chore(base-image): Migrate Konflux builds to UBI9/RHEL9

[davdhacs]

Description

Migrates scanner builds from UBI8/RHEL8 to UBI9/RHEL9 base images.

Key Changes

Konflux Base Images:

• Builder: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.24
• Scanner runtime: registry.access.redhat.com/ubi9-minimal:latest
• Scanner DB: registry.redhat.io/rhel9/postgresql-15:latest
• Image names: rhacs-scanner-rhel9, rhacs-scanner-slim-rhel9, rhacs-scanner-db-rhel9, rhacs-scanner-db-slim-rhel9

Non-Konflux Base Images:

• Scanner: ubi9-minimal
• Scanner DB: ubi9 / ubi9-minimal
• Vulnerabilities: ubi9-minimal

RPM/Repo Updates:

• rpms.lock.yaml: xz updated from RHEL 8 (5.2.4) to RHEL 9 (5.2.5)
• rpms.rhel.repo: repos updated from rhel8 to rhel9
• PostgreSQL download script: pg_rhel_major=9

Tekton Labels:

• CPE labels: el8 → el9

UBI9 Compatibility Fixes:

• update-ca-trust extract -o /etc/pki/ca-trust/extracted for unprivileged containers (RHBZ#2241240)
• cp --recursive --no-dereference --no-clobber in restore-all-dir-contents
• microdnf install -y xz (explicit -y flag)

Checklist

• Investigated and inspected CI test results

Testing Performed

TBD

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[davdhacs]

@tommartensen fyi this is the parallel scanner update for UBI9. In this, we also have to add the update-ca-trust workaround for UBI9 changed perms on second execution.

The arm build fails because tar hits a bug in a syscall in qemu; I still have some debug logging around that, and I expect the arm arch build to fail because of it.

[davdhacs]

/test all

[davdhacs]

/retest

[davdhacs]

@tommartensen could you review this? (the ubi9 upgrade for scanner(v2); includes the update-ca-trust permissions workaround)

[tommartensen]

LGTM to me from a Konflux perspective. Have you deployed and smoke tested the resulting images (like we did for collector)?

[davdhacs]

LGTM to me from a Konflux perspective. Have you deployed and smoke tested the resulting images (like we did for collector)?

Yes, I tested with these changes (minus the master-merge [empty] commits). I'll re-do the smoke test with this and the latest master collector builds.

[BradLugo]

Note to self and @stackrox/scanner: we need to follow up on #2092 and update the image for s390x to avoid using a different version of psql.

[davdhacs]

/test ?

[davdhacs]

The test failures are not-related to UBI9/changes in this PR.

[davdhacs]

#2888
test fix pr

[davdhacs]

/retest e2e-tests

[davdhacs]

/test e2e-tests

[davdhacs]

/test e2e-tests

[davdhacs]

/test e2e-tests

[davdhacs]

/test e2e-tests

[davdhacs]

@BradLugo can I get another +1? I merged changes from master to get the e2e test fix.

[mclasmeier]

I just did some testing with this scanner and I believe it suffers from the same problem as the one I have addressed with this commit.

See:

I am deploying ACS (some semi-recent master version, doesn't mater) on an OpenShift cluster, with scanner v2 enabled, scanner v4 disabled and an overlay which injects this PR's scanner version image into the scanner deployment:

