feat: mvp

.dmtlint.yaml

@@ -0,0 +1,31 @@
+global:
+  linters-settings:
+    documentation:
+      impact: error
+linters-settings:
+  openapi:
+    exclude-rules:
+      enum:
+        - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.sts.properties.provider"
+        - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.provider"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.spec.properties.provider"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.spec.properties.sts.properties.provider"
+        - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.upgrade.properties.remediation.properties.strategy.properties"
+        - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.uninstall.properties.deletionPropagation"
+        - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.driftDetection.properties.mode"
+        - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.upgrade.properties.remediation.properties.strategy"
+        - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.chart.properties.spec.properties.verify.properties.provider"
+        - "spec.versions[0].schema.openAPIV3Schema.properties.status.properties.lastAttemptedReleaseAction"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.spec.properties.chart.properties.spec.properties.verify.properties.provider"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.spec.properties.driftDetection.properties.mode"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.spec.properties.postRenderers.items.properties.kustomize.properties.patchesJson6902.items.properties.patch.items.properties.op"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.spec.properties.uninstall.properties.deletionPropagation"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.spec.properties.upgrade.properties.remediation.properties.strategy"
+        - "spec.versions[1].schema.openAPIV3Schema.properties.status.properties.lastAttemptedReleaseAction"
+        - "properties.logLevel"
+        - "properties.logFormat"
+  rbac:
+    exclude-rules:
+      wildcards:
+        - kind: ClusterRole
+          name: d8:operator-helm:helm-controller

.github/workflows/build.yaml

@@ -0,0 +1,44 @@
+name: Build
+
+on: [push]
+
+env:
+  CI_COMMIT_REF_NAME: ${{ github.ref_name }}
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    name: Lint
+    steps:
+      - uses: actions/checkout@v4
+      - uses: deckhouse/modules-actions/lint@main
+        # TODO: change after MVP
+        # env:
+        #   DMT_METRICS_URL: ${{ secrets.DMT_METRICS_URL }}
+        #   DMT_METRICS_TOKEN: ${{ secrets.DMT_METRICS_TOKEN }}
+
+  build:
+    runs-on: ubuntu-latest
+    name: Build and Push images
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: deckhouse/modules-actions/setup@main
+        with:
+          registry: ghcr.io
+          registry_login: ${{ github.actor }}
+          registry_password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get the repository name
+        id: repo_name
+        run: echo "REPO_NAME=$(echo '${{ github.repository }}' | cut -d'/' -f2)" >> $GITHUB_OUTPUT
+
+      - uses: deckhouse/modules-actions/build@main
+        with:
+          # TODO: change after MVP
+          # module_source: ghcr.io/${{ github.repository_owner }}/modules
+          module_source: ghcr.io/deckhouse/${{ steps.repo_name.outputs.REPO_NAME }}
+          module_name: ${{ steps.repo_name.outputs.REPO_NAME }}
+          module_tag: ${{ github.ref_name }}
+          svace_enabled: false

.github/workflows/deploy.yaml

@@ -0,0 +1,45 @@
+name: Deploy
+
+on:
+  workflow_dispatch:
+   inputs:
+      release_channel:
+        description: "Select the release channel"
+        type: choice
+        default: alpha
+        options:
+          - "alpha"
+          - "beta"
+          - "early-access"
+          - "stable"
+          - "rock-solid"
+      tag:
+        description: "Tag of the module, e.g., v1.21.1"
+        type: string
+        required: true
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    name: Deploy the module
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: deckhouse/modules-actions/setup@main
+        with:
+          registry: ghcr.io
+          registry_login: ${{ github.actor }}
+          registry_password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get the repository name
+        id: repo_name
+        run: echo "REPO_NAME=$(echo '${{ github.repository }}' | cut -d'/' -f2)" >> $GITHUB_OUTPUT
+
+      - uses: deckhouse/modules-actions/deploy@main
+        with:
+          # TODO: change after MVP
+          # module_source: ghcr.io/${{ github.actor }}/modules
+          module_source: ghcr.io/deckhouse/${{ steps.repo_name.outputs.REPO_NAME }}
+          module_name: ${{ steps.repo_name.outputs.REPO_NAME }}
+          module_tag: ${{ github.event.inputs.tag }}
+          release_channel: ${{ github.event.inputs.release_channel }}

.gitignore

@@ -0,0 +1,40 @@
+# Binaries for programs and plugins
+*.exe
+*.dll
+*.so
+*.dylib
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
+.glide/
+
+# vim
+*.swp
+
+# IDE
+.project
+.settings
+.idea/
+.vscode
+venv/
+
+# macOS Finder files
+*.DS_Store
+._*
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+.pytest_cache/
+
+#werf
+/base_images.yml
+
+# opencode
+**/.opencode/

.helmignore

@@ -0,0 +1,12 @@
+crds
+docs
+enabled
+hooks
+images
+lib
+Makefile
+openapi
+*.md
+release.yaml
+werf*.yaml
+NOTES.txt

