CNF-18836 / CNF-20367: Reconfigure repo to allow mintmaker rpm updates to work with ubi9 images

fontivan · fontivan · commit 77bec012f723 · 2025-11-12T14:56:18.000-05:00
- Update container_build_args.conf to use the new ubi9 image - Update Makefile to parse the new images correctly and update the targets invoking the rpm-lock tooling - Update rpms.in.yaml - Remove now unnecessary ssl configuration - Remove context on Dockerfile - Add varsFromImage with reference to the same image in container_build_args.conf - Update rpms.lock.yaml with outputs from the rpm-lock script - Update pipeline on-cel-expressions Assisted-by: Cursor/claude-4-sonnet AI-attribution: AIA,Primarily human-created,Human-initiated,Reviewed,Cursor/claude-4-sonnet,v1.0 For more information on AI attribution statements, see: https://aiattribution.github.io/
diff --git a/.konflux/.gitignore b/.konflux/.gitignore
@@ -0,0 +1 @@
+lock-runtime/*
diff --git a/.konflux/Dockerfile.catalog b/.konflux/Dockerfile.catalog
@@ -35,7 +35,7 @@ ENV REGISTRY_AUTH_FILE=$HOME/.docker/config.json
 RUN SKIP_SUBMODULE_SYNC=yes make konflux-generate-catalog-production && \
     rm -f $HOME/.docker/config.json
 
-# run the catalog
+# Run the catalog
 FROM ${OPM_IMAGE}
 
 ENTRYPOINT ["/bin/opm"]
diff --git a/.konflux/container_build_args.conf b/.konflux/container_build_args.conf
@@ -18,7 +18,8 @@ OPENSHIFT_CLI_IMAGE=registry.redhat.io/openshift4/ose-cli-rhel9:v4.20@sha256:5f1
 #
 
 # The runtime image is used to run the binaries
-RUNTIME_IMAGE=registry.redhat.io/rhel9-6-els/rhel-minimal:9.6@sha256:9d598db1de300ae0b319b2d2b8b0f9459cc289f76f11dc8a659c13bab0d66393
+# This should match the varsFromImage in the rpms.in.yaml file
+RUNTIME_IMAGE=registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7
 #
 
