deployer (tbc)

Author: d4rkstar

.env.example

@@ -12,4 +12,10 @@ KUBERNETES_CERT_FILENAME=./tokens/ca.crt
 # if not set, the image is build with local tag and will not be pushed
 REGISTRY=
 # namespace is required if REGISTRY is set
-NAMESPACE=
+NAMESPACE=
+
+REGISTRY_HOST=http://127.0.0.1:5000
+REGISTRY_USER=opsuser
+REGISTRY_PASS=password
+
+ADMIN_API_URL=http://127.0.0.1:5002

README.md

@@ -34,18 +34,23 @@ Available APIs at the moment:
 
 `PATCH /system/api/v1/auth/{login}` - Update the user password patching the corresponding wsku/\<login\> entry.
 
+### Build API
+
+`POST /system/api/build` - Perform the build of a custom image and push it to repository.
+
+More informations [Here](docs/DEPLOYER.md)
+
 ### Info API
 
 `GET /system/info` - Info endpoint
 
-
 ## Developer instructions
 
 You need to have access to be Apache OpenServerless admin and have access to kubernetes cluster.
 
 Refer to the [Apache OpenServerless installation page](https://openserverless.apache.org/docs/installation/install/docker/): 
 
-Give the command `task setup-developer` and it will:
+Give the command `task dev:setup-developer` and it will:
 
 - extract the required ca.crt and token from operator service account
 - copy a sample .env file
@@ -61,14 +66,22 @@ Open http://localhost:5002/system/apidocs/ to see the API documentation.
 Taskfile supports the following tasks:
 
 ```yaml
-* build:                 Build the image locally
-* build-and-load:        Build the image and loads it to local Kind cluster
-* buildx:                Build the docker image using buildx. Set PUSH=1 to push the image to the registry. 
-* docker-login:          Login to the docker registry. Set REGISTRY=ghcr or REGISTRY=dockerhub in .env to use the respective registry. 
-* get-tokens:            Get Service Account tokens and save them to tokens directory
-* image-tag:             Create a new tag for the current git commit.       
-* run:                   Run the admin api locally, using configuration from .env file 
-* setup-developer:       Setup developer environment
+* build:                       Build the image locally
+* build-and-load:              Build the image and loads it to local Kind cluster
+* buildx:                      Build the docker image using buildx. Set PUSH=1 to push the image to the registry. 
+* docker-login:                Login to the docker registry. Set REGISTRY=ghcr or REGISTRY=dockerhub in .env to use the respective registry. 
+* image-tag:                   Create a new tag for the current git commit.       
+* builder:cleanjobs:           Clean up old jobs
+* builder:delete-image:        Delete an image from the registry
+* builder:get-image:           Get an image from the registry
+* builder:list-catalogs:       List catalogs in the registry
+* builder:list-images:         List images in a specific catalog
+* builder:logs:                Show logs of the last build job
+* builder:send:                Send the build to the server
+* builder:updatetoml:          Update the buildkitd.toml file config map
+* dev:get-tokens:              Get Service Account tokens and save them to tokens directory
+* dev:run:                     Run the admin api locally, using configuration from .env file 
+* dev:setup-developer:         Setup developer environment
 ```
 
