# Pulp Container registry and OCI artifacts support

###### tags: `Referrers API`, `OCI artifacts`

## Current plans in OCI world

Compat approach (no new API; basically abuse the OCI image manifest to carry artifacts):

* https://www.docker.com/blog/announcing-docker-hub-oci-artifacts-support/
* https://cloud.redhat.com/blog/quay-oci-artifact-support-for-helm-charts
* https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/use_red_hat_quay/oci-intro
* https://github.com/quay/quay/blob/master/config.py#L765
* https://github.com/opencontainers/artifacts/blob/main/artifact-authors.md

## Future plans in OCI world

New Artifact Manifest type, new Referrers API:

* https://github.com/oras-project/artifacts-spec/blob/main/scenarios.md
* https://github.com/sigstore/cosign/issues/1397

## Considerations

ORAS project/tool:

* https://oras.land/
* https://oras.land/cli/1_pushing/
* https://oras.land/blog/oras-0.15-a-fully-functional-registry-client/

## Conclusions

### Today

pulp-container registry supports:

- OCI image manifest/index

pulp-container registry needs to enable OCI artifact support by:

- adjusting OCI manifest validation
- extending the default support matrix for media types (the so-called well-known types, https://github.com/opencontainers/artifacts/blob/main/definitions-terms.md#well-known-type)
  * helm, singularity, cosign, spdx, syft, etc.
- adding configurable OCI artifact media-type support
  * right now we have a hardcoded list of supported media types; make it configurable at runtime
- adding an OCI artifact configuration option, True/False (maybe the user is not interested in anything else except regular images)
  * to consider: once OCI artifact support is enabled, the manifest `config` becomes optional (https://github.com/opencontainers/artifacts/blob/main/artifact-authors.md#optional-defining-config-schema)
  * the registry can decide to process and validate it, or may decide to ignore it
  * still not sure whether the `config` key can be omitted from the manifest entirely or whether it must be present but may be empty; unclear, needs digging

Result: we are able to support any OCI artifact presented in an OCI image manifest. If we don't do this, a lot of content published to registries like Docker Hub will start failing during pulp sync because of "unknown media-types".

Next step: I need to incorporate some of this by adjusting my cosign support PR https://github.com/pulp/pulp_container/pull/1199 and open a user story for the OCI artifacts.

### Tomorrow

- get ready for the Referrers API and the new artifact.manifest media type; this is the future and the cornerstone for supply chain security as well as for proper storage of any arbitrary artifact in the registry (via artifact.manifest)
- Sigstore/cosign and other registries are already working on adding support
- ORAS claims to already have this released in the latest RC
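As an added illustration of the "Today" items above (not code from pulp_container): manifest validation driven by a runtime-configurable allowlist of artifact config media types and an on/off switch for OCI artifact support, with the `config` key treated as optional only when that switch is on. The setting names, the default type list and the sample manifest are assumptions made for this example.

```python
"""Added example, not pulp_container's own code: validate an OCI image
manifest against a configurable allowlist of artifact config media types.
Setting names, the default type set and the sample manifest are assumed."""
import json

OCI_IMAGE_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_IMAGE_CONFIG = "application/vnd.oci.image.config.v1+json"

# Illustrative "well-known" artifact config types. A registry would load this
# set from its settings so operators can extend it without a code change.
DEFAULT_ARTIFACT_CONFIG_TYPES = {
    "application/vnd.cncf.helm.config.v1+json",   # Helm chart
    "application/vnd.sylabs.sif.config.v1+json",  # Singularity image
}


def validate_manifest(manifest, *, artifacts_enabled, allowed_config_types):
    """Return (accepted, reason). Unknown media types yield a reason rather
    than an exception, so a sync can log and skip the manifest instead of
    failing outright."""
    if manifest.get("mediaType", OCI_IMAGE_MANIFEST) != OCI_IMAGE_MANIFEST:
        return False, "not an OCI image manifest"
    for layer in manifest.get("layers", []):
        if not all(k in layer for k in ("mediaType", "digest", "size")):
            return False, "layer descriptor missing mediaType/digest/size"
    config = manifest.get("config")
    if config is None:
        # artifact-authors lets the config be omitted; honour that only when
        # the operator has opted in to OCI artifacts.
        if artifacts_enabled:
            return True, "artifact without config accepted"
        return False, "config is required while OCI artifact support is off"
    config_type = config.get("mediaType")
    if config_type == OCI_IMAGE_CONFIG:
        return True, "regular image"  # cosign signature manifests use this too
    if not artifacts_enabled:
        return False, f"artifact config {config_type!r} rejected: support off"
    if config_type not in allowed_config_types:
        return False, f"config media type {config_type!r} not in allowlist"
    return True, f"artifact {config_type!r} accepted"


# Constructed sample: a Helm chart pushed as an OCI artifact (fake digests).
HELM_MANIFEST = json.loads("""{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {"mediaType": "application/vnd.cncf.helm.config.v1+json",
             "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
             "size": 123},
  "layers": [{"mediaType": "application/vnd.cncf.helm.chart.content.v1.tar+gzip",
              "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
              "size": 4567}]
}""")
```

With artifact support off the Helm manifest is rejected at validation; with it on and the Helm config type in the allowlist it is accepted, and a manifest with no `config` at all is accepted only in the enabled case.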