Add publish subcommand

Signed-off-by: Danil-Grigorev <[email protected]>

Author: Danil-Grigorev

cmd/plugin/cmd/preload.go

@@ -19,13 +19,15 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"os"
 	"strings"
 
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	kerrors "k8s.io/apimachinery/pkg/util/errors"
+	"oras.land/oras-go/v2/registry/remote/auth"
 	operatorv1 "sigs.k8s.io/cluster-api-operator/api/v1alpha2"
 	providercontroller "sigs.k8s.io/cluster-api-operator/internal/controller"
 	"sigs.k8s.io/cluster-api-operator/util"
@@ -58,13 +60,15 @@ var loadCmd = &cobra.Command{
 	Long: LongDesc(`
 		Preload provider manifests to a management cluster.
 
-		To prepare an OCI image you can use oras CLI: https://oras.land/docs/installation
+		To publish provider manifests, "capioperator publish" subcommand can be used.
 
-		oras push ttl.sh/infrastructure-provider:v2.3.0 --artifact-type application/vnd.acme.config metadata.yaml:text/plain infrastructure-components.yaml:text/plain
+		You can also use oras CLI: https://oras.land/docs/installation
+
+		oras push ttl.sh/infrastructure-provider:v2.3.0 metadata.yaml infrastructure-components.yaml
 
 		Alternatively, for multi-provider OCI artifact, a fully specified name can be used for both metadata and components:
 
-		oras push ttl.sh/infrastructure-provider:tag --artifact-type application/vnd.acme.config infrastructure-docker-v1.9.3-metadata.yaml:text/plain infrastructure-docker-v1.9.3-components.yaml:text/plain
+		oras push ttl.sh/infrastructure-provider:tag infrastructure-docker-v1.9.3-metadata.yaml infrastructure-docker-v1.9.3-components.yaml
 	`),
 	Example: Examples(`
 		# Load CAPI operator manifests from OCI source
@@ -254,7 +258,7 @@ func fetchProviders(ctx context.Context, cl client.Client, providerList genericP
 
 	for _, provider := range providerList.GetItems() {
 		if provider.GetSpec().FetchConfig != nil && provider.GetSpec().FetchConfig.OCI != "" {
-			cm, err := providercontroller.OCIConfigMap(ctx, provider)
+			cm, err := providercontroller.OCIConfigMap(ctx, provider, ociAuthentication())
 			if err != nil {
 				return configMaps, err
 			}
@@ -287,7 +291,7 @@ func templateConfigMap(ctx context.Context, providerType clusterctlv1.ProviderTy
 	provider.SetSpec(spec)
 
 	if spec.Version != "" {
-		return providercontroller.OCIConfigMap(ctx, provider)
+		return providercontroller.OCIConfigMap(ctx, provider, ociAuthentication())
 	}
 
 	// User didn't set the version, try to get repository default.
@@ -312,7 +316,7 @@ func templateConfigMap(ctx context.Context, providerType clusterctlv1.ProviderTy
 
 	provider.SetSpec(spec)
 
-	return providercontroller.OCIConfigMap(ctx, provider)
+	return providercontroller.OCIConfigMap(ctx, provider, ociAuthentication())
 }
 
 func providerConfigMap(ctx context.Context, provider operatorv1.GenericProvider) (*corev1.ConfigMap, error) {
@@ -348,3 +352,22 @@ func providerConfigMap(ctx context.Context, provider operatorv1.GenericProvider)
 
 	return providercontroller.RepositoryConfigMap(ctx, provider, repo)
 }
+
+// ociAuthentication returns user supplied credentials from provider variables.
+func ociAuthentication() *auth.Credential {
+	username := os.Getenv(providercontroller.OCIUsernameKey)
+	password := os.Getenv(providercontroller.OCIPasswordKey)
+	accessToken := os.Getenv(providercontroller.OCIAccessTokenKey)
+	refreshToken := os.Getenv(providercontroller.OCIRefreshTokenKey)
+
+	if username != "" || password != "" || accessToken != "" || refreshToken != "" {
+		return &auth.Credential{
+			Username:     username,
+			Password:     password,
+			AccessToken:  accessToken,
+			RefreshToken: refreshToken,
+		}
+	}
+
+	return nil
+}

cmd/plugin/cmd/publish.go

@@ -0,0 +1,161 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+
+	v1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/spf13/cobra"
+	oras "oras.land/oras-go/v2"
+	"oras.land/oras-go/v2/content/file"
+	"oras.land/oras-go/v2/registry/remote"
+	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/retry"
+)
+
+type publishManifestsOptions struct {
+	ociUrl string
+	dir    string
+	files  []string
+}
+
+var publishOpts = &publishManifestsOptions{}
+
+var publishCmd = &cobra.Command{
+	Use:     "publish",
+	GroupID: groupManagement,
+	Short:   "publish provider manifests to OCI registry",
+	Long: LongDesc(`
+		Publishes provider manifests to an OCI registry.
+	`),
+	Example: Examples(`
+		# Publish provider manifests to the OCI destination
+		capioperator publish -u ttl.sh/${IMAGE_NAME}:5m -d manifests
+
+		# Publish manifests from files to the OCI destination
+		capioperator publish -u ttl.sh/${IMAGE_NAME}:5m -f metadata.yaml -f infrastructure-components.yaml
+	`),
+	Args: cobra.NoArgs,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		return runPublish()
+	},
+}
+
+func init() {
+	publishCmd.PersistentFlags().StringVarP(&publishOpts.dir, "dir", "d", ".", `Directory with provider manifests`)
+	publishCmd.PersistentFlags().StringSliceVarP(&publishOpts.files, "file", "f", []string{}, `Provider manifes file`)
+	publishCmd.Flags().StringVarP(&publishOpts.ociUrl, "artifact-url", "u", "",
+		"The URL of the OCI artifact to collect component manifests from.")
+
+	RootCmd.AddCommand(publishCmd)
+}
+
+func runPublish() (err error) {
+	// 0. Create a file store
+	fs, err := file.New(publishOpts.dir)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		err = fs.Close()
+	}()
+
+	ctx := context.Background()
+
+	// 1. Add files to the file store
+	mediaType := "application/vnd.test.file"
+	fileDescriptors := []v1.Descriptor{}
+
+	files, err := os.ReadDir(publishOpts.dir)
+	if err != nil {
+		return err
+	}
+
+	for _, file := range files {
+		if !file.Type().IsRegular() {
+			continue
+		}
+
+		fileDescriptor, err := fs.Add(ctx, file.Name(), mediaType, "")
+		if err != nil {
+			return err
+		}
+
+		fileDescriptors = append(fileDescriptors, fileDescriptor)
+
+		fmt.Printf("Added file: %s\n", file.Name())
+	}
+
+	for _, file := range publishOpts.files {
+		fileDescriptor, err := fs.Add(ctx, file, mediaType, "")
+		if err != nil {
+			return err
+		}
+
+		fileDescriptors = append(fileDescriptors, fileDescriptor)
+
+		fmt.Printf("Added custom file: %s\n", file)
+	}
+
+	// 2. Pack the files and tag the packed manifest
+	artifactType := "application/vnd.acme.config"
+	opts := oras.PackManifestOptions{
+		Layers: fileDescriptors,
+	}
+
+	manifestDescriptor, err := oras.PackManifest(ctx, fs, oras.PackManifestVersion1_1, artifactType, opts)
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("Packaged manifests")
+
+	parts := strings.Split(publishOpts.ociUrl, ":")
+
+	tag := parts[len(parts)-1]
+	if err = fs.Tag(ctx, manifestDescriptor, tag); err != nil {
+		return err
+	}
+
+	// 3. Connect to a remote repository
+	reg := strings.Split(publishOpts.ociUrl, "/")[0]
+
+	repo, err := remote.NewRepository(publishOpts.ociUrl)
+	if err != nil {
+		return err
+	}
+
+	if creds := ociAuthentication(); creds != nil {
+		repo.Client = &auth.Client{
+			Client:     retry.DefaultClient,
+			Cache:      auth.NewCache(),
+			Credential: auth.StaticCredential(reg, *creds),
+		}
+	}
+
+	// 4. Copy from the file store to the remote repository
+	_, err = oras.Copy(ctx, fs, tag, repo, tag, oras.DefaultCopyOptions)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

internal/controller/manifests_downloader.go

@@ -27,6 +27,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"oras.land/oras-go/v2/registry/remote/auth"
 
 	"sigs.k8s.io/cluster-api/cmd/clusterctl/client/repository"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -104,7 +105,7 @@ func (p *phaseReconciler) downloadManifests(ctx context.Context) (reconcile.Resu
 
 	// Fetch the provider metadata and components yaml files from the provided repository GitHub/GitLab or OCI source
 	if p.provider.GetSpec().FetchConfig != nil && p.provider.GetSpec().FetchConfig.OCI != "" {
-		configMap, err = OCIConfigMap(ctx, p.provider)
+		configMap, err = OCIConfigMap(ctx, p.provider, OCIAuthentication(p.configClient.Variables()))
 		if err != nil {
 			return reconcile.Result{}, wrapPhaseError(err, operatorv1.ComponentsFetchErrorReason, operatorv1.ProviderInstalledCondition)
 		}
@@ -225,7 +226,7 @@ func TemplateManifestsConfigMap(provider operatorv1.GenericProvider, labels map[
 }
 
 // OCIConfigMap templates config from the OCI source.
-func OCIConfigMap(ctx context.Context, provider operatorv1.GenericProvider) (*corev1.ConfigMap, error) {
+func OCIConfigMap(ctx context.Context, provider operatorv1.GenericProvider, auth *auth.Credential) (*corev1.ConfigMap, error) {
 	store, err := FetchOCI(ctx, provider, nil)
 	if err != nil {
 		return nil, err

internal/controller/oci_source.go

@@ -33,10 +33,10 @@ import (
 )
 
 const (
-	ociUsernameKey     = "OCI_USERNAME"
-	ociPasswordKey     = "OCI_PASSWORD"
-	ociAccessTokenKey  = "OCI_ACCESS_TOKEN"
-	ociRefreshTokenKey = "OCI_REFRESH_TOKEN" // #nosec G101
+	OCIUsernameKey     = "OCI_USERNAME"
+	OCIPasswordKey     = "OCI_PASSWORD"
+	OCIAccessTokenKey  = "OCI_ACCESS_TOKEN"
+	OCIRefreshTokenKey = "OCI_REFRESH_TOKEN" // #nosec G101
 
 	metadataFile     = "metadata.yaml"
 	fullMetadataFile = "%s-%s-%s-metadata.yaml"
@@ -184,10 +184,10 @@ func CopyOCIStore(ctx context.Context, url string, version string, store *mapSto
 
 // OCIAuthentication returns user supplied credentials from provider variables.
 func OCIAuthentication(c configclient.VariablesClient) *auth.Credential {
-	username, _ := c.Get(ociUsernameKey)
-	password, _ := c.Get(ociPasswordKey)
-	accessToken, _ := c.Get(ociAccessTokenKey)
-	refreshToken, _ := c.Get(ociRefreshTokenKey)
+	username, _ := c.Get(OCIUsernameKey)
+	password, _ := c.Get(OCIPasswordKey)
+	accessToken, _ := c.Get(OCIAccessTokenKey)
+	refreshToken, _ := c.Get(OCIRefreshTokenKey)
 
 	if username != "" || password != "" || accessToken != "" || refreshToken != "" {
 		return &auth.Credential{