 ## Build and push
@@ -128,4 +141,8 @@ $ git push apache 0.1.0-incubating.2507270910
 ```
 
 This will trigger the build workflow, and the process will be visible at
-https://github.com/apache/openserverless-admin-api/actions
+https://github.com/apache/openserverless-admin-api/actions
+
+## Additional Documentation
+
+- [Deployer](docs/DEPLOYER.md)

Taskfile.yml

@@ -27,32 +27,14 @@ vars:
 
 dotenv:
  - .env  
-  
-tasks:
 
-  get-tokens:
-    desc: "Get Service Account tokens and save them to tokens directory"
-    silent: true
-    cmds:
-      - mkdir -p tokens
-      - kubectl get secret nuvolaris-wsku-secret -o jsonpath='{.data.token}' | base64 --decode > tokens/token
-      - kubectl get secret nuvolaris-wsku-secret -o jsonpath='{.data.ca\.crt}' | base64 --decode > tokens/ca.crt
+includes:
+  builder:
+    taskfile: TaskfileBuilder.yml
+  dev:
+    taskfile: TaskfileDev.yml
 
-  setup-developer:
-    desc: "Setup developer environment"
-    silent: true
-    cmds:
-      - task: get-tokens
-      - |
-        if [ ! -f .env ]; 
-        then cp .env.example .env
-          echo "Please edit .env file with your local CouchDB and Kubernetes credentials"
-        fi
-      - |
-        if [ ! -d .venv ];
-        then uv venv
-        fi
-      - uv pip install -r pyproject.toml 2>/dev/null 
+tasks:
 
   docker-login-ghcr: >
     silent: true
@@ -144,9 +126,3 @@ tasks:
         BASEIMG=$(task base-image-name)
         IMG="$BASEIMG:{{.TAG}}"
         kind load docker-image $IMG --name=nuvolaris
-
-  run:
-    desc: |
-      Run the admin api locally, using configuration from .env file
-    cmds:
-      - uv run -m openserverless

TaskfileBuilder.yml

@@ -0,0 +1,106 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+version: '3'
+
+tasks:
+  
+  send:
+    desc: Send the build to the server
+    vars:
+      AUTH:
+        sh: cat ~/.wskprops | grep "AUTH" | cut -d'=' -f2 | xargs -I {}
+    cmds:
+      - if test -z "{{.SOURCE}}"; then echo "SOURCE IS NOT SET" && exit 1; fi
+      - if test -z "{{.TARGET}}"; then echo "TARGET IS NOT SET" && exit 1; fi
+      - if test -z "{{.KIND}}"; then echo "KIND IS NOT SET" && exit 1; fi
+      - |
+        echo '{"source": "{{.SOURCE}}", "target": "{{.TARGET}}", "kind": "{{.KIND}}", "file": "{{.REQUIREMENTS}}" }' | http POST $ADMIN_API_URL/system/build Content-Type:application/json Authorization:"{{.AUTH}}"
+      - sleep 5
+      - task: logs
+    deps:
+      - cleanjobs
+      # - updatetoml
+    silent: true
+  
+  logs:
+    desc: Show logs of the last build job
+    cmds:
+      - kubectl -n nuvolaris logs $(kubectl get jobs.batch -o name | grep "build-") -c buildkit --follow
+    silent: false
+  
+  cleanjobs:
+    desc: Clean up old jobs
+    cmds:
+      - for I in $(kubectl get jobs -n nuvolaris | grep build | awk '{ print $1 }' | tr "\n" " "); do kubectl delete job $I; done
+      - for I in $(kubectl get cm -n nuvolaris | grep "cm-" | awk '{ print $1 }' | tr "\n" " "); do kubectl delete cm $I; done
+    silent: true
+  
+  updatetoml:
+    desc: Update the buildkitd.toml file config map
+    cmds:
+      - |
+        if test $(kubectl -n nuvolaris get cm -o name | grep nuvolaris-buildkitd-conf | wc -l) -gt 0; 
+          then kubectl -n nuvolaris delete configmap nuvolaris-buildkitd-conf
+        fi
+      - kubectl -n nuvolaris create configmap nuvolaris-buildkitd-conf --from-file=deploy/buildkit/buildkitd.toml
+    silent: true
+
+  list-catalogs:
+    desc: List catalogs in the registry
+    cmds:
+      - http -a $REGISTRY_USER:$REGISTRY_PASS GET "${REGISTRY_HOST}/v2/_catalog"
+    silent: false
+
+  list-images:
+    desc: List images in a specific catalog
+    vars:
+      CATALOG: '{{.CATALOG}}'
+    cmds:
+      - if test -z "{{.CATALOG}}"; then echo "CATALOG IS NOT SET" && exit 1; fi
+      - http -a $REGISTRY_USER:$REGISTRY_PASS GET "${REGISTRY_HOST}/v2/{{.CATALOG}}/tags/list"
+    silent: false
+  
+  get-image:
+    desc: Get an image from the registry
+    vars:
+      IMAGE: '{{.IMAGE}}'
+      IMAGE_NAME:
+        sh: echo '{{.IMAGE}}' | cut -d':' -f1
+      HASH:
+        sh: echo '{{.IMAGE}}' | cut -d':' -f2
+    cmds:
+      - echo "Getting image {{.IMAGE_NAME}} with hash {{.HASH}}"
+      - http -a $REGISTRY_USER:$REGISTRY_PASS GET "${REGISTRY_HOST}/v2/{{.IMAGE_NAME}}/manifests/{{.HASH}}"
+    silent: false
+
+  delete-image:
