Commit b677dde

pkg/cli/admin/release/info: support generating RPM diffs
It's often useful when looking up release images to know the list of RPM packages that shipped in the node image. Add new switches for this:

- `oc adm release info --rpmdb $IMG` will list all the packages in the node image for the given release image payload
- `oc adm release info --rpmdb-diff $IMG1 $IMG2` will diff the set of packages in the node image for the given release image payloads

The code is generic over the actual target image. By default, the node image is used, but `--rpmdb-image` can be used to select a different one.

The primary motivation for this is openshift/enhancements#1637, in which the node image will no longer be built within the CoreOS pipeline as a base image. Instead, it will be a layered image built in OpenShift CI/Konflux. As a result, all layered packages will not show up in the CoreOS release browser differ. With this functionality, the release controller will be able to render RPM diffs in the web UI, greatly de-emphasizing the CoreOS differ and effectively dropping the requirement for having VPN access.

Some notes on the implementation:

- The rpmdb for a given image is cached, keyed by the image digest.
- The new layered node image in specific supports a "metadata layer" semantic in which the last layer of the image is a metadata-only layer describing the RPM contents. If we detect this, we use it. This saves us from having to download the whole image.
- Otherwise, we don't try to be smart here and e.g. only download some layers. There are some issues with doing that. We literally do download the full image, _but_ we only cache the rpmdb content and throw away the rest. That said, the high cost isn't an issue in practice because the release controller can nicely represent operations which take time so it didn't feel worth the effort of trying to optimize this further.

Once we have SBOMs available for all our images, this should be a more canonical way to cheaply query the RPM contents of an image.

Additionally/alternatively, for the node image specifically, if we ever end up with lockfiles in the git repo, this would effectively mean that the git changelog _is_ the RPM changelog also, meshing nicely with the existing infrastructure around that.
1 parent f81b9a4 commit b677dde

4 files changed

+497
-7
lines changed

pkg/cli/admin/release/annotations.go

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,8 @@ const (
3636
// This LABEL is the git clone location that an image was built with. Copied
3737
// unmodified to the image-references file.
3838
annotationBuildSourceLocation = "io.openshift.build.source-location"
39+
// This LABEL indicates that an image is capped by a metadata layer.
40+
annotationMetalayer = "io.openshift.metalayer"
3941

4042
urlGithubPrefix = "https://github.com/"
4143
)
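
Review bot: The comment added above `annotationMetalayer` does not say what value the `io.openshift.metalayer` label is expected to carry or what the capping layer must contain, so a reader of this const block cannot tell when an image counts as "capped by a metadata layer". Per the commit message, detecting this makes the tool use the last layer as the description of the RPM contents instead of downloading the whole image, which means the label and that layer are taken as the image's own declaration of its packages. Suggest expanding the comment to state the expected value, that the metadata layer is the final layer and describes the RPM contents, and that package lists produced this way reflect what the image declares rather than an rpmdb extracted from the full image.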
