feat(images): gcr pubsub push notification for image updates

[dmccaffery]

Would like to add support for handling GCR pubsub notifications for image repository updates based on:

https://cloud.google.com/container-registry/docs/configuring-notifications

and:

https://cloud.google.com/pubsub/docs/push

GCR has some pretty tight limits around API requests and some setups where a single GCR registry used by many clusters is hitting the limits pretty hard. Using this webhook receiver, GCR users could disable long polling entirely using --exclude-images and rely on the webhook receiver to update the image cache.

The implementation should support the following payloads:

• add image (new)
• add tag

It should also support authentication token validation from google if configured to do so.

I'm happy to implement this, but wanted to reach out to the community for thoughts before doing so.

[squaremo]

disable long polling entirely using --exclude-images and rely on the webhook receiver

It was unclear to me whether an image would be scanned if it's excluded with --exclude-images, but mentioned in a webhook. The answer is "Yes, kind of": the registry cache will happily respond to a webhook by scanning the mentioned image repo, whether it's excluded or not. However, the cluster will not bother to record credentials for a given image if it's excluded -- so it's possible that the scan will fail authentication.

It's not immediately obvious to me what the solution is :-/

[sjk07]

I have started executing on this, should have something together by tomorrow 🤞