Apollo, Errata, & You: a CIQ OSPO request for comment

damangold · September 4, 2025, 11:23am

I wanted to check if there had been any progress or news. Is there anything we can do to help? And of course, thank you very much for your work.

leigh · September 4, 2025, 4:59pm

Hi!

Yes, @sthornton has done a lot of work here so that when Apollo runs, errata is correctly processed. The next step was to make it easier and faster to run Apollo, and Sam just submitted a PR for exactly that. You can have a look at this here:

github.com/resf/distro-tools

Feature/api workflow triggers

main ← rockythorn:feature/api-workflow-triggers

opened 08:18PM - 02 Sep 25 UTC

rockythorn

+2973 -17

# Apollo Production Workflow API & Admin Interface Enhancements ## 📋 Summary … This PR introduces a comprehensive API key authentication system and admin interface for Apollo, enabling secure programmatic access to workflow management and database operations. The changes span 6 commits and add significant new functionality while maintaining backward compatibility. ## 🚀 New Features ### 1. API Key Authentication System - **Secure API key generation** with `apollo_sk_` prefix and bcrypt hashing - **Permission-based access control** (workflow:trigger, workflow:status, *) - **Expiration and revocation management** - **Usage tracking** with last_used_at timestamps - **Web-based management interface** at `/admin/api-keys/` ### 2. Workflow API Endpoints - **`POST /api/v3/workflows/rh-matcher/trigger`** - Trigger RH matcher with optional version filtering - **`POST /api/v3/workflows/poll-rhcsaf/trigger`** - Trigger RHCSAF advisory polling - **`GET /api/v3/workflows/{id}/status`** - Check workflow execution status - **`GET /api/v3/workflows/products`** - List available products for filtering ### 3. API Key Management Endpoints - **`POST /api/v3/keys/`** - Create new API keys - **`GET /api/v3/keys/`** - List user's API keys - **`DELETE /api/v3/keys/{id}`** - Revoke API keys - **`GET /api/v3/keys/{id}`** - Get API key details ### 4. Admin Interface Enhancements - **Workflows management page** at `/admin/workflows/` with manual trigger buttons - **API key management** with creation, revocation, and usage tracking - **Environment-aware database operations** (development only) - **Improved navigation** with active state highlighting ### 5. Database Partial Reset (Development Only) - **Environment-gated functionality** (`ENV != production`) - **Preview before deletion** with impact assessment - **Cascading deletes** through foreign key constraints - **Automatic index state updates** for `red_hat_index_state` table ## ⚠️ **CRITICAL: Database Migration Required** ### Migration File: `apollo/migrations/20250825165713_add_api_keys.sql` This migration **MUST** be applied before deployment: ```sql -- Creates api_keys table create table api_keys ( id bigserial primary key, created_at timestamptz not null default now(), updated_at timestamptz, revoked_at timestamptz, name varchar(255) not null, key_hash varchar(255) not null, key_prefix varchar(32) not null, user_id bigint not null references users(id) on delete cascade, permissions jsonb not null default '[]'::jsonb, expires_at timestamptz, last_used_at timestamptz ); -- Performance indexes create index api_keys_user_id_idx on api_keys(user_id); create index api_keys_key_prefix_idx on api_keys(key_prefix); create index api_keys_revoked_at_idx on api_keys(revoked_at); create index api_keys_expires_at_idx on api_keys(expires_at); ``` ### Migration Steps: 1. **Create RDS snapshot** before applying migration 2. **Apply migration** using dbmate or manual execution 3. **Verify table creation** and index setup 4. **Deploy updated application code** ## 🔧 Technical Changes ### Core Infrastructure - **New APIKey model** in `apollo/db/__init__.py` with Tortoise ORM integration - **Enhanced authentication** in `apollo/server/auth.py` supporting both session and API key auth - **Workflow service** in `apollo/server/services/workflow_service.py` for Temporal integration - **Database service** in `apollo/server/services/database_service.py` for safe reset operations ### Workflow System Improvements - **Major version filtering** for RhMatcherWorkflow with validation against supported products - **Input validation** and error handling for workflow parameters - **Temporal client integration** with proper connection management ### Security Enhancements - **bcrypt password hashing** for API key storage - **Permission-based authorization** with granular access control - **Environment-based feature gating** preventing dangerous operations in production - **Session management** integration with existing Apollo authentication ## 📁 Files Changed ### New Files (8) - `apollo/migrations/20250825165713_add_api_keys.sql` - Database migration - `apollo/server/routes/api_keys.py` - API key management endpoints - `apollo/server/routes/admin_api_keys.py` - Web interface for API keys - `apollo/server/services/workflow_service.py` - Workflow management service - `apollo/server/services/database_service.py` - Database operations service - `apollo/server/templates/admin_api_keys.jinja` - API keys listing page - `apollo/server/templates/admin_api_key_new.jinja` - API key creation form - `apollo/server/models/workflow.py` - Workflow request/response models ### Modified Files (12) - `apollo/db/__init__.py` - Added APIKey model - `apollo/schema.sql` - Updated with api_keys table schema - `apollo/server/auth.py` - Enhanced with API key authentication - `apollo/server/routes/api_workflows.py` - Added workflow API endpoints - `apollo/server/server.py` - Registered new routes - `apollo/rpmworker/rh_matcher_workflows.py` - Enhanced input validation - `apollo/rpmworker/rh_matcher_activities.py` - Added version filtering - `apollo/server/templates/admin_layout.jinja` - Navigation improvements - `apollo/server/templates/admin_user.jinja` - Enhanced user management - `apollo/server/BUILD.bazel` - Build configuration updates - `apollo/server/models/__init__.py` - Model exports - `apollo/server/services/__init__.py` - Service exports ## 🔄 Deployment Considerations ### Prerequisites - **Database migration** must be applied first - **Environment variables** properly configured (`ENV=production` for production) - **Admin user account** available for initial API key creation ### Backward Compatibility - ✅ **Existing functionality unchanged** - all current features continue to work - ✅ **Session authentication preserved** - web interface works as before - ✅ **Existing workflows** continue running via cron jobs - ✅ **Database schema** only adds new table, no modifications to existing tables ### New Functionality Available After Deployment 1. **API-driven workflow triggers** for automation and CI/CD integration 2. **Programmatic access** to workflow status and management 3. **Admin interface enhancements** for better user and key management 4. **Development database reset** capabilities for testing environments ## 🧪 Testing Recommendations ### Before Deployment - [ ] Verify database migration in staging environment - [ ] Test API key creation and authentication - [ ] Validate workflow triggering via API - [ ] Confirm admin interface functionality ### After Deployment - [ ] Create initial admin API keys - [ ] Test workflow API endpoints with real API keys - [ ] Verify environment-based feature gating works correctly - [ ] Monitor API key usage and security logs --- **Note:** This PR represents a significant enhancement to Apollo's automation capabilities while maintaining production stability and security. The database migration is the only breaking change requiring manual intervention.

