✨ unpacker: switch from google/go-containerregistry to containers/image

.goreleaser.yml

@@ -9,6 +9,8 @@ builds:
     asmflags: "{{ .Env.GO_BUILD_ASMFLAGS }}"
     gcflags: "{{ .Env.GO_BUILD_GCFLAGS }}"
     ldflags: "{{ .Env.GO_BUILD_LDFLAGS }}"
+    tags:
+    - "{{ .Env.GO_BUILD_TAGS }}"
     mod_timestamp: "{{ .CommitTimestamp }}"
     goos:
     - linux

Makefile

@@ -23,6 +23,9 @@ ifeq ($(shell [[ $$HOME == "" || $$HOME == "/" ]] && [[ $$XDG_DATA_HOME == "" ]]
 	SETUP_ENVTEST_BIN_DIR_OVERRIDE += --bin-dir /tmp/envtest-binaries
 endif
 
+# For standard development and release flows, we use the config/overlays/cert-manager overlay.
+KUSTOMIZE_OVERLAY := config/overlays/cert-manager
+
 # bingo manages consistent tooling versions for things like kind, kustomize, etc.
 include .bingo/Variables.mk
 
@@ -75,7 +78,7 @@ fmt: ## Run go fmt against code.
 
 .PHONY: vet
 vet: ## Run go vet against code.
-	go vet ./...
+	go vet -tags '$(GO_BUILD_TAGS)' ./...
 
 .PHONY: bingo-upgrade
 bingo-upgrade: $(BINGO) #EXHELP Upgrade tools
@@ -85,8 +88,13 @@ bingo-upgrade: $(BINGO) #EXHELP Upgrade tools
 	done
 
 .PHONY: test-unit
+UNIT_TEST_DIRS := $(shell go list ./... | grep -v /test/e2e | grep -v /test/upgrade)
 test-unit: generate fmt vet $(SETUP_ENVTEST) ## Run tests.
-	eval $$($(SETUP_ENVTEST) use -p env $(ENVTEST_SERVER_VERSION) $(SETUP_ENVTEST_BIN_DIR_OVERRIDE)) && go test $(shell go list ./... | grep -v /test/e2e | grep -v /test/upgrade) -coverprofile cover.out
+	eval $$($(SETUP_ENVTEST) use -p env $(ENVTEST_SERVER_VERSION) $(SETUP_ENVTEST_BIN_DIR_OVERRIDE)) && \
+        go test \
+          -tags '$(GO_BUILD_TAGS)' \
+          -coverprofile cover.out \
+          $(UNIT_TEST_DIRS)
 
 FOCUS := $(if $(TEST),-v -focus "$(TEST)")
 ifeq ($(origin E2E_FLAGS), undefined)
@@ -95,11 +103,14 @@ endif
 test-e2e: $(GINKGO) ## Run the e2e tests
 	$(GINKGO) $(E2E_FLAGS) -trace -vv $(FOCUS) test/e2e
 
-e2e: KIND_CLUSTER_NAME=catalogd-e2e
+e2e: KIND_CLUSTER_NAME := catalogd-e2e
+e2e: ISSUER_KIND := Issuer
+e2e: ISSUER_NAME := selfsigned-issuer
+e2e: KUSTOMIZE_OVERLAY := config/overlays/e2e
 e2e: run image-registry test-e2e kind-cluster-cleanup ## Run e2e test suite on local kind cluster
 
 image-registry: ## Setup in-cluster image registry
-	./test/tools/imageregistry/registry.sh
+	./test/tools/imageregistry/registry.sh $(ISSUER_KIND) $(ISSUER_NAME)
 
 .PHONY: tidy
 tidy: ## Update dependencies
@@ -111,13 +122,15 @@ verify: tidy fmt vet generate ## Verify the current code generation and lint
 
 .PHONY: lint
 lint: $(GOLANGCI_LINT) ## Run golangci linter.
-	$(GOLANGCI_LINT) run $(GOLANGCI_LINT_ARGS)
+	$(GOLANGCI_LINT) run --build-tags $(GO_BUILD_TAGS) $(GOLANGCI_LINT_ARGS)
 
 ## image-registry target has to come after run-latest-release,
 ## because the image-registry depends on the olm-ca issuer.
 .PHONY: test-upgrade-e2e
 test-upgrade-e2e: export TEST_CLUSTER_CATALOG_NAME := test-catalog
 test-upgrade-e2e: export TEST_CLUSTER_CATALOG_IMAGE := docker-registry.catalogd-e2e.svc:5000/test-catalog:e2e
+test-upgrade-e2e: ISSUER_KIND=ClusterIssuer
+test-upgrade-e2e: ISSUER_NAME=olmv1-ca
 test-upgrade-e2e: kind-cluster cert-manager build-container kind-load run-latest-release image-registry pre-upgrade-setup only-deploy-manifest wait post-upgrade-checks kind-cluster-cleanup ## Run upgrade e2e tests on a local kind cluster
 
 pre-upgrade-setup:
@@ -157,8 +170,9 @@ export GO_BUILD_LDFLAGS  := -s -w \
     -X "$(VERSION_PKG).gitTreeState=$(GIT_TREE_STATE)" \
     -X "$(VERSION_PKG).commitDate=$(GIT_COMMIT_DATE)"
 export GO_BUILD_GCFLAGS  := all=-trimpath=${PWD}
+export GO_BUILD_TAGS     := containers_image_openpgp
 
-BUILDCMD = go build -ldflags '$(GO_BUILD_LDFLAGS)' -gcflags '$(GO_BUILD_GCFLAGS)' -asmflags '$(GO_BUILD_ASMFLAGS)' -o $(BUILDBIN)/$(notdir $@) ./cmd/$(notdir $@)
+BUILDCMD = go build -tags '$(GO_BUILD_TAGS)' -ldflags '$(GO_BUILD_LDFLAGS)' -gcflags '$(GO_BUILD_GCFLAGS)' -asmflags '$(GO_BUILD_ASMFLAGS)' -o $(BUILDBIN)/$(notdir $@) ./cmd/$(notdir $@)
 
 .PHONY: build-deps
 build-deps: generate fmt vet
@@ -209,13 +223,13 @@ deploy: export MANIFEST="./catalogd.yaml"
 deploy: export DEFAULT_CATALOGS="./config/base/default/clustercatalogs/default-catalogs.yaml"
 deploy: $(KUSTOMIZE) ## Deploy Catalogd to the K8s cluster specified in ~/.kube/config with cert-manager and default clustercatalogs
 	cd config/base/manager && $(KUSTOMIZE) edit set image controller=$(IMAGE) && cd ../../..
-	$(KUSTOMIZE) build config/overlays/cert-manager | sed "s/cert-git-version/cert-$(GIT_VERSION)/g" > catalogd.yaml
+	$(KUSTOMIZE) build $(KUSTOMIZE_OVERLAY) | sed "s/cert-git-version/cert-$(GIT_VERSION)/g" > catalogd.yaml
 	envsubst '$$CERT_MGR_VERSION,$$MANIFEST,$$DEFAULT_CATALOGS' < scripts/install.tpl.sh | bash -s
 
 .PHONY: only-deploy-manifest
 only-deploy-manifest: $(KUSTOMIZE) ## Deploy just the Catalogd manifest--used in e2e testing where cert-manager is installed in a separate step
 	cd config/base/manager && $(KUSTOMIZE) edit set image controller=$(IMAGE)
-	$(KUSTOMIZE) build config/overlays/cert-manager | kubectl apply -f -
+	$(KUSTOMIZE) build $(KUSTOMIZE_OVERLAY) | kubectl apply -f -
 
 wait:
 	kubectl wait --for=condition=Available --namespace=$(CATALOGD_NAMESPACE) deployment/catalogd-controller-manager --timeout=60s
@@ -244,7 +258,7 @@ release: $(GORELEASER) ## Runs goreleaser for catalogd. By default, this will ru
 quickstart: export MANIFEST := https://github.com/operator-framework/catalogd/releases/download/$(VERSION)/catalogd.yaml
 quickstart: export DEFAULT_CATALOGS := https://github.com/operator-framework/catalogd/releases/download/$(VERSION)/default-catalogs.yaml
 quickstart: $(KUSTOMIZE) generate ## Generate the installation release manifests and scripts
-	$(KUSTOMIZE) build config/overlays/cert-manager | sed "s/:devel/:$(GIT_VERSION)/g" | sed "s/cert-git-version/cert-$(GIT_VERSION)/g" > catalogd.yaml
+	$(KUSTOMIZE) build $(KUSTOMIZE_OVERLAY) | sed "s/:devel/:$(GIT_VERSION)/g" | sed "s/cert-git-version/cert-$(GIT_VERSION)/g" > catalogd.yaml
 	envsubst '$$CERT_MGR_VERSION,$$MANIFEST,$$DEFAULT_CATALOGS' < scripts/install.tpl.sh > install.sh
 
 .PHONY: demo-update

Tiltfile

@@ -12,4 +12,4 @@ repo = {
     'starting_debug_port': 20000,
 }
 
-deploy_repo('catalogd', repo)
+deploy_repo('catalogd', repo, '-tags containers_image_openpgp')

cmd/manager/main.go

@@ -26,6 +26,7 @@ import (
 	"path/filepath"
 	"time"
 
+	"github.com/containers/image/v5/types"
 	"github.com/spf13/pflag"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -44,7 +45,6 @@ import (
 	corecontrollers "github.com/operator-framework/catalogd/internal/controllers/core"
 	"github.com/operator-framework/catalogd/internal/features"
 	"github.com/operator-framework/catalogd/internal/garbagecollection"
-	"github.com/operator-framework/catalogd/internal/httputil"
 	catalogdmetrics "github.com/operator-framework/catalogd/internal/metrics"
 	"github.com/operator-framework/catalogd/internal/serverutil"
 	"github.com/operator-framework/catalogd/internal/source"
@@ -99,7 +99,7 @@ func main() {
 	flag.StringVar(&certFile, "tls-cert", "", "The certificate file used for serving catalog contents over HTTPS. Requires tls-key.")
 	flag.StringVar(&keyFile, "tls-key", "", "The key file used for serving catalog contents over HTTPS. Requires tls-cert.")
 	flag.IntVar(&webhookPort, "webhook-server-port", 9443, "The port that the mutating webhook server serves at.")
-	flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of TLS certificate to use for verifying HTTPS connections to the Catalogd and docker-registry web servers.")
+	flag.StringVar(&caCertDir, "ca-certs-dir", "", "The directory of CA certificate to use for verifying HTTPS connections to image registries.")
 	opts := zap.Options{
 		Development: true,
 	}
@@ -178,16 +178,17 @@ func main() {
 		os.Exit(1)
 	}
 
-	certPool, err := httputil.NewCertPool(caCertDir, ctrl.Log.WithName("cert-pool"))
-	if err != nil {
-		setupLog.Error(err, "unable to create CA certificate pool")
+	unpackCacheBasePath := filepath.Join(cacheDir, source.UnpackCacheDir)
+	if err := os.MkdirAll(unpackCacheBasePath, 0770); err != nil {
+		setupLog.Error(err, "unable to create cache directory for unpacking")
 		os.Exit(1)
 	}
-
-	unpacker, err := source.NewDefaultUnpacker(systemNamespace, cacheDir, certPool)
-	if err != nil {
-		setupLog.Error(err, "unable to create unpacker")
-		os.Exit(1)
+	unpacker := &source.ContainersImageRegistry{
+		BaseCachePath: unpackCacheBasePath,
+		SourceContext: &types.SystemContext{
+			OCICertPath:    caCertDir,
+			DockerCertPath: caCertDir,
+		},
 	}
 
 	var localStorage storage.Instance
@@ -248,7 +249,7 @@ func main() {
 
 	ctx := ctrl.SetupSignalHandler()
 	gc := &garbagecollection.GarbageCollector{
-		CachePath:      filepath.Join(cacheDir, source.UnpackCacheDir),
+		CachePath:      unpackCacheBasePath,
 		Logger:         ctrl.Log.WithName("garbage-collector"),
 		MetadataClient: metaClient,
 		Interval:       gcInterval,

config/base/rbac/role.yaml

@@ -4,26 +4,6 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods/log
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - olm.operatorframework.io
   resources:
@@ -50,16 +30,3 @@ rules:
   - get
   - patch
   - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: manager-role
-  namespace: system
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get

config/base/rbac/role_binding.yaml

@@ -13,20 +13,3 @@ subjects:
 - kind: ServiceAccount
   name: controller-manager
   namespace: system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/name: catalogd
-    app.kubernetes.io/part-of: olm
-  name: manager-rolebinding
-  namespace: system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: manager-role
-subjects:
-- kind: ServiceAccount
-  name: controller-manager
-  namespace: system

config/components/ca/kustomization.yaml

@@ -3,3 +3,8 @@ kind: Component
 # No namespace is specified here, otherwise, it will overwrite _all_ the other namespaces!
 resources:
 - resources/issuers.yaml
+patches:
+- target:
+    kind: Deployment
+    name: controller-manager
+  path: patches/manager_deployment_cacerts.yaml

config/components/ca/patches/manager_deployment_cacerts.yaml

@@ -0,0 +1,9 @@
+- op: add
+  path: /spec/template/spec/volumes/-
+  value: {"name":"olmv1-certificate", "secret":{"secretName":"catalogd-catalogserver-cert-git-version", "optional": false, "items": [{"key": "ca.crt", "path": "olm-ca.crt"}]}}
+- op: add
+  path: /spec/template/spec/containers/1/volumeMounts/-
+  value: {"name":"olmv1-certificate", "readOnly": true, "mountPath":"/var/ca-certs/"}
+- op: add
+  path: /spec/template/spec/containers/1/args/-
+  value: "--ca-certs-dir=/var/ca-certs"

config/components/registries-conf/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+namespace: olmv1-system
+resources:
+- registries_conf_configmap.yaml
+patches:
+- path: manager_e2e_registries_conf_patch.yaml

config/components/registries-conf/manager_e2e_registries_conf_patch.yaml

@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kube-rbac-proxy
+      - name: manager
+        volumeMounts:
+        - name: e2e-registries-conf
+          mountPath: /etc/containers
+      volumes:
+      - name: e2e-registries-conf
+        configMap:
+          name: e2e-registries-conf

config/components/registries-conf/registries_conf_configmap.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: e2e-registries-conf
+  namespace: system
+data:
+  registries.conf: |
+    [[registry]]
+    prefix = "docker-registry.catalogd-e2e.svc:5000"
+    insecure = true
+    location = "docker-registry.catalogd-e2e.svc:5000"

config/components/tls/patches/manager_deployment_certs.yaml

@@ -10,6 +10,3 @@
 - op: add
   path: /spec/template/spec/containers/1/args/-
   value: "--tls-key=/var/certs/tls.key"
-- op: add
-  path: /spec/template/spec/containers/1/args/-
-  value: "--ca-certs-dir=/var/certs"

config/overlays/e2e/kustomization.yaml

@@ -0,0 +1,12 @@
+# kustomization file for all the e2e's
+# DO NOT ADD A NAMESPACE HERE
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base/crd
+  - ../../base/rbac
+  - ../../base/manager
+components:
+  - ../../components/tls
+  - ../../components/registries-conf
+  - ../../components/ca