From 499eb7492b62f5e7ae215f0b1612c232dd39fa4f Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Thu, 11 Dec 2025 14:47:50 +0100
Subject: [PATCH] bib: fix anaconda-iso mTLS key extraction

There was a (subtle) bug in the ibcli version of the mTLS key exaction. It was happening too late, i.e. when the bootc container was already unmounted. This commit moves the extraction into the `Depsolve` function which is run while the container is mounted which means we can extract the mTLS config. Note that this was not discovered earlier because we lack and end-to-end test for RHEL based bootc images :(
---
 cmd/image-builder/bib_main.go | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/cmd/image-builder/bib_main.go b/cmd/image-builder/bib_main.go
index 6df44eda..e9543af5 100644
--- cmd/image-builder/bib_main.go
+++ cmd/image-builder/bib_main.go
@@ -160,6 +160,7 @@ func bibManifestFromCobraFor(imgref, buildImgref, installerPayloadRef, imgTypeSt
 if useLibrepo {
 rpmDownloader = osbuild.RpmDownloaderLibrepo
 }
+ var mTLS *mTLSConfig
 mg, err := manifestgen.New(repos, &manifestgen.Options{
 // XXX: hack to skip repo loading for the bootc image.
 // We need to add a SkipRepositories or similar to
@@ -172,6 +173,15 @@ func bibManifestFromCobraFor(imgref, buildImgref, installerPayloadRef, imgTypeSt
 RpmDownloader: rpmDownloader,
 Depsolve: func(solver *depsolvednf.Solver, cacheDir string, depsolveWarningsOutput io.Writer, packageSets map[string][]rpmmd.PackageSet, d distro.Distro, arch string) (map[string]depsolvednf.DepsolveResult, error) {
 depsolveResult, err = manifestgen.DefaultDepsolve(solver, cacheDir, depsolveWarningsOutput, packageSets, d, arch)
+ // extracting needs to happen while container is mounted
+ depsolvedRepos := make(map[string][]rpmmd.RepoConfig)
+ for k, v := range depsolveResult {
+ depsolvedRepos[k] = v.Repos
+ }
+ mTLS, err = extractTLSKeys(depsolvedRepos)
+ if err != nil {
+ return nil, err
+ }
 return depsolveResult, err
 },
 // this turns (blueprint validation) warnings into
@@ -191,15 +201,6 @@ func bibManifestFromCobraFor(imgref, buildImgref, installerPayloadRef, imgTypeSt
 return nil, nil, err
 }
- depsolvedRepos := make(map[string][]rpmmd.RepoConfig)
- for k, v := range depsolveResult {
- depsolvedRepos[k] = v.Repos
- }
- mTLS, err := extractTLSKeys(depsolvedRepos)
- if err != nil {
- return nil, nil, err
- }
-
 return manifest, mTLS, nil
 }
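Review bot: The error returned by `manifestgen.DefaultDepsolve` in the `Depsolve` closure is never checked before `mTLS, err = extractTLSKeys(depsolvedRepos)` overwrites it. If depsolving fails and key extraction over the (presumably empty) result succeeds, the closure returns a nil error and the failure is lost; `err` and `depsolveResult` are assigned with `=`, so they appear to be captured from the enclosing function and are overwritten as well. Add `if err != nil { return nil, err }` directly after the `DefaultDepsolve` call and end the closure with `return depsolveResult, nil`. Because `mTLS` carries client key material out of the mounted container through a captured variable, a short comment stating that the closure is expected to run exactly once would also help; the enclosing function starts and ends outside this hunk.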