✨unpacker: switch from google/go-containerregistry to containers/image

[joelanford]

Description

See https://docs.google.com/document/d/1s-nfpJqecWGuriFIVXr2REbZLUB8N8QxLp1MQKLPhlE/edit#heading=h.x3tfh25grvnv

• This tilt-support PR is required to make the tilt test pass: Tiltfile: accept optional build tags tilt-support#9

Reviewer Checklist

• API Go Documentation
• Tests: Unit Tests (and E2E Tests, if appropriate)
• Comprehensive Commit Messages
• Links to related GitHub Issue(s)

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	41f0aaf
🔍 Latest deploy log	https://app.netlify.com/sites/olmv1/deploys/66e0e49a75d7440008172f95
😎 Deploy Preview	https://deploy-preview-1194--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[codecov]

Codecov Report

Attention: Patch coverage is 74.64789% with 36 lines in your changes missing coverage. Please review.

Project coverage is 76.82%. Comparing base (d09f325) to head (41f0aaf).
Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/rukpak/source/containers_image.go	72.30%	19 Missing and 17 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1194      +/-   ##
==========================================
+ Coverage   76.49%   76.82%   +0.32%     
==========================================
  Files          40       40              
  Lines        2336     2369      +33     
==========================================
+ Hits         1787     1820      +33     
+ Misses        392      383       -9     
- Partials      157      166       +9     

Flag	Coverage Δ
e2e	58.21% <57.74%> (+0.63%)	⬆️
unit	52.93% <67.60%> (+0.53%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[tmshort]

Loss of CertPoolWatcher: certPoolWatcher here...

[tmshort]

Not seeing ContainersImageRegistry use certificate, so is the certPoolWatcher even necessary?
And if that's the case, this could lead to more code being deleted... but presumably it's used somewhere?

[tmshort]

Yes, in BuildHTTPClient

[joelanford]

Yeah, the containers/image source implementation lets us set the CA files on a context struct, which I think are reloaded on every pull.

And yeah, the certPoolWatcher should still be used to connect to catalogd.

[joelanford]

This doesn't seem to be a default for containers/image, interestingly. Researching this a bit more.

[everettraven]

Primary read/write file for auth seems to be ${XDG_RUNTIME_DIR}/containers/auth.json or $HOME/.config/containers/auth.json: https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md#description

[everettraven]

Looking at this, we should probably revisit the RFC and highlight the default location for all the configs we may care about

[joelanford]

So it turns out that file location is just not a thing (yet at least): containers/image#1746

[joelanford]

We could follow the pattern that podman and skopeo do. If REGISTRY_AUTH_FILE is set in the environment, we set its value on this field. I'll switch the PR to do that for now.

[joelanford]

I took all of the auth stuff back out of the PR for now. We should discuss and handle separately.

This PR is now focused on containers/image and use of /etc/containers system configuration (as an unsupported/subject-to-change internal API)

[tmshort]

A few comments. Mostly surrounding the need for a new Issuer?

[tmshort]

Nit: extra blank line.

[tmshort]

Wondering if you want to go all out and put each flag on its own line?

[joelanford]

🤷‍♂️

I was mainly focused on "like flags" and "can I see it without side-to-side scrolling?"

Notes

• I wanted UNIT_TEST_DIRS as close to the end as possible because I sometimes find myself copying/pasting the command line from a full run so that I can run unit tests in a specific package (and yes, I know we could make UNIT_TEST_DIRS overrideable, but in other projects that do that I always forget what the var name is, so I end up copy/pasting anyway)
• I was forced to put test.govoerdir after the UNIT_TEST_DIRS because those flags are passed to the test binary.

[tmshort]

Should this be ClusterIssuer/olmv1-ca? Did you really want to create another CA/Issuer? Note that we already have a self-signed-issuer in the cert-manager namespace.

[joelanford]

The intention here is to setup our standard e2e test with:

• an image registry the serves with an untrusted certificate
• a mounted /etc/containers/registries.conf file that instructs operator-controller to allow insecure connections to the image registry.

This setup proves that our image puller respect what shows up in /etc/containers/registries.conf (if the registries.conf volume mount is removed, the tests fail)

The extension developer e2e and the upgrade e2e are left using the standard olmv1-ca to:

1. Verify that op-con works without a mounted /etc/containers/registry.conf
2. Avoid issues with pre-upgrade setup which depends on using the unmodified manifest of the previous release (meaning we can't mount /etc/containers to allow op-con to trust an insecure registry)

[joelanford]

I honestly don't love the current setup. It seems overly complex and brittle, and I do acknowledge that this PR makes it ever so slightly more complex and brittle.

I'd be in favor of looking at our e2e test code and fixtures holistically in order to do a bit of cleanup and refactoring, but IMO, in a separate PR.

[tmshort]

As long as the intent was to have a separate trust chain for the registries, then ok. The current CAs are used for communication catalogd <-> operator-controller, and api-server -> catalogd (for webhooks)

[joelanford]

Yes, the intent is to explicitly have a separate (untrusted) trust chain. The other places the CA were used are:

• catalogd -> e2e image registry
• operator-controller -> e2e image registry

Prior to this PR, the same exact image registry setup was used for every e2e (e2e, upgrade-e2e, and developer-extension-e2e).

With this PR, the vanilla e2e is explicitly changed to use the untrusted self-signed cert (while the other e2e variants remain unchanged)

[tmshort]

Not sure why you want another issuer (a few comments on this)

[joelanford]

See #1194 (comment)

[tmshort]

Is there an explicit check for this type of error?

[joelanford]

Hmm. It appears that we do not check for this error type in our reconciler. I brought this over from the now-deleted image_registry.go where it was used.

I do check for it in unit tests.

WDYT about addressing this in a follow-up?

[tmshort]

Depends on how many other changes will occur if you update... but at least it's isolated.

[tmshort]

/lgtm

[LalatenduMohanty]

/hold Adding a hold as @everettraven and me can use few hours to review and test the PR . Will remove the hold before EOD today.

[LalatenduMohanty]

/lgtm

[LalatenduMohanty]

/hold cancel