Importing RHEL Simple Content Access certificates with Insights Operator

Insights Operator can import your RHEL Simple Content Access (SCA) certificates from Red Hat OpenShift Cluster Manager. SCA is a capability in Red Hat’s subscription tools which simplifies the behavior of the entitlement tooling. It is easier to consume the content provided by your Red Hat subscriptions without the complexity of configuring subscription tooling. After importing the certificates, they are stored in the etc-pki-entitlement secret in the openshift-config-managed namespace.

Insights Operator imports SCA certificates every 8 hours by default, but can be configured or disabled using the support secret in the openshift-config namespace.

In OKD 4.9, this feature is in Technology Preview and must be enabled using the TechPreviewNoUpgrade Feature Set. See Enabling OpenShift Container Platform features using FeatureGates for more information.

For more information about Simple Content Access certificates see the Simple Content Access article in the Red Hat Knowledgebase.

InsightsOperatorPullingSCA is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.

Configuring Simple Content Access import interval

You can configure how often the Insights Operator imports the RHEL Simple Content Access (SCA) certificates using the support secret in the openshift-config namespace. The certificate import normally occurs every 8 hours, but you may want to shorten this interval if you update your SCA configuration in Red Hat Subscription Management.

This procedure describes how to update the import interval to one hour.

Prerequisites

  • You are logged in to the OKD web console as cluster-admin.

Procedure

  1. Navigate to WorkloadsSecrets.

  2. Select the openshift-config project.

  3. Search for the support secret using the Search by name field. If it does not exist, click CreateKey/value secret to create it.

  4. Click the Options menu kebab, and then click Edit Secret.

  5. Click Add Key/Value.

  6. Create a key named ocmInterval with a value of 1h, and click Save.

    The interval 1h can also be entered as 60m for 60 minutes.

  7. Navigate to WorkloadsPods

  8. Select the openshift-insights project.

  9. Find the insights-operator pod.

  10. To restart the insights-operator pod, click the Options menu kebab, and then click Delete Pod.

Disabling Simple Content Access import

You can disable the import of RHEL Simple Content Access certificates using the support secret in the openshift-config namespace.

Prerequisites

  • You are logged in to the OKD web console as cluster-admin.

Procedure

  1. Navigate to WorkloadsSecrets.

  2. Select the openshift-config project.

  3. Search for the support secret using the Search by name field. If it does not exist, click CreateKey/value secret to create it.

  4. Click the Options menu kebab, and then click Edit Secret.

  5. Click Add Key/Value.

  6. Create a key named ocmPullDisabled with a value of true, and click Save.

  7. Navigate to WorkloadsPods

  8. Select the openshift-insights project.

  9. Find the insights-operator pod.

  10. To restart the insights-operator pod, click the Options menu kebab, and then click Delete Pod.