Support fetching packages from S3 buckets

[lyoung-confluent]

Adds experimental support for fetching packages directly from S3 bucket via a s3://<bucket>/<optional prefix>/ repository URL. It will load any credentials from the default AWS credentials chain. While this uses the AWS S3 SDK, it can be pointed at any S3 compatible API (ex: GCS, Cloudflare R2, etc) via the endpoint url configuration feature.

[tuananh]

This is cool :) can we get this reviewed ?

[imjasonh]

Just curious: is there a specific use case you're interested in supporting with this, that this is blocking? This could be useful, but if we're not blocked on it I might like to consider it for a little longer.

(Sorry for not seeing this PR until now 😭 )

[imjasonh]

WDYT about https://gocloud.dev/howto/blob/ instead here? This could give us a standard interface for non-S3 APIs. AFAIK GCS's S3 compatibility is "best effort" which means not great.

[lyoung-confluent]

I think that would be fine to swap to if you'd prefer, though as I understand it pretty all blob storage implement the basic S3 APIs with full compatibility, it's as soon as you start using the more complex features like ACLs, CORS, etc that you start to run into issues. Given this is only ever calling GetObject I wouldn't expect to run into those issues.

[imjasonh]

This seems interesting, but I'm a bit worried about adding features that might move compatibility away from apk add and other non-go-apk tools.

[lyoung-confluent]

Just curious: is there a specific use case you're interested in supporting with this, that this is blocking? This could be useful, but if we're not blocked on it I might like to consider it for a little longer.

It's not blocking, we're building/using a fork of apko with this dependency replaced via go.mod to get the functionality right now, it would just be convenient to have upstream as well. I understand the apprehension around diverging from apk-tools though.

The use-case is we build APK packages internally (using melange) and publish them to an S3 bucket and then assemble a variety of images using those packages from S3 via apko. These are internal/private source code or binaries that will only be baked into images, not installed on the fly at runtime. As such we don't expect/need to support fetching the packages via apk-tools or HTTPS (mostly because authentication in apk-tools is limited to just basic authentication).

We experimented with using mountpoint-s3 and mounting the bucket as a packages directory then using apko as-is but that didn't work as it needs to seek on the files. Using s3fs-fuse does seem to work but it's not very friendly/easy to use for our developers on macOS so we looked at adding the support natively which is also more performant.

[lyoung-confluent]

It's worth calling out that this line has a bit of code-smell, uri.Parse will fail for the s3 schema: https://go.dev/play/p/PlTtp5oC7S3

This line currently just directly casts to the underlying uri.URI type to avoid this which isn't great

[lyoung-confluent]

@imjasonh An alternative design that might be more palatable is to adopt the pattern used by Terraform via https://github.com/hashicorp/go-getter (or maybe even just swap to using this library) where a custom prefix of s3:: or gcs:: can be added before the https:// when providing a URL, ex:

s3::https://s3.amazonaws.com/bucket/foo
gcs::https://www.googleapis.com/storage/v1/bucket

That could allow us to still specify the raw https://... URL in the apk repositories file. It's more of a build-time hint to use authentication when accessing the URL still over HTTP