
Entitled builds and OpenShift 4

What is an entitlement

Technically, the entitlement is a certificate that grants access to specific Red Hat Enterprise Linux content and has to be refreshed regularly. Red Hat introduced Simple Content Access to simplify that access, for example for container builds.

With the openssl or rct command you can get some information out of your entitlement:

$ rct stat-cert /etc/pki/entitlement/entitlement.pem
Type: Entitlement Certificate
Version: 3.4
DER size: 1610b
Subject Key ID size: 20b
Content sets: 5835
$ openssl x509 -in /etc/pki/entitlement/entitlement.pem -noout -issuer
issuer=C = US, ST = North Carolina, O = "Red Hat, Inc.", OU = Red Hat Network, CN = Red Hat Candlepin Authority, emailAddress = ca-support@redhat.com
$ rct cat-cert  /etc/pki/entitlement/entitlement.pem  | head -n15

+-------------------------------------------+
    Entitlement Certificate
+-------------------------------------------+

Certificate:
    Path: /etc/pki/entitlement/entitlement.pem
    Version: 3.4
    Serial: <Cert Serial>
    Start Date: 2022-07-10 03:19:11+00:00
    End Date: 2023-07-10 03:19:11+00:00
    Pool ID: Not Available

Subject:
    CN: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx

How to get the entitlement certificate? If Simple Content Access is enabled for your organisation/Red Hat account, the Insights Operator automatically provides and refreshes an entitlement in your OpenShift 4 cluster.

You can enable and check Simple Content Access at https://access.redhat.com/management; it should look like this:

In your OpenShift 4 cluster you can take a look at your entitlement via:

$ oc get secrets etc-pki-entitlement -n openshift-config-managed  -o jsonpath="{.data.entitlement\.pem}" | base64 -d > entitlement.pem

$ rct cat-cert entitlement.pem | head -n15

+-------------------------------------------+
    Entitlement Certificate
+-------------------------------------------+

Certificate:
    Path: entitlement.pem
    Version: 3.4
    Serial: <Cert Serial>
    Start Date: 2022-07-10 05:06:45+00:00
    End Date: 2023-07-10 05:06:45+00:00
    Pool ID: Not Available

Subject:
    CN: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
$

Relevant documentation part: Importing simple content access certificates with Insights Operator

Another option is to get an entitlement from a Red Hat Satellite installation in your environment. You could also copy the entitlement from a subscribed Red Hat Enterprise Linux host, but this is not recommended, and I assume it is against the Red Hat terms and conditions.

Prerequisites to run an entitled build

Install Operator

  • Install Builds for Red Hat OpenShift Operator (tested with v1.4.0)

Share the entitlement secrets

oc apply -f https://examples.openshift.pub/build/entitled/sharedsecret.yaml
apiVersion: sharedresource.openshift.io/v1alpha1
kind: SharedSecret
metadata:
  name: etc-pki-entitlement
spec:
  secretRef:
    name: etc-pki-entitlement
    namespace: openshift-config-managed

Add the permissions to share the secret

oc apply -f https://examples.openshift.pub/build/entitled/sharedsecret-permissions.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: share-etc-pki-entitlement
  namespace: openshift-config-managed
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - etc-pki-entitlement
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: share-etc-pki-entitlement
  namespace: openshift-config-managed
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: share-etc-pki-entitlement
subjects:
  - kind: ServiceAccount
    name: csi-driver-shared-resource
    namespace: openshift-builds
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-share-etc-pki-entitlement
rules:
  - apiGroups:
      - sharedresource.openshift.io
    resources:
      - sharedsecrets
    resourceNames:
      - etc-pki-entitlement
    verbs:
      - use

Create a project/namespace

oc new-project entitled-build-demo

Allow access to shared secrets

In case you want to roll this out automatically for every new project, use the project request template.

oc apply -f https://examples.openshift.pub/build/entitled/sharedsecret-allow-namespace.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-share-etc-pki-entitlement
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-share-etc-pki-entitlement
subjects:
  - kind: ServiceAccount
    name: pipeline
  - kind: ServiceAccount
    name: builder

Let's create a build

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: buildah-rhel
  namespace: entitled-build-demo
spec:
  output:
    image: 'image-registry.openshift-image-registry.svc:5000/entitled-build-demo/demo:latest'
  paramValues:
    - name: dockerfile
      value: Containerfile
  source:
    contextDir: entitled-build
    git:
      url: 'https://github.com/openshift-examples/container-build'
    type: Git
  strategy:
    kind: ClusterBuildStrategy
    name: buildah
  volumes:
    - csi:
        driver: csi.sharedresource.openshift.io
        readOnly: true
        volumeAttributes:
          sharedSecret: etc-pki-entitlement
      name: etc-pki-entitlement
oc apply -f https://examples.openshift.pub/build/entitled/build.yaml

Start the build

apiVersion: shipwright.io/v1beta1
kind: BuildRun
metadata:
  generateName: buildah-rhel-
  namespace: entitled-build-demo
spec:
  build:
    name: buildah-rhel
oc apply -f https://examples.openshift.pub/build/entitled/build-run.yaml
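As an added check that is not part of the original page or of the Builds operator, the following Python snippet walks the manifests from the steps above (embedded as constructed dicts standing in for yaml.safe_load output, so no extra library is needed) and reports where the sharing chain is inconsistent or broader than least privilege requires: the SharedSecret must point at the operator-managed secret, the CSI driver's Role must be pinned with resourceNames, the consumer ClusterRole must grant only use, and the Build must mount the entitlement read-only through the shared-resource CSI driver. check_sharing is a hypothetical helper name.

```python
SHARED = "etc-pki-entitlement"                  # secret and SharedSecret name used on this page
SRC_NS = "openshift-config-managed"             # namespace the Insights Operator writes it to
CSI_DRIVER = "csi.sharedresource.openshift.io"

# Constructed stand-in for yaml.safe_load() of the page's manifests, trimmed to the fields checked.
MANIFESTS = [
    {"kind": "SharedSecret", "metadata": {"name": SHARED},
     "spec": {"secretRef": {"name": SHARED, "namespace": SRC_NS}}},
    {"kind": "Role", "metadata": {"name": "share-etc-pki-entitlement", "namespace": SRC_NS},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "resourceNames": [SHARED],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "use-share-etc-pki-entitlement"},
     "rules": [{"apiGroups": ["sharedresource.openshift.io"], "resources": ["sharedsecrets"],
                "resourceNames": [SHARED], "verbs": ["use"]}]},
    {"kind": "Build", "metadata": {"name": "buildah-rhel", "namespace": "entitled-build-demo"},
     "spec": {"volumes": [{"name": SHARED, "csi": {"driver": CSI_DRIVER, "readOnly": True,
              "volumeAttributes": {"sharedSecret": SHARED}}}]}},
]

def check_sharing(manifests, shared=SHARED, src_ns=SRC_NS):
    """Return a list of findings; an empty list means the sharing chain is consistent and tight."""
    findings = []
    for m in manifests:
        kind, name, spec = m["kind"], m["metadata"]["name"], m.get("spec", {})
        if kind == "SharedSecret" and name == shared:
            # the SharedSecret must reference exactly the operator-managed secret
            if spec.get("secretRef") != {"name": shared, "namespace": src_ns}:
                findings.append(f"SharedSecret {name}: secretRef is not {src_ns}/{shared}")
        elif kind == "Role" and m["metadata"].get("namespace") == src_ns:
            # the CSI driver's read Role must be pinned to this one secret, not every secret
            for rule in m.get("rules", []):
                if "secrets" in rule.get("resources", []) and rule.get("resourceNames") != [shared]:
                    findings.append(f"Role {name}: secrets rule is not limited to {shared}")
        elif kind == "ClusterRole":
            # consumers (builder/pipeline service accounts) only need 'use' on this one SharedSecret
            for rule in m.get("rules", []):
                if "sharedsecrets" in rule.get("resources", []) and (
                        set(rule.get("verbs", [])) != {"use"} or rule.get("resourceNames") != [shared]):
                    findings.append(f"ClusterRole {name}: sharedsecrets rule is wider than 'use' on {shared}")
        elif kind == "Build":
            # the build must mount the entitlement through the shared-resource CSI driver, read-only
            for vol in spec.get("volumes", []):
                csi = vol.get("csi") or {}
                if csi.get("volumeAttributes", {}).get("sharedSecret") == shared and (
                        csi.get("driver") != CSI_DRIVER or csi.get("readOnly") is not True):
                    findings.append(f"Build {name}: volume {vol.get('name')} must use {CSI_DRIVER} read-only")
    return findings

if __name__ == "__main__":
    print(check_sharing(MANIFESTS) or "entitlement sharing chain looks consistent")
```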

Additional resources


2025-06-13 2020-05-12 Contributors: Robert Bohne