[release-4.20] CNF-18836 / CNF-20367: Reconfigure repo to allow mintmaker rpm updates to work with ubi9 images

.konflux/Dockerfile.catalog

@@ -35,7 +35,7 @@ ENV REGISTRY_AUTH_FILE=$HOME/.docker/config.json
 RUN SKIP_SUBMODULE_SYNC=yes make konflux-generate-catalog-production && \
     rm -f $HOME/.docker/config.json
 
-# run the catalog
+# Run the catalog
 FROM ${OPM_IMAGE}
 
 ENTRYPOINT ["/bin/opm"]

.konflux/container_build_args.conf

@@ -17,7 +17,9 @@ OPENSHIFT_CLI_IMAGE=registry.redhat.io/openshift4/ose-cli-rhel9:v4.20@sha256:5f1
 #
 
 # The runtime image is used to run the binaries
-RUNTIME_IMAGE=registry.redhat.io/rhel9-6-els/rhel-minimal:9.6@sha256:f62b9615bdda046bf7c10743448639ec665650502472f79d81813b194a978d35
+# This should match the varsFromImage in the rpms.in.yaml file
+# Mintmaker should keep these in sync automatically when it performs updates
+RUNTIME_IMAGE=registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7
 #
 
 # The yq image is used at build time to manipulate yaml

.konflux/lock-runtime/.gitignore

@@ -1,4 +1 @@
-Dockerfile
-podman_script.sh
-redhat.repo
-rpms.out.yaml
+tmp/

.konflux/lock-runtime/rpms.in.yaml

@@ -6,94 +6,90 @@ contentOrigin:
   # Repos defined in this list must exactly match the repos defined in the conforma configuration
   # See https://github.com/release-engineering/rhtap-ec-policy/blob/main/data/known_rpm_repositories.yml
   repos:
-    - repoid: rhel-9-for-$basearch-appstream-rpms
-      name: Red Hat Enterprise Linux 9 for $basearch - AppStream (RPMs)
-      baseurl: https://cdn.redhat.com/content/dist/rhel9/{version}/$basearch/appstream/os
+    - repoid: ubi-9-for-$basearch-appstream-rpms
+      name: Red Hat Universal Base Image 9 for $basearch - AppStream (RPMs)
+      baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/os
       enabled: "1"
       gpgcheck: "1"
       gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
       sslverify: "1"
-      sslcacert: /etc/rhsm/ca/redhat-uep.pem
-      sslclientkey: /etc/pki/entitlement/placeholder-key.pem
-      sslclientcert: /etc/pki/entitlement/placeholder.pem
       sslverifystatus: "1"
       metadata_expire: "86400"
       enabled_metadata: "1"
-      varsFromContainerfile: Dockerfile
-    - repoid: rhel-9-for-$basearch-appstream-eus-rpms
-      name: Red Hat Enterprise Linux 9 for $basearch - AppStream EUS (RPMs)
-      baseurl: https://cdn.redhat.com/content/eus/rhel9/{version}/$basearch/appstream/os
+      # This should match the RUNTIME_IMAGE in container_build_args.conf
+      # Mintmaker should keep these in sync automatically when it performs updates
+      varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7
+      #
+    - repoid: ubi-9-for-$basearch-appstream-eus-rpms
+      name: Red Hat Universal Base Image 9 for $basearch - AppStream EUS (RPMs)
+      baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/appstream/os
       enabled: "1"
       gpgcheck: "1"
       gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
       sslverify: "1"
-      sslcacert: /etc/rhsm/ca/redhat-uep.pem
-      sslclientkey: /etc/pki/entitlement/placeholder-key.pem
-      sslclientcert: /etc/pki/entitlement/placeholder.pem
       sslverifystatus: "1"
       metadata_expire: "86400"
       enabled_metadata: "1"
-      varsFromContainerfile: Dockerfile
-    - repoid: rhel-9-for-$basearch-baseos-rpms
-      name: Red Hat Enterprise Linux 9 for $basearch - BaseOS (RPMs)
-      baseurl: https://cdn.redhat.com/content/dist/rhel9/{version}/$basearch/baseos/os
+      # This should match the RUNTIME_IMAGE in container_build_args.conf
+      # Mintmaker should keep these in sync automatically when it performs updates
+      varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7
+      #
+    - repoid: ubi-9-for-$basearch-baseos-rpms
+      name: Red Hat Universal Base Image 9 for $basearch - BaseOS (RPMs)
+      baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/os
       enabled: "1"
       gpgcheck: "1"
       gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
