pull in csi volumes to leverage SharedConfigMaps and SharedSecrets

e2e test for build CSI volumes will need to utilize the Shared Resource CSI driver. This test should use the simplest form of the API to get either a SharedSecret or SharedConfigMap injected into a build.