Red Hat Summit 2020 is fast approaching, and if you missed it last year, you would have also missed Microsoft CEO Satya Nadella and former Red Hat CEO Jim Whitehurst announcing Red Hat and Microsoft's first joint offering: Azure Red Hat OpenShift (ARO).

Azure Red Hat OpenShift (ARO) is a fully managed service of Red Hat OpenShift on Azure, jointly engineered, operated and supported by Microsoft and Red Hat. 

Did you know that it is possible for both new and existing Red Hat customers to build Red Hat Enterprise Linux (RHEL) based container images on Azure Red Hat OpenShift?

In this blog I will demonstrate how to perform the following on Azure Red Hat OpenShift:

  • Build a RHEL based container with a Dockerfile using your existing Red Hat subscription, and;
  • Build a freely redistributable RHEL based container with a Dockerfile using the Red Hat Universal Base Image (UBI). 

Both of these methods will work on the current Azure Red Hat OpenShift offering, the next iteration of which will be based on OpenShift 4. 

Provisioning an Azure Red Hat OpenShift cluster

Let’s start with provisioning an Azure Red Hat OpenShift cluster. There are some prerequisites to complete: an existing Azure subscription is required, and users need to be created in Azure Active Directory. Follow the documentation to set the environment variables, then use the Azure CLI to create a resource group and provision the cluster.

$ az openshift create --resource-group $CLUSTER_NAME --name $CLUSTER_NAME -l $LOCATION --aad-client-app-id $APPID --aad-client-app-secret $SECRET --aad-tenant-id $TENANT --customer-admin-group-id $GROUPID

After about 10 to 15 minutes, the deployment process should have completed and the public URL for your fully managed Azure Red Hat OpenShift cluster is displayed. Log in to the console with your Active Directory credentials and copy the login command by clicking on your username and selecting “Copy login command.” This string will be used to log in to the cluster from the command line.

Using an existing Red Hat subscription

For this section I highly recommend using an existing RHEL machine which holds a valid subscription. This will make creating the OpenShift prerequisites required for the Dockerfile build much easier. The OpenShift command line tool ‘oc’ must also be installed on this machine. If you do not have an existing subscription, skip ahead to the section titled “Using the Universal Base Image (UBI)”.

Log in to the ARO cluster using the copied login command. It will look similar to the one below.

$ oc login https://osa{ID}.{REGION}.cloudapp.azure.com --token={ARO TOKEN}

Create a new OpenShift project

$ oc new-project rhel-build

If you do not have one already, create a registry service account so that you can pull a RHEL image from registry.redhat.io using your credentials. In a browser go to catalog.redhat.com, log in, select “Service Accounts” and then “New Service Account”. Download the generated OpenShift secret, then create the secret in your OpenShift project.

$ oc create -f {SECRET_FILE}.yaml -n rhel-build

Create a secret that contains the entitlements

$ oc create secret generic etc-pki-entitlement --from-file /etc/pki/entitlement/{ID}.pem --from-file /etc/pki/entitlement/{ID}-key.pem -n rhel-build

Create a configmap that contains the subscription manager configuration.

$ oc create configmap rhsm-conf --from-file /etc/rhsm/rhsm.conf -n rhel-build

Create a configmap for the certificate authority.

$ oc create configmap rhsm-ca --from-file /etc/rhsm/ca/redhat-uep.pem -n rhel-build

Create a build configuration in the project.

$ oc new-build https://github.com/grantomation/rhel-build.git --context-dir sub-build --name rhel-build -n rhel-build
$ oc get buildconfig rhel-build -n rhel-build
NAME         TYPE     FROM   LATEST
rhel-build   Docker   Git    1

List the secrets in the project

$ oc get secrets -n rhel-build
NAME                    TYPE                             DATA   AGE
{SERVICE PULL SECRET}   kubernetes.io/dockerconfigjson   1      2m

Set the registry pull credentials as a secret on the buildConfig

$ oc set build-secret --pull bc/rhel-build {SECRET CREATED BY REGISTRY SERVICE ACCOUNT FILE}

Patch the build configuration

$ oc patch buildconfig rhel-build -p '{"spec":{"source":{"configMaps":[{"configMap":{"name":"rhsm-conf"},"destinationDir":"rhsm-conf"},{"configMap":{"name":"rhsm-ca"},"destinationDir":"rhsm-ca"}],"secrets":[{"destinationDir":"etc-pki-entitlement","secret":{"name":"etc-pki-entitlement"}}]}}}' -n rhel-build

Start the Dockerfile build on OpenShift.

$ oc start-build rhel-build --follow -n rhel-build

Following a successful build, the new image is pushed to the internal OpenShift registry and an image stream is created in the project. To confirm that the image build worked correctly, the imagestream can be used to create an OpenShift application.

$ oc new-app rhel -n rhel-build

Create an edge route which will use the DigiCert certificate included on ARO.

$ oc create route edge --port 8080 --service rhel -n rhel-build

Curl the route to the application

$ curl https://$(oc get route rhel -o go-template='{{.spec.host}}')
Azure Red Hat OpenShift
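
An added example (not part of the original post or the grantomation/rhel-build repository): a check to run before `oc start-build` that the BuildConfig carries every input the steps above attach to it, namely the two configmaps, the entitlement secret and the registry pull secret. The script name `check_bc.py` and the sample BuildConfig are constructed for illustration.

```python
import json
import sys

# Inputs the procedure above attaches to the BuildConfig: (kind, name, destinationDir).
EXPECTED_INPUTS = [
    ("configMap", "rhsm-conf", "rhsm-conf"),
    ("configMap", "rhsm-ca", "rhsm-ca"),
    ("secret", "etc-pki-entitlement", "etc-pki-entitlement"),
]

def missing_build_inputs(bc, expected=EXPECTED_INPUTS):
    """Return a list of problems found in a BuildConfig dict (empty list = ready)."""
    spec = bc.get("spec", {})
    source = spec.get("source", {})
    problems = []
    for kind, name, dest in expected:
        entries = source.get(kind + "s") or []  # "configMaps" / "secrets"
        match = [e for e in entries if e.get(kind, {}).get("name") == name]
        if not match:
            problems.append(f"{kind} {name} is not a build input")
        elif match[0].get("destinationDir") != dest:
            problems.append(f"{kind} {name} has destinationDir "
                            f"{match[0].get('destinationDir')!r}, expected {dest!r}")
    # `oc set build-secret --pull` records the registry secret here for Docker builds.
    docker = spec.get("strategy", {}).get("dockerStrategy") or {}
    if not (docker.get("pullSecret") or {}).get("name"):
        problems.append("no pull secret set for registry.redhat.io")
    return problems

# Constructed sample: a BuildConfig where the patch was only partly applied.
SAMPLE = {
    "spec": {
        "source": {
            "configMaps": [
                {"configMap": {"name": "rhsm-conf"}, "destinationDir": "rhsm-conf"},
            ],
            "secrets": [
                {"secret": {"name": "etc-pki-entitlement"}, "destinationDir": "entitlement"},
            ],
        },
        "strategy": {"type": "Docker", "dockerStrategy": {}},
    }
}

if __name__ == "__main__":
    # Usage: oc get buildconfig rhel-build -n rhel-build -o json | python check_bc.py
    bc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for problem in missing_build_inputs(bc):
        print("MISSING:", problem)
```

Run without piped input, it reports the three gaps in the constructed sample; piped the real BuildConfig, it prints nothing when every input is wired as described.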

Using the Universal Base Image (UBI)

Red Hat UBI provides complementary runtime languages and packages that are freely redistributable. If you’re new to the UBI, you can check out Scott McCarty’s excellent blog and demo as a primer. Using the UBI as a base for your next containerised application is a great way to build and deploy on Azure Red Hat OpenShift. The following steps demonstrate how to use UBI based on RHEL 8. 

Create a new OpenShift project.

$ oc new-project ubi-build

Create a build configuration in the project.

$ oc new-build https://github.com/grantomation/rhel-build.git --context-dir ubi-build --name ubi-build -n ubi-build

Follow the container build.

$ oc logs -f build/ubi-build-1

To confirm that the image build worked correctly, the generated imagestream can be used to create an OpenShift application.

$ oc new-app ubi

Create an edge route which will use the DigiCert certificate included on ARO.

$ oc create route edge --port 8080 --service ubi -n ubi-build

Curl the route to the application.

$ curl https://$(oc get route ubi -o go-template='{{.spec.host}}')

And with that done, you've got an OpenShift cluster up and running in Azure, running RHEL based containers.