Implement Single Layer OCI Artifacts (#98)

Fixes #75

---------

Co-authored-by: Jakob Möller <[email protected]>
Co-authored-by: ikhandamirov <[email protected]>
Co-authored-by: Ilya Khandamirov <[email protected]>

Author: 3 people

.github/workflows/tests.yaml

@@ -16,7 +16,7 @@ permissions:
 
 jobs:
   tests:
-    runs-on: ubuntu-latest
+    runs-on: large_runner
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -105,81 +105,24 @@ jobs:
           kubectl wait pod -l app=protected-registry1 --for condition=Ready --timeout 5m
           kubectl wait pod -l app=protected-registry2 --for condition=Ready --timeout 5m
 
-      - name: Install external CRDs
-        run: kubectl apply --server-side -k https://github.com/openfluxcd/artifact//config/crd?ref=v0.1.1
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@73fff7404f76953c0a224d12ca0dd276b8d9be63
 
-      - name: Checkout helm-controller
-        uses: actions/checkout@v4
-        with:
-          repository: openfluxcd/helm-controller
-          path: helm-controller
-
-      # TODO: Create helm-controller image in public repository to omit rebuilds
-      - name: Install helm-controller
-        env:
-          IMG: localhost:31000/helm-controller:latest
-        run: |
-          make -C helm-controller docker-build
-          make -C helm-controller docker-push
-          make -C helm-controller install
-          make -C helm-controller deploy
-          kubectl wait deployment.apps/helm-controller --for condition=Available --namespace helm-system --timeout 5m
-          kubectl logs --tail -1 -l app=helm-controller -n helm-system -f --ignore-errors &> helm-controller.log &
-
-      - name: Checkout kustomize-controller
-        uses: actions/checkout@v4
-        with:
-          repository: openfluxcd/kustomize-controller
-          path: kustomize-controller
+      - name: Install Flux in Kind
+        run: flux install
 
-      # TODO: Create kustomize-controller image in public repository to omit rebuilds
-      - name: Install kustomize-controller
-        env:
-          IMG: localhost:31000/kustomize-controller:latest
-        run: |
-          make -C kustomize-controller docker-build
-          make -C kustomize-controller docker-push
-          make -C kustomize-controller install
-          make -C kustomize-controller deploy
-          kubectl wait deployment.apps/kustomize-controller --for condition=Available --namespace kustomize-system --timeout 5m
-          kubectl logs --tail -1 -l app=kustomize-controller -n kustomize-system -f --ignore-errors &> kustomize-controller.log &
-
-      # TODO: Replace once the release with the 'skipDigestGeneration' field in the component constructor is available
-      # uses: open-component-model/ocm-setup-action@main
-      # with:
-      #   version: v0.19.0-rc.1
-      - name: Set up cache for ocm (temporarily)
-        uses: actions/cache@v4
-        with:
-          path: |
-            ocm/bin
-          key: ${{ env.cache_name }}-${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ hashFiles('**/go.mod') }}
-          restore-keys: |
-            ${{ env.cache_name }}-${{ runner.os }}-go-
-        env:
-          cache_name: dummy-cache
-      - name: Checkout OCM (temporarily)
-        uses: actions/checkout@v4
-        with:
-          repository: open-component-model/ocm
-          path: ocm
-      - name: Build OCM (temporarily)
-        run: |
-          make -C ocm bin/ocm
-          echo "${{ github.workspace }}/ocm/bin" >> "$GITHUB_PATH"
+      - name: Setup ocm
+        uses: open-component-model/ocm-setup-action@9bb4321df9c9eb033b54ef3563101b299a754336
 
       - name: Run e2e test
         env:
           RESOURCE_TIMEOUT: 5m
-          HELM_CHART: ghcr.io/stefanprodan/charts/podinfo:6.7.1
           IMAGE_REFERENCE: ghcr.io/stefanprodan/podinfo:6.7.1
           CONTROLLER_LOG_PATH: ./ocm-k8s-toolkit-controller.log
-          IMAGE_REGISTRY_URL: http://localhost:31000
-          INTERNAL_IMAGE_REGISTRY_URL: http://registry-internal.default.svc.cluster.local:5000
-          PROTECTED_REGISTRY_URL: http://localhost:31001
-          INTERNAL_PROTECTED_REGISTRY_URL: http://protected-registry1-internal.default.svc.cluster.local:5001
-          PROTECTED_REGISTRY_URL2: http://localhost:31002
-          INTERNAL_PROTECTED_REGISTRY_URL2: http://protected-registry2-internal.default.svc.cluster.local:5002
+          PROTECTED_REGISTRY_URL: http://localhost:31002
+          INTERNAL_PROTECTED_REGISTRY_URL: http://protected-registry1-internal.default.svc.cluster.local:5002
+          PROTECTED_REGISTRY_URL2: http://localhost:31003
+          INTERNAL_PROTECTED_REGISTRY_URL2: http://protected-registry2-internal.default.svc.cluster.local:5003
         run: make test-e2e
 
