Rewrite RPM lockfile README for full arch support

dfarrell07 · tpantelis · commit c09bab892860 · 2026-02-03T16:30:56.000-05:00
Update documentation to reflect that all 4 architectures (x86_64,
aarch64, ppc64le, s390x) are now working with standard RHEL repos.

Changes:
- Remove outdated "Current Status" table showing 403/EUS issues
- Remove "s390x EUS Solution" section (no longer needed)
- Remove "Blocking Issues" section for ppc64le
- Add numbered step-by-step workflow
- Add Konflux activation key upload instructions
- Update expected output examples to show all arches OK
- Reorganize into Prerequisites, Verification, Updating, Reference

Signed-off-by: Daniel Farrell &lt;dfarrell@redhat.com&gt;
diff --git a/.rpm-lockfiles/README.md b/.rpm-lockfiles/README.md
@@ -4,127 +4,174 @@ This directory contains RPM lockfiles and tooling for Konflux hermetic container
 
 **Directory Structure:**
 
-- Scripts and docs (this README) live on `devel`
+- Scripts and docs (this README) live on the `devel` branch
 - Component configs (`<component>/rpms.in.yaml`, `.repo` files) live on release branches
 
 ## Prerequisites
 
-Red Hat entitlement certificates are required to run the lockfile scripts.
+### 1. Red Hat Customer Portal Login ID
 
-### Activation Key Setup
+This is a separate account from your normal Red Hat SSO/Kerberos credentials.
+The login ID must follow a specific naming convention. See
+[Slack thread](https://redhat-internal.slack.com/archives/CKPULPXL3/p1767769916219789)
+for details on how to request one.
 
-Go to [Red Hat Console](https://console.redhat.com) → RHEL → Inventory → System Configuration →
-Activation Keys. These are RHEL activation keys; BaseOS and AppStream are auto-enabled for
-supported arches.
+### 2. Create Activation Key
 
-### Register Your System
+Log in with your Customer Portal credentials (not SSO) and create an activation key:
+
+https://console.redhat.com/insights/connector/activation-keys/
+
+**Note:** The activation key name is used as a secret. Keep the random default
+and add something like `yourname-yourproject-randomstring`.
+
+### 3. Add Repos to Activation Key
+
+RHEL 9 BaseOS and AppStream are auto-enabled - these are all that nettest requires.
+
+**Note:** UBI repos are public and don't require activation keys, but nettest
+needs `iperf3` and `tcpdump` which are only available in RHEL AppStream.
+
+### 4. Register Your System
 
 Red Hat VPN may be required.
 
 ```bash
-# If switching keys, unregister and clean first:
 sudo subscription-manager unregister
 sudo subscription-manager clean
-
-sudo subscription-manager register --org="YOUR_ORG_ID" --activationkey="YOUR_KEY_NAME"
+sudo subscription-manager register --org='<ORG_ID>' --activationkey='<KEY_NAME>'
 ```
 
-### Verify Access
+Find your org ID on the [activation key page](https://console.redhat.com/insights/connector/activation-keys/).
+
+### 5. Registry Login
 
 ```bash
-.rpm-lockfiles/check-repo-access.sh
+podman login registry.redhat.io
 ```
 
-## Current Status
-
-| Component | x86_64 | aarch64 | ppc64le | s390x |
-|-----------|--------|---------|---------|-------|
-| nettest   | OK     | OK      | 403     | EUS   |
+This uses your Red Hat account (not the new Customer Portal account).
 
