mockgen deprecated: use uber-go/mock instead

.tekton/appliance-pull-request.yaml

@@ -229,7 +229,7 @@ spec:
         - name: name
           value: buildah-remote-oci-ta
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.6@sha256:ac05dabe8b6b446f974cf2b6ef1079cfaa9443d7078c2ebe3ec79aa650e1b5b2
+          value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.6@sha256:b7b13a3c812daf08c7c92bbededc0c0bc1a63b64f7f6949b04c228bf383fb5da
         - name: kind
           value: task
         resolver: bundles
@@ -453,7 +453,7 @@ spec:
         - name: name
           value: rpms-signature-scan
         - name: bundle
-          value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:78c8d7960c6db284356d94aaae64d1fca34fff4de6a6e20d897a088af0c81cf5
+          value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:0b10508c82ccb0f5a06a66ce7af56e9bfd40651ddefdf0f499988e897771ee28
         - name: kind
           value: task
         resolver: bundles

.tekton/appliance-push.yaml

@@ -226,7 +226,7 @@ spec:
         - name: name
           value: buildah-remote-oci-ta
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.6@sha256:ac05dabe8b6b446f974cf2b6ef1079cfaa9443d7078c2ebe3ec79aa650e1b5b2
+          value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.6@sha256:b7b13a3c812daf08c7c92bbededc0c0bc1a63b64f7f6949b04c228bf383fb5da
         - name: kind
           value: task
         resolver: bundles
@@ -450,7 +450,7 @@ spec:
         - name: name
           value: rpms-signature-scan
         - name: bundle
-          value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:78c8d7960c6db284356d94aaae64d1fca34fff4de6a6e20d897a088af0c81cf5
+          value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:0b10508c82ccb0f5a06a66ce7af56e9bfd40651ddefdf0f499988e897771ee28
         - name: kind
           value: task
         resolver: bundles

Dockerfile.openshift-appliance

@@ -1,5 +1,5 @@
 # Build appliance
-FROM registry.access.redhat.com/ubi9/go-toolset:1.24 AS builder
+FROM registry.access.redhat.com/ubi9/go-toolset:1.25 AS builder
 COPY go.mod go.mod
 COPY go.sum go.sum
 RUN go mod download
@@ -10,7 +10,7 @@ RUN cd cmd && CGO_ENABLED=1 GOFLAGS="" GO111MODULE=on go build -o /tmp/openshift
 RUN cd registry && CGO_ENABLED=1 GOFLAGS="" GO111MODULE=on go build -o /tmp/registry
 
 # Create final image
-FROM registry.access.redhat.com/ubi9/ubi:9.6-1760340943
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7
 
 # Create/Mount assets 
 ARG ASSETS_DIR=/assets
@@ -19,7 +19,9 @@ VOLUME $ASSETS_DIR
 ENV ASSETS_DIR=$ASSETS_DIR
 
 # Install skopeo/podman/libguestfs
-RUN dnf -y install skopeo podman guestfs-tools genisoimage coreos-installer syslinux && dnf clean all
+RUN DNF=$(command -v microdnf || command -v dnf) && \
+    $DNF -y install skopeo podman guestfs-tools genisoimage coreos-installer syslinux && \
+    $DNF clean all
 
 # Config libguestfs
 ENV LIBGUESTFS_BACKEND=direct

Dockerfile.openshift-appliance-build

@@ -1,8 +1,8 @@
-FROM registry.access.redhat.com/ubi9/go-toolset:1.24 AS golang
+FROM registry.access.redhat.com/ubi9/go-toolset:1.25 AS golang
 
 ENV GOFLAGS=""
 
-RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.64.8 && \
+RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.7.2 && \
         go install golang.org/x/tools/cmd/goimports@v0.1.0 && \
         go install github.com/onsi/ginkgo/ginkgo@v1.16.1 && \
         go install github.com/golang/mock/mockgen@v1.6.0 && \

Dockerfile.openshift-appliance.ds

@@ -1,5 +1,5 @@
 # Build appliance
-FROM registry.access.redhat.com/ubi9/go-toolset:1.24 AS builder
+FROM registry.access.redhat.com/ubi9/go-toolset:1.25 AS builder
 COPY go.mod go.mod
 COPY go.sum go.sum
 RUN go mod download
@@ -16,7 +16,7 @@ FROM registry.redhat.io/openshift4/ose-cli AS oc
 FROM registry.redhat.io/openshift4/oc-mirror-plugin-rhel9 AS oc-mirror
 
 # Create final image
-FROM registry.access.redhat.com/ubi9/ubi:9.6-1760340943
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7
 
 # Create/Mount assets 
 ARG ASSETS_DIR=/assets
@@ -25,7 +25,7 @@ VOLUME $ASSETS_DIR
 ENV ASSETS_DIR=$ASSETS_DIR
 
 # Install skopeo/podman/libguestfs
-RUN dnf -y install skopeo podman guestfs-tools genisoimage coreos-installer syslinux && dnf clean all
+RUN microdnf -y install skopeo podman guestfs-tools genisoimage coreos-installer syslinux && microdnf clean all
 
 # Config libguestfs
 ENV LIBGUESTFS_BACKEND=direct

data/scripts/bin/deploy.sh.template

@@ -20,7 +20,13 @@ output_issue=/etc/issue.d/90_output.issue
 printf '\\e{yellow}Preparing to start appliance disk image cloning...\\e{reset}\n' | tee $prepare_issue
 
 # Load appliance image
-podman load -q -i /run/media/iso/deploy/{{.ApplianceImageTar}}
+podman load -i /run/media/iso/deploy/{{.ApplianceImageTar}}
+
+# Tag the loaded image to a consistent name
+IMAGE_ID=$(podman images --quiet | head -1)
+podman tag "$IMAGE_ID" {{.ApplianceImageName}}
+
+printf '\\e{cyan}Tagged appliance image: {{.ApplianceImageName}}\\e{reset}\n'
 
 # Create a loop device for each appliance part
 APPLIANCE_FILES="/run/media/iso/deploy/{{.ApplianceFileName}}*"
@@ -44,14 +50,44 @@ done
 ) | dmsetup create appliance
 
 rm -rf $prepare_issue
-printf '\\e{cyan}Cloning appliance disk image to {{.TargetDevice}}...\\e{reset}\n' | tee $start_issue
+
+# Resolve target device path (handles symlinks like /dev/disk/by-path/*)
+TARGET_DEVICE="{{.TargetDevice}}"
+
+# Wait for udev to settle and ensure all disk symlinks are created
+udevadm settle --timeout=60
+
+# Wait for the target device to become available (up to 60 seconds)
+wait_count=0
+while [ ! -e "$TARGET_DEVICE" ] && [ $wait_count -lt 30 ]; do
+  printf '\\e{yellow}Waiting for target device %s to become available...\\e{reset}\n' "$TARGET_DEVICE"
+  udevadm settle --timeout=5
+  sleep 2
+  ((wait_count++))
+done
+
+if [ ! -e "$TARGET_DEVICE" ]; then
+  printf '\\e{red}Error: Target device %s not found after waiting.\\e{reset}\n' "$TARGET_DEVICE" | tee $clone_issue
+  printf '\\e{red}\nAppliance disk image cloning failed.\\e{reset}\n' | tee $done_issue
+  agetty --reload
+  exit 1
+fi
+
+# If the target device is a symlink, resolve it to the actual device
+if [ -L "$TARGET_DEVICE" ]; then
+  RESOLVED_DEVICE=$(readlink -f "$TARGET_DEVICE")
+  printf '\\e{cyan}Resolved symlink %s -> %s\\e{reset}\n' "$TARGET_DEVICE" "$RESOLVED_DEVICE"
+  TARGET_DEVICE="$RESOLVED_DEVICE"
+fi
+
+printf '\\e{cyan}Cloning appliance disk image to %s...\\e{reset}\n' "$TARGET_DEVICE" | tee $start_issue
 
 # Run virt-resize
 sparse="--no-sparse"
 if [ "{{.SparseClone}}" = "true" ]; then
   sparse=""
 fi
-podman run --rm -t --privileged --entrypoint virt-resize {{.ApplianceImageName}} --expand /dev/sda4 /dev/dm-0 {{.TargetDevice}} $sparse 2>&1 | tee $clone_issue
+podman run --rm -t --privileged --pull=never --entrypoint virt-resize {{.ApplianceImageName}} --expand /dev/sda4 /dev/dm-0 "$TARGET_DEVICE" $sparse 2>&1 | tee $clone_issue
 
 # Handle clone failure/success
 if [ "$?" -eq 0 ]; then

data/scripts/bin/load-registry-image.sh.template

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# Source registry environment variables
+source /etc/assisted/registry.env
+
+# Load registry image from dir format
+podman pull dir:/mnt/agentdata/images/{{.RegistryFilePath}}
+
+# Tag the pulled image with the reference from REGISTRY_IMAGE
+# The dir: transport doesn't automatically create tags, so we must tag explicitly
+if [[ "$REGISTRY_IMAGE" == *"@sha256:"* ]]; then
+    # When using OCP docker-registry image from the release payload, REGISTRY_IMAGE contains
+    # a digest reference (e.g., registry.ci.openshift.org/ocp/4.21-2025-12-15-160423@sha256:abc123...)
+    # We need to tag it with :latest so that podman run can reference the original digest.
+    # This is because:
+    # 1. The dir: transport preserves the digest but podman pull doesn't create a :latest tag automatically
+    # 2. podman run with containers-storage: requires a tag reference to resolve the digest
+    # 3. By tagging as <base-image>:latest, podman can resolve the original @sha256:... reference
+    # 4. The digest ensures we're tagging the exact image that was pulled from the release
+
+    # Extract base image name (everything before @sha256:)
+    BASE_IMAGE="${REGISTRY_IMAGE%@sha256:*}"
+    # Extract the digest (everything after @)
+    DIGEST="${REGISTRY_IMAGE#*@}"
+    # Get the image ID that matches this digest
+    IMAGE_ID=$(podman images --digests --filter "digest=${DIGEST}" --format '{{"{{"}} .ID {{"}}"}}')
+
+    if [[ -n "$IMAGE_ID" ]]; then
+        # Tag the pulled image with :latest using the image ID
+        podman tag "$IMAGE_ID" "${BASE_IMAGE}:latest"
+        echo "Tagged registry image $IMAGE_ID (digest: $DIGEST) as ${BASE_IMAGE}:latest"
+    else
+        echo "Warning: Could not find image with digest $DIGEST"
+    fi
+else
+    # REGISTRY_IMAGE without digest (e.g., localhost/registry:latest for internally built registry)
+    # Tag the most recently pulled image with the REGISTRY_IMAGE reference
+    IMAGE_ID=$(podman images -q --no-trunc | head -1)
+    if [[ -n "$IMAGE_ID" ]]; then
+        podman tag "$IMAGE_ID" "$REGISTRY_IMAGE"
+        echo "Tagged registry image $IMAGE_ID as $REGISTRY_IMAGE"
+    else
+        echo "Warning: Could not find recently pulled image to tag"
+    fi
+fi

data/scripts/bin/mount-agent-data.sh.template

@@ -1,13 +1,15 @@
 #!/usr/bin/env bash
 
 ISO_DIR=/run/media/iso
+REGISTRY_DATA_DIR=/var/lib/iri-registry
+
 # The name must NOT start with "agent"
-DEV_NAME=ocpregistrydata
+DEV_NAME=ocp-registry-data
 MNT_DIR=/mnt/agentdata
+DATA_FILES=$ISO_DIR/registry/data*
 
