Support resource fetching from OCI artifacts

[jlebon]

From #1923 (comment):

Tangentially on this but Ignition still doesn't support fetching from OCI, right? IMO defining an OCI artifact format for Ignition and supporting fetching from it should actually become the default flow even. Nowadays there's so many good tools for OCI artifacts.

And the key here is: OCI is already cloud/platform independent and most IaaS systems support registry-as-service as well - we don't need per-hypervisor secrets for that.

[prestist]

Thanks for filing this @jlebon.

Context

This came up in the PR #1923 discussion where @cgwalters pointed out that OCI registries could replace the need for separate backends for each cloud provider (S3, GCS, Azure Blob, etc.). Benefits:

• Platform-agnostic: OCI is already supported across cloud providers
• Standardized auth: Registry-as-a-service offerings have consistent auth mechanisms
• Existing ecosystem: ORAS, Helm, cosign, and other tooling already exist
• Potential default: Could become the preferred method for distributing configs and resources

Current state

Ignition supports: http/https, tftp, s3/arn, gs, data, and Azure Blob (via https)

Each cloud-specific backend needs its own implementation and credential handling.

Implementation requirements

1. Artifact format: Define how Ignition configs and resources get packaged as OCI artifacts

   • OCI Artifacts spec or OCI Image manifest
   • Media types for Ignition configs, files, etc.

2. URL scheme: Something like oci://registry.example.com/namespace/artifact:tag

3. Auth support: Registry auth methods

   • Basic auth, bearer tokens
   • Cloud provider IAM (similar to S3/GCS)
   • Docker config.json credential helpers

4. Library options: Go OCI clients

   • github.com/google/go-containerregistry
   • github.com/containers/image (used by Podman/Buildah)
   • github.com/oras-project/oras-go (built for OCI artifacts)

5. Spec updates: Document in the Ignition spec

Related

• OCI Artifacts: https://github.com/opencontainers/artifacts
• ORAS: https://oras.land/

This needs design discussion before implementation. Best for someone familiar with Ignition internals and OCI specs.