❯ roxie deploy --resources=auto central \
  --set spec.scanner.scannerComponent=Enabled \
  --set spec.scannerV4.scannerComponent=Disabled \
  --set spec.overlays='[{"apiVersion":"apps/v1", "kind":"Deployment", "name":"scanner", "patches":[{"path":"spec.template.spec.containers[name:scanner].image", "value":"quay.io/rhacs-eng/scanner:2.39.x-86-gf65ee678a8"}]}]'
00:00 Using kubeconfig /Users/mclasmeier/.kube/infra/kubeconfig
00:00 Running with a controlling terminal.
00:01 🚀 ACS Deployer initialized
00:01 roxctl version: 4.9.1-0-g1bde1c73b2
00:01 
00:01 ┌────────────────────────────────────────────────────────────┐
00:01 │ Deployment Configuration                                   │
00:01 ├────────────────────────────────────────────────────────────┤
00:01 │              Component: Central                            │
00:01 │           Cluster Type: OpenShift4                         │
00:01 │               Main Tag:                                    │
00:01 │     Kubernetes Context: admin                              │
00:01 │      Deployment Method: Operator                           │
00:01 │               Exposure: loadbalancer                       │
00:01 └────────────────────────────────────────────────────────────┘
00:01 
00:01 Looking up main image tag
00:07 Using stackrox repository tag: 4.11.x-300-g280a4287f7
00:07 Auto-detected cluster type OpenShift4: using resource profile "medium"
00:07 Initiating deployment of Central
00:07 Deploying Central to namespace acs-central
00:07 Existing Central deployment found, tearing down...
00:07 🗑️  Tearing down acs-central
00:08 ⏳ Waiting for Central resources to be fully deleted...
00:08 Deleting Central resources
00:14 ✓ Central resources in namespace acs-central have been deleted
00:14 🚀 Deploying Central via Operator...
00:17 ✓ Operator already deployed with correct version
00:17 Preparing namespace acs-central
00:18 ✓ Admin password secret created
00:18 Using Central resource profile: medium
00:18 Applying Central custom resource
00:19 ✓ Central Custom Resource applied
00:19 ⏳ Waiting for Central to become ready...
[...]
01:00 ✓ Central is ready (1 replicas)
01:00 ⏳ Waiting for LoadBalancer central-loadbalancer to get external IP...
[...]
01:49 ✓ Central is ready and responding!
[...]

Then, I exec into the scanner container and show that the restore-all-dir-contents script cannot be invoked again (after the import-additional-cas script has run) -- something that I believe needs to be possible, because that would happen on container restarts.

❯ kubectl -n acs-central exec -it deploy/scanner -- /bin/sh
sh-5.1$ /restore-all-dir-contents 
cp: cannot create regular file '/etc/pki/ca-trust/extracted/pem/directory-hash/GlobalSign_ECC_Root_CA_-_R4.pem': Permission denied
cp: cannot create regular file '/etc/pki/ca-trust/extracted/pem/directory-hash/GlobalSign_ECC_Root_CA_-_R5.pem': Permission denied
cp: cannot create regular file '/etc/pki/ca-trust/extracted/pem/directory-hash/GlobalSign_Root_CA_-_R3.pem': Permission denied
cp: cannot create regular file '/etc/pki/ca-trust/extracted/pem/directory-hash/GlobalSign_Root_CA_-_R6.pem': Permission denied
cp: cannot create regular file '/etc/pki/ca-trust/extracted/pem/directory-hash/certSIGN_Root_CA_G2.pem': Permission denied
sh-5.1$ 

[davdhacs]

I just did some testing with this scanner and I believe it suffers from the same problem as the one I have addressed with this commit.

01:49 ✓ Central is ready and responding!

cp: cannot create regular file '/etc/pki/ca-trust/extracted/pem/directory-hash/GlobalSign_ECC_Root_CA_-_R5.pem': Permission denied

This looks like the chmod within the restore-* script is conclusively needed then? I'm out this week--could you commit the fix to this branch?

[mclasmeier]

I just did some testing with this scanner and I believe it suffers from the same problem as the one I have addressed with this commit.

01:49 ✓ Central is ready and responding!

cp: cannot create regular file '/etc/pki/ca-trust/extracted/pem/directory-hash/GlobalSign_ECC_Root_CA_-_R5.pem': Permission denied

This looks like the chmod within the restore-* script is conclusively needed then? I'm out this week--could you commit the fix to this branch?

Before I do that, let me run some more tests first, I'd like to check if we can address this ca-trust/save/restore issue a bit cleaner.

[mclasmeier]

Before I do that, let me run some more tests first, I'd like to check if we can address this ca-trust/save/restore issue a bit cleaner.

FTR, currently testing this even simpler fix:
stackrox/stackrox@247a365

Looking good so far.

[davdhacs]

/retest-failed-builds

[davdhacs]

/test e2e-tests

[davdhacs]

/retest

[github-actions]

/retest scanner-db-on-push

[openshift-ci]

@github-actions[bot]: The /retest command does not accept any targets.
The following commands are available to trigger optional jobs:

/test e2e-tests

/test slim-e2e-tests

Use /test all to run all jobs.

Details

In response to this:

/retest scanner-db-on-push

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@davdhacs: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-tests	8222ac2	link	false	/test e2e-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.