missing Red Hat CA cert; unable to pull images from Red Hat registry #179

Closed
miabbott opened this issue Jul 17, 2018 · 0 comments

I think the removal of subscription-manager and its associated dependencies caused RHCOS to lose the Red Hat CA. This is impacting the ability to pull container images from the Red Hat registry.

This looks similar to CentOS/sig-atomic-buildscripts#329

```
# rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://rhcos:openshift/3.10/x86_64/os
                   Version: 3.10-7.5 (2018-07-17 19:50:05)
                    Commit: 195f9e0cf36d04682fc8d380093b40eef1dd96009e85ce86a7e5419029e4aeea

# podman --log-level debug pull registry.access.redhat.com/rhel
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] overlay: override_kernelcheck=true
DEBU[0000] overlay test mount with multiple lowers succeeded
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=true
INFO[0000] CNI network crio-bridge (type=bridge) is used from /etc/cni/net.d/100-crio-bridge.conf
INFO[0000] Initial CNI setting succeeded
DEBU[0000] parsed reference to refname into "[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.override_kernel_check=true]registry.access.redhat.com/rhel:latest"
DEBU[0000] reference "[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.override_kernel_check=true]registry.access.redhat.com/rhel:latest" does not resolve to an image ID
DEBU[0000] parsed reference to refname into "[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.override_kernel_check=true]registry.access.redhat.com/rhel:latest"
DEBU[0000] reference "[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.override_kernel_check=true]registry.access.redhat.com/rhel:latest" does not resolve to an image ID
DEBU[0000] parsed reference to refname into "[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.override_kernel_check=true]registry.access.redhat.com/rhel:latest"
Trying to pull registry.access.redhat.com/rhel...DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU[0000]  Using "default-docker" configuration
DEBU[0000]  No signature storage configuration found for registry.access.redhat.com/rhel:latest
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/registry.access.redhat.com
DEBU[0000]  crt: /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt
Failed
ERRO[0000] error pulling image "registry.access.redhat.com/rhel": unable to pull registry.access.redhat.com/rhel

# docker pull registry.access.redhat.com/rhel
Using default tag: latest
Trying to pull repository registry.access.redhat.com/rhel ...
open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory

# ls -l /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt
lrwxrwxrwx. 1 root root 27 Jul 17 20:25 /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

# ls -l /etc/rhsm/ca/redhat-uep.pem
ls: cannot access /etc/rhsm/ca/redhat-uep.pem: No such file or directory

# rpm -qf /etc/rhsm/ca/redhat-uep/.pem
error: file /etc/rhsm/ca/redhat-uep/.pem: No such file or directory
```

miabbott added a commit to miabbott/os that referenced this issue Jul 18, 2018
This brings in the Red Hat CA certs, which allows users to pull
containers from the Red Hat registry successfully. No additional
dependencies are pulled in.

```
Added:
  subscription-manager-rhsm-certificates-1.20.11-1.el7_5.x86_64
```

Closes openshift#179
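
The failure reported above comes down to a `certs.d` entry that is a symlink to a file no longer on disk. A check for that condition, as an added example that is not part of the original issue or the project's own code; the function names `audit_certs_d` and `make_sample_tree`, the status labels and the sample tree are assumptions constructed for illustration:

```shell
#!/bin/sh
# Audit a container-runtime certs.d tree for CA files that cannot be loaded.
# Prints one line per problem ("<STATUS> <path> [-> <target>]") and returns
# 1 if any problem was found, 0 otherwise.
audit_certs_d() {
    root=${1:-/etc/docker/certs.d}
    rc=0
    for crt in "$root"/*/*.crt; do
        # An unmatched glob stays literal; skip anything that is neither
        # an existing file nor a (possibly broken) symlink.
        [ -e "$crt" ] || [ -L "$crt" ] || continue
        if [ -L "$crt" ] && [ ! -e "$crt" ]; then
            # Symlink present, target missing: the condition in this issue.
            echo "DANGLING $crt -> $(readlink "$crt")"
            rc=1
        elif [ ! -s "$crt" ]; then
            echo "EMPTY $crt"
            rc=1
        elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$crt"; then
            echo "NOT_PEM $crt"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tree: one registry directory whose CA symlink points at
# a missing file (mirroring the layout in the issue) and one healthy entry.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/registry.access.redhat.com" "$d/registry.example.test"
    ln -s "$d/rhsm/ca/redhat-uep.pem" \
        "$d/registry.access.redhat.com/redhat-ca.crt"
    # Placeholder PEM body, not a real certificate.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQ=' \
        '-----END CERTIFICATE-----' > "$d/registry.example.test/ca.crt"
    echo "$d"
}

# Run the audit against the constructed tree, then clean up.
sample=$(make_sample_tree)
audit_certs_d "$sample" || echo "certs.d audit found problems"
rm -rf "$sample"
```

Called with no argument, `audit_certs_d` scans `/etc/docker/certs.d`, the directory both `podman` and `docker` consulted in the output above.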