       sslverify: "1"
-      sslcacert: /etc/rhsm/ca/redhat-uep.pem
-      sslclientkey: /etc/pki/entitlement/placeholder-key.pem
-      sslclientcert: /etc/pki/entitlement/placeholder.pem
       sslverifystatus: "1"
       metadata_expire: "86400"
       enabled_metadata: "1"
-      varsFromContainerfile: Dockerfile
-    - repoid: rhel-9-for-$basearch-baseos-eus-rpms
-      name: Red Hat Enterprise Linux 9 for $basearch - BaseOS EUS (RPMs)
-      baseurl: https://cdn.redhat.com/content/eus/rhel9/{version}/$basearch/baseos/os
+      # This should match the RUNTIME_IMAGE in container_build_args.conf
+      # Mintmaker should keep these in sync automatically when it performs updates
+      varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7
+      #
+    - repoid: ubi-9-for-$basearch-baseos-eus-rpms
+      name: Red Hat Universal Base Image 9 for $basearch - BaseOS EUS (RPMs)
+      baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/baseos/os
       enabled: "1"
       gpgcheck: "1"
       gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
       sslverify: "1"
-      sslcacert: /etc/rhsm/ca/redhat-uep.pem
-      sslclientkey: /etc/pki/entitlement/placeholder-key.pem
-      sslclientcert: /etc/pki/entitlement/placeholder.pem
       sslverifystatus: "1"
       metadata_expire: "86400"
       enabled_metadata: "1"
-      varsFromContainerfile: Dockerfile
-    - repoid: codeready-builder-for-rhel-9-$basearch-rpms
-      name: Red Hat CodeReady Linux Builder for RHEL 9 $basearch (RPMs)
-      baseurl: https://cdn.redhat.com/content/dist/rhel9/{version}/$basearch/codeready-builder/os
+      # This should match the RUNTIME_IMAGE in container_build_args.conf
+      # Mintmaker should keep these in sync automatically when it performs updates
+      varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7
+      #
+    - repoid: codeready-builder-for-ubi-9-$basearch-rpms
+      name: Red Hat CodeReady Linux Builder for UBI 9 $basearch (RPMs)
+      baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/os/
       enabled: "1"
       gpgcheck: "1"
       gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
       sslverify: "1"
-      sslcacert: /etc/rhsm/ca/redhat-uep.pem
-      sslclientkey: /etc/pki/entitlement/placeholder-key.pem
-      sslclientcert: /etc/pki/entitlement/placeholder.pem
       sslverifystatus: "1"
       metadata_expire: "86400"
       enabled_metadata: "1"
-      varsFromContainerfile: Dockerfile
-    - repoid: codeready-builder-for-rhel-9-$basearch-eus-rpms
-      name: Red Hat CodeReady Linux Builder for RHEL 9 $basearch EUS (RPMs)
-      baseurl: https://cdn.redhat.com/content/eus/rhel9/{version}/$basearch/codeready-builder/os
+      # This should match the RUNTIME_IMAGE in container_build_args.conf
+      # Mintmaker should keep these in sync automatically when it performs updates
+      varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7
+      #
+    - repoid: codeready-builder-for-ubi-9-$basearch-eus-rpms
+      name: Red Hat CodeReady Linux Builder for UBI 9 $basearch EUS (RPMs)
+      baseurl: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/$basearch/codeready-builder/os/
       enabled: "1"
       gpgcheck: "1"
       gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
       sslverify: "1"
-      sslcacert: /etc/rhsm/ca/redhat-uep.pem
-      sslclientkey: /etc/pki/entitlement/placeholder-key.pem
-      sslclientcert: /etc/pki/entitlement/placeholder.pem
       sslverifystatus: "1"
       metadata_expire: "86400"
       enabled_metadata: "1"
-      varsFromContainerfile: Dockerfile
-context:
-  containerfile:
-    file: Dockerfile
-    stageName: runtime-image
+      # This should match the RUNTIME_IMAGE in container_build_args.conf
+      # Mintmaker should keep these in sync automatically when it performs updates
+      varsFromImage: registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:53ea1f6d835898acda5becdb3f8b1292038a480384bbcf994fc0bcf1f7e8eaf7
+      #
 packages:
   - util-linux-core
   - rsync

