forked from quay/quay-docs
[[red-hat-quay-quota-builders-establishment]]
= Setting up a {productname} builders environment
The following procedure describes how you can implement the builders feature in {productname}.
.Prerequisites
* Builders require SSL certificates. For more information, see link:https://access.redhat.com/documentation/en-us/red_hat_quay/2.9/html/manage_red_hat_quay/adding-tls-certificates-to-the-quay-enterprise-container[Adding TLS certificates to the {productname} container].
.Procedure
[NOTE]
====
* This procedure assumes you already have a cluster provisioned.
* This procedure is for setting up virtual builders.
====
. Log in to your {productname} cluster using your specified username and password:
+
----
$ oc login -u $KUBE_USER -p $KUBE_PASSWORD $KUBE_API
----
. Create a new namespace for your virtual builders:
+
----
$ oc create ns virtual-builders
----
. Switch to the `virtual-builders` project:
+
----
$ oc project virtual-builders
----
. Create a service account for your virtual builder:
+
----
$ oc create sa quay-builder
----
. Provide the created service account with editing permissions so that it can run the build:
+
----
$ oc adm policy add-role-to-user edit system:serviceaccount:virtual-builders:quay-builder
----
. Grant the Quay builder `anyuid` SCC permissions:
+
----
$ oc adm policy add-scc-to-user anyuid -z quay-builder
----
+
[NOTE]
====
This action requires cluster admin privileges. It is necessary because unprivileged or rootless builds must run as the Podman user in order to work.
====
. Obtain the token for the Quay builder service account:
+
----
$ export VIRTUAL_SA_TOKEN=$(oc sa get-token quay-builder -n virtual-builders)
$ yq -i e '.BUILD_MANAGER[1].EXECUTORS[0].SERVICE_ACCOUNT_TOKEN = strenv(VIRTUAL_SA_TOKEN)' ./quay-configs/quay-config.build.virtual.yaml
----
+
[NOTE]
====
The `yq` YAML processor writes the token into the specified Quay configuration file.
====
. Install the Quay Operator with a subscription:
+
----
$ oc apply -f ./k8s-objects/quay-operator-subscription.yaml -n openshift-operators
----
+
[NOTE]
====
This step can also be accomplished on the Quay UI.
====
. Create a namespace for the Quay deployment:
+
----
$ oc create ns quay
----
. Set the project context:
+
----
$ oc project quay
----
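
The following check is an added example, not part of the {productname} documentation or project code. It verifies the result of the token step in this procedure: that `SERVICE_ACCOUNT_TOKEN` in the configuration file is populated and JWT-shaped, and that the file, which now holds a bearer credential, grants no access to group or other users. The function name `check_builder_config` is hypothetical, and the line-based matching assumes the key sits on a single line of the YAML.

```shell
#!/bin/sh
# Added example (not from the Quay docs): verify the builder config after the
# yq step without ever printing the token.
# Usage: sh check-builder-config.sh ./quay-configs/quay-config.build.virtual.yaml

# check_builder_config FILE -> returns 0 if the file passes, 1 otherwise.
# Assumption: SERVICE_ACCOUNT_TOKEN appears on a single line of the YAML.
check_builder_config() {
    cfg=$1
    rc=0
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg not found" >&2
        return 1
    fi

    # The file holds a bearer credential: group/other must have no access bits.
    perms=$(ls -ld -- "$cfg" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $cfg is accessible to group/other ($perms)" >&2
        rc=1
    fi

    # Take the first SERVICE_ACCOUNT_TOKEN value; strip quotes, spaces and CRs.
    tok=$(sed -n 's/^[[:space:]-]*SERVICE_ACCOUNT_TOKEN:[[:space:]]*//p' "$cfg" |
          head -n 1 | tr -d "\"' \r")

    # Service account tokens are JWTs: three base64url segments joined by dots.
    if [ -z "$tok" ]; then
        echo "FAIL: SERVICE_ACCOUNT_TOKEN is empty or missing" >&2
        rc=1
    elif ! printf '%s\n' "$tok" |
            grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'; then
        echo "FAIL: SERVICE_ACCOUNT_TOKEN is not JWT-shaped" >&2
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $cfg"
    fi
    return "$rc"
}

# Run the check when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_builder_config "$1"
fi
```

A failing check exits non-zero, so the script can gate the later deployment steps in an automated run.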