       - name: Publish logs on failure
@@ -188,7 +131,7 @@ jobs:
         with:
           name: controller-logs
           # Currently, it is planned that the integration tests runs on every commit on a PR. Therefore, we could
-          # produce a lot of logs. To note clutter the storage, the retention-days are reduced to 1.
+          # produce a lot of logs. To not clutter the storage, the retention-days are reduced to 1.
           retention-days: 1
           path: |
             helm-controller.log

Makefile

@@ -10,6 +10,10 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
+OS ?= $(shell go env GOOS)
+ARCH ?= $(shell go env GOARCH)
+
+
 # CONTAINER_TOOL defines the container tool to be used for building images.
 # Be aware that the target commands are only tested with Docker which is
 # scaffolded by default. However, you might want to replace it to use other
@@ -64,7 +68,7 @@ vet: ## Run go vet against code.
 	go vet ./...
 
 .PHONY: test
-test: manifests generate envtest ## Run tests.
+test: manifests generate envtest zot-registry ## Run tests.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test $$(go list ./... | grep -v /e2e) -coverprofile cover.out
 
 # Utilize Kind or modify the e2e tests to load the image locally, enabling compatibility with other vendors.
@@ -152,7 +156,7 @@ deploy: deploy-cert-manager manifests kustomize ## Deploy controller to the K8s
 	$(call set-images)
 	$(KUSTOMIZE) build config/default-zot-https | $(KUBECTL) apply -f -
 
-# Undeploy target undeploys the controller, its zot regostry and related certificates. 
+# Undeploy target undeploys the controller, its zot registry and related certificates.
 # However, it does not undeploy the cert-manager, which might still be needed by other applications in the cluster.
 # If you wish to undeploy cert manager as well, execute 'make undeploy-cert-manager' in addition.
 .PHONY: undeploy
@@ -171,6 +175,7 @@ KUBECTL ?= kubectl
 KUSTOMIZE ?= $(LOCALBIN)/kustomize-$(KUSTOMIZE_VERSION)
 CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen-$(CONTROLLER_TOOLS_VERSION)
 ENVTEST ?= $(LOCALBIN)/setup-envtest-$(ENVTEST_VERSION)
+ZOT_BINARY ?= $(LOCALBIN)/zot-registry
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.4.1
@@ -211,6 +216,14 @@ deploy-cert-manager: ## Deploy cert-manager to the K8s cluster specified in ~/.k
 undeploy-cert-manager: ## Undeploy cert-manager from the K8s cluster specified in ~/.kube/config.
 	$(KUBECTL) delete --ignore-not-found=$(IGNORE_NOT_FOUND) -f $(CERT-MANAGER_YAML)
 
+.PHONY: zot-registry
+zot-registry: $(LOCALBIN) ## Download zot registry binary locally if necessary.
+ifeq (, $(shell which $(ZOT_BINARY)))
+	wget "https://github.com/project-zot/zot/releases/download/$(ZOT_VERSION)/zot-$(OS)-$(ARCH)-minimal" \
+		-O $(ZOT_BINARY) \
+		&& chmod u+x $(ZOT_BINARY)
+endif
+
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary (ideally with version)
 # $2 - package url which can be installed

PROJECT

@@ -71,4 +71,4 @@ resources:
   kind: Replication
   path: github.com/open-component-model/ocm-k8s-toolkit/api/v1alpha1
   version: v1alpha1
-version: "3"
+version: "3"

api/v1alpha1/common_types.go

@@ -113,3 +113,32 @@ type ResourceInfo struct {
 	// +required
 	Digest string `json:"digest,omitempty"`
 }
+
+type BlobInfo struct {
+	// Digest is the digest of the blob.
+	Digest string `json:"digest"`
+
+	// Tag/Version of the blob.
+	// Corresponds to the tag the blob is available in the OCI registry.
+	Tag string `json:"tag"`
+
+	// Size is the number of bytes of the blob.
+	// Can be used to determine how to file should be handled when downloaded (memory/disk).
+	Size int64 `json:"size"`
+}
+
+// OCIArtifactInfo contains information on how to locate an OCI Artifact.
+type OCIArtifactInfo struct {
+	// OCI repository name
+	// +required
+	Repository string `json:"repository"`
+
+	// Manifest digest
+	// Used to fetch single layer OCI artifact and remove manifests
+	// +required
+	Digest string `json:"digest"`
+
+	// Blob
+	// +required
+	Blob BlobInfo `json:"blob"`
+}

api/v1alpha1/component_types.go

@@ -20,7 +20,6 @@ import (
 	"fmt"
 	"time"
 
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -100,12 +99,6 @@ type ComponentStatus struct {
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
 
-	// ArtifactRef references the generated artifact containing a list of
-	// component descriptors. This list can be used by other controllers to
-	// avoid re-downloading (and potentially also re-verifying) the components.
-	// +optional
-	ArtifactRef corev1.LocalObjectReference `json:"artifactRef,omitempty"`
-
 	// Component specifies the concrete version of the component that was
 	// fetched after based on the semver constraints during the last successful
 	// reconciliation.
@@ -117,6 +110,12 @@ type ComponentStatus struct {
 	// in the order the configuration data was applied.
 	// +optional
 	EffectiveOCMConfig []OCMConfiguration `json:"effectiveOCMConfig,omitempty"`
+
+	// OCIArtifact references the generated OCI artifact containing a list of
+	// component descriptors. This list can be used by other controllers to
+	// avoid re-downloading (and potentially also re-verifying) the components.
+	// +optional
+	OCIArtifact *OCIArtifactInfo `json:"ociArtifact,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -180,6 +179,28 @@ func (in *Component) GetVerifications() []Verification {
 	return in.Spec.Verify
 }
 
+func (in *Component) GetOCIArtifact() *OCIArtifactInfo {
+	return in.Status.OCIArtifact
+}
+
+// GetOCIRepository returns the name of the OCI repository of the OCI artifact in which the component
+// descriptors are stored.
+func (in *Component) GetOCIRepository() string {
+	return in.Status.OCIArtifact.Repository
+}
+
+// GetManifestDigest returns the manifest digest of the OCI artifact, in which the component descriptors
+// are stored.
+func (in *Component) GetManifestDigest() string {
+	return in.Status.OCIArtifact.Digest
+}
+
+// GetBlobDigest returns the blob digest of the OCI artifact, in which the component descriptors
+// are stored.
+func (in *Component) GetBlobDigest() string {
+	return in.Status.OCIArtifact.Blob.Digest
+}
+
 // +kubebuilder:object:root=true
 
 // ComponentList contains a list of Component.

api/v1alpha1/condition_types.go

@@ -17,22 +17,16 @@ limitations under the License.
 package v1alpha1
 
 const (
-	// SecretFetchFailedReason is used when the controller failed to fetch its secrets.
-	SecretFetchFailedReason = "SecretFetchFailed"
-
 	// ConfigFetchFailedReason is used when the controller failed to fetch its configs.
 	ConfigFetchFailedReason = "ConfigFetchFailed"
 
-	// VerificationsInvalidReason is used when the controller failed to gather the verification information.
-	VerificationsInvalidReason = "VerificationsInvalid"
-
 	// ConfigureContextFailedReason is used when the controller failed to create an authenticated context.
 	ConfigureContextFailedReason = "ConfigureContextFailed"
 
 	// CheckVersionFailedReason is used when the controller failed to check for new versions.
 	CheckVersionFailedReason = "CheckVersionFailed"
 
-	// RepositorySpecInvalidReason is used when the referenced repository spec cannot be unmarshaled and therefore is
+	// RepositorySpecInvalidReason is used when the referenced repository spec cannot be unmarshalled and therefore is
 	// invalid.
 	RepositorySpecInvalidReason = "RepositorySpecInvalid"
 
@@ -42,7 +36,7 @@ const (
 	// ComponentIsNotReadyReason is used when the referenced component is not Ready yet.
 	ComponentIsNotReadyReason = "ComponentIsNotReady"
 
-	// ComponentIsNotReadyReason is used when the referenced component is not Ready yet.
+	// ReplicationFailedReason is used when the referenced component is not Ready yet.
 	ReplicationFailedReason = "ReplicationFailed"
 
 	// VerificationFailedReason is used when the signature verification of a component failed.
@@ -57,23 +51,50 @@ const (
 	// GetComponentVersionFailedReason is used when the component cannot be fetched.
 	GetComponentVersionFailedReason = "GetComponentVersionFailed"
 
