VEP48: Support architecture specific image import for registry datasource (#3753)

* importer: introduce registry datasource architecture option

This commit introduces preliminary support for a new optional field under the
DV registry source.

The field, platform, has an additional subfield: architecture which
when specified serves as an image index filter to extract a
disk.img only from layers which match it.

If there's a mismatch between requested architecture and
available architectures in the image index the import will fail.

If the requested image is a manifest and not an index the architecture
of the manifest will be compared to the requested architecture and if
they mismatch the import will fail.

API naming has been chosen to mimic the OCI image index spec[1].

[1] https://github.com/opencontainers/image-spec/blob/main/image-index.md#oci-image-index-specification

Signed-off-by: Adi Aloni <[email protected]>

* importer: pullMethod node architecture support

This commit adds support for specifying architecture for the registry
data source with pullMethod node. When configured, the importer Pod will
gain another NodeSelector for nodes that have the matching architecture
label.

In the event that the importer Pod is unschedulable due to the
pullMethod node's node selector, the condition will be propagated to the
DV's running condition until it becomes schedulable.

Signed-off-by: Adi Aloni <[email protected]>

* docs, image-from-registry: add multi-platform support

Adds a section in the docs about using the platform field for
multi-platform image pull.

Signed-off-by: Adi Aloni <[email protected]>

---------

Signed-off-by: Adi Aloni <[email protected]>

Author: Acedus

api/openapi-spec/swagger.json

@@ -4866,6 +4866,10 @@
       "description": "ImageStream is the name of image stream for import",
       "type": "string"
      },
+     "platform": {
+      "description": "Platform describes the minimum runtime requirements of the image",
+      "$ref": "#/definitions/v1beta1.PlatformOptions"
+     },
      "pullMethod": {
       "description": "PullMethod can be either \"pod\" (default import), or \"node\" (node docker cache based import)",
       "type": "string"
@@ -5134,6 +5138,15 @@
     "description": "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility",
     "type": "object"
    },
+   "v1beta1.PlatformOptions": {
+    "type": "object",
+    "properties": {
+     "architecture": {
+      "description": "Architecture specifies the image target CPU architecture",
+      "type": "string"
+     }
+    }
+   },
    "v1beta1.StorageSpec": {
     "description": "StorageSpec defines the Storage type specification",
     "type": "object",

cmd/cdi-importer/importer.go

@@ -262,6 +262,7 @@ func newDataSource(source string, contentType string, volumeMode v1.PersistentVo
 	certDir, _ := util.ParseEnvVar(common.ImporterCertDirVar, false)
 	insecureTLS, _ := strconv.ParseBool(os.Getenv(common.InsecureTLSVar))
 	thumbprint, _ := util.ParseEnvVar(common.ImporterThumbprint, false)
+	registryImageArchitecture, _ := util.ParseEnvVar(common.ImporterRegistryImageArchitecture, false)
 
 	currentCheckpoint, _ := util.ParseEnvVar(common.ImporterCurrentCheckpoint, false)
 	previousCheckpoint, _ := util.ParseEnvVar(common.ImporterPreviousCheckpoint, false)
@@ -281,7 +282,7 @@ func newDataSource(source string, contentType string, volumeMode v1.PersistentVo
 		}
 		return ds
 	case cc.SourceRegistry:
-		ds := importer.NewRegistryDataSource(ep, acc, sec, certDir, insecureTLS)
+		ds := importer.NewRegistryDataSource(ep, acc, sec, registryImageArchitecture, certDir, insecureTLS)
 		return ds
 	case cc.SourceS3:
 		ds, err := importer.NewS3DataSource(ep, acc, sec, certDir)