-**Legend:**
+## Verification
 
-- OK = working with standard RHEL 9 repos
-- EUS = working with Extended Update Support repos (see s390x EUS Solution)
-- 403 = repos inaccessible with current subscription (see Blocking Issues)
+### 6. Verify Repository Access
 
-## s390x EUS Solution
-
-Standard RHEL 9 repos return 403 for s390x with self-serve subscriptions. However,
-**EUS (Extended Update Support) repos are accessible** and contain all required packages.
+```bash
+.rpm-lockfiles/check-repo-access.sh
+```
 
-The solution (implemented on release branches for nettest):
+Expected output (all OK):
 
-1. Add `skip_if_unavailable = 1` to standard repo entries (allows graceful fallback)
-2. Add s390x-specific EUS repo entries pointing to `content/eus/rhel9/9.4/s390x/`
-3. Add s390x to `rpms.in.yaml` arches and regenerate lockfile
-4. Add `linux/s390x` to Tekton pipeline build-platforms
+```text
+Shipyard RPM Dependency Status
+===============================
 
-See release branch `.rpm-lockfiles/nettest/` for working implementation.
+Component  Packages                        Repository        x86_64  aarch64 ppc64le s390x
+---------  ------------------------------  ----------------  ------  ------- ------- -----
+nettest    iperf3,tcpdump                  RHEL 9 AppStream  OK      OK      OK      OK
+nettest    bind-utils,curl,iproute,...     UBI (public)      OK      OK      OK      OK
 
-## Blocking Issues
+Legend: OK=accessible  403=subscription lacks this arch
+```
 
-### ppc64le (all components)
+### 7. Verify Packages (Optional)
 
-All RHEL 9 repos for ppc64le return 403 with self-serve activation keys:
-- Standard repos: 403
-- EUS repos: 403
-- TUS/E4S/AUS repos: 403
+```bash
+.rpm-lockfiles/verify-packages.sh <branch>
+```
 
-May require OpenShift Platform Plus or enterprise subscription with ppc64le entitlements.
+Runs dnf inside a container to verify each package is available for each architecture.
+Branch is required since component configs live on release branches, not devel.
 
-## Component Details
+Expected output:
 
-### nettest
+```text
+nettest (repos: rhel-9-for-appstream-rpms rhel-9-for-baseos-rpms)
+  x86_64   OK: bind-utils@rhel-appstream curl@rhel-baseos iperf3@rhel-appstream iproute@rhel-baseos iputils@rhel-baseos nmap-ncat@rhel-appstream tcpdump@rhel-appstream
+  aarch64  OK: bind-utils@rhel-appstream curl@rhel-baseos iperf3@rhel-appstream iproute@rhel-baseos iputils@rhel-baseos nmap-ncat@rhel-appstream tcpdump@rhel-appstream
+  ppc64le  OK: bind-utils@rhel-appstream curl@rhel-baseos iperf3@rhel-appstream iproute@rhel-baseos iputils@rhel-baseos nmap-ncat@rhel-appstream tcpdump@rhel-appstream
+  s390x    OK: bind-utils@rhel-appstream curl@rhel-baseos iperf3@rhel-appstream iproute@rhel-baseos iputils@rhel-baseos nmap-ncat@rhel-appstream tcpdump@rhel-appstream
+```
 
-| Package | Available In |
-|---------|--------------|
-| iperf3, tcpdump | RHEL 9 AppStream |
-| bind-utils, curl, iproute, iputils, nmap-ncat | UBI (public) |
+## Updating Lockfiles
 
-iperf3 and tcpdump are **not in UBI** - only RHEL 9 AppStream. s390x can use EUS repos; ppc64le requires a different subscription.
+### 8. Generate Lockfiles
 
-## Verification Scripts
+```bash
+.rpm-lockfiles/update-lockfile.sh <branch> [component]
+```
 
-### Quick Access Check
+Generates `rpms.lock.yaml` from component configs on the specified branch.
 
+Example:
 ```bash
-.rpm-lockfiles/check-repo-access.sh
+.rpm-lockfiles/update-lockfile.sh release-0.19 nettest
 ```
 
-Example output (actual results depend on your subscription):
+### 9. Update Tekton Pipeline Architectures
 
