From 15f731b435145992c0e4317be13a943b6fb18f65 Mon Sep 17 00:00:00 2001
From: Jan Pazdziora
Date: Fri, 20 May 2022 12:55:23 +0200
Subject: [PATCH 1/2] Add podman-entitlement GitHub Action.

---
 README.md | 1 +
 podman-entitlement/README.md | 43 +++++++++++++++++++++++++++++++++++
 podman-entitlement/action.yml | 33 +++++++++++++++++++++++++++
 3 files changed, 77 insertions(+)
 create mode 100644 podman-entitlement/README.md
 create mode 100644 podman-entitlement/action.yml

diff --git a/README.md b/README.md
index b9bd6ca..2b45644 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@ This repository contains the common Actions and config files for developing the
 - [action-io-generator](./action-io-generator) is an NPM package and (soon to be) Docker Action that makes sure your JavaScript action uses the same Inputs and Outputs defined in your `action.yml`.
 - [bundle-verifier](./bundle-verifier) is a JavaScript Action that makes sure your JavaScript action's committed distribution bundle is up-to-date.
 - [commit-data](./commit-data) is a Docker Action that outputs some commonly needed data about the current workflow's HEAD commit.
+- [podman-entitlement](./podman-entitlement) is a composite Action which enables subsequent `podman build`s to consume Red Hat entitlements.
 - [config-files](./config-files) contains our shared TypeScript, ESLint, and Webpack configs.
 
 It is also used for tracking issues that don't fit into another, more specific repository.
diff --git a/podman-entitlement/README.md b/podman-entitlement/README.md
new file mode 100644
index 0000000..3492dc1
--- /dev/null
+++ b/podman-entitlement/README.md
@@ -0,0 +1,43 @@
+## Podman Entitlement GitHub Action
+
+When building container images that install Red Hat content
+which is not part of Universal Base Image repositories,
+Red Hat entitlements are needed to access the full Red Hat Enterprise Linux
+repositories.
+
+To avoid modifying the Dockerfiles with extra steps that would
+handle the registration, this Action registers a temporary system
+using organization's activation key, and uses `/etc/containers/mounts.conf`
+to configure subsequent `podman build` invocations to have access
+to the entitlements.
+
+## Inputs
+
+| Input | Description |
+| --- | --- |
+| `org` | Red Hat account organization |
+| `activationkey` | Red Hat account activation key |
+| `image` | Container image to use to run `subscription-manager register` with the above parameters
Optional, defaults to `registry.access.redhat.com/ubi9` |
+
+## Usage
+
+On https://access.redhat.com/management/activation_keys, create
+new Subscription Manager activation key.
+
+Set up secrets in your repository, for example `redhat_org` for your
+Red Hat account organization and `redhat_activationkey` for your Red Hat
+account activation key. Your Organization ID is shown on the above-mentioned
+Activation Keys page on Red Hat portal.
+
+In your workflow YAML which calls `podman build`, add invocation
+of `redhat-actions/common/podman-entitlement` before that `podman build`
+step:
+
+```yaml
+ - uses: redhat-actions/common/podman-entitlement
+ with:
+ org: ${{ secrets.redhat_org }}
+ activationkey: ${{ secrets.redhat_activationkey }}
+ - run: podman build -t localhost/the-image:the-tag src
+```
+
diff --git a/podman-entitlement/action.yml b/podman-entitlement/action.yml
new file mode 100644
index 0000000..09fd642
--- /dev/null
+++ b/podman-entitlement/action.yml
@@ -0,0 +1,33 @@
+name: 'Enable Red Hat entitled podman builds'
+inputs:
+ org:
+ description: 'Red Hat account organization'
+ activationkey:
+ description: 'Red Hat account activation key'
+ image:
+ description: 'Container image to use to run subscription-manager register'
+ default: 'registry.access.redhat.com/ubi9'
+runs:
+ using: 'composite'
+ steps:
+ - run: mkdir -p /tmp/{etc-pki-entitlement,rhsm}-${{ github.run_id }}
+ shell: bash
+ - run: |
+ NAME=$( echo "$run_url" | sed 's#^https://##;s#/#-#g' )
+ podman run --rm --name="$NAME" \
+ -v "/tmp/etc-pki-entitlement-${{ github.run_id }}":/etc/pki/entitlement-out:z \
+ -v "/tmp/rhsm-${{ github.run_id }}":/etc/rhsm-out:z \
+ -e SMDEV_CONTAINER_OFF=1 \
+ "${{ inputs.image }}" \
+ bash -c '/usr/sbin/subscription-manager register \
+ --org="${{ inputs.org }}" \
+ --activationkey="${{ inputs.activationkey }}" \
+ --name="'$NAME'" \
+ && cp /etc/pki/entitlement/* /etc/pki/entitlement-out/ \
+ && cp -r /etc/rhsm/ca /etc/rhsm/rhsm.conf /etc/rhsm-out \
+ && /usr/sbin/subscription-manager unregister'
+ env:
+ run_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ shell: bash
+ - run: for i in etc-pki-entitlement rhsm ; do echo "/tmp/$i-${{ github.run_id }}:/run/secrets/$i" ; done | sudo tee -a /etc/containers/mounts.conf
+ shell: bash

From e7e34041ba3793f9ec591bfe0ea18aab2785809d Mon Sep 17 00:00:00 2001
From: Jan Pazdziora
Date: Sat, 30 Mar 2024 13:18:24 +0100
Subject: [PATCH 2/2] With latest subscription-manager builds, SMDEV_CONTAINER_OFF=1 is not needed.

Change was implemented in https://bugzilla.redhat.com/show_bug.cgi?id=2203096.
---
 podman-entitlement/action.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/podman-entitlement/action.yml b/podman-entitlement/action.yml
index 09fd642..c25a51d 100644
--- a/podman-entitlement/action.yml
+++ b/podman-entitlement/action.yml
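Review bot: The three inputs are interpolated by `${{ inputs.org }}`, `${{ inputs.activationkey }}` and `${{ inputs.image }}` straight into the text of the second step's `run:` script — two of them inside a single-quoted `bash -c` string, inside double quotes — so a value containing `"`, `'` or `$(` changes the command rather than being passed as data, and the activation key becomes part of the script text the runner records for that step. The step already routes `run_url` through `env:`; the same should be done for the inputs, forwarding them into the container with `-e SM_ORG -e SM_ACTIVATIONKEY` (podman reads an unvalued `-e NAME` from the host environment) and referencing them as `--org="$SM_ORG"` inside the container command. Separately, neither `org` nor `activationkey` carries `required: true`, so a caller that omits one reaches `subscription-manager register` with an empty `--org=""` instead of failing at workflow validation. The last step appends to `/etc/containers/mounts.conf` and leaves the copied certificates under `/tmp/…-${{ github.run_id }}` with no counterpart that removes them, so on a self-hosted runner the entitlement presumably stays mounted into every later `podman build` on that host until someone cleans up by hand; a cleanup step, or at least a README note, seems warranted.
```yaml
    - run: |
        NAME=$( echo "$run_url" | sed 's#^https://##;s#/#-#g' )
        podman run --rm --name="$NAME" \
          # … unchanged: the two -v bind mounts and -e SMDEV_CONTAINER_OFF=1 …
          -e SM_ORG -e SM_ACTIVATIONKEY \
          "$SM_IMAGE" \
          bash -c '/usr/sbin/subscription-manager register \
            --org="$SM_ORG" \
            --activationkey="$SM_ACTIVATIONKEY" \
            # … unchanged: --name, the two cp commands and unregister …
      env:
        run_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        SM_ORG: ${{ inputs.org }}
        SM_ACTIVATIONKEY: ${{ inputs.activationkey }}
        SM_IMAGE: ${{ inputs.image }}
      shell: bash
```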
@@ -17,7 +17,6 @@ runs:
 podman run --rm --name="$NAME" \
 -v "/tmp/etc-pki-entitlement-${{ github.run_id }}":/etc/pki/entitlement-out:z \
 -v "/tmp/rhsm-${{ github.run_id }}":/etc/rhsm-out:z \
- -e SMDEV_CONTAINER_OFF=1 \
 "${{ inputs.image }}" \
 bash -c '/usr/sbin/subscription-manager register \
 --org="${{ inputs.org }}" \