feat: add static registry to talosctl

Fixes #11928
Fixes #11929

Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>

Author: shanduur

cmd/talosctl/cmd/talos/image.go

@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/signal"
 	"slices"
 	"strings"
 	"text/tabwriter"
@@ -20,9 +21,11 @@ import (
 	"github.com/dustin/go-humanize"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+	"go.uber.org/zap"
 
 	"github.com/siderolabs/talos/cmd/talosctl/pkg/talos/artifacts"
 	"github.com/siderolabs/talos/cmd/talosctl/pkg/talos/helpers"
+	"github.com/siderolabs/talos/internal/app/machined/pkg/system/services/registry"
 	"github.com/siderolabs/talos/pkg/imager/cache"
 	"github.com/siderolabs/talos/pkg/images"
 	"github.com/siderolabs/talos/pkg/machinery/api/common"
@@ -168,14 +171,24 @@ var imageDefaultCmd = &cobra.Command{
 	},
 }
 
-var minimumVersion = semver.MustParse("1.11.0-alpha.0")
+const (
+	provisionerDocker    = "docker"
+	provisionerInstaller = "installer"
+	provisionerAll       = "all"
+)
+
+var imageDefaultCmdFlags = struct {
+	provisioner pflag.Value
+}{
+	provisioner: helpers.StringChoice(provisionerInstaller, provisionerDocker, provisionerAll),
+}
 
 // imageSourceBundleCmd represents the image source-bundle command.
 var imageSourceBundleCmd = &cobra.Command{
 	Use:   "source-bundle <talos-version>",
 	Short: "List the source images used for building Talos",
 	Long:  ``,
-	Args: helpers.ChainCobraPositionalArgs(
+	Args: cobra.MatchAll(
 		cobra.ExactArgs(1),
 		func(cmd *cobra.Command, args []string) error {
 			maximumVersion, err := semver.ParseTolerant(version.Tag)
@@ -245,6 +258,8 @@ var imageSourceBundleCmd = &cobra.Command{
 	},
 }
 
+var minimumVersion = semver.MustParse("1.11.0-alpha.0")
+
 // imageIntegrationCmd represents the integration image command.
 var imageIntegrationCmd = &cobra.Command{
 	Use:    "integration",
@@ -374,6 +389,7 @@ talosctl images default | talosctl images cache-create --image-cache-path=/tmp/t
 			imageCacheCreateCmdFlags.insecure,
 			imageCacheCreateCmdFlags.imageLayerCachePath,
 			imageCacheCreateCmdFlags.imageCachePath,
+			imageCacheCreateCmdFlags.layout.String() == layoutFlat,
 		)
 		if err != nil {
 			return fmt.Errorf("error generating cache: %w", err)
@@ -383,27 +399,65 @@ talosctl images default | talosctl images cache-create --image-cache-path=/tmp/t
 	},
 }
 
-var imageCacheCreateCmdFlags struct {
+const (
+	layoutOCI  = "oci"
+	layoutFlat = "flat"
+)
+
+var imageCacheCreateCmdFlags = struct {
 	imageCachePath      string
 	imageLayerCachePath string
-	platform            string
+	layout              pflag.Value
+	platform            []string
 
 	images []string
 
 	insecure bool
 	force    bool
+}{
+	layout: helpers.StringChoice(layoutOCI, layoutFlat),
 }
 
-const (
-	provisionerDocker    = "docker"
-	provisionerInstaller = "installer"
-	provisionerAll       = "all"
-)
+// imageCacheServeCmd represents the image cache serve command.
+var imageCacheServeCmd = &cobra.Command{
+	Use:     "cache-serve",
+	Short:   "Serve an OCI image cache directory over HTTP(S) as a container registry",
+	Long:    `Serve an OCI image cache directory over HTTP(S) as a container registry`,
+	Example: ``,
+	Args:    cobra.NoArgs,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		ctx, cancel := signal.NotifyContext(cmd.Context(), os.Interrupt)
+		defer cancel()
 
