Clean up Dockerfile, don't default to root on Alpine (#2589)

Signed-off-by: Jonas Köhnen <jonas.koehnen@sap.com>

Dockerfile

@@ -1,52 +1,32 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
-#### DOCKERHUB DOCKERFILE ####
+# This is {docker.io,quay.io,ghcr.io}/openbao/openbao{,-hsm}.
 FROM alpine:3.23 AS default
 
-ARG BIN_NAME
-# NAME and PRODUCT_VERSION are the name of the software in releases.hashicorp.com
-# and the version to download. Example: NAME=openbao PRODUCT_VERSION=1.2.3.
-ARG NAME=openbao
-ARG PRODUCT_VERSION
-ARG PRODUCT_REVISION
-
-# Additional metadata labels used by container registries, platforms
-# and certification scanners.
-LABEL name="OpenBao" \
-      maintainer="OpenBao <openbao@lists.openssf.org>" \
-      vendor="OpenBao" \
-      version=${PRODUCT_VERSION} \
-      release=${PRODUCT_REVISION} \
-      revision=${PRODUCT_REVISION} \
-      summary="OpenBao is a tool for securely accessing secrets." \
-      description="OpenBao is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. OpenBao provides a unified interface to any secret, while providing tight access control and recording a detailed audit log."
-
 COPY LICENSE /licenses/mozilla.txt
 
-# Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
-ENV NAME=$NAME
-ENV VERSION=$VERSION
-
 # Create a non-root user to run the software.
-RUN addgroup ${NAME} && adduser -S -G ${NAME} ${NAME}
+RUN addgroup openbao && adduser -S -G openbao openbao
 
 ARG EXTRA_PACKAGES
-RUN apk add --no-cache libcap su-exec dumb-init tzdata ${EXTRA_PACKAGES}
-
-COPY $BIN_NAME /bin/
+RUN apk add --no-cache ca-certificates libcap su-exec dumb-init tzdata ${EXTRA_PACKAGES}
 
+# The OpenBao binary is built externally in CI and copied into the container
+# build.
+ARG BIN_NAME
+COPY ${BIN_NAME} /bin/
 RUN ln -s /bin/${BIN_NAME} /bin/vault
 
-# /vault/logs is made available to use as a location to store audit logs, if
-# desired; /vault/file is made available to use as a location with the file
-# storage backend, if desired; the server will be started with /vault/config as
-# the configuration directory so you can add additional config files in that
+# /openbao/logs is made available to use as a location to store audit logs, if
+# desired; /openbao/file is made available to use as a location with the file
+# storage backend, if desired; the server will be started with /openbao/config
+# as the configuration directory so you can add additional config files in that
 # location.
 RUN mkdir -p /openbao/logs && \
     mkdir -p /openbao/file && \
     mkdir -p /openbao/config && \
-    chown -R ${NAME}:${NAME} /openbao
+    chown -R openbao:openbao /openbao
 
 # Expose the logs directory as a volume since there's potentially long-running
 # state in there
@@ -60,48 +40,25 @@ VOLUME /openbao/file
 # OpenBao.
 EXPOSE 8200
 
+# Use the OpenBao user as the default user for starting this container.
+USER openbao
+
 # The entry point script uses dumb-init as the top-level process to reap any
 # zombie processes created by OpenBao sub-processes.
 COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 ENTRYPOINT ["docker-entrypoint.sh"]
 
-
-# # By default you'll get a single-node development server that stores everything
-# # in RAM and bootstraps itself. Don't use this configuration for production.
+# By default you'll get a single-node development server that stores everything
+# in RAM and bootstraps itself. Don't use this configuration for production.
 CMD ["server", "-dev", "-dev-no-store-token"]
 
 
-
-
-#### UBI DOCKERFILE ####
+# This is {docker.io,quay.io,ghcr.io}/openbao/openbao{,-hsm}-ubi.
 FROM registry.access.redhat.com/ubi10-minimal:10.1 AS ubi
 
