Merge pull request #40993 from rolfedh/RHDEVDOCS-3631

RHDEVDOCS-3631 Verify that builds work with RHEL subscriptions

Author: JStickler

cicd/builds/running-entitled-builds.adoc

@@ -22,8 +22,16 @@ include::modules/builds-source-input-satellite-config.adoc[leveloffset=+2]
 
 include::modules/builds-strategy-docker-entitled-satellite.adoc[leveloffset=+2]
 
+// Beginning of "Running entitled builds with SharedSecret objects" section
+
+include::modules/builds-running-entitled-builds-with-sharedsecret-objects.adoc[leveloffset=+1]
+
+// End of "Running entitled builds with SharedSecret objects" section
+
 [role="_additional-resources"]
 == Additional resources
 
+* xref:../../support/remote_health_monitoring/insights-operator-simple-access.adoc#insights-operator-simple-access[Importing simple content access certificates with Insights Operator]
+* xref:../../nodes/clusters/nodes-cluster-enabling-features.adoc[Enabling features using feature gates]
 * xref:../../openshift_images/image-streams-manage.adoc#image-streams-managing[Managing image streams]
 * xref:../../cicd/builds/build-strategies.adoc#build-strategies[build strategy]

modules/builds-running-entitled-builds-with-sharedsecret-objects.adoc

@@ -0,0 +1,205 @@
+// Used in cicd/builds/running-entitled-builds.adoc
+
+[id="builds-running-entitled-builds-with-sharedsecret-objects_{context}"]
+= Running entitled builds using SharedSecret objects
+
+[role="_abstract"]
+You can configure and perform a build in one namespace that securely uses RHEL entitlements from a `Secret` object in another namespace.
+
+You can still access RHEL entitlements from OpenShift Builds by creating a `Secret` object with your subscription credentials in the same namespace as your `Build` object. However, now, in {product-title} 4.10 and later, you can access your credentials and certificates from a `Secret` object in one of the {product-title} system namespaces. You run entitled builds with a CSI volume mount of a `SharedSecret` custom resource (CR) instance that references the `Secret` object.
+
+This procedure relies on the newly introduced Shared Resources CSI Driver feature, which you can use to declare CSI Volume mounts in {product-title} Builds. It also relies on the {product-title} Insights Operator.
+
+[IMPORTANT]
+====
+[subs="attributes+"]
+The Shared Resources CSI Driver and The Build CSI Volumes are both Technology Preview features, which are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
+
+For more information about the support scope of Red Hat Technology Preview
+features, see https://access.redhat.com/support/offerings/techpreview/.
+
+The Shared Resources CSI Driver and the Build CSI Volumes features also belong to the `TechPreviewNoUpgrade` feature set, which is a subset of the current Technology Preview features. You can enable the `TechPreviewNoUpgrade` feature set on test clusters, where you can fully test them while leaving the features disabled on production clusters. Enabling this feature set cannot be undone and prevents updates. This feature set is not recommended on production clusters. See "Enabling Technology Preview features using feature gates" in the following "Additional resources" section.
+====
+
+.Prerequisites
+
+* You have enabled the  `TechPreviewNoUpgrade` feature set by using the feature gates.
+* You have a `SharedSecret` custom resource (CR) instance that references the `Secret` object where the Insights Operator stores the subscription credentials.
+* You must have permission to perform the following actions:
+** Create build configs and start builds.
+** Discover which `SharedSecret` CR instances are available by entering the `oc get sharedsecrets` command and getting a non-empty list back.
+** Determine if the `builder` service account available to you in your namespace is allowed to use the given `SharedSecret` CR instance. In other words, you can run `oc adm policy who-can use <identifier of specific SharedSecret>` to see if the `builder` service account in your namespace is listed.
+
+[NOTE]
+====
+If neither of the last two prerequisites in this list are met, establish, or ask someone to establish, the necessary role-based access control (RBAC) so that you can discover `SharedSecret` CR instances and enable service accounts to use `SharedSecret` CR instances.
+====
+
+.Procedure
+
+. Grant the `builder` service account RBAC permissions to use the `SharedSecret` CR instance by using `oc apply` with YAML content:
++
+[NOTE]
+====
+Currently, `kubectl` and `oc` have hard-coded special case logic restricting the `use` verb to roles centered around pod security. Therefore, you cannot use `oc create role ...` to create the role needed for consuming `SharedSecret` CR instances.
+====
++
+.Example `oc apply -f` command with YAML `Role` object definition
+[source,terminal]
+----
+$ oc apply -f - <<EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: shared-resource-my-share
