(feature): add direct image registry client Unpacker implementation

[everettraven]

Description

• Replaces the pod based Unpacker implementations with one that communicates directly with an image registry
• Adds unit tests for the image registry Unpacker implementation
• Updates e2e tests to push test images to an image registry running on the e2e cluster
• Adds permissions to get Secrets in the catalogd-system namespace. This is so we can pull images that require authentication by using a pull secret

Motivation

• resolves Replace pod-based image unpacker with an image registry client #143
• resolves Changing catalog image source doesn't unpack again #132
• resolves Explore alternative methods for unpacking catalog data #66
• resolves Optimize memory usage of unpacking FBC from pod logs #22
• resolves #145 Follow Up: Update the e2e testing to work when the UnpackImageRegistryClient feature-gate is enabled #163
• resolves #145 Follow-Up: Implement Garbage Collection for unused catalog images in the cache #161
• resolves Make registry client unpacking the default and only Unpack implementation #182
• resolves [Epic] Unpack image source using direct registry client #179

[codecov]

Codecov Report

Attention: 67 lines in your changes are missing coverage. Please review.

Comparison is base (8a90d8d) 87.02% compared to head (9fea4bc) 49.72%.

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #145       +/-   ##
===========================================
- Coverage   87.02%   49.72%   -37.30%     
===========================================
  Files           3        6        +3     
  Lines         131      366      +235     
===========================================
+ Hits          114      182       +68     
- Misses         10      163      +153     
- Partials        7       21       +14     

Files	Coverage Δ
pkg/controllers/core/catalog_controller.go	90.19% <20.00%> (-3.62%)	⬇️
internal/source/unpacker.go	0.00% <0.00%> (ø)
cmd/manager/main.go	9.92% <29.72%> (ø)
internal/source/image_registry_client.go	66.66% <66.66%> (ø)

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[everettraven]

#162

[stevekuznetsov]

We don't have one (yet) but I think it's useful to consider writing code for controllers as if there were a long-lived deployment you are on the pager for. Every commit that merges to the codebase deploys, and you need to keep in mind that branch cuts for future releases can happen at any point.

The implication here is that if we were to cut a release of catalogd with this PR, the server would cache image layers forever and not do any cleanup. Prefer when adding new features to a controller to handle (minimally) the full lifecycle.

There are a couple layers of indirection in the codebase so I don't know how the basic intuition translates to this case, but writing the full lifecycle code in a controller context is fairly straightforward.

[everettraven]

We don't have one (yet) but I think it's useful to consider writing code for controllers as if there were a long-lived deployment you are on the pager for. Every commit that merges to the codebase deploys, and you need to keep in mind that branch cuts for future releases can happen at any point.

The implication here is that if we were to cut a release of catalogd with this PR, the server would cache image layers forever and not do any cleanup. Prefer when adding new features to a controller to handle (minimally) the full lifecycle.

Maybe I'm misunderstanding, but I thought that is what feature gates are used for? As far as I understand it, the feature gate should signal that a feature is minimally functional (IMO this is - it does what it needs to even if not optimized) but is still a work in progress, is bound to change, and could need optimizations. This feature gate should be disabled by default and therefore this implication shouldn't happen unless the feature gate is explicitly enabled.

If I am misunderstanding I am happy to add the garbage collection logic. My intention here was to simply get the basic implementation in and then iterate from there.

There are a couple layers of indirection in the codebase so I don't know how the basic intuition translates to this case, but writing the full lifecycle code in a controller context is fairly straightforward.

I don't think it would be too complex to do a minimal implementation of garbage collection. As I mentioned above, I don't mind adding it if I misunderstood the message sent by sticking this functionality behind a feature gate and that we could get these optimization type things in iteratively.

[joelanford]

IMO, it is reasonable to deliver half-baked features behind a disabled-by-default feature gate. It would be good to have a design that enumerates the plan for how the feature is delivered and what the proposed maturity process is for the feature gate.

Is there a brief or RFC for this? Seems big enough to warrant one.

[stevekuznetsov]

I'm less interested in Google Docs than making the development easier. Since lifecycle is the bread and butter of what controllers do, it's usually useful to tackle it (minimally) whole-hog so that you don't make more refactor work for yourself in the future on code you just wrote.

[joelanford]

I don't disagree. I'd guess that we may not all agree what our definitions of "minimally" are though. That's where a high-level plan could help achieve alignment on expectations.

[everettraven]

Is there a brief or RFC for this? Seems big enough to warrant one.

There is not

[anik120]

+1 on the RFC.

[joelanford]

Have you seen https://github.com/tilt-dev/ctlptl?

Since we're already tilt-enabled, perhaps this is a reasonable tool to evaluate for our cluster setup purposes, especially since it seems to support setting up image registries that are
simultaneously accessible to the local dev environment and the in-cluster processes.