-ARG BIN_NAME
-# PRODUCT_VERSION is the version built dist/$TARGETOS/$TARGETARCH/$BIN_NAME,
-# which we COPY in later. Example: PRODUCT_VERSION=1.2.3.
-ARG PRODUCT_VERSION
-ARG PRODUCT_REVISION
-
-# Additional metadata labels used by container registries, platforms
-# and certification scanners.
-LABEL name="OpenBao" \
-      maintainer="OpenBao <openbao@lists.openssf.org>" \
-      vendor="OpenBao" \
-      version=${PRODUCT_VERSION} \
-      release=${PRODUCT_REVISION} \
-      revision=${PRODUCT_REVISION} \
-      summary="OpenBao is a tool for securely accessing secrets." \
-      description="OpenBao is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. OpenBao provides a unified interface to any secret, while providing tight access control and recording a detailed audit log."
-
 COPY LICENSE /licenses/mozilla.txt
 
-# Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
-ENV NAME=$NAME
-ENV VERSION=$VERSION
-
-# Set up certificates, our base tools, and OpenBao. Unlike the other version of
-# this (https://github.com/hashicorp/docker-vault/blob/master/ubi/Dockerfile),
-# we copy in the OpenBao binary from CRT.
+# Set up ca-certificates & base tooling.
 RUN set -eux; \
     microdnf install -y ca-certificates gnupg openssl libcap tzdata procps shadow-utils util-linux
 
@@ -110,18 +67,18 @@ RUN groupadd --gid 1000 openbao && \
     adduser --uid 100 --system -g openbao openbao && \
     usermod -a -G root openbao
 
-# Copy in the new OpenBao from CRT pipeline, rather than fetching it from our
-# public releases.
-COPY $BIN_NAME /bin/
-
+# The OpenBao binary is built externally in CI and copied into the container
+# build.
+ARG BIN_NAME
+COPY ${BIN_NAME} /bin/
 RUN ln -s /bin/${BIN_NAME} /bin/vault
 
-# /vault/logs is made available to use as a location to store audit logs, if
-# desired; /vault/file is made available to use as a location with the file
-# storage backend, if desired; the server will be started with /vault/config as
-# the configuration directory so you can add additional config files in that
+# /openbao/logs is made available to use as a location to store audit logs, if
+# desired; /openbao/file is made available to use as a location with the file
+# storage backend, if desired; the server will be started with /openbao/config
+# as the configuration directory so you can add additional config files in that
 # location.
-ENV HOME /home/openbao
+ENV HOME=/home/openbao
 RUN mkdir -p /openbao/logs && \
     mkdir -p /openbao/file && \
     mkdir -p /openbao/config && \
@@ -142,14 +99,14 @@ VOLUME /openbao/file
 # OpenBao.
 EXPOSE 8200
 
+# Use the OpenBao user as the default user for starting this container.
+USER openbao
+
 # The entry point script uses dumb-init as the top-level process to reap any
 # zombie processes created by OpenBao sub-processes.
 COPY .release/docker/ubi-docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 ENTRYPOINT ["docker-entrypoint.sh"]
 
-# Use the OpenBao user as the default user for starting this container.
-USER openbao
-
-# # By default you'll get a single-node development server that stores everything
-# # in RAM and bootstraps itself. Don't use this configuration for production.
+# By default you'll get a single-node development server that stores everything
+# in RAM and bootstraps itself. Don't use this configuration for production.
 CMD ["server", "-dev", "-dev-no-store-token"]

changelog/2589.txt

@@ -0,0 +1,20 @@
+```release-note:change
+packaging/container: The openbao & openbao-hsm container images now run under
+the `openbao` user rather than the `root` user by default, matching the default
+behavior of openbao-ubi variants:
+- Note that the container entrypoint will always drop down to the `openbao` user
+  before starting OpenBao even if started as `root`. The additional capabilities
+  are only used pre-startup to automatically fix up permissions of files
+  accessed by OpenBao.
+- If you rely on the container initially running as `root` by default, you can
+  revert to this behavior by manually specifying the user in your container
+  engine.
+```
+```release-note:change
+packaging/container: Removed `name`, `maintainer`, `vendor`, `version`,
+`release`, `revision`, `summary`, and `description` labels from
+container images in favor of the already attached [OpenContainers
+labels](https://github.com/opencontainers/image-spec/blob/main/annotations.md).
+If you have tooling that relies on these labels, instruct it to use the
+OpenContainers labels instead.
+```

goreleaser.hsm.yaml

@@ -17,7 +17,7 @@ builds:
       - ui
       - hsm
     ldflags:
-      - -X github.com/openbao/openbao/version.fullVersion={{.Version}} -X github.com/openbao/openbao/version.GitCommit={{.Commit}} -X github.com/openbao/openbao/version.CommitDate={{ .Date }} -X github.com/openbao/openbao/version.VersionMetadata=hsm
+      - -X github.com/openbao/openbao/version.fullVersion={{ .Version }} -X github.com/openbao/openbao/version.GitCommit={{ .Commit }} -X github.com/openbao/openbao/version.CommitDate={{ .Date }} -X github.com/openbao/openbao/version.VersionMetadata=hsm
     env:
       - CGO_ENABLED=1
       - >-
@@ -130,24 +130,20 @@ dockers:
       - builds-hsm
     build_flag_templates:
       - "--pull"
-      - "--build-arg=BIN_NAME={{.ProjectName}}"
-      - "--build-arg=REVISION={{.FullCommit}}"
-      - "--build-arg=VERSION={{.Version}}"
+      - "--build-arg=BIN_NAME={{ .ProjectName }}"
       - "--build-arg=EXTRA_PACKAGES=gcompat"
       - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
-      - "--label=org.opencontainers.image.vendor=OpenBao"
-      - "--label=org.opencontainers.image.description=OpenBao {{ .Version }}"
+      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
+      - "--label=org.opencontainers.image.authors=OpenBao <openbao@lists.openssf.org>"
       - "--label=org.opencontainers.image.url=https://github.com/openbao/openbao"
       - "--label=org.opencontainers.image.documentation=https://github.com/openbao/openbao/blob/main/README.md"
       - "--label=org.opencontainers.image.source=https://github.com/openbao/openbao"
-      - "--label=org.opencontainers.image.licenses=MPL-2.0"
       - "--label=org.opencontainers.image.version={{ .Version }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
-      - "--label=release={{ .Version }}"
-      - "--label=revision={{ .FullCommit }}"
-      - "--label=version={{ .Version }}"
+      - "--label=org.opencontainers.image.vendor=OpenBao"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.title=OpenBao"
+      - "--label=org.opencontainers.image.description=OpenBao is a tool for securely accessing secrets"
       - "--target=default"
     image_templates:
       - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/openbao-hsm{{ .Env.NIGHTLY_RELEASE }}:{{ .Version }}-amd64"
@@ -168,23 +164,19 @@ dockers:
     build_flag_templates:
       - "--pull"
       - "--build-arg=BIN_NAME={{ .ProjectName }}"
-      - "--build-arg=REVISION={{ .FullCommit }}"
-      - "--build-arg=VERSION={{ .Version }}"
       - "--build-arg=EXTRA_PACKAGES=gcompat"
       - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
-      - "--label=org.opencontainers.image.vendor=OpenBao"
-      - "--label=org.opencontainers.image.description=OpenBao {{ .Version }}"
+      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
+      - "--label=org.opencontainers.image.authors=OpenBao <openbao@lists.openssf.org>"
       - "--label=org.opencontainers.image.url=https://github.com/openbao/openbao"
       - "--label=org.opencontainers.image.documentation=https://github.com/openbao/openbao/blob/main/README.md"
       - "--label=org.opencontainers.image.source=https://github.com/openbao/openbao"
-      - "--label=org.opencontainers.image.licenses=MPL-2.0"
       - "--label=org.opencontainers.image.version={{ .Version }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
-      - "--label=release={{ .Version }}"
-      - "--label=revision={{ .FullCommit }}"
-      - "--label=version={{ .Version }}"
+      - "--label=org.opencontainers.image.vendor=OpenBao"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.title=OpenBao"
+      - "--label=org.opencontainers.image.description=OpenBao is a tool for securely accessing secrets"
       - "--target=default"
     image_templates:
       - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/openbao-hsm{{ .Env.NIGHTLY_RELEASE }}:{{ .Version }}-arm64"
@@ -204,22 +196,18 @@ dockers:
     build_flag_templates:
       - "--pull"
       - "--build-arg=BIN_NAME={{ .ProjectName }}"
-      - "--build-arg=REVISION={{ .FullCommit }}"
-      - "--build-arg=VERSION={{ .Version }}"
       - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
-      - "--label=org.opencontainers.image.vendor=OpenBao"
-      - "--label=org.opencontainers.image.description=OpenBao {{ .Version }}"
+      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
+      - "--label=org.opencontainers.image.authors=OpenBao <openbao@lists.openssf.org>"
       - "--label=org.opencontainers.image.url=https://github.com/openbao/openbao"
       - "--label=org.opencontainers.image.documentation=https://github.com/openbao/openbao/blob/main/README.md"
       - "--label=org.opencontainers.image.source=https://github.com/openbao/openbao"
-      - "--label=org.opencontainers.image.licenses=MPL-2.0"
       - "--label=org.opencontainers.image.version={{ .Version }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
-      - "--label=release={{ .Version }}"
-      - "--label=revision={{ .FullCommit }}"
-      - "--label=version={{ .Version }}"
+      - "--label=org.opencontainers.image.vendor=OpenBao"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.title=OpenBao"
+      - "--label=org.opencontainers.image.description=OpenBao is a tool for securely accessing secrets"
       - "--target=ubi"
     image_templates:
       - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/openbao-hsm-ubi{{ .Env.NIGHTLY_RELEASE }}:{{ .Version }}-amd64"
@@ -240,22 +228,18 @@ dockers:
     build_flag_templates:
       - "--pull"
       - "--build-arg=BIN_NAME={{ .ProjectName }}"
-      - "--build-arg=REVISION={{ .FullCommit }}"
-      - "--build-arg=VERSION={{ .Version }}"
       - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
-      - "--label=org.opencontainers.image.vendor=OpenBao"
-      - "--label=org.opencontainers.image.description=OpenBao {{ .Version }}"
+      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
+      - "--label=org.opencontainers.image.authors=OpenBao <openbao@lists.openssf.org>"
       - "--label=org.opencontainers.image.url=https://github.com/openbao/openbao"
       - "--label=org.opencontainers.image.documentation=https://github.com/openbao/openbao/blob/main/README.md"
       - "--label=org.opencontainers.image.source=https://github.com/openbao/openbao"
-      - "--label=org.opencontainers.image.licenses=MPL-2.0"
       - "--label=org.opencontainers.image.version={{ .Version }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
-      - "--label=release={{ .Version }}"
-      - "--label=revision={{ .FullCommit }}"
-      - "--label=version={{ .Version }}"
+      - "--label=org.opencontainers.image.vendor=OpenBao"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.title=OpenBao"
+      - "--label=org.opencontainers.image.description=OpenBao is a tool for securely accessing secrets"
       - "--target=ubi"
     image_templates:
       - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/openbao-hsm-ubi{{ .Env.NIGHTLY_RELEASE }}:{{ .Version }}-arm64"

goreleaser.linux.yaml

@@ -16,7 +16,7 @@ builds:
     tags:
       - ui
     ldflags:
-      - -X github.com/openbao/openbao/version.fullVersion={{.Version}} -X github.com/openbao/openbao/version.GitCommit={{.Commit}} -X github.com/openbao/openbao/version.CommitDate={{ .Date }}
+      - -X github.com/openbao/openbao/version.fullVersion={{ .Version }} -X github.com/openbao/openbao/version.GitCommit={{ .Commit }} -X github.com/openbao/openbao/version.CommitDate={{ .Date }}
     env:
       - CGO_ENABLED=0
     goos:
@@ -120,23 +120,19 @@ dockers:
       - builds-linux
     build_flag_templates:
       - "--pull"
-      - "--build-arg=BIN_NAME={{.ProjectName}}"
-      - "--build-arg=REVISION={{.FullCommit}}"
-      - "--build-arg=VERSION={{.Version}}"
+      - "--build-arg=BIN_NAME={{ .ProjectName }}"
       - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
-      - "--label=org.opencontainers.image.vendor=OpenBao"
-      - "--label=org.opencontainers.image.description=OpenBao {{ .Version }}"
+      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
+      - "--label=org.opencontainers.image.authors=OpenBao <openbao@lists.openssf.org>"
       - "--label=org.opencontainers.image.url=https://github.com/openbao/openbao"
       - "--label=org.opencontainers.image.documentation=https://github.com/openbao/openbao/blob/main/README.md"
       - "--label=org.opencontainers.image.source=https://github.com/openbao/openbao"
-      - "--label=org.opencontainers.image.licenses=MPL-2.0"
       - "--label=org.opencontainers.image.version={{ .Version }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
-      - "--label=release={{ .Version }}"
-      - "--label=revision={{ .FullCommit }}"
-      - "--label=version={{ .Version }}"
+      - "--label=org.opencontainers.image.vendor=OpenBao"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.title=OpenBao"
+      - "--label=org.opencontainers.image.description=OpenBao is a tool for securely accessing secrets"
       - "--target=default"
     image_templates:
       - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/openbao{{ .Env.NIGHTLY_RELEASE }}:{{ .Version }}-amd64"
@@ -157,22 +153,18 @@ dockers:
     build_flag_templates:
       - "--pull"
       - "--build-arg=BIN_NAME={{ .ProjectName }}"
-      - "--build-arg=REVISION={{ .FullCommit }}"
-      - "--build-arg=VERSION={{ .Version }}"
       - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
-      - "--label=org.opencontainers.image.vendor=OpenBao"
-      - "--label=org.opencontainers.image.description=OpenBao {{ .Version }}"
+      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
+      - "--label=org.opencontainers.image.authors=OpenBao <openbao@lists.openssf.org>"
       - "--label=org.opencontainers.image.url=https://github.com/openbao/openbao"
       - "--label=org.opencontainers.image.documentation=https://github.com/openbao/openbao/blob/main/README.md"
       - "--label=org.opencontainers.image.source=https://github.com/openbao/openbao"
-      - "--label=org.opencontainers.image.licenses=MPL-2.0"
       - "--label=org.opencontainers.image.version={{ .Version }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
-      - "--label=release={{ .Version }}"
-      - "--label=revision={{ .FullCommit }}"
-      - "--label=version={{ .Version }}"
+      - "--label=org.opencontainers.image.vendor=OpenBao"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.title=OpenBao"
+      - "--label=org.opencontainers.image.description=OpenBao is a tool for securely accessing secrets"
       - "--target=default"
     image_templates:
       - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/openbao{{ .Env.NIGHTLY_RELEASE }}:{{ .Version }}-arm"
@@ -193,22 +185,18 @@ dockers:
     build_flag_templates:
       - "--pull"
       - "--build-arg=BIN_NAME={{ .ProjectName }}"
-      - "--build-arg=REVISION={{ .FullCommit }}"
-      - "--build-arg=VERSION={{ .Version }}"
       - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
-      - "--label=org.opencontainers.image.vendor=OpenBao"
-      - "--label=org.opencontainers.image.description=OpenBao {{ .Version }}"
+      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
+      - "--label=org.opencontainers.image.authors=OpenBao <openbao@lists.openssf.org>"
       - "--label=org.opencontainers.image.url=https://github.com/openbao/openbao"
       - "--label=org.opencontainers.image.documentation=https://github.com/openbao/openbao/blob/main/README.md"
       - "--label=org.opencontainers.image.source=https://github.com/openbao/openbao"
-      - "--label=org.opencontainers.image.licenses=MPL-2.0"
       - "--label=org.opencontainers.image.version={{ .Version }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
-      - "--label=release={{ .Version }}"
-      - "--label=revision={{ .FullCommit }}"
-      - "--label=version={{ .Version }}"
+      - "--label=org.opencontainers.image.vendor=OpenBao"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.title=OpenBao"
+      - "--label=org.opencontainers.image.description=OpenBao is a tool for securely accessing secrets"
       - "--target=default"
     image_templates:
       - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/openbao{{ .Env.NIGHTLY_RELEASE }}:{{ .Version }}-arm64"
@@ -227,23 +215,19 @@ dockers:
       - builds-linux
     build_flag_templates:
       - "--pull"
-      - "--build-arg=BIN_NAME={{.ProjectName}}"
-      - "--build-arg=REVISION={{.FullCommit}}"
-      - "--build-arg=VERSION={{.Version}}"
+      - "--build-arg=BIN_NAME={{ .ProjectName }}"
       - "--platform=linux/ppc64le"
-      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
-      - "--label=org.opencontainers.image.vendor=OpenBao"
-      - "--label=org.opencontainers.image.description=OpenBao {{ .Version }}"
+      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
+      - "--label=org.opencontainers.image.authors=OpenBao <openbao@lists.openssf.org>"
       - "--label=org.opencontainers.image.url=https://github.com/openbao/openbao"
       - "--label=org.opencontainers.image.documentation=https://github.com/openbao/openbao/blob/main/README.md"
       - "--label=org.opencontainers.image.source=https://github.com/openbao/openbao"
-      - "--label=org.opencontainers.image.licenses=MPL-2.0"
       - "--label=org.opencontainers.image.version={{ .Version }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
-      - "--label=release={{ .Version }}"
-      - "--label=revision={{ .FullCommit }}"
-      - "--label=version={{ .Version }}"
+      - "--label=org.opencontainers.image.vendor=OpenBao"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.title=OpenBao"
+      - "--label=org.opencontainers.image.description=OpenBao is a tool for securely accessing secrets"
       - "--target=default"
     image_templates:
       - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/openbao{{ .Env.NIGHTLY_RELEASE }}:{{ .Version }}-ppc64le"
@@ -263,22 +247,18 @@ dockers:
     build_flag_templates:
       - "--pull"
       - "--build-arg=BIN_NAME={{ .ProjectName }}"
-      - "--build-arg=REVISION={{ .FullCommit }}"
-      - "--build-arg=VERSION={{ .Version }}"
       - "--platform=linux/riscv64"
-      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
-      - "--label=org.opencontainers.image.vendor=OpenBao"
-      - "--label=org.opencontainers.image.description=OpenBao {{ .Version }}"
+      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
+      - "--label=org.opencontainers.image.authors=OpenBao <openbao@lists.openssf.org>"
       - "--label=org.opencontainers.image.url=https://github.com/openbao/openbao"
       - "--label=org.opencontainers.image.documentation=https://github.com/openbao/openbao/blob/main/README.md"
       - "--label=org.opencontainers.image.source=https://github.com/openbao/openbao"
-      - "--label=org.opencontainers.image.licenses=MPL-2.0"
       - "--label=org.opencontainers.image.version={{ .Version }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
-      - "--label=release={{ .Version }}"
-      - "--label=revision={{ .FullCommit }}"
-      - "--label=version={{ .Version }}"
+      - "--label=org.opencontainers.image.vendor=OpenBao"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.title=OpenBao"
