Task
Resolution: Done
Major
None
devex docs #213 Jan 13-Feb 3, devex docs #215 Feb 24-Mar 17
5
Documentation (Ref Guide, User Guide, etc.)
User Story
As a developer building applications on OpenShift
I want to use RHEL entitlements in my builds
So that I can add RHEL subscription content to my container image
Acceptance Criteria
Cluster admins should be able to do the following:
- Create a SharedSecret object on the cluster, referencing the entitlement secret that the insights operator places on the cluster (etc-pki-entitlement in the openshift-config-managed namespace)
- Create a Role/RoleBinding for the builder service account in a specific namespace, granting it permission to "use" the SharedSecret.
Developers should then be able to do the following:
- Add the shared entitlement to a Build
- Have the build consume the entitlement and access subscription content, for example `dnf install -y kernel-devel`
Docs Impact
The current guidance on consuming RHEL entitlements in builds should be extended to add instructions that:
- Enable tech preview on the cluster
- Create a `SharedSecret` using the cluster-wide entitlement
- Create a `RoleBinding` which allows the `builder` ServiceAccount to use the cluster entitlement
- Add the CSI volume to a BuildConfig which uses the shared secret and mounts the secret in the correct location
QE Impact
QE should verify this procedure works
PX Impact
Deferred to BUILD-397
Notes
For RBAC, there are alternatives to creating a namespaced role/rolebinding:
- Create a ClusterRole/ClusterRoleBinding which grants "use" permission for the SharedSecret so that all builder service accounts can access it.
- Create a ClusterRole that aggregates to the "edit" role.
Zvanko's blog post: https://cloud.redhat.com/blog/how-to-use-entitled-image-builds-to-build-drivercontainers-with-ubi-on-openshift
- account is impacted by: OCPBUILD-96 Verify that builds work with RHEL subscriptions (Closed)