Story
Resolution: Unresolved
ZStream
rhel-display-applications
ssg_display
DESKTOP Cycle #1 10.1 phase, Display - Sprint 3/2025, Display - Sprint 4/2025, Display - Sprint 5/2025
Approved Blocker
Currently, when anyone wants to access the Red Hat Flatpak Registry, they have to use `podman login` and provide their redhat.com credentials to log in (as documented in the official documentation). This is a suboptimal UX and it could lead to a situation where Anaconda would preinstall Flatpaks, but they won't be updated unless the user logs in. Improve the situation by doing the following (quoted from this document):
Patch the flatpak client in RHEL 10, so that in addition to the standard handling of /etc/containers/certs.d, it additionally has the logic:
If the host is registry.redhat.io or registry.stage.redhat.io, and no cert is found in /etc/{docker/containers}/certs.d, then load the first (readdir order) pem/-key.pem pair from /etc/pki/entitlement and use that.
This should be reliable because the planned behavior for cert-registry.redhat.io is that any valid Red Hat entitlement or client certificate is treated as evidence of accepting the terms of use.
otaylor@redhat.com has prepared a patch for this and jgrulich@redhat.com has promised to do a scratch build of it for regression testing purposes. To test the feature as proposed we have to wait until at least registry.stage.redhat.io has the cert handling enabled, which hasn't happened yet, but we're in contact with the relevant team. Once it's enabled, the testing procedure should be the following:
1. Clean installation of RHEL 10.0
2. Add staging registry with !TBD!
3. Making sure to NOT run `podman login registry.stage.redhat.io`
4. Making sure that new build of flatpak is installed
5. Using `flatpak install rhel-stage org.mozilla.Firefox` should fail (upper case Firefox is used on purpose as it was renamed for 10.0 after beta which is not available on public facing registry)
6. Subscribing the system
7. Using `flatpak install rhel-stage org.mozilla.Firefox` should succeed now
- is blocked by: PROJQUAY-8746 Enable mTLS on registry.redhat.io (Closed)
- is related to: SAT-32491 Flatpak Support for Provisioning: Implement Certificate-Based Authentication for Container Content on Satellite (Release Pending)
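The selection order proposed in the description can be checked on a test system with a short script. This is an added example, not the patch mentioned above and not flatpak's code; it assumes client certs in certs.d are stored as `<name>.cert`/`<name>.key` under a per-host directory and that entitlement pairs are named `<id>.pem`/`<id>-key.pem`.

```python
import os

# Hosts for which the description proposes the entitlement fallback.
FALLBACK_HOSTS = {"registry.redhat.io", "registry.stage.redhat.io"}
CERTS_D_ROOTS = ("/etc/containers/certs.d", "/etc/docker/certs.d")
ENTITLEMENT_DIR = "/etc/pki/entitlement"

def certs_d_pair(host, roots):
    """Return (cert, key) from <root>/<host>/ (assumed *.cert + *.key naming)."""
    for root in roots:
        host_dir = os.path.join(root, host)
        if not os.path.isdir(host_dir):
            continue
        for entry in os.scandir(host_dir):
            if entry.name.endswith(".cert"):
                key = entry.path[:-len(".cert")] + ".key"
                if os.path.isfile(key):
                    return entry.path, key
    return None

def entitlement_pair(ent_dir):
    """Return the first <id>.pem with a matching <id>-key.pem, in directory order."""
    if not os.path.isdir(ent_dir):
        return None
    # os.scandir yields entries in directory (readdir) order, unsorted.
    for entry in os.scandir(ent_dir):
        name = entry.name
        if name.endswith(".pem") and not name.endswith("-key.pem"):
            key = entry.path[:-len(".pem")] + "-key.pem"
            if os.path.isfile(key):  # a cert without its key is skipped
                return entry.path, key
    return None

def select_client_cert(host, roots=CERTS_D_ROOTS, ent_dir=ENTITLEMENT_DIR):
    """Return (source, cert, key) the described logic would use, or None."""
    pair = certs_d_pair(host, roots)
    if pair:
        return ("certs.d",) + pair  # explicit configuration always wins
    if host in FALLBACK_HOSTS:
        pair = entitlement_pair(ent_dir)
        if pair:
            return ("entitlement",) + pair
    return None  # unsubscribed system or unrelated host: no client cert

if __name__ == "__main__":
    for h in sorted(FALLBACK_HOSTS):
        print(h, "->", select_client_cert(h))
```

Run before and after subscribing the system (steps 5 and 7): the result should change from `None` to an `entitlement` pair while certs.d stays empty.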