From 7e2b49d8763bd9e727dcf24ff37a9f5908469dec Mon Sep 17 00:00:00 2001
From: Brian Cook
Date: Fri, 1 Nov 2024 13:31:45 -0400
Subject: [PATCH] always unregister system from red hat subscription manager
---
task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 25 +++++++++++--------
.../0.2/buildah-remote-oci-ta.yaml | 25 +++++++++++--------
task/buildah-remote/0.2/buildah-remote.yaml | 25 +++++++++++--------
task/buildah/0.2/buildah.yaml | 25 +++++++++++--------
4 files changed, 56 insertions(+), 44 deletions(-)
diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index 2813d70a0..e8610d44a 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -441,20 +441,25 @@ spec: # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced # container. - REGISTERED="false" if [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key - mkdir /shared/rhsm-tmp - VOLUME_MOUNTS+=(--volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z) + mkdir -p /shared/rhsm/etc/pki/entitlement + mkdir -p /shared/rhsm/etc/pki/consumer + + VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key + -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z + -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z) echo "Adding activation key to the build" if ! grep subscription-manager "$dockerfile_path" | grep -q register; then # user is not running registration in the Containerfile: pre-register. echo "Pre-registering with subscription manager." subscription-manager register --org "$(cat /tmp/activation-key/org)" --activationkey "$(cat /tmp/activation-key/activationkey)" - REGISTERED=$? - # copy generated certificates to /shared/rhsm-tmp - cp /etc/pki/entitlement/*.pem /shared/rhsm-tmp + trap 'subscription-manager unregister || true' EXIT + + # copy generated certificates to /shared volume + cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement + cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/run/secrets/rhsm/ca/redhat-uep.pem)
@@ -507,6 +512,9 @@ spec: command="$buildah_cmd" fi + # disable host subcription manager integration + find /usr/share/rhel/secrets -type l -exec unlink {} \; + unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command" container=$(buildah from --pull-never "$IMAGE")
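Review bot: The `trap 'subscription-manager unregister || true' EXIT` is installed right after `subscription-manager register` without looking at its exit status, and the old `REGISTERED=$?` gate is gone, so a failed registration runs straight into `cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer`, which fails on the unmatched glob with "cannot stat"; whether that aborts the build or is merely logged depends on whether the script runs under `set -e`, which is outside the hunk. I would make the failure explicit rather than rely on the later cp: `subscription-manager register --org "$(cat /tmp/activation-key/org)" --activationkey "$(cat /tmp/activation-key/activationkey)" || { echo "subscription-manager register failed" >&2; exit 1; }`. The trap also deserves a comment that it is best-effort, since an EXIT trap does not run when the pod is SIGKILLed (timeout escalation, OOM, eviction) and a stale consumer can then remain registered on the account, e.g. `# best-effort: EXIT traps do not run on SIGKILL, so a stale consumer may remain registered`. The comment above this block still describes only `/etc/pki/entitlement` as served from the shared emptydir, but the new mount also exposes `/etc/pki/consumer` (the consumer identity cert and key) to the build, presumably readable by every RUN step for the lifetime of the build, so that comment should name both paths. The same applies to the matching hunks in buildah-remote-oci-ta.yaml, buildah-remote.yaml and buildah.yaml; the enclosing `if [ -e /activation-key/org ]` block closes outside the hunk.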
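Review bot: `find /usr/share/rhel/secrets -type l -exec unlink {} \;` runs unconditionally, and `find` prints an error and exits non-zero when that directory is absent from the task image, which would abort the build if the script runs under `set -e` (not visible in the hunk). Guarding it keeps the intent explicit: `if [ -d /usr/share/rhel/secrets ]; then` / `find /usr/share/rhel/secrets -type l -exec unlink {} \;` / `fi`. The comment has a typo, `# disable host subcription manager integration` should read `# disable host subscription manager integration`, and it would help to state why the symlinks are removed — presumably so the container runtime's default secret mounts do not carry the pod's own registration into the build in addition to the explicit `VOLUME_MOUNTS` entries — because the next reader otherwise sees an unexplained deletion under `/usr`. The same hunk appears in buildah-remote-oci-ta.yaml, buildah-remote.yaml and buildah.yaml.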
@@ -527,11 +535,6 @@ spec: # Needed to generate base images SBOM echo "$BASE_IMAGES" >/shared/base_images_from_dockerfile - - # unregister pod from subscription manager - if [ "$REGISTERED" == "0" ]; then - subscription-manager unregister - fi computeResources: limits: cpu: "4"
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
index a66c5f038..b8c141324 100644
--- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
@@ -475,20 +475,25 @@ spec: # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced # container. - REGISTERED="false" if [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key - mkdir /shared/rhsm-tmp - VOLUME_MOUNTS+=(--volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z) + mkdir -p /shared/rhsm/etc/pki/entitlement + mkdir -p /shared/rhsm/etc/pki/consumer + + VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key + -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z + -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z) echo "Adding activation key to the build" if ! grep subscription-manager "$dockerfile_path" | grep -q register; then # user is not running registration in the Containerfile: pre-register. echo "Pre-registering with subscription manager." subscription-manager register --org "$(cat /tmp/activation-key/org)" --activationkey "$(cat /tmp/activation-key/activationkey)" - REGISTERED=$? - # copy generated certificates to /shared/rhsm-tmp - cp /etc/pki/entitlement/*.pem /shared/rhsm-tmp + trap 'subscription-manager unregister || true' EXIT + + # copy generated certificates to /shared volume + cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement + cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/run/secrets/rhsm/ca/redhat-uep.pem)
@@ -541,6 +546,9 @@ spec: command="$buildah_cmd" fi + # disable host subcription manager integration + find /usr/share/rhel/secrets -type l -exec unlink {} \; + unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command" container=$(buildah from --pull-never "$IMAGE")
@@ -562,11 +570,6 @@ spec: # Needed to generate base images SBOM echo "$BASE_IMAGES" >/shared/base_images_from_dockerfile - # unregister pod from subscription manager - if [ "$REGISTERED" == "0" ]; then - subscription-manager unregister - fi - buildah push "$IMAGE" "oci:konflux-final-image:$IMAGE" REMOTESSHEOF chmod +x scripts/script-build.sh
diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml
index 6e89e166d..473823696 100644
--- a/task/buildah-remote/0.2/buildah-remote.yaml
+++ b/task/buildah-remote/0.2/buildah-remote.yaml
@@ -452,20 +452,25 @@ spec: # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced # container. - REGISTERED="false" if [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key - mkdir /shared/rhsm-tmp - VOLUME_MOUNTS+=(--volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z) + mkdir -p /shared/rhsm/etc/pki/entitlement + mkdir -p /shared/rhsm/etc/pki/consumer + + VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \ + -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \ + -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z) echo "Adding activation key to the build" if ! grep subscription-manager "$dockerfile_path" | grep -q register; then # user is not running registration in the Containerfile: pre-register. echo "Pre-registering with subscription manager." subscription-manager register --org "$(cat /tmp/activation-key/org)" --activationkey "$(cat /tmp/activation-key/activationkey)" - REGISTERED=$? - # copy generated certificates to /shared/rhsm-tmp - cp /etc/pki/entitlement/*.pem /shared/rhsm-tmp + trap 'subscription-manager unregister || true' EXIT + + # copy generated certificates to /shared volume + cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement + cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/run/secrets/rhsm/ca/redhat-uep.pem)
@@ -518,6 +523,9 @@ spec: command="$buildah_cmd" fi + # disable host subcription manager integration + find /usr/share/rhel/secrets -type l -exec unlink {} \; + unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command" container=$(buildah from --pull-never "$IMAGE")
@@ -539,11 +547,6 @@ spec: # Needed to generate base images SBOM echo "$BASE_IMAGES" > /shared/base_images_from_dockerfile - # unregister pod from subscription manager - if [ "$REGISTERED" == "0" ]; then - subscription-manager unregister - fi - buildah push "$IMAGE" "oci:konflux-final-image:$IMAGE" REMOTESSHEOF chmod +x scripts/script-build.sh
diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml
index 5570efe64..467ecd5b9 100644
--- a/task/buildah/0.2/buildah.yaml
+++ b/task/buildah/0.2/buildah.yaml
@@ -373,20 +373,25 @@ spec: # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced # container. - REGISTERED="false" if [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key - mkdir /shared/rhsm-tmp - VOLUME_MOUNTS+=(--volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z) + mkdir -p /shared/rhsm/etc/pki/entitlement + mkdir -p /shared/rhsm/etc/pki/consumer + + VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \ + -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \ + -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z) echo "Adding activation key to the build" if ! grep subscription-manager "$dockerfile_path" | grep -q register; then # user is not running registration in the Containerfile: pre-register. echo "Pre-registering with subscription manager." subscription-manager register --org "$(cat /tmp/activation-key/org)" --activationkey "$(cat /tmp/activation-key/activationkey)" - REGISTERED=$? - # copy generated certificates to /shared/rhsm-tmp - cp /etc/pki/entitlement/*.pem /shared/rhsm-tmp + trap 'subscription-manager unregister || true' EXIT + + # copy generated certificates to /shared volume + cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement + cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/run/secrets/rhsm/ca/redhat-uep.pem)
@@ -439,6 +444,9 @@ spec: command="$buildah_cmd" fi + # disable host subcription manager integration + find /usr/share/rhel/secrets -type l -exec unlink {} \; + unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command" container=$(buildah from --pull-never "$IMAGE")
@@ -460,11 +468,6 @@ spec: # Needed to generate base images SBOM echo "$BASE_IMAGES" > /shared/base_images_from_dockerfile - # unregister pod from subscription manager - if [ "$REGISTERED" == "0" ]; then - subscription-manager unregister - fi - securityContext: capabilities: add: