osbuild: Update nvidiabluefield manifest to use up to date capsule file for secure boot#4575

Open
eelgaev wants to merge 4 commits into coreos:main from eelgaev:bfb-cap

Conversation

@eelgaev eelgaev commented Jun 6, 2026

Copy link
Copy Markdown

Secure Boot Support: Added the redhat-cap-1.0.0-1.noarch.rpm package (hosted in an official NVIDIA github repository). This includes an updated capsule file with CA-5, CA-6, and CA-8 certificates required for RHEL9 and RHEL10 secure boot.

DOCA Version Shift: Switched the dependency from DOCA 3.3.0 to the DOCA 3.2.x LTS versions.

Kernel Argument Cleanup: Removed modprobe.blacklist=mlxbf_pmc from the kernel arguments, as this issue has been resolved in recent RHEL10 kernels.
mlxbf-pmc: driver update to Linux v6.16 [Nvidia 10.2 FEAT]

Linked PR: osbuild/osbuild#2470

openshift-ci Bot commented Jun 6, 2026

Copy link
Copy Markdown

Hi @eelgaev. Thanks for your PR.

I'm waiting for a coreos member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Mellanox DOCA package sources to use the latest-3.2-LTS path, adds the redhat-cap RPM package from GitHub, and removes the modprobe.blacklist=mlxbf_pmc kernel parameter. Feedback highlights two key issues: first, the newly added redhat-cap RPM requires its GPG public key to be added to the org.osbuild.rpm stage to avoid verification failures; second, using the mutable latest-3.2-LTS path in URLs risks build failures if packages are updated, so an immutable version path should be used instead.

Comment on lines +10 to +11
sha256:bd317d7072824ad2e89c0bdc6ceb8759aedab76fff1fa580f6e17b0a38b7ae0e:
url: https://github.com/NVIDIA/doca-platform/releases/download/v25.7.1/redhat-cap-1.0.0-1.noarch.rpm
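Review bot: the pinned digest on these two lines secures the download, but nothing here records which key signed this RPM or that the digest was taken from the v25.7.1 release asset, and the release tag (v25.7.1) does not match the package's own version (1.0.0-1), so a reviewer cannot tell from the manifest which upstream artifact this is meant to be. Suggest stating in the commit message where the digest was obtained and which signing key the org.osbuild.rpm stage needs for it alongside the existing Mellanox key.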


high

The newly added redhat-cap RPM is sourced from a GitHub release (NVIDIA/doca-platform), which is outside the Mellanox DOCA repository. However, its corresponding GPG public key has not been added to the gpgkeys list of the org.osbuild.rpm stage (which currently only contains the Mellanox Technologies signing key).

Because OSBuild enforces GPG signature verification for all packages in the org.osbuild.rpm stage, installing redhat-cap will fail during the build due to a missing or mismatched GPG key.

To resolve this, the GPG public key used to sign the redhat-cap RPM must be added to the gpgkeys list under the org.osbuild.rpm stage options.

Comment on lines +6 to +9
sha256:3dd8541c3d0cf527e71f861ff76967a90bc50f9181099022384621bb9fd5b461:
url: https://linux.mellanox.com/public/repo/doca/latest-3.2-LTS/rhel9.6/arm64-dpu/mlxbf-bfscripts-3.6.0-1.el9.noarch.rpm
sha256:40d3b4b048d4e9ed13892eeeeee5faed5c853bcd2ff7d4e8ee2a20e7d25ed0b2:
url: https://linux.mellanox.com/public/repo/doca/latest-3.2-LTS/rhel9.6/arm64-dpu/mlxbf-bootimages-signed-4.13.1-13827.aarch64.rpm
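Review bot: the package filenames on these lines already carry exact versions (mlxbf-bfscripts-3.6.0-1, mlxbf-bootimages-signed-4.13.1-13827) while the directory they sit in is the floating latest-3.2-LTS; because each item is pinned by sha256, a re-pointed directory fails the build closed rather than silently pulling different content, so the cost is a brittle manifest rather than an integrity gap. Suggest replacing latest-3.2-LTS with the exact LTS release directory these two files were taken from, so the URL stays valid for as long as the digest does.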


medium

Using a mutable version path like latest-3.2-LTS in the source URLs makes the build non-reproducible and fragile. If Mellanox updates the latest-3.2-LTS directory with newer package versions, the SHA256 hashes defined in this manifest will no longer match, causing immediate build failures.

To ensure reproducible and stable builds, use the specific, immutable version path (e.g., 3.2.0 or the exact LTS release version) instead of latest-3.2-LTS.
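The two review findings above (a source host whose signing key is not in the rpm stage's gpgkeys, and a floating latest-3.2-LTS directory behind a pinned digest) are the kind of thing a small manifest lint can catch before a build is attempted. The script below is an added example written for this page, not code from the PR, from osbuild, or from the reviewer bot. It assumes osbuild's JSON manifest shape (a `sources` map of `org.osbuild.curl` items keyed by `sha256:<digest>`, and `org.osbuild.rpm` stages with `options.gpgkeys`); the sample manifest is constructed here and copies only the two URLs and digests quoted in the review, with a placeholder in place of a real signing key. The host-to-signer map is a reviewer-maintained allow-list, also assumed.

```python
import hashlib
import json
import re
from urllib.parse import urlparse

# Constructed example manifest in osbuild's JSON manifest shape. The two
# source entries copy the URLs and digests quoted in the review comments;
# the key block is a placeholder, not a real Mellanox signing key.
SAMPLE_MANIFEST = json.loads(r"""
{
  "version": "2",
  "sources": {
    "org.osbuild.curl": {
      "items": {
        "sha256:3dd8541c3d0cf527e71f861ff76967a90bc50f9181099022384621bb9fd5b461": {
          "url": "https://linux.mellanox.com/public/repo/doca/latest-3.2-LTS/rhel9.6/arm64-dpu/mlxbf-bfscripts-3.6.0-1.el9.noarch.rpm"
        },
        "sha256:bd317d7072824ad2e89c0bdc6ceb8759aedab76fff1fa580f6e17b0a38b7ae0e": {
          "url": "https://github.com/NVIDIA/doca-platform/releases/download/v25.7.1/redhat-cap-1.0.0-1.noarch.rpm"
        }
      }
    }
  },
  "pipelines": [
    {
      "name": "build",
      "stages": [
        {
          "type": "org.osbuild.rpm",
          "options": {
            "gpgkeys": ["-----BEGIN PGP PUBLIC KEY BLOCK-----\nPLACEHOLDER-MELLANOX-KEY\n-----END PGP PUBLIC KEY BLOCK-----"]
          }
        }
      ]
    }
  ]
}
""")

SHA256_KEY = re.compile(r"^sha256:[0-9a-f]{64}$")
# A directory such as /latest-3.2-LTS/ is re-pointed by the vendor over time.
MUTABLE_SEGMENT = re.compile(r"/latest[-_/]", re.IGNORECASE)


def curl_items(manifest):
    """Map each pinned digest key to the URL it is fetched from."""
    sources = manifest.get("sources", {})
    items = sources.get("org.osbuild.curl", {}).get("items", {})
    return {key: item["url"] for key, item in items.items()}


def malformed_keys(manifest):
    """Digest keys that are not a full lowercase sha256 hex string."""
    return sorted(k for k in curl_items(manifest) if not SHA256_KEY.match(k))


def mutable_sources(manifest):
    """URLs whose path goes through a floating 'latest-...' directory."""
    return sorted(
        url for url in curl_items(manifest).values()
        if MUTABLE_SEGMENT.search(urlparse(url).path)
    )


def rpm_stage_gpgkeys(manifest):
    """All armored keys configured on org.osbuild.rpm stages."""
    keys = []
    for pipeline in manifest.get("pipelines", []):
        for stage in pipeline.get("stages", []):
            if stage.get("type") == "org.osbuild.rpm":
                keys.extend(stage.get("options", {}).get("gpgkeys", []))
    return keys


def unmatched_hosts(manifest, signer_for_host):
    """Source hosts absent from the reviewer-maintained host -> signing key map."""
    hosts = {urlparse(url).hostname for url in curl_items(manifest).values()}
    return sorted(h for h in hosts if h not in signer_for_host)


def verify_download(data, sha256_key):
    """The fail-closed check a pinned source gives: bytes must hash to the key."""
    return sha256_key == "sha256:" + hashlib.sha256(data).hexdigest()


def lint(manifest, signer_for_host):
    """Collect human-readable findings for a manifest."""
    findings = []
    for key in malformed_keys(manifest):
        findings.append(f"malformed digest key: {key}")
    for url in mutable_sources(manifest):
        findings.append(f"mutable vendor path, pin an exact release directory: {url}")
    for host in unmatched_hosts(manifest, signer_for_host):
        findings.append(f"no signing key recorded for host {host}; add it to gpgkeys")
    if not rpm_stage_gpgkeys(manifest):
        findings.append("org.osbuild.rpm stage has no gpgkeys; signatures cannot be checked")
    return findings


if __name__ == "__main__":
    trusted = {"linux.mellanox.com": "Mellanox Technologies signing key"}
    for finding in lint(SAMPLE_MANIFEST, trusted):
        print(finding)
```

Run against the sample manifest it reports exactly the two issues raised in the review: the Mellanox URL under a floating directory, and github.com as a source host with no signing key recorded. The `verify_download` helper is there to make the distinction explicit: the sha256 pin already guarantees that a changed file is rejected, so the floating path is a reproducibility problem, while the missing key is what actually blocks the rpm stage.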

@dustymabe

This looks like it should be 3 separate commits with appropriate commit messages.

@eelgaev eelgaev changed the title Update nvidiabluefield manifest to use up to date capsule file for secure boot osbuild: Update nvidiabluefield manifest to use up to date capsule file for secure boot Jun 8, 2026
@eelgaev eelgaev force-pushed the bfb-cap branch 2 times, most recently from bc32927 to ef61290 on June 8, 2026 17:22
@eelgaev eelgaev marked this pull request as ready for review June 8, 2026 18:19
@dustymabe

Let's see how the code review over in osbuild/osbuild#2471 goes. If that merges instead of osbuild/osbuild#2470 then we'll need a different PR here.
