If you have Red Hat Enterprise Linux (RHEL) entitlements, you can use these entitlements to build container images in your pipelines.

The Insights Operator automatically manages your entitlements after you import them into this operator from Simple Content Access (SCA). This operator provides a secret named etc-pki-entitlement in the openshift-config-managed namespace.

You can use Red Hat entitlements in your pipelines in one of the following two ways:

  • Manually copy the secret into the namespace of the pipeline. This method is least complex if you have a limited number of pipeline namespaces.

  • Use the Shared Resources Container Storage Interface (CSI) Driver Operator to share the secret between namespaces automatically.

Prerequisites

  • You logged on to your OpenShift Container Platform cluster using the oc command line tool.

  • You enabled the Insights Operator feature on your OpenShift Container Platform cluster. If you want to use the Shared Resources CSI Driver operator to share the secret between namespaces, you must also enable the Shared Resources CSI driver. For information about enabling features, including the Insights Operator and Shared Resources CSI Driver, see Enabling features using feature gates.

    After you enable the Insights Operator, you must wait for some time to ensure that the cluster updates all the nodes with this operator. You can monitor the status of all nodes by entering the following command:

    $ oc get nodes -w

    To verify that the Insights Operator is active, check that the insights-operator pod is running in the openshift-insights namespace by entering the following command:

    $ oc get pods -n openshift-insights
  • You configured the importing of your Red Hat entitlements into the Insights Operator. For information about importing the entitlements, see Importing simple content access entitlements with Insights Operator.

    To verify that the Insights Operator made your entitlements available, check that the etc-pki-entitlement secret is present in the openshift-config-managed namespace by entering the following command:

    $ oc get secret etc-pki-entitlement -n openshift-config-managed

Using Red Hat entitlements by manually copying the etc-pki-entitlement secret

You can copy the etc-pki-entitlement secret from the openshift-config-managed namespace into the namespace of your pipeline. You can then configure your pipeline to use this secret for the Buildah task.

Prerequisites
  • You installed the jq package on your system. This package is available in Red Hat Enterprise Linux (RHEL).

Procedure
  1. Copy the etc-pki-entitlement secret from the openshift-config-managed namespace into the namespace of your pipeline by running the following command:

    $ oc get secret etc-pki-entitlement -n openshift-config-managed -o json | \
      jq 'del(.metadata.resourceVersion)' | jq 'del(.metadata.creationTimestamp)' | \
      jq 'del(.metadata.uid)' | jq 'del(.metadata.namespace)' | \
      oc -n <pipeline_namespace> create -f - (1)
    1 Replace <pipeline_namespace> with the namespace of your pipeline.
  2. In your Buildah task definition, use the buildah cluster task or a copy of this cluster task and define the rhel-entitlement workspace, as in the following example.

  3. In your task run or pipeline run that runs the Buildah task, assign the etc-pki-entitlement secret to the rhel-entitlement workspace, as in the following example.

Example pipeline run definition, including the pipeline and task definitions, that uses Red Hat entitlements
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: buildah-pr-test
spec:
  workspaces:
    - name: shared-workspace
      volumeClaimTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 1Gi
    - name: dockerconfig
      secret:
        secretName: regred
    - name: rhel-entitlement  (1)
      secret:
        secretName: etc-pki-entitlement
  pipelineSpec:
    workspaces:
      - name: shared-workspace
      - name: dockerconfig
      - name: rhel-entitlement  (2)
    tasks:
# ...
      - name: buildah
        taskRef:
          name: buildah
          kind: ClusterTask
        workspaces:
        - name: source
          workspace: shared-workspace
        - name: dockerconfig
          workspace: dockerconfig
        - name: rhel-entitlement  (3)
          workspace: rhel-entitlement
        params:
        - name: IMAGE
          value: <image_where_you_want_to_push>
1 The definition of the rhel-entitlement workspace in the pipeline run, assigning the etc-pki-entitlement secret to the workspace
2 The definition of the rhel-entitlement workspace in the pipeline definition
3 The definition of the rhel-entitlement workspace in the task definition

Using Red Hat entitlements by sharing the secret using the Shared Resources CSI driver operator

You can set up sharing of the etc-pki-entitlement secret from the openshift-config-managed namespace to other namespaces using the Shared Resources Container Storage Interface (CSI) Driver Operator. You can then configure your pipeline to use this secret for the Buildah task.

Prerequisites
  • You are logged on to your OpenShift Container Platform cluster using the oc command line utility as a user with cluster administrator permissions.

  • You enabled the Shared Resources CSI Driver operator on your OpenShift Container Platform cluster.

Procedure
  1. Create a SharedSecret custom resource (CR) for sharing the etc-pki-entitlement secret by running the following command:

    $ oc apply -f - <<EOF
    apiVersion: sharedresource.openshift.io/v1alpha1
    kind: SharedSecret
    metadata:
      name: shared-rhel-entitlement
    spec:
      secretRef:
        name: etc-pki-entitlement
        namespace: openshift-config-managed
    EOF
  2. Create an RBAC role that permits access to the shared secret by running the following command:

    $ oc apply -f - <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: shared-resource-rhel-entitlement
      namespace: <pipeline_namespace> (1)
    rules:
      - apiGroups:
          - sharedresource.openshift.io
        resources:
          - sharedsecrets
        resourceNames:
          - shared-rhel-entitlement
        verbs:
          - use
    EOF
    1 Replace <pipeline_namespace> with the namespace of your pipeline.
  3. Assign the role to the pipeline service account by running the following command:

    $ oc create rolebinding shared-resource-rhel-entitlement --role=shared-resource-rhel-entitlement \
      --serviceaccount=<pipeline-namespace>:pipeline (1)
    1 Replace <pipeline-namespace> with the namespace of your pipeline.

    If you changed the default service account for OpenShift Pipelines or if you define a custom service account in the pipeline run or task run, assign the role to this account instead of the pipeline account.

  4. In your Buildah task definition, use the buildah cluster task or a copy of this cluster task and define the rhel-entitlement workspace, as in the following example.

  5. In your task run or pipeline run that runs the Buildah task, assign the shared secret to the rhel-entitlement workspace, as in the following example.

Example pipeline run definition, including the pipeline and task definitions, that uses Red Hat entitlements
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: buildah-pr-test-csi
spec:
  workspaces:
    - name: shared-workspace
      volumeClaimTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 1Gi
    - name: dockerconfig
      secret:
        secretName: regred
    - name: rhel-entitlement  (1)
      csi:
        readOnly: true
        driver: csi.sharedresource.openshift.io
        volumeAttributes:
          sharedSecret: shared-rhel-entitlement
  pipelineSpec:
    workspaces:
      - name: shared-workspace
      - name: dockerconfig
      - name: rhel-entitlement  (2)
    tasks:
# ...
      - name: buildah
        taskRef:
          name: buildah
          kind: ClusterTask
        workspaces:
        - name: source
          workspace: shared-workspace
        - name: dockerconfig
          workspace: dockerconfig
        - name: rhel-entitlement  (3)
          workspace: rhel-entitlement
        params:
        - name: IMAGE
          value: <image_where_you_want_to_push>
1 The definition of the rhel-entitlement workspace in the pipeline run, assigning the shared-rhel-entitlement CSI shared secret to the workspace
2 The definition of the rhel-entitlement workspace in the pipeline definition
3 The definition of the rhel-entitlement workspace in the task definition
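
The CSI procedure works only if four objects agree on names: the SharedSecret, the Role that grants use on it, the role binding for the service account, and the CSI workspace in the pipeline run. The following check is an added example, not part of the original documentation or of OpenShift; the function name check_sharing, the namespace ci-builds, and the sample objects are assumptions, with manifests represented as dictionaries such as those parsed from oc get -o json output.

```python
# Added example: offline consistency check for the objects in the CSI procedure.
# All manifests below are constructed samples; "ci-builds" is a placeholder namespace.
GROUP, DRIVER = "sharedresource.openshift.io", "csi.sharedresource.openshift.io"

def check_sharing(shared_secret, role, binding, pipeline_run, sa="pipeline"):
    """Return a list of mismatches between SharedSecret, Role, RoleBinding and PipelineRun."""
    problems = []
    name = shared_secret["metadata"]["name"]
    ns = role["metadata"]["namespace"]
    # 1. The Role must grant "use" on exactly this SharedSecret.
    if not any(GROUP in r.get("apiGroups", []) and "sharedsecrets" in r.get("resources", [])
               and "use" in r.get("verbs", []) and name in r.get("resourceNames", [])
               for r in role.get("rules", [])):
        problems.append(f"role does not grant 'use' on sharedsecret {name}")
    # 2. The binding must reference the Role by its exact name.
    ref = binding["roleRef"]
    if ref.get("kind") != "Role" or ref.get("name") != role["metadata"]["name"]:
        problems.append(f"binding references role {ref.get('name')!r}, "
                        f"expected {role['metadata']['name']!r}")
    # 3. The binding must live in the Role's namespace and name the service account.
    if binding["metadata"].get("namespace") != ns:
        problems.append("binding is not in the role's namespace")
    if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa
               and s.get("namespace") == ns for s in binding.get("subjects", [])):
        problems.append(f"service account {ns}:{sa} is not a subject of the binding")
    # 4. The CSI workspace must mount the same SharedSecret, read-only.
    csi = [w["csi"] for w in pipeline_run["spec"]["workspaces"]
           if w.get("csi", {}).get("driver") == DRIVER]
    if not any(c.get("readOnly") is True
               and c.get("volumeAttributes", {}).get("sharedSecret") == name for c in csi):
        problems.append(f"no read-only CSI workspace mounts sharedsecret {name}")
    return problems

# Constructed sample objects mirroring the manifests in the procedure.
SHARED = {"metadata": {"name": "shared-rhel-entitlement"}}
ROLE = {"metadata": {"name": "shared-resource-rhel-entitlement", "namespace": "ci-builds"},
        "rules": [{"apiGroups": [GROUP], "resources": ["sharedsecrets"],
                   "resourceNames": ["shared-rhel-entitlement"], "verbs": ["use"]}]}
BINDING = {"metadata": {"name": "shared-resource-rhel-entitlement", "namespace": "ci-builds"},
           "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                       "name": "shared-resource-rhel-entitlement"},
           "subjects": [{"kind": "ServiceAccount", "name": "pipeline", "namespace": "ci-builds"}]}
RUN = {"spec": {"workspaces": [{"name": "rhel-entitlement", "csi": {
    "readOnly": True, "driver": DRIVER,
    "volumeAttributes": {"sharedSecret": "shared-rhel-entitlement"}}}]}}

if __name__ == "__main__":
    print(check_sharing(SHARED, ROLE, BINDING, RUN) or "consistent")
```

An empty list means the names line up. A binding whose role reference does not match the Role's name is reported by check 2, and the service account then has no permission to use the shared secret.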