COS-4051: tree: add labels.json and security OCI labels for Clair scanning

[jlebon]

As part of container-first reporting (KONFLUX-6210), security scanners like Clair expect metadata at the OCI level (as labels) and in the rootfs itself (as a JSON file at /usr/share/buildinfo/labels.json).

To accommodate this, each variant now has a build-args-*.conf file that specifies the image name and CPE, but also while we're here, the image FROM to use which nicely cleans up the building docs. For the architecture, we use buildah's built-in TARGETARCH.

This is only relevant on OCP, not OKD. So skip it there.

Once we start building the node image through Konflux, this should in theory no longer be necessary because the Konflux pipeline itself automatically adds this information (though there's still details there to figure out on where that information comes from/whether it's correct).

Closes: https://redhat.atlassian.net/browse/COS-4051
Assisted-by: OpenCode (Claude Opus 4.6)

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[jlebon]

Let's hold this until coreos/fedora-coreos-pipeline#1325 and coreos/coreos-assembler#4512 are merged.

Also, this does imply that for ART to build the node image in Konflux, AIUI doozer would have to learn about build arg files when calling out to Konflux. cc @joepvd in case you have concerns there.

[jlebon]

OK filed https://redhat.atlassian.net/browse/ART-14812 for the ART side of this. I didn't hear a "no, we don't want to support this" from Joep. :)

[jlebon]

Requirements for this have merged now so I think we're unblocked on this!

[jlebon]

Asked my agent to build all of RHCOS 9.8, RHCOS 10.2 and SCOS 10, and to give a final report of all values. Here it is.

---

RHCOS 9.8

OCI Labels:

Label	Value
name	openshift/ose-rhel-coreos-9
cpe	cpe:/a:redhat:openshift:4.22::el9
architecture	amd64

/usr/share/buildinfo/labels.json:

{
  "architecture": "amd64",
  "cpe": "cpe:/a:redhat:openshift:4.22::el9",
  "name": "openshift/ose-rhel-coreos-9",
  "org.opencontainers.image.created": "2026-04-21T20:11:58Z"
}

---

RHCOS 10.2

OCI Labels:

Label	Value
name	openshift/ose-rhel-coreos-10
cpe	cpe:/a:redhat:openshift:4.22::el10
architecture	amd64

/usr/share/buildinfo/labels.json:

{
  "architecture": "amd64",
  "cpe": "cpe:/a:redhat:openshift:4.22::el10",
  "name": "openshift/ose-rhel-coreos-10",
  "org.opencontainers.image.created": "2026-04-21T20:15:24Z"
}

---

SCOS (CentOS Stream 10)

OCI Labels:

Label	Value
name	(empty)
cpe	(empty)
architecture	amd64

/usr/share/buildinfo/labels.json: not present

[jlebon]

So yeah, the name and cpe labels are still there even for the SCOS build, because you can't conditionalize labels from a Containerfile (except for the chunkah trick...), but I don't think it matters anyway for SCOS.

[jlebon]

OK right, CI is failing here because OpenShift CI doesn't know about the build args. And looking at ci-operator, it looks like it doesn't support build args files. Sigh. The OpenShift CI vs Konflux thing is really awkward.

Anyway, just hacking around this for now by hardcoding values for ci-operator in openshift/release#78212. Not great, I know...

[jlebon]

/retest

[jlebon]

/retest

[jlebon]

• cannot install both openssl-libs-1:3.5.5-1.el9.x86_64 from rhel-9.8-baseos and openssl-libs-1:3.5.5-2.el9_8.x86_64 from @System

Base RHCOS 9.8 image is ahead of 9.8 CI repos

[jlebon]

/retest

[jlebon]

OK, still hitting the openssl-libs mismatch due to CI repos being stale. And looking at:

 rpm-md repo 'rhel-9.8-baseos'; generated: 2026-04-13T04:52:49Z solvables: 1187 

it looks like it's 14 days old? Whereas we always compose with the latest 9.8 nightly.

[jlebon]

I think the actual CI issue here comes from openshift-eng/ocp-build-data#9980 (comment)

[jlebon]

Building the extensions image locally with the same pulp stage repo used as a source for the CI reposync, it does succeed and finds openssl-devel-1:3.5.5-2.el9_8.x86_64. I also see:

rpm-md repo 'rhel-9.8-baseos'; generated: 2026-04-24T18:14:32Z solvables: 13702

So yeah, I think it is a sync issue.

[thegreyd]

/retest-required

[openshift-ci-robot]

@jlebon: This pull request references COS-4051 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

As part of container-first reporting (KONFLUX-6210), security scanners like Clair expect metadata at the OCI level (as labels) and in the rootfs itself (as a JSON file at /usr/share/buildinfo/labels.json).

To accommodate this, each variant now has a build-args-*.conf file that specifies the image name and CPE, but also while we're here, the image FROM to use which nicely cleans up the building docs. For the architecture, we use buildah's built-in TARGETARCH.

This is only relevant on OCP, not OKD. So skip it there.

Once we start building the node image through Konflux, this should in theory no longer be necessary because the Konflux pipeline itself automatically adds this information (though there's still details there to figure out on where that information comes from/whether it's correct).

Closes: https://redhat.atlassian.net/browse/COS-4051
Assisted-by: OpenCode (Claude Opus 4.6)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jlebon]

OK, CI is passing! 🎉
Not really happy about the repo name mangling commit, but hopefully we can revert that soon.

This is ready for final review now.

[dustymabe]

/lgtm

we should update branching docs somewhere regarding this change.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dustymabe, jlebon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [dustymabe,jlebon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jlebon]

/verified by #1919 (comment)

[openshift-ci-robot]

@jlebon: This PR has been marked as verified by https://github.com/openshift/os/pull/1919#issuecomment-4291558976.

Details

In response to this:

/verified by #1919 (comment)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@jlebon: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[jlebon]

/cherrypick release-4.22

[openshift-cherrypick-robot]

@jlebon: new pull request created: #1933

Details

In response to this:

/cherrypick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.