Using Red Hat subscriptions in builds

Use the following sections to run entitled builds on OKD.

Creating an image stream tag for the Red Hat Universal Base Image

To use Red Hat subscriptions within a build, you create an image stream tag to reference the Universal Base Image (UBI).

To make the UBI available in every project in the cluster, you add the image stream tag to the openshift namespace. Otherwise, to make it available in a specific project, you add the image stream tag to that project.

The benefit of using image stream tags this way is that doing so grants access to the UBI based on the registry.redhat.io credentials in the install pull secret without exposing the pull secret to other users. This is more convenient than requiring each developer to install pull secrets with registry.redhat.io credentials in each project.

Procedure

  • To create an ImageStreamTag in the openshift namespace, so it is available to developers in all projects, enter:

    ```
    $ oc tag --source=docker registry.redhat.io/ubi8/ubi:latest ubi:latest -n openshift
    ```

    You can alternatively apply the following YAML to create an ImageStreamTag in the openshift namespace:

    ```
    apiVersion: image.openshift.io/v1
    kind: ImageStream
    metadata:
      name: ubi
      namespace: openshift
    spec:
      tags:
      - from:
          kind: DockerImage
          name: registry.redhat.io/ubi8/ubi:latest
        name: latest
        referencePolicy:
          type: Source
    ```

  • To create an ImageStreamTag in a single project, enter:

    ```
    $ oc tag --source=docker registry.redhat.io/ubi8/ubi:latest ubi:latest
    ```

    You can alternatively apply the following YAML to create an ImageStreamTag in a single project:

    ```
    apiVersion: image.openshift.io/v1
    kind: ImageStream
    metadata:
      name: ubi
    spec:
      tags:
      - from:
          kind: DockerImage
          name: registry.redhat.io/ubi8/ubi:latest
        name: latest
        referencePolicy:
          type: Source
    ```

Adding subscription entitlements as a build secret

Builds that use Red Hat subscriptions to install content must include the entitlement keys as a build secret.

Prerequisites

You must have access to Red Hat entitlements through your subscription, and the entitlements must have separate public and private key files.

Procedure

  1. Create a secret containing your entitlements, ensuring that there are separate files containing the public and private keys:

    ```
    $ oc create secret generic etc-pki-entitlement --from-file /path/to/entitlement/{ID}.pem \
    > --from-file /path/to/entitlement/{ID}-key.pem ...
    ```

  2. Add the secret as a build volume in the build configuration's Docker strategy:

    ```
    strategy:
      dockerStrategy:
        from:
          kind: ImageStreamTag
          name: ubi:latest
        volumes:
        - name: etc-pki-entitlement
          mounts:
          - destinationPath: /etc/pki/entitlement
          source:
            type: Secret
            secret:
              secretName: etc-pki-entitlement
    ```

Running builds with Subscription Manager

Docker builds using Subscription Manager

Docker strategy builds can use the Subscription Manager to install subscription content.

Prerequisites

The entitlement keys must be added as build strategy volumes.

Procedure

Use the following as an example Dockerfile to install content with the Subscription Manager:

  ```
  FROM registry.redhat.io/ubi8/ubi:latest
  RUN dnf search kernel-devel --showduplicates && \
      dnf install -y kernel-devel
  ```

Running builds with Red Hat Satellite subscriptions

Adding Red Hat Satellite configurations to builds

Builds that use Red Hat Satellite to install content must provide appropriate configurations to obtain content from Satellite repositories.

Prerequisites

  • You must provide or create a yum-compatible repository configuration file that downloads content from your Satellite instance.

    Sample repository configuration

    ```
    [test-<name>]
    name=test-<number>
    baseurl = https://satellite.../content/dist/rhel/server/7/7Server/x86_64/os
    enabled=1
    gpgcheck=0
    sslverify=0
    sslclientkey = /etc/pki/entitlement/...-key.pem
    sslclientcert = /etc/pki/entitlement/....pem
    ```

    The sslclientkey and sslclientcert paths must point into the directory where the entitlement secret is mounted in the build (/etc/pki/entitlement in the procedure that follows). Note that gpgcheck=0 and sslverify=0 in this sample disable package signature verification and TLS certificate verification for the repository.

Procedure

  1. Create a ConfigMap containing the Satellite repository configuration file:

    ```
    $ oc create configmap yum-repos-d --from-file /path/to/satellite.repo
    ```

  2. Add the Satellite repository configuration and entitlement key as build volumes:

    ```
    strategy:
      dockerStrategy:
        from:
          kind: ImageStreamTag
          name: ubi:latest
        volumes:
        - name: yum-repos-d
          mounts:
          - destinationPath: /etc/yum.repos.d
          source:
            type: ConfigMap
            configMap:
              name: yum-repos-d
        - name: etc-pki-entitlement
          mounts:
          - destinationPath: /etc/pki/entitlement
          source:
            type: Secret
            secret:
              secretName: etc-pki-entitlement
    ```
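As an added check that is not part of the OKD documentation, the following Python lints a Satellite repository file against the dockerStrategy volumes from the step above: it verifies that the sslclientcert and sslclientkey paths fall under a Secret-backed build volume and flags gpgcheck=0, sslverify=0 and non-https baseurl values. The sample repo file is constructed; its hostname and entitlement IDs are placeholders.

```python
"""Added example (not from the OKD docs): lint a Satellite .repo file against
the build's dockerStrategy volumes. It checks that the client cert and key the
repo file references live under a Secret-backed build volume, and flags
settings that turn verification off (gpgcheck=0, sslverify=0, non-https)."""
import configparser
from pathlib import PurePosixPath

# Constructed sample repo file; hostname and entitlement IDs are placeholders.
SATELLITE_REPO = """[rhel-8-baseos-satellite]
name=RHEL 8 BaseOS from Satellite
baseurl = https://satellite.example.invalid/content/dist/rhel8/8/x86_64/baseos/os
enabled=1
gpgcheck=0
sslverify=0
sslclientkey = /etc/pki/entitlement/1234567890-key.pem
sslclientcert = /etc/pki/entitlement/1234567890.pem
"""

# The page's dockerStrategy volumes, as yaml.safe_load would return them.
STRATEGY = {"dockerStrategy": {"volumes": [
    {"name": "yum-repos-d", "mounts": [{"destinationPath": "/etc/yum.repos.d"}],
     "source": {"type": "ConfigMap", "configMap": {"name": "yum-repos-d"}}},
    {"name": "etc-pki-entitlement", "mounts": [{"destinationPath": "/etc/pki/entitlement"}],
     "source": {"type": "Secret", "secret": {"secretName": "etc-pki-entitlement"}}}]}}

def secret_mount_paths(strategy):
    """Destination paths of every build volume whose source is a Secret."""
    return [PurePosixPath(m["destinationPath"])
            for vol in strategy["dockerStrategy"].get("volumes", [])
            if vol.get("source", {}).get("type") == "Secret"
            for m in vol.get("mounts", [])]

def lint_repo(repo_text, strategy):
    """Return (section, finding) pairs; an empty list means no issues found."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(repo_text)
    mounts, findings = secret_mount_paths(strategy), []
    for sec in cfg.sections():
        s = cfg[sec]
        if not s.get("baseurl", "").startswith("https://"):
            findings.append((sec, "baseurl is not https"))
        if s.get("gpgcheck", "1") == "0":
            findings.append((sec, "gpgcheck=0 disables package signature verification"))
        if s.get("sslverify", "1") == "0":
            findings.append((sec, "sslverify=0 disables TLS certificate verification"))
        for key in ("sslclientcert", "sslclientkey"):
            path = PurePosixPath(s.get(key, ""))
            if not any(mnt in path.parents for mnt in mounts):
                findings.append((sec, f"{key} {path} is not under a Secret-backed build volume"))
    return findings
```

Run lint_repo over the ConfigMap's file before creating it; a non-empty result means the build either cannot reach its client certificate or is pulling packages without verification.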

Docker builds using Red Hat Satellite subscriptions

Docker strategy builds can use Red Hat Satellite repositories to install subscription content.

Prerequisites

  • You have added the entitlement keys and Satellite repository configurations as build volumes.

Procedure

Use the following as an example Dockerfile to install content with Satellite:

  ```
  FROM registry.redhat.io/ubi8/ubi:latest
  RUN dnf search kernel-devel --showduplicates && \
      dnf install -y kernel-devel
  ```

Running entitled builds using SharedSecret objects

You can configure and perform a build in one namespace that securely uses RHEL entitlements from a Secret object in another namespace.

You can still access RHEL entitlements from OpenShift Builds by creating a Secret object with your subscription credentials in the same namespace as your Build object. In OKD 4.10 and later, however, you can also access your credentials and certificates from a Secret object in one of the OKD system namespaces: you run entitled builds with a CSI volume mount of a SharedSecret custom resource (CR) instance that references that Secret object.

This procedure relies on the newly introduced Shared Resources CSI Driver feature, which you can use to declare CSI Volume mounts in OKD Builds. It also relies on the OKD Insights Operator.

The Shared Resources CSI Driver and the Build CSI Volumes are both Technology Preview features, which are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.

The Shared Resources CSI Driver and the Build CSI Volumes features also belong to the TechPreviewNoUpgrade feature set, which is a subset of the current Technology Preview features. You can enable the TechPreviewNoUpgrade feature set on test clusters, where you can fully test them while leaving the features disabled on production clusters. Enabling this feature set cannot be undone and prevents minor version updates. This feature set is not recommended on production clusters. See “Enabling Technology Preview features using feature gates” in the following “Additional resources” section.

Prerequisites

  • You have enabled the TechPreviewNoUpgrade feature set by using the feature gates.

  • You have a SharedSecret custom resource (CR) instance that references the Secret object where the Insights Operator stores the subscription credentials.

  • You must have permission to perform the following actions:

    • Create build configs and start builds.

    • Discover which SharedSecret CR instances are available by entering the oc get sharedsecrets command and getting a non-empty list back.

    • Determine if the builder service account available to you in your namespace is allowed to use the given SharedSecret CR instance. In other words, you can run oc adm policy who-can use <identifier of specific SharedSecret> to see if the builder service account in your namespace is listed.

If the last two prerequisites in this list are not met, establish, or ask someone to establish, the necessary role-based access control (RBAC) so that you can discover SharedSecret CR instances and enable service accounts to use SharedSecret CR instances.

Procedure

  1. Grant the builder service account RBAC permissions to use the SharedSecret CR instance by using oc apply with YAML content:

    Currently, kubectl and oc have hard-coded special case logic restricting the use verb to roles centered around pod security. Therefore, you cannot use oc create role ... to create the role needed for consuming SharedSecret CR instances.

    Example oc apply -f command with YAML Role object definition

    ```
    $ oc apply -f - <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: shared-resource-my-share
      namespace: my-namespace
    rules:
      - apiGroups:
          - sharedresource.openshift.io
        resources:
          - sharedsecrets
        resourceNames:
          - my-share
        verbs:
          - use
    EOF
    ```

  2. Create the RoleBinding associated with the role by using the oc command:

    Example oc create rolebinding command

    ```
    $ oc create rolebinding shared-resource-my-share --role=shared-resource-my-share --serviceaccount=my-namespace:builder
    ```
  3. Create a BuildConfig object that accesses the RHEL entitlements.

    Example YAML BuildConfig object definition

    ```
    apiVersion: build.openshift.io/v1
    kind: BuildConfig
    metadata:
      name: my-csi-bc
      namespace: my-csi-app-namespace
    spec:
      runPolicy: Serial
      source:
        dockerfile: |
          FROM registry.redhat.io/ubi8/ubi:latest
          RUN ls -la /etc/pki/entitlement
          RUN rm /etc/rhsm-host
          RUN yum repolist --disablerepo=*
          RUN subscription-manager repos --enable rhocp-4.9-for-rhel-8-x86_64-rpms
          RUN yum -y update
          RUN yum install -y openshift-clients.x86_64
      strategy:
        type: Docker
        dockerStrategy:
          volumes:
            - mounts:
                - destinationPath: "/etc/pki/entitlement"
              name: my-csi-shared-secret
              source:
                csi:
                  driver: csi.sharedresource.openshift.io
                  readOnly: true
                  volumeAttributes:
                    sharedSecret: my-share-bc
                type: CSI
    ```
  4. Start a build from the BuildConfig object and follow the logs with the oc command.

    Example oc start-build command

    ```
    $ oc start-build my-csi-bc -F
    ```

    Example output from the oc start-build command

    Some sections of the following output have been replaced with ...

    ```
    build.build.openshift.io/my-csi-bc-1 started
    Caching blobs under "/var/cache/blobs".

    Pulling image registry.redhat.io/ubi8/ubi:latest ...
    Trying to pull registry.redhat.io/ubi8/ubi:latest...
    Getting image source signatures
    Copying blob sha256:5dcbdc60ea6b60326f98e2b49d6ebcb7771df4b70c6297ddf2d7dede6692df6e
    Copying blob sha256:8671113e1c57d3106acaef2383f9bbfe1c45a26eacb03ec82786a494e15956c3
    Copying config sha256:b81e86a2cb9a001916dc4697d7ed4777a60f757f0b8dcc2c4d8df42f2f7edb3a
    Writing manifest to image destination
    Storing signatures
    Adding transient rw bind mount for /run/secrets/rhsm
    STEP 1/9: FROM registry.redhat.io/ubi8/ubi:latest
    STEP 2/9: RUN ls -la /etc/pki/entitlement
    total 360
    drwxrwxrwt.  2 root root     80 Feb  3 20:28 .
    drwxr-xr-x. 10 root root    154 Jan 27 15:53 ..
    -rw-r--r--.  1 root root   3243 Feb  3 20:28 entitlement-key.pem
    -rw-r--r--.  1 root root 362540 Feb  3 20:28 entitlement.pem
    time="2022-02-03T20:28:32Z" level=warning msg="Adding metacopy option, configured globally"
    --> 1ef7c6d8c1a
    STEP 3/9: RUN rm /etc/rhsm-host
    time="2022-02-03T20:28:33Z" level=warning msg="Adding metacopy option, configured globally"
    --> b1c61f88b39
    STEP 4/9: RUN yum repolist --disablerepo=*
    Updating Subscription Management repositories.
    ...
    --> b067f1d63eb
    STEP 5/9: RUN subscription-manager repos --enable rhocp-4.9-for-rhel-8-x86_64-rpms
    Repository 'rhocp-4.9-for-rhel-8-x86_64-rpms' is enabled for this system.
    time="2022-02-03T20:28:40Z" level=warning msg="Adding metacopy option, configured globally"
    --> 03927607ebd
    STEP 6/9: RUN yum -y update
    Updating Subscription Management repositories.
    ...
    Upgraded:
      systemd-239-51.el8_5.3.x86_64 systemd-libs-239-51.el8_5.3.x86_64
      systemd-pam-239-51.el8_5.3.x86_64
    Installed:
      diffutils-3.6-6.el8.x86_64 libxkbcommon-0.9.1-1.el8.x86_64
      xkeyboard-config-2.28-1.el8.noarch
    Complete!
    time="2022-02-03T20:29:05Z" level=warning msg="Adding metacopy option, configured globally"
    --> db57e92ff63
    STEP 7/9: RUN yum install -y openshift-clients.x86_64
    Updating Subscription Management repositories.
    ...
    Installed:
      bash-completion-1:2.7-5.el8.noarch
      libpkgconf-1.4.2-1.el8.x86_64
      openshift-clients-4.9.0-202201211735.p0.g3f16530.assembly.stream.el8.x86_64
      pkgconf-1.4.2-1.el8.x86_64
      pkgconf-m4-1.4.2-1.el8.noarch
      pkgconf-pkg-config-1.4.2-1.el8.x86_64
    Complete!
    time="2022-02-03T20:29:19Z" level=warning msg="Adding metacopy option, configured globally"
    --> 609507b059e
    STEP 8/9: ENV "OPENSHIFT_BUILD_NAME"="my-csi-bc-1" "OPENSHIFT_BUILD_NAMESPACE"="my-csi-app-namespace"
    --> cab2da3efc4
    STEP 9/9: LABEL "io.openshift.build.name"="my-csi-bc-1" "io.openshift.build.namespace"="my-csi-app-namespace"
    COMMIT temp.builder.openshift.io/my-csi-app-namespace/my-csi-bc-1:edfe12ca
    --> 821b582320b
    Successfully tagged temp.builder.openshift.io/my-csi-app-namespace/my-csi-bc-1:edfe12ca
    821b582320b41f1d7bab4001395133f86fa9cc99cc0b2b64c5a53f2b6750db91
    Build complete, no image push requested
    ```
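The Role, RoleBinding and BuildConfig in steps 1 to 3 only work together when the share name, namespace and builder service account line up. The following Python is an added example, not part of the OKD documentation, that checks that wiring offline: it mirrors the oc adm policy who-can use check for the builder service account and confirms the CSI volume names a SharedSecret the Role actually grants and is mounted read-only. The sample objects are constructed and use one share name and one namespace consistently.

```python
"""Added example (not from the OKD docs): cross-check SharedSecret RBAC against the
BuildConfig that consumes it. Given Role, RoleBinding and BuildConfig as dicts (as
yaml.safe_load would return them), confirm the builder service account in the
build's namespace holds `use` on exactly the SharedSecret the CSI volume names."""

# Constructed sample objects: they follow the page's examples but use one share
# name ("my-share") and one namespace ("my-namespace") consistently throughout.
ROLE = {"metadata": {"name": "shared-resource-my-share", "namespace": "my-namespace"},
        "rules": [{"apiGroups": ["sharedresource.openshift.io"],
                   "resources": ["sharedsecrets"], "resourceNames": ["my-share"],
                   "verbs": ["use"]}]}
BINDING = {"metadata": {"namespace": "my-namespace"},
           "roleRef": {"kind": "Role", "name": "shared-resource-my-share"},
           "subjects": [{"kind": "ServiceAccount", "name": "builder", "namespace": "my-namespace"}]}
BUILDCONFIG = {"metadata": {"name": "my-csi-bc", "namespace": "my-namespace"},
               "spec": {"strategy": {"type": "Docker", "dockerStrategy": {"volumes": [
                   {"name": "my-csi-shared-secret",
                    "mounts": [{"destinationPath": "/etc/pki/entitlement"}],
                    "source": {"type": "CSI", "csi": {
                        "driver": "csi.sharedresource.openshift.io", "readOnly": True,
                        "volumeAttributes": {"sharedSecret": "my-share"}}}}]}}}}

def csi_shares(bc):
    """(volume name, sharedSecret, readOnly) for each Shared Resources CSI volume."""
    vols = bc["spec"]["strategy"].get("dockerStrategy", {}).get("volumes", [])
    return [(v["name"], v["source"]["csi"]["volumeAttributes"]["sharedSecret"],
             bool(v["source"]["csi"].get("readOnly")))
            for v in vols if v.get("source", {}).get("type") == "CSI"
            and v["source"]["csi"].get("driver") == "csi.sharedresource.openshift.io"]

def builder_can_use(role, binding, ns, share, sa="builder"):
    """Offline stand-in for `oc adm policy who-can use` for one service account."""
    in_ns = role["metadata"]["namespace"] == ns == binding["metadata"]["namespace"]
    bound = binding["roleRef"]["name"] == role["metadata"]["name"] and any(
        s.get("kind") == "ServiceAccount" and s.get("name") == sa
        and s.get("namespace") == ns for s in binding["subjects"])
    granted = any("use" in r["verbs"] and "sharedsecrets" in r["resources"]
                  and "sharedresource.openshift.io" in r["apiGroups"]
                  and share in r.get("resourceNames", []) for r in role["rules"])
    return in_ns and bound and granted

def check_build(bc, role, binding):
    """Return findings; an empty list means the build can consume its shares."""
    ns, findings = bc["metadata"]["namespace"], []
    for name, share, read_only in csi_shares(bc):
        if not read_only:
            findings.append(f"{name}: CSI volume is not readOnly")
        if not builder_can_use(role, binding, ns, share):
            findings.append(f"{name}: builder SA in {ns} cannot use SharedSecret {share}")
    return findings
```

A mismatch between the Role's resourceNames and the volume's sharedSecret, or a RoleBinding in a different namespace from the BuildConfig, shows up as a finding before the build is started rather than as a failed CSI mount.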

Additional resources