feat: upgrade to oras-go v2 and support OCI registries requiring authentication. Closes #2819 #3620

Merged
merged 8 commits into from
Jul 14, 2023

Contributor

@pdecat pdecat commented Jun 26, 2023

This PR upgrades the oras client library to v2 and adds support for OCI registries requiring authentication (tested with GitLab).

Resolves #2819

@@ -32,7 +31,8 @@ require (
github.com/mattn/go-isatty v0.0.19
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db
github.com/olekukonko/tablewriter v0.0.5
github.com/opencontainers/image-spec v1.0.2
github.com/opencontainers/image-spec v1.1.0-rc.3
github.com/oras-project/oras-credentials-go v0.2.0
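Review bot: both new pins in this `require` block are pre-release versions: `github.com/opencontainers/image-spec` is listed at a release candidate (v1.1.0-rc.3, next to the v1.0.2 line) and `github.com/oras-project/oras-credentials-go` comes in at v0.2.0, and the second one is the module that handles registry credentials. Add a comment or tracking issue next to these lines so they are revisited once stable tags exist, and check `go.sum` in the same change to confirm no other module was moved forward by the bump.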
Contributor Author

This dependency is going to be merged into oras-go oras-project/oras-credentials-go#80

Contributor

Ah!

Is there a timeline for the merge? It wasn't obvious to me from the discussion thread.

Contributor Author

Well, they are talking about waiting for v1.0.0-rc.1, currently at v0.2.0.

Contributor Author

I asked in their Slack about the timeline.

Contributor Author

It should not take too long:

> We need to wait for couple of weeks or a month to ensure that all APIs are indeed stable. The stability is currently being validated by oras CLI and notation CLI

Contributor

binaek commented Jun 26, 2023

Thank you for the PR @pdecat.

We have been meaning to get to this, (open issue), but were always held back with the conflicts in go dependency resolution.

Contributor Author

pdecat commented Jun 26, 2023

> We have been meaning to get to this, (open issue),

Did not see that issue, updated PR description to link to it.

> but were always held back with the conflicts in go dependency resolution.

I don't see any conflict nowadays, isn't it?

@pdecat pdecat force-pushed the oras-go-v2-with-auth branch 2 times, most recently from db001d0 to 4be5a04 Compare June 26, 2023 13:14
log.Println("[TRACE] ociDownloader.Pull:", "pulling...")

copyOpt := oras.DefaultCopyOptions
// TODO: use WithTargetPlatform to limit downloads
Contributor Author

Not sure if this is desired or not as there are checks later to ensure binaries for several platforms exist.

Contributor

If this limits the layers downloaded, then we should probably include it

Contributor Author

@pdecat pdecat Jun 26, 2023

It apparently requires more changes than I expected.

As a test, just adding this:

diff --git a/pkg/ociinstaller/ocidownloader.go b/pkg/ociinstaller/ocidownloader.go
index bb6f8815..cfb3318a 100644
--- a/pkg/ociinstaller/ocidownloader.go
+++ b/pkg/ociinstaller/ocidownloader.go
@@ -79,8 +79,10 @@ func (o *ociDownloader) Pull(ctx context.Context, ref string, mediaTypes []strin
        log.Println("[TRACE] ociDownloader.Pull:", "pulling...")

        copyOpt := oras.DefaultCopyOptions
-       // TODO: use WithTargetPlatform to limit downloads
-       // copyOpt.WithTargetPlatform()
+       copyOpt.WithTargetPlatform(&ocispec.Platform{
+               Architecture: "amd64",
+               OS:           "linux",
+       })
        manifestDescriptor, err := oras.Copy(ctx, repo, tag, fileStore, tag, copyOpt)
        if err != nil {
                log.Println("[ERROR] ociDownloader.Pull:", "failed to pull", ref, err)
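Review bot: the `WithTargetPlatform` call fixes the platform to `OS: "linux"` and `Architecture: "amd64"`, so on any other host the copy would be filtered for the wrong platform; derive the values from `runtime.GOOS` and `runtime.GOARCH`, or from whatever the caller already uses to choose the plugin binary. The two removed TODO lines were the only record that platform filtering is still an open question, so if this stays a test, keep a comment saying so.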

Results in:

steampipe plugin install csv:latest
2023-06-26 15:09:57.723 UTC [TRACE] steampipe: parse complete after 1 decode passes
2023-06-26 15:09:57.723 UTC [TRACE] steampipe: ensureInstallDir /home/patrick/.steampipe
2023-06-26 15:09:57.727 UTC [TRACE] steampipe: nothing to migrate in /home/patrick/.steampipe/internal/update-check.json
2023-06-26 15:09:57.728 UTC [TRACE] steampipe: No memory limit set

2023-06-26 15:09:57.728 UTC [TRACE] steampipe: ociDownloader.Download: downloading us-docker.pkg.dev/steampipe/plugins/turbot/csv:latest
2023-06-26 15:09:57.728 UTC [TRACE] steampipe: ociDownloader.Pull: preparing to pull ref us-docker.pkg.dev/steampipe/plugins/turbot/csv:latest tag latest destDir /home/patrick/.steampipe/plugins/tmp-0e41-4be8-9d66
2023-06-26 15:09:57.728 UTC [TRACE] steampipe: ociDownloader.Pull: pulling...
csv:latest                     [=========>----------------------------------------------------------] Downloading
2023-06-26 15:09:58.426 UTC [ERROR] steampipe: ociDownloader.Pull: failed to pull us-docker.pkg.dev/steampipe/plugins/turbot/csv:latest fail to recognize platform from unknown config applicati
csv:latest                     [====================================================================] Done

Skipped the following plugin:

Plugin:   csv@latest
Reason:   fail to recognize platform from unknown config application/vnd.turbot.steampipe.config.v1+json: expect application/vnd.oci.image.config.v1+json
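The failure in the log above comes down to the manifest's config media type: it is `application/vnd.turbot.steampipe.config.v1+json`, not the OCI image config type a platform would be read from. The Go program below is an added example, not code from this PR, Steampipe or oras-go; the manifest is constructed, the layer media types and the `layersFor` helper are hypothetical, and it shows that check next to filtering by layer media type as the other way to limit what is downloaded.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const ociImageConfig = "application/vnd.oci.image.config.v1+json"
type descriptor struct{ MediaType string }
type manifest struct {
	Config descriptor
	Layers []descriptor
}

// Constructed sample: config type from the log above, hypothetical layer types.
const sampleManifest = `{"config": {"mediaType": "application/vnd.turbot.steampipe.config.v1+json"},
 "layers": [{"mediaType": "application/vnd.example.plugin.linux-amd64.layer.v1+gzip"},
            {"mediaType": "application/vnd.example.plugin.darwin-arm64.layer.v1+gzip"}]}`

func parse(raw string) (manifest, error) {
	var m manifest
	err := json.Unmarshal([]byte(raw), &m)
	return m, err
}

// A platform can be read from the config blob only if it is an OCI image config.
func checkPlatformSelectable(m manifest) error {
	if m.Config.MediaType != ociImageConfig {
		return fmt.Errorf("fail to recognize platform from unknown config %s: expect %s", m.Config.MediaType, ociImageConfig)
	}
	return nil
}

// layersFor narrows the download by layer media type instead ("<os>-<arch>" token).
func layersFor(m manifest, goos, goarch string) []string {
	var keep []string
	for _, l := range m.Layers {
		if strings.Contains(l.MediaType, "."+goos+"-"+goarch+".") {
			keep = append(keep, l.MediaType)
		}
	}
	return keep
}

func main() {
	m, _ := parse(sampleManifest)
	fmt.Println(checkPlatformSelectable(m), layersFor(m, "linux", "amd64"))
}
```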


Contributor

@pdecat can you please remove this comment if it's not working/required?

}

// Fetch the config from the file store
configData, err := content.FetchAll(ctx, fileStore, manifest.Config)
@binaek binaek added this to the 0.22.0 milestone Jun 29, 2023
Contributor

@kaidaguerre kaidaguerre left a comment

Just one small tweak and I think we're good to merge it

cmd/plugin.go Outdated
@@ -409,7 +409,13 @@ func runPluginUpdateCmd(cmd *cobra.Command, args []string) {
ref := ociinstaller.NewSteampipeImageRef(p)
isExists, _ := plugin.Exists(p)
if isExists {
runUpdatesFor = append(runUpdatesFor, versionData.Plugins[ref.DisplayImageRef()])
if strings.HasPrefix(ref.DisplayImageRef(), "hub.steampipe.io/") {
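Review bot: the `strings.HasPrefix(ref.DisplayImageRef(), "hub.steampipe.io/")` test is a string-prefix match on a registry host, and the trailing `/` is what stops a host such as `hub.steampipe.io.example` from matching; when the literal moves into a constant, keep the slash in the constant (or compare the parsed host for equality) so every call site stays anchored. Separately, `isExists, _ := plugin.Exists(p)` three lines up drops the error, so a failed existence check is handled the same way as a plugin that is not installed.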
Contributor

can we put a const in for hub.steampipe.io/ in the consts package

Contributor Author

Done!

pluginNameAndStream := strings.Split(split[len(split)-1], "@")

return org, pluginNameAndStream[0], pluginNameAndStream[1]
if strings.HasPrefix(r.DisplayImageRef(), "hub.steampipe.io/") {
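Review bot: `pluginNameAndStream[1]` is read without checking that the split on `@` produced two elements, so a final path segment with no `@` would panic with an index out of range; if this parsing is kept on either side of the new `hub.steampipe.io/` branch, guard on `len(pluginNameAndStream)` and return an error or a default stream instead.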
Contributor

can we put a const in for hub.steampipe.io in the consts package

Contributor Author

Done!

Contributor

binaek commented Jul 12, 2023

@pdecat We have a couple of tests which verify that OCI installations are working as expected (correct binaries in the expected locations)

Can you rebase your branch with main? That should help verify the work you are doing!

@binaek binaek changed the title feat: upgrade to oras-go v2 and support OCI registries requiring authentication feat: upgrade to oras-go v2 and support OCI registries requiring authentication. Closes #2819 Jul 12, 2023
Contributor Author

pdecat commented Jul 12, 2023

Added the constant, and rebased on main.

Contributor Author

pdecat commented Jul 12, 2023

Looks like an acceptance test failed because of GitHub rate limiting:

Error: fatal: unable to access 'https://github.com/turbot/steampipe/': The requested URL returned error: 429

https://github.com/turbot/steampipe/actions/runs/5532253026/jobs/10094278301?pr=3620#step:2:57

Also, a check is failing on macOS:

/Users/runner/work/_temp/f5247854-5695-4fc1-8fcd-d6f01fc9338e.sh: line 1: [: -eq: unary operator expected

https://github.com/turbot/steampipe/actions/runs/5532253026/jobs/10094274375?pr=3620#step:15:16

Contributor Author

pdecat commented Jul 12, 2023

Tests related to this PR seem to pass on Linux:

ok 36 plugin list - output table
ok 37 plugin list - output json
ok 38 plugin list - output table (with a missing plugin)
ok 39 plugin list - output json (with a missing plugin)
ok 40 plugin list - output table (with a failed plugin)
ok 41 plugin list - output json (with a failed plugin)
ok 42 verify that installing plugins creates individual version.json files
ok 43 verify that backfilling of individual plugin version.json works
ok 44 verify that backfilling of individual plugin version.json works where it is only partially backfilled
ok 45 verify that global plugin/versions.json is composed from individual version.json files when it is absent
ok 46 verify that global plugin/versions.json is composed from individual version.json files when it is corrupt
ok 47 verify that composition of global plugin/versions.json works when an individual version.json file is corrupt
ok 48 verify that plugin installed from registry are marked as 'local' when the modtime of the binary is after the install time

https://github.com/turbot/steampipe/actions/runs/5532253026/jobs/10094278681?pr=3620

But not on macOS:

ok 36 plugin list - output table
ok 37 plugin list - output json
not ok 38 plugin list - output table (with a missing plugin) # timeout after 120s
# (in test file tests/acceptance/test_files/service_and_plugin.bats, line 496)
#   `steampipe plugin uninstall hackernews@0.6.0 --install-dir $tmpdir' failed due to timeout
#
#
# Installed plugin: bitbucket@0.3.1 v0.3.1
# Documentation:    https://hub.steampipe.io/plugins/turbot/bitbucket
#
# Installed plugin: hackernews@0.6.0 v0.6.0
# Documentation:    https://hub.steampipe.io/plugins/turbot/hackernews
#
# /Users/runner/work/steampipe/steampipe/tests/acceptance/test_files/service_and_plugin.bats: line 491: 10387 Terminated: 15          steampipe plugin uninstall hackernews@0.6.0 --install-dir $tmpdir
not ok 39 plugin list - output json (with a missing plugin)
# (in test file tests/acceptance/test_files/service_and_plugin.bats, line 507)
#   `steampipe plugin uninstall hackernews@0.6.0 --install-dir $tmpdir' failed with status 12
#
#
# Installed plugin: bitbucket@0.3.1 v0.3.1
# Documentation:    https://hub.steampipe.io/plugins/turbot/bitbucket
#
# Installed plugin: hackernews@0.6.0 v0.6.0
# Documentation:    https://hub.steampipe.io/plugins/turbot/hackernews
#
# Error: cannot listen on listenAddresses [localhost] and port 9193
not ok 40 plugin list - output table (with a failed plugin)
# (from function `assert_equal' in file tests/acceptance/lib/bats-assert/src/assert_equal.bash, line 40,
#  in test file tests/acceptance/test_files/service_and_plugin.bats, line 525)
#   `assert_equal "$output" "$(cat $TEST_DATA_DIR/expected_plugin_list_table_with_failed_plugins.txt)"' failed
#
#
# Installed plugin: bitbucket@0.3.1 v0.3.1
# Documentation:    https://hub.steampipe.io/plugins/turbot/bitbucket
#
# Installed plugin: hackernews@0.6.0 v0.6.0
# Documentation:    https://hub.steampipe.io/plugins/turbot/hackernews
#
# Error: plugin listing failed - cannot listen on listenAddresses [localhost] and port 9193
#
# -- values do not equal --
#     ],
#     "warnings": null
#   }
# actual (1 lines):
#   Error: plugin listing failed - cannot listen on listenAddresses [localhost] and port 9193
# --
#
ok 42 verify that installing plugins creates individual version.json files
ok 43 verify that backfilling of individual plugin version.json works
ok 44 verify that backfilling of individual plugin version.json works where it is only partially backfilled
ok 45 verify that global plugin/versions.json is composed from individual version.json files when it is absent
ok 46 verify that global plugin/versions.json is composed from individual version.json files when it is corrupt
ok 47 verify that composition of global plugin/versions.json works when an individual version.json file is corrupt
not ok 48 verify that plugin installed from registry are marked as 'local' when the modtime of the binary is after the install time
# (from function `assert_equal' in file tests/acceptance/lib/bats-assert/src/assert_equal.bash, line 40,
#  in test file tests/acceptance/test_files/service_and_plugin.bats, line 689)
#   `assert_equal "$version" '"local"'' failed
# Error: plugin listing failed - cannot listen on listenAddresses [localhost] and port 9193
#
# -- values do not equal --
# expected : "local"
# actual   :
# --
#

https://github.com/turbot/steampipe/actions/runs/5532253026/jobs/10094274027?pr=3620

Contributor

@binaek binaek left a comment

@pdecat requested a couple of (very) small changes. Thank you!

log.Println("[TRACE] ociDownloader.Pull:", "pulling...")

copyOpt := oras.DefaultCopyOptions
// TODO: use WithTargetPlatform to limit downloads
Contributor

@pdecat can you please remove this comment if it's not working/required?

if err != nil {
return &desc, nil, nil, layers, err
log.Println("[ERROR] ociDownloader.Pull:", "failed to pull", ref, err)
Contributor

Make this a TRACE level log. Raw log messages should not end up in the console if we can avoid it.

Contributor Author

Done!

// Fetch the config from the file store
configData, err := content.FetchAll(ctx, fileStore, manifest.Config)
if err != nil {
log.Println("[ERROR] ociDownloader.Pull:", "failed to fetch config", manifest.Config.MediaType, err)
Contributor

TRACE

Contributor Author

Done!

@kaidaguerre kaidaguerre merged commit 3c5e98d into turbot:main Jul 14, 2023
@pdecat pdecat deleted the oras-go-v2-with-auth branch July 14, 2023 09:27
Successfully merging this pull request may close these issues.

Update oras to oras.land/oras-go