OCPBUGS-83401: add RootCA cert to the sysContextBuilder certs

[andfasano]

- What I did
Added the rootCA cert to the certs built by sysContextBuilder. This is required to support the OSStreams feature during the bootstrap when the NoRegistryClusterInstall feature is enabled (and thus the OCP release payload is stored internally in the IRI registries, all of them signed by using the rootCA cert)

- How to verify it
Run the iso-no-registry CI job

- Description for the changelog

Summary by CodeRabbit

• Bug Fixes
  • CA bundle construction now includes controller-provided root CA data when present, ensuring merged CA files contain those certificates and improving image registry certificate validation.
• Tests
  • Added a test verifying that controller-supplied root CA data triggers creation of certificate outputs and temporary context as expected.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@andfasano: This pull request references Jira Issue OCPBUGS-83401, which is invalid:

• expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

- What I did
Added the rootCA cert to the certs built by sysContextBuilder. This is required to support the OSStreams feature during the bootstrap when the NoRegistryClusterInstall feature is enabled (and thus the OCP release payload is stored internally in the IRI registries, all of them signed by using the rootCA cert)

- How to verify it
Run the iso-no-registry CI job

- Description for the changelog

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[andfasano]

/jira refresh

[openshift-ci-robot]

@andfasano: This pull request references Jira Issue OCPBUGS-83401, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (afasano@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Certificate-bundle construction now treats controllerConfig.Spec.RootCAData as an additional CA source: hasCerts() recognizes non-empty RootCAData, buildCerts() uses the merged-bundle path when AdditionalTrustBundle or RootCAData is present, and RootCAData is appended (with a trailing newline) into ca-bundle.crt.

Changes

Cohort / File(s)	Summary
CA bundle logic & test pkg/imageutils/sys_context.go, pkg/imageutils/sys_context_test.go	hasCerts() now returns true when controllerConfig.Spec.RootCAData is set; buildCerts() merges RootCAData into the created ca-bundle.crt (appended with newline) alongside existing bundle/AdditionalTrustBundle handling. Added unit test "WithControllerConfig only - just rootCA" to exercise the RootCA-only path (expects temp dir and cert outputs).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	The new test case follows the table-driven test pattern correctly and maintains single responsibility, testing only the WithControllerConfig scenario. However, the test framework's assertion validation loop lacks descriptive error messages.	Add descriptive error messages to assertions that include the test case name and detailed mismatch information to improve debuggability of test failures.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding RootCA cert to sysContextBuilder certs, which matches the core modification in both the implementation and test files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR uses standard Go testing with static, descriptive test names rather than Ginkgo tests, so the Ginkgo-specific check is not applicable.
Microshift Test Compatibility	✅ Passed	This PR does not add Ginkgo e2e tests. The new test case is a standard Go unit test subtest within pkg/imageutils, not a Ginkgo e2e test.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR contains only unit tests using Go's standard testing package, not Ginkgo e2e tests. The SNO compatibility check targets Ginkgo e2e tests specifically.
Topology-Aware Scheduling Compatibility	✅ Passed	Code changes only modify certificate bundle construction utilities and do not introduce any topology-aware scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	Modified test files contain only standard Go test functions with no process-level functions, and new test case uses standard t.Run() pattern. No stdout-writing operations present. Library code in pkg/imageutils/ not subject to OTE stdout contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds only standard Go unit tests, not Ginkgo e2e tests with IPv4 assumptions or external connectivity requirements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[andfasano]

/test ?

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/imageutils/sys_context.go`:
- Around line 231-235: The Root CA append (checking
controllerConfig.Spec.RootCAData and writing into certBundle) is currently
nested inside the AdditionalTrustBundle conditional so RootCAData is skipped
when AdditionalTrustBundle is empty; move the RootCAData handling out of the
outer if that checks controllerConfig.Spec.AdditionalTrustBundle so that the
block that checks len(controllerConfig.Spec.RootCAData) and calls
certBundle.Write(...) and certBundle.WriteString("\n") runs independently
(always executed when RootCAData is present), ensuring
controllerConfig.Spec.RootCAData is always appended to certBundle even if
AdditionalTrustBundle is empty.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 679c7a90-9973-4ee7-89d3-55fc453c56eb

📥 Commits

Reviewing files that changed from the base of the PR and between bf40a23 and f1916db.

📒 Files selected for processing (1)

• pkg/imageutils/sys_context.go

[andfasano]

/test e2e-agent-compact-ipv4-iso-no-registry

[andfasano]

/testwith openshift/release/4.22/e2e-agent-iso-no-registry-conformance-techpreview

[andfasano]

/jira refresh

[openshift-ci-robot]

@andfasano: This pull request references Jira Issue OCPBUGS-83401, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (afasano@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[andfasano]

/testwith openshift/release/4.22/e2e-agent-iso-no-registry-conformance-techpreview

[andfasano]

/retest

[andfasano]

/test ?

[andfasano]

/test e2e-agent-compact-ipv4-iso-no-registry

[andfasano]

/testwith openshift/release/4.22/nightly/e2e-agent-iso-no-registry-conformance-techpreview

[andfasano]

/testwith openshift/release/main/nightly/e2e-agent-iso-no-registry-conformance-techpreview

[bfournie]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-upgrade
/test e2e-gcp-op-part1
/test e2e-gcp-op-part2
/test e2e-gcp-op-single-node
/test e2e-hypershift

[coderabbitai]

🧹 Nitpick comments (1)

pkg/imageutils/sys_context_test.go (1)

185-198: Strengthen this rootCA case to verify bundle contents, not just cert-dir creation.

