-
Bug
-
Resolution: Unresolved
-
Normal
-
None
-
None
-
rhc-worker-playbook-0.2.7-1.el10
-
None
-
Moderate
-
insights-ops-1
-
5
-
False
-
False
-
-
No
-
None
-
Unspecified Release Note Type - Unknown
-
Unspecified
-
Unspecified
-
Unspecified
-
None
Description/Background:
On RHEL 10, rhc-worker-playbook catches signature validation errors, but those errors are not surfaced to Insights Remediations users.
On RHEL 9, the resolution was to make the client not only log the signature validation failure, but also capture and report that failure to Insights, in RedHatInsights/rhc-worker-playbook#58. The same must be done for RHEL 10, which uses Go instead of Python.
Acceptance Criteria:
Share the list of tasks to be accomplished to be able to successfully complete this task
- Fix this issue in the main branch of the rhc-worker-playbook repository.
- Validate that the new rhc-worker-playbook code captures playbook validation errors, and those errors are surfaced to Insights Remediations users.
- New RPMs are built and shipped.
- CCT QE verification passes
- Remediations QE verification passes
Additional info:
I created a remediation plan by POSTing this to the Insights Remediations API, for a RHEL 10 system:
{
"name": "jaudet-test:invalidSignatureTasks",
"auto_reboot": false,
"archived": false,
"add": {
"issues": [
{
"id": "test:invalidSignatureTasks",
"resolution": "fix",
"systems": ["7ff524a7-f35b-4091-9bc9-ce16aa921398"]
}
]
}
}
I then executed the remediation plan. journalctl -fu yggdrasil.service logged this (trimmed):
sending HTTP request: GET https://cert.cloud.redhat.com/api/remediations/v1/remediations/ebec4cfd-fb0c-4c7e-a7bc-04286b0037dd/playbook?hosts=7ff524a7-f35b-4091-9bc9-ce16aa921398&localhost
emitted event: {Worker:rhc_worker_playbook Name:STARTED MessageID: ResponseTo: Data:map[]}
received HTTP response: &{200 OK 200 HTTP/2.0 2 0 map[Cache-Control:[private] Content-Disposition:[attachment;filename="jaudet-testinvalidsignaturetasks-1759267563648.yml"] Content-Type:[text/vnd.yaml; charset=utf-8] Date:[Tue, 30 Sep 2025 21:26:03 GMT] Etag:[W/"1127-8P1ExJQyolIbCW2Ow0z8FETkabM"] Server:[openresty] Set-Cookie:[3ba1432eca9ab72ebcff858daecadbf5=0ada61822e8f901e4327fed90af7b60d; path=/; HttpOnly; Secure; SameSite=None] Strict-Transport-Security:[max-age=31536000; includeSubDomains] Vary:[Accept-Encoding] X-Content-Type-Options:[nosniff] X-Frame-Options:[SAMEORIGIN] X-Powered-By:[Express] X-Rh-Edge-Cache-Status:[NotCacheable from child] X-Rh-Edge-Reference-Id:[0.3109c617.1759267563.58cb4327] X-Rh-Edge-Request-Id:[58cb4327] X-Rh-Insights-Request-Id:[216b00f2298c4fa6bcfd71211271b3b3]] 0xc000192930 -1 [] false true map[] 0xc000290640 0xc000292900}
emitted event: {Worker:rhc_worker_playbook Name:BEGIN MessageID:b5a839de-7a1c-47ff-8aee-1f62f405dd52 ResponseTo: Data:map[]}
send message b5a839de-7a1c-47ff-8aee-1f62f405dd52 to worker rhc_worker_playbook
emitted event: {Worker:rhc_worker_playbook Name:END MessageID:b5a839de-7a1c-47ff-8aee-1f62f405dd52 ResponseTo: Data:map[]}
journalctl -fu com.redhat.Yggdrasil1.Worker1.rhc_worker_playbook.service logged this (trimmed):
message received: message-id=b5a839de-7a1c-47ff-8aee-1f62f405dd52 cannot verify playbook: code=1 stdout= stderr=Play 'ping' has invalid signature cannot call rx: cannot verify playbook: err=cannot verify playbook: exit status 1 emitting event END
Meanwhile, the Insights Remediations end user sees this:
- links to
-
RHBA-2026:158419
rhc-worker-playbook update