Set the default rhel-9 repos for 4.22 and 5.0 to 9.8

[sdodson]

The base images that ART produces for CI builds now include 9.8 content so using repos prior to 9.8 creates dependency issues.

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

Summary by CodeRabbit

• Chores
  • Updated repository configuration for RHEL 9.8 support across OpenShift 4.22 and 5.0 deployments.
  • Refreshed package source URLs and authentication methods to align with OpenShift mirror infrastructure.
  • Added new repository channels for high availability and kernel package management.

[coderabbitai]

Walkthrough

Updated two repository configuration files to target RHEL 9.8 and OCP versions 4.22 and 5.0 by renaming repo section names from rhel-9-* to rhel-9.8-*, updating mirror URLs, switching authentication from SSL certificates to username/password files, and adding new repository sections for NFV, high availability, and early kernel packages.

Changes

Cohort / File(s)

Summary

RHEL 9.8 Repository Configuration Updates core-services/release-controller/_repos/ocp-4.22-rhel9.repo, core-services/release-controller/_repos/ocp-5.0-rhel9.repo

Renamed repo sections from rhel-9-* to rhel-9.8-* across all architectures (x86_64, ppc64le, s390x, aarch64). Updated baseURLs to point to new mirror reposync endpoints. Changed authentication from SSL certificates (sslclientkey/sslclientcert) to basic auth files (username_file/password_file). Added skip_if_unavailable = true to most sections. Introduced new sections for rhel-9.8-nfv, rhel-9.8-highavailability, and rhel-9.8-early-kernel with package inclusion/exclusion filters. Version-specific OSE section names: rhel-9.8-server-ose-4.22-* (OCP 4.22) and rhel-9.8-server-ose-5.0-* (OCP 5.0).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 10

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Set the default rhel-9 repos for 4.22 and 5.0 to 9.8' accurately summarizes the main change: updating RHEL-9 repository configurations to target RHEL 9.8 for OpenShift versions 4.22 and 5.0.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	Pull request modifies only YUM/DNF repository configuration files, not any Ginkgo test suites, so this check is not applicable.
Test Structure And Quality	✅ Passed	Pull request contains only repository configuration files (.repo files), not Ginkgo test code.
Microshift Test Compatibility	✅ Passed	PR modifies only repository configuration files (.repo files), not Go test files with Ginkgo patterns. No new e2e tests are present.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies only repository configuration files (.repo files) with no Ginkgo e2e tests added or modified.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR modifies only yum/dnf repository configuration files (.repo files), which are infrastructure configuration, not Kubernetes deployment manifests, operators, or controllers. The topology-aware scheduling check does not apply to repository configuration changes.
Ote Binary Stdout Contract	✅ Passed	PR modifies only static .repo configuration files (INI-format repository metadata), not executable code or binaries, so OTE Binary Stdout Contract check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This pull request does not add any new Ginkgo e2e tests. The PR exclusively modifies two YUM/DNF repository configuration files, which are plain-text configuration files containing package repository settings, not Go test code. Since the custom check specifically applies to new Ginkgo e2e tests and this PR contains no such tests, the check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@clusters/build-clusters/common/release-controller/rpms-ocp-4.22.yaml`:
- Around line 1461-1462: The vsphere02 release-controller manifest has a repo
name mismatch (deployment id base-4-22-rhel9) where rpms-ocp-4.22.yaml mounts
ocp-4.22-rhel9.repo but the common manifest uses ocp-4.22-rhel98.repo (the same
divergence exists for 5.0); fix by regenerating the release-controller manifests
with the release-controllers generator (generate-release-controllers.py), update
the vsphere02 rpms-ocp-4.22.yaml and rpms-ocp-5.0.yaml outputs so the repo
keys/paths match the common files (ocp-4.22-rhel98.repo / ocp-5.0-rhel98.repo),
and commit the regenerated manifests.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: e913b4a5-ddc8-4181-9498-e0a3afc96f91

📥 Commits

Reviewing files that changed from the base of the PR and between 5463534 and 691c941.

📒 Files selected for processing (2)

• clusters/build-clusters/common/release-controller/rpms-ocp-4.22.yaml
• clusters/build-clusters/common/release-controller/rpms-ocp-5.0.yaml

[sdodson]

/hold

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@sdodson: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@core-services/release-controller/_repos/ocp-5.0-rhel9.repo`:
- Around line 1-2: The repo section names were renamed (e.g., [rhel-9.8-baseos],
[rhel-9.8-appstream], arch-specific variants) which breaks callers expecting the
original IDs; revert the bracketed repo IDs back to the original names
(rhel-9-baseos, rhel-9-appstream, rhel-9-fast-datapath,
rhel-9-codeready-builder-rpms and their -ppc64le/-s390x/-aarch64 variants and
server-ose names) and instead update only the baseurl/name/display lines to
point to RHEL 9.8 content so callers that enable repos by ID continue to work.
Ensure the same change is applied for the arch-specific stanzas and server-ose
entries mentioned (lines referenced around the diff).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 7743e543-e2b2-4dff-876d-f8f5a01dcfac

📥 Commits

Reviewing files that changed from the base of the PR and between 691c941 and c2c2a90.

📒 Files selected for processing (2)

• core-services/release-controller/_repos/ocp-4.22-rhel9.repo
• core-services/release-controller/_repos/ocp-5.0-rhel9.repo

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Keep the existing repo IDs unless every caller is updated.

These bracketed section names are the repo IDs. Renaming them from rhel-9-* to rhel-9.8-* / rhel-98-* makes this a breaking config change for any job that still enables repos by the old names. If the goal is only to repoint 5.0 to RHEL 9.8 content, preserve the existing IDs and only retarget the URLs/display names. The same risk repeats in the arch-specific stanzas below.

