operator: add ephemeral volume support for Clair (PROJQUAY-6684)

[dmesser]

Add Ephemeral Volume Support for /tmp in Managed Clair Component

Summary

This PR introduces an optional feature for the managed Clair component, allowing users to enable a generic ephemeral volume mount at /tmp inside the Clair container. This addresses PROJQUAY-6684 and provides a workaround for issues with /tmp storage in certain environments.

Key Features

• New Override:
  Adds a useEphemeralVolume boolean override for the managed Clair component. When set to true, a generic ephemeral volume is mounted at /tmp.
• Configurable Storage:
  Users can optionally override storageClassName and volumeSize (default: 10Gi, minimum: 1Gi) for the ephemeral volume, similar to existing database components.
• Validation:
  • If useEphemeralVolume is not enabled, specifying storageClassName or volumeSize triggers a clear error in the Clair component status.
  • Volume size below 1Gi is rejected with a user-friendly error.
• Status Reporting:
  PVC provisioning and error events for the ephemeral volume are surfaced in the Clair component’s status, consistent with how database PVCs are handled.
• Refactoring:
  Centralizes the logic and string constants for identifying the Clair deployment, improving maintainability.
• Tests:
  Unit test and integration test coverage has been added. Also an existing kuttl tests has been fixed.

Motivation

In environments with a heavy load and large image layers, Clair doesn't have to use the executing nodes' (often limited) local storage for unpacking individual image layers, but can rely on external storage, which can dynamically request higher capacity or faster storage. It's not a classic persistent volume because we only need this storage during the lifetime of the individual pod.

Backwards Compatibility

The new override is optional and defaults to false, preserving existing behavior for all users not opting in.

---

Summary by Sourcery

Add optional ephemeral volume support for Clair component to mount a PVC-backed ephemeral volume at /tmp with configurable storage class and size, including validation, status reporting, and related tests.

New Features:

• Introduce a useEphemeralVolume override to enable an ephemeral PVC volume at /tmp in the managed Clair component
• Allow configuring the ephemeral volume’s storageClassName and volumeSize with sensible defaults

Enhancements:

• Validate that storageClassName or volumeSize overrides require useEphemeralVolume=true and enforce a minimum 1Gi volume size
• Surface PVC provisioning status and failure events for the ephemeral /tmp volume in the Clair component’s readiness condition
• Refactor deployment suffix constants and consolidate Clair deployment identification logic

Documentation:

• Extend the CRD to include the useEphemeralVolume field

Tests:

• Add unit and integration tests for ephemeral volume injection and status checks
• Add e2e KUTTL tests to verify /tmp volume mount and configuration

[sourcery-ai]

We've reviewed this pull request using the Sourcery rules engine

[Copilot]

Pull Request Overview

This PR introduces optional ephemeral volume support for the Clair container, enabling a generic ephemeral volume to be mounted at /tmp for the managed Clair component.

• Adds a new boolean override (useEphemeralVolume) along with storageClassName and volumeSize options for Clair.
• Injects the ephemeral volume into the Clair deployment and updates status reporting and validation logic.
• Enhances unit and integration tests and updates CRD definitions accordingly.

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/middleware/middleware.go	Adds constants for deployment suffixes and injects ephemeral volume.
pkg/cmpstatus/clair_test.go	Provides extended test cases to validate ephemeral volume provisioning.
pkg/cmpstatus/clair.go	Adds PVC status checks for ephemeral volume with provisioning failure events.
e2e/storageclass_overrides/00-create-quay-registry.yaml	Minor update removing an extra configBundleSecret entry.
e2e/ephemeralvolume_overrides/00-create-quay-registry.yaml	Adds a new test CR for ephemeral volume overrides.
e2e/ephemeralvolume_overrides/00-assert.yaml	Asserts the presence and configuration of ephemeral volume injection.
config/crd/bases/quay.redhat.com_quayregistries.yaml	Updates CRD schema to include the useEphemeralVolume override.
bundle/manifests/quayregistries.crd.yaml	Mirrors CRD changes in the bundle manifest.
apis/quay/v1/zz_generated.deepcopy.go	Updates deepcopy functions for the new UseEphemeralVolume field override.
apis/quay/v1/quayregistry_types_test.go	Enhances override validation tests with new scenarios for ephemeral volumes.
apis/quay/v1/quayregistry_types.go	Adds support and validation for the ephemeral volume override.

Comments suppressed due to low confidence (2)

pkg/middleware/middleware.go:441

• [nitpick] Consider adding an inline comment to clarify that matching the container name with 'clairAppDeploymentSuffix' is intentional to identify the Clair container for ephemeral volume injection.

		if c.Name == clairAppDeploymentSuffix {

pkg/cmpstatus/clair.go:111

• The variable 'dep' is used to filter ReplicaSet owner references, but its definition isn't clearly visible in the scope of the new ephemeral volume check block. Please verify that 'dep' is properly defined and accessible here to prevent potential runtime errors.

					if owner.Kind == "Deployment" && owner.Name == dep.Name {

[sourcery-ai]

We've reviewed this pull request using the Sourcery rules engine