ART-18749: Use GA content for RHEL 9.8 repos in 4.22, 4.23, and 5.0

[locriandev]

Summary

This PR updates the RHEL 9 repository configurations for OpenShift 4.22, 4.23, and 5.0 to point directly to cdn.redhat.com instead of using the mirror2.openshift.com reposync URLs.

Context

• PR [openshift-5.0] ART-18749: Use 9.8 GA repos openshift-eng/ocp-build-data#10723 disabled reposync for RHEL 9.8 repositories in the 5.0 stream
• This means repos are no longer being synced to mirror2, causing package download failures and 404 errors in CI
• The CI jobs need to consume RHEL 9.8 GA content directly from CDN

Changes

Repository Source Migration to cdn.redhat.com

OCP 5.0 (ocp-5.0-rhel9.repo)

• Migrated 5 core RHEL 9.8 repositories to CDN E4S/EUS endpoints
• Updated all architectures: x86_64, ppc64le, s390x, aarch64

OCP 4.22 (ocp-4.22-rhel9.repo)

• Same 5 core RHEL 9.8 repositories migrated to CDN E4S/EUS endpoints
• Updated all architectures: x86_64, ppc64le, s390x, aarch64

OCP 4.23 (ocp-4.23-rhel9.repo)

• Same 5 core RHEL 9.8 repositories migrated to CDN E4S/EUS endpoints
• Updated all architectures: x86_64, ppc64le, s390x, aarch64

Authentication Changes

For all CDN-backed repos:

• Removed basic auth credentials (username_file, password_file)
• Added certificate-based authentication using sslclientkey and sslclientcert pointing to /tmp/key/rh-cdn.pem

Repositories Updated

• rhel-9-baseos (E4S: cdn.redhat.com/content/e4s/rhel9/9.8/{arch}/baseos/os/)
• rhel-9-appstream (E4S: cdn.redhat.com/content/e4s/rhel9/9.8/{arch}/appstream/os/)
• rhel-9-nfv (E4S: cdn.redhat.com/content/e4s/rhel9/9.8/{arch}/nfv/os/)
• rhel-9-highavailability (E4S: cdn.redhat.com/content/e4s/rhel9/9.8/{arch}/highavailability/os/)
• rhel-9-codeready-builder (EUS: cdn.redhat.com/content/eus/rhel9/9.8/{arch}/codeready-builder/os/)

Unchanged Repositories

• rhel-9-server-ose-rpms (OpenShift-specific, continues to use mirror2 reposync)
• rhel-9-fast-datapath (already using cdn.redhat.com)
• rhel-9.8-early-kernel (uses OSE plashet repo)

Benefits

• No sync lag - Direct access to GA content
• Eliminates package version mismatches - No more 404 errors from packages removed from GA repo while still in reposync mirror
• Simpler infrastructure - One less moving part to maintain

Related Issues

This fixes the CI failures reported in the Slack thread where packages like mtools were getting 404 errors:

• https://redhat-internal.slack.com/archives/CBN38N3MW/p1779868800010789

Example error:

error: Cannot download Packages/m/mtools-4.0.26-3.el9.x86_64.rpm: All mirrors were tried; Last error: Status code: 404

Related PRs

ocp-build-data PRs that disabled reposync for these repos:

• [openshift-5.0] ART-18749: Use 9.8 GA repos openshift-eng/ocp-build-data#10723 (openshift-5.0)
• ART-19090: Use rhel9-8-els/rhel-minimal base stream for 4.22 openshift-eng/ocp-build-data#10790 (openshift-4.22)
• ART-19090: Use rhel9-8-els/rhel-minimal base stream for 4.23 openshift-eng/ocp-build-data#10791 (openshift-4.23)

Similar pattern used in:

• ART-19228: Use E4S directly for RHEL 10.2 GA repos in OCP 4.22, 4.23, and 5.0 #79747 (RHEL 10.2 GA repos)

Summary by CodeRabbit

This PR updates the CI infrastructure's RHEL 9 repository configurations for three OpenShift streams (4.22, 4.23, and 5.0) to directly access Red Hat's CDN instead of relying on OpenShift's internal mirror infrastructure.

