Fix flatpak domain compatibility and CI TLS setup

- Add domain prefix to flatpak index Name field via get_full_path
- Fix FlatpakIndexStaticCache key to include host, preventing cross-domain cache collisions
- Fix OS/architecture filters being silently dropped in recurse_through_manifest_lists
- Make test_flatpak_install domain-aware using the full_path fixture
- Fix CI TLS setup to use cp + update-ca-trust extract so flatpak/OSTree trusts the Pulp CA

Made-with: Cursor

Author: gerrod3

.github/workflows/scripts/post_before_script.sh

@@ -2,13 +2,10 @@ SCENARIOS=("pulp" "performance" "azure" "gcp" "s3" "generate-bindings" "lowerbou
 if [[ " ${SCENARIOS[*]} " =~ " ${TEST} " ]]; then
   # Needed by pulp_container/tests/functional/api/test_flatpak.py:
   cmd_prefix dnf install -yq dbus-daemon flatpak
-fi
 
-# This allows flatpak to trust Pulp, but currently it breaks the trust for bindings
-# TODO: Figure out another command to fix this
-# add the copied certificates from install.sh to the container's trusted certificates list
-# if [[ "$TEST" = "azure" ]]; then
-#   cmd_prefix trust anchor /etc/pki/tls/cert.pem
-# else
-#   cmd_prefix trust anchor /etc/pulp/certs/pulp_webserver.crt
-# fi
+  # Add the Pulp CA cert to the system trust store inside the container so that
+  # flatpak/OSTree (which uses GLib/GIO) trusts the Pulp registry's TLS certificate.
+  # Using cp + update-ca-trust extract (the standard RHEL9 approach) rather than
+  # "trust anchor", which behaved unexpectedly when given the full CA bundle path.
+  cmd_prefix bash -c "cp /etc/pulp/certs/pulp_webserver.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust extract"
+fi

CHANGES/+flatpak-cache-key.bugfix

@@ -0,0 +1 @@
+Fixed a cache key collision in the flatpak static index that could serve incorrect results across domains.

CHANGES/+flatpak-domain-name.bugfix

@@ -0,0 +1 @@
+Fixed flatpak index response to include the domain prefix in image names when domains are enabled.

CHANGES/+flatpak-manifest-list-filter.bugfix

@@ -0,0 +1 @@
+Fixed OS and architecture filters being silently ignored when filtering manifest lists in the flatpak index.

pulp_container/app/cache.py

@@ -97,14 +97,15 @@ def find_base_path_cached(request, cached):
 
 class FlatpakIndexStaticCache(SyncContentCache):
     def __init__(self, expires_ttl=None, auth=None):
-        updated_keys = (QUERY_KEY,)
+        updated_keys = (CacheKeys.host, QUERY_KEY)
         super().__init__(
             base_key="/index/static", expires_ttl=expires_ttl, keys=updated_keys, auth=auth
         )
 
     def make_key(self, request):
-        """Make a key composed of the request's query."""
+        """Make a key composed of the request's host and query."""
         all_keys = {
+            CacheKeys.host: request.get_host(),
             QUERY_KEY: request.query_params.urlencode(),
         }
         key = ":".join(all_keys[k] for k in self.keys)

pulp_container/app/registry_api.py

@@ -596,9 +596,9 @@ def recurse_through_manifest_lists(self, tag, manifest, oss, architectures, mani
         elif manifest.media_type in (models.MEDIA_TYPE.MANIFEST_LIST, models.MEDIA_TYPE.INDEX_OCI):
             mlms = manifest.listed_manifests.through.objects.filter(image_manifest__pk=manifest.pk)
             if oss:
-                mlms.filter(os__in=oss)
+                mlms = mlms.filter(os__in=oss)
             if architectures:
-                mlms.filter(architecture__in=architectures)
+                mlms = mlms.filter(architecture__in=architectures)
             for mlm in mlms:
                 self.recurse_through_manifest_lists(
                     tag, mlm.manifest_list, oss, architectures, manifests
@@ -717,7 +717,7 @@ def get(self, request):
                     }
                 )
             if images:
-                results.append({"Name": distribution.base_path, "Images": images})
+                results.append({"Name": get_full_path(distribution.base_path, distribution.pulp_domain), "Images": images})
 
         host = settings.CONTENT_ORIGIN or request.get_host()
         return Response(data={"Registry": host, "Results": results})

pulp_container/tests/functional/api/test_flatpak.py

@@ -64,16 +64,21 @@ def test_flatpak_install(
     container_manifest_api,
     pulp_settings,
     bindings_cfg,
+    full_path,
 ):
     if not pulp_settings.FLATPAK_INDEX:
         pytest.skip("This test requires FLATPAK_INDEX to be enabled")
 
     image_path1 = f"{REGISTRY_V2}/pulp/oci-net.fishsoup.busyboxplatform:latest"
     registry_client.pull(image_path1)
-    local_registry.tag_and_push(image_path1, "pulptest/oci-net.fishsoup.busyboxplatform:latest")
+    local_registry.tag_and_push(
+        image_path1, full_path("pulptest/oci-net.fishsoup.busyboxplatform") + ":latest"
+    )
     image_path2 = f"{REGISTRY_V2}/pulp/oci-net.fishsoup.hello:latest"
     registry_client.pull(image_path2)
-    local_registry.tag_and_push(image_path2, "pulptest/oci-net.fishsoup.hello:latest")
+    local_registry.tag_and_push(
+        image_path2, full_path("pulptest/oci-net.fishsoup.hello") + ":latest"
+    )
     namespace = container_namespace_api.list(name="pulptest").results[0]
     add_to_cleanup(container_namespace_api, namespace.pulp_href)