openshift-docs/modules/builds-source-secrets-entitlements.adoc

// Module included in the following assemblies:
//
//* builds/running-entitled-builds.adoc

:_mod-docs-content-type: PROCEDURE
[id="builds-source-secrets-entitlements_{context}"]
= Adding subscription entitlements as a build secret

Builds that use Red Hat subscriptions to install content must include the entitlement keys as a build secret.

.Prerequisites

ifndef::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
* You must have access to {op-system-base-full} package repositories through your subscription. The entitlement secret to access these repositories is automatically created by the {insights-operator} when your cluster is subscribed.
endif::openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]

* You must have access to the cluster as a user with the `cluster-admin` role or you have permission to access secrets in the `openshift-config-managed` project.

.Procedure

. Copy the entitlement secret from the `openshift-config-managed` namespace to the namespace of the build by entering the following commands:
+
[source,terminal]
----
$ cat << EOF > secret-template.txt
kind: Secret
apiVersion: v1
metadata:
  name: etc-pki-entitlement
type: Opaque
data: {{ range \$key, \$value := .data }}
  {{ \$key }}: {{ \$value }} {{ end }}
EOF
$ oc get secret etc-pki-entitlement -n openshift-config-managed -o=go-template-file --template=secret-template.txt | oc apply -f -
----

. Add the etc-pki-entitlement secret as a build volume in the build configuration's Docker strategy:
+
[source,yaml]
----
strategy:
  dockerStrategy:
    from:
      kind: ImageStreamTag
      name: ubi9:latest
    volumes:
    - name: etc-pki-entitlement
      mounts:
      - destinationPath: /etc/pki/entitlement
      source:
        type: Secret
        secret:
          secretName: etc-pki-entitlement
----