tree: add labels.json and security OCI labels for Clair scanning#1919
jlebon wants to merge 2 commits into openshift:master
OKD doesn't care about this anymore and we don't either. So this is essentially dead code. Nuke all c9s-related bits.

Assisted-by: OpenCode (Claude Opus 4.6)

As part of container-first reporting (KONFLUX-6210), security scanners like Clair expect metadata at the OCI level (as labels) _and_ in the rootfs itself (as a JSON file at `/usr/share/buildinfo/labels.json`).

To accommodate this, each variant now has a `build-args-*.conf` file that specifies the image name and CPE, but also, while we're here, the image `FROM` to use, which nicely cleans up the building docs. For the architecture, we use buildah's built-in `TARGETARCH`.

This is only relevant on OCP, not OKD. So skip it there.

Closes: https://redhat.atlassian.net/browse/COS-4051
Assisted-by: OpenCode (Claude Opus 4.6)
Skipping CI for Draft Pull Request.
Let's hold this until coreos/fedora-coreos-pipeline#1325 and coreos/coreos-assembler#4512 are merged. Also, this does imply that for ART to build the node image in Konflux, AIUI doozer would have to learn about build arg files when calling out to Konflux. cc @joepvd in case you have concerns there.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: jlebon.
| # instructions on how to build this, see `docs/building.md`. | ||
| FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev:c9s-coreos as build | ||
| ARG IMAGE_FROM=registry.ci.openshift.org/coreos/stream-coreos-base:10 |
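Review bot: the default on the `ARG IMAGE_FROM=registry.ci.openshift.org/coreos/stream-coreos-base:10` line means a build that omits the build-args file silently starts from the CentOS Stream base, and since the image name and CPE travel in the same build-args file, that build also ships without the metadata Clair needs while still succeeding. A placeholder default such as `ARG IMAGE_FROM=overridden` (as the thread suggests) makes the missing file fail at `FROM` instead, or at minimum the `docs/building.md` referenced on the `# instructions on how to build this` line should state that the arg file is mandatory. Separately, `:10` is a floating tag, so two builds of the same commit can resolve to different bases; consider pinning by digest, or recording the resolved base digest alongside the other labels so the scan result can be tied to it.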
to make it explicit?
| ARG IMAGE_FROM=registry.ci.openshift.org/coreos/stream-coreos-base:10 | |
| ARG IMAGE_FROM=overridden |
| target_arch = os.environ.get('TARGETARCH', '') | ||
| if not all([image_name, image_cpe, target_arch]): | ||
| return |
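Review bot: the bare `return` after `if not all([image_name, image_cpe, target_arch]):` drops `labels.json` with no diagnostic, so an OCP build that forgot the build-args file, or a Containerfile that does not expose `TARGETARCH` to the `RUN` environment (`os.environ.get('TARGETARCH', '')` then yields `''`), produces an image Clair cannot attribute while the build reports success. Print which of the three values is unset to stderr before returning, and turn the return into a hard failure when the rootfs is RHEL (for example by checking `ID=` in `/etc/os-release`) while keeping the quiet skip for CentOS Stream; that matches the "only relevant on OCP, not OKD" intent stated in the description without making OKD builds fail.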
does this mean it will just silently fail? would we want it to silently fail?
I guess what we could do here is sanity-check whether we're in CentOS Stream or RHEL and only in the latter loudly fail.
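One way to implement the metadata generation from the PR description together with the CentOS Stream vs RHEL distinction proposed just above, as an added example that is not the PR's or the openshift/os repository's own code. It assumes the `build-args-*.conf` files are `KEY=VALUE` lines (the format buildah's `--build-arg-file` reads) with `IMAGE_NAME`, `IMAGE_CPE` and `IMAGE_FROM` keys, that `labels.json` is a flat JSON object whose keys mirror `name`, `cpe` and `architecture` OCI labels, and that RHEL is recognised by `ID=rhel` in `/etc/os-release`; the key names, the JSON schema and the sample values are assumptions, not the Konflux/Clair contract. Missing values are a loud error on RHEL and a quiet skip elsewhere, and the last helper checks that the rootfs copy and the OCI labels agree, which is what a scanner reading both relies on.

```python
"""Added example: generate Clair-facing metadata from a build-args file.

Assumptions (not from the PR): build-args-*.conf is KEY=VALUE lines with
IMAGE_NAME / IMAGE_CPE / IMAGE_FROM; labels.json is a flat JSON object whose
keys mirror the OCI labels name / cpe / architecture; RHEL is recognised by
ID=rhel in /etc/os-release.
"""
import json
import os
import tempfile

# Constructed sample inputs, not files from the repository.
SAMPLE_CONF = """# constructed build-args-example.conf
IMAGE_FROM=registry.example.invalid/base:10
IMAGE_NAME=example/node-image
IMAGE_CPE=cpe:/o:example:node:1
"""
RHEL_OS_RELEASE = 'NAME="Example RHEL"\nID="rhel"\nVERSION_ID="9"\n'
CENTOS_OS_RELEASE = 'NAME="CentOS Stream"\nID="centos"\n'


def parse_build_args(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored.
    Splits on the first '=' so values may themselves contain '='."""
    args = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {raw!r}")
        args[key.strip()] = value.strip()
    return args


def os_release_id(text):
    """Return the ID= field of an os-release file ('' when absent)."""
    for line in text.splitlines():
        if line.startswith("ID="):
            return line[len("ID="):].strip().strip('"')
    return ""


def build_labels(build_args, environ, os_release):
    """Assemble the label set. Returns None (skip) when values are missing on
    a non-RHEL build; on RHEL a missing value is a hard error that names each
    missing label instead of a silent skip."""
    labels = {
        "name": build_args.get("IMAGE_NAME", ""),
        "cpe": build_args.get("IMAGE_CPE", ""),
        "architecture": environ.get("TARGETARCH", ""),
    }
    missing = sorted(k for k, v in labels.items() if not v)
    if not missing:
        return labels
    if os_release_id(os_release) == "rhel":
        raise RuntimeError("RHEL build is missing metadata: " + ", ".join(missing))
    return None


def buildah_label_args(labels):
    """Equivalent `buildah build --label` arguments for the OCI side."""
    return [f"--label={k}={v}" for k, v in sorted(labels.items())]


def write_labels_json(labels, rootfs):
    """Write the rootfs copy at usr/share/buildinfo/labels.json under rootfs."""
    path = os.path.join(rootfs, "usr", "share", "buildinfo", "labels.json")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(labels, fh, indent=2, sort_keys=True)
        fh.write("\n")
    return path


def inconsistent_keys(oci_labels, labels_json):
    """Keys whose OCI label and labels.json values disagree; a scanner that
    reads both should see an empty list."""
    return sorted(k for k in labels_json if oci_labels.get(k) != labels_json[k])


def round_trip(conf_text, environ, os_release):
    """Generate labels into a temporary rootfs, read them back, and return
    (labels as read from disk, mismatches against the OCI labels built from
    the same set). Returns (None, []) when the build legitimately skips."""
    labels = build_labels(parse_build_args(conf_text), environ, os_release)
    if labels is None:
        return None, []
    with tempfile.TemporaryDirectory() as rootfs:
        path = write_labels_json(labels, rootfs)
        with open(path, encoding="utf-8") as fh:
            on_disk = json.load(fh)
    oci = dict(arg[len("--label="):].split("=", 1) for arg in buildah_label_args(labels))
    return on_disk, inconsistent_keys(oci, on_disk)


if __name__ == "__main__":
    labels, mismatches = round_trip(SAMPLE_CONF, {"TARGETARCH": "amd64"}, RHEL_OS_RELEASE)
    print(json.dumps(labels, indent=2), "mismatches:", mismatches)
```

`build_labels` takes the environment as a parameter rather than reading `os.environ` directly so the unset-`TARGETARCH` path can be exercised without a buildah run; in a real build stage it would be called with `os.environ` and `open('/etc/os-release').read()`.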
OK, filed https://redhat.atlassian.net/browse/ART-14812 for the ART side of this. I didn't hear a "no, we don't want to support this" from Joep. :)