Introduce builder (#559)

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **New Features**
	- Added configuration for Kubernetes builder environment
	- Introduced Talos imager configuration with version v1.8.4
- Implemented garbage collection policies for OCI worker storage
management

- **Chores**
	- Updated Makefile to streamline image building process
	- Added Kubernetes deployment templates for builder sandbox

- **Infrastructure**
	- Created new configuration files for builder package
	- Enhanced build and deployment workflows

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

packages/core/builder/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: builder
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/core/builder/Makefile

@@ -0,0 +1,35 @@
+NAMESPACE=cozy-builder
+NAME := builder
+
+TALOS_VERSION=$(shell awk '/^version:/ {print $$2}' ../installer/images/talos/profiles/installer.yaml)
+
+include ../../../scripts/common-envs.mk
+
+help: ## Show this help.
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+
+show:
+	helm template -n $(NAMESPACE) $(NAME) .
+
+apply: ## Create builder sandbox in existing Kubernetes cluster.
+	helm template -n $(NAMESPACE) $(NAME) . | kubectl apply -f -
+	docker buildx ls | grep -q '^buildkit-builder*' || docker buildx create \
+		--bootstrap \
+		--name=buildkit-$(NAME) \
+		--driver=kubernetes \
+		--driver-opt=namespace=$(NAMESPACE),replicas=1 \
+		--platform=linux/amd64 \
+		--platform=linux/arm64 \
+		--use \
+		--config config.toml
+
+diff:
+	helm template -n $(NAMESPACE) $(NAME) . | kubectl diff -f -
+
+delete: ## Remove builder sandbox from existing Kubernetes cluster.
+	kubectl delete deploy -n $(NAMESPACE) $(NAME)-talos-imager
+	docker buildx rm buildkit-$(NAME)
+
+wait-for-builder:
+	kubectl wait deploy --for=condition=Progressing -n $(NAMESPACE) $(NAME)-talos-imager
+	kubectl wait pod --for=condition=Ready -n $(NAMESPACE) -l app=$(NAME)-talos-imager

packages/core/builder/config.toml

@@ -0,0 +1,11 @@
+[worker.oci]
+  gc = true
+  gckeepstorage = 50000
+
+  [[worker.oci.gcpolicy]]
+    keepBytes = 10737418240
+    keepDuration = 604800
+    filters = [ "type==source.local", "type==exec.cachemount", "type==source.git.checkout"]
+  [[worker.oci.gcpolicy]]
+    all = true
+    keepBytes = 53687091200

packages/core/builder/templates/sandbox.yaml

@@ -0,0 +1,43 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Release.Namespace }}
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-talos-imager
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-talos-imager
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-talos-imager
+    spec:
+      automountServiceAccountToken: false
+      terminationGracePeriodSeconds: 1
+      containers:
+      - name: imagere
+        image: "{{ .Values.talos.imager.image }}"
+        securityContext:
+          privileged: true
+        command:
+        - sleep
+        - infinity
+        volumeMounts:
+        - mountPath: /dev
+          name: dev
+      volumes:
+      - hostPath:
+          path: /dev
+          type: Directory
+        name: dev

packages/core/builder/values.yaml

@@ -0,0 +1,3 @@
+talos:
+  imager:
+    image: ghcr.io/siderolabs/imager:v1.8.4

packages/core/installer/Makefile

@@ -19,10 +19,12 @@ diff:
 
 update:
 	hack/gen-profiles.sh
+	IMAGE=$$(awk '/^version:/ {print $$2}' images/talos/profiles/installer.yaml) \
+		yq -i '.talos.imager.image = "ghcr.io/siderolabs/imager:" + strenv(IMAGE)' ../builder/values.yaml
 
 image: pre-checks image-cozystack image-talos image-matchbox
 
-image-cozystack:
+image-cozystack: run-builder
 	make -C ../../.. repos
 	docker buildx build -f images/cozystack/Dockerfile ../../.. \
 		--provenance false \
@@ -37,13 +39,11 @@ image-cozystack:
 		yq -i '.cozystack.image = strenv(IMAGE)' values.yaml
 	rm -f images/cozystack.json
 
-image-talos:
+image-talos: run-builder
 	test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
-	docker load -i ../../../_out/assets/installer-amd64.tar
-	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
-	docker push $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
+	skopeo copy docker-archive:../../../_out/assets/installer-amd64.tar docker://$(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
 
-image-matchbox:
+image-matchbox:  run-builder
 	test -f ../../../_out/assets/kernel-amd64 || make talos-kernel
 	test -f ../../../_out/assets/initramfs-metal-amd64.xz || make talos-initramfs
 	docker buildx build -f images/matchbox/Dockerfile ../../.. \
@@ -62,5 +62,8 @@ assets: talos-iso talos-nocloud talos-metal
 talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud talos-metal:
 	mkdir -p ../../../_out/assets
 	cat images/talos/profiles/$(subst talos-,,$@).yaml | \
-		docker run --rm -i -v /dev:/dev --privileged "ghcr.io/siderolabs/imager:$(TALOS_VERSION)" --tar-to-stdout - | \
+		kubectl exec -i -n cozy-builder deploy/builder-talos-imager -- imager --tar-to-stdout - | \
 		tar -C ../../../_out/assets -xzf-
+
+run-builder:
+	make -C ../builder/ apply wait-for-builder