At Line 196-197, this case currently proves only that cert handling is enabled. It does not verify the PR’s core behavior: RootCAData being written into ca-bundle.crt. Please add assertions that ca-bundle.crt exists and contains the configured root CA bytes.

Proposed test hardening

 import (
+	"os"
 	"path/filepath"
 	"testing"
@@
 			// Check certs expectations
 			if tc.expectCerts {
 				assert.NotEmpty(t, sysCtx.SysContext.DockerPerHostCertDirPath, "DockerPerHostCertDirPath should not be empty")
 				assert.DirExists(t, sysCtx.SysContext.DockerPerHostCertDirPath, "Certs directory should exist")
+
+				// When RootCAData is provided, ensure merged bundle is materialized and contains it.
+				if tc.controllerConfig != nil && len(tc.controllerConfig.Spec.RootCAData) > 0 {
+					bundlePath := filepath.Join(sysCtx.SysContext.DockerPerHostCertDirPath, "ca-bundle.crt")
+					assert.FileExists(t, bundlePath, "Merged CA bundle should exist")
+					bundleData, readErr := os.ReadFile(bundlePath)
+					require.NoError(t, readErr, "Reading merged CA bundle should not fail")
+					assert.Contains(t, string(bundleData), string(tc.controllerConfig.Spec.RootCAData), "Merged CA bundle should contain RootCAData")
+				}
 			} else {
 				assert.Empty(t, sysCtx.SysContext.DockerPerHostCertDirPath, "DockerPerHostCertDirPath should be empty")
 			}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/imageutils/sys_context_test.go` around lines 185 - 198, The test case for
"WithControllerConfig only - just rootCA" currently only checks that a temp cert
dir was created; update the test to also assert that the ca-bundle.crt file was
created inside the generated cert directory and that its contents equal the
configured ControllerConfig.Spec.RootCAData bytes; locate the test case in
pkg/imageutils/sys_context_test.go (the table entry where controllerConfig is
set to &mcfgv1.ControllerConfig{Spec: mcfgv1.ControllerConfigSpec{RootCAData:
[]byte(...)}}) and add assertions that the path "<certDir>/ca-bundle.crt" exists
and that reading that file returns the exact RootCAData provided.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/imageutils/sys_context_test.go`:
- Around line 185-198: The test case for "WithControllerConfig only - just
rootCA" currently only checks that a temp cert dir was created; update the test
to also assert that the ca-bundle.crt file was created inside the generated cert
directory and that its contents equal the configured
ControllerConfig.Spec.RootCAData bytes; locate the test case in
pkg/imageutils/sys_context_test.go (the table entry where controllerConfig is
set to &mcfgv1.ControllerConfig{Spec: mcfgv1.ControllerConfigSpec{RootCAData:
[]byte(...)}}) and add assertions that the path "<certDir>/ca-bundle.crt" exists
and that reading that file returns the exact RootCAData provided.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: cfcbb889-8763-4668-9e1e-1493c69b39fc

📥 Commits

Reviewing files that changed from the base of the PR and between f1916db and 7aeb7b8.

📒 Files selected for processing (2)

• pkg/imageutils/sys_context.go
• pkg/imageutils/sys_context_test.go

✅ Files skipped from review due to trivial changes (1)

• pkg/imageutils/sys_context.go

[bfournie]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-upgrade
/test e2e-gcp-op-part1
/test e2e-gcp-op-part2
/test e2e-gcp-op-single-node
/test e2e-hypershift

[andfasano]

/test e2e-agent-compact-ipv4-iso-no-registry

[pablintino]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andfasano, bfournie, pablintino

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [pablintino]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[andfasano]

/verified by @andfasano

[openshift-ci-robot]

@andfasano: This PR has been marked as verified by @andfasano.

Details

In response to this:

/verified by @andfasano

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD c3a9db7 and 2 for PR HEAD 7aeb7b8 in total

[andfasano]

/test e2e-aws-ovn-upgrade

[andfasano]

/test e2e-aws-ovn-upgrade

@pablintino any chance to override this job? It looks permafailing for unrelated reasons

[openshift-ci]

@andfasano: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@andfasano: Jira Issue OCPBUGS-83401: All pull requests linked via external trackers have merged:

• openshift/assisted-service#10141
• openshift/assisted-service#10147
• openshift/machine-config-operator#5861

Jira Issue OCPBUGS-83401 has been moved to the MODIFIED state.

Details

In response to this:

- What I did
Added the rootCA cert to the certs built by sysContextBuilder. This is required to support the OSStreams feature during the bootstrap when the NoRegistryClusterInstall feature is enabled (and thus the OCP release payload is stored internally in the IRI registries, all of them signed by using the rootCA cert)

- How to verify it
Run the iso-no-registry CI job

- Description for the changelog

Summary by CodeRabbit

• Bug Fixes
• CA bundle construction now includes controller-provided root CA data when present, ensuring merged CA files contain those certificates and improving image registry certificate validation.
• Tests
• Added a test verifying that controller-supplied root CA data triggers creation of certificate outputs and temporary context as expected.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-robot]

Fix included in release 5.0.0-0.nightly-2026-04-24-121336