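--- a/pkg/depsolvednf/depsolvednf.go
+++ b/pkg/depsolvednf/depsolvednf.go
@@ -506,11 +506,13 @@ func validatePackageSetRepoChain(pkgSets []rpmmd.PackageSet) error {
 }
 
 // validateSubscriptionsForRepos checks that RHSM subscriptions are available
-// for any repositories that require them.
+// for any repositories that require them. Repositories with RHUI set to true
+// are skipped since they use cloud instance identity for authentication
+// instead of RHSM entitlement certificates.
 func validateSubscriptionsForRepos(pkgSets []rpmmd.PackageSet, haveSubscriptions bool, subsErr error) error {
 for _, ps := range pkgSets {
 for _, repo := range ps.Repositories {
-if repo.RHSM && !haveSubscriptions {
+if repo.RHSM && !repo.RHUI && !haveSubscriptions {
 return fmt.Errorf("This system does not have any valid subscriptions. Subscribe it before specifying rhsm: true in sources (error details: %w)", subsErr)
 }
 }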
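Review bot: The new condition `repo.RHSM && !repo.RHUI && !haveSubscriptions` lets a repository that sets both `rhsm` and `rhui` skip the subscription check, and nothing in this hunk says whether that combination is meant to be valid. If the two flags are mutually exclusive, rejecting the pair here, for example `if repo.RHSM && repo.RHUI { return fmt.Errorf("repository sets both rhsm and rhui") }`, would surface a misconfigured source before it reaches the solver; if RHUI is meant to win, the doc comment should state that precedence explicitly. The check also does not confirm that the host actually has RHUI credentials, so a missing-credential failure is presumably deferred to the solver. The function body continues past the end of the hunk.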
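--- a/pkg/depsolvednf/v2.go
+++ b/pkg/depsolvednf/v2.go
@@ -47,6 +47,7 @@ type v2Repository struct {
 MetadataExpire string `json:"metadata_expire,omitempty"`
 ModuleHotfixes *bool `json:"module_hotfixes,omitempty"`
 RHSM bool `json:"rhsm,omitempty"`
+RHUI bool `json:"rhui,omitempty"`
 }
 
 // v2Package represents an RPM package with full metadata.
@@ -429,7 +430,12 @@ func (h *v2Handler) reposFromRPMMD(cfg *solverConfig, rpmRepos []rpmmd.RepoConfi
 dr.SSLVerify = common.ToPtr(!*rr.IgnoreSSL)
 }
 
-if rr.RHSM {
+if rr.RHUI {
+// RHUI repos delegate secret discovery to osbuild-depsolve-dnf.
+// The Python solver reads the host RHUI repo files and discovers
+// SSL certs from /etc/pki/rhui/ directly.
+dr.RHUI = true
+} else if rr.RHSM {
 // TODO: Enable V2 RHSM secrets discovery by setting dr.RHSM = true
 // and removing the client-side secrets resolution below.
 // This requires functional testing to ensure RHSM secrets discovery
@@ -539,9 +545,14 @@ func (h *v2Handler) toRPMMDPackage(pkg v2Package, repo *rpmmd.RepoConfig) (rpmmd
 rpmPkg.IgnoreSSL = *repo.IgnoreSSL
 }
 
-// Set mTLS secrets if SSLClientKey is set.
-// The Solver will override secrets to 'org.osbuild.rhsm' if the repo needs RHSM secrets.
-if repo.SSLClientKey != "" {
+// Set secrets based on the repository's authentication type.
+// The solver response includes rhui/rhsm flags indicating which
+// secrets provider to use for packages from this repo.
+if repo.RHUI {
+rpmPkg.Secrets = "org.osbuild.rhui"
+} else if repo.RHSM {
+rpmPkg.Secrets = "org.osbuild.rhsm"
+} else if repo.SSLClientKey != "" {
 rpmPkg.Secrets = "org.osbuild.mtls"
 }
 
@@ -604,6 +615,7 @@ func (h *v2Handler) toRPMMDRepoConfig(repo v2Repository) rpmmd.RepoConfig {
 SSLClientKey: repo.SSLClientKey,
 SSLClientCert: repo.SSLClientCert,
 RHSM: repo.RHSM,
+RHUI: repo.RHUI,
 }
 }
 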
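Review bot: The rewritten comment in the toRPMMDPackage hunk drops the earlier statement that the Solver overrides secrets to 'org.osbuild.rhsm', while the reposFromRPMMD hunk still carries a TODO saying `dr.RHSM = true` is not yet sent to the solver. If `repo` here is built from the solver response, the new `repo.RHSM` branch may not be taken until that TODO is resolved, and RHSM packages would still depend on the override; keeping a line such as `// Until dr.RHSM is sent, the Solver still overrides secrets to 'org.osbuild.rhsm' for RHSM repos.` would make that clear. The chain also gives RHUI and RHSM precedence over an explicitly configured `SSLClientKey`, which deserves a sentence in the comment so the ignored client key is not a surprise. Both function bodies extend beyond their hunks.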
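--- a/pkg/osbuild/curl_source.go
+++ b/pkg/osbuild/curl_source.go
@@ -45,6 +45,10 @@ func NewCurlPackageItem(pkg rpmmd.Package) (CurlSourceItem, error) {
 item.Secrets = &URLSecrets{
 Name: "org.osbuild.rhsm",
 }
+case "org.osbuild.rhui":
+item.Secrets = &URLSecrets{
+Name: "org.osbuild.rhui",
+}
 case "org.osbuild.mtls":
 item.Secrets = &URLSecrets{
 Name: "org.osbuild.mtls",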
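Review bot: The added `case "org.osbuild.rhui":` repeats the literal that v2.go assigns to `rpmPkg.Secrets`, so the two files have to be kept in sync by hand; a typo on either side would send the package to whatever the switch does for unknown names, which is outside this hunk. Named constants defined in one place and used by both files would remove that risk. If the switch is on `pkg.Secrets`, the three arms could also collapse into one case list with `item.Secrets = &URLSecrets{Name: pkg.Secrets}`. NewCurlPackageItem starts and ends outside the hunk.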
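--- a/pkg/rpmmd/repository.go
+++ b/pkg/rpmmd/repository.go
@@ -24,6 +24,7 @@ type repository struct {
 CheckGPG bool `json:"check_gpg,omitempty"`
 IgnoreSSL bool `json:"ignore_ssl,omitempty"`
 RHSM bool `json:"rhsm,omitempty"`
+RHUI bool `json:"rhui,omitempty"`
 ModuleHotfixes *bool `json:"module_hotfixes,omitempty"`
 MetadataExpire string `json:"metadata_expire,omitempty"`
 ImageTypeTags []string `json:"image_type_tags,omitempty"`
@@ -83,6 +84,7 @@ type RepoConfig struct {
 MetadataExpire string `json:"metadata_expire,omitempty"`
 ModuleHotfixes *bool `json:"module_hotfixes,omitempty"`
 RHSM bool `json:"rhsm,omitempty"`
+RHUI bool `json:"rhui,omitempty"`
 Enabled *bool `json:"enabled,omitempty"`
 ImageTypeTags []string `json:"image_type_tags,omitempty"`
 PackageSets []string `json:"package_sets,omitempty"`
@@ -119,6 +121,7 @@ func (r *RepoConfig) Hash() string {
 bpts(r.IgnoreSSL)+
 r.MetadataExpire+
 bts(r.RHSM)+
+bts(r.RHUI)+
 bpts(r.ModuleHotfixes)+
 r.SSLCACert+
 r.SSLClientKey+
@@ -164,6 +167,7 @@ func LoadRepositoriesFromReader(r io.Reader) (map[string][]RepoConfig, error) {
 GPGKeys: keys,
 CheckGPG: &repo.CheckGPG,
 RHSM: repo.RHSM,
+RHUI: repo.RHUI,
 MetadataExpire: repo.MetadataExpire,
 ModuleHotfixes: repo.ModuleHotfixes,
 ImageTypeTags: repo.ImageTypeTags,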
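Review bot: Adding `bts(r.RHUI)+` to the concatenation in `Hash()` presumably changes the hash of every RepoConfig, not only RHUI ones, if `bts` renders a non-empty value for false (its definition is not visible here); anything keyed on this hash would then be invalidated once after the upgrade. If that is intended, a comment such as `// NOTE: adding a field here changes the hash of all existing repo configs` would record it. The new `RHUI` fields on `repository` and `RepoConfig` also carry no doc comment, so the precedence over `RHSM` is only visible in v2.go; a line like `// RHUI marks a repo that authenticates with the host's RHUI client certificates; it takes precedence over RHSM.` on the struct field would document it where the field is defined. All four hunks cut through definitions that continue outside them.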