BCDevOps / OpenShift4-Migration

Scripts and info for Ministry teams migration from OpenShift 3.11 to 4.x
Apache License 2.0

Build Entitlements #15

Closed StevenBarre closed 3 years ago

StevenBarre commented 4 years ago

When building container images based on RHEL images and using yum or dnf to install packages you might get an error like:

This system is not receiving updates. You can use subscription-manager on the host to register and assign subscriptions.

This is a known issue with Red Hat and the Platform Team is tracking the solution in ZenHub.

Until it's fixed in OCP, the platform team can create a set of Secrets and ConfigMaps in your namespace to inject into your builds.

Have a Platform Team member create the needed ConfigMaps and Secrets for Subscription Manager. Stored in a private repo https://github.com/bcgov-c/platform-tools/blob/ocp4-base/ocp4/entitlement.yaml

    oc -n <namespace> create -f entitlement.yaml

On the todo list is to have the Project Registry auto-create these for all *-tools namespaces. The rest of the steps will need to be done by the developers.

The Project Registry now creates the config maps and secrets for you in your -tools namespace.

Edit the BuildConfig to load the files.

    source:
      secrets:
      - secret:
          name: platform-services-controlled-etc-pki-entitlement
        destinationDir: etc-pki-entitlement
      configMaps:
      # destinationDir must match the COPY source paths in the Dockerfile
      - configMap:
          name: platform-services-controlled-rhsm-conf
        destinationDir: rhsm-conf
      - configMap:
          name: platform-services-controlled-rhsm-ca
        destinationDir: rhsm-ca

Edit the BuildConfig to squash all the layers, else the private key will stay in the image layer.

    strategy:
      type: Docker
      dockerStrategy:
        imageOptimizationPolicy: SkipLayers

Ensure the Dockerfile loads the files and uses them.

    # Copy entitlements
    COPY ./etc-pki-entitlement /etc/pki/entitlement

    # Copy subscription manager configurations
    COPY ./rhsm-conf /etc/rhsm
    COPY ./rhsm-ca /etc/rhsm/ca

    # Install some packages and clean up
    RUN INSTALL_PKGS="space separated list of packages" && \
        # Initialize /etc/yum.repos.d/redhat.repo
        # See https://access.redhat.com/solutions/1443553
        rm /etc/rhsm-host && \
        yum repolist --disablerepo=* && \
        yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
        rpm -V $INSTALL_PKGS && \
        yum -y clean all --enablerepo='*' && \
        # Remove entitlements and Subscription Manager configs
        rm -rf /etc/pki/entitlement && \
        rm -rf /etc/rhsm

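
To check that a BuildConfig actually carries all of the above, here is an added audit script (not part of this thread or the repository) that reads the output of `oc get bc <name> -o json`; the sample BuildConfig JSON is constructed, the resource names are the ones given in the thread, and the destination directories are taken from the COPY lines in the Dockerfile above.

```python
import json

# Resource names are those given in the thread; destination directories must match
# the COPY paths in the Dockerfile shown above.
EXPECTED = {
    "secret": {"platform-services-controlled-etc-pki-entitlement": "etc-pki-entitlement"},
    "configMap": {"platform-services-controlled-rhsm-conf": "rhsm-conf",
                  "platform-services-controlled-rhsm-ca": "rhsm-ca"},
}
LIST_KEY = {"secret": "secrets", "configMap": "configMaps"}  # spec.source list names


def audit_buildconfig(bc):
    """Return a list of findings for one BuildConfig dict; an empty list means it is OK."""
    findings = []
    spec = bc.get("spec", {})
    source = spec.get("source", {})
    for kind, wanted in EXPECTED.items():
        # resource name -> destinationDir for the items actually mounted into the build
        mounted = {i.get(kind, {}).get("name"): i.get("destinationDir")
                   for i in source.get(LIST_KEY[kind], [])}
        for name, dest in wanted.items():
            if name not in mounted:
                findings.append(f"{kind} {name} is not mounted into the build source")
            elif mounted[name] != dest:
                findings.append(f"{kind} {name} lands in {mounted[name]!r}; "
                                f"Dockerfile expects {dest!r}")
    strategy = spec.get("strategy", {})
    if strategy.get("type") != "Docker":
        findings.append("strategy.type is not Docker")
    if strategy.get("dockerStrategy", {}).get("imageOptimizationPolicy") != "SkipLayers":
        findings.append("imageOptimizationPolicy is not SkipLayers: the entitlement key "
                        "copied in an early layer survives the later rm -rf")
    return findings

# Constructed sample of what `oc get bc app-build -o json` might return before the fix:
# one ConfigMap is missing, the other lands in the wrong directory, layers are kept.
WEAK_BC = json.loads("""{"kind": "BuildConfig", "spec": {
  "source": {"secrets": [{"secret": {"name": "platform-services-controlled-etc-pki-entitlement"},
                          "destinationDir": "etc-pki-entitlement"}],
             "configMaps": [{"configMap": {"name": "platform-services-controlled-rhsm-conf"},
                             "destinationDir": "platform-services-controlled-rhsm-conf"}]},
  "strategy": {"type": "Docker", "dockerStrategy": {}}}}""")

# The same BuildConfig after applying the edits described in the thread.
FIXED_BC = json.loads(json.dumps(WEAK_BC))
FIXED_BC["spec"]["source"]["configMaps"] = [
    {"configMap": {"name": "platform-services-controlled-rhsm-conf"}, "destinationDir": "rhsm-conf"},
    {"configMap": {"name": "platform-services-controlled-rhsm-ca"}, "destinationDir": "rhsm-ca"}]
FIXED_BC["spec"]["strategy"]["dockerStrategy"]["imageOptimizationPolicy"] = "SkipLayers"
```

Run it against the real object with `oc get bc <name> -o json | python3 -c 'import json,sys; ...'` or import it and call `audit_buildconfig(json.load(sys.stdin))`; any non-empty result means the build either cannot reach the entitled repositories or would leak the entitlement key into a layer.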
WadeBarnes commented 4 years ago

The rm /etc/rhsm-host && \ line is significant. It's needed to initialize the subscription manager configurations.

WadeBarnes commented 4 years ago

Here is an example of what these changes look like when applied to a project: https://github.com/bcgov/openshift-postgresql-oracle_fdw/pull/11

garywong-bc commented 3 years ago

Update to this thread. entitlements.yaml is deprecated now. Upon request (via https://chat.developer.gov.bc.ca/channel/general), Platform Services team will create

Your Build config should reference these three resources. A good example is at: https://github.com/bcgov/von-bc-registries-agent-configurations/blob/878001e765c1052625393fda93355f5cd9ab1179/openshift/templates/bc-reg-fdw/bc-reg-fdw-build.yaml#L35-L45

TL;DR You cannot self-provision these; you MUST go via Platform Services team.

j-pye commented 3 years ago

> Update to this thread. entitlements.yaml is deprecated now. Upon request (via https://chat.developer.gov.bc.ca/channel/general), Platform Services team will create
>
>   • platform-services-controlled-etc-pki-entitlement Secret
>   • platform-services-controlled-rhsm-ca ConfigMap
>   • platform-services-controlled-rhsm-conf ConfigMap
>
> Your Build config should reference these three resources. A good example is at: https://github.com/bcgov/von-bc-registries-agent-configurations/blob/878001e765c1052625393fda93355f5cd9ab1179/openshift/templates/bc-reg-fdw/bc-reg-fdw-build.yaml#L35-L45
>
> TL;DR You cannot self-provision these; you MUST go via Platform Services team.

Just to add a little more info.

We provide the entitlements through the project registry. All teams have these in their tools namespaces by default. Sometimes the entitlements expire. I don't believe any of our projects are actually using entitlements so there's a chance we will not notice. There is some work that's either being done or was recently finished to monitor for new entitlements. Once we've been notified and the template for the entitlements has been updated it takes about an hour to roll out the changes to all tools namespaces.

garywong-bc commented 3 years ago

Thanks for the new docs. Hey, can an admin update this part to NOT have the strikeout? It led to confusion on the RC threads as it looked like this was a self-serve thing, but obviously it's not. It's not so much the entitlement.yaml as it is the process.

~Until its fixed in OCP, the platform team can create a set of Secrets and ConfigMaps in your namespace to inject into your builds.~

~Have a Platform Team member create the needed ConfigMaps and Secrets for Subscription Manager. Stored in a private repo https://github.com/bcgov-c/platform-tools/blob/ocp4-base/ocp4/entitlement.yaml~