If you have Red Hat Enterprise Linux (RHEL) entitlements, you can use these entitlements to build container images in your pipelines.
The Insights Operator automatically manages your entitlements after you import them into this operator from Simple Content Access (SCA). This operator provides a secret named etc-pki-entitlement in the openshift-config-managed namespace.
You can use Red Hat entitlements in your pipelines in one of the following two ways:
Manually copy the secret into the namespace of the pipeline. This method is least complex if you have a limited number of pipeline namespaces.
Use the Shared Resources Container Storage Interface (CSI) Driver Operator to share the secret between namespaces automatically.
You logged on to your OpenShift Container Platform cluster using the oc command line tool.
You enabled the Insights Operator feature on your OpenShift Container Platform cluster. If you want to use the Shared Resources CSI Driver operator to share the secret between namespaces, you must also enable the Shared Resources CSI driver. For information about enabling features, including the Insights Operator and Shared Resources CSI Driver, see Enabling features using feature gates.
After you enable the Insights Operator, you must wait for some time to ensure that the cluster updates all the nodes with this operator. You can monitor the status of all nodes by entering the following command:
$ oc get nodes -w
To verify that the Insights Operator is active, check that the
You configured the importing of your Red Hat entitlements into the Insights Operator. For information about importing the entitlements, see Importing simple content access entitlements with Insights Operator.
To verify that the Insights Operator made your entitlements available, check that the
You can copy the etc-pki-entitlement secret from the openshift-config-managed namespace into the namespace of your pipeline. You can then configure your pipeline to use this secret for the Buildah task.
You installed the jq package on your system. This package is available in Red Hat Enterprise Linux (RHEL).
Copy the etc-pki-entitlement secret from the openshift-config-managed namespace into the namespace of your pipeline by running the following command:
$ oc get secret etc-pki-entitlement -n openshift-config-managed -o json | \
    jq 'del(.metadata.resourceVersion)' | jq 'del(.metadata.creationTimestamp)' | \
    jq 'del(.metadata.uid)' | jq 'del(.metadata.namespace)' | \
    oc -n <pipeline_namespace> create -f - # (1)
(1) Replace <pipeline_namespace> with the namespace of your pipeline.
In your Buildah task definition, use the buildah task provided in the openshift-pipelines namespace or a copy of this task and define the rhel-entitlement workspace, as shown in the following example.
In your task run or pipeline run that runs the Buildah task, assign the etc-pki-entitlement secret to the rhel-entitlement workspace, as in the following example.
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: buildah-pr-test
spec:
  workspaces:
    - name: shared-workspace
      volumeClaimTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 1Gi
    - name: dockerconfig
      secret:
        secretName: regred
    - name: rhel-entitlement # (1)
      secret:
        secretName: etc-pki-entitlement
  pipelineSpec:
    workspaces:
      - name: shared-workspace
      - name: dockerconfig
      - name: rhel-entitlement # (2)
    tasks:
      # ...
      - name: buildah
        taskRef:
          resolver: cluster
          params:
            - name: kind
              value: task
            - name: name
              value: buildah
            - name: namespace
              value: openshift-pipelines
        workspaces:
          - name: source
            workspace: shared-workspace
          - name: dockerconfig
            workspace: dockerconfig
          - name: rhel-entitlement # (3)
            workspace: rhel-entitlement
        params:
          - name: IMAGE
            value: <image_where_you_want_to_push>
(1) The definition of the rhel-entitlement workspace in the pipeline run, assigning the etc-pki-entitlement secret to the workspace
(2) The definition of the rhel-entitlement workspace in the pipeline definition
(3) The definition of the rhel-entitlement workspace in the task definition
You can set up sharing of the etc-pki-entitlement secret from the openshift-config-managed namespace to other namespaces using the Shared Resources Container Storage Interface (CSI) Driver Operator. You can then configure your pipeline to use this secret for the Buildah task.
You are logged on to your OpenShift Container Platform cluster using the oc command line utility as a user with cluster administrator permissions.
You enabled the Shared Resources CSI Driver operator on your OpenShift Container Platform cluster.
Create a SharedSecret custom resource (CR) for sharing the etc-pki-entitlement secret by running the following command:
$ oc apply -f - <<EOF
apiVersion: sharedresource.openshift.io/v1alpha1
kind: SharedSecret
metadata:
  name: shared-rhel-entitlement
spec:
  secretRef:
    name: etc-pki-entitlement
    namespace: openshift-config-managed
EOF
Create an RBAC role that permits access to the shared secret by running the following command:
$ oc apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: shared-resource-rhel-entitlement
  namespace: <pipeline_namespace> # (1)
rules:
  - apiGroups:
      - sharedresource.openshift.io
    resources:
      - sharedsecrets
    resourceNames:
      - shared-rhel-entitlement
    verbs:
      - use
EOF
(1) Replace <pipeline_namespace> with the namespace of your pipeline.
Assign the role to the pipeline service account by running the following command:
$ oc create rolebinding shared-resource-rhel-entitlement --role=shared-resource-rhel-entitlement \
    --serviceaccount=<pipeline-namespace>:pipeline # (1)
(1) Replace <pipeline-namespace> with the namespace of your pipeline.
If you changed the default service account for OpenShift Pipelines or if you define a custom service account in the pipeline run or task run, assign the role to this account instead of the
In your Buildah task definition, use the buildah task provided in the openshift-pipelines namespace or a copy of this task and define the rhel-entitlement workspace, as shown in the following example.
In your task run or pipeline run that runs the Buildah task, assign the shared secret to the rhel-entitlement workspace, as in the following example.
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: buildah-pr-test-csi
spec:
  workspaces:
    - name: shared-workspace
      volumeClaimTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 1Gi
    - name: dockerconfig
      secret:
        secretName: regred
    - name: rhel-entitlement # (1)
      csi:
        readOnly: true
        driver: csi.sharedresource.openshift.io
        volumeAttributes:
          sharedSecret: shared-rhel-entitlement
  pipelineSpec:
    workspaces:
      - name: shared-workspace
      - name: dockerconfig
      - name: rhel-entitlement # (2)
    tasks:
      # ...
      - name: buildah
        taskRef:
          resolver: cluster
          params:
            - name: kind
              value: task
            - name: name
              value: buildah
            - name: namespace
              value: openshift-pipelines
        workspaces:
          - name: source
            workspace: shared-workspace
          - name: dockerconfig
            workspace: dockerconfig
          - name: rhel-entitlement # (3)
            workspace: rhel-entitlement
        params:
          - name: IMAGE
            value: <image_where_you_want_to_push>
(1) The definition of the rhel-entitlement workspace in the pipeline run, assigning the shared-rhel-entitlement CSI shared secret to the workspace
(2) The definition of the rhel-entitlement workspace in the pipeline definition
(3) The definition of the rhel-entitlement workspace in the task definition
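A consistency check for the objects created in the CSI procedure above, as an added example that is not part of the original documentation: it confirms that the Role, the RoleBinding and the CSI workspace of the pipeline run all refer to the same SharedSecret and service account. The function names, the example-pipelines namespace and the inline manifests are assumptions constructed for illustration.

```python
# Added example; every manifest here is constructed sample data.
def check_chain(share, role, binding, run, sa="pipeline"):
    """Return problems that would keep the shared secret from mounting."""
    problems = []
    name, ns = share["metadata"]["name"], role["metadata"]["namespace"]
    # The Role must grant the 'use' verb on this specific SharedSecret.
    if not any("sharedresource.openshift.io" in r.get("apiGroups", [])
               and "sharedsecrets" in r.get("resources", [])
               and name in r.get("resourceNames", [])
               and "use" in r.get("verbs", []) for r in role.get("rules", [])):
        problems.append(f"role does not grant 'use' on sharedsecret {name}")
    # The RoleBinding must sit in the Role's namespace and name that Role;
    # the API server accepts a binding to a Role that does not exist.
    if binding["metadata"].get("namespace") != ns:
        problems.append("rolebinding is not in the role's namespace")
    ref = binding["roleRef"]
    if (ref["kind"], ref["name"]) != ("Role", role["metadata"]["name"]):
        problems.append(f"rolebinding references unknown role {ref['name']}")
    if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa
               and s.get("namespace") == ns for s in binding.get("subjects", [])):
        problems.append(f"service account {ns}:{sa} is not a subject")
    # The run's CSI workspace must mount the same share, read-only as on the page.
    for ws in run["spec"].get("workspaces", []):
        csi = ws.get("csi") or {}
        if csi.get("driver") != "csi.sharedresource.openshift.io":
            continue
        if csi.get("volumeAttributes", {}).get("sharedSecret") != name:
            problems.append(f"workspace {ws['name']} mounts a different share")
        if csi.get("readOnly") is not True:
            problems.append(f"workspace {ws['name']} is not readOnly")
    return problems


def sample(role_ref="shared-resource-rhel-entitlement", ns="example-pipelines"):
    """Constructed manifests mirroring the page's objects; ns is a placeholder."""
    rule = {"apiGroups": ["sharedresource.openshift.io"], "resources": ["sharedsecrets"],
            "resourceNames": ["shared-rhel-entitlement"], "verbs": ["use"]}
    share = {"metadata": {"name": "shared-rhel-entitlement"}}
    role = {"metadata": {"name": "shared-resource-rhel-entitlement", "namespace": ns},
            "rules": [rule]}
    binding = {"metadata": {"namespace": ns}, "roleRef": {"kind": "Role", "name": role_ref},
               "subjects": [{"kind": "ServiceAccount", "name": "pipeline", "namespace": ns}]}
    csi = {"readOnly": True, "driver": "csi.sharedresource.openshift.io",
           "volumeAttributes": {"sharedSecret": "shared-rhel-entitlement"}}
    run = {"spec": {"workspaces": [{"name": "rhel-entitlement", "csi": csi}]}}
    return share, role, binding, run
```

On a cluster, the dictionaries would come from the output of oc get for each object with -o json, parsed with json.loads.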