Commit 2462007

RHOAIENG-21668: chore(gha): mount Red Hat subscription in GitHub Actions
Here's how this is supposed to work. On a subscribed machine, podman mounts the secrets directory into the container as a volume.

```
$ cat /usr/share/containers/mounts.conf
/usr/share/rhel/secrets:/run/secrets
```

Furthermore, there may be `/run/secrets/etc-pki-entitlement` and `/run/secrets/rhsm`.

The approach that actually worked for me is https://access.redhat.com/solutions/5558771

First, `subscription-manager` detects a container and behaves differently there. So, run `subscription-manager` with `SMDEV_CONTAINER_OFF=1` to subscribe the container as if it was a physical machine.

Then, look into `/etc/pki/entitlement` for certificates as suggested in https://grep.be/blog//en/work/The_future_of_the_eID_on_RHEL/

```
podman run --platform=linux/amd64 -v/Users/jdanek/IdeaProjects/notebooks/ci/secrets/run/secrets:/mnt --rm -it registry.access.redhat.com/ubi9/ubi
subscription-manager register --username
cp -R /etc/pki/entitlement /mnt/etc-pki-entitlement
cp -R /etc/rhsm /mnt/rhsm
cp /etc/yum.repos.d/redhat.repo /mnt/redhat.repo
```

Finally, copy out and store the certificates as CI secrets for reuse in jobs.
1 parent 2dd49c8 commit 2462007

1 file changed, +5 -0 lines changed

ci/cached-builds/mounts.conf

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
# /usr/share/containers/mounts.conf
2+
# https://github.com/containers/common/issues/1735
3+
4+
/etc/pki/consumer:/etc/pki/consumer
5+
/etc/pki/entitlement:/etc/pki/entitlement
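
Review bot: line 4 mounts `/etc/pki/consumer`, which the commit message never mentions (it only copies out `/etc/pki/entitlement`, `/etc/rhsm` and `redhat.repo`), so add a comment saying why the consumer directory is needed, or drop the line if the entitlement mount alone is enough. The header comment on line 1 reads as if it were this file's own path although the file lives at `ci/cached-builds/mounts.conf`; word it as the install destination. Both entries also differ from the `/usr/share/rhel/secrets:/run/secrets` layout the message describes, and they make the subscription certificates stored as CI secrets visible to every container podman starts with this configuration, which is worth stating in a comment in the file.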
