feat: allow per-extension license metadata (#111)

gbartolini · NiccoloFei · web-flow · commit be6fe6982f5f · 2026-02-21T12:32:23.000+01:00
Introduce a `licenses` field in the metadata schema as a list of SPDX identifiers, allowing each extension to declare its own licensing. These are joined with " AND " at build time to populate the OCI `org.opencontainers.image.licenses` label and annotation, replacing the previously hardcoded "Apache-2.0". The existing extensions have been updated: pgaudit and pgvector use the PostgreSQL license, while PostGIS includes the full set of licenses from its dependency tree, as reported by trivy. Closes #110 Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com> Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com> Co-authored-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
diff --git a/README.md b/README.md
@@ -147,7 +147,7 @@ annotations as defined by the [OCI Image Format Specification](https://github.co
 | `org.opencontainers.image.title` | Human-readable image title |
 | `org.opencontainers.image.description` | Image description |
 | `org.opencontainers.image.source` | Source repository URL |
-| `org.opencontainers.image.licenses` | License identifier (Apache-2.0) |
+| `org.opencontainers.image.licenses` | License identifier |
 
 You can inspect these labels using container tools:
 
diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -74,7 +74,7 @@ target "default" {
     "index,manifest:org.opencontainers.image.description=A ${metadata.name} ${getExtensionVersion(distro, pgVersion)} container image for PostgreSQL ${pgVersion} on ${distro}",
     "index,manifest:org.opencontainers.image.documentation=${url}",
     "index,manifest:org.opencontainers.image.authors=${authors}",
-    "index,manifest:org.opencontainers.image.licenses=Apache-2.0",
+    "index,manifest:org.opencontainers.image.licenses=${join(" AND ", metadata.licenses)}",
     "index,manifest:org.opencontainers.image.base.name=scratch",
     "index,manifest:io.cloudnativepg.image.base.name=${getBaseImage(distro, pgVersion)}",
     "index,manifest:io.cloudnativepg.image.base.pgmajor=${pgVersion}",
@@ -91,7 +91,7 @@ target "default" {
     "org.opencontainers.image.description" = "A ${metadata.name} ${getExtensionVersion(distro, pgVersion)} container image for PostgreSQL ${pgVersion} on ${distro}",
     "org.opencontainers.image.documentation" = "${url}",
     "org.opencontainers.image.authors" = "${authors}",
-    "org.opencontainers.image.licenses" = "Apache-2.0",
+    "org.opencontainers.image.licenses" = "${join(" AND ", metadata.licenses)}",
     "org.opencontainers.image.base.name" = "scratch",
     "io.cloudnativepg.image.base.name" = "${getBaseImage(distro, pgVersion)}",
     "io.cloudnativepg.image.base.pgmajor" = "${pgVersion}",
diff --git a/pgaudit/metadata.hcl b/pgaudit/metadata.hcl
@@ -2,6 +2,7 @@ metadata = {
   name                     = "pgaudit"
   sql_name                 = "pgaudit"
   image_name               = "pgaudit"
+  licenses                 = ["PostgreSQL"]
   shared_preload_libraries = ["pgaudit"]
   extension_control_path   = []
   dynamic_library_path     = []
diff --git a/pgvector/metadata.hcl b/pgvector/metadata.hcl
@@ -2,6 +2,7 @@ metadata = {
   name                     = "pgvector"
   sql_name                 = "vector"
   image_name               = "pgvector"
+  licenses                 = ["PostgreSQL"]
   shared_preload_libraries = []
   extension_control_path   = []
   dynamic_library_path     = []
diff --git a/postgis/metadata.hcl b/postgis/metadata.hcl
@@ -2,6 +2,14 @@ metadata = {
   name                     = "postgis"
   sql_name                 = "postgis"
   image_name               = "postgis-extension"
+  licenses                 = [ "Apache-2.0", "blessing", "BSD-2-Clause", "BSD-3-Clause",
+                              "BSD-3-Clause-Clear", "BSD-3-Clause-LBNL", "BSD-4-Clause-UC",
+                              "BSL-1.0", "CC-BY-3.0", "CC-BY-4.0", "CC-BY-SA-3.0", "curl",
+                              "FTL", "GPL-2.0-or-later", "GPL-3.0-or-later", "HDF5", "HPND-sell-variant",
+                              "IJG", "Info-ZIP", "ISC", "LGPL-2.1-or-later", "Libpng", "libtiff",
+                              "MIT", "MIT-Modern-Variant", "MPL-1.1", "OLDAP-2.8",
+                              "PostgreSQL", "Spencer-86", "SPL-1.0", "Unicode-DFS-2015",
+                              "Unlicense", "X11", "Zlib" ]
   shared_preload_libraries = []
   extension_control_path   = []
   dynamic_library_path     = []
diff --git a/templates/metadata.hcl.tmpl b/templates/metadata.hcl.tmpl
@@ -9,6 +9,16 @@ metadata = {
   # it identifies the image (e.g. ghcr.io/cloudnative-pg/<image_name>)
   image_name               = "{{ .Name }}"
 
+  # TODO: Remove this comment block after customizing the file.
+  # `licenses`: A list of SPDX identifiers representing the software's licenses.
+  # Formatting Rules:
+  # - Must be a list of strings: ["MIT", "Apache-2.0"]
+  # - Use SPDX IDs exactly as they appear at https://spdx.org/licenses/
+  # - These are automatically joined with " AND " to populate the OCI label
+  #   org.opencontainers.image.licenses
+  # Examples: "Apache-2.0", "PostgreSQL", "MIT".
+  licenses                 = ["Apache-2.0"]
+
   # TODO: Remove this comment block after customizing the file.
   # `shared_preload_libraries`: list libraries to be added to
   # `shared_preload_libraries` in Postgres. Usually empty.