 # The yq image is used at build time to manipulate yaml
diff --git a/.konflux/lock-runtime/.gitignore b/.konflux/lock-runtime/.gitignore
diff --git a/.konflux/lock-runtime/rpms.in.yaml b/.konflux/lock-runtime/rpms.in.yaml
diff --git a/.konflux/rpms.in.yaml b/.konflux/rpms.in.yaml
@@ -0,0 +1,90 @@
+---
+arches:
+  - x86_64
+  - aarch64
+contentOrigin:
+  # Repos defined in this list must exactly match the repos defined in the conforma configuration
+  # See https://github.com/release-engineering/rhtap-ec-policy/blob/main/data/known_rpm_repositories.yml
+  repos:
+    - repoid: ubi-9-for-$basearch-appstream-rpms
+      name: Red Hat Universal Base Image 9 for $basearch - AppStream (RPMs)
+      baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/os
+      enabled: "1"
+      gpgcheck: "1"
+      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+      sslverify: "1"
+      sslverifystatus: "1"
+      metadata_expire: "86400"
+      enabled_metadata: "1"
+      # This should match the RUNTIME_IMAGE in container_build_args.conf
+      varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7
+      #
+    - repoid: ubi-9-for-$basearch-appstream-eus-rpms
+      name: Red Hat Universal Base Image 9 for $basearch - AppStream EUS (RPMs)
+      baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/os
+      enabled: "1"
+      gpgcheck: "1"
+      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+      sslverify: "1"
+      sslverifystatus: "1"
+      metadata_expire: "86400"
+      enabled_metadata: "1"
+      # This should match the RUNTIME_IMAGE in container_build_args.conf
+      varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7
+      #
+    - repoid: ubi-9-for-$basearch-baseos-rpms
+      name: Red Hat Universal Base Image 9 for $basearch - BaseOS (RPMs)
+      baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/os
+      enabled: "1"
+      gpgcheck: "1"
+      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+      sslverify: "1"
+      sslverifystatus: "1"
+      metadata_expire: "86400"
+      enabled_metadata: "1"
+      # This should match the RUNTIME_IMAGE in container_build_args.conf
+      varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7
+      #
+    - repoid: ubi-9-for-$basearch-baseos-eus-rpms
+      name: Red Hat Universal Base Image 9 for $basearch - BaseOS EUS (RPMs)
+      baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/os
+      enabled: "1"
+      gpgcheck: "1"
+      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+      sslverify: "1"
+      sslverifystatus: "1"
+      metadata_expire: "86400"
+      enabled_metadata: "1"
+      # This should match the RUNTIME_IMAGE in container_build_args.conf
+      varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7
+      #
+    - repoid: codeready-builder-for-ubi-9-$basearch-rpms
+      name: Red Hat CodeReady Linux Builder for UBI 9 $basearch (RPMs)
+      baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/os/
+      enabled: "1"
+      gpgcheck: "1"
+      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+      sslverify: "1"
+      sslverifystatus: "1"
+      metadata_expire: "86400"
+      enabled_metadata: "1"
+      # This should match the RUNTIME_IMAGE in container_build_args.conf
+      varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7
+      #
+    - repoid: codeready-builder-for-ubi-9-$basearch-eus-rpms
+      name: Red Hat CodeReady Linux Builder for UBI 9 $basearch EUS (RPMs)
+      baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/os/
+      enabled: "1"
+      gpgcheck: "1"
+      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+      sslverify: "1"
+      sslverifystatus: "1"
+      metadata_expire: "86400"
+      enabled_metadata: "1"
+      # This should match the RUNTIME_IMAGE in container_build_args.conf
+      varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7
+      #
+packages:
+  - util-linux-core
+  - rsync
+  - tar
diff --git a/.konflux/rpms.lock.yaml b/.konflux/rpms.lock.yaml
@@ -4,22 +4,22 @@ lockfileVendor: redhat
 arches:
 - arch: aarch64
   packages:
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.6/aarch64/baseos/os/Packages/r/rsync-3.2.5-3.el9.aarch64.rpm
-    repoid: rhel-9-for-aarch64-baseos-rpms
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/r/rsync-3.2.5-3.el9.aarch64.rpm
+    repoid: ubi-9-for-aarch64-baseos-rpms
     size: 416293
     checksum: sha256:99235a7555f6454898ebbcdcf927ebed68e3a60599c9226b9d1d60578d292878
     name: rsync
     evr: 3.2.5-3.el9
     sourcerpm: rsync-3.2.5-3.el9.src.rpm
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.6/aarch64/baseos/os/Packages/t/tar-1.34-7.el9.aarch64.rpm
-    repoid: rhel-9-for-aarch64-baseos-rpms
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/t/tar-1.34-7.el9.aarch64.rpm
+    repoid: ubi-9-for-aarch64-baseos-rpms
     size: 900197
     checksum: sha256:44552dea889d350403c3074a33d7cb274b3f57553e47db998745df13f931b458
     name: tar
     evr: 2:1.34-7.el9
     sourcerpm: tar-1.34-7.el9.src.rpm
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.6/aarch64/baseos/os/Packages/u/util-linux-core-2.37.4-21.el9.aarch64.rpm
