chore(base-image): Migrate Konflux builds to UBI9/RHEL9

[davdhacs]

Description

Migrates scanner builds from UBI8/RHEL8 to UBI9/RHEL9 base images.

Key Changes

Konflux Base Images:

• Builder: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.24
• Scanner runtime: registry.access.redhat.com/ubi9-minimal:latest
• Scanner DB: registry.redhat.io/rhel9/postgresql-15:latest
• Image names: rhacs-scanner-rhel9, rhacs-scanner-slim-rhel9, rhacs-scanner-db-rhel9, rhacs-scanner-db-slim-rhel9

Non-Konflux Base Images:

• Scanner: ubi9-minimal
• Scanner DB: ubi9 / ubi9-minimal
• Vulnerabilities: ubi9-minimal

RPM/Repo Updates:

• rpms.lock.yaml: xz updated from RHEL 8 (5.2.4) to RHEL 9 (5.2.5)
• rpms.rhel.repo: repos updated from rhel8 to rhel9
• PostgreSQL download script: pg_rhel_major=9

Tekton Labels:

• CPE labels: el8 → el9

UBI9 Compatibility Fixes:

• update-ca-trust extract -o /etc/pki/ca-trust/extracted for unprivileged containers (RHBZ#2241240)
• cp --recursive --no-dereference --no-clobber in restore-all-dir-contents
• microdnf install -y xz (explicit -y flag)

Checklist

• Investigated and inspected CI test results

Testing Performed

TBD

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[davdhacs]

@tommartensen fyi this is the parallel scanner update for UBI9. In this, we also have to add the update-ca-trust workaround for UBI9 changed perms on second execution.

The arm build fails because tar hits a bug in a syscall in qemu; I still have some debug logging around that, and I expect the arm arch build to fail because of it.

[davdhacs]

/test all

[davdhacs]

/retest

[davdhacs]

@tommartensen could you review this? (the ubi9 upgrade for scanner(v2); includes the update-ca-trust permissions workaround)

[tommartensen]

LGTM to me from a Konflux perspective. Have you deployed and smoke tested the resulting images (like we did for collector)?

[davdhacs]

LGTM to me from a Konflux perspective. Have you deployed and smoke tested the resulting images (like we did for collector)?

Yes, I tested with these changes (minus the master-merge [empty] commits). I'll re-do the smoke test with this and the latest master collector builds.

[BradLugo]

Note to self and @stackrox/scanner: we need to follow up on #2092 and update the image for s390x to avoid using a different version of psql.

[davdhacs]

/test ?

[davdhacs]

The test failures are not-related to UBI9/changes in this PR.

[davdhacs]

/retest-failed-builds

[davdhacs]

/test e2e-tests

[davdhacs]

/retest

[davdhacs]

/test e2e-tests

[openshift-ci]

@github-actions[bot]: The /retest command does not accept any targets.
The following commands are available to trigger optional jobs:

/test e2e-tests

/test slim-e2e-tests

Use /test all to run all jobs.

Details

In response to this:

/retest scanner-db-on-push

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[davdhacs]

🥳 CA-refactor PR approved and merged into this branch. Now I am re-running CI, and I intend to merge this next week (I'll request approvals after the holiday weekend).

[openshift-ci]

@github-actions[bot]: The /retest command does not accept any targets.
The following commands are available to trigger optional jobs:

/test e2e-tests

/test slim-e2e-tests

Use /test all to run all jobs.

Details

In response to this:

/retest scanner-db-slim-on-push

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@github-actions[bot]: The /retest command does not accept any targets.
The following commands are available to trigger optional jobs:

/test e2e-tests

/test slim-e2e-tests

Use /test all to run all jobs.

Details

In response to this:

/retest scanner-db-on-push

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[github-actions]

/retest scanner-db-on-push

[openshift-ci]

@github-actions[bot]: The /retest command does not accept any targets.
The following commands are available to trigger optional jobs:

/test e2e-tests

/test slim-e2e-tests

Use /test all to run all jobs.

Details

In response to this:

/retest scanner-db-on-push

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[davdhacs]

@BradLugo is scanner CI in a good place -- and we can proceed with this UBI9 bump for scanner (v2)? (in preparation for 4.11.0 having all containers on ubi9/rhel9)

[davdhacs]

@mclasmeier re-review please? (holding for Scanner team to sign-off again now since time has passed and there were scanner-repo CI blockers and fixes that I don't know about)

[mclasmeier]

Can review either later today or tomorrow.