 create_data_device() {
     # Create a loop device for each data file part
-    DATA_FILES="$ISO_DIR/data/data*"
     loop_sizes=()
     for f in $DATA_FILES
     do
@@ -36,15 +38,24 @@ wait_for_iso_mount() {
 }
 
 mount_registry_data_iso() {
-    registry_data_iso=/home/core/registry_data.iso
+    # Mount the registry data directory if exists (>=4.21)
+    if [ -d "$REGISTRY_DATA_DIR" ]; then
+        # Create a symlink to the registry data directory if it doesn't exist
+        if [ ! -L "$MNT_DIR" ]; then
+            rm -rf $MNT_DIR
+            ln -s $REGISTRY_DATA_DIR $MNT_DIR
+        fi
+        return
+    fi
 
     # If the registry data iso does not exist, create it
+    registry_data_iso=/home/core/registry_data.iso
     if [ ! -f "$registry_data_iso" ]; then
         # Wait for the mount to be ready
         wait_for_iso_mount
 
-        # Create the registry data iso
-        cat $ISO_DIR/data/data* > $registry_data_iso
+        # Copy the registry data iso to the disk
+        cat $DATA_FILES > $registry_data_iso
     fi
 
     # Mount the registry data iso
@@ -61,10 +72,10 @@ if [ "{{.IsLiveISO}}" = "true" ]; then
         # Create virtual device for the registry data
         create_data_device
 
-        # Mount data iso
+        # Mount data device
         mount -o ro "/dev/mapper/${DEV_NAME}" $MNT_DIR
     else
-        # Mount the registry data iso
+        # Mount the registry data iso (copy from media to disk if necessary)
         mount_registry_data_iso
     fi
 else # Disk image mode

data/scripts/bin/reconfigure-local-registry-iri-tls.sh.template

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+set -e
+
+CERT_PATH="/opt/openshift/tls/internal-release-image.crt"
+KEY_PATH="/opt/openshift/tls/internal-release-image.key"
+DEST_DIR="/etc/iri-registry/certs"
+REGISTRY_SERVICE="start-local-registry.service"
+
+echo "IRI TLS certificate and key detected"
+
+# Verify both files exist and have content
+if [[ ! -f "${CERT_PATH}" ]]; then
+    echo "Error: Certificate not found at ${CERT_PATH}"
+    exit 1
+fi
+
+if [[ ! -s "${CERT_PATH}" ]]; then
+    echo "Error: Certificate file is empty at ${CERT_PATH}"
+    exit 1
+fi
+
+if [[ ! -f "${KEY_PATH}" ]]; then
+    echo "Error: Key not found at ${KEY_PATH}"
+    exit 1
+fi
+
+if [[ ! -s "${KEY_PATH}" ]]; then
+    echo "Error: Key file is empty at ${KEY_PATH}"
+    exit 1
+fi
+
+echo "Copying IRI TLS certificate and key to ${DEST_DIR}..."
+
+# Copy the certificate and key
+cp "${CERT_PATH}" "${DEST_DIR}/tls.crt"
+cp "${KEY_PATH}" "${DEST_DIR}/tls.key"
+
+# Set appropriate permissions
+chmod 644 "${DEST_DIR}/tls.crt"
+chmod 600 "${DEST_DIR}/tls.key"
+
+echo "Restarting ${REGISTRY_SERVICE}..."
+systemctl restart "${REGISTRY_SERVICE}"
+
+echo "Registry successfully reconfigured with IRI TLS certificate"
+
+# Disable the path unit to prevent retriggering
+echo "Disabling watch-iri-tls-certs.path to prevent retriggering..."
+systemctl disable --now watch-iri-tls-certs.path

data/scripts/bin/set-env-files.sh.template

@@ -4,7 +4,7 @@ assistedServiceEnvFile=/usr/local/share/assisted-service/assisted-service.env
 imagesEnvFile=/usr/local/share/assisted-service/images.env
 