-var imageDefaultCmdFlags = struct {
-	provisioner pflag.Value
-}{
-	provisioner: helpers.StringChoice(provisionerInstaller, provisionerDocker, provisionerAll),
+		development, err := zap.NewDevelopment()
+		if err != nil {
+			return fmt.Errorf("failed to create development logger: %w", err)
+		}
+
+		it := func(yield func(string) bool) {
+			for _, root := range []string{imageCacheServeCmdFlags.imageCachePath} {
+				if !yield(root) {
+					return
+				}
+			}
+		}
+
+		return registry.NewService(registry.NewMultiPathFS(it), development).Run(
+			ctx,
+			registry.WithTLS(
+				imageCacheServeCmdFlags.tlsCertFile,
+				imageCacheServeCmdFlags.tlsKeyFile,
+			),
+			registry.WithAddress(imageCacheServeCmdFlags.address),
+		)
+	},
+}
+
+var imageCacheServeCmdFlags struct {
+	imageCachePath string
+	address        string
+	tlsCertFile    string
+	tlsKeyFile     string
 }
 
 func init() {
@@ -415,19 +469,28 @@ func init() {
 
 	imageCmd.AddCommand(imageListCmd)
 	imageCmd.AddCommand(imagePullCmd)
-	imageCmd.AddCommand(imageCacheCreateCmd)
-	imageCmd.AddCommand(imageIntegrationCmd)
 	imageCmd.AddCommand(imageSourceBundleCmd)
 
+	imageCmd.AddCommand(imageCacheCreateCmd)
 	imageCacheCreateCmd.PersistentFlags().StringVar(&imageCacheCreateCmdFlags.imageCachePath, "image-cache-path", "", "directory to save the image cache in OCI format")
 	imageCacheCreateCmd.MarkPersistentFlagRequired("image-cache-path") //nolint:errcheck
 	imageCacheCreateCmd.PersistentFlags().StringVar(&imageCacheCreateCmdFlags.imageLayerCachePath, "image-layer-cache-path", "", "directory to save the image layer cache")
-	imageCacheCreateCmd.PersistentFlags().StringVar(&imageCacheCreateCmdFlags.platform, "platform", "linux/amd64", "platform to use for the cache")
+	imageCacheCreateCmd.PersistentFlags().Var(imageCacheCreateCmdFlags.layout, "layout",
+		"Specifies the cache layout format: \"oci\" for an OCI image layout directory, or \"flat\" for a registry-like flat file structure")
+	imageCacheCreateCmd.PersistentFlags().StringSliceVar(&imageCacheCreateCmdFlags.platform, "platform", []string{"linux/amd64"}, "platform to use for the cache")
 	imageCacheCreateCmd.PersistentFlags().StringSliceVar(&imageCacheCreateCmdFlags.images, "images", nil, "images to cache")
 	imageCacheCreateCmd.MarkPersistentFlagRequired("images") //nolint:errcheck
 	imageCacheCreateCmd.PersistentFlags().BoolVar(&imageCacheCreateCmdFlags.insecure, "insecure", false, "allow insecure registries")
 	imageCacheCreateCmd.PersistentFlags().BoolVar(&imageCacheCreateCmdFlags.force, "force", false, "force overwrite of existing image cache")
 
+	imageCmd.AddCommand(imageCacheServeCmd)
+	imageCacheServeCmd.PersistentFlags().StringVar(&imageCacheServeCmdFlags.imageCachePath, "image-cache-path", "", "directory to save the image cache in OCI format")
+	imageCacheServeCmd.MarkPersistentFlagRequired("image-cache-path") //nolint:errcheck
+	imageCacheServeCmd.PersistentFlags().StringVar(&imageCacheServeCmdFlags.address, "address", constants.RegistrydListenAddress, "address to serve the registry on")
+	imageCacheServeCmd.PersistentFlags().StringVar(&imageCacheServeCmdFlags.tlsCertFile, "tls-cert-file", "", "TLS certificate file to use for serving")
+	imageCacheServeCmd.PersistentFlags().StringVar(&imageCacheServeCmdFlags.tlsKeyFile, "tls-key-file", "", "TLS key file to use for serving")
+
+	imageCmd.AddCommand(imageIntegrationCmd)
 	imageIntegrationCmd.PersistentFlags().StringVar(&imageIntegrationCmdFlags.installerTag, "installer-tag", "", "tag of the installer image to use")
 	imageIntegrationCmd.MarkPersistentFlagRequired("installer-tag") //nolint:errcheck
 	imageIntegrationCmd.PersistentFlags().StringVar(&imageIntegrationCmdFlags.registryAndUser, "registry-and-user", "", "registry and user to use for the images")

cmd/talosctl/pkg/talos/helpers/flags.go

@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"slices"
 
-	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )
 
@@ -52,16 +51,3 @@ func StringChoice(defaultValue string, otherChoices ...string) pflag.Value {
 		},
 	}
 }
-
-// ChainCobraPositionalArgs chains multiple cobra.PositionalArgs validators together.
-func ChainCobraPositionalArgs(validators ...cobra.PositionalArgs) cobra.PositionalArgs {
-	return func(cmd *cobra.Command, args []string) error {
-		for _, validator := range validators {
-			if err := validator(cmd, args); err != nil {
-				return err
-			}
-		}
-
-		return nil
-	}
-}

hack/release.toml

@@ -103,6 +103,21 @@ These fields were removed from the default machine configuration schema in v1.12
 etcd container image is now pulled from `registry.k8s.io/etcd` instead of `gcr.io/etcd-development/etcd`.
 """
 
+    [notes.talosctl]
+        title = "talosctl image cache-serve"
+        description = """\
+`talosctl` includes new subcommand `image cache-serve`.
+It allows serving the created OCI image registry over HTTP/HTTPS.
+It is a read-only registry, meaning images cannot be pushed to it, but the backing storage can be updated by re-running the `cache-create` command;
+
+Additionally `talosctl image cache-create` has some changes:
+  * new flag `--layout`: `oci` (_default_), `flat`:
+    * `oci` preserves current behavior;
+    * `flat` does not repack artifact layer, but moves it to a destination directory, allowing it to be served by `talosctl image cache-serve`;
+  * changed flag `--platform`: now can accept multiple os/arch combinations:
+    * comma separated (`--platform=linux/amd64,linux/arm64`);
+    * multiple instances (`--platform=linux/amd64 --platform=linux/arm64`);
+"""
 
 [make_deps]
 

internal/app/machined/pkg/system/services/registry/params.go

@@ -15,9 +15,6 @@ import (
 
 func extractParams(req *http.Request) (params, error) {
 	registry := req.URL.Query().Get("ns")
-	if registry == "" {
-		return params{}, xerrors.NewTaggedf[badRequestTag]("missing ns")
-	}
 
 	value := req.PathValue("args")
 

internal/app/machined/pkg/system/services/registry/registry.go

@@ -44,8 +44,32 @@ type Service struct {
 	root   fs.StatFS
 }
 
+type config struct {
+	addr        string
+	tlsKeyPath  string
+	tlsCertPath string
+}
+
+// Option is a functional option for configuring the service.
+type Option func(*config)
+
+// WithTLS enables TLS with the given certificate and key paths.
+func WithTLS(certPath, keyPath string) Option {
+	return func(c *config) {
+		c.tlsCertPath = certPath
+		c.tlsKeyPath = keyPath
+	}
+}
+
+// WithAddress sets the address to listen on.
+func WithAddress(addr string) Option {
+	return func(c *config) {
+		c.addr = addr
+	}
+}
+
 // Run is an entrypoint to the API service.
-func (svc *Service) Run(ctx context.Context) error {
+func (svc *Service) Run(ctx context.Context, options ...Option) error {
 	mux := http.NewServeMux()
 
 	mux.HandleFunc("GET /v2/{args...}", svc.serveHTTP)
@@ -56,7 +80,15 @@ func (svc *Service) Run(ctx context.Context) error {
 		mux.HandleFunc("GET /"+p+"/{$}", giveOk)
 	}
 