-```text
-Component  Packages                        Repository        x86_64  aarch64 ppc64le s390x
----------  ------------------------------  ----------------  ------  ------- ------- -----
-nettest    iperf3,tcpdump                  RHEL 9 AppStream  OK      OK      403     403
-nettest    bind-utils,curl,iproute,...     UBI (public)      OK      OK      OK      OK
+Ensure the `build-platforms` in `.tekton/<component>-*-push.yaml` and
+`.tekton/<component>-*-pull-request.yaml` match the arches in `rpms.in.yaml`.
+
+Example from a push pipeline:
+```yaml
+  - name: build-platforms
+    value:
+    - linux/x86_64
+    - linux/arm64
+    - linux/ppc64le
+    - linux/s390x
 ```
 
-**Note:** nettest s390x shows 403 because the script tests standard repos. EUS repos
-are accessible and can be configured in `.repo` files - see s390x EUS Solution.
+**Note:** Tekton uses `arm64` while lockfiles use `aarch64` - these refer to the same architecture.
+
+### 10. Upload Activation Key to Konflux
 
-### Detailed Package Verification
+Once local validation is complete, create a secret in your Konflux tenant namespace
+so builds can access subscription content.
 
+Login to the Konflux cluster:
 ```bash
-.rpm-lockfiles/verify-packages.sh [branch]
+oc login --web https://api.kflux-prd-rh02.0fk9.p1.openshiftapps.com:6443/
 ```
 
-Example output (actual results depend on your subscription and branch configuration):
-
-```text
-nettest (repos: rhel-9-for-appstream-rpms rhel-9-for-baseos-rpms rhel-9-for-s390x-appstream-eus-rpms ...)
-  x86_64   OK: bind-utils@rhel-appstream curl@rhel-baseos iperf3@rhel-appstream ...
-  aarch64  OK: bind-utils@rhel-appstream curl@rhel-baseos iperf3@rhel-appstream ...
-  ppc64le  NO REPO ACCESS (subscription lacks ppc64le)
-  s390x    OK: bind-utils@rhel-appstream-eus curl@rhel-baseos-eus iperf3@rhel-appstream-eus ...
+Check current state (record existing values before making changes):
+```bash
+oc get secret activation-key -n submariner-tenant -o yaml 2>/dev/null || echo "Secret does not exist yet"
 ```
 
-### Update Lockfiles
+Create or update the activation key secret:
+```bash
+oc create secret generic activation-key -n submariner-tenant \
+  --from-literal=org='<ORG_ID>' \
+  --from-literal=activationkey='<KEY_NAME>' \
+  --dry-run=client -o yaml | oc apply -f -
+```
 
+Verify both fields match what you set:
 ```bash
-.rpm-lockfiles/update-lockfile.sh <branch> [component]
+oc get secret activation-key -n submariner-tenant -o jsonpath='{.data.org}' | base64 -d && echo
+oc get secret activation-key -n submariner-tenant -o jsonpath='{.data.activationkey}' | base64 -d && echo
 ```
 
-Generates `rpms.lock.yaml` from component configs on the specified branch.
+Confirm the output matches `<ORG_ID>` and `<KEY_NAME>` from the create command above.
+
+Using the default name `activation-key` applies it to all builds in the namespace.
+
+See [Konflux activation key docs](https://konflux-ci.dev/docs/building/activation-keys-subscription/).
+
+---
+
+## Reference
+
+### Component Details
+
+#### nettest
+
+| Package | Source |
+|---------|--------|
+| iperf3, tcpdump | RHEL 9 AppStream |
+| bind-utils, curl, iproute, iputils, nmap-ncat | RHEL 9 BaseOS |
 
-**Additional prerequisite:** `podman login registry.redhat.io`
+**Note:** `iperf3` and `tcpdump` are NOT available in UBI repos - only in RHEL AppStream.
+This is why nettest requires RHEL subscription entitlements.
diff --git a/.rpm-lockfiles/check-repo-access.sh b/.rpm-lockfiles/check-repo-access.sh
@@ -68,4 +68,3 @@ echo
 echo -e "${B}Legend:${N} ${G}OK${N}=accessible  ${R}403${N}=subscription lacks this arch"
 echo
 echo -e "${B}Note:${N} iperf3 and tcpdump are NOT in UBI - only in RHEL AppStream."
-echo "      s390x: EUS repos are accessible (see README). ppc64le: blocked."