 # Add registry domain to assisted-service.env
-sed -i 's/PUBLIC_CONTAINER_REGISTRIES=.*/&,{{.RegistryDomain}}:5000/g' $assistedServiceEnvFile
+sed -i 's/PUBLIC_CONTAINER_REGISTRIES=.*/&,{{.RegistryDomain}}:22625/g' $assistedServiceEnvFile
 
 # Set RELEASE_IMAGES in assisted-service.env
 sed -i '/^RELEASE_IMAGES/s|=.*$|={{.ReleaseImages}}|' $assistedServiceEnvFile

data/scripts/bin/setup-local-registry.sh.template

@@ -2,22 +2,29 @@
 
 source "mount-agent-data.sh"
 
-# Load registry image
-podman load -q -i /mnt/agentdata/images/{{.RegistryFilePath}}
+# Load and tag the registry image
+source "load-registry-image.sh"
 
 # Create certificate for the local registry
-mkdir -p /tmp/certs
-openssl req -newkey rsa:4096 -nodes -sha256 -keyout /tmp/certs/domain.key \
-    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN={{.RegistryDomain}}" \
-    -addext "subjectAltName=DNS:{{.RegistryDomain}},DNS:quay.io" \
-    -x509 -days 36500 -out /tmp/certs/domain.crt
+mkdir -p /etc/iri-registry/certs
+
+# Only generate self-signed certs if they don't already exist (e.g., from IRI TLS)
+if [[ ! -s /etc/iri-registry/certs/tls.crt ]] || [[ ! -s /etc/iri-registry/certs/tls.key ]]; then
+    echo "Generating self-signed certificate for local registry"
+    openssl req -newkey rsa:4096 -nodes -sha256 -keyout /etc/iri-registry/certs/tls.key \
+        -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN={{.RegistryDomain}}" \
+        -addext "subjectAltName=DNS:{{.RegistryDomain}},DNS:quay.io" \
+        -x509 -days 36500 -out /etc/iri-registry/certs/tls.crt
+else
+    echo "Using existing certificates at /etc/iri-registry/certs/"
+fi
 
 # Apply certificates
-mkdir -p /etc/docker/certs.d/{{.RegistryDomain}}:5000
-mkdir -p /etc/containers/certs.d/{{.RegistryDomain}}:5000
-cp /tmp/certs/domain.crt /etc/docker/certs.d/{{.RegistryDomain}}:5000
-cp /tmp/certs/domain.crt /etc/containers/certs.d/{{.RegistryDomain}}:5000
-cp /tmp/certs/domain.crt /etc/pki/ca-trust/source/anchors/
+mkdir -p /etc/docker/certs.d/{{.RegistryDomain}}:22625
+mkdir -p /etc/containers/certs.d/{{.RegistryDomain}}:22625
+cp /etc/iri-registry/certs/tls.crt /etc/docker/certs.d/{{.RegistryDomain}}:22625
+cp /etc/iri-registry/certs/tls.crt /etc/containers/certs.d/{{.RegistryDomain}}:22625
+cp /etc/iri-registry/certs/tls.crt /etc/pki/ca-trust/source/anchors/
 update-ca-trust extract
 
 # Config registry local dns

data/services/bootstrap/update-hosts.service

@@ -1,7 +1,6 @@
 [Unit]
 Description=Service that updates ignition on all hosts
-Wants=network-online.target
-Requires=apply-host-config.service
+Wants=network-online.target apply-host-config.service
 After=network-online.target apply-host-config.service
 ConditionPathExists=/etc/assisted/node0
 

data/services/install/reconfigure-local-registry-iri-tls.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Reconfigure local registry with IRI TLS certificate
+After=start-local-registry.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/reconfigure-local-registry-iri-tls.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target