-    repoid: rhel-9-for-aarch64-baseos-rpms
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/u/util-linux-core-2.37.4-21.el9.aarch64.rpm
+    repoid: ubi-9-for-aarch64-baseos-rpms
     size: 476169
     checksum: sha256:e1d6b36eaaa048d6cb22799d3c463c95d0aadf5dac83fdcf05e9c047eb396406
     name: util-linux-core
@@ -29,22 +29,22 @@ arches:
   module_metadata: []
 - arch: x86_64
   packages:
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.6/x86_64/baseos/os/Packages/r/rsync-3.2.5-3.el9.x86_64.rpm
-    repoid: rhel-9-for-x86_64-baseos-rpms
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/r/rsync-3.2.5-3.el9.x86_64.rpm
+    repoid: ubi-9-for-x86_64-baseos-rpms
     size: 421930
     checksum: sha256:b1d90c38b613f2d66dfe0c7c3d067a3ce429f7b2ec5224e560f326fc2fd8d1e5
     name: rsync
     evr: 3.2.5-3.el9
     sourcerpm: rsync-3.2.5-3.el9.src.rpm
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.6/x86_64/baseos/os/Packages/t/tar-1.34-7.el9.x86_64.rpm
-    repoid: rhel-9-for-x86_64-baseos-rpms
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/t/tar-1.34-7.el9.x86_64.rpm
+    repoid: ubi-9-for-x86_64-baseos-rpms
     size: 910235
     checksum: sha256:17f2e592a2c04c050b690afeb9042e02521a0b5ee3288dad837463f4acf542c3
     name: tar
     evr: 2:1.34-7.el9
     sourcerpm: tar-1.34-7.el9.src.rpm
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.6/x86_64/baseos/os/Packages/u/util-linux-core-2.37.4-21.el9.x86_64.rpm
-    repoid: rhel-9-for-x86_64-baseos-rpms
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/u/util-linux-core-2.37.4-21.el9.x86_64.rpm
+    repoid: ubi-9-for-x86_64-baseos-rpms
     size: 480619
     checksum: sha256:36389814fcec56d9b9d4bd1a4a63efb1cefa00bc8bacab73f89ef8f8be04b1cd
     name: util-linux-core
diff --git a/.tekton/lifecycle-agent-4-21-pull-request.yaml b/.tekton/lifecycle-agent-4-21-pull-request.yaml
@@ -63,7 +63,7 @@ spec:
     - name: dev-package-managers
       value: "true"
     - name: prefetch-input
-      value: '[{"type": "rpm", "path": ".konflux/lock-runtime"}, {"type": "gomod", "path": "."}]'
+      value: '[{"type": "rpm", "path": ".konflux/"}, {"type": "gomod", "path": "."}]'
     - name: build-source-image
       value: "true"
     - name: skip-sast-coverity
diff --git a/.tekton/lifecycle-agent-4-21-push.yaml b/.tekton/lifecycle-agent-4-21-push.yaml
@@ -61,7 +61,7 @@ spec:
     - name: dev-package-managers
       value: "true"
     - name: prefetch-input
-      value: '[{"type": "rpm", "path": ".konflux/lock-runtime"}, {"type": "gomod", "path": "."}]'
+      value: '[{"type": "rpm", "path": ".konflux/"}, {"type": "gomod", "path": "."}]'
     - name: build-source-image
       value: "true"
     - name: skip-sast-coverity
diff --git a/.tekton/lifecycle-agent-fbc-4-21-pull-request.yaml b/.tekton/lifecycle-agent-fbc-4-21-pull-request.yaml
@@ -15,10 +15,10 @@ metadata:
       (
         '.konflux/catalog/***'.pathChanged() ||
         '.konflux/container_build_args.conf'.pathChanged() ||
-        '.konflux/Dockerfile.catalog'.pathChanged() ||
         '.tekton/fbc-pipeline.yaml'.pathChanged() ||
         '.tekton/images-mirror-set.yaml'.pathChanged() ||
         '.tekton/lifecycle-agent-fbc-4-21-pull-request.yaml'.pathChanged() ||
+        'Dockerfile.catalog'.pathChanged() ||
         'telco5g-konflux'.pathChanged() ||
         'telco5g-konflux/***'.pathChanged()
       )
diff --git a/.tekton/lifecycle-agent-fbc-4-21-push.yaml b/.tekton/lifecycle-agent-fbc-4-21-push.yaml
@@ -14,10 +14,10 @@ metadata:
       (
         '.konflux/catalog/***'.pathChanged() ||
         '.konflux/container_build_args.conf'.pathChanged() ||
-        '.konflux/Dockerfile.catalog'.pathChanged() ||
         '.tekton/fbc-pipeline.yaml'.pathChanged() ||
         '.tekton/images-mirror-set.yaml'.pathChanged() ||
         '.tekton/lifecycle-agent-fbc-4-21-push.yaml'.pathChanged() ||
+        'Dockerfile.catalog'.pathChanged() ||
         'telco5g-konflux'.pathChanged() ||
         'telco5g-konflux/***'.pathChanged()
       )
diff --git a/.yamllint.yaml b/.yamllint.yaml
@@ -4,7 +4,7 @@ yamllint:
   ignore:
     - .konflux/catalog/catalog-template.out.yaml   # This is generated for Konflux builds
     - .konflux/catalog/lifecycle-agent/catalog.yaml  # This is generated for Konflux builds
-    - .konflux/lock-runtime/rpms.lock.yaml  # These are generated files so linting them is problematic
+    - .konflux/rpms.lock.yaml  # These are generated files so linting them is problematic
     - bin/
     - bundle/   # These are generated files so linting them is problematic
     - config/   # These are generated files so linting them is problematic
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,6 @@
-#####################################################################################################
 # Build arguments
 ARG BUILDER_IMAGE=quay.io/projectquay/golang:1.24
-ARG RUNTIME_IMAGE=registry.access.redhat.com/ubi9-minimal:9.6-1760515502
+ARG RUNTIME_IMAGE=registry.access.redhat.com/ubi9-minimal:latest
 ARG OPENSHIFT_CLI_IMAGE=registry.redhat.io/openshift4/ose-cli-rhel9:latest
 