+      - "--label=org.opencontainers.image.description=OpenBao is a tool for securely accessing secrets"
       - "--target=default"
     image_templates:
       - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/openbao{{ .Env.NIGHTLY_RELEASE }}:{{ .Version }}-riscv64"
@@ -298,22 +278,18 @@ dockers:
     build_flag_templates:
       - "--pull"
       - "--build-arg=BIN_NAME={{ .ProjectName }}"
-      - "--build-arg=REVISION={{ .FullCommit }}"
-      - "--build-arg=VERSION={{ .Version }}"
       - "--platform=linux/s390x"
-      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
-      - "--label=org.opencontainers.image.vendor=OpenBao"
-      - "--label=org.opencontainers.image.description=OpenBao {{ .Version }}"
+      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
+      - "--label=org.opencontainers.image.authors=OpenBao <openbao@lists.openssf.org>"
       - "--label=org.opencontainers.image.url=https://github.com/openbao/openbao"
       - "--label=org.opencontainers.image.documentation=https://github.com/openbao/openbao/blob/main/README.md"
       - "--label=org.opencontainers.image.source=https://github.com/openbao/openbao"
-      - "--label=org.opencontainers.image.licenses=MPL-2.0"
       - "--label=org.opencontainers.image.version={{ .Version }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
-      - "--label=release={{ .Version }}"
-      - "--label=revision={{ .FullCommit }}"
-      - "--label=version={{ .Version }}"
+      - "--label=org.opencontainers.image.vendor=OpenBao"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.title=OpenBao"
+      - "--label=org.opencontainers.image.description=OpenBao is a tool for securely accessing secrets"
       - "--target=default"
     image_templates:
       - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/openbao{{ .Env.NIGHTLY_RELEASE }}:{{ .Version }}-s390x"
@@ -333,22 +309,18 @@ dockers:
     build_flag_templates:
       - "--pull"
       - "--build-arg=BIN_NAME={{ .ProjectName }}"
-      - "--build-arg=REVISION={{ .FullCommit }}"
-      - "--build-arg=VERSION={{ .Version }}"
       - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
-      - "--label=org.opencontainers.image.vendor=OpenBao"
-      - "--label=org.opencontainers.image.description=OpenBao {{ .Version }}"
+      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
+      - "--label=org.opencontainers.image.authors=OpenBao <openbao@lists.openssf.org>"
       - "--label=org.opencontainers.image.url=https://github.com/openbao/openbao"
       - "--label=org.opencontainers.image.documentation=https://github.com/openbao/openbao/blob/main/README.md"
       - "--label=org.opencontainers.image.source=https://github.com/openbao/openbao"
-      - "--label=org.opencontainers.image.licenses=MPL-2.0"
       - "--label=org.opencontainers.image.version={{ .Version }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
-      - "--label=release={{ .Version }}"
-      - "--label=revision={{ .FullCommit }}"
-      - "--label=version={{ .Version }}"
+      - "--label=org.opencontainers.image.vendor=OpenBao"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.title=OpenBao"
+      - "--label=org.opencontainers.image.description=OpenBao is a tool for securely accessing secrets"
       - "--target=ubi"
     image_templates:
       - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/openbao-ubi{{ .Env.NIGHTLY_RELEASE }}:{{ .Version }}-amd64"
@@ -369,22 +341,18 @@ dockers:
     build_flag_templates:
       - "--pull"
       - "--build-arg=BIN_NAME={{ .ProjectName }}"
-      - "--build-arg=REVISION={{ .FullCommit }}"
-      - "--build-arg=VERSION={{ .Version }}"
       - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
-      - "--label=org.opencontainers.image.vendor=OpenBao"
-      - "--label=org.opencontainers.image.description=OpenBao {{ .Version }}"
+      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
+      - "--label=org.opencontainers.image.authors=OpenBao <openbao@lists.openssf.org>"
       - "--label=org.opencontainers.image.url=https://github.com/openbao/openbao"
