Uploaded image for project: 'Insights Experiences'
  1. Insights Experiences
  2. HMS-9818

Remove RHSM secrets discovery from osbuild/images and delegate to depsolver

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • None
    • Image Builder
    • None
    • Remove RHSM secrets discovery from osbuild/images and delegate to depsolver
    • To Do
    • False

      Summary

      https://github.com/osbuild/images/issues/2055

      The RHSM (Red Hat Subscription Manager) secrets discovery logic is duplicated between osbuild/images (Go) and osbuild (Python). This proposal suggests removing the discovery from osbuild/images and letting the depsolver handle it using osbuild's existing implementation.

      Current Behavior

      1. osbuild/images discovers RHSM secrets in pkg/rhsm/secrets.go and passes the certificate paths to the depsolver request
      2. The depsolver (osbuild-depsolve-dnf) uses these paths directly without doing any discovery
      3. After depsolving, osbuild/images sets Secrets = "org.osbuild.rhsm" on packages from RHSM repos
      4. When generating the manifest, sources are configured with just {{ {name: "org.osbuild.rhsm"}

        }} — no paths

      5. osbuild discovers RHSM secrets again at runtime using nearly identical logic in osbuild/util/rhsm.py

      Problem

      • Duplicated RHSM discovery code exists in both Go (pkg/rhsm/secrets.go) and Python (osbuild/util/rhsm.py)
      • The paths discovered by osbuild/images are only used for the depsolver request; they're not included in the manifest
      • osbuild already has this discovery logic and uses it for downloading sources

      Proposed Solution

      1. Remove RHSM secrets discovery from osbuild/images
      2. Have osbuild/images mark repos as requiring RHSM (e.g., via a flag) instead of providing paths
      3. Let the depsolver perform the discovery using osbuild's existing osbuild/util/rhsm.py

      This aligns the depsolving flow with how sources already work — both would use osbuild's RHSM discovery at runtime.

      Benefits

      • Removes duplicated code between Go and Python implementations
      • Simplifies the depsolver interface in osbuild/images
      • Single source of truth for RHSM discovery logic (osbuild)
      • Consistent behavior between depsolving and source downloading

      Tradeoffs

      • Errors about unsubscribed hosts would occur later (at depsolve time) instead of earlier (during request construction in Go)
      • Requires changes to both osbuild/images and osbuild repositories

      Related

      • osbuild RHSM discovery: osbuild/util/rhsm.py
      • osbuild/images RHSM discovery: pkg/rhsm/secrets.go
      • Depsolver integration: pkg/depsolvednf/depsolvednf.go

              Unassigned Unassigned
              thozza@redhat.com Tomas Hozza
              None
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: