
Add RHUI support for cloud instance authentication #2208

Open
brandonrc wants to merge 2 commits into osbuild:main from brandonrc:rhui-support


@brandonrc brandonrc commented Feb 17, 2026

Summary

Adds RHUI (Red Hat Update Infrastructure) support so that cloud RHEL instances can build images using RHUI repos instead of requiring RHSM subscriptions.

All secrets discovery logic (SSL cert resolution, cloud identity headers) lives in the Python depsolve solver in osbuild/osbuild#2355 — this PR only adds the data model plumbing and request/response wiring needed for the Go side to pass rhui: true to the solver and consume its response. No depsolver secrets discovery logic is added here, per #2055.

Closes #2207
Related: osbuild/osbuild-composer#820 (original report), osbuild/osbuild#2355 (Python solver RHUI support), osbuild/osbuild-composer#5028

Changes

1. rpmmd,osbuild: add RHUI field and curl source support

  • Add RHUI bool field to RepoConfig and repository structs in pkg/rpmmd/repository.go
  • Include RHUI in RepoConfig.Hash() so RHUI repos get distinct cache keys
  • Wire RHUI through LoadRepositoriesFromReader()
  • Add case "org.osbuild.rhui" to NewCurlPackageItem() in pkg/osbuild/curl_source.go

2. depsolvednf: wire RHUI flag through solver request and response

  • Add RHUI bool to v2Repository and pass it through reposFromRPMMD() so the Python solver can discover RHUI SSL certs from host repo files
  • Propagate RHUI from solver response repos via toRPMMDRepoConfig()
  • Set org.osbuild.rhui secrets in toRPMMDPackage() based on the response repo's RHUI flag
  • Update validateSubscriptionsForRepos() to skip RHUI repos (they use cloud instance identity, not RHSM entitlement certs)
  • applyRHSMSecrets() is unchanged — it is still needed for the existing RHSM path since Go does not yet send rhsm=true to the solver (see TODO in reposFromRPMMD)

How it works

  1. osbuild-composer sets RHUI: true on repo configs for cloud RHEL repos
  2. Go passes rhui: true in the depsolve request to osbuild-depsolve-dnf
  3. The Python solver discovers SSL certs from /etc/pki/rhui/ and cloud identity headers (AWS/GCP) — all in osbuild#2355 ("Add native RHUI support for building images on cloud instances")
  4. The solver response returns rhui: true + secrets: "org.osbuild.rhui" on resolved repos
  5. Go reads the response flags and sets org.osbuild.rhui on packages from those repos
  6. The curl source uses org.osbuild.rhui secrets provider to download RPMs with cloud-specific auth

Test plan

  • End-to-end on AWS EC2 RHEL 8.10 — full qcow2 compose with 469 RPMs from RHUI repos
  • Existing TestApplyRHSMSecrets tests pass (function unchanged from main)

Stopgap

Until this is merged, users can use osbuild-rhui-shim as a workaround.
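
The data-model rules listed under Changes above (RHUI in the cache key, the org.osbuild.rhui secrets name, the validation skip), as an added Go example that is not code from this PR or from osbuild/images. The Repo type, the function names and the repo URL are hypothetical, and rejecting a repo with both flags set is an assumption of the example.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Repo is a hypothetical stand-in for a repository config, not the project's RepoConfig.
type Repo struct {
	ID, BaseURL string
	RHSM, RHUI  bool
}

// CacheKey folds both auth flags into the hash so metadata fetched with one
// credential type is never reused for a repo that authenticates differently.
func CacheKey(r Repo) string {
	h := sha256.Sum256([]byte(fmt.Sprintf("%q|%q|rhsm=%t|rhui=%t", r.ID, r.BaseURL, r.RHSM, r.RHUI)))
	return fmt.Sprintf("%x", h)
}

// SecretsProvider picks the provider name recorded on packages from a repo.
// Assumption: both flags set is rejected rather than silently preferring one.
func SecretsProvider(r Repo) (string, error) {
	switch {
	case r.RHSM && r.RHUI:
		return "", fmt.Errorf("repo %s: rhsm and rhui are mutually exclusive", r.ID)
	case r.RHUI:
		return "org.osbuild.rhui", nil
	case r.RHSM:
		return "org.osbuild.rhsm", nil
	}
	return "", nil
}

// ValidateSubscriptions fails closed for RHSM repos on a host with no
// subscription, and skips RHUI repos, which use cloud instance identity.
func ValidateSubscriptions(repos []Repo, hostHasSubscription bool) error {
	for _, r := range repos {
		if r.RHSM && !r.RHUI && !hostHasSubscription {
			return fmt.Errorf("repo %s requires an RHSM subscription", r.ID)
		}
	}
	return nil
}

func main() {
	r := Repo{ID: "rhel-8-baseos-rhui", BaseURL: "https://rhui.example.invalid/baseos", RHUI: true} // constructed sample
	fmt.Println(SecretsProvider(r))
}
```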

Member

@thozza thozza left a comment

Thank you for the PR.

However, due to #2055 I'll block this. I don't want the depsolver change to land in this repo, it should land in osbuild/osbuild instead. I'll look at the other PR.

@brandonrc
Author

> Thank you for the PR.
>
> However, due to #2055 I'll block this. I don't want the depsolver change to land in this repo, it should land in osbuild/osbuild instead. I'll look at the other PR.

Thanks for the update. I was worried about where that depsolver change should land myself.

@brandonrc
Author

I am working on some changes now to see if everything builds and works in a fresh AWS EC2 instance with my changes that remove this out of the images repo.

Add RHUI bool field to repository and RepoConfig structs so that
repo definitions can mark repositories as using RHUI (Red Hat Update
Infrastructure) for cloud instance authentication.

- Add RHUI to repository, RepoConfig, Hash(), LoadRepositoriesFromReader()
- Add "org.osbuild.rhui" case to NewCurlPackageItem() for manifest generation

Pass the RHUI flag to the Python depsolve solver so it can discover
SSL certificates from host RHUI repo files (/etc/pki/rhui/). The
actual secrets discovery is handled by osbuild-depsolve-dnf
(osbuild/osbuild#2355), not here — per osbuild#2055.

- v2Repository: add RHUI field for solver request/response
- reposFromRPMMD: pass RHUI=true to solver (no client-side cert resolution)
- toRPMMDRepoConfig: propagate RHUI from solver response
- toRPMMDPackage: set org.osbuild.rhui secrets from response repo flag
- validateSubscriptionsForRepos: skip RHUI repos (they don't need RHSM subs)

@schutzbot
Contributor

This PR changes the images API or behaviour causing integration failures with osbuild-composer. The next update of the images dependency in osbuild-composer will need work to adapt to these changes.

This is simply a notice. It will not block this PR from being merged.

@brandonrc
Author

Updated this PR based on @thozza's feedback about #2055.

What changed:

All depsolver secrets discovery logic has been moved to the Python solver in osbuild/osbuild#2355. This PR no longer modifies applyRHSMSecrets() or adds any secrets discovery logic — it only contains:

  • Data model: RHUI bool on RepoConfig/repository structs, Hash(), LoadRepositoriesFromReader()
  • Manifest generation: case "org.osbuild.rhui" in NewCurlPackageItem()
  • Solver plumbing: pass rhui: true to the Python solver, read the flag back from the response, set org.osbuild.rhui secrets on packages
  • Validation: skip RHUI repos in validateSubscriptionsForRepos() (1-line change)

Net diff is 28 insertions, 6 deletions across 4 files. applyRHSMSecrets() and its tests are untouched from main.

The companion osbuild PR (osbuild/osbuild#2355) handles all the heavy lifting: RHUI cert discovery from /etc/pki/rhui/, cloud identity headers for AWS/GCP, and the secrets field on the V2 solver response.

Tested end-to-end on AWS EC2 RHEL 8.10 — full qcow2 compose with 469 RPMs from RHUI repos.