doc/image-from-registry.md

@@ -191,3 +191,31 @@ spec:
 ```
 
 More information on image streams is available [here](https://docs.openshift.com/container-platform/4.8/openshift_images/image-streams-manage.html) and [here](https://www.tutorialworks.com/openshift-imagestreams).
+
+# Import registry image by platform specification
+
+When importing an image from a [OCI Image Index](https://specs.opencontainers.org/image-spec/image-index/), you can optionally specify a `platform` field to influence which image variant is selected from the multi-platform manifest.
+Currently the `platform` field supports the following subfields for filtering:
+- `architecture` - Specifies the image target CPU architecture (e.g., `amd64`, `arm64`, `s390x`)
+
+Subfields defined by the OCI Image Index `platform` specification but not listed above will default to the values defined in the OCI specification.
+
+```yaml
+apiVersion: cdi.kubevirt.io/v1beta1
+kind: DataVolume
+metadata:
+  name: registry-image-datavolume
+spec:
+  source:
+    registry:
+      url: "docker://quay.io/containerdisks/fedora:latest"
+      platform:
+        architecture: "arm64"
+  storage:
+    resources:
+      requests:
+        storage: 10Gi
+```
+
+> [!NOTE]  
+> When `platform.architecture` is used together with `pullMethod: node`, a node selector will be added to the resulting importer Pod to ensure it schedules onto a node matching the specified architecture.

pkg/apis/core/v1beta1/openapi_generated.go

@@ -163,6 +163,8 @@ const (
 	ImporterExtraHeader = "IMPORTER_EXTRA_HEADER_"
 	// ImporterSecretExtraHeadersDir is where the secrets containing extra HTTP headers will be mounted
 	ImporterSecretExtraHeadersDir = "/extraheaders"
+	// ImporterRegistryImageArchitecture provides a constant to capture our env variable "IMPORTER_REGISTRY_IMAGE_ARCHITECTURE"
+	ImporterRegistryImageArchitecture = "IMPORTER_REGISTRY_IMAGE_ARCHITECTURE"
 
 	// ImporterGoogleCredentialFileVar provides a constant to capture our env variable "GOOGLE_APPLICATION_CREDENTIALS"
 	//nolint:gosec // This is not a real credential

pkg/common/common.go

@@ -86,6 +86,8 @@ const (
 	AnnPodReady = AnnAPIGroup + "/storage.pod.ready"
 	// AnnPodRestarts is a PVC annotation that tells how many times a related pod was restarted
 	AnnPodRestarts = AnnAPIGroup + "/storage.pod.restarts"
+	// AnnPodSchedulable is a PVC annotation that tells if the Pod is schedulable or not
+	AnnPodSchedulable = AnnAPIGroup + "/storage.pod.schedulable"
 	// AnnPopulatedFor is a PVC annotation telling the datavolume controller that the PVC is already populated
 	AnnPopulatedFor = AnnAPIGroup + "/storage.populatedFor"
 	// AnnPrePopulated is a PVC annotation telling the datavolume controller that the PVC is already populated
@@ -188,6 +190,8 @@ const (
 	AnnExtraHeaders = AnnAPIGroup + "/storage.import.extraHeaders"
 	// AnnSecretExtraHeaders provides a const for our PVC secretExtraHeaders annotation
 	AnnSecretExtraHeaders = AnnAPIGroup + "/storage.import.secretExtraHeaders"
+	// AnnRegistryImageArchitecture provides a const for our PVC registryImageArchitecture annotation
+	AnnRegistryImageArchitecture = AnnAPIGroup + "/storage.import.registryImageArchitecture"
 
 	// AnnCloneToken is the annotation containing the clone token
 	AnnCloneToken = AnnAPIGroup + "/storage.clone.token"
@@ -1705,6 +1709,10 @@ func UpdateRegistryAnnotations(annotations map[string]string, registry *cdiv1.Da
 	if certConfigMap != nil && *certConfigMap != "" {
 		annotations[AnnCertConfigMap] = *certConfigMap
 	}
+
+	if registry.Platform != nil && registry.Platform.Architecture != "" {
+		annotations[AnnRegistryImageArchitecture] = registry.Platform.Architecture
+	}
 }
 
 // UpdateVDDKAnnotations updates the passed annotations for proper VDDK import

pkg/controller/common/util.go

@@ -75,6 +75,8 @@ func updateRunningCondition(conditions []cdiv1.DataVolumeCondition, anno map[str
 		default:
 			conditions = updateCondition(conditions, cdiv1.DataVolumeRunning, corev1.ConditionUnknown, anno[cc.AnnRunningConditionMessage], anno[cc.AnnRunningConditionReason])
 		}
+	} else if schedulable, ok := anno[cc.AnnPodSchedulable]; ok && schedulable == "false" {
+		conditions = updateCondition(conditions, cdiv1.DataVolumeRunning, corev1.ConditionFalse, "Importer pod cannot be scheduled", "Unschedulable")
 	} else {
 		conditions = updateCondition(conditions, cdiv1.DataVolumeRunning, corev1.ConditionFalse, anno[cc.AnnRunningConditionMessage], anno[cc.AnnRunningConditionReason])
 	}

pkg/controller/datavolume/conditions.go

@@ -76,32 +76,33 @@ type ImportReconciler struct {
 }
 
 type importPodEnvVar struct {
-	ep                 string
-	secretName         string
-	source             string
-	contentType        string
-	imageSize          string
-	certConfigMap      string
-	diskID             string
-	uuid               string
-	pullMethod         string
-	readyFile          string
-	doneFile           string
-	backingFile        string
-	thumbprint         string
-	filesystemOverhead string
-	insecureTLS        bool
-	currentCheckpoint  string
-	previousCheckpoint string
-	finalCheckpoint    string
-	preallocation      bool
-	httpProxy          string
-	httpsProxy         string
-	noProxy            string
-	certConfigMapProxy string
-	extraHeaders       []string
-	secretExtraHeaders []string
-	cacheMode          string
+	ep                        string
+	secretName                string
+	source                    string
+	contentType               string
+	imageSize                 string
+	certConfigMap             string
+	diskID                    string
+	uuid                      string
+	pullMethod                string
+	readyFile                 string
+	doneFile                  string
+	backingFile               string
+	thumbprint                string
+	filesystemOverhead        string
+	insecureTLS               bool
+	currentCheckpoint         string
+	previousCheckpoint        string
+	finalCheckpoint           string
+	preallocation             bool
+	httpProxy                 string
+	httpsProxy                string
+	noProxy                   string
+	certConfigMapProxy        string
+	extraHeaders              []string
+	secretExtraHeaders        []string
+	cacheMode                 string
+	registryImageArchitecture string
 }
 
 type importerPodArgs struct {
@@ -405,6 +406,16 @@ func (r *ImportReconciler) updatePvcFromPod(pvc *corev1.PersistentVolumeClaim, p
 		anno[cc.AnnPodPhase] = string(pod.Status.Phase)
 	}
 
+	anno[cc.AnnPodSchedulable] = "true"
+	if phase, ok := anno[cc.AnnPodPhase]; ok && phase == string(corev1.PodPending) {
+		for _, cond := range pod.Status.Conditions {
+			if cond.Type == corev1.PodScheduled && cond.Reason == corev1.PodReasonUnschedulable {
+				anno[cc.AnnPodSchedulable] = "false"
+				break
+			}
+		}
+	}
+
 	for _, ev := range pod.Spec.Containers[0].Env {
 		if ev.Name == common.CacheMode && ev.Value == common.CacheModeTryNone {
 			anno[cc.AnnRequiresDirectIO] = "false"
@@ -599,6 +610,7 @@ func (r *ImportReconciler) createImportEnvVar(pvc *corev1.PersistentVolumeClaim)
 		podEnvVar.previousCheckpoint = getValueFromAnnotation(pvc, cc.AnnPreviousCheckpoint)
 		podEnvVar.currentCheckpoint = getValueFromAnnotation(pvc, cc.AnnCurrentCheckpoint)
 		podEnvVar.finalCheckpoint = getValueFromAnnotation(pvc, cc.AnnFinalCheckpoint)
+		podEnvVar.registryImageArchitecture = getValueFromAnnotation(pvc, cc.AnnRegistryImageArchitecture)
 
 		for annotation, value := range pvc.Annotations {
 			if strings.HasPrefix(annotation, cc.AnnExtraHeaders) {
@@ -873,6 +885,9 @@ func createImporterPod(ctx context.Context, log logr.Logger, client client.Clien
 			return nil, err
 		}
 		setRegistryNodeImportEnvVars(args)
+		if args.podEnvVar.registryImageArchitecture != "" {
+			setRegistryNodeImportNodeSelector(args)
+		}
 	}
 
 	pod := makeImporterPodSpec(args)
@@ -1181,6 +1196,13 @@ func setRegistryNodeImportEnvVars(args *importerPodArgs) {
 	args.podEnvVar.doneFile = "/shared/done"
 }
 
+func setRegistryNodeImportNodeSelector(args *importerPodArgs) {
+	if args.workloadNodePlacement.NodeSelector == nil {
+		args.workloadNodePlacement.NodeSelector = make(map[string]string, 0)
+	}
+	args.workloadNodePlacement.NodeSelector[v1.LabelArchStable] = args.podEnvVar.registryImageArchitecture
+}
+
 func createConfigMapVolume(certVolName, objRef string) corev1.Volume {
 	return corev1.Volume{
 		Name: certVolName,
@@ -1296,6 +1318,10 @@ func makeImportEnv(podEnvVar *importPodEnvVar, uid types.UID) []corev1.EnvVar {
 			Name:  common.CacheMode,
 			Value: podEnvVar.cacheMode,
 		},
+		{
+			Name:  common.ImporterRegistryImageArchitecture,
+			Value: podEnvVar.registryImageArchitecture,
+		},
 	}
 	if podEnvVar.secretName != "" && podEnvVar.source != cc.SourceGCS {
 		env = append(env, corev1.EnvVar{

pkg/controller/import-controller.go

@@ -997,27 +997,29 @@ var _ = Describe("Import test env", func() {
 
 	It("Should create import env", func() {
 		testEnvVar := &importPodEnvVar{
-			ep:                 "myendpoint",
-			httpProxy:          "httpproxy",
-			httpsProxy:         "httpsproxy",
-			noProxy:            "httpproxy",
-			secretName:         "",
-			source:             cc.SourceHTTP,
-			contentType:        string(cdiv1.DataVolumeKubeVirt),
-			imageSize:          "1G",
-			certConfigMap:      "",
-			diskID:             "",
-			uuid:               "",
-			readyFile:          "",
-			doneFile:           "",
-			backingFile:        "",
-			thumbprint:         "",
-			filesystemOverhead: "0.055",
-			insecureTLS:        false,
-			currentCheckpoint:  "",
-			previousCheckpoint: "",
-			finalCheckpoint:    "",
-			preallocation:      false}
+			ep:                        "myendpoint",
+			httpProxy:                 "httpproxy",
+			httpsProxy:                "httpsproxy",
+			noProxy:                   "httpproxy",
+			secretName:                "",
+			source:                    cc.SourceHTTP,
+			contentType:               string(cdiv1.DataVolumeKubeVirt),
+			imageSize:                 "1G",
+			certConfigMap:             "",
+			diskID:                    "",
+			uuid:                      "",
+			readyFile:                 "",
+			doneFile:                  "",
+			backingFile:               "",
+			thumbprint:                "",
+			filesystemOverhead:        "0.055",
+			insecureTLS:               false,
+			currentCheckpoint:         "",
+			previousCheckpoint:        "",
+			finalCheckpoint:           "",
+			preallocation:             false,
+			registryImageArchitecture: "",
+		}
 		Expect(reflect.DeepEqual(makeImportEnv(testEnvVar, mockUID), createImportTestEnv(testEnvVar, mockUID))).To(BeTrue())
 	})
 })
@@ -1300,6 +1302,10 @@ func createImportTestEnv(podEnvVar *importPodEnvVar, uid string) []corev1.EnvVar
 			Name:  common.CacheMode,
 			Value: podEnvVar.cacheMode,
 		},
+		{
+			Name:  common.ImporterRegistryImageArchitecture,
+			Value: podEnvVar.registryImageArchitecture,
+		},
 	}
 
 	if podEnvVar.secretName != "" {

pkg/controller/import-controller_test.go

@@ -227,7 +227,7 @@ type updatePVCAnnotationsFunc func(pvc, pvcPrime *corev1.PersistentVolumeClaim)
 
 var desiredAnnotations = []string{cc.AnnPodPhase, cc.AnnPodReady, cc.AnnPodRestarts,
 	cc.AnnPreallocationRequested, cc.AnnPreallocationApplied, cc.AnnCurrentCheckpoint, cc.AnnMultiStageImportDone,
-	cc.AnnRunningCondition, cc.AnnRunningConditionMessage, cc.AnnRunningConditionReason}
+	cc.AnnRunningCondition, cc.AnnRunningConditionMessage, cc.AnnRunningConditionReason, cc.AnnPodSchedulable}
 
 func (r *ReconcilerBase) updatePVCWithPVCPrimeAnnotations(pvc, pvcPrime *corev1.PersistentVolumeClaim, updateFunc updatePVCAnnotationsFunc) (*corev1.PersistentVolumeClaim, error) {
 	pvcCopy := pvc.DeepCopy()