NO-JIRA: Add cpe label to match product security metadata

[alebedev87]

The check-labels release task enforces the cpe label to match the product security metadata. Without this override, the UBI base image cpe label is used, which does not match.

Example of failed check-labels job: link.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request adds a Common Platform Enumeration (CPE) label to the final external-dns-operator container image in the Containerfile. The label cpe:/a:redhat:ext_dns_optr:1.3::el9 is appended to the existing image metadata alongside the maintainer, component, name, and version labels. No other build steps or runtime configuration was modified.

Possibly related PRs

• openshift/external-dns-operator#436: Modifies image metadata labels in Containerfile.external-dns-operator, with this PR adding a CPE label while that PR updates name/version labels.

Suggested reviewers

• davidesalerno
• gcs278
• grzpiotrowski

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names use stable, static strings with no dynamic values, generated identifiers, timestamps, or non-deterministic content. Test titles are descriptive and follow best practices.
Test Structure And Quality	✅ Passed	This PR only modifies Containerfile.external-dns-operator to add a cpe label. No Ginkgo test files were changed, so the test code quality check is not applicable.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests added. E2e tests use standard testing, webhook tests use Ginkgo but aren't e2e. Check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The change only updates container image metadata by adding a CPE label to Containerfile.external-dns-operator. The SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only a CPE label to the Containerfile for product metadata. No deployment manifests, operator code, or scheduling constraints modified. Not applicable to topology check.
Ote Binary Stdout Contract	✅ Passed	PR only modifies Containerfile metadata (adds cpe label); no code changes that could affect OTE binary stdout contract. Existing code properly uses structured logging to appropriate outputs.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only modifies Containerfile to add a cpe label. No Ginkgo e2e tests are added or modified, so the check does not apply.
Description check	✅ Passed	The pull request description clearly explains the purpose of adding a cpe label override to match product security metadata and references a failed check-labels job example.
Title check	✅ Passed	The title clearly and concisely describes the main change: adding a CPE label to the external-dns-operator image to match product security metadata requirements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@alebedev87: This pull request explicitly references no jira issue.

Details

In response to this:

The check-labels release task enforces the cpe label to match the product security metadata. Without this override, the UBI base image cpe label is used, which does not match.

Example of failed check-labels job: link.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[grzpiotrowski]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: grzpiotrowski

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [grzpiotrowski]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@alebedev87: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.