image-cache: allow updating on and accessing from a live cluster

[srgvg]

Feature Request

Description

I just did some initial tests of Talos v1.9.0-beta1 which includes the image-cache feature, and this seems to work as expected.

To be able to fully manage a stand-alone, isolated and air-gapped cluster, it would be neat to have some extra features:

• update (push new and delete old from) the cache on a live cluster
• access the cache as a proper registry/oci registry over http, to allow caching more than just container images: e.g. Helm charts or FluxCD artifacts. The FluxCD source controller OCIRepository object can be configured with a "proxy server". This proxy server should point to the local cache.

Related

• Whilst adding non container images like Helm charts, to the cache is currently possible, it does not work with the talosctl images cache-create --image-layer-cache-path switch. I tried looking at the crane project to find out if that misses some switch of its own, or is a bug - as they do support other OCI types - but couldn't exactly pinpoint it.

[smira]

Please keep in mind that you can also deploy a registry mirror in the environment as well which would support all of the above in a more native way.

I don't think we would allow external network access to the image cache for security reasons.

Updating the cache on a live cluster might be on a radar eventually.

[a1994sc]

The project zarf does a very similar thing of creating an intra-cluster oci registry; I am very much looking forward to trying this feature out in the near future.... having core images cached on disk sounds amazing.