update ci _repo for ocp 4.22 / 5.0 #78029

Closed
fgallott wants to merge 1 commit into openshift:main from fgallott:update-rhel9.8-repos-to-art-mirror

@fgallott fgallott commented Apr 20, 2026

follows
openshift-eng/ocp-build-data#10081
openshift-eng/ocp-build-data#10082

Summary by CodeRabbit

Chores

  • Updated RHEL 9 package repository sources to OpenShift mirrors for OpenShift 4.22 and 5.0
  • Changed repository authentication from TLS client certificates to credential-file-based authentication
  • Added new high availability repository section
  • Enabled automatic failover and improved package availability handling across repository configurations
  • Updated CodeReady Builder repository endpoints

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

coderabbitai bot commented Apr 20, 2026

Walkthrough

Two repository configuration files are updated to migrate from Red Hat CDN to OpenShift mirror endpoints, replace TLS client authentication with HTTP basic auth file credentials, introduce the new rhel-9-highavailability section, and add package exclusions and failover settings.

Changes

Cohort / File(s) | Summary
Repository Configuration Migration (core-services/release-controller/_repos/ocp-4.22-rhel9.repo, core-services/release-controller/_repos/ocp-5.0-rhel9.repo) | Updated baseurl endpoints from Red Hat CDN (cdn.redhat.com/content/dist/rhel9/9/...) to OpenShift mirror (mirror2.openshift.com/enterprise/reposync/...). Replaced TLS client authentication (sslclientkey/sslclientcert) with HTTP basic auth (username_file/password_file). Added skip_if_unavailable = true to affected sections. Introduced new [rhel-9-highavailability] repository section with mirror configuration. Updated CodeReady Builder URLs to EUS paths (content/eus/rhel9/9.8/...). Added excludepkgs=toolbox* to rhel-9-appstream sections.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 10
✅ Passed checks (10 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change: updating repository configurations for OCP 4.22 and 5.0 versions, which aligns with the substantial modifications to both ocp-4.22-rhel9.repo and ocp-5.0-rhel9.repo files.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names | ✅ Passed | The custom check for Stable and Deterministic Test Names is not applicable to this PR as it modifies YUM/DNF repository configuration files in INI format, not Ginkgo test files.
Test Structure And Quality | ✅ Passed | This PR modifies repository configuration files (.repo files) for OCP versions, not Ginkgo test code. The test structure quality check is not applicable.
Microshift Test Compatibility | ✅ Passed | PR modifies only repository configuration files, not Ginkgo e2e tests, making this check not applicable.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | The custom check for SNO test compatibility is not applicable; this PR modifies only repository configuration files, not Ginkgo e2e tests.
Topology-Aware Scheduling Compatibility | ✅ Passed | Pull request modifies only Yum/DNF repository configuration files (.repo files) used for CI infrastructure package management. These contain no Kubernetes objects, scheduling constraints, affinity rules, topology configurations, replica counts, node selectors, tolerations, or PodDisruptionBudgets.
Ote Binary Stdout Contract | ✅ Passed | The custom check for OTE Binary Stdout Contract is not applicable to this PR as it exclusively modifies repository configuration files (.repo files in INI format) with no executable code.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This custom check is not applicable to the provided pull request. The check is specifically designed to assess Ginkgo e2e tests for IPv6 and disconnected network compatibility, but this PR only modifies Yum/DNF repository configuration files (.repo files) with no e2e tests added.

@openshift-merge-bot openshift-merge-bot bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Apr 20, 2026
@openshift-merge-bot

[REHEARSALNOTIFIER]
@fgallott: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
core-services/release-controller/_repos/ocp-4.22-rhel9.repo (1)

74-84: ⚠️ Potential issue | 🟠 Major

Migrate CodeReady Builder sections to mirror2 basic-auth like BaseOS/AppStream.

All four CodeReady Builder sections (rhel-9-codeready-builder-rpms, -ppc64le, -s390x, -aarch64) still use https://cdn.redhat.com/content/eus/... with /tmp/key/rh-cdn.pem client-cert auth, while the BaseOS and AppStream sections have already migrated to https://mirror2.openshift.com/enterprise/reposync/4.22/... with username_file and password_file basic-auth. Update all four CRB sections to follow the same pattern:

baseurl = https://mirror2.openshift.com/enterprise/reposync/4.22/rhel-98-codeready-builder-rpms
username_file = /tmp/mirror-enterprise-basic-auth/username
password_file = /tmp/mirror-enterprise-basic-auth/password

Remove sslclientkey and sslclientcert lines and adjust architecture paths (e.g., rhel-98-codeready-builder-rpms-ppc64le for ppc64le) to match the BaseOS/AppStream auth model.

Applies to all four CRB sections: x86_64 (lines 74–84), ppc64le (134–144), s390x (194–204), aarch64 (254–264).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@core-services/release-controller/_repos/ocp-4.22-rhel9.repo` around lines 74
- 84, Update each CodeReady Builder repo section (rhel-9-codeready-builder-rpms,
rhel-9-codeready-builder-rpms-ppc64le, rhel-9-codeready-builder-rpms-s390x,
rhel-9-codeready-builder-rpms-aarch64) to use the mirror2 basic-auth pattern
used by BaseOS/AppStream: replace the baseurl that points to
https://cdn.redhat.com/... with the mirror2 URL format
https://mirror2.openshift.com/enterprise/reposync/4.22/<arch-specific-path>
(e.g., rhel-98-codeready-builder-rpms or rhel-98-codeready-builder-rpms-ppc64le
for ppc64le), add username_file = /tmp/mirror-enterprise-basic-auth/username and
password_file = /tmp/mirror-enterprise-basic-auth/password, and remove the
sslclientkey and sslclientcert lines and any client-cert usage; keep
enabled/gpgcheck/sslverify/failovermethod settings consistent with the other
migrated sections.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 39c2b312-27bf-4920-a40d-0128234824bd

📥 Commits

Reviewing files that changed from the base of the PR and between c7a6294 and 3c62360.

📒 Files selected for processing (2)
  • core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • core-services/release-controller/_repos/ocp-5.0-rhel9.repo

Comment on lines +50 to +60
[rhel-9-highavailability]
name = rhel-9-highavailability
baseurl = https://mirror2.openshift.com/enterprise/reposync/4.22/rhel-98-highavailability
enabled = 1
gpgkey = https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-release https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-beta https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-openshifthosted
sslverify = false
gpgcheck = 0
username_file = /tmp/mirror-enterprise-basic-auth/username
password_file = /tmp/mirror-enterprise-basic-auth/password
failovermethod = priority
skip_if_unavailable = true
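
Review bot: `sslverify = false` in [rhel-9-highavailability] turns off server certificate validation on the same connection that carries the basic-auth credentials read from `username_file` and `password_file`, so the credentials and the repo metadata are exposed to any party that can intercept traffic to mirror2.openshift.com. Suggest `sslverify = true`, adding `sslcacert` if the mirror's certificate chains to a private CA.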

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify HighAvailability repo coverage for all architectures in the 4.22 repo file.

python3 - <<'PY'
from pathlib import Path
import re

path = Path("core-services/release-controller/_repos/ocp-4.22-rhel9.repo")
text = path.read_text()
headers = set(re.findall(r"^\[(.+?)\]", text, flags=re.M))
expected = {
    "rhel-9-highavailability",
    "rhel-9-highavailability-ppc64le",
    "rhel-9-highavailability-s390x",
    "rhel-9-highavailability-aarch64",
}
missing = sorted(expected - headers)
print("missing:", missing)
PY

Repository: openshift/release

Length of output: 173


Add HighAvailability repo sections for the non-x86 architectures.

The repo file currently includes only the default rhel-9-highavailability section but is missing architecture-specific variants for aarch64, ppc64le, and s390x. The file already contains architecture-specific BaseOS/AppStream sections for these architectures, so architecture-specific HighAvailability sections are also needed for consistent coverage across all supported architectures.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@core-services/release-controller/_repos/ocp-4.22-rhel9.repo` around lines 50
- 60, Add architecture-specific HighAvailability repo sections for aarch64,
ppc64le, and s390x by duplicating the existing rhel-9-highavailability block and
updating the repo id/name and baseurl to the architecture-specific variants
(e.g., rhel-9-highavailability-aarch64, rhel-9-highavailability-ppc64le,
rhel-9-highavailability-s390x) following the same format and settings (enabled,
gpgkey, sslverify, gpgcheck, username_file, password_file, failovermethod,
skip_if_unavailable) as the existing rhel-9-highavailability section and ensure
baseurl mirrors the pattern used by the architecture-specific BaseOS/AppStream
entries.

Comment on lines +50 to +60
[rhel-9-highavailability]
name = rhel-9-highavailability
baseurl = https://mirror2.openshift.com/enterprise/reposync/5.0/rhel-98-highavailability
enabled = 1
gpgkey = https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-release https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-beta https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-openshifthosted
sslverify = false
gpgcheck = 0
username_file = /tmp/mirror-enterprise-basic-auth/username
password_file = /tmp/mirror-enterprise-basic-auth/password
failovermethod = priority
skip_if_unavailable = true
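
Review bot: `gpgcheck = 0` leaves the three `gpgkey` URLs in this section unused, so packages from the 5.0 highavailability mirror are installed without signature verification; with `sslverify = false` on the line above, neither the transport nor the package signature authenticates what gets installed. Suggest `gpgcheck = 1` so the listed keys are enforced. `skip_if_unavailable = true` also lets a failed fetch drop this repo silently, which is worth confirming is intended for builds that need the HA packages.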

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify HighAvailability repo coverage for all architectures in the 5.0 repo file.

python3 - <<'PY'
from pathlib import Path
import re

path = Path("core-services/release-controller/_repos/ocp-5.0-rhel9.repo")
text = path.read_text()
headers = set(re.findall(r"^\[(.+?)\]", text, flags=re.M))
expected = {
    "rhel-9-highavailability",
    "rhel-9-highavailability-ppc64le",
    "rhel-9-highavailability-s390x",
    "rhel-9-highavailability-aarch64",
}
missing = sorted(expected - headers)
print("missing:", missing)
PY

Repository: openshift/release

Length of output: 173


🏁 Script executed:

#!/bin/bash
# Check what sections exist in the repo file to understand the pattern
python3 - <<'PY'
from pathlib import Path
import re

path = Path("core-services/release-controller/_repos/ocp-5.0-rhel9.repo")
text = path.read_text()
headers = sorted(set(re.findall(r"^\[(.+?)\]", text, flags=re.M)))

# Group by base name
baseos_sections = [h for h in headers if "baseos" in h]
appstream_sections = [h for h in headers if "appstream" in h]
ha_sections = [h for h in headers if "highavailability" in h]

print("BaseOS sections:")
for h in baseos_sections:
    print(f"  {h}")
print("\nAppStream sections:")
for h in appstream_sections:
    print(f"  {h}")
print("\nHighAvailability sections:")
for h in ha_sections:
    print(f"  {h}")
PY

Repository: openshift/release

Length of output: 336


Add HighAvailability repo sections for the non-x86 architectures.

The new section only covers the default rhel-9-highavailability repo, but is missing architecture-specific variants for aarch64, ppc64le, and s390x. The file already carries architecture-specific BaseOS/AppStream sections for all these architectures, so ppc64le/s390x/aarch64 builds will miss the HA repo without corresponding sections.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@core-services/release-controller/_repos/ocp-5.0-rhel9.repo` around lines 50 -
60, The new HighAvailability repo section [rhel-9-highavailability] only targets
the default architecture; add equivalent architecture-specific repo sections for
aarch64, ppc64le, and s390x (e.g., [rhel-9-highavailability-aarch64],
[rhel-9-highavailability-ppc64le], [rhel-9-highavailability-s390x]) mirroring
the existing keys (name, baseurl, enabled, gpgkey, sslverify, gpgcheck,
username_file, password_file, failovermethod, skip_if_unavailable) but adjusting
the baseurl path to the corresponding arch-specific repo (same pattern used by
the BaseOS/AppStream arch variants) so builds for aarch64/ppc64le/s390x include
the HA repository.
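
An added example, not part of the pull request or of CodeRabbit's review: a Python audit that generalizes the section-header checks scripted above to also flag explicitly disabled `sslverify`/`gpgcheck` and sections still on client-cert auth. The sample text is constructed; the `PLACEHOLDER` paths and the `audit` function name are assumptions.

```python
import configparser

ARCHES = ("ppc64le", "s390x", "aarch64")

# Constructed sample, not the real repo file. PLACEHOLDER marks paths the
# thread does not show; the aarch64 section is the hardened counterpart.
SAMPLE = """
[rhel-9-highavailability]
baseurl = https://mirror2.openshift.com/enterprise/reposync/4.22/rhel-98-highavailability
sslverify = false
gpgcheck = 0
username_file = /tmp/mirror-enterprise-basic-auth/username
password_file = /tmp/mirror-enterprise-basic-auth/password

[rhel-9-highavailability-aarch64]
baseurl = https://mirror2.openshift.com/enterprise/reposync/4.22/PLACEHOLDER
sslverify = true
gpgcheck = 1
username_file = /tmp/mirror-enterprise-basic-auth/username
password_file = /tmp/mirror-enterprise-basic-auth/password

[rhel-9-codeready-builder-rpms]
baseurl = https://cdn.redhat.com/content/eus/PLACEHOLDER
sslverify = false
gpgcheck = 0
sslclientkey = /tmp/key/rh-cdn.pem
sslclientcert = /tmp/key/rh-cdn.pem
"""

def audit(text):
    """Return (section, finding) pairs for a .repo file given as text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        s = cp[name]
        # Only explicit disables are flagged; unset keys are left alone.
        if "password_file" in s and not s.getboolean("sslverify", fallback=True):
            findings.append((name, "basic-auth credentials with sslverify disabled"))
        if not s.getboolean("gpgcheck", fallback=True):
            findings.append((name, "gpgcheck disabled"))
        if "sslclientkey" in s or "sslclientcert" in s:
            findings.append((name, "still on client-cert auth"))
    # Every base section should have one variant per non-x86 architecture.
    suffixes = tuple("-" + a for a in ARCHES)
    for base in (n for n in cp.sections() if not n.endswith(suffixes)):
        for arch in ARCHES:
            if not cp.has_section(f"{base}-{arch}"):
                findings.append((base, f"missing {arch} variant"))
    return findings

if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"{section}: {finding}")
```

Run against the real `.repo` files by passing `Path(...).read_text()` to `audit`; a non-empty result can gate a pre-merge check.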

openshift-ci bot commented Apr 20, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fgallott
Once this PR has been reviewed and has the lgtm label, please assign jupierce for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot commented Apr 20, 2026

@fgallott: all tests passed!

@openshift-ci openshift-ci bot requested review from jmguzik and smg247 April 20, 2026 13:19
@fgallott

superseded by #77982

@fgallott fgallott closed this Apr 20, 2026
@fgallott fgallott deleted the update-rhel9.8-repos-to-art-mirror branch April 20, 2026 13:25