.werf/consts.yaml

@@ -0,0 +1,21 @@
+# Edition module settings
+{{- $_ := set . "MODULE_EDITION" (env "MODULE_EDITION" "EE") }}
+
+# Component versions
+{{- $_ := set . "Package" dict -}}
+{{- $_ := set . "Core" dict -}}
+{{- $versions_path := "/build/components/versions.yml" -}}
+
+{{- if .ModuleDir -}}
+{{-   $versions_path = (printf "%s%s" (trimPrefix "/" .ModuleDir ) $versions_path) -}}
+{{- end -}}
+
+{{- $versions_ctx := (.Files.Get $versions_path | fromYaml) -}}
+
+{{- range $k, $v := $versions_ctx.package -}}
+{{-   $_ := set $.Package $k $v -}}
+{{- end -}}
+
+{{- range $k, $v := $versions_ctx.core -}}
+{{-   $_ := set $.Core $k $v -}}
+{{- end -}}

.werf/defines/image-build.tmpl

@@ -0,0 +1,20 @@
+{{- define "image-build.build" }}
+{{-   if ne $.SVACE_ENABLED "false" }}
+svace build --init --clear-build-dir {{ .BuildCommand }}
+attempt=0
+retries=5
+success=0
+set +e
+while [[ $attempt -lt $retries ]]; do
+  ssh -o ConnectTimeout=10 -o ServerAliveInterval=10 -o ServerAliveCountMax=12 {{ $.SVACE_ANALYZE_SSH_USER }}@{{ $.SVACE_ANALYZE_HOST }} mkdir -p /svace-analyze/{{ $.Commit.Hash }}/{{ $.ProjectName }}/.svace-dir
+  rsync -zr --timeout=10 --compress-choice=zstd --partial --append-verify .svace-dir {{ $.SVACE_ANALYZE_SSH_USER }}@{{ $.SVACE_ANALYZE_HOST }}:/svace-analyze/{{ $.Commit.Hash }}/{{ $.ProjectName }}/ && success=1 && break
+  sleep 10
+  attempt=$((attempt + 1))
+done
+set -e
+[[ $success == 1 ]] && rm -rf .svace-dir || exit 1
+{{ .BuildCommand }}
+{{-   else }}
+{{ .BuildCommand }}
+{{-   end }}
+{{- end }}

.werf/defines/image-mountpoints.tmpl

@@ -0,0 +1,32 @@
+{{/*
+
+Template to bake mount points in the image. These static mount points
+are required so containerd can start a container with image integrity check.
+
+Problem: each directory specified in volumeMounts items should exist
+in image, containerd is unable to create mount point for us when
+integrity check is enabled.
+
+Solution: define all possible mount points in mount-points.yaml file and
+include this template in git section of the werf.inc.yaml.
+
+*/}}
+{{/* NOTE: Keep in sync with version in Deckhouse CSE */}}
+{{- define "image mount points" }}
+{{-   $mountPoints := ($.Files.Get (printf "images/%s/mount-points.yaml" $.ImageName) | fromYaml) }}
+{{-   $context := . }}
+{{-   range $v := $mountPoints.dirs }}
+- add: /tools/mounts/mountdir
+  to: {{ $v | trimSuffix "/" }}
+  stageDependencies:
+    install:
+    - "**/*"
+{{-   end }}
+{{-   range $v := $mountPoints.files }}
+- add: /tools/mounts/mountfile
+  to: {{ $v }}
+  stageDependencies:
+    install:
+    - "**/*"
+{{-   end }}
+{{- end }}

.werf/defines/images.tmpl

@@ -0,0 +1,49 @@
+{{/*
+Template for ease of use of multiple image imports
+Default stage "install".
+Important! To render properly in "embedded module" mode, ensure that caller passes context with "ModuleNamePrefix" variable.
+
+Usage:
+{{- $images := list "swtpm" "numactl" "libfuse3" -}}
+{{- include "importPackageImages" (list . $images "install") -}}  # install stage (default)
+Result:
+...
+ - image: packages/binaries/libfuse3
+   add: /libfuse3
+   to: /libfuse3
+   before: install
+...
+
+{{- include "importPackageImages" (list . $images "setup") -}}    # setup stage
+Result:
+...
+ - image: packages/binaries/libfuse3
+   add: /libfuse3
+   to: /libfuse3
+   before: setup
+...
+*/}}
+
+{{ define "importPackageImages" }}
+{{-   if not (eq (kindOf .) "slice") }}
+{{-      fail "importPackageImages: invalid type of argument, slice is expected" }}
+{{-   end }}
+{{-   $context := index . 0 }}
+{{-   $ImageNameList := index . 1 }}
+{{-   $stage := "install" }}
+{{-   if gt (len .) 2 }}
+{{-     $stage = index . 2 }}
+{{-   end }}
+{{-   range $imageName := $ImageNameList }}
+{{-     $packages := splitList " " $imageName -}}
+{{-     range $packages -}}
+{{-       $image := trim . -}}
+{{-       if ne $image "" }}
+- image: {{ $context.ModuleNamePrefix }}packages/{{ $image }}
+  add: /{{ $image }}
+  to: /{{ $image }}
+  before: {{ $stage }}
+{{-       end }}
+{{-     end -}}
+{{-   end }}
+{{ end }}

