Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 10. Using Red Hat subscriptions in builds

Use the following sections to install Red Hat subscription content within OpenShift Container Platform builds.

To install Red Hat Enterprise Linux (RHEL) packages within a build, you can create an image stream tag to reference the Red Hat Universal Base Image (UBI).

To make the UBI available in every project in the cluster, add the image stream tag to the openshift namespace. Otherwise, to make it available in a specific project, add the image stream tag to that project.

Image stream tags grant access to the UBI by using the registry.redhat.io credentials that are present in the install pull secret, without exposing the pull secret to other users. This method is more convenient than requiring each developer to install pull secrets with registry.redhat.io credentials in each project.

Procedure

  • To create an ImageStreamTag resource in the openshift namespace, so it is available to developers in all projects, enter the following command: 

    $ oc tag --source=docker registry.redhat.io/ubi9/ubi:latest ubi9:latest -n openshift
    Copy to Clipboard Toggle word wrap
    Tip

    You can alternatively apply the following YAML to create an ImageStreamTag resource in the openshift namespace: 

    apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: ubi9
  namespace: openshift
spec:
  tags:
  - from:
      kind: DockerImage
      name: registry.redhat.io/ubi9/ubi:latest
    name: latest
    referencePolicy:
      type: Source
    Copy to Clipboard Toggle word wrap

  • To create an ImageStreamTag resource in a single project, enter the following command: 

    $ oc tag --source=docker registry.redhat.io/ubi9/ubi:latest ubi:latest
    Copy to Clipboard Toggle word wrap
    Tip

    You can alternatively apply the following YAML to create an ImageStreamTag resource in a single project: 

    apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: ubi9
spec:
  tags:
  - from:
      kind: DockerImage
      name: registry.redhat.io/ubi9/ubi:latest
    name: latest
    referencePolicy:
      type: Source
    Copy to Clipboard Toggle word wrap

Builds that use Red Hat subscriptions to install content must include the entitlement keys as a build secret.

Prerequisites

  • You must have access to Red Hat Enterprise Linux (RHEL) package repositories through your subscription. The entitlement secret to access these repositories is automatically created by the Insights Operator when your cluster is subscribed.
  • You must have access to the cluster as a user with the cluster-admin role or you have permission to access secrets in the openshift-config-managed project.

Procedure

  1. Copy the entitlement secret from the openshift-config-managed namespace to the namespace of the build by entering the following commands: 

    $ cat << EOF > secret-template.txt
kind: Secret
apiVersion: v1
metadata:
  name: etc-pki-entitlement
type: Opaque
data: {{ range \$key, \$value := .data }}
  {{ \$key }}: {{ \$value }} {{ end }}
EOF
$ oc get secret etc-pki-entitlement -n openshift-config-managed -o=go-template-file --template=secret-template.txt | oc apply -f -
    Copy to Clipboard Toggle word wrap

  2. Add the etc-pki-entitlement secret as a build volume in the build configuration’s Docker strategy: 

    strategy:
  dockerStrategy:
    from:
      kind: ImageStreamTag
      name: ubi9:latest
    volumes:
    - name: etc-pki-entitlement
      mounts:
      - destinationPath: /etc/pki/entitlement
      source:
        type: Secret
        secret:
          secretName: etc-pki-entitlement
    Copy to Clipboard Toggle word wrap

10.3. Running builds with Subscription Manager
Copy link

10.3.1. Docker builds using Subscription Manager
Copy link

Docker strategy builds can use yum or dnf to install additional Red Hat Enterprise Linux (RHEL) packages.

Prerequisites

  • The entitlement keys must be added as build strategy volumes.

Procedure

  • Use the following as an example Dockerfile to install content with the Subscription Manager: 

    FROM registry.redhat.io/ubi9/ubi:latest
RUN rm -rf /etc/rhsm-host
    1 
    
RUN yum --enablerepo=codeready-builder-for-rhel-9-x86_64-rpms install \
    2 
    
    nss_wrapper \
    uid_wrapper -y && \
    yum clean all -y
RUN ln -s /run/secrets/rhsm /etc/rhsm-host
    3
    Copy to Clipboard Toggle word wrap
    1
    You must include the command to remove the /etc/rhsm-host directory and all its contents in your Dockerfile before executing any yum or dnf commands.
    2
    Use the Red Hat Package Browser to find the correct repositories for your installed packages.
    3
    You must restore the /etc/rhsm-host symbolic link to keep your image compatible with other Red Hat container images.

Builds that use Red Hat Satellite to install content must provide appropriate configurations to obtain content from Satellite repositories.

Prerequisites

  • You must provide or create a yum-compatible repository configuration file that downloads content from your Satellite instance.

    Sample repository configuration

    [test-<name>]
name=test-<number>
baseurl = https://satellite.../content/dist/rhel/server/7/7Server/x86_64/os
enabled=1
gpgcheck=0
sslverify=0
sslclientkey = /etc/pki/entitlement/...-key.pem
sslclientcert = /etc/pki/entitlement/....pem
    Copy to Clipboard Toggle word wrap

Procedure

  1. Create a ConfigMap object containing the Satellite repository configuration file by entering the following command: 

    $ oc create configmap yum-repos-d --from-file /path/to/satellite.repo
    Copy to Clipboard Toggle word wrap

  2. Add the Satellite repository configuration and entitlement key as a build volumes: 

    strategy:
  dockerStrategy:
    from:
      kind: ImageStreamTag
      name: ubi9:latest
    volumes:
    - name: yum-repos-d
      mounts:
      - destinationPath: /etc/yum.repos.d
      source:
        type: ConfigMap
        configMap:
          name: yum-repos-d
    - name: etc-pki-entitlement
      mounts:
      - destinationPath: /etc/pki/entitlement
      source:
        type: Secret
        secret:
          secretName: etc-pki-entitlement
    Copy to Clipboard Toggle word wrap

Docker strategy builds can use Red Hat Satellite repositories to install subscription content.

Prerequisites

  • You have added the entitlement keys and Satellite repository configurations as build volumes.

Procedure

  • Use the following example to create a Dockerfile for installing content with Satellite: 

    FROM registry.redhat.io/ubi9/ubi:latest
RUN rm -rf /etc/rhsm-host
    1 
    
RUN yum --enablerepo=codeready-builder-for-rhel-9-x86_64-rpms install \
    2 
    
    nss_wrapper \
    uid_wrapper -y && \
    yum clean all -y
RUN ln -s /run/secrets/rhsm /etc/rhsm-host
    3
    Copy to Clipboard Toggle word wrap
    1
    You must include the command to remove the /etc/rhsm-host directory and all its contents in your Dockerfile before executing any yum or dnf commands.
    2
    Contact your Satellite system administrator to find the correct repositories for the build’s installed packages.
    3
    You must restore the /etc/rhsm-host symbolic link to keep your image compatible with other Red Hat container images.

10.5. Running builds using SharedSecret objects
Copy link

You can use a SharedSecret object to securely access the entitlement keys of a cluster in builds. The SharedSecret object allows you to share and synchronize secrets across namespaces.

Important

The Shared Resource CSI Driver feature is now generally available in Builds for Red Hat OpenShift 1.1. To use this feature, ensure that you have installed Builds for Red Hat OpenShift 1.1 or later.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat