[RFC-0003] Implement OCIRepository reconciliation

[stefanprodan]

This PR adds a new kind to the source API and implements the OCIRepository reconciliation as described in the RFC Flux OCI support for Kubernetes manifests.

Authors:

• @rashedkvm
• @somtochiama
• @stefanprodan

API implementation

• spec.url
• spec.ref.digest
• spec.ref.tag
• spec.ref.semver
• spec.provider
• spec.secretRef
• spec.serviceAccountName
• spec.certSecretRef
• spec.status.artifact.metadata

When the OCI artifact is annotated in the registry, these annotations are reflected in-cluster under spec.status.artifact.metadata . When using flux push artifact the following annotations are used to track the origin Git repository:

• org.opencontainers.image.source: <GIT-URL>
• org.opencontainers.image.revision: <GIT-BRANCH|TAG>/<GIT-SHA>

⚠️ Note that spec.verify is not included in this PR. We would like to release OCIRepository without cosign verification, then implement it for both OCIRepository and HelmChart OCI artifacts.

OCI preview

To try out the OCI feature, you can build the Flux CLI that contains this version of source-controller and a version of kustomize-controller that has OCI support:

# checkout the OCI branch
git clone https://github.com/fluxcd/flux2.git
cd flux2
git switch oci

# build Flux
make build
sudo mv ./bin/flux /opt/homebrew/bin/flux

# register the podinfo repo from GHCR
flux create source oci podinfo-oci \
--url oci://ghcr.io/stefanprodan/manifests/podinfo \
--semver 6.x \
--interval 10m

# reconcile podinfo in the default namespace
flux create kustomization podinfo-oci \
--source=OCIRepository/podinfo-oci \
--path="./kustomize" \
--prune=true \
--interval=5m \
--target-namespace=default \
--wait=true

# various OCI commands
flux get sources oci
flux reconcile source oci podinfo-oci
flux suspend source oci podinfo-oci
flux resume source oci podinfo-oci
flux export source oci podinfo-oci
flux delete ks podinfo-oci --silent
flux delete source oci podinfo-oci --silent

To generate your own artifacts, clone podinfo and push the manifests to your own container registry:

# export your GH username
export GH_USER=<username>

# clone podinfo
git clone https://github.com/stefanprodan/podinfo.git
cd podinfo

# check the 6.1.5 release
git checkout 6.1.5

# push 6.1.5 to GHCR
flux push artifact oci://ghcr.io/${GH_USER}/manifests/podinfo:$(git tag --points-at HEAD) \
	--path="./kustomize" \
	--source="$(git config --get remote.origin.url)" \
	--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"

# check the 6.1.6 release
git checkout 6.1.6

# push 6.1.6 to GHCR
flux push artifact oci://ghcr.io/${GH_USER}/manifests/podinfo:$(git tag --points-at HEAD) \
	--path="./kustomize" \
	--source="$(git config --get remote.origin.url)" \
	--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"

# tag 6.1.6 as latest
flux tag artifact oci://ghcr.io/${GH_USER}/manifests/podinfo:6.1.6 --tag latest

[rashedkvm]

Installed Controller Preview and ran test CR for bundle image package. Test succeeded.

---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: sample-app
  namespace: default
spec:
  interval: 1m
  url: rkamaldocker/sample-app
  ref:
    tag: 1.0.0

Extracted tar - looks good

# curl http://source-controller.flux-system.svc.cluster.local./ocirepository/default/sample-app/2db7841074d483b2f3fde931988962b529c7fdf5d1e6928d2b70b723410e5b81.tar.gz -o oci-test/sample-app.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  193k  100  193k    0     0  94.4M      0 --:--:-- --:--:-- --:--:-- 94.4M
# cd oci-test
# tar -xf sample-app.tar.gz
# ls -a
.  ..  .git  .github  .gitignore  .mvn	LICENSE  README.md  Tiltfile  accelerator.yaml	catalog  config  mvnw  mvnw.cmd  pom.xml  sample-app.tar.gz  src
# 

[rashedkvm]

@stefanprodan Seeing issue with the multi-layer image by CNB buildpack. Please try the following:

---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: petclinic
  namespace: default
spec:
  interval: 15m
  url: scothis/petclinic
  ref:
    tag: latest

Error status condition

  - lastTransitionTime: "2022-06-26T03:51:23Z"
    message: tar file entry bin/bzcmp contained unsupported file type Lrwxrwxrwx
    observedGeneration: 1
    reason: OCIOperationFailed
    status: "False"
    type: Ready

Both docker and crane client validates this image

~ crane validate --remote scothis/petclinic:latest
PASS: scothis/petclinic:latest

Can you try pulling the image scothis/petclinic:latest with the modified Flux CLI? Thanks!

[stefanprodan]

tar file entry bin/bzcmp contained unsupported file type Lrwxrwxrwx

@rashedkvm this is expected, we only support regular files https://github.com/fluxcd/pkg/blob/76f30cf3b1d1b2503a5202b2a96d9faeb25623a2/untar/untar.go#L60 To make this work with Flux you need to use spec.ignore and include only the files with Kubernetes manifest.

[darkowlzz]

Went through it just to get familiar with the implementation.
Overall, looks good to me. Left a few minor comments.

[pjbgf]

Some small nits...

[darkowlzz]

LGTM!
I've tested and verified that the OCI registry auto-login works for AWS, Azure and GCP.

[pjbgf]

LGTM