-	// StorageReconcileFailedReason is used when there was a problem reconciling the artifact storage.
-	StorageReconcileFailedReason = "StorageReconcileFailed"
+	// MarshalFailedReason is used when we fail to marshal a struct.
+	MarshalFailedReason = "MarshalFailed"
+
+	// YamlToJSONDecodeFailedReason is used when we fail to decode yaml to json.
+	YamlToJSONDecodeFailedReason = "YamlToJsonDecodeFailed"
+
+	// CreateOCIRepositoryNameFailedReason is used when we fail to create an OCI repository name.
+	CreateOCIRepositoryNameFailedReason = "CreateOCIRepositoryNameFailed"
+
+	// CreateOCIRepositoryFailedReason is used when we fail to create an OCI repository.
+	CreateOCIRepositoryFailedReason = "CreateOCIRepositoryFailed"
+
+	// PushOCIArtifactFailedReason is used when we fail to push an OCI artifact.
+	PushOCIArtifactFailedReason = "PushOCIArtifactFailed"
 
-	// ReconcileArtifactFailedReason is used when we fail in creating an Artifact.
-	ReconcileArtifactFailedReason = "ReconcileArtifactFailed"
+	// FetchOCIArtifactFailedReason is used when we fail to fetch an OCI artifact.
+	FetchOCIArtifactFailedReason = "FetchOCIArtifactFailed"
 
-	// GetArtifactFailedReason is used when we fail in getting an Artifact.
-	GetArtifactFailedReason = "GetArtifactFailed"
+	// CopyOCIArtifactFailedReason is used when we fail to copy an OCI artifact.
+	CopyOCIArtifactFailedReason = "CopyOCIArtifactFailed"
+
+	// DeleteArtifactFailedReason is used when we fail to copy an OCI artifact.
+	DeleteOCIArtifactFailedReason = "DeleteOCIArtifactFailed"
+
+	// OCIRepositoryExistsFailedReason is used when we fail to check the existence of an OCI repository.
+	OCIRepositoryExistsFailedReason = "OCIRepositoryExistsFailed"
 
 	// ResolveResourceFailedReason is used when we fail in resolving a resource.
 	ResolveResourceFailedReason = "ResolveResourceFailed"
 
 	// GetResourceAccessFailedReason is used when we fail in getting a resource access(es).
 	GetResourceAccessFailedReason = "GetResourceAccessFailed"
 
-	// GetComponentForArtifactFailedReason is used when we fail in getting a component for an artifact.
-	GetComponentForArtifactFailedReason = "GetComponentForArtifactFailed"
+	// GetBlobAccessFailedReason is used when we fail to get a blob access.
+	GetBlobAccessFailedReason = "GetBlobAccessFailed"
+
+	// VerifyResourceFailedReason is used when we fail to verify a resource.
+	VerifyResourceFailedReason = "VerifyResourceFailed"
+
+	// GetResourceFailedReason is used when we fail to get the resource.
+	GetResourceFailedReason = "GetResourceFailed"
+
+	// CompressGzipFailedReason is used when we fail to compress to gzip.
+	CompressGzipFailedReason = "CompressGzipFailed"
 
 	// StatusSetFailedReason is used when we fail to set the component status.
 	StatusSetFailedReason = "StatusSetFailed"
@@ -84,14 +105,17 @@ const (
 	// ConfigurationFailedReason is used when a resource was not able to be configured.
 	ConfigurationFailedReason = "ConfigurationFailed"
 
-	// LocalizationRuleGenerationFailedReason is used when the controller failed to localize an artifact.
+	// CreateTGZFailedReason is used when a TGZ creation failed.
+	CreateTGZFailedReason = "CreateTGZFailed"
+
+	// LocalizationRuleGenerationFailedReason is used when the controller failed to localize an OCI artifact.
 	LocalizationRuleGenerationFailedReason = "LocalizationRuleGenerationFailed"
 
 	// LocalizationIsNotReadyReason is used when a controller is waiting to get the localization result.
 	LocalizationIsNotReadyReason = "LocalizationIsNotReady"
 
-	// UniqueIDGenerationFailedReason is used when the controller failed to generate a unique identifier for a pending artifact.
-	// This can happen if the artifact is based on multiple other sources but these sources could not be used
+	// UniqueIDGenerationFailedReason is used when the controller failed to generate a unique identifier for a pending OCI artifact.
+	// This can happen if the OCI artifact is based on multiple other sources but these sources could not be used
 	// to determine a unique identifier.
 	UniqueIDGenerationFailedReason = "UniqueIDGenerationFailed"