Using Red Hat subscriptions in builds

Use the following sections to run entitled builds on OKD.

Creating an image stream tag for the Red Hat Universal Base Image

To use Red Hat subscriptions within a build, you create an image stream tag to reference the Universal Base Image (UBI).

To make the UBI available in every project in the cluster, you add the image stream tag to the openshift namespace. Otherwise, to make it available in a specific project, you add the image stream tag to that project.

The benefit of using image stream tags this way is that doing so grants access to the UBI based on the registry.redhat.io credentials in the install pull secret without exposing the pull secret to other users. This is more convenient than requiring each developer to install pull secrets with registry.redhat.io credentials in each project.

Procedure

  • To create an ImageStreamTag in the openshift namespace, so it is available to developers in all projects, enter:

    1. $ oc tag --source=docker registry.redhat.io/ubi8/ubi:latest ubi:latest -n openshift

    You can alternatively apply the following YAML to create an ImageStreamTag in the openshift namespace:

    1. apiVersion: image.openshift.io/v1
    2. kind: ImageStream
    3. metadata:
    4.   name: ubi
    5.   namespace: openshift
    6. spec:
    7.   tags:
    8.   - from:
    9.       kind: DockerImage
    10.       name: registry.redhat.io/ubi8/ubi:latest
    11.     name: latest
    12.     referencePolicy:
    13.       type: Source

  • To create an ImageStreamTag in a single project, enter:

    1. $ oc tag --source=docker registry.redhat.io/ubi8/ubi:latest ubi:latest

    You can alternatively apply the following YAML to create an ImageStreamTag in a single project:

    1. apiVersion: image.openshift.io/v1
    2. kind: ImageStream
    3. metadata:
    4.   name: ubi
    5. spec:
    6.   tags:
    7.   - from:
    8.       kind: DockerImage
    9.       name: registry.redhat.io/ubi8/ubi:latest
    10.     name: latest
    11.     referencePolicy:
    12.       type: Source

Adding subscription entitlements as a build secret

Builds that use Red Hat subscriptions to install content must include the entitlement keys as a build secret.

Prerequisites

You must have access to Red Hat entitlements through your subscription, and the entitlements must have separate public and private key files.

Procedure

  1. Create a secret containing your entitlements, ensuring that there are separate files containing the public and private keys:

    1. $  oc create secret generic etc-pki-entitlement --from-file /path/to/entitlement/{ID}.pem \
    2. > --from-file /path/to/entitlement/{ID}-key.pem ...

  2. Add the secret as a build volume in the build configuration’s Docker strategy:

    1. strategy:
    2.   dockerStrategy:
    3.     from:
    4.       kind: ImageStreamTag
    5.       name: ubi:latest
    6.     volumes:
    7.     - name: etc-pki-entitlement
    8.       mounts:
    9.       - destinationPath: /etc/pki/entitlement
    10.       source:
    11.         type: Secret
    12.         secret:
    13.           secretName: etc-pki-entitlement

Running builds with Subscription Manager

Docker builds using Subscription Manager

Docker strategy builds can use the Subscription Manager to install subscription content.

Prerequisites

The entitlement keys must be added as build strategy volumes.

Procedure

Use the following as an example Dockerfile to install content with the Subscription Manager:

  1. FROM registry.redhat.io/ubi8/ubi:latest
  2. RUN dnf search kernel-devel --showduplicates && \
  3.         dnf install -y kernel-devel

Running builds with Red Hat Satellite subscriptions

Adding Red Hat Satellite configurations to builds

Builds that use Red Hat Satellite to install content must provide appropriate configurations to obtain content from Satellite repositories.

Prerequisites

  • You must provide or create a yum-compatible repository configuration file that downloads content from your Satellite instance.

    Sample repository configuration

    1. [test-<name>]
    2. name=test-<number>
    3. baseurl = https://satellite.../content/dist/rhel/server/7/7Server/x86_64/os
    4. enabled=1
    5. gpgcheck=0
    6. sslverify=0
    7. sslclientkey = /etc/pki/entitlement/...-key.pem
    8. sslclientcert = /etc/pki/entitlement/....pem

Procedure

  1. Create a ConfigMap containing the Satellite repository configuration file:

    1. $ oc create configmap yum-repos-d --from-file /path/to/satellite.repo

  2. Add the Satellite repository configuration and entitlement key as a build volumes:

    1. strategy:
    2.   dockerStrategy:
    3.     from:
    4.       kind: ImageStreamTag
    5.       name: ubi:latest
    6.     volumes:
    7.     - name: yum-repos-d
    8.       mounts:
    9.       - destinationPath: /etc/yum.repos.d
    10.       source:
    11.         type: ConfigMap
    12.         configMap:
    13.           name: yum-repos-d
    14.     - name: etc-pki-entitlement
    15.       mounts:
    16.       - destinationPath: /etc/pki/entitlement
    17.       source:
    18.         type: Secret
    19.         secret:
    20.           secretName: etc-pki-entitlement

Docker builds using Red Hat Satellite subscriptions

Docker strategy builds can use Red Hat Satellite repositories to install subscription content.

Prerequisites

  • You have added the entitlement keys and Satellite repository configurations as build volumes.

Procedure

Use the following as an example Dockerfile to install content with Satellite:

  1. FROM registry.redhat.io/ubi8/ubi:latest
  2. RUN dnf search kernel-devel --showduplicates && \
  3.         dnf install -y kernel-devel

Additional resources