Can we spend 30 minutes now (but time boxed) evaluating this to see if it would be a drop in replacement?

If it is a good candidate, it would be fine to integrate in a follow-up.

[everettraven]

I have seen that. I played around with doing it the kind way and wasn't able to get that working well (there seemed to be resolution issues from the direct client and it couldn't find the registry when using both the names mentioned in the docs). My understanding is that ctlptl pretty much does the steps mentioned in the kind docs for you and would, in theory, have the same results so i didn't give it a shot.

That being said, I'm happy to time box an evaluation of it. I'll circle back around to investigating this after addressing other things since this would be a follow-up anyways

[everettraven]

I gave this a shot and ran into the same issues I had with the approach documented by kind. It just can't seem to resolve the registry URL. Maybe this is just an issue on my machine though? I haven't tested it on my Mac, but I've had kind related troubles in the past on my work laptop running Fedora so 🤷

[joelanford]

Okay, sounds good. Maybe make a tracker for this, even if it's just a way to mentally bookmark this apparent gap in the ecosystem for cluster+registry tooling. It seems like progress is being made, so perhaps we can revisit again in 3-6 months.

[everettraven]

#192

[joelanford]

I'm a little confused here. Is this a CA or is this the docker registry's server certificate, or both?

I think what we need is just a self-signed server keypair, and then clients just need the server cert to trust. But maybe I'm missing something.

[everettraven]

My understanding is that it is both. We use the tls.crt and tls.key entries in the generated secret to be used by the image registry and we inject the ca.crt entry to the necessary locations so that clients trust the cert used by the image registry. I tried it some different ways to no avail, but it could just be due to my lack of experience with cert-manager (and certificate management in general)

[everettraven]

Leaving as is for now. This should be addressed by #188

[joelanford]

This is coming from Docker Hub, which is rate-limited, and can cause flakes. Can we find a registry container in quay (or some other better image registry)?

[everettraven]

We could try to use Project Quay as the image registry but that would require a good bit more effort to investigate how to properly configure this. This image is Apache 2.0 licensed so if we are concerned about the flakes we could probably pull from dockerhub, re-tag, and push to a quay repo?

[everettraven]

Another alternative is writing our own simple registry in Go and building+loading that image onto the kind cluster.

[joelanford]

I think registry:2 is fine for now. I'm not seeing it obviously mirrored into another registry. Perhaps a follow-up issue and/or comment in the YAML about this for now?

[everettraven]

Sounds good. Just to try it out, I testing what it would take to write a super barebones registry in Go. Was able to do it with:

package main

import (
	"log"
	"net/http"
	"os"

	"github.com/google/go-containerregistry/pkg/registry"
)

func main() {
	certFile, certEnvVarExists := os.LookupEnv("REGISTRY_HTTP_TLS_CERTIFICATE")
	if !certEnvVarExists {
		if err := http.ListenAndServe(":5000", registry.New()); err != nil {
			log.Fatal(err)
		}
	}

	keyFile, keyEnvVarExists := os.LookupEnv("REGISTRY_HTTP_TLS_KEY")
	if !keyEnvVarExists {
		log.Fatal("environment variable REGISTRY_HTTP_TLS_CERTIFICATE specified but REGISTRY_HTTP_TLS_KEY was not")
	}
	if err := http.ListenAndServeTLS(":5000", certFile, keyFile, registry.New(registry.Logger(log.Default()))); err != nil {
		log.Fatal(err)
	}
}

I built and loaded an image with this for e2e and it passed when run locally. I won't push this up because it was a quick poc, but something I thought would be worth sharing.

[everettraven]

Follow up issue: #189

[joelanford]

Not sure this really matters, but I'd suggest (for a follow-up) moving the GC function into a separate package so that we can avoid a unit test in the main package.

[joelanford]

Left a few more comments about potential follow-ups. But LGTM.

[fgiloux]

It seems that the selected library does not support mirroring. What is the plan in this regard?

[joelanford]

It seems that the selected library does not support mirroring. What is the plan in this regard?

This is a known (and out-of-scope for now) feature that needs to be implemented. The RFC calls this out and says that we'll cover it in a future RFC.

[rashmigottipati]

Can probably switch to using ConfigsLocationLabel from here without creating a new constant variable

[rashmigottipati]

this comment is applicable here

[anik120]

LGTM

The most important follow up to capture for me would be the reassessing of the two interfaces, Unpack and Store, and the use of a cache in Unpack in that context.

[anik120]

I'd prefer to have this context captured as a comment here somewhere somehow (I'm not sure what the mechanics for using comments in a kustomization files are). Issues aren't available to a reader of the code, comments are, even if the comment is just pointing to the GitHub issue.