Loading...

XML

Word

Printable

Details

Type: Story
Resolution: Done
Priority: Undefined
Fix Version/s: openshift-4.10
Affects Version/s: None
Component/s: None
Labels:
- groomed

Story Points:
5
Blocked:
False
Ready:
False

SFDC Cases Links:
SFDC Cases Counter:

Description

User Story

As a developer building applications on OpenShift
I want to use RHEL entitlements in my builds
So that I can add RHEL subscription content to my container image

Acceptance Criteria

Defintion of done: Draft a Google Doc that will be a "polished draft" of the blog post, with equivalents of engineering code review, QE validation, and docs review. Post should demonstrate for CEE/customers how to use RHEL entitlements in builds. This includes:

Cluster admins should be able to do the following:

Create a SharedSecret object on the cluster, referencing the entitlement secret that the insights operator places on the cluster (etc-pki-entitlement in the openshift-config-managed)
Create a Role/RoleBinding for the builder service account in a specific namespace, granting it permission to "use" the SharedSecret.

Developers should then be able to do the following:

The shared entitlement can be added to a Build
The build can consume the entitlement and access subscription content, example `dnf install -y kernel-devel`

Docs Impact

Rolfe may be involved in editing the blog post. The materials will be a re-packaging of what is in ~~BUILD-347~~.

QE Impact

QE should still re-verify the procedure in the blog post. Chances are that this will repeat any testing in ~~BUILD-347~~.

PX Impact

Blog post - a follow up to https://cloud.redhat.com/blog/the-path-to-improving-the-experience-with-rhel-entitlements-on-openshift that outlines the process for granting builds permission to use the RHEL entitlement (and potentially other workloads!).

Notes

Blog post - a follow up to https://cloud.redhat.com/blog/the-path-to-improving-the-experience-with-rhel-entitlements-on-openshift that outlines the process for granting builds permission to use the RHEL entitlement (and potentially other workloads!).

For RBAC, there are alternatives to creating a namespaced role/rolebinding:

Create a ClusterRole/ClusterRoleBinding which grants "use" permission for the SharedSecret for all builder service accounts can access it.
Create a ClusterRole that aggregates to the "edit" role.

Zvanko's blog post: https://cloud.redhat.com/blog/how-to-use-entitled-image-builds-to-build-drivercontainers-with-ubi-on-openshift

Attachments

Issue Links

clones

OCPBUILD-96 Verify that builds work with RHEL subscriptions

Closed

Activity

People

Assignee:: Gabe Montero

Reporter:: Adam Kaplan

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2022/01/06 2:46 PM

Updated:: 2024/04/03 8:32 AM

Resolved:: 2022/02/15 1:50 PM

Blog Post - Builds work with RHEL subscriptions