MCO-1100: enable RHEL entitlements in on-cluster layering with OCL API #4333
Conversation
@cheesesashimi: This pull request references MCO-1100 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Skipping CI for Draft Pull Request.
Force-pushed from 33f46cf to f412d68.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: cheesesashimi. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/test e2e-gcp-op-techpreview
/test test-unit
/test e2e-gcp-op-techpreview
Force-pushed from 264be15 to 9561562.
Verified here: #4312 (comment)
We add the qe-approved label
/label qe-approved
Force-pushed from 9561562 to 679440f.
/test e2e-gcp-op-techpreview
@cheesesashimi: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
/test e2e-gcp-op-techpreview
Force-pushed from 3429252 to 2c5bd22.
/test e2e-gcp-op-techpreview
This adds the capability for BuildController to use the RHEL entitlement secrets to allow cluster admins to inject RHEL content into their builds that they are entitled to receive. This also allows the injection / consumption of content into `/etc/yum.repos.d` as well as `/etc/pki/rpm-gpg`. There are a few notes about the implementation that I would like to have at a higher level:

- Because we run rootless Buildah, we're more prone to running into SELinux complications. This makes it more difficult to mount the contents of `/etc/yum.repos.d`, `/etc/pki/entitlement`, and `/etc/pki/rpm-gpg` directly into the build context. With that in mind, we copy everything into a series of temp directories first, and then mount those temp directories into the build context as a volume.
- We also create an `emptyDir` which is mounted into the build pod at `/home/build/.local/share/containers`. It is unclear why this is necessary, but as mentioned before, I suspect that this is due to SELinux issues.
- The e2e test suite now has the capability to stream the container logs from the build pod to the filesystem, as there is useful information contained within those logs if the e2e test fails. In OpenShift CI, this location will be determined by the `ARTIFACT_DIR` env var. If this env var is not present, it will default to the current directory.
- For right now, the `etc-pki-entitlement` flow (specifically, the `TestEntitledBuild` test) is being skipped in OpenShift CI because the test clusters do not have that cred available. The test suite will automatically detect the presence (or lack thereof) of that cred in the `openshift-config-managed` namespace and run the test if it is available. However, the `TestYumRepos` test targets a very similar flow and can do its own setup and teardown regardless of creds preexisting.

Additionally, I took care to ensure that this does not break OKD by taking the following actions:

- I observed that the addition of the `/home/build/.local/share/containers` volume mount to the build pod prevented the `wait-for-done` container from starting when running on FCOS. With this in mind, I modified the build pod instantiation to not connect this volume mount to the `wait-for-done` container.
- I added a `TestOnClusterBuildsOnOKD` e2e test which will only run against an OKD cluster. Conversely, I excluded other tests from running against an OKD cluster since those tests make assumptions about things that would only be present within an OCP cluster.
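As an added example (not code from this PR or the MCO project) of the copy-then-mount approach the description above outlines: the build script stages the pod-mounted entitlement, yum repo and GPG directories into writable temp dirs and hands those to rootless Buildah as `--volume` flags, skipping any directory that is absent so an unentitled cluster still builds. The mount root passed in, the destination paths and the sample repo file are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from this PR or the MCO project: stage directories the
# pod mounts from Secrets/ConfigMaps into writable temp dirs, then hand those to
# rootless Buildah as --volume flags instead of mounting the pod mounts directly.
# The mount root passed as $1 and the destination paths are assumptions.
set -eu

stage_dir() {
  # $1 = directory as mounted into the build pod, $2 = path it should appear at
  # inside the build. Prints one --volume argument, or returns 1 when $1 is
  # absent so a cluster without entitlements can still build.
  local src="$1" dst="$2" tmp
  [ -d "$src" ] || return 1
  tmp="$(mktemp -d)"
  # Secret/ConfigMap mounts are symlinks into a ..data directory; -L copies the
  # file contents so the temp dir holds plain files owned by the build user.
  cp -RL "$src"/. "$tmp"/
  chmod -R u+rwX,go-rwx "$tmp"
  # :z asks Buildah to relabel the temp dir so the build can read it (SELinux).
  printf '%s\n' "--volume=$tmp:$dst:z"
}

build_volume_args() {
  # Emits one --volume line per directory that is present under mount root $1.
  local root="$1"
  stage_dir "$root/etc/pki/entitlement" /etc/pki/entitlement || true
  stage_dir "$root/etc/yum.repos.d" /etc/yum.repos.d || true
  stage_dir "$root/etc/pki/rpm-gpg" /etc/pki/rpm-gpg || true
}

make_sample_root() {
  # Constructed input: a fake mount tree with a repo file and a GPG key but no
  # entitlement certs, as on a cluster where that secret is absent.
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/etc/yum.repos.d" "$root/etc/pki/rpm-gpg"
  printf '[example]\nname=example\nenabled=1\n' > "$root/etc/yum.repos.d/example.repo"
  printf 'fake-key\n' > "$root/etc/pki/rpm-gpg/RPM-GPG-KEY-example"
  echo "$root"
}

# Usage inside the build script (assumed mount layout):
#   mapfile -t vols < <(build_volume_args /run/build-mounts)
#   buildah bud "${vols[@]}" -t "$TAG" -f Containerfile .
```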
Force-pushed from c0d2223 to 7fdce62.
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I tried to run this on my local AWS cluster (4.16.0-ec.6) by updating the MCO to the pre-built image quay.io/zzlotnik/machine-config-operator:ocl-api-and-rhel-entitlements. Everything went fine until fetching the rhel beta repo, which looks like it was able to fetch 0 packages.
Applied MachineOSConfig was:
Did I miss something? Tried later with cowsay as well, but same result.
Further testing worked. Commented in the PR where this will get merged: #4327 (comment)
These changes were incorporated into #4327, so this PR can be closed.
- What I did
The difference between this PR and #4312 is that this one is based upon both the on-cluster layering PR (#4327) and the on-cluster layering e2e PR (#4328).
- How to verify it
Automated verification:
1. The test suite checks whether the `etc-pki-entitlement` secret exists in the `openshift-config-managed` namespace. If this secret is not present, `TestEntitledBuilds` and `TestEntitledBuildsRollsOutImage` will be skipped.
2. Run the techpreview e2e suite:
   $ go test -count=1 -v ./test/e2e-techpreview/...
(Note: Because we have not landed #4284, the cleanup / teardown will delete the node and its underlying machine, causing the Machine API to provision a replacement node.)
Manual verification:
1. Ensure the `etc-pki-entitlement` secret exists in the `openshift-config-managed` namespace.
2. Copy the `etc-pki-entitlement` secret into the `openshift-machine-config-operator` namespace. Here's a small script you can use:
3. Wait for the `machine-os-builder` pod to start. Shortly afterward, the build pod should start. It should complete without any errors. Seeing the following lines in the build pod content will verify that we've successfully ingested content:
- Description for the changelog
Enables RHEL entitlements in on-cluster layering