Entitled builds and OpenShift 4¶
With entitled builds, we have to cover two main topics:
-
How to get the entitlement and refresh the entitlement
-
How to provide/attach the entitlement to the build.
Let’s elaborate on the first one: How to get the entitlement.¶
Technically, the entitlement is a certificate to get access to specific Red Hat Enterprise Linux content and have to refresh regularly. Red Hat introduce Simple Content Access to simplify the access, for example for container builds.
With openssl
or rct
command you can get some information from your entitlement:
How to get the entitlement certificate? If simple content access is enabled at your organisation/redhat account, the insights Operatos automatically provide and refresh and entitlement to your OpenShift 4 Cluster.
You can enable and check the Simple content access at https://access.redhat.com/management, it should look like this:
At your OpenShift 4 Cluster you can take a look your entitlement via:
Relevant documentation part: Importing simple content access certificates with Insights Operator
Another option to get an entitlement from your Red Hat Satellite installation in your environment. Or copy the entitlement from a subscribed Red Hat Enterprise Linux - this is not recommended, and I assume this is against Red Hat Terms and conditions.
Let’s elaborate on the second one: How to provide/attach the entitlement to the build.¶
There are three options to attach the entitlement to a build – build pod at the end:
-
Simple attaches a secret with the entitlement to the build. Documentation: Adding subscription entitlements as a build secret
-
Leverage the Shared Resource CSI Driver Operator (Technology Preview) to share the etc-pki-entitlement secrets from openshift-config-managed namespace provided by the Insights Operator.
-
Rollout entitlement cluster-wide via MachineConfigOperator. Not recommend because it changes every single build behavior in the OpenShift Cluster, additional you have to update the MachineConfig to the new entitlement regularly.
Let’s take a more in-depth look at the Shared Resource CSI solution:¶
First enable the Shared Resource CSI Driver Operator via FeatureGates:
Then wait for the MachineConfigPool is updated and shared resources objects are available:
Create an sharedsecrets object (cluster scoped):¶
Create a project/namespace¶
Grant access to SharedSecret etc-pki-entitlement
¶
Create ImageStream and BuildConfig with access to entitlement¶
Additional Resources
- https://cloud.redhat.com/blog/how-to-build-images-with-rhel-subscriptions-on-openshift
- https://cloud.redhat.com/blog/the-path-to-improving-the-experience-with-rhel-entitlements-on-openshift
- https://github.com/openshift/enhancements/blob/master/enhancements/subscription-content/subscription-injection.md
- https://issues.redhat.com/browse/OCPBU-141