Containers

RedHat OpenShift and private repositories

Michael Mikhailidi

Jan 2, 2020 • 3 min read

For a while, I play around with RedHat CodeReady Containers and one thing annoyed me most - access to private repositories. My pet projects are GitLab and I'm not ready to expose them as public ones. So, whenever I create an application, the first build fails, due to no access to the code. Normally, I get to the Admin console, created a new code secret and updated build descriptor with the codeSecret parameter. It's boring and time-consuming, so why don't do it the right way?

By the right way, I mean automatically, from a Shell script or from an Ansible playbook.

Make sure that our containers are up and running and start with the new Quarkus Java project.

$ crc status
CRC VM:          Running
OpenShift:       Running (v4.2.10)
Disk Usage:      15.87GB of 32.2GB (Inside the CRC VM)
Cache Usage:     13.75GB
Cache Directory: /home/mmikhailidi/.crc/cache
$ oc login api.crc.testing:6443 --username=developer --password=developer
Login successful.

You dont have any projects. You can try to create a new project, by running

   oc new-project <projectname>

$ oc new-project quarkus-project
Now using project "quarkus-project" on server "https://api.crc.testing:6443".

You can add applications to this project with the 'new-app' command. For example, ry:

    oc new-app django-psql-example

to build a new example application in Python. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node
$

Now let's create a basic secret with the GitLab username and token (could be account password). I used literals as a source to make it more clear.

$ oc create secret generic my-gitlab-code --type=kubernetes.io/basic-auth \
--from-literal=username=mikhailidim --from-literal=password=****************
secret/my-gitlab-code created
$ oc annotate secret my-gitlab-code \
> 'build.openshift.io/source-secret-match-uri-1=https://gitlab.com/mikhailidim/*'
secret/my-gitlab-code annotated
$ oc secrets link builder my-gitlab-code
$

The interesting part here is the annotation. With this entry, OpenShift will use this secret every time, when source URI matches the annotation mask. A secret may have more than one annotation to reuse the same credentials for different repositories/sites. the last preparation step allows the builder to access our new secret entity.
Now, your project is ready for the first build

$ oc new-app quay.io/quarkus/ubi-quarkus-native-s2i:19.2.1~https://gitlab.com/mikhailidim/quarkus-hello.git \
--name=quarkus-hello
-> Found container image 5583407 (2 months old) from quay.io for "quay.io/quarkus/ubi-quarkus-native-s2i:19.2.1"

    Quarkus.io S2I (GraalVM Native)
    -------------------------------
    Quarkus.io S2I image for building Kubernetes Native Java GraalVM applications and running its Native Executables

    Tags: builder, java, quarkus, native

    * An image stream tag will be created as "ubi-quarkus-native-s2i:19.2.1" that will track the source image
    * A source build using source code from https://gitlab.com/mikhailidim/quarkus-hello.git will be created
      * The resulting image will be pushed to image stream tag "quarkus-hello:latest"
      * Every time "ubi-quarkus-native-s2i:19.2.1" changes a new build will be triggered
    * This image will be deployed in deployment config "quarkus-hello"
    * Port 8080/tcp will be load balanced by service "quarkus-hello"
      * Other containers can access this service through the hostname "quarkus-hello"

--> Creating resources ...
    imagestream.image.openshift.io "ubi-quarkus-native-s2i" created
    imagestream.image.openshift.io "quarkus-hello" created
    buildconfig.build.openshift.io "quarkus-hello" created
    deploymentconfig.apps.openshift.io "quarkus-hello" created
    service "quarkus-hello" created
--> Success
    Build scheduled, use 'oc logs -f bc/quarkus-hello' to track its progress.
    Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
     'oc expose svc/quarkus-hello'
    Run 'oc status' to view your app.

$oc logs -f bc/quarkus-hello

The last command allows you to watch the progress, but as you can see on screenshot this time builder has no problem with accessing private source code repository.

On my laptop, the new image build takes about 5 minutes. When our application container is ready, let's expose the service and test it out.

$ oc expose service quarkus-hello
route.route.openshift.io/quarkus-hello exposed
$ curl http://quarkus-hello-quarkus-project.apps-crc.testing/hello -v
* About to connect() to quarkus-hello-quarkus-project.apps-crc.testing port 80 (#0)
*   Trying 192.168.130.11...
* Connected to quarkus-hello-quarkus-project.apps-crc.testing (192.168.130.11) port 80 (#0)
> GET /hello HTTP/1.1
> User-Agent: curl/7.29.0
> Host: quarkus-hello-quarkus-project.apps-crc.testing
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 5
< Content-Type: text/plain;charset=UTF-8
< Set-Cookie: baf6177ebae8ba28e68f6fe44e4918f0=8a52f39652e28461b5925530449430f0; path=/; HttpOnly
< Cache-control: private
<
* Connection #0 to host quarkus-hello-quarkus-project.apps-crc.testing left intact
hello
$