Bug
Resolution: Duplicate
Major
None
4.12, 4.11
None
Important
No
Rejected
False
Description of problem:
Entitled Builds using the SCA instructions as documented do not work.
Version-Release number of selected component (if applicable):
4.9+
How reproducible:
Always
Steps to Reproduce:
1. Configure the SCA option in your account.
2. Check your OpenShift cluster to confirm the entitlement secret was created. https://docs.openshift.com/container-platform/4.12/support/remote_health_monitoring/insights-operator-simple-access.html
3. Copy the secret to the namespace you are working in.
4. Attempt to build with something that requires the entitlement.
Actual results:
[root@borg ~]# oc new-build -D $'FROM registry.redhat.io/rhel7/rhel:latest\nRUN yum install -y kernel-devel' --name test-rhel7 --to test-rhel7
--> Found container image dc2f776 (2 days old) from registry.redhat.io for "registry.redhat.io/rhel7/rhel:latest"

Red Hat Enterprise Linux 7
--------------------------
The Red Hat Enterprise Linux Base image is designed to be a fully supported foundation for your containerized applications. This base image provides your operations and application teams with the packages, language runtimes and tools necessary to run, maintain, and troubleshoot all of your applications. This image is maintained by Red Hat and updated regularly. It is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. When used as the source for all of your containers, only one copy will ever be downloaded and cached in your production environment. Use this image just like you would a regular Red Hat Enterprise Linux distribution. Tools like yum, gzip, and bash are provided by default. For further information on how this image was built look at the /root/anacanda-ks.cfg file.

Tags: base rhel7

* An image stream tag will be created as "rhel:latest" that will track the source image
* A Docker build using a predefined Dockerfile will be created
* The resulting image will be pushed to image stream tag "test-rhel7:latest"
* Every time "rhel:latest" changes a new build will be triggered

--> Creating resources with label build=test-rhel7 ...
imagestream.image.openshift.io "rhel" created
imagestream.image.openshift.io "test-rhel7" created
buildconfig.build.openshift.io "test-rhel7" created
--> Success
[root@borg ~]# oc patch buildconfig.build.openshift.io/test-rhel7 --type merge --patch '{"spec":{"strategy":{"dockerStrategy":{"volumes":[{"mounts":[{"destinationPath":"/etc/pki/entitlement"}],"name":"etc-pki-entitlement","source":{"secret":{"defaultMode":420,"secretName":"etc-pki-entitlement"},"type":"Secret"}}]}}}}'
buildconfig.build.openshift.io/test-rhel7 patched
[root@borg ~]# oc start-build test-rhel7 --follow
build.build.openshift.io/test-rhel7-2 started
Replaced Dockerfile FROM image registry.redhat.io/rhel7/rhel:latest
time="2023-03-22T18:48:31Z" level=info msg="Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled"
I0322 18:48:31.362231 1 defaults.go:112] Defaulting to storage driver "overlay" with options [mountopt=metacopy=on].
Caching blobs under "/var/cache/blobs".
Pulling image registry.redhat.io/rhel7/rhel@sha256:49b77845b1f101cf37d2f1afdaf0748a365ff7f9c7bf81f7f1214bb45f46bfa5 ...
Trying to pull registry.redhat.io/rhel7/rhel@sha256:49b77845b1f101cf37d2f1afdaf0748a365ff7f9c7bf81f7f1214bb45f46bfa5...
Getting image source signatures
Copying blob sha256:3840fdda5b0af7d845fe3540f5ca8b094b19617bcd7837701270a6cefc68811f
Copying config sha256:dc2f776f25d99ab569ae289c3cf1d1fc670ec5e3d4f71215e7763bccd86c8a67
Writing manifest to image destination
Storing signatures
Adding transient rw bind mount for /run/secrets/rhsm
STEP 1/4: FROM registry.redhat.io/rhel7/rhel@sha256:49b77845b1f101cf37d2f1afdaf0748a365ff7f9c7bf81f7f1214bb45f46bfa5
STEP 2/4: RUN yum install -y kernel-devel
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
This system is not receiving updates. You can use subscription-manager on the host to register and assign subscriptions.
Repo rhel-7-server-rpms forced skip_if_unavailable=True due to: %(ca_cert_dir)sredhat-uep.pem
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] curl#77 - "Problem with the SSL CA cert (path? access rights?)"
Trying other mirror.
No package kernel-devel available.
Error: Nothing to do
error: build error: error building at STEP "RUN yum install -y kernel-devel": error while running runtime: exit status 1
[root@borg ~]# oc delete all -l build=test-rhel7
buildconfig.build.openshift.io "test-rhel7" deleted
build.build.openshift.io "test-rhel7-1" deleted
imagestream.image.openshift.io "rhel" deleted
imagestream.image.openshift.io "test-rhel7" deleted
[root@borg ~]# oc new-build -D $'FROM registry.redhat.io/ubi8/ubi:latest\nRUN dnf install -y kernel-devel' --name test-ubi8 --to test-ubi8
--> Found container image 270f760 (5 weeks old) from registry.redhat.io for "registry.redhat.io/ubi8/ubi:latest"

Red Hat Universal Base Image 8
------------------------------
The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.

Tags: base rhel8

* An image stream tag will be created as "ubi:latest" that will track the source image
* A Docker build using a predefined Dockerfile will be created
* The resulting image will be pushed to image stream tag "test-ubi8:latest"
* Every time "ubi:latest" changes a new build will be triggered

--> Creating resources with label build=test-ubi8 ...
imagestream.image.openshift.io "ubi" created
imagestream.image.openshift.io "test-ubi8" created
buildconfig.build.openshift.io "test-ubi8" created
--> Success
[root@borg ~]# oc patch buildconfig.build.openshift.io/test-ubi8 --type merge --patch '{"spec":{"strategy":{"dockerStrategy":{"volumes":[{"mounts":[{"destinationPath":"/etc/pki/entitlement"}],"name":"etc-pki-entitlement","source":{"secret":{"defaultMode":420,"secretName":"etc-pki-entitlement"},"type":"Secret"}}]}}}}'
buildconfig.build.openshift.io/test-ubi8 patched
[root@borg ~]# oc start-build test-ubi8 --follow
build.build.openshift.io/test-ubi8-2 started
Replaced Dockerfile FROM image registry.redhat.io/ubi8/ubi:latest
time="2023-03-22T18:50:35Z" level=info msg="Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled"
I0322 18:50:35.840248 1 defaults.go:112] Defaulting to storage driver "overlay" with options [mountopt=metacopy=on].
Caching blobs under "/var/cache/blobs".
Pulling image registry.redhat.io/ubi8/ubi@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13 ...
Trying to pull registry.redhat.io/ubi8/ubi@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13...
Getting image source signatures
Copying blob sha256:b92727ef7443d73bb77323e5a969bf02187286fccf53930e83dc82be60a36529
Copying config sha256:270f760d3d046dabd97e0b0f172ea326cb9afac988e3f2a74e8833eec21817b6
Writing manifest to image destination
Storing signatures
Adding transient rw bind mount for /run/secrets/rhsm
STEP 1/4: FROM registry.redhat.io/ubi8/ubi@sha256:b7e686e30346e9ace664fa09c0275262f8b9a443ed56d22165a0e201f6488c13
STEP 2/4: RUN dnf install -y kernel-devel
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
This system is not registered with an entitlement server. You can use subscription-manager to register.
Red Hat Enterprise Linux 8 for x86_64 - AppStre 0.0 B/s | 0 B 00:00
Errors during downloading metadata for repository 'rhel-8-for-x86_64-appstream-rpms':
- Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml [error setting certificate verify locations: CAfile: %(ca_cert_dir)sredhat-uep.pem CApath: none]
Error: Failed to download metadata for repo 'rhel-8-for-x86_64-appstream-rpms': Cannot download repomd.xml: Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml [error setting certificate verify locations: CAfile: %(ca_cert_dir)sredhat-uep.pem CApath: none]
error: build error: error building at STEP "RUN dnf install -y kernel-devel": error while running runtime: exit status 1
[root@borg ~]# oc delete all -l build=test-ubi8
buildconfig.build.openshift.io "test-ubi8" deleted
build.build.openshift.io "test-ubi8-1" deleted
build.build.openshift.io "test-ubi8-2" deleted
imagestream.image.openshift.io "test-ubi8" deleted
imagestream.image.openshift.io "ubi" deleted
(reverse-i-search)`new': oc ^Cw-project my2
[root@borg ~]# oc new-build -D $'FROM registry.redhat.io/ubi9/ubi:latest\nRUN dnf install -y kernel-devel' --name test-ubi9 --to test-ubi9
--> Found container image 9877f06 (4 weeks old) from registry.redhat.io for "registry.redhat.io/ubi9/ubi:latest"

Red Hat Universal Base Image 9
------------------------------
The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.

Tags: base rhel9

* An image stream tag will be created as "ubi:latest" that will track the source image
* A Docker build using a predefined Dockerfile will be created
* The resulting image will be pushed to image stream tag "test-ubi9:latest"
* Every time "ubi:latest" changes a new build will be triggered

--> Creating resources with label build=test-ubi9 ...
imagestream.image.openshift.io "ubi" created
imagestream.image.openshift.io "test-ubi9" created
buildconfig.build.openshift.io "test-ubi9" created
--> Success
[root@borg ~]# oc patch buildconfig.build.openshift.io/test-ubi9 --type merge --patch '{"spec":{"strategy":{"dockerStrategy":{"volumes":[{"mounts":[{"destinationPath":"/etc/pki/entitlement"}],"name":"etc-pki-entitlement","source":{"secret":{"defaultMode":420,"secretName":"etc-pki-entitlement"},"type":"Secret"}}]}}}}'
buildconfig.build.openshift.io/test-ubi9 patched
[root@borg ~]# oc start-build test-ubi9 --follow
build.build.openshift.io/test-ubi9-2 started
Replaced Dockerfile FROM image registry.redhat.io/ubi9/ubi:latest
time="2023-03-22T18:52:08Z" level=info msg="Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled"
I0322 18:52:08.210205 1 defaults.go:112] Defaulting to storage driver "overlay" with options [mountopt=metacopy=on].
Caching blobs under "/var/cache/blobs".
Pulling image registry.redhat.io/ubi9/ubi@sha256:d03c30dddefc59229303f49a94105d537ac324c86df9177ec5be37d30d44672d ...
Trying to pull registry.redhat.io/ubi9/ubi@sha256:d03c30dddefc59229303f49a94105d537ac324c86df9177ec5be37d30d44672d...
Getting image source signatures
Copying blob sha256:2a625e4afab51b49edb0e5f4ff37d8afbb20ec644ed1e68641358a6305557de3
Copying config sha256:9877f06ecc6f0d76ab8bfba1495a6dd1fd00aa3df13b1c1434c9ae65443f0feb
Writing manifest to image destination
Storing signatures
Adding transient rw bind mount for /run/secrets/rhsm
STEP 1/4: FROM registry.redhat.io/ubi9/ubi@sha256:d03c30dddefc59229303f49a94105d537ac324c86df9177ec5be37d30d44672d
STEP 2/4: RUN dnf install -y kernel-devel
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
This system is not registered with an entitlement server. You can use subscription-manager to register.
Red Hat Enterprise Linux 9 for x86_64 - BaseOS 0.0 B/s | 0 B 00:00
Errors during downloading metadata for repository 'rhel-9-for-x86_64-baseos-rpms':
- Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/repodata/repomd.xml [error setting certificate file: %(ca_cert_dir)sredhat-uep.pem]
Error: Failed to download metadata for repo 'rhel-9-for-x86_64-baseos-rpms': Cannot download repomd.xml: Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/repodata/repomd.xml [error setting certificate file: %(ca_cert_dir)sredhat-uep.pem]
error: build error: error building at STEP "RUN dnf install -y kernel-devel": error while running runtime: exit status 1
Expected results:
Successful builds
Additional info:
Adding /etc/rhsm/rhsm.conf on the host OR performing rm -rf /etc/rhsm-host inside the container before the package install are two workarounds for this issue. For whatever reason the variable "%(ca_cert_dir)s" is not resolving correctly when the pod does not have rhsm.conf mapped into /etc/rhsm-host/rhsm.conf. Adding the config file or removing the directory appears to get things working again. There are some very recent changes in the following BZ that I believe were attempting to resolve this issue for UBI9, but I think this needs a wider review: https://bugzilla.redhat.com/show_bug.cgi?id=2108549#c29
duplicates: OCPBUGS-23115 Doc for Builds with Red Hat Subscriptions Missing Steps (Closed)
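A check for this failure signature in a saved build log, added here as an example and not part of the original report: it prints the repositories whose failure line still carries the literal `%(ca_cert_dir)s` placeholder and ignores a curl error 77 where the CA path was expanded. The function names, the `control-repo` entry and the sample log are constructed, the log lines being built from the error text quoted in the report.

```shell
#!/bin/sh
# Added example, not from the original report.
# Constructed sample log, built from the error text quoted in the report.
# The last entry is a constructed control: curl error 77 with an expanded path.
sample_log() {
cat <<'EOF'
STEP 2/4: RUN yum install -y kernel-devel
Repo rhel-7-server-rpms forced skip_if_unavailable=True due to: %(ca_cert_dir)sredhat-uep.pem
STEP 2/4: RUN dnf install -y kernel-devel
Errors during downloading metadata for repository 'rhel-8-for-x86_64-appstream-rpms':
  - Curl error (77): Problem with the SSL CA cert (path? access rights?) [error setting certificate verify locations: CAfile: %(ca_cert_dir)sredhat-uep.pem CApath: none]
Error: Failed to download metadata for repo 'rhel-8-for-x86_64-appstream-rpms': Cannot download repomd.xml: Curl error (77) [error setting certificate verify locations: CAfile: %(ca_cert_dir)sredhat-uep.pem CApath: none]
Error: Failed to download metadata for repo 'control-repo': Cannot download repomd.xml: Curl error (77) [error setting certificate verify locations: CAfile: /etc/rhsm/ca/redhat-uep.pem CApath: none]
EOF
}

# Read a build log on stdin and print, once each, the repo IDs whose failure
# line still contains the literal, unexpanded "%(ca_cert_dir)s" placeholder.
unresolved_ca_repos() {
    awk -v q="'" '
        index($0, "%(ca_cert_dir)s") == 0 { next }  # CA path was expanded
        {
            id = ""
            if (match($0, "for repo " q "[^" q "]+" q)) {
                # dnf (RHEL 8/9): ... for repo <quote>ID<quote>: ...
                id = substr($0, RSTART + 10, RLENGTH - 11)
            } else if (match($0, /Repo [^ ]+ forced skip_if_unavailable/)) {
                # yum (RHEL 7): Repo ID forced skip_if_unavailable=True ...
                id = substr($0, RSTART + 5)
                sub(/ .*/, "", id)
            }
            if (id != "" && !(id in seen)) { seen[id] = 1; print id }
        }
    '
}

# Exit status 0 when the log shows this failure signature, 1 otherwise.
log_has_unresolved_ca() {
    [ -n "$(unresolved_ca_repos)" ]
}

sample_log | unresolved_ca_repos
```

Against a real build, pipe the output of `oc logs` for the failed build into `log_has_unresolved_ca` to tell this placeholder failure apart from a CA file that is genuinely missing or unreadable.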