Package the checks as an OCI container for usage in Kubernetes (#6)

* Add packaging OCI container

This commit adds a OCI to deploy the checks via Kubernetes

* Instruct OBS to build the container

This commit adds supporting files for building the container via OBS

* Publish container to OBS via GitHub actions

This commit expands the ci.yaml file wit the ability to deploy the
checks OCI image to OBS.

* Prohibit accidental overrides

This commit ensures checks get only installed into a non empty
pre-existing directory. This is done to ensure that the volume is
mounted and empty. The installation should fail otherwise.

* Remove dead code

.github/workflows/ci.yaml

@@ -81,3 +81,65 @@ jobs:
           pushd $OSC_CHECKOUT_DIR
           osc ar
           osc commit -m "GitHub Actions automated update to reference ${{ github.sha }}"
+
+  obs-commit-image:
+    name: Commit to OBS to generate a container image
+    runs-on: ubuntu-20.04
+    if: github.ref == 'refs/heads/main' || github.event_name == 'release'
+    needs: [tlint]
+    container:
+      image: ghcr.io/trento-project/continuous-delivery:main
+      env:
+        FOLDER: packaging/suse/container
+        NAME: trento-checks-image
+        OBS_PASS: ${{ secrets.OBS_PASS }}
+        OBS_PROJECT: ${{ secrets.OBS_PROJECT }}
+        OBS_USER: ${{ secrets.OBS_USER }}
+        OSC_CHECKOUT_DIR: /tmp/trento-checks-image
+        REPOSITORY: ${{ github.repository }}
+      options: -u 0:0
+    steps:
+      - name: Cancel Previous Runs
+        uses: styfle/[email protected]
+        with:
+          access_token: ${{ github.token }}
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions-ecosystem/action-get-latest-tag@v1
+        id: latest-tag
+        with:
+          semver_only: true
+          initial_version: 0.0.1
+      - name: Configure OSC
+        run: |
+          mkdir -p $HOME/.config/osc
+          cp /home/osc/.config/osc/oscrc $HOME/.config/osc
+          /scripts/init_osc_creds.sh
+      - name: Prepare .changes file
+        # The .changes file is updated only in release creation. This current task should be improved
+        # in order to add the current rolling release notes
+        if: github.event_name == 'release'
+        run: |
+          CHANGES_FILE=$NAME.changes
+          osc checkout $OBS_PROJECT $NAME $CHANGES_FILE
+          mv $CHANGES_FILE $FOLDER
+          VERSION=${{ steps.latest-tag.outputs.tag }}
+          hack/gh_release_to_obs_changeset.py $REPOSITORY -a [email protected] -t $VERSION -f $FOLDER/$CHANGES_FILE
+      - name: Set version
+        run: |
+          git config --global --add safe.directory /__w/checks/checks
+          VERSION=$(./hack/get_version_from_git.sh)
+          # "+" character is not allowed in OBS dockerfile version strings
+          VERSION=${VERSION//[+]/-}
+          sed -i 's~%%VERSION%%~'"${VERSION}"'~' $FOLDER/Dockerfile
+      - name: Commit on OBS
+        run: |
+          OBS_PACKAGE=$OBS_PROJECT/$NAME
+          osc checkout $OBS_PACKAGE -o $OSC_CHECKOUT_DIR
+          cp -r $FOLDER/* $OSC_CHECKOUT_DIR
+          tar --transform 's,^./,/checks/,' -zcvf $OSC_CHECKOUT_DIR/checks.tar.gz --exclude=./.git ./*
+          cd $OSC_CHECKOUT_DIR
+          osc ar
+          osc commit -m "New development version of $NAME released"
+

bin/trento-install-checks

@@ -0,0 +1,39 @@
+#!/bin/sh
+#
+#  trento-install-checks
+#
+#  This script installs the checks into the directory Wanda expects them.  It
+#  is required, for Kubernetes style sidecar containers and should not be used
+#  in regular deployments using docker
+#
+
+checks_src="/usr/local/src/trento-checks/checks"
+checks_dst="/usr/share/trento/checks"
+
+if [ -d "$checks_dst" ] && [ -n "$(find "$checks_dst" -maxdepth 0 -type d -empty 2>/dev/null)" ]; then
+  if [ ! -d "$checks_src" ]; then
+    echo "Make sure the checks are installed to $checks_src" 1>&2
+
+    # FIXME: handle via trap
+    unset checks_src
+    unset checks_dst
+
+    exit 1
+  fi
+
+  install -p -m 0644 "$checks_src"/* "$checks_dst" || echo "Make sure $checks_dst exists, is empty and accessible" 1>&2
+
+  # FIXME: handle via trap
+  unset checks_src
+  unset checks_dst
+
+  exit $?
+fi
+
+echo "Make sure $checks_dst exists, is empty and accessible" 1>&2
+
+# FIXME: handle via trap
+unset checks_src
+unset checks_dst
+
+exit 1

packaging/suse/container/Dockerfile

@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: Apache-2.0
+#!BuildTag: trento/trento-checks:latest
+#!BuildTag: trento/trento-checks:%%VERSION%%
+#!BuildTag: trento/trento-checks:%%VERSION%%-build%RELEASE%
+#!UseOBSRepositories
+#!ExclusiveArch: x86_64
+FROM bci/bci-base:15.4
+
+LABEL org.opencontainers.image.source="https://github.com/trento-project/checks"
+
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+# tar is required by kubectl cp
+RUN zypper --non-interactive in -y tar && \
+    zypper --non-interactive clean
+
+COPY checks /usr/local/src/trento-checks/checks
+
+COPY bin/trento-install-checks /usr/local/bin/trento-install-checks
+RUN chmod +x /usr/local/bin/trento-install-checks
+
+ENTRYPOINT ["/usr/local/bin/trento-install-checks"]

packaging/suse/container/_constraints

@@ -0,0 +1,7 @@
+<constraints>
+  <hardware>
+    <disk>
+      <size unit="G">8</size>
+    </disk>
+  </hardware>
+</constraints>

packaging/suse/container/_service

@@ -0,0 +1,4 @@
+<services>
+  <service mode="buildtime" name="docker_label_helper"/>
+  <service mode="buildtime" name="kiwi_metainfo_helper"/>
+</services>