 # Build the binaries
diff --git a/Makefile b/Makefile
@@ -106,13 +106,6 @@ SHELL = /usr/bin/env GOFLAGS=$(GOFLAGS) bash -o pipefail
 
 .SHELLFLAGS = -ec
 
-# RHEL9_RELEASE defines the RHEL9 release version to update the rpm lock file for the runtime
-# This is automatically extracted from the RUNTIME_IMAGE in `.konflux/container_build_args.conf`
-RHEL9_RELEASE ?= $(shell awk -F'=' '/^RUNTIME_IMAGE=/ {split($$2, parts, /[:|@]/); print parts[2]}' $(PROJECT_DIR)/.konflux/container_build_args.conf)
-
-# Use make's built-in substitution function to replace the dot with a dash
-RHEL9_RELEASE_DASHED := $(subst .,-,$(RHEL9_RELEASE))
-
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "preview,fast,stable")
 # To re-generate a bundle for other specific channels without changing the standard setup, you can:
@@ -546,32 +539,22 @@ konflux-generate-catalog-production: sync-git-submodules yq opm ## generate a re
 
 .PHONY: konflux-update-rpm-lock-runtime
 konflux-update-rpm-lock-runtime: sync-git-submodules ## Update the rpm lock file for the runtime
+	@echo "Creating lock-runtime directory..."
+	mkdir -p $(PROJECT_DIR)/.konflux/lock-runtime/
+	@echo "Copying rpms.in.yaml to lock-runtime directory..."
+	cp $(PROJECT_DIR)/.konflux/rpms.in.yaml $(PROJECT_DIR)/.konflux/lock-runtime/rpms.in.yaml
+	@cat $(PROJECT_DIR)/.konflux/lock-runtime/rpms.in.yaml
 	@echo "Updating rpm lock file for the runtime..."
-	@echo "Creating modified Dockerfile in lock-runtime directory..."
-	cp $(PROJECT_DIR)/Dockerfile $(PROJECT_DIR)/.konflux/lock-runtime/Dockerfile
-	@echo "Updating RUNTIME_IMAGE value in copied Dockerfile..."
-	RUNTIME_IMAGE_VALUE=$$(awk -F'=' '/^RUNTIME_IMAGE=/ {print $$2}' $(PROJECT_DIR)/.konflux/container_build_args.conf); \
-	sed -i.bak \
-		-e "s|ARG RUNTIME_IMAGE=.*|ARG RUNTIME_IMAGE=$$RUNTIME_IMAGE_VALUE|g" \
-		-e "s|FROM \$${RUNTIME_IMAGE}|FROM $$RUNTIME_IMAGE_VALUE|g" \
-		-e "s|FROM --platform=linux/\$${GOARCH} \$${RUNTIME_IMAGE}|FROM --platform=linux/\$${GOARCH} $$RUNTIME_IMAGE_VALUE|g" \
-		$(PROJECT_DIR)/.konflux/lock-runtime/Dockerfile; \
-	rm -f $(PROJECT_DIR)/.konflux/lock-runtime/Dockerfile.bak
 	$(MAKE) -C $(PROJECT_DIR)/telco5g-konflux/scripts/rpm-lock generate-rhel9-locks \
-		LOCK_SCRIPT_TARGET_DIR=$(PROJECT_DIR)/.konflux/lock-runtime \
-		RHEL9_RELEASE=$(RHEL9_RELEASE) \
+		LOCK_SCRIPT_TARGET_DIR=$(PROJECT_DIR)/.konflux/lock-runtime/ \
 		RHEL9_ACTIVATION_KEY=$(RHEL9_ACTIVATION_KEY) \
 		RHEL9_ORG_ID=$(RHEL9_ORG_ID) \
