From ce856ee71e2a165760ebfb1815ad4e34c358ecc5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com>
Date: Wed, 5 Feb 2025 10:07:58 +0100
Subject: [PATCH] podvm-payload: add Dockerfile and submodules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The podvm-payload image ships binaries built from 3 sources.
To make it buildable with Konflux, we need a dedicated Dockerfile,
and a way to watch the source modification of all 3 repositories.

This commit is adding the Dockerfile, and have 2 submodules created
(for kata-containers and guest-components).
This should allow Konflux to trigger the build when we need.

Signed-off-by: Julien Ropé <jrope@redhat.com>
---
 .gitmodules                    |   6 ++
 podvm-payload/Dockerfile       | 102 +++++++++++++++++++++++++++++++++
 podvm-payload/guest-components |   1 +
 podvm-payload/kata-containers  |   1 +
 4 files changed, 110 insertions(+)
 create mode 100644 .gitmodules
 create mode 100644 podvm-payload/Dockerfile
 create mode 160000 podvm-payload/guest-components
 create mode 160000 podvm-payload/kata-containers

diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 000000000..3e7c5c31a
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,6 @@
+[submodule "podvm-payload/kata-containers"]
+	path = podvm-payload/kata-containers
+	url = https://github.com/openshift/kata-containers/
+[submodule "podvm-payload/guest-components"]
+	path = podvm-payload/guest-components
+	url = https://github.com/openshift/confidential-containers-guest-components/
diff --git a/podvm-payload/Dockerfile b/podvm-payload/Dockerfile
new file mode 100644
index 000000000..7f08c9d9b
--- /dev/null
+++ b/podvm-payload/Dockerfile
@@ -0,0 +1,102 @@
+## GOLANG ##
+FROM registry.access.redhat.com/ubi9/go-toolset:1.22.9-1737480393 as go_builder
+USER root
+ARG ARCH
+ENV ARCH=${ARCH}
+
+RUN mkdir -p /artifacts/usr/local/bin
+
+COPY src/cloud-api-adaptor /workdir
+
+# binary: agent-protocol-forwarder, proccess-user-data (golang)
+WORKDIR /workdir
+RUN CGO_ENABLED=1 GOOS=linux go build \
+-ldflags=-X=github.com/openshift/cloud-api-adaptor/cmd.VERSION=${CI_CLOUD_API_ADAPTOR_UPSTREAM_VERSION} \
+-ldflags=-X=github.com/openshift/cloud-api-adaptor/cmd.COMMIT=${CI_CLOUD_API_ADAPTOR_UPSTREAM_COMMIT} \
+-o /artifacts/usr/local/bin/agent-protocol-forwarder cmd/agent-protocol-forwarder/main.go
+
+RUN CGO_ENABLED=1 GOOS=linux go build \
+-ldflags=-X=github.com/openshift/cloud-api-adaptor/cmd.VERSION=${CI_CLOUD_API_ADAPTOR_UPSTREAM_VERSION} \
+-ldflags=-X=github.com/openshift/cloud-api-adaptor/cmd.COMMIT=${CI_CLOUD_API_ADAPTOR_UPSTREAM_COMMIT} \
+-o /artifacts/usr/local/bin/process-user-data cmd/process-user-data/*.go
+
+# config files and scripts
+RUN cp -r podvm/files/* /artifacts
+
+## RUST ##
+FROM registry.access.redhat.com/ubi9/ubi:latest as rust_builder
+USER root
+# This is registering RHEL when building on an unsubscribed system
+# If you are running a UBI container on a registered and subscribed RHEL host, 
+# the main RHEL Server repository is enabled inside the standard UBI container.
+# Uncomment this and provide the associated ARG variables to register.
+ARG ACTIVATION_KEY
+ARG ORG_ID
+RUN if [[ -n "${ACTIVATION_KEY}" && -n "${ORG_ID}" ]]; then \
+        REPO_ARCH=$(uname -m) && \
+        subscription-manager register --org=${ORG_ID} --activationkey=${ACTIVATION_KEY} && \
+        subscription-manager repos --enable rhel-9-for-${REPO_ARCH}-appstream-rpms --enable codeready-builder-for-rhel-9-${REPO_ARCH}-rpms; \
+    fi
+RUN dnf clean packages && dnf install -y git rust cargo perl-File-Compare perl-FindBin cmake gcc-c++ perl protobuf-compiler clang-devel device-mapper-devel tpm2-tss-devel
+
+RUN mkdir -p /artifacts/usr/local/bin
+
+COPY podvm-payload/kata-containers /workdir/kata-containers
+COPY podvm-payload/guest-components /workdir/guest-components
+
+# binary: kata-agent (rust)
+WORKDIR /workdir/kata-containers/src/agent
+RUN make src/version.rs
+RUN cargo build --verbose --release --features "guest-pull agent-policy"
+RUN cp /workdir/kata-containers/src/agent/target/release/kata-agent /artifacts/usr/local/bin
+
+# binary: attestation-agent (rust)
+WORKDIR /workdir/guest-components/attestation-agent/attestation-agent
+RUN ARCH=$(uname -m) && \
+  if [ "$ARCH" = "s390x" ]; then \
+        cargo build --verbose --release --no-default-features --features "coco_as,kbs,se-attester,bin,ttrpc,openssl"; \
+  else \
+        cargo build --verbose --release --no-default-features --features "coco_as,kbs,az-snp-vtpm-attester,az-tdx-vtpm-attester,bin,ttrpc,openssl"; \
+  fi
+RUN cp /workdir/guest-components/target/release/ttrpc-aa /artifacts/usr/local/bin/attestation-agent
+
+# binary: api-server-rest (rust)
+WORKDIR /workdir/guest-components/api-server-rest
+RUN cargo build --verbose --release
+RUN cp /workdir/guest-components/target/release/api-server-rest /artifacts/usr/local/bin
+
+## RUST 1.80 ##
+
+# This part is needed only for confidential data hub
+# Building the other components with rust 1.80 causes issues, and building CDH
+# with anything before 1.80 fails
+# This part of the build uses centos stream 9, which has a newer version of rust
+FROM quay.io/centos/centos:stream9 as rust_builder_1_80
+USER root
+RUN dnf clean packages && dnf --enablerepo=crb install -y git rust cargo perl-File-Compare perl-FindBin cmake gcc-c++ perl protobuf-compiler clang-devel device-mapper-devel tpm2-tss-devel
+
+RUN mkdir -p /artifacts/usr/local/bin
+
+COPY podvm-payload/guest-components /workdir/guest-components
+
+# binary: confidential-data-hub (rust) using the 1.80 rust version
+WORKDIR /workdir/guest-components/confidential-data-hub/hub
+RUN cargo build --verbose --release --no-default-features --features "kbs,bin,ttrpc"
+RUN cp /workdir/guest-components/target/release/ttrpc-cdh /artifacts/usr/local/bin/confidential-data-hub
+
+
+
+
+
+## FINAL IMAGE ##
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+
+COPY --from=go_builder /artifacts /artifacts
+COPY --from=rust_builder /artifacts /artifacts
+COPY --from=rust_builder_1_80 /artifacts /artifacts
+
+RUN microdnf install -y tar gzip && microdnf clean all
+
+# Create the final tarball and remove /artifacts to save space
+RUN tar czvf /podvm-binaries.tar.gz -C /artifacts usr/ etc/ && \
+    rm -rf /artifacts
diff --git a/podvm-payload/guest-components b/podvm-payload/guest-components
new file mode 160000
index 000000000..ffd22b3ca
--- /dev/null
+++ b/podvm-payload/guest-components
@@ -0,0 +1 @@
+Subproject commit ffd22b3ca8b0887e995021198433668cbfdfbf4b
diff --git a/podvm-payload/kata-containers b/podvm-payload/kata-containers
new file mode 160000
index 000000000..5c529ab40
--- /dev/null
+++ b/podvm-payload/kata-containers
@@ -0,0 +1 @@
+Subproject commit 5c529ab409ae22bd7c440b9ca5607dead17f9a15