From a031779d1cc0e86f6ac23f3a18cb3f157b126202 Mon Sep 17 00:00:00 2001 From: Davanum Srinivas Date: Sat, 23 May 2026 11:22:34 -0400 Subject: [PATCH] feat(install): build + push ateom-gvisor image during kind bootstrap MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ateom-gvisor is the per-worker-pod sidecar referenced via WorkerPool.spec.ateomImage. Its source lives under cmd/ateom-gvisor but it has no Deployment/DaemonSet manifest in manifests/ate-install/, so the ko-resolve pipeline that builds every other binary never builds it. Operators creating a WorkerPool after a fresh --deploy-ate-system have to either run a packaged demo (its template's ko:// reference side-effects the build) or invoke ko publish by hand. Add publish_ateom_image() that runs ko publish --base-import-paths ./cmd/ateom-gvisor and writes the resulting @sha256: to .ate-kind/ateom-image. Invoke it from the end of deploy_ate_system when ATE_INSTALL_KIND=true, and expose --publish-ateom-image so the image can be rebuilt alone after a code change. .ate-kind/ is gitignored. Non-kind installs are unaffected — operators retain control of their own image-publishing flow against the cluster's registry. Signed-off-by: Davanum Srinivas --- .gitignore | 5 ++++- hack/install-ate.sh | 29 +++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index d7afedf..b941343 100644 --- a/.gitignore +++ b/.gitignore @@ -12,4 +12,7 @@ __pycache__/ *.pyc # Local environment variables -.ate-dev-env.sh \ No newline at end of file +.ate-dev-env.sh + +# Local install state (digests of locally-published images, etc.) +.ate-kind/ \ No newline at end of file diff --git a/hack/install-ate.sh b/hack/install-ate.sh index 8e043e8..75e5bb2 100755 --- a/hack/install-ate.sh +++ b/hack/install-ate.sh 
@@ -69,6 +69,7 @@ function usage() {
 echo " --deploy-atelet Deploy atelet only"
 echo " --deploy-ate-apiserver Deploy ate-api-server only"
 echo " --deploy-atenet Deploy atenet only"
+ echo " --publish-ateom-image Build + push ateom-gvisor (kind only); writes digest to .ate-kind/ateom-image"
 echo ""
 echo "To create individual resources used by ate-system (Note: These are"
 echo "called automatically by --deploy-ate-system):"
@@ -245,6 +246,32 @@ deploy_ate_system() {
 run_kubectl rollout status deployment/atenet-router -n ate-system --timeout=120s
 run_kubectl rollout status statefulset/valkey-cluster -n ate-system --timeout=120s
 run_kubectl rollout status daemonset/atelet -n ate-system --timeout=120s
+
+ publish_ateom_image
+}
+
+# Build + push the ateom-gvisor image and persist its digest under
+# .ate-kind/ateom-image. ateom-gvisor is the per-worker-pod sidecar
+# referenced via WorkerPool.spec.ateomImage; it has no Deployment
+# manifest under manifests/ate-install/, so the ko-resolve pipeline that
+# builds every other binary never touches it. Without this step,
+# operators creating a WorkerPool after a fresh --deploy-ate-system have
+# to invoke ko publish by hand.
+#
+# Only runs in kind mode; non-kind installs continue to manage their own
+# image-publishing flow against the cluster's registry.
+publish_ateom_image() {
+ if [[ "${ATE_INSTALL_KIND:-false}" != "true" ]]; then
+ return 0
+ fi
+ log_step "publish_ateom_image"
+ local out_dir="${ROOT}/.ate-kind"
+ mkdir -p "${out_dir}"
+ local image
+ image=$("${ROOT}/hack/run-tool.sh" ko publish --base-import-paths ./cmd/ateom-gvisor)
+ echo "${image}" > "${out_dir}/ateom-image"
+ echo " image: ${image}"
+ echo " digest: ${out_dir}/ateom-image"
 }
 # Ensure secrets and configmaps required by ate-apiserver
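Review bot: In `publish_ateom_image`, whatever the `ko publish` wrapper prints on stdout is written to `.ate-kind/ateom-image` without checking that the command succeeded or that the value is a digest-pinned reference. Whether the script runs under `set -e` is not visible in this hunk; if it does not, a failed build leaves an empty or partial file that a later WorkerPool could take as its `ateomImage`, and any extra stdout line from `run-tool.sh` would land in the file as well. I would append `|| return 1` to the `image=$(…)` assignment and add `[[ "${image}" =~ @sha256:[0-9a-f]{64}$ ]] || { echo "unexpected ko publish output: ${image}" >&2; return 1; }` before the redirect. The import path `./cmd/ateom-gvisor` is relative while the other paths in the function are anchored on `${ROOT}`, so unless the script changes into `${ROOT}` earlier (not shown here), running it from another directory fails or builds from the wrong tree.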
@@ -376,6 +403,8 @@ while [[ "$#" -gt 0 ]]; do
 --deploy-atenet) deploy_atenet ;;
 --delete-atenet) delete_atenet ;;
+ --publish-ateom-image) publish_ateom_image ;;
+
 --create-jwt-authority-pool-secret) create_jwt_authority_pool_secret ;;
 --create-session-id-ca-pool-secret) create_session_id_ca_pool_secret ;;
 --create-podcertificate-controller-cas) create_podcertificate_controller_cas ;;
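Review bot: Passing `--publish-ateom-image` explicitly exits 0 without doing anything when `ATE_INSTALL_KIND` is not `true`, because `publish_ateom_image` returns early without a message. An operator who asked for a rebuild then keeps an older `.ate-kind/ateom-image` from a previous run and has no sign that the digest is stale. The silent skip is reasonable for the implicit call at the end of `deploy_ate_system`, but the early-return branch should at least report it, for example `echo "publish_ateom_image: skipped, ATE_INSTALL_KIND is not true" >&2`. The `while`/`case` body continues outside this hunk.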