[release-4.22] tree: add labels.json and security OCI labels for Clair scanning#1946
[release-4.22] tree: add labels.json and security OCI labels for Clair scanning#1946aaradhak wants to merge 2 commits into
Conversation
OKD doesn't care about this anymore and we don't either. So this is essentially dead code. Nuke all c9s-related bits. Assisted-by: OpenCode (Claude Opus 4.6)
As part of container-first reporting (KONFLUX-6210), security scanners like Clair expect metadata at the OCI level (as labels) _and_ in the rootfs itself (as a JSON file at `/usr/share/buildinfo/labels.json`). To accommodate this, each variant now has a `build-args-*.conf` file that specifies the image name and CPE, but also while we're here, the image `FROM` to use which nicely cleans up the building docs. For the architecture, we use buildah's built-in `TARGETARCH`. This is only relevant on OCP, not OKD. So skip it there. Once we start building the node image through Konflux, this should in theory no longer be necessary because the Konflux pipeline itself automatically adds this information (though there's still details there to figure out on where that information comes from/whether it's correct). Closes: https://redhat.atlassian.net/browse/COS-4051 Assisted-by: OpenCode (Claude Opus 4.6)
|
@aaradhak: This pull request references COS-4682 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aaradhak The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@aaradhak: No Jira issue is referenced in the title of this pull request. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@aaradhak: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
…hanges Backport of openshift#78212 for the release-4.22 branch. In openshift/os#1946, the Containerfile changes from a hardcoded FROM image to using `ARG IMAGE_FROM`. It also adds a `generate-labels` script that needs IMAGE_NAME and IMAGE_CPE to produce labels.json and OCI security labels for Clair scanning. Since ci-operator doesn't support build-args files, we need to: 1. Add `${IMAGE_FROM}` to the `as` list so ci-operator knows to replace `FROM ${IMAGE_FROM}` with the rhel-coreos-base image. 2. Pass IMAGE_NAME and IMAGE_CPE as explicit build args. Both the old FROM value and `${IMAGE_FROM}` are in the `as` list so that CI works regardless of which PR merges first (this one or openshift#1946).
|
This needs something like b39cb0c as well otherwise what we did in coreos/fedora-coreos-pipeline@c4dca5c is going to cause the 4.22 built container images to drop the |
Backport of #1919 to
release-4.22, addinglabels.jsonand OCI security labels so that scanners like Clair can identify RHCOS images. This supersedes #1933 (the automated cherry-pick), with the following change:6b42281) per travier's feedback, since those were reverted on master in NO-JIRA: Make build-args files use 5.0 version and revert repo names change #1936.Only the two relevant commits are included:
tree: drop (c9s) node image supporttree: add labels.json and security OCI labels for Clair scanningThis mirrors what was done for
masterin openshift/release#78212. A corresponding openshift/release PR will follow.labels.jsonand security OCI labels for Clair scanning #1919 (merged to master/4.23)labels.jsonand security OCI labels for Clair scanning #1933 (superseded by this PR)Tracker Jiras:
Epic : COS-4682
Backport JIRA : COS-4687