.konflux/lock-runtime/rpms.lock.yaml

@@ -4,22 +4,22 @@ lockfileVendor: redhat
 arches:
 - arch: aarch64
   packages:
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.6/aarch64/baseos/os/Packages/r/rsync-3.2.5-3.el9.aarch64.rpm
-    repoid: rhel-9-for-aarch64-baseos-rpms
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/r/rsync-3.2.5-3.el9.aarch64.rpm
+    repoid: ubi-9-for-aarch64-baseos-rpms
     size: 416293
     checksum: sha256:99235a7555f6454898ebbcdcf927ebed68e3a60599c9226b9d1d60578d292878
     name: rsync
     evr: 3.2.5-3.el9
     sourcerpm: rsync-3.2.5-3.el9.src.rpm
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.6/aarch64/baseos/os/Packages/t/tar-1.34-7.el9.aarch64.rpm
-    repoid: rhel-9-for-aarch64-baseos-rpms
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/t/tar-1.34-7.el9.aarch64.rpm
+    repoid: ubi-9-for-aarch64-baseos-rpms
     size: 900197
     checksum: sha256:44552dea889d350403c3074a33d7cb274b3f57553e47db998745df13f931b458
     name: tar
     evr: 2:1.34-7.el9
     sourcerpm: tar-1.34-7.el9.src.rpm
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.6/aarch64/baseos/os/Packages/u/util-linux-core-2.37.4-21.el9.aarch64.rpm
-    repoid: rhel-9-for-aarch64-baseos-rpms
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/u/util-linux-core-2.37.4-21.el9.aarch64.rpm
+    repoid: ubi-9-for-aarch64-baseos-rpms
     size: 476169
     checksum: sha256:e1d6b36eaaa048d6cb22799d3c463c95d0aadf5dac83fdcf05e9c047eb396406
     name: util-linux-core
@@ -29,22 +29,22 @@ arches:
   module_metadata: []
 - arch: x86_64
   packages:
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.6/x86_64/baseos/os/Packages/r/rsync-3.2.5-3.el9.x86_64.rpm
-    repoid: rhel-9-for-x86_64-baseos-rpms
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/r/rsync-3.2.5-3.el9.x86_64.rpm
+    repoid: ubi-9-for-x86_64-baseos-rpms
     size: 421930
     checksum: sha256:b1d90c38b613f2d66dfe0c7c3d067a3ce429f7b2ec5224e560f326fc2fd8d1e5
     name: rsync
     evr: 3.2.5-3.el9
     sourcerpm: rsync-3.2.5-3.el9.src.rpm
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.6/x86_64/baseos/os/Packages/t/tar-1.34-7.el9.x86_64.rpm
-    repoid: rhel-9-for-x86_64-baseos-rpms
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/t/tar-1.34-7.el9.x86_64.rpm
+    repoid: ubi-9-for-x86_64-baseos-rpms
     size: 910235
     checksum: sha256:17f2e592a2c04c050b690afeb9042e02521a0b5ee3288dad837463f4acf542c3
     name: tar
     evr: 2:1.34-7.el9
     sourcerpm: tar-1.34-7.el9.src.rpm
-  - url: https://cdn.redhat.com/content/dist/rhel9/9.6/x86_64/baseos/os/Packages/u/util-linux-core-2.37.4-21.el9.x86_64.rpm
-    repoid: rhel-9-for-x86_64-baseos-rpms
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/u/util-linux-core-2.37.4-21.el9.x86_64.rpm
+    repoid: ubi-9-for-x86_64-baseos-rpms
     size: 480619
     checksum: sha256:36389814fcec56d9b9d4bd1a4a63efb1cefa00bc8bacab73f89ef8f8be04b1cd
     name: util-linux-core

.tekton/lifecycle-agent-4-20-pull-request.yaml

@@ -63,7 +63,7 @@ spec:
     - name: dev-package-managers
       value: "true"
     - name: prefetch-input
-      value: '[{"type": "rpm", "path": ".konflux/lock-runtime"}, {"type": "gomod", "path": "."}]'
+      value: '[{"type": "rpm", "path": ".konflux/lock-runtime/"}, {"type": "gomod", "path": "."}]'
     - name: build-source-image
       value: "true"
     - name: skip-sast-coverity

.tekton/lifecycle-agent-4-20-push.yaml

@@ -61,7 +61,7 @@ spec:
     - name: dev-package-managers
       value: "true"
     - name: prefetch-input
-      value: '[{"type": "rpm", "path": ".konflux/lock-runtime"}, {"type": "gomod", "path": "."}]'
+      value: '[{"type": "rpm", "path": ".konflux/lock-runtime/"}, {"type": "gomod", "path": "."}]'
     - name: build-source-image
       value: "true"
     - name: skip-sast-coverity

.yamllint.yaml

@@ -4,7 +4,7 @@ yamllint:
   ignore:
     - .konflux/catalog/catalog-template.out.yaml   # This is generated for Konflux builds
     - .konflux/catalog/lifecycle-agent/catalog.yaml  # This is generated for Konflux builds
-    - .konflux/lock-runtime/rpms.lock.yaml  # These are generated files so linting them is problematic
+    - .konflux/rpms.lock.yaml  # These are generated files so linting them is problematic
     - bin/
     - bundle/   # These are generated files so linting them is problematic
     - config/   # These are generated files so linting them is problematic

Dockerfile

@@ -1,7 +1,6 @@
-#####################################################################################################
 # Build arguments
 ARG BUILDER_IMAGE=quay.io/projectquay/golang:1.24
-ARG RUNTIME_IMAGE=registry.access.redhat.com/ubi9-minimal:9.6-1760515502
+ARG RUNTIME_IMAGE=registry.access.redhat.com/ubi9-minimal:latest
 ARG OPENSHIFT_CLI_IMAGE=registry.redhat.io/openshift4/ose-cli-rhel9:latest
 
 # Build the binaries

Makefile

@@ -5,14 +5,6 @@
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
 VERSION ?= 4.20.0
 
-# RHEL9_ACTIVATION_KEY defines the activation key to use for the rpm lock file for the runtime
-# This should be set in your environment prior to running the `konflux-update-rpm-lock-runtime` target
-RHEL9_ACTIVATION_KEY ?= ""
-
-# RHEL9_ORG_ID defines the organization to use for the rpm lock file for the runtime
-# This should be set in your environment prior to running the `konflux-update-rpm-lock-runtime` target
-RHEL9_ORG_ID ?= ""
-
 # BASHATE_VERSION defines the bashate version to download from GitHub releases.
 BASHATE_VERSION ?= 2.1.1
 
@@ -106,13 +98,6 @@ SHELL = /usr/bin/env GOFLAGS=$(GOFLAGS) bash -o pipefail
 
 .SHELLFLAGS = -ec
 
-# RHEL9_RELEASE defines the RHEL9 release version to update the rpm lock file for the runtime
-# This is automatically extracted from the RUNTIME_IMAGE in `.konflux/container_build_args.conf`
-RHEL9_RELEASE ?= $(shell awk -F'=' '/^RUNTIME_IMAGE=/ {split($$2, parts, /[:|@]/); print parts[2]}' $(PROJECT_DIR)/.konflux/container_build_args.conf)
-
-# Use make's built-in substitution function to replace the dot with a dash
-RHEL9_RELEASE_DASHED := $(subst .,-,$(RHEL9_RELEASE))
-
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "preview,fast,stable")
 # To re-generate a bundle for other specific channels without changing the standard setup, you can:
@@ -546,32 +531,20 @@ konflux-generate-catalog-production: sync-git-submodules yq opm ## generate a re
 