This PR introduces a comprehensive API key authentication system and admin interface for Apollo, enabling secure programmatic access to workflow management and database operations. The changes span 6 commits and add significant new functionality while maintaining backward compatibility […] and represents a significant enhancement to Apollo’s automation capabilities while maintaining production stability and security.

[…]

New Functionality Available After Deployment

API-driven workflow triggers for automation and CI/CD integration

Programmatic access to workflow status and management

Admin interface enhancements for better user and key management

Development database reset capabilities for testing environments

We’ll update this thread as soon as this is merged.

sthornton · September 9, 2025, 3:02pm

The latest PR for adding in the requested API functionality to Apollo has been merged in. We are now waiting on the deployment of the new code. This effort is being tracked here.

sthornton · September 10, 2025, 3:44pm

Problem Overview

Currently, Apollo risks missing (or “skipping”) some Red Hat advisories when cloning them for Rocky Linux version 9.X. This occurs due to the interaction between Peridot-hosted repositories and the manual, error-prone nature of advisory matching:

Peridot Repositories: Rocky Linux Peridot RPM repositories only retain the most recently built artifact for each package. When a new build is published, older builds are removed from the repository.
Manual Workflow Execution: The RhMatcherWorkflow is typically run manually during repository staging or release. In practice, this step is often skipped or delayed, especially during busy update cycles.
Window for Matching: The workflow matches advisories only for packages currently present in the repository. If multiple new package versions (e.g., kernel v1, v2, v3) are published before the workflow runs, advisories for earlier versions (v1, v2) can be permanently missed, as those builds are no longer available for matching.
Staging vs. Live: Matching advisories against staging repositories is a manual process and presents risk, as these may contain unreleased content. Matching against live repositories is safe and suitable for automation.

Example – Rocky 9.6 Kernel Advisories:
On a development instance of Apollo, only the most recent Rocky 9.6 kernel advisory (RLSA-2025:14420) was cloned and published. Earlier advisories, such as RHSA-2025:13962, were skipped. This can be confirmed by searching the dev instance, which shows only one 9.6 kernel advisory. This demonstrates the real-world impact of the current workflow limitations.

Apollo’s current advisory cloning process:

Pulls Red Hat advisories and related metadata (CVEs, Bugzilla, affected products) into a PostgreSQL database.
Matches Red Hat packages to Rocky Linux packages using repository metadata.
Clones and adapts advisories for Rocky Linux, creating new records and mapping associated packages, CVEs, and fixes.
Currently relies on manual triggers for the matching process, which is the root of the issue described above.

Summary:
To close this gap, a fully automated matcher workflow is needed. This workflow should run on a regular schedule (cron) and target only the live public Rocky Linux repositories, serving as a reliable backup to ensure all applicable advisories are cloned, regardless of manual process reliability. This is a crucial stopgap until broader improvements are implemented.

Objective

Develop and deploy a new, automated matcher workflow that:

Runs on a configurable schedule (default: every hour via cron).
Only scans Rocky Linux live public repository URLs (not staging).
Ensures all relevant advisories are cloned as soon as possible after new builds are released.
Minimizes the risk of missing the manual step for an engineer running the matcher workflow.

Implementation Plan

Database Changes
- Add a new table or extend existing product/repo tables to store Rocky Linux live public repository URLs (explicitly separate from staging).
New Matcher Workflow
- Implement a new workflow (parallel to/complementing RHMatcherWorkflow) that:
  - Queries only the live public repo URLs from the database.
  - Matches Red Hat advisories to only those packages present in live repos.
  - Avoids advisory generation for packages not yet published to users (i.e., present only in staging).
Cron Integration
- Deploy the new matcher workflow as a scheduled task (cronjob).
- Default frequency: every hour (should be configurable via environment variable or config DB entry).
Documentation & Communication
- Document the workflow, configuration options, and rationale.
- Communicate to stakeholders that this closes the gap where advisories could be missed due to infrequent matcher runs.

Why This Is Needed

Completeness: Guarantees all relevant security and bugfix advisories are cloned and published for Rocky users.
Reliability: Reduces manual operations and risk of human error/omission.
Trust: Maintains alignment with Red Hat advisories, supporting compliance and user expectations.
Flexibility: Configurable schedule allows tuning based on repo activity and resource availability.

Timeline

~~I expect to have a pre-PR ready for review today which adds some needed functionality for managing Apollo repomd.xml URLs using the admin portal built into the Apollo UI.~~
I expect to prepare an initial pull request for community review within approximately 1 week.

