feat: support convertion to encrypted nydus image

Support convering oci image to encrypted nydus image.

Signed-off-by: taohong <taoohong@linux.alibaba.com>

go.mod

@@ -4,7 +4,7 @@ go 1.18
 
 require (
 	github.com/containerd/containerd v1.7.2
-	github.com/containerd/nydus-snapshotter v0.9.0
+	github.com/containerd/nydus-snapshotter v0.10.0
 	github.com/containerd/stargz-snapshotter v0.14.3
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3
 	github.com/docker/cli v23.0.3+incompatible

go.sum

@@ -66,8 +66,8 @@ github.com/containerd/continuity v0.4.1 h1:wQnVrjIyQ8vhU2sgOiL5T07jo+ouqc2bnKsv5
 github.com/containerd/continuity v0.4.1/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
 github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY=
 github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o=
-github.com/containerd/nydus-snapshotter v0.9.0 h1:f0Tr3srVKDlURgLG/Kocy4WQIYsmSoc8ihHxdzfB2S0=
-github.com/containerd/nydus-snapshotter v0.9.0/go.mod h1:xEsAzeM0gZEW6POBPOa+1X7EThYsEJNWnO/fhf2moYU=
+github.com/containerd/nydus-snapshotter v0.10.0 h1:aCQoKmksOmZ2C34znlhOCOlYExiw4s/UPPzbIFKQc8U=
+github.com/containerd/nydus-snapshotter v0.10.0/go.mod h1:xEsAzeM0gZEW6POBPOa+1X7EThYsEJNWnO/fhf2moYU=
 github.com/containerd/stargz-snapshotter v0.14.3 h1:OTUVZoPSPs8mGgmQUE1dqw3WX/3nrsmsurW7UPLWl1U=
 github.com/containerd/stargz-snapshotter v0.14.3/go.mod h1:j2Ya4JeA5gMZJr8BchSkPjlcCEh++auAxp4nidPI6N0=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=

pkg/driver/nydus/nydus.go

@@ -63,20 +63,21 @@ type chunkDictInfo struct {
 }
 
 type Driver struct {
-	workDir          string
-	builderPath      string
-	fsVersion        string
-	compressor       string
-	chunkDictRef     string
-	mergeManifest    bool
-	ociRef           bool
-	docker2oci       bool
-	alignedChunk     bool
-	chunkSize        string
-	batchSize        string
-	prefetchPatterns string
-	backend          backend.Backend
-	platformMC       platforms.MatchComparer
+	workDir           string
+	builderPath       string
+	fsVersion         string
+	compressor        string
+	chunkDictRef      string
+	mergeManifest     bool
+	ociRef            bool
+	docker2oci        bool
+	alignedChunk      bool
+	chunkSize         string
+	batchSize         string
+	prefetchPatterns  string
+	backend           backend.Backend
+	platformMC        platforms.MatchComparer
+	encryptRecipients []string
 }
 
 func detectBuilderVersion(ctx context.Context, builder string) string {
@@ -174,26 +175,32 @@ func New(cfg map[string]string, platformMC platforms.MatchComparer) (*Driver, er
 		return nil, errors.Wrap(err, "invalid oci_ref option")
 	}
 
+	encryptRecipients := []string{}
+	if cfg["encrypt_recipients"] != "" {
+		encryptRecipients = strings.Split(cfg["encrypt_recipients"], ",")
+	}
+
 	if ociRef && fsVersion != "6" {
 		logrus.Warn("forcibly using fs version 6 when oci_ref option enabled")
 		fsVersion = "6"
 	}
 
 	return &Driver{
-		workDir:          workDir,
-		builderPath:      builderPath,
-		fsVersion:        fsVersion,
-		compressor:       compressor,
-		chunkDictRef:     chunkDictRef,
-		mergeManifest:    mergeManifest,
-		ociRef:           ociRef,
-		docker2oci:       docker2oci,
-		alignedChunk:     fsAlignChunk,
-		chunkSize:        fsChunkSize,
-		batchSize:        BatchSize,
-		prefetchPatterns: prefetchPatterns,
-		backend:          _backend,
-		platformMC:       platformMC,
+		workDir:           workDir,
+		builderPath:       builderPath,
+		fsVersion:         fsVersion,
+		compressor:        compressor,
+		chunkDictRef:      chunkDictRef,
+		mergeManifest:     mergeManifest,
+		ociRef:            ociRef,
+		docker2oci:        docker2oci,
+		alignedChunk:      fsAlignChunk,
+		chunkSize:         fsChunkSize,
+		batchSize:         BatchSize,
+		prefetchPatterns:  prefetchPatterns,
+		backend:           _backend,
+		platformMC:        platformMC,
+		encryptRecipients: encryptRecipients,
 	}, nil
 }
 
@@ -244,16 +251,18 @@ func (d *Driver) convert(ctx context.Context, provider accelcontent.Provider, so
 		AlignedChunk:     d.alignedChunk,
 		ChunkSize:        d.chunkSize,
 		BatchSize:        d.batchSize,
+		Encrypt:          len(d.encryptRecipients) != 0,
 	}
 	mergeOpt := nydusify.MergeOption{
-		WorkDir:          packOpt.WorkDir,
-		BuilderPath:      packOpt.BuilderPath,
-		FsVersion:        packOpt.FsVersion,
-		ChunkDictPath:    packOpt.ChunkDictPath,
-		PrefetchPatterns: packOpt.PrefetchPatterns,
-		Backend:          packOpt.Backend,
-		OCI:              d.docker2oci,
-		OCIRef:           packOpt.OCIRef,
+		WorkDir:           packOpt.WorkDir,
+		BuilderPath:       packOpt.BuilderPath,
+		FsVersion:         packOpt.FsVersion,
+		ChunkDictPath:     packOpt.ChunkDictPath,
+		PrefetchPatterns:  packOpt.PrefetchPatterns,
+		Backend:           packOpt.Backend,
+		OCI:               d.docker2oci,
+		OCIRef:            packOpt.OCIRef,
+		EncryptRecipients: d.encryptRecipients,
 	}
 	convertHookFunc := func(
 		ctx context.Context, cs content.Store, orgDesc ocispec.Descriptor, newDesc *ocispec.Descriptor,