Building Execution Environments with Entitled Content
Sometimes, Ansible Automation Platform users will need to build EEs with entitled content, that is, RPMs that are not in the publicly available UBI repositories.
This page walks through building EEs with entitled content in Dev Spaces.
An OpenShift administrator creates a Secret containing the certificates so that they are automatically injected into the Dev Spaces workspace. An example is found below:
kind: Secret
apiVersion: v1
metadata:
  name: rh-entitlement
  labels:
    controller.devfile.io/mount-to-devworkspace: 'true'
    controller.devfile.io/watch-secret: 'true'
  annotations:
    controller.devfile.io/mount-path: /run/secrets/etc-pki-entitlement
stringData:
  entitlement-key.pem: |
    < CERTIFICATE content >
  entitlement.pem: |
    < Certificate content >
type: Opaque
The values for the key and certificate may be found by the OpenShift administrator in the etc-pki-entitlement secret in the openshift-config-managed namespace.
The files contained in the Secret will be mounted in the /run/secrets/etc-pki-entitlement directory within the workspace.
Some Red Hat base images, like UBI, include the redhat-uep.pem file in the image while others do not. It is recommended that this file also be added as a Secret into the workspace so that it is available if needed:
kind: Secret
apiVersion: v1
metadata:
  name: rhsm
  labels:
    controller.devfile.io/mount-to-devworkspace: 'true'
    controller.devfile.io/watch-secret: 'true'
  annotations:
    controller.devfile.io/mount-path: /run/secrets/rhsm
stringData:
  redhat-uep.pem: |
    < Certificate content >
type: Opaque
Set up the directory where the EE will be built. Create the definition file and a files directory, then copy the certificates into the directory.
$ touch execution-environment.yml
$ mkdir files
$ cp /run/secrets/etc-pki-entitlement/entitlement{-key.pem,.pem} files/
$ cp /run/secrets/rhsm/redhat-uep.pem files/
Create the Ansible Execution Environment definition file. The example below is based on ubi8 minimal. Note how the certificates are copied into the needed locations for the container build. The kernel-devel package is only available to Red Hat subscribers in this example.
---
version: 3
dependencies:
  system:
    - kernel-devel [platform:rpm]
images:
  base_image:
    name: registry.redhat.io/ansible-automation-platform-24/ee-minimal-rhel8:latest
additional_build_files:
  - src: files
    dest: configs
additional_build_steps:
  prepend_builder:
    - COPY _build/configs/entitlement-key.pem _build/configs/entitlement.pem /etc/pki/entitlement/
    - COPY _build/configs/redhat-uep.pem /etc/rhsm/ca/
  prepend_final:
    - COPY _build/configs/entitlement-key.pem _build/configs/entitlement.pem /etc/pki/entitlement/
    - COPY _build/configs/redhat-uep.pem /etc/rhsm/ca/
  append_final:
    - RUN rm -f /etc/pki/entitlement/entitlement.pem /etc/pki/entitlement/entitlement-key.pem /etc/rhsm/ca/redhat-uep.pem
options:
  package_manager_path: /usr/bin/microdnf
Once the definition file and files directory are created and configured, you should be able to build the Execution Environment with the entitled content:
ansible-builder build -t <tag>
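The definition file above copies the entitlement files in with COPY steps and deletes them in a later RUN step; because each instruction produces its own layer, the earlier layer still holds the files unless the image is squashed. The following check is an added example, not part of the original page or of ansible-builder: it scans every layer of a saved image archive for those three paths. The function names and the sample archive are assumptions constructed for illustration.

```python
import io
import sys
import tarfile

# Paths the definition file above COPYs into the final image stage.
SENSITIVE = {
    "etc/pki/entitlement/entitlement.pem",
    "etc/pki/entitlement/entitlement-key.pem",
    "etc/rhsm/ca/redhat-uep.pem",
}

def layers_with_entitlement(archive):
    """Map layer name -> sensitive paths found, for a saved image archive."""
    hits = {}
    with tarfile.open(fileobj=archive, mode="r:*") as image:
        for member in image:
            if not member.isfile():
                continue
            blob = io.BytesIO(image.extractfile(member).read())
            try:
                layer = tarfile.open(fileobj=blob, mode="r:*")
            except tarfile.TarError:
                continue  # manifest or config JSON, not a layer
            with layer:
                found = [m.name for m in layer
                         if m.isfile() and m.name.lstrip("./") in SENSITIVE]
            if found:
                hits[member.name] = found
    return hits

def _tar(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())

def constructed_image():
    """Constructed sample: a COPY layer, then the 'rm -f' layer (whiteout only)."""
    key = "etc/pki/entitlement/entitlement-key.pem"
    copy_layer = _tar({key: b"constructed placeholder"}).getvalue()
    rm_layer = _tar({"etc/pki/entitlement/.wh.entitlement-key.pem": b""}).getvalue()
    return _tar({"manifest.json": b"[]", "l1/layer.tar": copy_layer, "l2/layer.tar": rm_layer})

if __name__ == "__main__":
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else constructed_image()
    print(layers_with_entitlement(src))
```

Export the built image with `podman save -o ee.tar <tag>` and pass `ee.tar` as the first argument; an empty result means no layer carries the entitlement files.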