Summary:
By automating the matcher workflow on a regular schedule and focusing exclusively on public live repositories, we ensure that no advisories are skipped—even if there are multiple package builds between workflow runs. This adaptation is critical for maintaining the integrity and security of the Rocky Linux advisory system.

sthornton · September 10, 2025, 10:27pm

I’ve opened a PR with some initial groundwork that will make the development of these proposed features much easier and which should provide some easier to use functionality for managing Apollo configuration updates in the future.

github.com/resf/distro-tools

Feature/supported products administration web UI

main ← rockythorn:feature/supported-products-admin-clean

opened 10:20PM - 10 Sep 25 UTC

rockythorn

+3911 -17

# Apollo Supported Products Admin Interface This PR introduces a comprehensiv…e admin interface for managing supported products configurations with enhanced functionality for bulk operations, dependency checking, and configuration generation. This is preparation for some additional changes proposed in [this Rocky Linux forum post](https://forums.rockylinux.org/t/apollo-errata-you-a-ciq-ospo-request-for-comment/18102/24). ## 🚀 Major Features Added ### 1. Complete Supported Products Admin Interface - **New admin section** with full CRUD operations for products, mirrors, repositories, blocks, and overrides - **Configuration import/export** functionality with JSON format support - **Interactive management** with dedicated pages for each component - **Validation and error handling** throughout the interface ### 2. Bulk Mirror Deletion with Safety Checks - **Checkbox-based bulk selection** for efficient mirror management - **Dependency validation** prevents deletion of mirrors with associated blocks/overrides - **Confirmation dialogs** and detailed error reporting - **Transaction safety** ensures data integrity during bulk operations ### 3. Enhanced Configuration Generator Script - **New Rocky Linux configuration generator** (`scripts/generate_rocky_config.py`) - **Intelligent crawling** discovers repository structures automatically - **Architecture detection** with support for riscv64, i686, and other architectures - **Name customization** via `--name-suffix` parameter for differentiated repository sets - **Version-aware parsing** handles complex URL structures and version detection ## 📁 Files Added/Modified ### New Files (3,924+ lines added) - `apollo/server/routes/admin_supported_products.py` - Core admin functionality (1,345 lines) - `scripts/generate_rocky_config.py` - Repository configuration generator (582 lines) - `apollo/tests/test_supported_products_logic.py` - Comprehensive test suite (411 lines) - **8 new Jinja templates** for admin interface components (1,586+ lines total) ### Modified Files - `apollo/server/templates/admin_layout.jinja` - Reduced sidebar padding for better layout - `apollo/server/templates/admin_supported_products.jinja` - Fixed Export button overflow - `apollo/server/routes/advisories.py` - Added supported products column - `apollo/server/server.py` - Registered new admin routes - `apollo/tests/BUILD.bazel` - Added test dependencies ## 🔧 Technical Improvements ### UI/UX Enhancements - **Responsive table design** with horizontal scrolling for large datasets - **Improved button layout** preventing overflow and wrapping issues - **Better spacing** between sidebar and content areas - **Consistent styling** using Carbon Design System components ### Data Safety & Validation - **Cascade deletion prevention** for configurations with dependencies - **Import validation** with detailed error reporting - **Required field checking** across all forms - **Bulk operation confirmation** with dependency warnings ### Testing Coverage - **30+ test methods** covering configuration validation, bulk operations, and dependency checking - **Self-contained tests** without FastAPI dependencies for reliability - **Architecture-specific testing** for riscv64, i686 support - **Edge case coverage** for parsing and validation logic ## 🏗️ Architecture Changes ### Database Operations - Enhanced supported products management with proper relationship handling - Improved query efficiency for bulk operations - Better transaction management for complex operations ### Repository Management - Intelligent repository discovery and configuration generation - Support for complex mirror structures and versioning - Enhanced URL parsing for various repository layouts ### Admin Interface - Modular template structure for maintainability - Consistent form handling and validation - Proper error messaging and user feedback ## 📊 Impact Summary - **18 files changed** with **3,924 additions** and **23 deletions** - **Complete admin interface** for supported products management - **Enhanced security** with dependency checking and validation - **Improved efficiency** with bulk operations and automated generation - **Better architecture support** including riscv64 and i686 - **Comprehensive testing** ensuring reliability and correctness This PR significantly enhances the Apollo system's administrative capabilities while maintaining data integrity and providing a user-friendly interface for complex repository management tasks. ### While this PR is open, this code will be available to preview on https://apollo.ciq.dev

sthornton · September 25, 2025, 10:10pm

This PR was huge and as such I’ve decided to cancel it. I’m working on breaking it apart into smaller PRs that I will get reviewed by CIQ folks before pushing a comprehensive PR to the RESF with links to the PRs reviewed by CIQ. The goal here is to reduce the load on RESF engineers in the need to review a massive PR in extreme detail (though this is still welcomed).

dl.lagg0 · October 28, 2025, 7:41pm

Hello @sthornton and team,

Thank you for all the work that’s gone into the Apollo errata initiative — it’s really appreciated.

Could you please share if there have been any recent updates on the errata data publishing? Our monthly patching cycle depends on having accurate and current information, so even a manual update once a month would be very helpful in the meantime.

Thanks again for your efforts and support.

sthornton · October 28, 2025, 8:05pm

Thanks for reaching out. The RESF has merged in changes that have allowed for regular errata generation. Can you help me understand how you are consuming the RESF errata? There are number of different ways:

Apollo UI: https://apollo.build.resf.org/
Errata UI: https://errata.build.resf.org/
Apollo API: FastAPI - Swagger UI

These are being updated daily though there are some days where we don’t have anything to generate. Please feel free to reach out with further questions either here on on Mattermost.

Sam

dl.lagg0 · October 28, 2025, 11:00pm

In our case, we use a patching and compliance tool that pulls information directly from the standard Rocky repositories — mainly the metadata files like repomd.xml and the *-UPDATEINFO.xml.gz under /repodata/ (for example, here).

The tool relies on those files to determine which packages have new errata or security advisories.

sthornton · October 29, 2025, 6:49pm

I unfortunately don’t have any ability to deploy the updated repomedata. This is part of series of workflows that are managed by the RESF Release Engineering team. I would highly recommend asking in the Mattermost Security channel as you may get a more timely response there. My current understanding is that whenever new content is deployed into the repos the underlying tooling should be calling the Apollo API to generate fresh updateinfo.xml so ideally the updated repometadata isn’t too far delayed behind the advisories showing up in the Apollo system. You’ve got me thinking now and I may see if I can get something pulled together that could track the statistics for delays between and advisory showing up in Apollo and that same advisory being available in updateinfo.xml.

dl.lagg0 · October 29, 2025, 7:21pm

Thanks, appreciate the details and the insight!
I’ll reach out to the Security channel to check in with the Release Engineering folks. Thanks again.

riverhawk2002 · December 5, 2025, 10:52pm

I’m very happy to report that after the release of 9.7, the latest security errata are being ingested into my third party patch/vuln management systems in a timely manner. The systemd vuln was available instantly and we were tracking that down to completion.

This is a tremendous step forward and hoping the momentum for RLBAs and RLEAs to be reinstated as well. It’s a large win and congrats to the RL leaders and their development teams.

Topic		Replies	Views
Some errata missing in comparison with RHEL and AlmaLinux Rocky Linux Help & Support	16	4269	August 25, 2023
Rocky Security Advisories CVE Library Rocky Linux Help & Support	10	2376	April 21, 2025
Rocky 9: no Errata Update in the repository for half a year Rocky Linux Help & Support	3	222	September 6, 2025
Rocky Linux 8 Errata not updated since 5th of April Rocky Linux Help & Support	3	402	August 9, 2024
Rocky Linux Security Feed Rocky Linux Help & Support	3	692	November 5, 2023