+  namespace: my-namespace
+rules:
+  - apiGroups:
+      - sharedresource.openshift.io
+    resources:
+      - sharedsecrets
+    resourceNames:
+      - my-share
+    verbs:
+      - use
+EOF
+----
+
+. Create the `RoleBinding` associated with the role by using the `oc` command:
++
+.Example `oc create rolebinding` command
+[source,terminal]
+----
+$ oc create rolebinding shared-resource-my-share --role=shared-resource-my-share --serviceaccount=my-namespace:builder
+----
+
+. Create a `BuildConfig` object that accesses the RHEL entitlements.
++
+.Example YAML `BuildConfig` object definition
+[source,yaml]
+----
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+  name: my-csi-bc
+  namespace: my-csi-app-namespace
+spec:
+  runPolicy: Serial
+  source:
+    dockerfile: |
+      FROM registry.redhat.io/ubi8/ubi:latest
+      RUN ls -la /etc/pki/entitlement
+      RUN rm /etc/rhsm-host
+      RUN yum repolist --disablerepo=*
+      RUN subscription-manager repos --enable rhocp-4.9-for-rhel-8-x86_64-rpms
+      RUN yum -y update
+      RUN yum install -y openshift-clients.x86_64
+  strategy:
+    type: Docker
+    dockerStrategy:
+      volumes:
+        - mounts:
+            - destinationPath: "/etc/pki/entitlement"
+          name: my-csi-shared-secret
+          source:
+            csi:
+              driver: csi.sharedresource.openshift.io
+              readOnly: true
+              volumeAttributes:
+                sharedSecret: my-share-bc
+            type: CSI
+----
+
+. Start a build from the `BuildConfig` object and follow the logs with the `oc` command.
++
+.Example oc start-build command
+[source,terminal]
+----
+$ oc start-build my-csi-bc -F
+----
++
+.Example output from the oc start-build command
+[%collapsible]
+====
+[NOTE]
+=====
+Some sections of the following output have been replaced with `...`
+=====
+[source,terminal]
+----
+build.build.openshift.io/my-csi-bc-1 started
+Caching blobs under "/var/cache/blobs".
+
+Pulling image registry.redhat.io/ubi8/ubi:latest ...
+Trying to pull registry.redhat.io/ubi8/ubi:latest...
+Getting image source signatures
+Copying blob sha256:5dcbdc60ea6b60326f98e2b49d6ebcb7771df4b70c6297ddf2d7dede6692df6e
+Copying blob sha256:8671113e1c57d3106acaef2383f9bbfe1c45a26eacb03ec82786a494e15956c3
+Copying config sha256:b81e86a2cb9a001916dc4697d7ed4777a60f757f0b8dcc2c4d8df42f2f7edb3a
+Writing manifest to image destination
+Storing signatures
+Adding transient rw bind mount for /run/secrets/rhsm
+STEP 1/9: FROM registry.redhat.io/ubi8/ubi:latest
+STEP 2/9: RUN ls -la /etc/pki/entitlement
+total 360
+drwxrwxrwt. 2 root root 	80 Feb  3 20:28 .
+drwxr-xr-x. 10 root root	154 Jan 27 15:53 ..
+-rw-r--r--. 1 root root   3243 Feb  3 20:28 entitlement-key.pem
+-rw-r--r--. 1 root root 362540 Feb  3 20:28 entitlement.pem
+time="2022-02-03T20:28:32Z" level=warning msg="Adding metacopy option, configured globally"
+--> 1ef7c6d8c1a
+STEP 3/9: RUN rm /etc/rhsm-host
+time="2022-02-03T20:28:33Z" level=warning msg="Adding metacopy option, configured globally"
+--> b1c61f88b39
+STEP 4/9: RUN yum repolist --disablerepo=*
+Updating Subscription Management repositories.
+
+
+...
+
+--> b067f1d63eb
+STEP 5/9: RUN subscription-manager repos --enable rhocp-4.9-for-rhel-8-x86_64-rpms
+Repository 'rhocp-4.9-for-rhel-8-x86_64-rpms' is enabled for this system.
+time="2022-02-03T20:28:40Z" level=warning msg="Adding metacopy option, configured globally"
+--> 03927607ebd
+STEP 6/9: RUN yum -y update
+Updating Subscription Management repositories.
+
+...
+
+Upgraded:
+  systemd-239-51.el8_5.3.x86_64      	systemd-libs-239-51.el8_5.3.x86_64
+  systemd-pam-239-51.el8_5.3.x86_64
+Installed:
+  diffutils-3.6-6.el8.x86_64           	libxkbcommon-0.9.1-1.el8.x86_64
+  xkeyboard-config-2.28-1.el8.noarch
+
+Complete!
+time="2022-02-03T20:29:05Z" level=warning msg="Adding metacopy option, configured globally"
+--> db57e92ff63
+STEP 7/9: RUN yum install -y openshift-clients.x86_64
+Updating Subscription Management repositories.
+
+...
+
+Installed:
+  bash-completion-1:2.7-5.el8.noarch
+  libpkgconf-1.4.2-1.el8.x86_64
+  openshift-clients-4.9.0-202201211735.p0.g3f16530.assembly.stream.el8.x86_64
+  pkgconf-1.4.2-1.el8.x86_64
+  pkgconf-m4-1.4.2-1.el8.noarch
+  pkgconf-pkg-config-1.4.2-1.el8.x86_64
+
+Complete!
+time="2022-02-03T20:29:19Z" level=warning msg="Adding metacopy option, configured globally"
+--> 609507b059e
+STEP 8/9: ENV "OPENSHIFT_BUILD_NAME"="my-csi-bc-1" "OPENSHIFT_BUILD_NAMESPACE"="my-csi-app-namespace"
+--> cab2da3efc4
+STEP 9/9: LABEL "io.openshift.build.name"="my-csi-bc-1" "io.openshift.build.namespace"="my-csi-app-namespace"
+COMMIT temp.builder.openshift.io/my-csi-app-namespace/my-csi-bc-1:edfe12ca
+--> 821b582320b
+Successfully tagged temp.builder.openshift.io/my-csi-app-namespace/my-csi-bc-1:edfe12ca
+821b582320b41f1d7bab4001395133f86fa9cc99cc0b2b64c5a53f2b6750db91
+Build complete, no image push requested
+----
+====