#!/bin/bash
set -euo pipefail

# Verify that nothing outside the edited repo files still refers to the old repo IDs.
rg -n -C2 --fixed-strings \
  --glob '!core-services/release-controller/_repos/ocp-5.0-rhel9.repo' \
  --glob '!core-services/release-controller/_repos/ocp-4.22-rhel9.repo' \
  -e 'rhel-9-baseos' \
  -e 'rhel-9-appstream' \
  -e 'rhel-9-fast-datapath' \
  -e 'rhel-9-codeready-builder-rpms' \
  -e 'rhel-9-baseos-ppc64le' \
  -e 'rhel-9-appstream-ppc64le' \
  -e 'rhel-9-fast-datapath-ppc64le' \
  -e 'rhel-9-codeready-builder-rpms-ppc64le' \
  -e 'rhel-9-baseos-s390x' \
  -e 'rhel-9-appstream-s390x' \
  -e 'rhel-9-fast-datapath-s390x' \
  -e 'rhel-9-codeready-builder-rpms-s390x' \
  -e 'rhel-9-baseos-aarch64' \
  -e 'rhel-9-appstream-aarch64' \
  -e 'rhel-9-fast-datapath-aarch64' \
  -e 'rhel-9-codeready-builder-rpms-aarch64' \
  -e 'rhel-9-server-ose' \
  -e 'rhel-9-server-ose-5.0' \
  -e 'rhel-9-server-ose-4.22' \
  .

# Expected result: no matches outside the edited files. Any hit here needs either
# a caller update or preservation of the old repo IDs.

Also applies to: 13-14, 62-63, 74-75

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core-services/release-controller/_repos/ocp-5.0-rhel9.repo` around lines 1 -
2, The repo section names were renamed (e.g., [rhel-9.8-baseos],
[rhel-9.8-appstream], arch-specific variants) which breaks callers expecting the
original IDs; revert the bracketed repo IDs back to the original names
(rhel-9-baseos, rhel-9-appstream, rhel-9-fast-datapath,
rhel-9-codeready-builder-rpms and their -ppc64le/-s390x/-aarch64 variants and
server-ose names) and instead update only the baseurl/name/display lines to
point to RHEL 9.8 content so callers that enable repos by ID continue to work.
Ensure the same change is applied for the arch-specific stanzas and server-ose
entries mentioned (lines referenced around the diff).

[sdodson]

I believe that this will be fine if not I'll quickly change things.

[coderabbitai]

🧩 Analysis chain

Let me run the verification script to give you a definitive answer.

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify that nothing outside the edited repo files still refers to the old repo IDs.
rg -n -C2 --fixed-strings \
  --glob '!core-services/release-controller/_repos/ocp-5.0-rhel9.repo' \
  --glob '!core-services/release-controller/_repos/ocp-4.22-rhel9.repo' \
  -e 'rhel-9-baseos' \
  -e 'rhel-9-appstream' \
  -e 'rhel-9-fast-datapath' \
  -e 'rhel-9-codeready-builder-rpms' \
  -e 'rhel-9-server-ose' \
  . || echo "No matches found - old repo IDs are not referenced elsewhere."

Length of output: 197880

---

@sdodson, ran the verification — you're right. The search found many references to rhel-9-* IDs elsewhere, but none of them are external consumers of the specific ocp-5.0-rhel9.repo or ocp-4.22-rhel9.repo files changed in this PR. The hits fall into three safe categories:

1. Other branch-specific .repo files (ocp-4.16-rhel9.repo, ocp-4.17-rhel9.repo, etc.) — independent files for different branches, completely unaffected.
2. workers-rhel-repos-commands.sh — generates its own separate repo files using templated names and ci-deps-path URLs, not consuming the release-controller repos.
3. openshift-ansible ci-operator configs — inline heredoc definitions pointing to http://base-4-16-rhel9.ocp.svc/rhel-9-server-ose, a different internal service endpoint entirely.

No script or job was found that explicitly enables repos by the old IDs (rhel-9-baseos, rhel-9-appstream, etc.) from the 4.22/5.0 release-controller repo files. The change looks safe. 👍

[sdodson]

@danilo-gemoli Do you know if this is a valid concern?

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

[danilo-gemoli]

I didn't recall us having such a issue in the past, I'll LGTM this.

[danilo-gemoli]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danilo-gemoli, sdodson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• core-services/release-controller/OWNERS [danilo-gemoli]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sdodson]

/hold cancel

[openshift-ci]

@sdodson: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

@sdodson: Updated the following 14 configmaps:

• base-repos configmap in namespace ocp at cluster build01 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build06 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build02 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build03 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build04 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build05 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build10 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster core-ci using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster app.ci using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build07 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build08 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build09 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster build11 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo
• base-repos configmap in namespace ocp at cluster vsphere02 using the following files:
  • key ocp-4.22-rhel9.repo using file core-services/release-controller/_repos/ocp-4.22-rhel9.repo
  • key ocp-5.0-rhel9.repo using file core-services/release-controller/_repos/ocp-5.0-rhel9.repo

Details

In response to this:

The base images that ART produces for CI builds now include 9.8 content so using repos prior to 9.8 creates dependency issues.

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

Summary by CodeRabbit

• Chores
• Updated repository configuration for RHEL 9.8 support across OpenShift 4.22 and 5.0 deployments.
• Refreshed package source URLs and authentication methods to align with OpenShift mirror infrastructure.
• Added new repository channels for high availability and kernel package management.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.