Entitled builds and OpenShift 4¶

What is an entitlement¶

Technically, the entitlement is a certificate to get access to specific Red Hat Enterprise Linux content and has to be refreshed regularly. Red Hat introduced Simple Content Access to simplify the access, for example for container builds.

With openssl or rct command you can get some information from your entitlement:

$ rct stat-cert /etc/pki/entitlement/entitlement.pem
Type: Entitlement Certificate
Version: 3.4
DER size: 1610b
Subject Key ID size: 20b
Content sets: 5835
$ openssl x509 -in /etc/pki/entitlement/entitlement.pem -noout -issuer
issuer=C = US, ST = North Carolina, O = "Red Hat, Inc.", OU = Red Hat Network, CN = Red Hat Candlepin Authority, emailAddress = ca-support@redhat.com
$ rct cat-cert  /etc/pki/entitlement/entitlement.pem  | head -n15

+-------------------------------------------+
    Entitlement Certificate
+-------------------------------------------+

Certificate:
    Path: /etc/pki/entitlement/entitlement.pem
    Version: 3.4
    Serial: <Cert Serial>
    Start Date: 2022-07-10 03:19:11+00:00
    End Date: 2023-07-10 03:19:11+00:00
    Pool ID: Not Available

Subject:
    CN: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx

How to get the entitlement certificate? If simple content access is enabled at your organisation/redhat account, the insights Operatos automatically provide and refresh and entitlement to your OpenShift 4 Cluster.

You can enable and check the Simple content access at https://access.redhat.com/management, it should look like this:

At your OpenShift 4 Cluster you can take a look your entitlement via:

$ oc get secrets etc-pki-entitlement -n openshift-config-managed  -o jsonpath="{.data.entitlement\.pem}" | base64 -d > entitlement.pem

$ rct cat-cert entitlement.pem | head -n15

+-------------------------------------------+
    Entitlement Certificate
+-------------------------------------------+

Certificate:
    Path: entitlement.pem
    Version: 3.4
    Serial: <Cert Serial>
    Start Date: 2022-07-10 05:06:45+00:00
    End Date: 2023-07-10 05:06:45+00:00
    Pool ID: Not Available

Subject:
    CN: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
$

Relevant documentation part: Importing simple content access certificates with Insights Operator

Another option to get an entitlement from your Red Hat Satellite installation in your environment. Or copy the entitlement from a subscribed Red Hat Enterprise Linux - this is not recommended, and I assume this is against Red Hat Terms and conditions.

Prerequisites to run an entitled build¶

Install Operator¶

Install Builds for Red Hat OpenShift Operator (tested with v1.4.0)

OCsharedsecret.yaml

oc apply -f https://examples.openshift.pub/build/entitled/sharedsecret.yaml

apiVersion: sharedresource.openshift.io/v1alpha1
kind: SharedSecret
metadata:
  name: etc-pki-entitlement
spec:
  secretRef:
    name: etc-pki-entitlement
    namespace: openshift-config-managed

OCsharedsecret-permissions.yaml

oc apply -f https://examples.openshift.pub/build/entitled/sharedsecret-permissions.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: share-etc-pki-entitlement
  namespace: openshift-config-managed
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - etc-pki-entitlement
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: share-etc-pki-entitlement
  namespace: openshift-config-managed
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: share-etc-pki-entitlement
subjects:
  - kind: ServiceAccount
    name: csi-driver-shared-resource
    namespace: openshift-builds
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-share-etc-pki-entitlement
rules:
  - apiGroups:
      - sharedresource.openshift.io
    resources:
      - sharedsecrets
    resourceNames:
      - etc-pki-entitlement
    verbs:
      - use

Create a project/namespace¶

OC

1	`oc new-project entitled-build-demo`

Allow access to shared secrets¶

In case you want to roll out automaticly for every new project, please use the project request tempalte.

OCsharedsecret-allow-namespace.yaml

oc apply -f https://examples.openshift.pub/build/entitled/sharedsecret-allow-namespace.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-share-etc-pki-entitlement
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-share-etc-pki-entitlement
subjects:
  - kind: ServiceAccount
    name: pipeline
  - kind: ServiceAccount
    name: builder

Let's create a build¶

build.yamlOC

apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
  name: buildah-rhel
  namespace: entitled-build-demo
spec:
  output:
    image: 'image-registry.openshift-image-registry.svc:5000/entitled-build-demo/demo:latest'
  paramValues:
    - name: dockerfile
      value: Containerfile
  source:
    contextDir: entitled-build
    git:
      url: 'https://github.com/openshift-examples/container-build'
    type: Git
  strategy:
    kind: ClusterBuildStrategy
    name: buildah
  volumes:
    - csi:
        driver: csi.sharedresource.openshift.io
        readOnly: true
        volumeAttributes:
          sharedSecret: etc-pki-entitlement
      name: etc-pki-entitlement

oc apply -f https://examples.openshift.pub/build/entitled/build.yaml

Start the build¶

build-run.yamlOC

apiVersion: shipwright.io/v1beta1
kind: BuildRun
metadata:
  generateName: buildah-rhel-
  namespace: entitled-build-demo
spec:
  build:
    name: buildah-rhel

oc apply -f https://examples.openshift.pub/build/entitled/build-run.yaml

Additional resources¶

https://shipwright.io/

2025-06-13 2020-05-12 Contributors: