How to build an EAP 7 image in OCP and send to Quay?
Environment
- Red Hat Enterprise Application Platform
- 7.x
- Red Hat OpenShift Container Platform (OCP)
- 4.x
- buildconfig
Issue
- How do I build an EAP image in OCP and send to Quay?
- How do I build an EAP image in OCP and send to an external registry?
- How do I build a DG image in OCP and send to an external registry?
Resolution
Below are the instructions to build an application in OCP and send it to Quay or a private registry.
Steps:
- Create a new namespace:
  $ oc new-project build-example
- Get your config.json from your local podman:
  $ cat $HOME/.docker/config.json
- Copy that to a file named config.json and, for security reasons, remove the other registries from the copy: the passwords in it are not necessarily encrypted.
- Create a secret with that config.json:
  $ oc create secret generic dockerhub --from-file=./config.json
- Add the secret above to the builder SA:
  $ oc edit sa builder
  The result will be:
    kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: builder
      namespace: build-example
    secrets:
      - name: builder-dockercfg-t2685
      - name: dockerhub
- Create a buildconfig with the output set to the registry you would like:
    output:
      to:
        kind: DockerImage
        name: 'quay.io/fdemeloj1/mytime:latest'
      pushSecret:
        name: dockerhub
- Build the image:
  $ oc start-build time
The build logs confirm that the build pushes the image to Quay:
Pushing image quay.io/fdemeloj1/mytime:latest ... <---
40 Getting image source signatures
41 Copying blob sha256:e53ae0a7a486542d2f6cae62f64823187075e6a0cc25dc9c5c72281352985857
...
Therefore, an image can be built in OCP and sent to Quay's container registry: just point the build output at the outside docker registry.
See the OCP documentation on this: OCP 4.10 - Using docker credentials for private registries
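For the step above that copies config.json and removes the other registries, the trimming can be scripted instead of hand-edited. This is an added example, not part of the original solution; the function names and the sample credentials are constructed for illustration.

```python
import base64
import json


def _host(key: str) -> str:
    """Reduce an auths key such as 'https://quay.io/v1/' to its host part."""
    return key.split("://", 1)[-1].split("/", 1)[0].lower()


def minimal_push_config(docker_config: dict, registry: str) -> dict:
    """Return a config.json holding only the credential for `registry`."""
    kept = {
        key: entry
        for key, entry in docker_config.get("auths", {}).items()
        if _host(key) == registry.lower()
    }
    if not kept:
        raise ValueError(f"no auths entry for {registry}")
    for key, entry in kept.items():
        # An empty entry means the credential lives in a credsStore/credHelper
        # on the workstation and would be useless inside the cluster.
        if not entry.get("auth"):
            raise ValueError(f"{key}: no inline 'auth' value to copy")
    # credsStore / credHelpers / other top-level keys are dropped on purpose.
    return {"auths": kept}


def auth_username(entry: dict) -> str:
    """Decode the user name from an 'auth' value (base64 of user:password)."""
    return base64.b64decode(entry["auth"]).decode().split(":", 1)[0]


# Constructed sample: three registries, only quay.io is needed for the push.
SAMPLE = {
    "auths": {
        "quay.io": {"auth": base64.b64encode(b"example-user:example-token").decode()},
        "registry.redhat.io": {"auth": base64.b64encode(b"rh-user:rh-pass").decode()},
        "https://index.docker.io/v1/": {"auth": base64.b64encode(b"hub:hub-pass").decode()},
    },
    "credsStore": "desktop",
}

if __name__ == "__main__":
    trimmed = minimal_push_config(SAMPLE, "quay.io")
    print(json.dumps(trimmed, indent=2))
    print("user:", auth_username(trimmed["auths"]["quay.io"]))
```

The `auth` value decodes with plain base64, which is why the copy placed in the secret should carry only the one registry the build pushes to.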
Using nodeSelector
Builds can be targeted to run on specific nodes by specifying labels in the nodeSelector field of a build configuration. The default is spec.nodeSelector: null, meaning the build can run on any OCP node.
Default:
spec:
  nodeSelector: null
Example setting for one of the nodes:
### get nodes
$ oc get nodes
NAME STATUS ROLES AGE VERSION
Node-10.internal Ready worker 173m v1.25.11+1485cc9
Node-11.internal Ready worker 170m v1.25.11+1485cc9
...
### set label (to unset: $ oc label node/<node-name> <key>- ; the trailing minus removes the label)
$ oc label node/Node-10.internal fdemeloj-only=true
node/Node-10.internal labeled
### confirm the label:
$ oc get node/ip-10-0-1-131.ec2.internal -o yaml | grep fdemeloj
fdemeloj-only: "true"
...
### set the buildconfig for that label:
$ oc get bc -o yaml
apiVersion: v1
items:
- apiVersion: build.openshift.io/v1
  kind: BuildConfig
  ...
  spec:
    failedBuildsHistoryLimit: 5
    nodeSelector:
      fdemeloj-only: "true" <------------------------- nodeSelector
### start build
$ oc start-build $build_name
...
### and confirm the assignment:
$ oc describe build build_name
Name: build_name
Namespace: namespace
....
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 26s default-scheduler Successfully assigned build/build_pod to Node-10.internal <-------------------- CONFIRMING THE NODE SELECTOR WORKED;
Issues
Issue - input image without registry:
If the input image is added to the BuildConfig without any registry qualification, the build will run through all the registries in /etc/containers/registries.conf trying to find that image. In the example below, the image example-image:1.0.0 cannot be found in the registries:
Pulling image example-image:1.0.0 ...
Resolving "example-image:1.0.0" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull registry.redhat.io/example-image:1.0.0
Trying to pull registry/example-image:1.0.0
Trying to pull quay.io/example-image:1.0.0
Trying to pull docker.io/example-image:1.0.0
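A check for this issue before the build runs, as an added example that is not part of the original solution: it walks one BuildConfig in the JSON form returned by `oc get bc <name> -o json` and reports every DockerImage reference with no registry, which would otherwise be resolved through the unqualified-search list shown in the log above. The function names and the sample BuildConfig are constructed.

```python
import json


def is_qualified(image: str) -> bool:
    """True when the reference names its registry (host part before the first '/')."""
    first, slash, _ = image.partition("/")
    return bool(slash) and ("." in first or ":" in first or first == "localhost")


def unqualified_images(bc: dict) -> list:
    """List (location, name) for every DockerImage reference lacking a registry."""
    spec = bc.get("spec", {})
    refs = []
    for name, strategy in spec.get("strategy", {}).items():
        if isinstance(strategy, dict) and "from" in strategy:
            refs.append((f"strategy.{name}.from", strategy["from"]))
    for i, image in enumerate(spec.get("source", {}).get("images", [])):
        refs.append((f"source.images[{i}].from", image.get("from", {})))
    if "to" in spec.get("output", {}):
        refs.append(("output.to", spec["output"]["to"]))
    return [
        (where, ref.get("name", ""))
        for where, ref in refs
        if ref.get("kind") == "DockerImage" and not is_qualified(ref.get("name", ""))
    ]


# Constructed BuildConfig, shaped like `oc get bc <name> -o json` output.
SAMPLE_BC = json.loads("""
{
  "kind": "BuildConfig",
  "spec": {
    "strategy": {
      "type": "Source",
      "sourceStrategy": {"from": {"kind": "DockerImage", "name": "example-image:1.0.0"}}
    },
    "output": {
      "to": {"kind": "DockerImage", "name": "quay.io/fdemeloj1/mytime:latest"},
      "pushSecret": {"name": "dockerhub"}
    }
  }
}
""")

if __name__ == "__main__":
    for where, name in unqualified_images(SAMPLE_BC):
        print(f"{where}: '{name}' has no registry; prefix it, e.g. <registry>/{name}")
```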
Root Cause
Build Process
In the process above, the buildconfig YAML produces a DockerImage as output, which is sent from local to the remote registry without passing through an ImageStream (IS). As long as the image can be sent (i.e. the image is built) and the repository is accessible (via the container registry details added to the builder SA), the image will be sent correctly. To troubleshoot specific issues, check the build logs. The common issues are access to the initial image and access to the external registry.
Build on local (explanation of ImageStream absence)
Building an image to send to an outside registry, as done above, does not rely on an ImageStream, hence no ImageStream is required.
For a local build (OCP internal container registry), the IS (ImageStream) must be created first. To fetch from other namespaces, the specific role and rolebinding must be set correctly. In short, local builds require the IS, plus the RoleBindings when fetching from another namespace.
Diagnostic Steps
- to get buildconfig:
  $ oc get bc
- to get build:
  $ oc get build
- to get build description:
  $ oc describe build $build_name
- to get build pod logs:
  $ oc logs $name_build_pod