Problem Being Solved:
The OpenShift reposync service that mirrors content to mirror2.openshift.com was disabled for RHEL 9.8 content. This caused package repositories to stop syncing to the mirror, resulting in CI failures with 404 errors when trying to download packages (e.g., mtools in referenced examples). This PR eliminates the dependency on the reposync mirror for RHEL 9.8 by pointing directly to cdn.redhat.com.

Infrastructure Changes:
Three repository configuration files (ocp-4.22-rhel9.repo, ocp-4.23-rhel9.repo, and ocp-5.0-rhel9.repo) are updated to:

• Replace mirror2.openshift.com/enterprise/reposync/ URLs with direct CDN endpoints (cdn.redhat.com/content/e4s/rhel9/9.8/ and cdn.redhat.com/content/eus/rhel9/9.8/)
• Change authentication from basic auth (username_file/password_file) to certificate-based authentication (sslclientkey and sslclientcert pointing to /tmp/key/rh-cdn.pem)
• Apply these changes across all supported architectures (x86_64, ppc64le, s390x, aarch64)

Repositories Affected:
Five core RHEL 9.8 repositories are migrated: rhel-9-baseos, rhel-9-appstream, rhel-9-nfv, rhel-9-highavailability, and rhel-9-codeready-builder. Other repositories like rhel-9-server-ose-rpms (continues using mirror2 reposync), rhel-9-fast-datapath (already on CDN), and rhel-9.8-early-kernel (uses OSE plashet repo) remain unchanged.

Expected Benefits:
This eliminates sync lag, prevents package version mismatches and 404 errors in CI, and simplifies the infrastructure by removing dependency on the disabled reposync service.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 038fc3eb-0b58-4078-9ff7-1cf01e0aeb46

📥 Commits

Reviewing files that changed from the base of the PR and between 09e9bdf and d512392.

📒 Files selected for processing (3)

• core-services/release-controller/_repos/ocp-4.22-rhel9.repo
• core-services/release-controller/_repos/ocp-4.23-rhel9.repo
• core-services/release-controller/_repos/ocp-5.0-rhel9.repo

---

Walkthrough

Three OpenShift repository configuration files (OCP 4.22, 4.23, and 5.0 targeting RHEL 9) are updated to migrate from OpenShift reposync mirrors to Red Hat CDN endpoints, replacing HTTP basic-auth with TLS client certificate authentication across all CPU architectures and repository types.

Changes

CDN Repository Migration for OCP RHEL9

Layer / File(s)	Summary
OCP 4.22 RHEL9 repository migration core-services/release-controller/_repos/ocp-4.22-rhel9.repo	Baseos, appstream, nfv, highavailability, fast-datapath, and codeready-builder-rpms sections updated across x86_64, ppc64le, s390x, and aarch64: baseurl switched from mirror2.openshift.com reposync mirrors to Red Hat CDN endpoints; username_file/password_file removed; sslclientkey/sslclientcert pointing to /tmp/key/rh-cdn.pem added.
OCP 4.23 RHEL9 repository migration core-services/release-controller/_repos/ocp-4.23-rhel9.repo	All repo stanzas across all architectures updated with CDN endpoints, TLS client certificates, and auth method changes; prior RCM-65421 comments removed from fast-datapath sections.
OCP 5.0 RHEL9 repository migration core-services/release-controller/_repos/ocp-5.0-rhel9.repo	Repository configuration for all architectures and repo types migrated to cdn.redhat.com with rhel9/9.8 content paths, TLS client certificate authentication, and HTTP basic-auth removal across baseos, appstream, nfv, highavailability, fast-datapath, and codeready-builder variants.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• openshift/release#79747: Applies the same CDN endpoint and authentication pattern changes to RHEL 8 repository configurations across multiple OCP versions.

