Skip to content

[release-4.22] tree: add labels.json and security OCI labels for Clair scanning#1946

Open
aaradhak wants to merge 2 commits into
openshift:release-4.22from
aaradhak:acs-ar
Open

[release-4.22] tree: add labels.json and security OCI labels for Clair scanning#1946
aaradhak wants to merge 2 commits into
openshift:release-4.22from
aaradhak:acs-ar

Conversation

@aaradhak

@aaradhak aaradhak commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Backport of #1919 to release-4.22, adding labels.json and OCI security labels so that scanners like Clair can identify RHCOS images. This supersedes #1933 (the automated cherry-pick), with the following change:

Only the two relevant commits are included:

  • tree: drop (c9s) node image support
  • tree: add labels.json and security OCI labels for Clair scanning

This mirrors what was done for master in openshift/release#78212. A corresponding openshift/release PR will follow.

Tracker Jiras:
Epic : COS-4682
Backport JIRA : COS-4687

jlebon added 2 commits July 14, 2026 13:34
OKD doesn't care about this anymore and we don't either. So this is
essentially dead code.

Nuke all c9s-related bits.

Assisted-by: OpenCode (Claude Opus 4.6)
As part of container-first reporting (KONFLUX-6210), security scanners
like Clair expect metadata at the OCI level (as labels) _and_ in the
rootfs itself (as a JSON file at `/usr/share/buildinfo/labels.json`).

To accommodate this, each variant now has a `build-args-*.conf` file
that specifies the image name and CPE, but also while we're here, the
image `FROM` to use which nicely cleans up the building docs. For the
architecture, we use buildah's built-in `TARGETARCH`.

This is only relevant on OCP, not OKD. So skip it there.

Once we start building the node image through Konflux, this should
in theory no longer be necessary because the Konflux pipeline itself
automatically adds this information (though there's still details
there to figure out on where that information comes from/whether it's
correct).

Closes: https://redhat.atlassian.net/browse/COS-4051
Assisted-by: OpenCode (Claude Opus 4.6)
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 14, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 14, 2026

Copy link
Copy Markdown

@aaradhak: This pull request references COS-4682 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary

Backport of #1919 to release-4.22, adding labels.json and OCI security labels so that scanners like Clair can identify RHCOS images. This supersedes #1933 (the automated cherry-pick), with the following change:

Only the two relevant commits are included:

  • tree: drop (c9s) node image support
  • tree: add labels.json and security OCI labels for Clair scanning

CI Note

The ci/prow/images test will fail until the corresponding openshift/release CI config is updated for release-4.22. The ci-operator config needs to:

  1. Map rhel-coreos-base to replace ${IMAGE_FROM} (instead of the old hardcoded FROM image)
  2. Pass IMAGE_NAME and IMAGE_CPE as build args

This mirrors what was done for master in openshift/release#78212. A corresponding openshift/release PR will follow.

Context

/jira COS-4682

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aaradhak

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 14, 2026
@aaradhak aaradhak changed the title COS-4682: [release-4.22] tree: add labels.json and security OCI labels for Clair scanning [release-4.22] tree: add labels.json and security OCI labels for Clair scanning Jul 14, 2026
@openshift-ci-robot openshift-ci-robot removed the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 14, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@aaradhak: No Jira issue is referenced in the title of this pull request.
To reference a jira issue, add 'XYZ-NNN:' to the title of this pull request and request another refresh with /jira refresh.

Details

In response to this:

Summary

Backport of #1919 to release-4.22, adding labels.json and OCI security labels so that scanners like Clair can identify RHCOS images. This supersedes #1933 (the automated cherry-pick), with the following change:

Only the two relevant commits are included:

  • tree: drop (c9s) node image support
  • tree: add labels.json and security OCI labels for Clair scanning

CI Note

The ci/prow/images test will fail until the corresponding openshift/release CI config is updated for release-4.22. The ci-operator config needs to:

  1. Map rhel-coreos-base to replace ${IMAGE_FROM} (instead of the old hardcoded FROM image)
  2. Pass IMAGE_NAME and IMAGE_CPE as build args

This mirrors what was done for master in openshift/release#78212. A corresponding openshift/release PR will follow.

Context

/jira COS-4682

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@aaradhak: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/images a218a9b link true /test images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

aaradhak added a commit to aaradhak/release that referenced this pull request Jul 15, 2026
…hanges

Backport of openshift#78212 for the release-4.22 branch.

In openshift/os#1946, the Containerfile changes
from a hardcoded FROM image to using `ARG IMAGE_FROM`. It also adds a
`generate-labels` script that needs IMAGE_NAME and IMAGE_CPE to produce
labels.json and OCI security labels for Clair scanning.

Since ci-operator doesn't support build-args files, we need to:
1. Add `${IMAGE_FROM}` to the `as` list so ci-operator knows to
   replace `FROM ${IMAGE_FROM}` with the rhel-coreos-base image.
2. Pass IMAGE_NAME and IMAGE_CPE as explicit build args.

Both the old FROM value and `${IMAGE_FROM}` are in the `as` list so
that CI works regardless of which PR merges first (this one or openshift#1946).
@dustymabe

Copy link
Copy Markdown
Member

This needs something like b39cb0c as well otherwise what we did in coreos/fedora-coreos-pipeline@c4dca5c is going to cause the 4.22 built container images to drop the io.openshift.os.streamclass label.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants