feat(catalog): managed container images on UBI9

Summary

Second MR in the v2.0 modernization. Lands eight catalog-managed container images AND cuts over every template to consume them. After this merges, the catalog ships its own toolchain images and consumers never curl-install at runtime.

Stacked on top of !6 (v2-foundations, merged). The diff currently includes v2-foundations changes; it shrinks to just managed-images + image cutover once !6 merges.

Image set

| Image | Base | Use |
|---|---|---|
| ci-tools | ubi9-minimal | Shared base: cosign + syft + glab + skopeo + jq + curl + git |
| ci-go | ci-tools | Go toolchain + govulncheck + golangci-lint |
| ci-go-fips | ci-go | Go in FIPS-140-3 native mode (GOFIPS140=v1.0.0) |
| ci-rust | ci-tools | Rust toolchain + clippy/rustfmt/cargo-audit/cargo-deny/cargo-zigbuild/zig |
| ci-buildah | ubi9 | Rootless OCI build engine: buildah + podman + skopeo + cosign |
| ci-buildkit | ubi9 | Rootless OCI build engine: BuildKit + skopeo + cosign |
| ci-kaniko | PST kaniko fork | Kaniko (Chainguard fork) + cosign for onramp/offramp customers |
| posture-verify | ci-go | Toolchain for the posture-verify component |

Image-tag convention

Every catalog tag vX.Y.Z produces images at registry.gitlab.com/gitlab-com/public-sector-tools/pipeline/<name>:X.Y.Z (v-stripped, matches $[[ component.version ]] interpolation), plus :vX.Y.Z (with prefix) and :latest on final tags only. RC tags publish images but do NOT move :latest.
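The tag rule above, as an added example (not the catalog's own CI code): a POSIX shell helper that derives the image references a given catalog git tag would publish, including the "pre-release tags never move :latest" case. The registry path comes from the convention above; the function name and the `v<major>.<minor>.<patch>` input check are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the catalog's CI: derive image refs from a catalog git tag.
# Assumes input shaped like CI_COMMIT_TAG, e.g. "v2.0.0" or "v2.0.0-rc.1".
REGISTRY="registry.gitlab.com/gitlab-com/public-sector-tools/pipeline"

# image_tags NAME GIT_TAG -> one fully-qualified image reference per line
image_tags() {
  name="$1"
  tag="$2"
  # Only vX.Y.Z-style tags publish images; anything else is rejected.
  case "$tag" in
    v[0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "not a catalog tag: $tag" >&2; return 1 ;;
  esac
  bare="${tag#v}"   # v-stripped form that matches $[[ component.version ]]
  printf '%s/%s:%s\n' "$REGISTRY" "$name" "$bare"
  printf '%s/%s:%s\n' "$REGISTRY" "$name" "$tag"
  # :latest is published for final tags only; pre-release tags (-rc.N) never move it.
  case "$bare" in
    *-*) ;;
    *) printf '%s/%s:latest\n' "$REGISTRY" "$name" ;;
  esac
}

# Stand-alone usage: list what the ci-go image would be tagged as for this commit.
image_tags ci-go "${CI_COMMIT_TAG:-v2.0.0}"
```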

Template cutover

Every template's image: default now points at a catalog-managed image:

  • alpine:3.20 / ubi9-minimal / curlimages -> pipeline/ci-tools:$[[ component.version ]]
  • quay.io/buildah/stable -> pipeline/ci-buildah:$[[ component.version ]]
  • binary's build_image default -> pipeline/ci-go:latest (consumers override for Rust / FIPS)

Curl-installs of cosign and syft removed from attest, container, container-attest, container-manifest, container-sbom, extra-assets, verify, clone-upstream, compliance. Tools now come pre-installed in the catalog image. BREAKING: cosign_version and syft_version inputs removed from those components; the version is pinned via the image at the consumer's catalog tag.

vale keeps its vale curl-install (docs-only tool, not in ci-tools).

Renovate

Custom-manager regex added for containers/*.Containerfile ARG VERSION pin-comments. Tool bumps auto-merge on minor + patch; majors need a human reviewer.

Endorsement-language cleanup

Repo-wide sweep removing "DoD-grade", "FedRAMP-aligned", and "Iron Bank compatible" framings. The catalog should describe its behavior, not claim affiliation with third-party programs. Standards references (NIST 800-53, CMMC 2.0 L2, SSDF v1.1, FIPS-140-3) remain as factual.

What's NOT in this MR

  • Catalog dogfooding the build (still uses quay.io/buildah/stable for the bootstrap; swap to pipeline/ci-buildah after v2.0.0).
  • Three new engine components (build-container-buildkit/buildah/kaniko).
  • posture-verify component template.
  • glab repo publish catalog switch from release-cli.

Test plan

  • syntax + lint-templates pass on MR pipeline.
  • After merge: on the next main-with-Containerfile-change or first v2.0.0-rc.1 tag pipeline, all 8 image builds + signs succeed.
  • v2.0.0-rc.1 tag triggers all 8 image builds; sim consumer (separate MR) validates the end-to-end contract.
Edited by Andrew Dunn
