OpenShift 4 introduced a self-managing platform for the hybrid cloud by providing a cloud-like experience for installing and upgrading the platform through streamlined full-stack installation and automatic software updates and lifecycle management. One of the key enablers for this enhanced process is moving from node-based entitlements for OpenShift clusters to cluster-based entitlements. The Red Hat subscription model enables customers to download Red Hat-tested and certified enterprise software. This way, customers are supplied with the latest patches, bug fixes, updates, and upgrades for the trusted software provided by Red Hat. Moving to a cluster-based entitlement model allows admins to subscribe an entire OpenShift cluster to Red Hat to receive automatic updates, fixes, and security patches instead of having to subscribe every single host and manage its entitlements individually across the cluster. This not only simplifies the lifecycle management of subscriptions for customers, but also reduces the operational overhead of subscription management for admins operating OpenShift platforms.
A consequence of the simplified subscription management for OpenShift clusters is that when developers build container images on the OpenShift platform using a Dockerfile and need to install packages (RPMs) from Red Hat Enterprise Linux (RHEL) repositories and app streams that are included in the OpenShift subscription, they have to make sure the build process has access to valid RHEL entitlements. This can be done either by providing the RHEL entitlements directly to the BuildConfigs on OpenShift or making them available to all pods through modifications to the MachineConfig.
While consuming RHEL content through the above process has been useful on OpenShift 4, the feedback we have received from customers is that the workflow for retrieving the RHEL entitlements to make them available through the above-mentioned process is cumbersome and causes friction. In addition, since RHEL entitlements are rotated and must be refreshed regularly, the workflow for retrieving RHEL entitlements needs to be repeated regularly, which adds to the overhead.
Simplifying access to RHEL entitlements
To improve the experience of installing RHEL content in Dockerfile builds on OpenShift, we have been taking steps to address the challenges that customers have expressed and are moving toward a fully automated process that removes the overhead from the admins and transparently makes these entitlements available to the cluster. This enhancement is composed of the following workstreams:
- Automatic placement and rotation of RHEL entitlements included in an OpenShift subscription on the cluster as a Kubernetes secret
- Adding support for mounting Kubernetes secrets and ConfigMaps in BuildConfig to enable developers to mount the RHEL entitlement secret directly into builds
- Controlled access to shared secrets across namespaces (read more in this blog post) to allow mounting a single RHEL entitlement secret into pods in other namespaces, provided the specified RBAC by admin allows it (Developer Preview)
The combination of the above enhancements enables OpenShift clusters to provide a streamlined path for giving teams that build images using RHEL content access to RHEL entitlements on the cluster.
We are thrilled to announce that automatic management of RHEL entitlements on OpenShift clusters (Tech Preview) (1) and support for mounting Kubernetes secrets and ConfigMaps into BuildConfigs (2) are now available in OpenShift Container Platform 4.9.
Automatic management of RHEL entitlements on OpenShift
To remove the overhead of downloading RHEL entitlements from the Red Hat Customer Portal and placing them on the OpenShift cluster or its nodes on a regular basis (because entitlements expire), OpenShift clusters now automate this workflow: the cluster itself retrieves and refreshes the entitlements on a schedule.
A prerequisite for using this capability is to enable Simple Content Access (SCA) on your personal or organization’s Red Hat account in the Red Hat Customer Portal. SCA allows you to access Red Hat software content without attaching a subscription to a particular system or environment. Separating subscriptions and content management makes it easier for admins to fully use their RHEL subscriptions efficiently and in particular on OpenShift clusters for using RHEL content when building images. You can read more about SCA benefits and how to enable it in Red Hat Customer Portal in this blog post.
Once SCA is enabled, the SCA entitlement certificates for your organization are pulled from Red Hat cloud infrastructure (OpenShift Cluster Manager at console.redhat.com) to the OpenShift cluster by the Insights Operator. Insights Operator is a component of OpenShift that is responsible for gathering configuration data relevant to the cluster health, which is further analyzed and used to proactively inform customers about potential issues. Insights Operator refreshes the SCA entitlements every eight hours by default by retrieving a new SCA entitlement and exposing them as a Kubernetes Secret named “etc-pki-entitlement” in the “openshift-config-managed” namespace. This namespace is only accessible to the cluster admins, and they can decide how they want to distribute this secret and make it available to the workloads in accordance with their organization's operational and security requirements.
This feature is Tech Preview in OpenShift 4.9.0 and thus can be enabled only by enabling the corresponding feature set in the cluster's feature gate. See the OpenShift documentation for more information.
Mount RHEL entitlements in Builds
The Kubernetes Secret that is placed on the cluster by the Insights Operator can be consumed for installing RHEL RPMs during builds on OpenShift in a variety of ways, depending on how the build is performed. Most OpenShift customers use BuildConfigs to execute a Dockerfile build. In that case, you can mount the Kubernetes Secret as a volume on the BuildConfig so that subscription-manager finds and uses the RHEL entitlements when RPMs are installed through the Dockerfile.
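The following script is an added example and is not code from the blog post or from the OpenShift project. It ties together the two steps described above: a cluster admin copies the Insights Operator's "etc-pki-entitlement" secret out of the admin-only "openshift-config-managed" namespace into a build namespace, and a BuildConfig in that namespace mounts the secret as a build volume so a Dockerfile can install RHEL packages. It assumes `oc` is logged in with cluster-admin rights, `jq` is installed, and the target namespace already exists; the namespace, BuildConfig name, Git URI and package name are constructed placeholders. The mount destination `/etc/pki/entitlement` and the removal of `/etc/rhsm-host` in the UBI image follow the OpenShift documentation for entitled builds.

```shell
#!/bin/sh
# Added example (not from the post): distribute the Insights Operator's
# entitlement secret to a build namespace and render a BuildConfig that
# mounts it for a Dockerfile build.

ENTITLEMENT_SECRET="etc-pki-entitlement"   # secret name created by the Insights Operator (from the post)
SOURCE_NS="openshift-config-managed"       # admin-only namespace holding the secret (from the post)

# Copy the secret into a build namespace. Cluster-specific metadata is
# stripped so `oc apply` can re-create it cleanly; the secret data itself
# (entitlement certificate and key) is left untouched. Because the Insights
# Operator refreshes the source secret on a schedule, re-run this copy on a
# schedule too (for example from a CronJob), otherwise builds will eventually
# use expired entitlements. Requires a live cluster; not exercised offline.
copy_entitlement_secret() {
  target_ns="$1"
  oc get secret "$ENTITLEMENT_SECRET" -n "$SOURCE_NS" -o json \
    | jq 'del(.metadata.namespace, .metadata.uid, .metadata.resourceVersion,
              .metadata.creationTimestamp, .metadata.managedFields,
              .metadata.ownerReferences)' \
    | oc apply -n "$target_ns" -f -
}

# Render a Docker-strategy BuildConfig that mounts the copied secret at
# /etc/pki/entitlement, the directory subscription-manager and dnf read
# entitlement certificates from. The secret must exist in the BuildConfig's
# own namespace (the builder service account can only read secrets there).
render_buildconfig() {
  bc_name="$1"   # constructed placeholder
  git_uri="$2"   # constructed placeholder
  cat <<EOF
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: ${bc_name}
spec:
  source:
    type: Git
    git:
      uri: ${git_uri}
  strategy:
    type: Docker
    dockerStrategy:
      volumes:
      - name: etc-pki-entitlement
        mounts:
        - destinationPath: /etc/pki/entitlement
        source:
          type: Secret
          secret:
            secretName: ${ENTITLEMENT_SECRET}
  output:
    to:
      kind: ImageStreamTag
      name: ${bc_name}:latest
EOF
}

# Render the Dockerfile the build above would use. The UBI base image ships
# /etc/rhsm-host, which points subscription-manager at the host's
# configuration; removing it makes the mounted entitlement the one that is
# used. The entitlement is only present during the build, so nothing from it
# ends up in the resulting image layers.
render_dockerfile() {
  cat <<'EOF'
FROM registry.access.redhat.com/ubi8/ubi:latest
RUN rm -rf /etc/rhsm-host && \
    dnf -y install RHEL_PACKAGE_PLACEHOLDER && \
    dnf clean all
EOF
}

# Usage (against a real cluster):
#   copy_entitlement_secret my-build-namespace
#   render_buildconfig entitled-build https://git.example.com/app.git | oc apply -n my-build-namespace -f -
#   render_dockerfile > Dockerfile
```

Keeping the secret in the admin-only namespace and copying it deliberately into specific build namespaces is what lets cluster admins decide who gets RHEL content; if the copy is scheduled, check that the schedule is shorter than the refresh interval the Insights Operator uses so the copies never lag behind the source.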
What’s next
Looking forward, we will continue improving the experience of building images on OpenShift. In the coming releases, we will facilitate the distribution of RHEL entitlement secrets across namespaces through Shared Resource CSI Driver and help cluster admins to make RHEL entitlements available across the cluster for eligible users.
About the authors
Siamak Sadeghianfar is a member of the Hybrid Cloud product management team at Red Hat leading the cloud-native application build and delivery on OpenShift.
Tomas works in the Observability team for Red Hat OpenShift and focuses on data collection in OpenShift clusters and related operators.