add support for vendor override files

[jmt-lab]

Description of changes:

• Introduces concept of vendor override files. Users can now define a vendor.toml or multiple toml files in a vendor.d/ directory that specify overrides for vendors.
• Twoliter will now utilized the vendor overrides and maintains its digest check on the actual images match

Testing done:

• Tested use of vendor.toml override and ensured twoliter fetch passed and fetched the correct image
• Tested error on if the digests are different
• Tested use of vendor.d/ folder

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[cbgbt]

Would it be possible to add integration tests that show how vendor overrides interact with a workspace? I think that would help clarify the behavior and, of course, protect us from regressions.

[cbgbt]

Nice work so far! There has been some offline conversation around modifying how the override interacts with different scenarios.

Apart from that, I have some suggestions for the implementation.

[cbgbt]

Nice work! The refactor really makes things much cleaner, thanks for doing that! I think as overall feedback, I'd like to see some test cases showing the expected behavior of the overrides.

[cbgbt]

#[serde(skip)] here introduces an invariant that the programmer now has to keep track of: If I want to use overrides, I need to ensure that codepaths which populate this B Tree have been run first.

I'd prefer if we could instead use the type system enforce these invariants. Maybe we could instead create a parent Workspace structure which refers to both the ser/de Lock and also separately parses or holds the overrides?

[jmt-lab]

I actually think this should move to Project which kind of acts as our parent Workspace structure.

[cbgbt]

That makes sense to me!

[cbgbt]

I would have expected cargo fmt to add whitespace here.

[cbgbt]

We may wish to do a set comparison here.

[cbgbt]

Looks like this drops the concept of the override.d style directory that we had mentioned.

Just commenting to confirm. I'm ok with incrementally adding that if we need it!

[cbgbt]

I never knew that Rust reserved the override keyword :)

[cbgbt]

Not needed for this PR since we aren't actually changing this, but I think it's more common in rust to use VecDeque for breadth-first traversal.

e.g. you can do:

while let Some(image) = remaining.pop_front() {
    /// etc etc
    for dep in metadata.kits {
        remaining.push_back();
    }
}

I'd be happy with just cutting an issue to simplify this later.

[cbgbt]

Nice work, @jmt-lab!

As a followup on the ask for integration testing -- @jmt-lab hit some road blocks with Docker misbehaving while interacting with a secure registry on localhost (and also seemingly making nonsense of the image digest...).

I have seen his integration tests pass for crane and otherwise seen how they fail due to docker "strangeness."

We'll cut an issue to followup on cleaning up the integration tests, since twoliter overrides blocks other important work in Twoliter.

@jmt-lab mind linking a remote branch with the current progress, even if the code is hack quality?

[cbgbt]

Nice!

[jmt-lab]

It's currently living in my fork at: https://github.com/jmt-lab/twoliter/tree/integ-save