ocp-5.0-rhel98.repo: switch RHEL repos to CDN (9.8 GA)

[redhat-chai-bot]

rhel-9.8 has GA'd today, so the rhel-98-* entries in core-services/release-controller/_repos/ocp-5.0-rhel98.repo no longer need to be sourced from mirror2.openshift.com (which has stopped being populated for 9.8).

This PR converts the RHEL baseos/appstream/nfv/highavailability/codeready-builder sections (plus ppc64le/s390x/aarch64 variants) to point at cdn.redhat.com/content/eus/rhel9/9.8/<arch>/<repo>/os/ (nfv and highavailability use e4s/) with sslclientkey/sslclientcert auth - mirroring the structure of ocp-5.0-rhel96.repo.

Sections left unchanged:

• rhel-9.8-server-ose-5.0 and rhel-9.8-early-kernel (point at the OCP plashet, not the RHEL repo)
• rhel-9.8-fast-datapath* (already CDN)

excludepkgs=toolbox* on rhel-9.8-appstream is preserved.

Discussed in this Slack thread - follow-up to #79427.

---

Opened on behalf of a user via Chai Bot (service account: ship-help-github@redhat.com).

Repository Mirror Configuration Update for RHEL 9.8

Updated the release controller's RHEL 9.8 repository configuration to switch from the deprecated OpenShift mirror (mirror2.openshift.com) to Red Hat's CDN (cdn.redhat.com). This change ensures the OpenShift CI/CD infrastructure can reliably pull RHEL 9.8 packages during release builds.

Technical Changes

Modified core-services/release-controller/_repos/ocp-5.0-rhel98.repo to update repository definitions for:

• BasOS, AppStream, NFV, HighAvailability, and CodeReady-Builder repositories across x86_64, ppc64le, s390x, and aarch64 architectures
• Base URLs now point to cdn.redhat.com/eus/rhel9/9.8/<arch>/<repo>/os/ (NFV and HighAvailability use e4s/ paths)
• Authentication configured via SSL certificates (/tmp/key/rh-cdn.pem)
• Legacy auth settings removed (username_file, password_file) in favor of certificate-based authentication
• Existing security settings preserved (gpgcheck, gpgkey, sslverify)

Repositories not affected by this change:

• OCP-specific repos (rhel-9.8-server-ose-5.0, rhel-9.8-early-kernel) pointing to the OCP plashet
• Fast-datapath repos already configured for CDN

The configuration now mirrors the structure already in place for RHEL 9.6, ensuring consistency across release builds.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@redhat-chai-bot: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8c63230f-61a8-41af-8122-0789cd5c1651

📥 Commits

Reviewing files that changed from the base of the PR and between 9b66aed and a7f0fa7.

📒 Files selected for processing (1)

• core-services/release-controller/_repos/ocp-5.0-rhel98.repo

---

Walkthrough

Updated RHEL 9.8 Yum repository definitions across x86_64, ppc64le, s390x, and aarch64 architectures to migrate from OpenShift reposync mirrors to Red Hat CDN (cdn.redhat.com) EUS paths. Replaced username/password file-based authentication with certificate-based authentication using sslclientcert and sslclientkey entries.

Changes

RHEL 9.8 CDN Migration

Layer / File(s)	Summary
Migrate RHEL 9.8 repos from OpenShift mirror to Red Hat CDN with certificate authentication core-services/release-controller/_repos/ocp-5.0-rhel98.repo	For all RHEL 9.8 repository sections (baseos, appstream, nfv, highavailability, codeready-builder) across x86_64, ppc64le, s390x, and aarch64 architectures, switched baseurl from internal mirror paths to cdn.redhat.com eus/rhel9/9.8 endpoints; added sslclientcert and sslclientkey settings pointing to /tmp/key/rh-cdn.pem; removed username_file, password_file, and skip_if_unavailable entries.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• openshift/release#79427: Modifies the same RHEL 9.8 repository configuration file with baseurl changes for codeready-builder and architecture-specific sections targeting alternative repo locations.
• openshift/release#79429: Updates yum/dnf authentication configuration in ocp-5.0-rhel repo stanzas, including switching between sslclientkey/sslclientcert and username_file/password_file credentials.