.werf/defines/packages-clean.tmpl

@@ -0,0 +1,12 @@
+{{- define "alt packages clean" }}
+- apt-get clean
+- rm --recursive --force /var/lib/apt/lists/ftp.altlinux.org* /var/cache/apt/*.bin
+  {{- if $.DistroPackagesProxy }}
+- rm --recursive --force /var/lib/apt/lists/{{ $.DistroPackagesProxy }}* 
+  {{- end }}
+{{- end }}
+
+{{- define "debian packages clean" }}
+- apt-get clean
+- find /var/lib/apt/ /var/cache/apt/ -type f -delete
+{{- end }}

.werf/defines/packages-proxies.tmpl

@@ -0,0 +1,70 @@
+{{- define "alt packages proxy" }}
+# Replace altlinux repos with our proxy
+  {{- if $.DistroPackagesProxy }}
+- sed -i "s|ftp.altlinux.org/pub/distributions/archive|{{ $.DistroPackagesProxy }}/repository/archive-ALT-Linux-APT-Repository|g" /etc/apt/sources.list.d/alt.list
+  {{- end }}
+# TODO: remove this when http becomes available
+# change scheme from http to ftp
+- sed -i "s|rpm \[p11\] http://|#rpm [p11] http://|g" /etc/apt/sources.list.d/alt.list
+- sed -i "s|#rpm \[p11\] ftp://|rpm [p11] ftp://|g" /etc/apt/sources.list.d/alt.list
+- export DEBIAN_FRONTEND=noninteractive
+- apt-get update -y
+{{- end }}
+
+{{- define "alt dist upgrade" }}
+- apt-get dist-upgrade -y
+- find /var/cache/apt/ -type f -delete
+- rm -rf /var/log/*log /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old
+{{- end }}
+
+{{- define "debian packages proxy" }}
+# 5 years 157680000
+- |
+    echo "Acquire::Check-Valid-Until false;" >> /etc/apt/apt.conf
+    echo "Acquire::Check-Date false;" >> /etc/apt/apt.conf
+    echo "Acquire::Max-FutureTime 157680000;" >> /etc/apt/apt.conf
+# Replace debian repos with our proxy
+  {{- if $.DistroPackagesProxy }}
+- if [ -f /etc/apt/sources.list ]; then sed -i "s|http://deb.debian.org|http://{{ $.DistroPackagesProxy }}/repository|g" /etc/apt/sources.list; fi
+- if [ -f /etc/apt/sources.list.d/debian.sources ]; then sed -i "s|http://deb.debian.org|http://{{ $.DistroPackagesProxy }}/repository|g" /etc/apt/sources.list.d/debian.sources; fi
+  {{- end }}
+- export DEBIAN_FRONTEND=noninteractive
+- apt-get update
+{{- end }}
+
+{{- define "ubuntu packages proxy" }}
+  # Replace ubuntu repos with our proxy
+  {{- if $.DistroPackagesProxy }}
+- sed -i 's|http://archive.ubuntu.com|http://{{ $.DistroPackagesProxy }}/repository/archive-ubuntu|g' /etc/apt/sources.list
+- sed -i 's|http://security.ubuntu.com|http://{{ $.DistroPackagesProxy }}/repository/security-ubuntu|g' /etc/apt/sources.list
+  {{- end }}
+- export DEBIAN_FRONTEND=noninteractive
+# one year
+- apt-get -o Acquire::Check-Valid-Until=false -o Acquire::Check-Date=false -o Acquire::Max-FutureTime=31536000 update
+{{- end }}
+
+{{- define "alpine packages proxy" }}
+# Replace alpine repos with our proxy
+  {{- if $.DistroPackagesProxy }}
+- sed -i 's|https://dl-cdn.alpinelinux.org|http://{{ $.DistroPackagesProxy }}/repository|g' /etc/apk/repositories
+  {{- end }}
+- apk update
+{{- end }}
+
+{{- define "node packages proxy" }}
+  {{- if $.DistroPackagesProxy }}
+- npm config set registry http://{{ $.DistroPackagesProxy }}/repository/npmjs/
+  {{- end }}
+{{- end }}
+
+{{- define "pypi proxy" }}
+  {{- if $.DistroPackagesProxy }}
+- |
+  cat <<"EOD" > /etc/pip.conf
+  [global]
+  index = http://{{ $.DistroPackagesProxy }}/repository/pypi-proxy/pypi
+  index-url = http://{{ $.DistroPackagesProxy }}/repository/pypi-proxy/simple
+  trusted-host = {{ $.DistroPackagesProxy }}
+  EOD
+  {{- end }}
+{{- end }}