internal/osbuild: contenturl and rhsm secrets for ostree sources

Schutzfile

@@ -2,7 +2,7 @@
   "fedora-35": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     },
     "repos": [
@@ -79,7 +79,7 @@
   "fedora-36": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     },
     "repos": [
@@ -156,7 +156,7 @@
   "fedora-37": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     },
     "repos": [
@@ -233,21 +233,21 @@
   "rhel-8.4": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     }
   },
   "rhel-8.6": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     }
   },
   "rhel-8.7": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     },
     "repos": [
@@ -334,14 +334,14 @@
   "rhel-9.0": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     }
   },
   "rhel-9.1": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     },
     "repos": [
@@ -428,21 +428,21 @@
   "centos-8": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     }
   },
   "centos-9": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     }
   },
   "centos-stream-9": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     },
     "repos": [
@@ -488,7 +488,7 @@
   "centos-stream-8": {
     "dependencies": {
       "osbuild": {
-        "commit": "8a7b6d382de16b7be30c4d37e10f24c416a294f8"
+        "commit": "976fbe178ac66ee0ba64c983d754dc4672921958"
       }
     },
     "repos": [

internal/distro/distro.go

@@ -131,8 +131,8 @@ type ImageOptions struct {
 	Facts        *FactsImageOptions
 }
 
-// The OSTreeImageOptions specify an ostree ref, checksum, and URL. The meaning
-// of each parameter depends on the image type being built.
+// The OSTreeImageOptions specify an ostree ref, checksum, URL, ContentURL, and RHSM. The meaning of
+// each parameter depends on the image type being built.
 type OSTreeImageOptions struct {
 	// For ostree commit and container types: The ref of the new commit to be
 	// built.
@@ -148,6 +148,13 @@ type OSTreeImageOptions struct {
 
 	// The URL from which to fetch the commit specified by the checksum.
 	URL string
+
+	// If specified, the URL will be used only for metadata.
+	ContentURL string
+
+	// Indicate if the 'org.osbuild.rhsm.consumer' secret should be added when pulling from the
+	// remote.
+	RHSM bool
 }
 
 // The SubscriptionImageOptions specify subscription-specific image options

internal/distro/fedora/images.go

@@ -196,6 +196,7 @@ func iotCommitImage(workload workload.Workload,
 		img.OSTreeParent = &ostree.CommitSpec{
 			Checksum:   options.OSTree.FetchChecksum,
 			URL:        options.OSTree.URL,
+			ContentURL: options.OSTree.ContentURL,
 		}
 	}
 
@@ -225,6 +226,7 @@ func iotContainerImage(workload workload.Workload,
 		img.OSTreeParent = &ostree.CommitSpec{
 			Checksum:   options.OSTree.FetchChecksum,
 			URL:        options.OSTree.URL,
+			ContentURL: options.OSTree.ContentURL,
 		}
 	}
 
@@ -249,6 +251,7 @@ func iotInstallerImage(workload workload.Workload,
 	commit := ostree.CommitSpec{
 		Ref:        options.OSTree.ImageRef,
 		URL:        options.OSTree.URL,
+		ContentURL: options.OSTree.ContentURL,
 		Checksum:   options.OSTree.FetchChecksum,
 	}
 	img := image.NewOSTreeInstaller(commit)
@@ -280,6 +283,7 @@ func iotRawImage(workload workload.Workload,
 	commit := ostree.CommitSpec{
 		Ref:        options.OSTree.ImageRef,
 		URL:        options.OSTree.URL,
+		ContentURL: options.OSTree.ContentURL,
 		Checksum:   options.OSTree.FetchChecksum,
 	}
 	img := image.NewOSTreeRawImage(commit)

internal/distro/rhel8/distro.go

@@ -548,7 +548,11 @@ func (t *imageType) Manifest(customizations *blueprint.Customizations,
 	// handle OSTree commit inputs
 	var commits []ostree.CommitSpec
 	if options.OSTree.FetchChecksum != "" && options.OSTree.URL != "" {
-		commits = []ostree.CommitSpec{{Checksum: options.OSTree.FetchChecksum, URL: options.OSTree.URL}}
+		commit := ostree.CommitSpec{Checksum: options.OSTree.FetchChecksum, URL: options.OSTree.URL, ContentURL: options.OSTree.ContentURL}
+		if options.OSTree.RHSM {
+			commit.Secrets = "org.osbuild.rhsm.consumer"
+		}
+		commits = []ostree.CommitSpec{commit}
 	}
 
 	// handle inline sources

internal/distro/rhel9/distro.go

@@ -514,7 +514,11 @@ func (t *imageType) Manifest(customizations *blueprint.Customizations,
 	// handle OSTree commit inputs
 	var commits []ostree.CommitSpec
 	if options.OSTree.FetchChecksum != "" && options.OSTree.URL != "" {
-		commits = []ostree.CommitSpec{{Checksum: options.OSTree.FetchChecksum, URL: options.OSTree.URL}}
+		commit := ostree.CommitSpec{Checksum: options.OSTree.FetchChecksum, URL: options.OSTree.URL, ContentURL: options.OSTree.ContentURL}
+		if options.OSTree.RHSM {
+			commit.Secrets = "org.osbuild.rhsm.consumer"
+		}
+		commits = []ostree.CommitSpec{commit}
 	}
 
 	// handle inline sources

internal/osbuild/ostree_source.go

@@ -14,6 +14,12 @@ type OSTreeSourceItem struct {
 type OSTreeSourceRemote struct {
 	// URL of the repository.
 	URL        string `json:"url"`
+	ContentURL string `json:"contenturl,omitempty"`
 	// GPG keys to verify the commits
 	GPGKeys []string                   `json:"gpgkeys,omitempty"`
+	Secrets *OSTreeSourceRemoteSecrets `json:"secrets,omitempty"`
+}
+
+type OSTreeSourceRemoteSecrets struct {
+	Name string `json:"name"`
 }

internal/osbuild/source.go

@@ -80,6 +80,12 @@ func GenSources(packages []rpmmd.PackageSpec, ostreeCommits []ostree.CommitSpec,
 	for _, commit := range ostreeCommits {
 		item := new(OSTreeSourceItem)
 		item.Remote.URL = commit.URL
+		item.Remote.ContentURL = commit.ContentURL
+		if commit.Secrets == "org.osbuild.rhsm.consumer" {
+			item.Remote.Secrets = &OSTreeSourceRemoteSecrets{
+				Name: "org.osbuild.rhsm.consumer",
+			}
+		}
 		ostree.Items[commit.Checksum] = *item
 	}
 	if len(ostree.Items) > 0 {

internal/ostree/ostree.go

@@ -27,6 +27,10 @@ type CommitSpec struct {
 	// URL of the repo where the commit can be fetched, if available.
 	URL string
 
+	ContentURL string
+
+	Secrets string
+
 	// Checksum of the commit.
 	Checksum string
 }

osbuild-composer.spec

@@ -306,10 +306,10 @@ The core osbuild-composer binary. This is suitable both for spawning in containe
 Summary:    The worker for osbuild-composer
 Requires:   systemd
 Requires:   qemu-img
-Requires:   osbuild >= 69
-Requires:   osbuild-ostree >= 69
-Requires:   osbuild-lvm2 >= 69
-Requires:   osbuild-luks2 >= 69
+Requires:   osbuild >= 70
+Requires:   osbuild-ostree >= 70
+Requires:   osbuild-lvm2 >= 70
+Requires:   osbuild-luks2 >= 70
 Requires:   %{name}-dnf-json = %{version}-%{release}
 
 %description worker