jiridanek
Member

@jiridanek jiridanek commented Mar 3, 2025

https://issues.redhat.com/browse/RHOAIENG-21668

Previously discussed on Slack.

Depends on @andyatmiami's RStudio work in

How tested

Notes

There does not seem to be a way to prevent the build from invalidating the stored secret by mistake, and then I get

```
[3/3] STEP 8/38: RUN subscription-manager status && touch /var/tmp/.subscription-initially-present
+-------------------------------------------+
   System Status Details
+-------------------------------------------+
Consumer profile "4064ef48-aa03-49c2-b449-8dffc941015c" has been deleted from the server. You can use command clean or unregister to remove local profile.
Error: building at STEP "RUN subscription-manager status && touch /var/tmp/.subscription-initially-present": while running runtime: exit status 69
```

docs

subscription-manager usage in containers

UBI and RHEL subscription considerations discussions

@openshift-ci openshift-ci bot requested review from andyatmiami and harshad16 March 3, 2025 13:02
@jiridanek
Member Author

jiridanek commented Mar 3, 2025

After andy's unchaining of build gets into RHDS, I'll update the pr; for now it builds, runs some tests, but deploy9 fails https://github.com/jiridanek/notebooks/actions/runs/13636395252/job/38116170177

@jiridanek
Member Author

The main magic there is

```yaml
      - name: Unlock encrypted secrets with git-crypt
        if: ${{ inputs.subscription }}
        run: |
          sudo apt-get update
          sudo apt-get install git-crypt
          # the symmetric git-crypt key is stored base64-encoded in a repository secret
          echo "${GIT_CRYPT_KEY}" | base64 --decode > ./git-crypt-key
          git-crypt unlock ./git-crypt-key
          rm ./git-crypt-key
        env:
          GIT_CRYPT_KEY: ${{ secrets.GIT_CRYPT_KEY }}
```

and then

```yaml
      - name: Add subscriptions from GitHub secret
        if: ${{ inputs.subscription }}
        run: |
          # consumer and entitlement certificates go where subscription-manager expects them on the host
          sudo mkdir -p /etc/pki/
          sudo cp -R ${PWD}/ci/secrets/pki/* /etc/pki/
          # mounts.conf makes podman bind-mount them into every build container
          printf "${PWD}/ci/secrets/pki/consumer:/etc/pki/consumer\n${PWD}/ci/secrets/pki/entitlement:/etc/pki/entitlement" | sudo tee /usr/share/containers/mounts.conf

          # registry pull secret for the build
          mkdir -p $HOME/.config/containers/
          sudo cp ${PWD}/ci/secrets/pull-secret.txt $HOME/.config/containers/auth.json
```
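As an added example (not code from this PR), the precondition check a CI job could run before writing `mounts.conf`: it verifies that the decrypted secrets tree actually contains consumer and entitlement certificates, so a still-encrypted git-crypt checkout or an unpopulated directory fails the job up front rather than as an opaque `subscription-manager` error deep inside the image build, and it keeps the paths out of the `printf` format string. The `ci/secrets/pki` layout and the `/etc/pki/consumer` and `/etc/pki/entitlement` targets are the ones the step above uses.

```shell
#!/bin/sh
# Added example, not code from the PR: check the decrypted secrets tree
# before generating podman's mounts.conf, so a missing or empty
# certificate directory fails the job immediately instead of surfacing
# as an opaque subscription-manager error deep inside the image build.
set -eu

# Print "src:dst" mounts.conf lines for the consumer and entitlement
# directories under $1 (the PR uses ./ci/secrets/pki). Returns 1 and
# prints nothing on stdout if a directory is absent or holds no
# readable PEM certificate.
mounts_conf_for() {
  secrets_dir=$1
  out=""
  for name in consumer entitlement; do
    src="$secrets_dir/$name"
    if [ ! -d "$src" ]; then
      echo "mounts_conf_for: missing directory $src" >&2
      return 1
    fi
    # Still-encrypted git-crypt files keep their .pem names, so require
    # that at least one file actually carries a PEM header.
    if ! grep -q -e '-----BEGIN' "$src"/*.pem 2>/dev/null; then
      echo "mounts_conf_for: no readable PEM certificate in $src" >&2
      return 1
    fi
    # The path is data, so it goes in an argument, not the format string.
    out="${out}$(printf '%s:/etc/pki/%s' "$src" "$name")
"
  done
  printf '%s' "$out"
}

# Usage: mounts_conf_for ./ci/secrets/pki | sudo tee /usr/share/containers/mounts.conf
if [ "$#" -gt 0 ]; then
  mounts_conf_for "$1"
fi
```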

@jiridanek jiridanek changed the title from "Jd rhel9" to "build our rhel-based images in github actions" Mar 3, 2025
@atheo89
Member

atheo89 commented Mar 7, 2025

Hey @jiridanek, in case we include that PR on main, could you fix the commits before?

@jiridanek
Member Author

jiridanek commented Mar 7, 2025

I'll be taking a look later today as I do the necessary rebase.


@andyatmiami andyatmiami left a comment

ℹ️
will (likely/possibly) be "obvious" when it comes time to do the rebase...

but a lot of the "leaf" logic in the gen matrix script can be discarded - and instead the all-images Makefile target simply needs updated to add the targets we want to build..

@jiridanek
Member Author

jiridanek commented Mar 7, 2025

> but a lot of the "leaf" logic in the gen matrix script can be discarded - and instead the all-images Makefile target simply needs updated to add the targets we want to build..

All of it can be discarded and the GHA "matrix" can build everything.

Now there is no reason to build pushes and PRs differently, as used to be the case.

@jiridanek jiridanek changed the title from "build our rhel-based images in github actions" to "RHOAIENG-21668: Run GitHub Actions CI for our RHEL-based workbenches" Mar 14, 2025
@jiridanek jiridanek force-pushed the jd_rhel9 branch 3 times, most recently from c4b5211 to 090a470 March 14, 2025 17:48
@jiridanek jiridanek dismissed atheo89’s stale review March 14, 2025 18:10

fixed, thanks!

@jiridanek jiridanek requested a review from atheo89 March 14, 2025 18:10
@jiridanek jiridanek force-pushed the jd_rhel9 branch 2 times, most recently from e4c8380 to d471320 March 17, 2025 17:36
Here's how this is supposed to work.

On a subscribed machine, podman mounts the secrets directory into the container as a volume.

```
$ cat /usr/share/containers/mounts.conf
/usr/share/rhel/secrets:/run/secrets
```

Furthermore, there may be `/run/secrets/etc-pki-entitlement` and `/run/secrets/rhsm`.

The approach that actually worked for me is https://access.redhat.com/solutions/5558771

First, `subscription-manager` detects a container and behaves differently there.
So, run `subscription-manager` with `SMDEV_CONTAINER_OFF=1` to subscribe the container as if it were a physical machine.

Then, look into `/etc/pki/entitlement` for certificates as suggested in https://grep.be/blog//en/work/The_future_of_the_eID_on_RHEL/

```
# on the host: start a UBI container with the secrets directory mounted at /mnt
podman run --platform=linux/amd64 -v/Users/jdanek/IdeaProjects/notebooks/ci/secrets/run/secrets:/mnt  --rm -it registry.access.redhat.com/ubi9/ubi

# inside the container: register, then copy the certificates and repo file out to /mnt
subscription-manager register --username
cp -R /etc/pki/entitlement /mnt/etc-pki-entitlement
cp -R /etc/rhsm /mnt/rhsm
cp /etc/yum.repos.d/redhat.repo /mnt/redhat.repo
```

Finally, copy out and store the certificates as CI secrets for reuse in jobs.
@jiridanek jiridanek force-pushed the jd_rhel9 branch 8 times, most recently from df27bf5 to 457aecb March 17, 2025 19:02
…nager credentials using `git-crypt`

```
git-crypt init
git-crypt export-key git-crypt-key
base64 git-crypt-key | gh secret set GIT_CRYPT_KEY --repo red-hat-data-services/notebook
```

Implement the security check to only allow builds for project contributors
@jiridanek jiridanek force-pushed the jd_rhel9 branch 2 times, most recently from b959192 to 9803a77 March 17, 2025 19:47
@jstourac
Member

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Mar 18, 2025
@jiridanek
Member Author

Did one final check in the cluster; the RStudio workbench seems to be unharmed by these changes.


@jiridanek
Member Author

/approve

but that won't work since we don't have tide any more?


openshift-ci bot commented Mar 18, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jiridanek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jiridanek jiridanek added tide/merge-method-squash and tide/merge-method-rebase and removed tide/merge-method-squash labels Mar 18, 2025 (tide/merge-method-squash: denotes a PR that should be squashed by tide when it merges)
@jiridanek jiridanek merged commit e634724 into red-hat-data-services:main Mar 18, 2025
11 checks passed
@jiridanek
Member Author

The key is in Bitwarden.