-	server := http.Server{Addr: constants.RegistrydListenAddress, Handler: mux}
+	cfg := &config{
+		addr: constants.RegistrydListenAddress,
+	}
+
+	for _, option := range options {
+		option(cfg)
+	}
+
+	server := http.Server{Addr: cfg.addr, Handler: mux}
 	errCh := make(chan error, 1)
 
 	ctx, cancel := context.WithCancel(ctx)
@@ -73,9 +105,18 @@ func (svc *Service) Run(ctx context.Context) error {
 
 	svc.logger.Info("starting registry server", zap.String("addr", server.Addr))
 
-	err := server.ListenAndServe()
-	if errors.Is(err, http.ErrServerClosed) {
-		err = nil
+	var err error
+
+	if cfg.tlsCertPath != "" && cfg.tlsKeyPath != "" {
+		err = server.ListenAndServeTLS(cfg.tlsCertPath, cfg.tlsKeyPath)
+		if errors.Is(err, http.ErrServerClosed) {
+			err = nil
+		}
+	} else {
+		err = server.ListenAndServe()
+		if errors.Is(err, http.ErrServerClosed) {
+			err = nil
+		}
 	}
 
 	cancel()
@@ -94,6 +135,7 @@ func (svc *Service) serveHTTP(w http.ResponseWriter, req *http.Request) {
 	}
 }
 
+//nolint:gocyclo
 func (svc *Service) handler(w http.ResponseWriter, req *http.Request) error {
 	logger := svc.logger.With(
 		zap.String("method", req.Method),
@@ -114,6 +156,17 @@ func (svc *Service) handler(w http.ResponseWriter, req *http.Request) error {
 		zap.String("registry", p.registry),
 	)
 
+	if p.registry == "" {
+		p.registry, err = svc.tryFindRegistry(p)
+		if err != nil {
+			return err
+		}
+
+		if p.registry == "" {
+			return fmt.Errorf("failed to extract params: %w", xerrors.NewTaggedf[badRequestTag]("missing ns"))
+		}
+	}
+
 	ref, err := svc.resolveCanonicalRef(p)
 	if err != nil {
 		return err
@@ -292,3 +345,29 @@ type (
 	badRequestTag    struct{}
 	internalErrorTag struct{}
 )
+
+func (svc *Service) tryFindRegistry(p params) (string, error) {
+	entries, err := fs.ReadDir(svc.root, "manifests")
+	if err != nil {
+		return "", xerrors.NewTaggedf[internalErrorTag]("failed to read manifests directory: %w", err)
+	}
+
+	for _, entry := range entries {
+		p.registry = entry.Name()
+
+		ref, err := reference.ParseDockerRef(p.String())
+		if err != nil {
+			return "", xerrors.NewTaggedf[badRequestTag]("failed to parse docker ref: %w", err)
+		}
+
+		namedTaggedName := handleRegistryWithPort(ref, p)
+
+		taggedFile := filepath.Join("manifests", namedTaggedName, "reference")
+
+		if _, err := fs.Stat(svc.root, taggedFile); err == nil {
+			return entry.Name(), nil
+		}
+	}
+
+	return "", nil
+}

internal/app/machined/pkg/system/services/registry/registry_test.go

@@ -48,7 +48,7 @@ func TestRegistry(t *testing.T) {
 	platform, err := v1.ParsePlatform("linux/amd64")
 	assert.NoError(t, err)
 
-	assert.NoError(t, cache.Generate(images, platform.String(), false, "", cacheDir))
+	assert.NoError(t, cache.Generate(images, []string{platform.String()}, false, "", cacheDir, false))
 
 	l, err := layout.ImageIndexFromPath(cacheDir)
 	assert.NoError(t, err)