Suggested reviewers

• pruan-rht
• smg247
• joepvd

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
Ote Binary Stdout Contract	❌ Error	PR introduces gotest2junit binary with stdout write in process-level code (main→process). Line 56 writes XML to stdout via fmt.Fprintf(os.Stdout), violating OTE Binary Stdout Contract.	Redirect stdout output through os.Stdout after main() completion, use GinkgoWriter for suite setup, or document output as JSON-only. The gotest2junit tool must not emit non-JSON output during test discovery.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately reflects the main change: migrating RHEL 9.8 repositories from mirror2.openshift.com to cdn.redhat.com for OCP versions 4.22, 4.23, and 5.0.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR modifies only YUM/DNF repository configuration files (.repo files), not Ginkgo test files. The check for stable/deterministic test names is not applicable.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code—only repository configuration files (.repo files). Check is not applicable; no test code to review.
Microshift Test Compatibility	✅ Passed	PR modifies only repository configuration files (.repo files), not test code. No Ginkgo e2e tests are added, so MicroShift compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR contains only repository configuration file updates (.repo files), no Ginkgo e2e tests are added; SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only YUM/DNF repository configuration files (.repo files) with no deployment manifests, operator code, controllers, or scheduling constraints affecting topology compatibility.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR modifies only YUM/DNF repository configuration files (.repo format), not Ginkgo e2e tests. The custom check applies only to new e2e tests and is not applicable here.
No-Weak-Crypto	✅ Passed	PR modifies only .repo configuration files with no weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) references, custom crypto implementations, or non-constant-time secret comparisons detected.
Container-Privileges	✅ Passed	PR modifies only YUM/DNF repository configuration files (.repo), not Kubernetes manifests or container definitions. Container-privileges check is inapplicable here.
No-Sensitive-Data-In-Logs	✅ Passed	PR modifies only YUM/DNF .repo config files with no logging statements. Removes password_file references and replaces basic auth with certificate-based auth using file paths.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@locriandev: This pull request references ART-18749 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

This PR updates the RHEL 9 repository configurations for OpenShift 4.22, 4.23, and 5.0 to point directly to cdn.redhat.com instead of using the mirror2.openshift.com reposync URLs.

Context

• PR [openshift-5.0] ART-18749: Use 9.8 GA repos openshift-eng/ocp-build-data#10723 disabled reposync for RHEL 9.8 repositories in the 5.0 stream
• This means repos are no longer being synced to mirror2, causing package download failures and 404 errors in CI
• The CI jobs need to consume RHEL 9.8 GA content directly from CDN

Changes

Repository Source Migration to cdn.redhat.com

OCP 5.0 (ocp-5.0-rhel9.repo)

• Migrated 5 core RHEL 9.8 repositories to CDN E4S/EUS endpoints
• Updated all architectures: x86_64, ppc64le, s390x, aarch64

OCP 4.22 (ocp-4.22-rhel9.repo)

• Same 5 core RHEL 9.8 repositories migrated to CDN E4S/EUS endpoints
• Updated all architectures: x86_64, ppc64le, s390x, aarch64

OCP 4.23 (ocp-4.23-rhel9.repo)

• Same 5 core RHEL 9.8 repositories migrated to CDN E4S/EUS endpoints
• Updated all architectures: x86_64, ppc64le, s390x, aarch64

Authentication Changes

For all CDN-backed repos:

• Removed basic auth credentials (username_file, password_file)
• Added certificate-based authentication using sslclientkey and sslclientcert pointing to /tmp/key/rh-cdn.pem

Repositories Updated

• rhel-9-baseos (E4S: cdn.redhat.com/content/e4s/rhel9/9.8/{arch}/baseos/os/)
• rhel-9-appstream (E4S: cdn.redhat.com/content/e4s/rhel9/9.8/{arch}/appstream/os/)
• rhel-9-nfv (E4S: cdn.redhat.com/content/e4s/rhel9/9.8/{arch}/nfv/os/)
• rhel-9-highavailability (E4S: cdn.redhat.com/content/e4s/rhel9/9.8/{arch}/highavailability/os/)
• rhel-9-codeready-builder (EUS: cdn.redhat.com/content/eus/rhel9/9.8/{arch}/codeready-builder/os/)