+    desc: Delete an image from the registry
+    vars:
+      IMAGE: '{{.IMAGE}}'
+      IMAGE_NAME:
+        sh: echo '{{.IMAGE}}' | cut -d':' -f1
+      HASH:
+        sh: echo '{{.IMAGE}}' | cut -d':' -f2
+      MANIFEST_DIGEST:
+        sh: http --headers -a $REGISTRY_USER:$REGISTRY_PASS GET "${REGISTRY_HOST}/v2/{{.IMAGE_NAME}}/manifests/{{.HASH}}" | grep -i 'Docker-Content-Digest:' | awk '{print $2}' | tr -d '\r'
+    cmds:
+      - echo 'Deleting image {{.IMAGE}}'
+      - echo "Deleting manifest {{.MANIFEST_DIGEST}} for image {{.IMAGE_NAME}}"
+      - http -a $REGISTRY_USER:$REGISTRY_PASS DELETE "${REGISTRY_HOST}/v2/{{.IMAGE_NAME}}/manifests/{{.MANIFEST_DIGEST}}"
+    silent: false

TaskfileDev.yml

@@ -0,0 +1,50 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+version: '3'
+
+tasks:
+  get-tokens:
+    desc: "Get Service Account tokens and save them to tokens directory"
+    silent: true
+    cmds:
+      - mkdir -p tokens
+      - kubectl get secret nuvolaris-wsku-secret -o jsonpath='{.data.token}' | base64 --decode > tokens/token
+      - kubectl get secret nuvolaris-wsku-secret -o jsonpath='{.data.ca\.crt}' | base64 --decode > tokens/ca.crt
+      
+  setup-developer:
+    desc: "Setup developer environment"
+    silent: true
+    cmds:
+      - task: get-tokens
+      - |
+        if [ ! -f .env ]; 
+        then cp .env.example .env
+          echo "Please edit .env file with your local CouchDB and Kubernetes credentials"
+        fi
+      - |
+        if [ ! -d .venv ];
+        then uv venv
+        fi
+      - uv pip install -r pyproject.toml 2>/dev/null 
+  
+  run:
+    desc: |
+      Run the admin api locally, using configuration from .env file
+    cmds:
+      - uv run -m openserverless

deploy/buildkit/buildkitd.toml

@@ -0,0 +1,24 @@
+# =========================
+# Worker OCI (rootlesskit)
+# =========================
+[worker.oci]
+  enabled = true
+  rootless = true
+  no-process-sandbox = true
+  snapshotter = "overlayfs"   # usa overlayfs se il kernel lo consente
+
+[worker.containerd]
+  enabled = false
+
+# =========================
+# Registry HTTP insicuro
+# =========================
+[registry."nuvolaris-registry-svc:5000"]
+  insecure = true
+  http = true
+
+# =========================
+# Logging
+# =========================
+[log]
+  level = "debug"

deploy/samples/requirements.txt

@@ -0,0 +1,2 @@
+gnews
+beautifulsoup4

docs/DEPLOYER.md

@@ -0,0 +1,60 @@
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one
+  ~ or more contributor license agreements.  See the NOTICE file
+  ~ distributed with this work for additional information
+  ~ regarding copyright ownership.  The ASF licenses this file
+  ~ to you under the Apache License, Version 2.0 (the
+  ~ "License"); you may not use this file except in compliance
+  ~ with the License.  You may obtain a copy of the License at
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  ~
+-->
+# Deployer
+
+These tasks are useful to interact with OpenServerless Admin Api Builder
+
+There are some tasks to interact with OpenServerless internal registry too.
+
+## Available tasks
+
+task: Available tasks for this project:
+
+```
+* builder:cleanjobs:           Clean up old jobs
+* builder:delete-image:        Delete an image from the registry
+* builder:get-image:           Get an image from the registry
+* builder:list-catalogs:       List catalogs in the registry
+* builder:list-images:         List images in a specific catalog
+* builder:logs:                Show logs of the last build job
+* builder:send:                Send the build to the server
+* builder:updatetoml:          Update the buildkitd.toml file config map
+```
+
+## Examples
+
+### Build a custom runtime
+
+`task builder:send SOURCE=apache/openserverless-runtime-python:v3.13-2506091954 TARGET=devel:python3.13-custom KIND=python REQUIREMENTS=$(base64 -i deploy/samples/requirements.txt)`
+
+### List images for the user
+
+`task builder:list-images CATALOG=devel`
+
+### Delete an image for the user
+
+`task builder:delete-image IMAGE=devel:alpine`
+
+# Useful Links
+
+- https://crazymax.dev/buildkit/user-guides/rootless-mode/
+- https://www.linkedin.com/pulse/kubernetes-v133-user-namespaces-revolutionizing-false-rodrigo-mqoif/
+- https://chatgpt.com/c/689c9b5b-1d3c-8333-9f25-19d016fdacd0
+- https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/