 .PHONY: konflux-update-rpm-lock-runtime
 konflux-update-rpm-lock-runtime: sync-git-submodules ## Update the rpm lock file for the runtime
+	@echo "Creating lock-runtime/tmp/ directory..."
+	mkdir -p $(PROJECT_DIR)/.konflux/lock-runtime/tmp/
+	@echo "Copying rpms.in.yaml to lock-runtime directory..."
+	cp $(PROJECT_DIR)/.konflux/lock-runtime/rpms.in.yaml $(PROJECT_DIR)/.konflux/lock-runtime/tmp/rpms.in.yaml
+	@cat $(PROJECT_DIR)/.konflux/lock-runtime/tmp/rpms.in.yaml
 	@echo "Updating rpm lock file for the runtime..."
-	@echo "Creating modified Dockerfile in lock-runtime directory..."
-	cp $(PROJECT_DIR)/Dockerfile $(PROJECT_DIR)/.konflux/lock-runtime/Dockerfile
-	@echo "Updating RUNTIME_IMAGE value in copied Dockerfile..."
-	RUNTIME_IMAGE_VALUE=$$(awk -F'=' '/^RUNTIME_IMAGE=/ {print $$2}' $(PROJECT_DIR)/.konflux/container_build_args.conf); \
-	sed -i.bak \
-		-e "s|ARG RUNTIME_IMAGE=.*|ARG RUNTIME_IMAGE=$$RUNTIME_IMAGE_VALUE|g" \
-		-e "s|FROM \$${RUNTIME_IMAGE}|FROM $$RUNTIME_IMAGE_VALUE|g" \
-		-e "s|FROM --platform=linux/\$${GOARCH} \$${RUNTIME_IMAGE}|FROM --platform=linux/\$${GOARCH} $$RUNTIME_IMAGE_VALUE|g" \
-		$(PROJECT_DIR)/.konflux/lock-runtime/Dockerfile; \
-	rm -f $(PROJECT_DIR)/.konflux/lock-runtime/Dockerfile.bak
 	$(MAKE) -C $(PROJECT_DIR)/telco5g-konflux/scripts/rpm-lock generate-rhel9-locks \
-		LOCK_SCRIPT_TARGET_DIR=$(PROJECT_DIR)/.konflux/lock-runtime \
-		RHEL9_RELEASE=$(RHEL9_RELEASE) \
-		RHEL9_ACTIVATION_KEY=$(RHEL9_ACTIVATION_KEY) \
-		RHEL9_ORG_ID=$(RHEL9_ORG_ID) \
-		RHEL9_EXECUTION_IMAGE=registry.redhat.io/rhel$(RHEL9_RELEASE_DASHED)-els/rhel:$(RHEL9_RELEASE) \
-		RHEL9_IMAGE_TO_LOCK=$$(awk -F'=' '/^RUNTIME_IMAGE=/ {print $$2}' $(PROJECT_DIR)/.konflux/container_build_args.conf); \
-	result=$$?; \
-	echo "Cleaning up copied Dockerfile..."; \
-	rm -f $(PROJECT_DIR)/.konflux/lock-runtime/Dockerfile; \
-	if [ $$result -ne 0 ]; then \
-		echo "rpm lock file update failed."; \
-		exit $$result; \
-	fi
-	@echo "Rpm lock file updated successfully."
+		LOCK_SCRIPT_TARGET_DIR=$(PROJECT_DIR)/.konflux/lock-runtime/tmp/ \
+		RHEL9_EXECUTION_IMAGE=$$(awk -F'=' '/^RUNTIME_IMAGE=/ {print $$2}' $(PROJECT_DIR)/.konflux/container_build_args.conf | sed 's|ubi-minimal|ubi|g' | sed 's|@.*||') \
+		RHEL9_IMAGE_TO_LOCK=$$(awk -F'=' '/^RUNTIME_IMAGE=/ {print $$2}' $(PROJECT_DIR)/.konflux/container_build_args.conf)
+	@echo "Update rpms.lock.yaml with new contents..."
+	cp $(PROJECT_DIR)/.konflux/lock-runtime/tmp/rpms.lock.yaml $(PROJECT_DIR)/.konflux/lock-runtime/rpms.lock.yaml
+	# intentionally keep lock-runtime/tmp/ directory for debugging purposes
+	@echo "RPM lock file updated successfully."
 
 .PHONY: konflux-update-tekton-task-refs
 konflux-update-tekton-task-refs: sync-git-submodules ## Update task references in Tekton pipeline files