-		RHEL9_EXECUTION_IMAGE=registry.redhat.io/rhel$(RHEL9_RELEASE_DASHED)-els/rhel:$(RHEL9_RELEASE) \
-		RHEL9_IMAGE_TO_LOCK=$$(awk -F'=' '/^RUNTIME_IMAGE=/ {print $$2}' $(PROJECT_DIR)/.konflux/container_build_args.conf); \
-	result=$$?; \
-	echo "Cleaning up copied Dockerfile..."; \
-	rm -f $(PROJECT_DIR)/.konflux/lock-runtime/Dockerfile; \
-	if [ $$result -ne 0 ]; then \
-		echo "rpm lock file update failed."; \
-		exit $$result; \
-	fi
-	@echo "Rpm lock file updated successfully."
+		RHEL9_EXECUTION_IMAGE=$$(awk -F'=' '/^ARG RUNTIME_IMAGE=/ {print $$2}' $(PROJECT_DIR)/.konflux/lock-runtime/Dockerfile | sed 's|ubi-minimal|ubi|g' | sed 's|@.*||') \
+		RHEL9_IMAGE_TO_LOCK=$$(awk -F'=' '/^ARG RUNTIME_IMAGE=/ {print $$2}' $(PROJECT_DIR)/.konflux/lock-runtime/Dockerfile)
+	@echo "Update rpms.lock.yaml with new contents..."
+	cp $(PROJECT_DIR)/.konflux/lock-runtime/rpms.lock.yaml $(PROJECT_DIR)/.konflux/rpms.lock.yaml
+	# intentionally keep lock-runtime directory for debugging purposes
+	@echo "RPM lock file updated successfully."
 
 .PHONY: konflux-update-tekton-task-refs
 konflux-update-tekton-task-refs: sync-git-submodules ## Update task references in Tekton pipeline files

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,8 @@ OPENSHIFT_CLI_IMAGE=registry.redhat.io/openshift4/ose-cli-rhel9:v4.20@sha256:5f1`
`18`	`18`	`#`
`19`	`19`
`20`	`20`	`# The runtime image is used to run the binaries`
`21`		`-RUNTIME_IMAGE=registry.redhat.io/rhel9-6-els/rhel-minimal:9.6@sha256:9d598db1de300ae0b319b2d2b8b0f9459cc289f76f11dc8a659c13bab0d66393`
	`21`	`+# This should match the varsFromImage in the rpms.in.yaml file`
	`22`	`+RUNTIME_IMAGE=registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7`
`22`	`23`	`#`
`23`	`24`
`24`	`25`	`# The yq image is used at build time to manipulate yaml`
Original file line number	Diff line number	Diff line change
`@@ -15,10 +15,10 @@ metadata:`
`15`	`15`	`(`
`16`	`16`	`'.konflux/catalog/***'.pathChanged() \|\|`
`17`	`17`	`'.konflux/container_build_args.conf'.pathChanged() \|\|`
`18`		`- '.konflux/Dockerfile.catalog'.pathChanged() \|\|`
`19`	`18`	`'.tekton/fbc-pipeline.yaml'.pathChanged() \|\|`
`20`	`19`	`'.tekton/images-mirror-set.yaml'.pathChanged() \|\|`
`21`	`20`	`'.tekton/lifecycle-agent-fbc-4-21-pull-request.yaml'.pathChanged() \|\|`
	`21`	`+ 'Dockerfile.catalog'.pathChanged() \|\|`
`22`	`22`	`'telco5g-konflux'.pathChanged() \|\|`
`23`	`23`	`'telco5g-konflux/***'.pathChanged()`
`24`	`24`	`)`