ostree: configurable MTLS config for ostree resolve

[lzap]

To complete edge service Pulp migration, we need to be able to resolve and download ostree commits from Pulp running behind console.redhat.com proxy which only supports MTLS for authentication. I have found that some MTLS support is already present but it does not make much sense why RHSM is used. I cannot figure out a workflow why ostree repo would be published via RHSM cert. I am not aware of any RH ostree content hosted via RH CDN.

This this patch is a proposal to completely remove the RHSM from ostree pipeline and replace it with simple ENV variables for CA cert, client cert and key. We only need support for accessing Insights. This feature can be possibly used by anyone wanting MTLS for ostree from which ability to set a CA cert is I think pretty helpful feature for anyone.

Now, this will likely break things, when I search for org.osbuild.rhsm.consumer I see couple of places so please search with me and help me to find what else needs to be refactored. Thanks.

Reuses variables from osbuild/osbuild-composer#4412

[lzap]

For the record, we want to use the same cert which is used to access RPM content, maybe there already is an ENV variable for that? @croissanne

[croissanne]

The mtls secrets need to be passed in the same way as https://github.com/osbuild/osbuild-composer/blob/main/cmd/osbuild-worker/jobimpl-depsolve.go.

So they're set in the worker config, and then just pass them along to the ostree resolve job.

[croissanne]

Instead of using env variables here, I think you should be able to just pass a struct or something containing the mtls secrets. https://github.com/osbuild/osbuild-composer/blob/main/cmd/osbuild-worker/jobimpl-ostree-resolve.go is the entrypoint here

[lzap]

Good point, amending a change. I am trying hard not to break the API by introducing an option struct, but since the ResolveRef does not seem to be used in composer, I am taking the liberty on changing it. If you feel this is not okay and other components might be using that, I will introduce a complatibility function and leave the original untouched.

Edit: Fixed tests.

[lzap]

The Resolve function is kept compatible with the old codebase in composer, the options are completely optional therefore passing just spec will work and in fact not use any MTLS configuration.

[lzap]

Possible API break but composer does not appear to use this directly.

[croissanne]

It's fine to break the API, will just require a tweak in composer when updating images.

[lzap]

So I changed the code so the API contract is not broken. Tests are passing now, except I think unrelevant ones.

[lzap]

CentOS Stream 10 - BaseOS                       647  B/s | 3.9 kB     00:06    
Errors during downloading metadata for repository 'baseos':
  - Downloading successful, but checksum doesn't match. Calculated: 09f9f3040a68ccceb349f04463cad23b3af1dc36ccf61c1fada52b9955a441742d8434dcb66f265924aed2d2b9dee3edaf16e0534fe475c6a5faf45db021d9a1(sha512)  Expected: f3765f12125ff6f09532cd5e74a0ab0bf0b275aa28794c1171b11ed247ed46fe60a7869d2ddc4658e31ac155632b4def908fd473050e6f68c32322212b921f62(sha512) 
Error: Failed to download metadata for repo 'baseos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

[achilleas-k]

Just break the API. The mess of keeping deprecated functions around isn't worth the effort.

[lzap]

How about I do a followup PR once this is integrated into composer? Because if I remove this function tests immediately breaks, I feel like I would make my life harder by straight-up breaking it.

[achilleas-k]

Which tests break? The integration ones with composer? Those are non-required for a reason. They're meant as a warning to the PR creator that they will have to change osbuild-composer when updating.

How about I do a followup PR once this is integrated into composer?

I'd rather have one clean PR than two messy ones. The way it is now it's hard to review (though not too hard). I suspect that a single PR that makes the appropriate change would be easier for me to wrap my head around, rather than try to imagine what it will look like eventually.

[achilleas-k]

Could the mTLS configuration be added to the SourceSpec? I imagine that would make things simpler, but I haven't written it out to be sure.

[lzap]

Yeah well I thought that SourceSpec is a type I should not touch. Now that I think about it, I can add fields directly in there that is more simple. Let me try.

[achilleas-k]

This is a very odd pattern for something that could just be an extension of the SourceSpec struct.

[lzap]

Yeah well I thought that SourceSpec is a type I should not touch. Now that I think about it, I can add fields directly in there that is more simple.

[lzap]

Oh when working on the changes you proposed, I realized I completely missed this input type which maps to the SourceSpec:

// Input represents the user-provided inputs that will be used to resolve an
// ostree commit ID.
type Input struct {
	// URL of the repo where the commit can be fetched.
	URL string `json:"url"`

	// Ref to resolve.
	Ref string `json:"ref"`

	// Whether to use RHSM secrets when resolving and fetching the commit.
	RHSM bool `json:"rhsm,omitempty"`
}

So it was not complete at all, I fixed it. How about this?

The solution now properly reads these ENV variables, I hope they are available.