bib: fix anaconda-iso mTLS key extraction

mvo5 · ondrejbudai · commit 873234170590 · 2025-12-12T08:16:04.000Z
There was a (subtle) bug in the ibcli version of the mTLS
key exaction. It was happening too late, i.e. when the
bootc container was already unmounted.

This commit moves the extraction into the `Depsolve`
function which is run while the container is mounted
which means we can extract the mTLS config.

Note that this was not discovered earlier because we
lack and end-to-end test for RHEL based bootc images :(
diff --git a/cmd/image-builder/bib_main.go b/cmd/image-builder/bib_main.go
@@ -155,6 +155,7 @@ func bibManifestFromCobra(cmd *cobra.Command, args []string, pbar progress.Progr
 	if useLibrepo {
 		rpmDownloader = osbuild.RpmDownloaderLibrepo
 	}
+	var mTLS *mTLSConfig
 	mg, err := manifestgen.New(repos, &manifestgen.Options{
 		Cachedir: rpmCacheRoot,
 		// XXX: hack to skip repo loading for the bootc image.
@@ -168,6 +169,15 @@ func bibManifestFromCobra(cmd *cobra.Command, args []string, pbar progress.Progr
 		RpmDownloader: rpmDownloader,
 		Depsolve: func(solver *depsolvednf.Solver, cacheDir string, depsolveWarningsOutput io.Writer, packageSets map[string][]rpmmd.PackageSet, d distro.Distro, arch string) (map[string]depsolvednf.DepsolveResult, error) {
 			depsolveResult, err = manifestgen.DefaultDepsolve(solver, cacheDir, depsolveWarningsOutput, packageSets, d, arch)
+			// extracting needs to happen while container is mounted
+			depsolvedRepos := make(map[string][]rpmmd.RepoConfig)
+			for k, v := range depsolveResult {
+				depsolvedRepos[k] = v.Repos
+			}
+			mTLS, err = extractTLSKeys(depsolvedRepos)
+			if err != nil {
+				return nil, err
+			}
 			return depsolveResult, err
 		},
 		// this turns (blueprint validation) warnings into
@@ -187,15 +197,6 @@ func bibManifestFromCobra(cmd *cobra.Command, args []string, pbar progress.Progr
 		return nil, nil, err
 	}
 
-	depsolvedRepos := make(map[string][]rpmmd.RepoConfig)
-	for k, v := range depsolveResult {
-		depsolvedRepos[k] = v.Repos
-	}
-	mTLS, err := extractTLSKeys(depsolvedRepos)
-	if err != nil {
-		return nil, nil, err
-	}
-
 	return manifest, mTLS, nil
 }
 