Unchanged Repositories

• rhel-9-server-ose-rpms (OpenShift-specific, continues to use mirror2 reposync)
• rhel-9-fast-datapath (already using cdn.redhat.com)
• rhel-9.8-early-kernel (uses OSE plashet repo)

Benefits

• No sync lag - Direct access to GA content
• Eliminates package version mismatches - No more 404 errors from packages removed from GA repo while still in reposync mirror
• Simpler infrastructure - One less moving part to maintain

Related Issues

This fixes the CI failures reported in the Slack thread where packages like mtools were getting 404 errors:

• https://redhat-internal.slack.com/archives/CBN38N3MW/p1779868800010789

Example error:

error: Cannot download Packages/m/mtools-4.0.26-3.el9.x86_64.rpm: All mirrors were tried; Last error: Status code: 404

Related PRs

ocp-build-data PRs that disabled reposync for these repos:

• [openshift-5.0] ART-18749: Use 9.8 GA repos openshift-eng/ocp-build-data#10723 (openshift-5.0)
• ART-19090: Use rhel9-8-els/rhel-minimal base stream for 4.22 openshift-eng/ocp-build-data#10790 (openshift-4.22)
• ART-19090: Use rhel9-8-els/rhel-minimal base stream for 4.23 openshift-eng/ocp-build-data#10791 (openshift-4.23)

Similar pattern used in:

• ART-19228: Use E4S directly for RHEL 10.2 GA repos in OCP 4.22, 4.23, and 5.0 #79747 (RHEL 10.2 GA repos)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

@locriandev: pj-rehearse could not automatically process this event because the request waited in queue for longer than 5 minutes. Use /pj-rehearse to trigger rehearsals manually.

[openshift-merge-bot]

@coderabbitai[bot]: your /pj-rehearse request was not processed because the request waited in queue for longer than 5 minutes. Please retry in a few minutes.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@locriandev: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[elfosardo]

/lgtm

[elfosardo]

@sosiouxme please approve this when you have a moment, thanks!

[elfosardo]

/assign @sosiouxme

[danilo-gemoli]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danilo-gemoli, elfosardo, locriandev

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• core-services/release-controller/OWNERS [danilo-gemoli]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@locriandev: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

@locriandev: Updated the following 16 configmaps:

• base-repos configmap in namespace ocp at cluster build03 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build12 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build04 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build05 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build11 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build10 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build06 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster vsphere02 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster app.ci using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build09 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build13 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build02 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build08 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build07 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build01 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster core-ci using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-4.23-rhel9.repo using file core-services/release-controller/_repos/ocp-4.23-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo

Details

In response to this:

Summary

This PR updates the RHEL 9 repository configurations for OpenShift 4.22, 4.23, and 5.0 to point directly to cdn.redhat.com instead of using the mirror2.openshift.com reposync URLs.

Context

• PR [openshift-5.0] ART-18749: Use 9.8 GA repos openshift-eng/ocp-build-data#10723 disabled reposync for RHEL 9.8 repositories in the 5.0 stream
• This means repos are no longer being synced to mirror2, causing package download failures and 404 errors in CI
• The CI jobs need to consume RHEL 9.8 GA content directly from CDN

Changes

Repository Source Migration to cdn.redhat.com

OCP 5.0 (ocp-5.0-rhel9.repo)

• Migrated 5 core RHEL 9.8 repositories to CDN E4S/EUS endpoints
• Updated all architectures: x86_64, ppc64le, s390x, aarch64

OCP 4.22 (ocp-4.22-rhel9.repo)

• Same 5 core RHEL 9.8 repositories migrated to CDN E4S/EUS endpoints
• Updated all architectures: x86_64, ppc64le, s390x, aarch64

OCP 4.23 (ocp-4.23-rhel9.repo)

• Same 5 core RHEL 9.8 repositories migrated to CDN E4S/EUS endpoints
• Updated all architectures: x86_64, ppc64le, s390x, aarch64

Authentication Changes

For all CDN-backed repos:

• Removed basic auth credentials (username_file, password_file)
• Added certificate-based authentication using sslclientkey and sslclientcert pointing to /tmp/key/rh-cdn.pem

