mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
131 lines
4.8 KiB
Plaintext
131 lines
4.8 KiB
Plaintext
:_mod-docs-content-type: PROCEDURE
|
|
[id="builds-running-entitled-builds-with-sharedsecret-objects_{context}"]
|
|
= Running builds using SharedSecret objects
|
|
|
|
You can use a `SharedSecret` object to securely access the entitlement keys of a cluster in builds.
|
|
|
|
The `SharedSecret` object allows you to share and synchronize secrets across namespaces.
|
|
|
|
[IMPORTANT]
|
|
====
|
|
The Shared Resource CSI Driver feature is now generally available in link:https://docs.redhat.com/en/documentation/builds_for_red_hat_openshift/1.1[{builds-v2title} 1.1]. This feature is now removed in {product-title} 4.18 and later. To use this feature, ensure that you are using {builds-v2title} 1.1 or later.
|
|
====
|
|
|
|
.Prerequisites
|
|
|
|
* You have enabled the `TechPreviewNoUpgrade` feature set by using the feature gates. For more information, see xref:../../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling[Enabling features using feature gates].
|
|
* You must have permission to perform the following actions:
|
|
** Create build configs and start builds.
|
|
** Discover which `SharedSecret` CR instances are available by entering the `oc get sharedsecrets` command and getting a non-empty list back.
|
|
** Determine if the `builder` service account available to you in your namespace is allowed to use the given `SharedSecret` CR instance. In other words, you can run `oc adm policy who-can use <identifier of specific SharedSecret>` to see if the `builder` service account in your namespace is listed.
|
|
|
|
[NOTE]
|
|
====
|
|
If neither of the last two prerequisites in this list are met, establish, or ask someone to establish, the necessary role-based access control (RBAC) so that you can discover `SharedSecret` CR instances and enable service accounts to use `SharedSecret` CR instances.
|
|
====
|
|
|
|
.Procedure
|
|
|
|
. Use `oc apply` to create a `SharedSecret` object instance with the cluster's entitlement secret.
|
|
+
|
|
[IMPORTANT]
|
|
====
|
|
You must have cluster administrator permissions to create `SharedSecret` objects.
|
|
====
|
|
+
|
|
.Example `oc apply -f` command with YAML `Role` object definition
|
|
[source,terminal]
|
|
----
|
|
$ oc apply -f - <<EOF
|
|
kind: SharedSecret
|
|
apiVersion: sharedresource.openshift.io/v1alpha1
|
|
metadata:
|
|
name: etc-pki-entitlement
|
|
spec:
|
|
secretRef:
|
|
name: etc-pki-entitlement
|
|
namespace: openshift-config-managed
|
|
EOF
|
|
----
|
|
|
|
. Create a role to grant the `builder` service account permission to access the `SharedSecret` object:
|
|
+
|
|
.Example `oc apply -f` command
|
|
[source,terminal]
|
|
----
|
|
$ oc apply -f - <<EOF
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: builder-etc-pki-entitlement
|
|
namespace: build-namespace
|
|
rules:
|
|
- apiGroups:
|
|
- sharedresource.openshift.io
|
|
resources:
|
|
- sharedsecrets
|
|
resourceNames:
|
|
- etc-pki-entitlement
|
|
verbs:
|
|
- use
|
|
EOF
|
|
----
|
|
|
|
. Create a `RoleBinding` object that grants the `builder` service account permission to access the `SharedSecret` object by running the following command:
|
|
+
|
|
.Example `oc create rolebinding` command
|
|
[source,terminal]
|
|
----
|
|
$ oc create rolebinding builder-etc-pki-entitlement --role=builder-etc-pki-entitlement --serviceaccount=build-namespace:builder
|
|
----
|
|
|
|
. Add the entitlement secret to your `BuildConfig` object by using a CSI volume mount:
|
|
+
|
|
.Example YAML `BuildConfig` object definition
|
|
[source,yaml]
|
|
----
|
|
apiVersion: build.openshift.io/v1
|
|
kind: BuildConfig
|
|
metadata:
|
|
name: uid-wrapper-rhel9
|
|
namespace: build-namespace
|
|
spec:
|
|
runPolicy: Serial
|
|
source:
|
|
dockerfile: |
|
|
FROM registry.redhat.io/ubi9/ubi:latest
|
|
RUN rm -rf /etc/rhsm-host <1>
|
|
RUN yum --enablerepo=codeready-builder-for-rhel-9-x86_64-rpms install \ <2>
|
|
nss_wrapper \
|
|
uid_wrapper -y && \
|
|
yum clean all -y
|
|
RUN ln -s /run/secrets/rhsm /etc/rhsm-host <3>
|
|
strategy:
|
|
type: Docker
|
|
dockerStrategy:
|
|
volumes:
|
|
- mounts:
|
|
- destinationPath: "/etc/pki/entitlement"
|
|
name: etc-pki-entitlement
|
|
source:
|
|
csi:
|
|
driver: csi.sharedresource.openshift.io
|
|
readOnly: true <4>
|
|
volumeAttributes:
|
|
sharedSecret: etc-pki-entitlement <5>
|
|
type: CSI
|
|
----
|
|
+
|
|
<1> You must include the command to remove the `/etc/rhsm-host` directory and all its contents in the Dockerfile before executing any `yum` or `dnf` commands.
|
|
<2> Use the link:https://access.redhat.com/downloads/content/package-browser[Red Hat Package Browser] to find the correct repositories for your installed packages.
|
|
<3> You must restore the `/etc/rhsm-host` symbolic link to keep your image compatible with other Red Hat container images.
|
|
<4> You must set `readOnly` to `true` to mount the shared resource in the build.
|
|
<5> Reference the name of the `SharedSecret` object to include it in the build.
|
|
|
|
. Start a build from the `BuildConfig` object and follow the logs using the `oc` command.
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc start-build uid-wrapper-rhel9 -n build-namespace -F
|
|
----
|