       - "--label=org.opencontainers.image.documentation=https://github.com/openbao/openbao/blob/main/README.md"
       - "--label=org.opencontainers.image.source=https://github.com/openbao/openbao"
-      - "--label=org.opencontainers.image.licenses=MPL-2.0"
       - "--label=org.opencontainers.image.version={{ .Version }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
-      - "--label=release={{ .Version }}"
-      - "--label=revision={{ .FullCommit }}"
-      - "--label=version={{ .Version }}"
+      - "--label=org.opencontainers.image.vendor=OpenBao"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.title=OpenBao"
+      - "--label=org.opencontainers.image.description=OpenBao is a tool for securely accessing secrets"
       - "--target=ubi"
     image_templates:
       - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/openbao-ubi{{ .Env.NIGHTLY_RELEASE }}:{{ .Version }}-arm64"
@@ -404,22 +372,18 @@ dockers:
     build_flag_templates:
       - "--pull"
       - "--build-arg=BIN_NAME={{ .ProjectName }}"
-      - "--build-arg=REVISION={{ .FullCommit }}"
-      - "--build-arg=VERSION={{ .Version }}"
       - "--platform=linux/ppc64le"
-      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
-      - "--label=org.opencontainers.image.vendor=OpenBao"
-      - "--label=org.opencontainers.image.description=OpenBao {{ .Version }}"
+      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
+      - "--label=org.opencontainers.image.authors=OpenBao <openbao@lists.openssf.org>"
       - "--label=org.opencontainers.image.url=https://github.com/openbao/openbao"
       - "--label=org.opencontainers.image.documentation=https://github.com/openbao/openbao/blob/main/README.md"
       - "--label=org.opencontainers.image.source=https://github.com/openbao/openbao"
-      - "--label=org.opencontainers.image.licenses=MPL-2.0"
       - "--label=org.opencontainers.image.version={{ .Version }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
-      - "--label=release={{ .Version }}"
-      - "--label=revision={{ .FullCommit }}"
-      - "--label=version={{ .Version }}"
+      - "--label=org.opencontainers.image.vendor=OpenBao"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.title=OpenBao"
+      - "--label=org.opencontainers.image.description=OpenBao is a tool for securely accessing secrets"
       - "--target=ubi"
     image_templates:
       - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/openbao-ubi{{ .Env.NIGHTLY_RELEASE }}:{{ .Version }}-ppc64le"
@@ -439,22 +403,18 @@ dockers:
     build_flag_templates:
       - "--pull"
       - "--build-arg=BIN_NAME={{ .ProjectName }}"
-      - "--build-arg=REVISION={{ .FullCommit }}"
-      - "--build-arg=VERSION={{ .Version }}"
       - "--platform=linux/s390x"
-      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
-      - "--label=org.opencontainers.image.vendor=OpenBao"
-      - "--label=org.opencontainers.image.description=OpenBao {{ .Version }}"
+      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
+      - "--label=org.opencontainers.image.authors=OpenBao <openbao@lists.openssf.org>"
       - "--label=org.opencontainers.image.url=https://github.com/openbao/openbao"
       - "--label=org.opencontainers.image.documentation=https://github.com/openbao/openbao/blob/main/README.md"
       - "--label=org.opencontainers.image.source=https://github.com/openbao/openbao"
-      - "--label=org.opencontainers.image.licenses=MPL-2.0"
       - "--label=org.opencontainers.image.version={{ .Version }}"
       - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - '--label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}'
-      - "--label=release={{ .Version }}"
-      - "--label=revision={{ .FullCommit }}"
-      - "--label=version={{ .Version }}"
+      - "--label=org.opencontainers.image.vendor=OpenBao"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.title=OpenBao"
+      - "--label=org.opencontainers.image.description=OpenBao is a tool for securely accessing secrets"
       - "--target=ubi"
     image_templates:
       - "ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/openbao-ubi{{ .Env.NIGHTLY_RELEASE }}:{{ .Version }}-s390x"