From 60665bd6d8b2c2752be5028951addaa58e99eadc Mon Sep 17 00:00:00 2001
From: Brian Cook
Date: Fri, 13 Dec 2024 09:20:43 -0500
Subject: [PATCH] disable red hat subsciption logic when build is in hermetic mode Closes issue-1754
Signed-off-by: Brian Cook
---
 task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 6 +++---
 task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml | 6 +++---
 task/buildah-remote/0.2/buildah-remote.yaml | 8 +++-----
 task/buildah/0.2/buildah.yaml | 8 +++-----
 4 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index 65f9cdd091..f17a7d0003 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -433,6 +433,7 @@ spec:
 ACTIVATION_KEY_PATH="/activation-key"
 ENTITLEMENT_PATH="/entitlement"
+ # 0. if hermetic=true, skip all subscription related stuff
 # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.
 # 2. Activation-keys will be used when the key 'org' exists in the activation key secret.
 # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
@@ -441,7 +442,7 @@ spec:
 # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced
 # container.
- if [ -e /activation-key/org ]; then
+ if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then
 cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
 mkdir -p /shared/rhsm/etc/pki/entitlement
 mkdir -p /shared/rhsm/etc/pki/consumer
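Review bot: The hermetic check on the new `if` line is a case-sensitive match on the literal `true`, and it is repeated on the `elif` branch in the later hunk, so any other spelling of HERMETIC falls through and the activation key or entitlement certificates are still copied and mounted into the build with nothing in the log to show it. How HERMETIC is set and normalised is outside this hunk, so this is a fail-open risk to confirm rather than a demonstrated bug. A single leading branch states the intent once and records the skip: `if [ "${HERMETIC}" = "true" ]; then echo "Hermetic build: skipping activation key and entitlement setup"`, followed by `elif [ -e /activation-key/org ]; then`, which lets the later `elif find …` line stay unguarded. The same pattern is in the matching hunks of buildah-remote-oci-ta.yaml, buildah-remote.yaml and buildah.yaml; the `if` block continues past the end of this hunk.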
@@ -465,8 +466,7 @@ spec:
 VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)
 fi
- # was: if [ -d "$ACTIVATION_KEY_PATH" ]; then
- elif find /entitlement -name "*.pem" >>null; then
+ elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >>null; then
 cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
 VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)
 echo "Adding the entitlement to the build"
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
index c9650451b3..b33515659b 100644
--- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
@@ -467,6 +467,7 @@ spec:
 ACTIVATION_KEY_PATH="/activation-key"
 ENTITLEMENT_PATH="/entitlement"
+ # 0. if hermetic=true, skip all subscription related stuff
 # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.
 # 2. Activation-keys will be used when the key 'org' exists in the activation key secret.
 # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
@@ -475,7 +476,7 @@ spec:
 # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced
 # container.
- if [ -e /activation-key/org ]; then
+ if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then
 cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
 mkdir -p /shared/rhsm/etc/pki/entitlement
 mkdir -p /shared/rhsm/etc/pki/consumer
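Review bot: In the `@@ -465,8 +466,7 @@` hunk of buildah-oci-ta.yaml the `elif` still relies on `find /entitlement -name "*.pem" >>null`, which appends the matches to a file named `null` in the working directory rather than discarding them, and whose exit status is 0 even when nothing matches. The branch is therefore taken whenever `/entitlement` can be traversed, and a stray `null` file listing certificate paths is left behind; whether the working directory is part of the build context is not visible here. Testing for an actual match is more precise: `elif [ "${HERMETIC}" != "true" ] && [ -n "$(find /entitlement -name '*.pem' -print -quit 2>/dev/null)" ]; then`. The same line appears in the `elif` hunks of the other three task files (written `>> null` in buildah-remote.yaml and buildah.yaml). The `if`/`elif` block begins before this hunk.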
@@ -499,8 +500,7 @@ spec:
 VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)
 fi
- # was: if [ -d "$ACTIVATION_KEY_PATH" ]; then
- elif find /entitlement -name "*.pem" >>null; then
+ elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >>null; then
 cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
 VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)
 echo "Adding the entitlement to the build"
diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml
index e4362df69a..1fac1f5c27 100644
--- a/task/buildah-remote/0.2/buildah-remote.yaml
+++ b/task/buildah-remote/0.2/buildah-remote.yaml
@@ -444,7 +444,7 @@ spec:
 ACTIVATION_KEY_PATH="/activation-key"
 ENTITLEMENT_PATH="/entitlement"
-
+ # 0. if hermetic=true, skip all subscription related stuff
 # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.
 # 2. Activation-keys will be used when the key 'org' exists in the activation key secret.
 # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
@@ -453,7 +453,7 @@ spec:
 # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced
 # container.
- if [ -e /activation-key/org ]; then
+ if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then
 cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
 mkdir -p /shared/rhsm/etc/pki/entitlement
 mkdir -p /shared/rhsm/etc/pki/consumer
@@ -463,7 +463,6 @@ spec:
 -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)
 echo "Adding activation key to the build"
-
 if ! grep -E "^[^#]*subscription-manager.[^#]*register" "$dockerfile_path"; then
 # user is not running registration in the Containerfile: pre-register.
 echo "Pre-registering with subscription manager."
@@ -478,8 +477,7 @@ spec:
 VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)
 fi
- # was: if [ -d "$ACTIVATION_KEY_PATH" ]; then
- elif find /entitlement -name "*.pem" >> null; then
+ elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >> null; then
 cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
 VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)
 echo "Adding the entitlement to the build"
diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml
index 53c0896edf..ebe4c5d4e0 100644
--- a/task/buildah/0.2/buildah.yaml
+++ b/task/buildah/0.2/buildah.yaml
@@ -365,7 +365,7 @@ spec:
 ACTIVATION_KEY_PATH="/activation-key"
 ENTITLEMENT_PATH="/entitlement"
-
+ # 0. if hermetic=true, skip all subscription related stuff
 # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.
 # 2. Activation-keys will be used when the key 'org' exists in the activation key secret.
 # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
@@ -374,7 +374,7 @@ spec:
 # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced
 # container.
- if [ -e /activation-key/org ]; then
+ if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then
 cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
 mkdir -p /shared/rhsm/etc/pki/entitlement
 mkdir -p /shared/rhsm/etc/pki/consumer
@@ -384,7 +384,6 @@ spec:
 -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)
 echo "Adding activation key to the build"
-
 if ! grep -E "^[^#]*subscription-manager.[^#]*register" "$dockerfile_path"; then
 # user is not running registration in the Containerfile: pre-register.
 echo "Pre-registering with subscription manager."
@@ -399,8 +398,7 @@ spec:
 VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)
 fi
- # was: if [ -d "$ACTIVATION_KEY_PATH" ]; then
- elif find /entitlement -name "*.pem" >> null; then
+ elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >> null; then
 cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
 VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)
 echo "Adding the entitlement to the build"