Repositories Updated

• rhel-9-baseos (E4S: cdn.redhat.com/content/e4s/rhel9/9.8/{arch}/baseos/os/)
• rhel-9-appstream (E4S: cdn.redhat.com/content/e4s/rhel9/9.8/{arch}/appstream/os/)
• rhel-9-nfv (E4S: cdn.redhat.com/content/e4s/rhel9/9.8/{arch}/nfv/os/)
• rhel-9-highavailability (E4S: cdn.redhat.com/content/e4s/rhel9/9.8/{arch}/highavailability/os/)
• rhel-9-codeready-builder (EUS: cdn.redhat.com/content/eus/rhel9/9.8/{arch}/codeready-builder/os/)

Unchanged Repositories

• rhel-9-server-ose-rpms (OpenShift-specific, continues to use mirror2 reposync)
• rhel-9-fast-datapath (already using cdn.redhat.com)
• rhel-9.8-early-kernel (uses OSE plashet repo)

Benefits

• No sync lag - Direct access to GA content
• Eliminates package version mismatches - No more 404 errors from packages removed from GA repo while still in reposync mirror
• Simpler infrastructure - One less moving part to maintain

Related Issues

This fixes the CI failures reported in the Slack thread where packages like mtools were getting 404 errors:

• https://redhat-internal.slack.com/archives/CBN38N3MW/p1779868800010789

Example error:

error: Cannot download Packages/m/mtools-4.0.26-3.el9.x86_64.rpm: All mirrors were tried; Last error: Status code: 404

Related PRs

ocp-build-data PRs that disabled reposync for these repos:

• [openshift-5.0] ART-18749: Use 9.8 GA repos openshift-eng/ocp-build-data#10723 (openshift-5.0)
• ART-19090: Use rhel9-8-els/rhel-minimal base stream for 4.22 openshift-eng/ocp-build-data#10790 (openshift-4.22)
• ART-19090: Use rhel9-8-els/rhel-minimal base stream for 4.23 openshift-eng/ocp-build-data#10791 (openshift-4.23)

Similar pattern used in:

• ART-19228: Use E4S directly for RHEL 10.2 GA repos in OCP 4.22, 4.23, and 5.0 #79747 (RHEL 10.2 GA repos)

Summary by CodeRabbit

This PR updates the CI infrastructure's RHEL 9 repository configurations for three OpenShift streams (4.22, 4.23, and 5.0) to directly access Red Hat's CDN instead of relying on OpenShift's internal mirror infrastructure.

Problem Being Solved:
The OpenShift reposync service that mirrors content to mirror2.openshift.com was disabled for RHEL 9.8 content. This caused package repositories to stop syncing to the mirror, resulting in CI failures with 404 errors when trying to download packages (e.g., mtools in referenced examples). This PR eliminates the dependency on the reposync mirror for RHEL 9.8 by pointing directly to cdn.redhat.com.

Infrastructure Changes:
Three repository configuration files (ocp-4.22-rhel9.repo, ocp-4.23-rhel9.repo, and ocp-5.0-rhel9.repo) are updated to:

• Replace mirror2.openshift.com/enterprise/reposync/ URLs with direct CDN endpoints (cdn.redhat.com/content/e4s/rhel9/9.8/ and cdn.redhat.com/content/eus/rhel9/9.8/)
• Change authentication from basic auth (username_file/password_file) to certificate-based authentication (sslclientkey and sslclientcert pointing to /tmp/key/rh-cdn.pem)
• Apply these changes across all supported architectures (x86_64, ppc64le, s390x, aarch64)

Repositories Affected:
Five core RHEL 9.8 repositories are migrated: rhel-9-baseos, rhel-9-appstream, rhel-9-nfv, rhel-9-highavailability, and rhel-9-codeready-builder. Other repositories like rhel-9-server-ose-rpms (continues using mirror2 reposync), rhel-9-fast-datapath (already on CDN), and rhel-9.8-early-kernel (uses OSE plashet repo) remain unchanged.

Expected Benefits:
This eliminates sync lag, prevents package version mismatches and 404 errors in CI, and simplifies the infrastructure by removing dependency on the disabled reposync service.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.