Suggested labels

lgtm, approved, rehearsals-ack

Suggested reviewers

• Prucek
• bear-redhat
• jmguzik

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically identifies the main change: switching RHEL repository configuration to use CDN instead of a mirror, with the version (9.8 GA) clearly specified.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR modifies only a YUM/DNF repository configuration file (ocp-5.0-rhel98.repo). No Ginkgo test files are present. The test name stability check does not apply.
Test Structure And Quality	✅ Passed	Check is inapplicable. This PR modifies only a Yum repo config file with no test code. The check targets Ginkgo test quality but no tests are present.
Microshift Test Compatibility	✅ Passed	This PR modifies only a DNF/Yum repository configuration file (ocp-5.0-rhel98.repo), not test code. No Ginkgo e2e tests are added. MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR modifies repository configuration files only (.repo files), not Ginkgo e2e tests. The custom check is not applicable as no e2e tests are being added.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies a YUM/DNF repository configuration file, not Kubernetes manifests, operators, or controllers. The check for topology-aware scheduling is not applicable to repository configuration changes.
Ote Binary Stdout Contract	✅ Passed	PR modifies only ocp-5.0-rhel98.repo, a yum/dnf configuration file, not Go source code. OTE Binary Stdout Contract check only applies to Go code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This check applies only to Ginkgo e2e tests. The PR modifies a repository configuration file (ocp-5.0-rhel98.repo) containing only Yum/DNF repository settings, with no e2e tests added or modified.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @redhat-chai-bot. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jupierce]

/lgtm

[jupierce]

/ok-to-test

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jupierce, redhat-chai-bot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• core-services/release-controller/OWNERS [jupierce]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@redhat-chai-bot: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

@redhat-chai-bot: Updated the following 15 configmaps:

• base-repos configmap in namespace ocp at cluster build04 using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo
• base-repos configmap in namespace ocp at cluster build09 using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo
• base-repos configmap in namespace ocp at cluster build03 using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo
• base-repos configmap in namespace ocp at cluster build05 using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo
• base-repos configmap in namespace ocp at cluster build08 using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo
• base-repos configmap in namespace ocp at cluster build01 using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo
• base-repos configmap in namespace ocp at cluster build11 using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo
• base-repos configmap in namespace ocp at cluster core-ci using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo
• base-repos configmap in namespace ocp at cluster vsphere02 using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo
• base-repos configmap in namespace ocp at cluster build10 using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo
• base-repos configmap in namespace ocp at cluster build07 using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo
• base-repos configmap in namespace ocp at cluster build06 using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo
• base-repos configmap in namespace ocp at cluster build12 using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo
• base-repos configmap in namespace ocp at cluster build02 using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo
• base-repos configmap in namespace ocp at cluster app.ci using the following files:
  • key ocp-5.0-rhel98.repo using file core-services/release-controller/_repos/ocp-5.0-rhel98.repo

Details

In response to this:

rhel-9.8 has GA'd today, so the rhel-98-* entries in core-services/release-controller/_repos/ocp-5.0-rhel98.repo no longer need to be sourced from mirror2.openshift.com (which has stopped being populated for 9.8).

This PR converts the RHEL baseos/appstream/nfv/highavailability/codeready-builder sections (plus ppc64le/s390x/aarch64 variants) to point at cdn.redhat.com/content/eus/rhel9/9.8/<arch>/<repo>/os/ (nfv and highavailability use e4s/) with sslclientkey/sslclientcert auth - mirroring the structure of ocp-5.0-rhel96.repo.

Sections left unchanged:

• rhel-9.8-server-ose-5.0 and rhel-9.8-early-kernel (point at the OCP plashet, not the RHEL repo)
• rhel-9.8-fast-datapath* (already CDN)

excludepkgs=toolbox* on rhel-9.8-appstream is preserved.

Discussed in this Slack thread - follow-up to #79427.

---

Opened on behalf of a user via Chai Bot (service account: ship-help-github@redhat.com).

Repository Mirror Configuration Update for RHEL 9.8

Updated the release controller's RHEL 9.8 repository configuration to switch from the deprecated OpenShift mirror (mirror2.openshift.com) to Red Hat's CDN (cdn.redhat.com). This change ensures the OpenShift CI/CD infrastructure can reliably pull RHEL 9.8 packages during release builds.

Technical Changes

Modified core-services/release-controller/_repos/ocp-5.0-rhel98.repo to update repository definitions for:

• BasOS, AppStream, NFV, HighAvailability, and CodeReady-Builder repositories across x86_64, ppc64le, s390x, and aarch64 architectures
• Base URLs now point to cdn.redhat.com/eus/rhel9/9.8/<arch>/<repo>/os/ (NFV and HighAvailability use e4s/ paths)
• Authentication configured via SSL certificates (/tmp/key/rh-cdn.pem)
• Legacy auth settings removed (username_file, password_file) in favor of certificate-based authentication
• Existing security settings preserved (gpgcheck, gpgkey, sslverify)

Repositories not affected by this change:

• OCP-specific repos (rhel-9.8-server-ose-5.0, rhel-9.8-early-kernel) pointing to the OCP plashet
• Fast-datapath repos already configured for CDN

The configuration now mirrors the structure already in place for RHEL 9.6, ensuring consistency across release builds.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.