Subscription benefits for secure deployments

Entitlements add security to deployments in Red Hat services and Red Hat OpenShift. However, entitled builds require extra work. This article details the process step-by-step. We will start with getting the entitlements, certificate authority (CA), and configuration files, and end with a BuildConfig in OpenShift.

Recently, I was engaged in a project where I had to create a Jenkins Maven agent with Selenium Server and Google Chrome. I realized that to install the Chrome client, I needed several repositories on Red Hat Enterprise Linux or CentOS. I followed the official OpenShift documentation and did other research to achieve the deployment. This article shows my process.

Subscription entitlements

Subscriptions and systems are managed globally through the Red Hat entitlement service, which is integrated with the Customer Portal. Whenever a subscription is attached to a system, the system is entitled to support services and content for that product. The subscription certificates attached to a system are in a certificate file located in the /etc/pki/entitlement/ directory.

Entitlement certificates contain additional information about available products and configured content repositories.
A system is allocated a product subscription by subscribing to the entitlement pool that makes that product available, and unsubscribing a machine removes it from the product or entitlement pool, which releases that entitlement subscription it had consumed.

Getting the entitlements, CA, and configuration

There are two ways to get the entitlements: through the Red Hat Subscription Management console or from an image. This article covers the second method.

Download a Universal Base Image (UBI) from the Red Hat Ecosystem Catalog as follows:

$ podman pull registry.access.redhat.com/ubi8/ubi:latest

Run the following command to create a new container:

$ podman run --name ubi8 registry.access.redhat.com/ubi8/ubi:latest tail -f /dev/null

Execute a new terminal inside the container and subscribe it with your credentials:

$ podman exec -ti ubi8 /bin/bash
$ subscription-manager register --username=<USERNAME> --password=<PASSWORD>

Get the certificates from the container file system and save them on your computer:

$ podman cp ubi8:/etc/rhsm rhsm -> conf + ca
$ podman cp ubi8:/etc/pki/entitlement -> entitlement file

From the files copied, the ones that you need are:

• Entitlements: /etc/pki/entitlement

   -> XXXXX.pem
   -> XXXXX-key.pem
  

• Configuration: /etc/rhsm/

   -> rhsm.conf
  

• CA: /etc/rhsm/ca

   -> redhat-entitlement-authority.pem
   -> redhat-uep.pem

Creating the Dockerfile

I used the following Dockerfile to cover all the requirements from the client. The Dockerfile contains some comments to help you understand it. All the files except the entitlements can be retrieved from my GitHub repository. The file is:

FROM registry.redhat.io/openshift4/ose-jenkins-agent-maven:v4.9

USER root

# Copy entitlements
COPY ./etc-pki-entitlement /etc/pki/entitlement
# Copy subscription manager configurations
COPY ./rhsm-conf /etc/rhsm
COPY ./rhsm-ca /etc/rhsm/ca
# Add Chrome Repo
COPY google-chrome.repo /etc/yum.repos.d/google-chrome.repo
# Add chrome-driver installation script
COPY install-chrome-driver.sh .
# Copy Selenium server
COPY selenium-server-standalone-3.141.59.jar .
# Copy Init Script
COPY init.sh .

# Delete /etc/rhsm-host to use entitlements from the build container
RUN rm /etc/rhsm-host && \
    # Initialize /etc/yum.repos.d/redhat.repo
    # See https://access.redhat.com/solutions/1443553
    yum repolist --disablerepo=* && \
    subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms && \
    yum -y update && \
    yum -y install google-chrome-stable && \
    # Remove entitlements and Subscription Manager configs
    rm -rf /etc/pki/entitlement && \
    rm -rf /etc/rhsm

# Install Chrome & chromedriver
RUN ./install-chrome-driver.sh

USER 1001

ENTRYPOINT [ "sh", "./init.sh" ]

Deployment on OpenShift

This section covers the commands you need to run the final BuildConfig.

Secrets

This PKI entitlements secret will be injected into the container when the BuildConfig runs. Create the secret as follows :

$ oc create secret generic etc-pki-entitlement \
--from-file <location>/<-key.pem>.pem \
--from-file <location>/<number>-key.pem

Create the configuration secret:

$ oc create secret generic rhsm-conf --from-file <location>/rhsm.conf

Finally, create the secret with the CA:

$ oc create secret generic rhsm-ca \
--from-file <location>/redhat-entitlement-authority.pem  \
--from-file <location>/redhat-uep.pem

BuildConfig

Now we'll create the BuildConfig with the right build secrets mapped to the desired location. If you are using the Jenkins Source-to-Image (S2I) image, you can also add the label that appears in the following command to allow the OpenShift Sync plugin to automatically create the slave:

$ oc new-build https://github.com/misanche/jenkins-slave-selenium.git#ocp \
--name=jenkins-slave-chrome1 -e GIT_SSL_NO_VERIFY=true \
--build-secret "etc-pki-entitlement:etc-pki-entitlement" \
--build-secret "rhsm-conf:rhsm-conf" --build-secret "rhsm-ca:rhsm-ca" \
--labels=role=jenkins-slave -n <namespace>

These steps should allow you to create entitled builds in OpenShift.

Additional resources

To summarize, the process can be hard at first, but it is easier to do it once you know the concepts. Here are a few other useful resources to explore:

• How to use entitled image builds to build DriverContainers with UBI on OpenShift
• Entitled builds on OpenShift 4