- Bug
- Resolution: Done
- Major
- rhel-10.0.beta
- librhsm-0.0.3-14.el10
- Yes
- Moderate
- Regression
- rhel-swm
- ssg_core_services
- 16
- 18
- 2
- False
- False
- No
- None
- Approved Blocker
- Pass
- Automated
- Bug Fix
- All
- None
What were you trying to do that didn't work?
When running entitled builds using SharedSecret objects according to https://docs.openshift.com/container-platform/4.13/cicd/builds/running-entitled-builds.html#builds-running-entitled-builds-with-sharedsecret-objects_running-entitled-builds with an rhcos container, rpm-ostree cannot access the repos. The workaround is to remove /etc/rhsm-host.
Please provide the package NVR for which the bug is seen:
librhsm-0.0.3-7.el9.x86_64
How reproducible:
100%
Steps to reproduce
1. Create 4.13.1 cluster
2. Enable TechPreviewNoUpgrade FeatureGate featureset (refer to doc)
$ oc get FeatureGate cluster -ojson | jq '.spec'
{
  "featureSet": "TechPreviewNoUpgrade"
}
Check etc-pki-entitlement secret was created
$ oc get secret --namespace openshift-config-managed etc-pki-entitlement
etc-pki-entitlement   Opaque   2      6m16s
3. Create test namespace
$ oc new-project entitlement-test
$ oc project
Using project "entitlement-test" on server "https://api.ci-ln-v6y7jf2-76ef8.aws-2.ci.openshift.org:6443".
4. Create SharedSecret
# cat my-entitlement.yaml
apiVersion: sharedresource.openshift.io/v1alpha1
kind: SharedSecret
metadata:
  name: my-entitlement
spec:
  secretRef:
    name: etc-pki-entitlement
    namespace: openshift-config-managed
$ oc apply -f my-entitlement.yaml
$ oc get sharedsecret
NAME             AGE
my-entitlement   18s
5. Create Role and RoleBinding
# cat my-role-shared.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: shared-resource-my-share
  namespace: entitlement-test
rules:
- apiGroups:
  - sharedresource.openshift.io
  resources:
  - sharedsecrets
  resourceNames:
  - my-entitlement
  verbs:
  - use
$ oc apply -f my-role-shared.yaml
$ oc create rolebinding shared-resource-my-share --role=shared-resource-my-share --serviceaccount=entitlement-test:builder
rolebinding.rbac.authorization.k8s.io/shared-resource-my-share created
6. Create BuildConfig
$ cat my-csi-bc-coreos.yaml
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: my-csi-bc-coreos
  namespace: entitlement-test
spec:
  runPolicy: Serial
  source:
    dockerfile: |
      # oc adm release info 4.13.1 --image-for=rhel-coreos
      FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d2aa8899d6ec5cd40bbe7b843027148b768f0a5b8ab091aa46958c4893814306
      RUN ls -la /etc/pki/entitlement/
      RUN sleep infinity
      RUN rpm-ostree install libreswan
  strategy:
    type: Docker
    dockerStrategy:
      volumes:
      - mounts:
        - destinationPath: "/etc/pki/entitlement"
        name: entitlement-pv
        source:
          csi:
            driver: csi.sharedresource.openshift.io
            readOnly: true
            volumeAttributes:
              sharedSecret: my-entitlement
          type: CSI
$ oc apply -f my-csi-bc-coreos.yaml
buildconfig.build.openshift.io/my-csi-bc-coreos created
$ oc start-build my-csi-bc-coreos -F
Expected results
Entitled builds can access the repo successfully.
Actual results
Entitled builds cannot access the repo with error:
bash-5.1# rpm-ostree install libreswan
...
Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/repodata/repomd.xml [error setting certificate file: /etc/rhsm-host-host/ca/redhat-uep.pem]
RHEL 10 (librhsm-0.0.3-13.el10.x86_64) is affected.
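The failing path in the Curl error (/etc/rhsm-host-host/ca) comes from the CA-directory rewrite that the linked RHEL-14224 describes: inside a container the host's subscription data is mounted at /etc/rhsm-host, paths under /etc/rhsm are redirected there, and a CA directory that is already under /etc/rhsm-host gets the prefix substituted a second time. The following C program is an added illustrative model of that defect beside a corrected variant; it is not librhsm's source, and the function names (ca_dir_for_container_buggy, ca_dir_for_container_fixed, rewrite_matches) and the constants are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model (not librhsm source) of the container-host path
 * rewrite: /etc/rhsm/<x> is redirected to /etc/rhsm-host/<x> when the
 * host's subscription data is mounted at /etc/rhsm-host. */
#define RHSM_DIR      "/etc/rhsm"
#define RHSM_HOST_DIR "/etc/rhsm-host"

/* Portable strdup replacement; caller frees the result. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out != NULL)
        memcpy(out, s, n);
    return out;
}

/* Return 1 when 'path' equals 'prefix' or lies under it as a whole
 * directory component, so "/etc/rhsm-host/ca" does NOT count as being
 * under "/etc/rhsm" (the next character is '-', not '/'). */
static int has_dir_prefix(const char *path, const char *prefix)
{
    size_t plen = strlen(prefix);
    if (strncmp(path, prefix, plen) != 0)
        return 0;
    return path[plen] == '\0' || path[plen] == '/';
}

/* Replace the leading RHSM_DIR of 'ca_dir' with RHSM_HOST_DIR.
 * Only called once the caller has checked the prefix. Caller frees. */
static char *replace_prefix(const char *ca_dir)
{
    const char *rest = ca_dir + strlen(RHSM_DIR);
    size_t n = strlen(RHSM_HOST_DIR) + strlen(rest) + 1;
    char *out = malloc(n);
    if (out != NULL)
        snprintf(out, n, "%s%s", RHSM_HOST_DIR, rest);
    return out;
}

/* Defective variant: a plain string-prefix test. "/etc/rhsm-host/ca"
 * also starts with the characters "/etc/rhsm", so it is rewritten again
 * and becomes "/etc/rhsm-host-host/ca", the path in the Curl error. */
char *ca_dir_for_container_buggy(const char *ca_dir)
{
    if (strncmp(ca_dir, RHSM_DIR, strlen(RHSM_DIR)) != 0)
        return dup_str(ca_dir);
    return replace_prefix(ca_dir);
}

/* Corrected variant: a path already under /etc/rhsm-host is returned
 * unchanged, and only a path under /etc/rhsm as a directory is rewritten.
 * The rewrite is therefore idempotent. */
char *ca_dir_for_container_fixed(const char *ca_dir)
{
    if (has_dir_prefix(ca_dir, RHSM_HOST_DIR) ||
        !has_dir_prefix(ca_dir, RHSM_DIR))
        return dup_str(ca_dir);
    return replace_prefix(ca_dir);
}

/* Check helper: rewrite 'in' with the chosen variant and compare the
 * result to 'expected'; returns 1 on match, 0 otherwise. */
int rewrite_matches(const char *in, const char *expected, int use_fixed)
{
    char *got = use_fixed ? ca_dir_for_container_fixed(in)
                          : ca_dir_for_container_buggy(in);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed sample CA directories, including the one from the report. */
    const char *inputs[] = { "/etc/rhsm/ca", "/etc/rhsm-host/ca",
                             "/etc/rhsmfoo/ca", "/usr/share/rhsm/ca" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *b = ca_dir_for_container_buggy(inputs[i]);
        char *f = ca_dir_for_container_fixed(inputs[i]);
        printf("%-20s buggy: %-26s fixed: %s\n", inputs[i], b, f);
        free(b);
        free(f);
    }
    return 0;
}
```

Running it shows the defective variant turning /etc/rhsm-host/ca into /etc/rhsm-host-host/ca (and /etc/rhsmfoo/ca into /etc/rhsm-hostfoo/ca), while the corrected variant leaves both untouched and still maps /etc/rhsm/ca to /etc/rhsm-host/ca. The same whole-component prefix check is what makes the workaround in this report (removing /etc/rhsm-host) unnecessary.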
- clones: RHEL-14224 Stop replacing /etc/rhsm-host/ca to /etc/rhsm-host-host/ca if ca cert dir is already under /etc/rhsm-host (Closed)
- links to: RHBA-2024:132912 DNF stack bug fix and enhancement update