Bump the Kit metadata label version, bundle krane with Twoliter #387

Merged
merged 4 commits into from
Oct 8, 2024


@cbgbt cbgbt commented Oct 7, 2024

Issue number:

Closes #362
Closes #352

Description of changes:
The Kit metadata version bump is motivated by #384, which will begin to introduce application inventory that includes an RPM package's "Epoch" value and refrain from special-casing bottlerocket-core-kit. This change will cause unexpected advisory evaluation behavior for downstream workspaces which depend on core-kit but use an older version of Twoliter when core-kit bumps the epoch of all packages.

When introducing the version bump, Twoliter's integration tests began to fail because they depend on existing published kits, so this PR additionally:

  • Bundles the krane tool with Twoliter, obviating the need to use system-provided OCI tooling
  • Rewrites the integration tests to build and publish kits to a local registry

Testing done:

  • Provided unit and integration tests pass
  • If I try to build bottlerocket-os/bottlerocket with this change directly, I get the following message:
...
[2024-10-07T06:43:37Z INFO  twoliter::project::lock::image] Resolving dependency image dependency '[email protected]/bottlerocket/bottlerocket-core-kit:v2.8.4'.
Error: kit appears to be built with metadata version 'v1', possibly by an older version of twoliter with unsupported incompatibilities. This version of twoliter supports metadata version 'v2'.
  • If I build my own core-kit, then proceed to build bottlerocket, the build proceeds as usual.
  • If I try to build with this new core-kit, but the previous Twoliter, I get the following:
[2024-10-07T07:21:39Z INFO  twoliter::project::lock::image] Resolving dependency image dependency '[email protected]/bottlerocket/bottlerocket-core-kit:v2.8.5 (overridden-to: public.ecr.aws/seankell/bottlerocket-core-kit:v2.8.5)'.
Error: no metadata stored on image, this image appears to not be a kit

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@cbgbt cbgbt force-pushed the bundle-krane branch 2 times, most recently from 569115f to b64a8f2 Compare October 7, 2024 07:26
@@ -0,0 +1 @@
SHA512 (go-containerregistry-v0.20.1.tar.gz) = c323c5b78c35fb7af67641fa4ef1802b944f8bd908163ff40a952a0c190e2dd210100efba1fbc2064495cff28a60d5bc7ee98e510ec116522c7897539b02fad8
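Review bot: The added entry pins go-containerregistry-v0.20.1.tar.gz by SHA512 but records no source location, so nothing in this line says which upstream file the digest was computed over. Suggest recording the download URL as a comment directly above the entry, or next to wherever the archive is declared, so the digest can be recomputed from a fresh download during review.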

It'd be nice to have a URL in a comment above this, so it's easy to double-check hashes. Also in this case, there's both the GitHub-generated archive and a release artifact of the sources, so the URL would help indicate which one is used.
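
One way to double-check an entry in the `SHA512 (name) = digest` form shown in the hunk above against a downloaded archive, as an added example that is not part of this PR or of Twoliter's code. The helper names `parse_entry` and `verify` are hypothetical, and the sample file name and contents are constructed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# BSD-style tagged checksum line, the format used in the hunk above:
#   SHA512 (<file name>) = <128 hex digits>
ENTRY_RE = re.compile(r"^(?P<algo>[A-Z0-9]+) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]+)$")
DIGEST_HEX_LEN = {"SHA256": 64, "SHA512": 128}


def parse_entry(line):
    """Return (algo, file name, lowercase hex digest) or raise ValueError."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tagged checksum line: {line!r}")
    algo, name, digest = m["algo"], m["name"], m["hex"].lower()
    if DIGEST_HEX_LEN.get(algo) != len(digest):
        raise ValueError(f"unsupported algorithm or truncated digest for {name}")
    if Path(name).name != name:  # reject entries that carry a directory component
        raise ValueError(f"entry must name a bare file, got {name!r}")
    return algo, name, digest


def verify(entry_line, directory):
    """True only if <directory>/<name> hashes to the pinned digest."""
    algo, name, expected = parse_entry(entry_line)
    h = hashlib.new(algo.lower())
    with open(Path(directory) / name, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


def demo():
    """Constructed sample: a stand-in archive and its entry, then a modified copy."""
    with tempfile.TemporaryDirectory() as d:
        name = "example-v0.0.0.tar.gz"  # hypothetical file name
        data = b"constructed archive bytes"
        (Path(d) / name).write_bytes(data)
        entry = f"SHA512 ({name}) = {hashlib.sha512(data).hexdigest()}"
        ok = verify(entry, d)
        (Path(d) / name).write_bytes(data + b", modified")
        return ok, verify(entry, d)


if __name__ == "__main__":
    print(demo())
```

Run against two downloads of the same tag, one from each candidate URL, this shows which of them the pinned digest was actually computed over.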

@cbgbt

cbgbt commented Oct 8, 2024

^ force push to address comment from @bcressey

@cbgbt

cbgbt commented Oct 8, 2024

^ force push to rebase

cbgbt and others added 4 commits October 8, 2024 17:55
With support for krane bundled with twoliter, these codepaths are at
risk of succumbing to bitrot. We will remove them in favor of providing
the functionality ourselves.

@sam-berning sam-berning left a comment


Nice, this looks good!

Now that krane is bundled in to twoliter, there's some cleanup that we can do on oci-cli-wrapper (or maybe we can just eliminate it) because we needed to provide an interface that worked for both docker and krane and they didn't play nice in some cases. Not a problem for this PR though, we can just open an issue.

@cbgbt

cbgbt commented Oct 8, 2024

> Now that krane is bundled in to twoliter, there's some cleanup that we can do on oci-cli-wrapper (or maybe we can just eliminate it) because we needed to provide an interface that worked for both docker and krane and they didn't play nice in some cases

I was thinking about this too. For now I've opted to keep the interface in case we regret the decision to use krane or want to shop around, or re-introduce the ability to override it at runtime.

I'm definitely open to removing it or favoring a more pleasant API in the future though!

@cbgbt cbgbt merged commit 3d54323 into bottlerocket-os:develop Oct 8, 2024
1 check passed
@cbgbt cbgbt deleted the bundle-krane branch October 8, 2024 21:44
Successfully merging this pull request may close these issues.

  • CI: Add integration tests for Twoliter.override
  • Bundle crane with twoliter