OpenShift BuildConfig / OCPBUILD-96

Verify that builds work with RHEL subscriptions


      * With this update, you can run entitled builds with `SharedSecret` objects as a Technology Preview feature. This feature relies on the newly-introduced OpenShift Shared Resources feature and the Insights Operator to import {op-system-base} Simple Content Access (SCA) certificates. By using this feature, you can install entitled RPM packages during builds without the extra effort of copying your {op-system-base} subscription credentials and certificates into the builds' namespaces. (link:https://issues.redhat.com/browse/BUILD-347[BUILD-347])
      +
      [IMPORTANT]
      ====
      The `SharedSecret` objects and OpenShift Shared Resources feature are only available if you enable the `TechPreviewNoUpgrade` feature set. These Technology Preview features are not part of the default features. Enabling this feature set cannot be undone and prevents upgrades. This feature set is not recommended on production clusters. See xref:../post_installation_configuration/cluster-tasks.adoc#post-install-tp-tasks[Enabling Technology Preview features using FeatureGates].
      ====

      User Story

      As a developer building applications on OpenShift
      I want to use RHEL entitlements in my builds
      So that I can add RHEL subscription content to my container image

      Acceptance Criteria

      Cluster admins should be able to do the following:

      • Create a SharedSecret object on the cluster, referencing the entitlement secret that the Insights Operator places on the cluster (`etc-pki-entitlement` in the `openshift-config-managed` namespace)
      • Create a Role/RoleBinding for the builder service account in a specific namespace, granting it permission to "use" the SharedSecret.

      Developers should then be able to do the following:

      • The shared entitlement can be added to a Build
      • The build can consume the entitlement and access subscription content, for example `dnf install -y kernel-devel`

      The steps to accomplish this should be documented in GitHub, including actions that need to be taken outside of the OpenShift cluster, for example attaching subscriptions to a cluster.

      Docs Impact

      The current guidance on consuming RHEL entitlements in builds should be extended to add instructions that:

      1. Enable tech preview on the cluster
      2. Create a `SharedSecret` using the cluster-wide entitlement
      3. Create a `RoleBinding` which allows the `builder` ServiceAccount to use the cluster entitlement
      4. Add the CSI volume to a BuildConfig which uses the shared secret and mounts the secret in the correct location
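      Steps 2 to 4 above, written out as the manifests they would produce (step 1, the FeatureGate change, is covered by the linked xref). This is an added example, not from the issue or the OpenShift docs: the `sharedresource.openshift.io/v1alpha1` API group, the `csi.sharedresource.openshift.io` driver name and the `/etc/pki/entitlement` mount path are my assumptions about the Shared Resources Tech Preview API; `my-build-ns`, the object names and the UBI Dockerfile are constructed.

```yaml
apiVersion: sharedresource.openshift.io/v1alpha1   # API group assumed (Shared Resources Tech Preview)
kind: SharedSecret                                  # cluster-scoped; points at the Insights Operator's secret
metadata:
  name: etc-pki-entitlement
spec:
  secretRef: {name: etc-pki-entitlement, namespace: openshift-config-managed}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                 # namespaced: apply with -n my-build-ns (constructed namespace)
metadata:
  name: use-etc-pki-entitlement
rules:
- apiGroups: ["sharedresource.openshift.io"]
  resources: ["sharedsecrets"]
  resourceNames: ["etc-pki-entitlement"]   # least privilege: only this one shared secret
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-etc-pki-entitlement
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: use-etc-pki-entitlement}
subjects:
- kind: ServiceAccount
  name: builder            # the service account builds run as
  namespace: my-build-ns
---
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: entitled-build
spec:
  source:
    type: Dockerfile       # constructed: installs an entitled RPM from a UBI base image
    dockerfile: "FROM registry.access.redhat.com/ubi8/ubi\nRUN dnf install -y kernel-devel"
  strategy:
    type: Docker
    dockerStrategy:
      volumes:
      - name: etc-pki-entitlement
        mounts:
        - destinationPath: /etc/pki/entitlement   # assumed: where dnf looks for entitlement certs
        source:
          type: CSI
          csi:
            driver: csi.sharedresource.openshift.io   # driver name assumed
            readOnly: true                            # the shared resource is mounted read-only
            volumeAttributes:
              sharedSecret: etc-pki-entitlement       # the SharedSecret defined above
```

      Apply the file with `oc apply -n my-build-ns -f <file>`; the namespace is ignored for the cluster-scoped `SharedSecret` and used for the Role, RoleBinding and BuildConfig. If the RoleBinding is missing, the build pod should fail to mount the volume rather than the build succeeding without entitlement, which is the check QE can use to confirm the "use" permission is actually enforced.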

      QE Impact

      QE should verify this procedure works. For smoke tests, they can create a feature file that is tagged "manual" so it is not run on automated/CI systems.

      PX Impact

      Deferred to BUILD-397

      Notes

      For RBAC, there are alternatives to creating a namespaced role/rolebinding:

      • Create a ClusterRole/ClusterRoleBinding which grants "use" permission for the SharedSecret so that all builder service accounts can access it.
      • Create a ClusterRole that aggregates to the "edit" role.

      We won't be able to do this on CI or with cluster-bot clusters - an actual cluster associated with a Red Hat account is needed for this.

      Zvanko's blog post: https://cloud.redhat.com/blog/how-to-use-entitled-image-builds-to-build-drivercontainers-with-ubi-on-openshift

            gmontero@redhat.com Gabe Montero
            adkaplan@redhat.com Adam Kaplan