@yashvardhannanavati yashvardhannanavati commented Dec 10, 2025

Signed-off-by: Yashvardhan Nanavati [email protected]

Assisted-by: Cursor

Summary by Sourcery

Introduce a containerized development environment for running IIB workers against an external Konflux cluster and associated local services.

New Features:

  • Add a podman-compose configuration to run IIB API, a containerized workflow worker, registry, database, and supporting services locally.
  • Provide a dedicated worker configuration for containerized builds that integrates with an external Konflux cluster, GitLab, and registries.
  • Add example environment and certificate files to bootstrap configuration for the containerized workflow.

Documentation:

  • Document setup, configuration, and troubleshooting steps for running the IIB containerized workflow development environment.


sourcery-ai bot commented Dec 10, 2025

Reviewer's Guide

Introduces a containerized development environment for the IIB worker that delegates build operations to an external Konflux cluster, including configuration, orchestration via podman-compose, and a dedicated worker configuration class driven by environment variables.

Sequence diagram for containerized Konflux-based build workflow

sequenceDiagram
    actor Developer
    participant iib_api
    participant rabbitmq
    participant iib_worker_containerized
    participant GitLab
    participant KonfluxCluster
    participant IIBRegistry
    participant IndexDB

    Developer->>iib_api: POST /api/v1/builds/rm
    iib_api-->>Developer: 202 Accepted (request_id)
    iib_api->>rabbitmq: Enqueue rm build task
    rabbitmq->>iib_worker_containerized: Deliver rm build task

    iib_worker_containerized->>GitLab: Clone catalog repo
    iib_worker_containerized->>iib_worker_containerized: Modify catalog (remove operators)
    iib_worker_containerized->>GitLab: Commit and push changes

    GitLab->>KonfluxCluster: Trigger PipelineRun
    iib_worker_containerized->>KonfluxCluster: Watch PipelineRun status
    KonfluxCluster-->>iib_worker_containerized: PipelineRun completed

    iib_worker_containerized->>IIBRegistry: Copy built index image
    iib_worker_containerized->>IndexDB: Update index.db artifact
    iib_worker_containerized-->>rabbitmq: Mark task completed
    Developer->>iib_api: GET request status
    iib_api-->>Developer: Completed with built index image

Class diagram for new ContainerizedConfig worker configuration

classDiagram
    class DevelopmentConfig {
    }

    class ContainerizedConfig {
        <<extends DevelopmentConfig>>
        +iib_konflux_cluster_url: Optional_str
        +iib_konflux_cluster_token: Optional_str
        +iib_konflux_cluster_ca_cert: Optional_str
        +iib_konflux_namespace: Optional_str
        +iib_konflux_pipeline_timeout: int

        +iib_index_configs_gitlab_tokens_map: dict

        +iib_registry: str
        +iib_image_push_template: str
        +iib_docker_config_template: str

        +iib_index_db_artifact_registry: Optional_str
        +iib_index_db_imagestream_registry: Optional_str
        +iib_index_db_artifact_template: str

        +include: list

        +iib_log_level: str
        +iib_request_logs_dir: Optional_str

        +iib_aws_s3_bucket_name: Optional_str
        +iib_greenwave_url: Optional_str
        +iib_skopeo_timeout: str
        +iib_total_attempts: int
        +iib_retry_delay: int
        +iib_retry_jitter: int
        +iib_retry_multiplier: int

        +validate() ValueError
    }

    DevelopmentConfig <|-- ContainerizedConfig

    class CelerySettingsModule {
        +module_level_config_vars
    }

    ContainerizedConfig ..> CelerySettingsModule: exported_as_module_level_variables

File-Level Changes

Change Details Files
Add podman-compose stack to run IIB with a containerized worker that talks to an external Konflux cluster and local registry.
  • Define services for local registry, database, memcached, rabbitmq, IIB API, containerized IIB worker, and external message broker
  • Generate TLS certs for the local registry via a one-shot minica service and share them through a named volume
  • Configure the containerized worker to run Celery with a custom settings module, privileged container options, and appropriate volume mounts for code, auth, certs, and logs
podman-compose-containerized.yml
Introduce a dedicated containerized worker configuration class that extends the development config and is driven by env vars for Konflux, GitLab, and registry settings.
  • Define ContainerizedConfig with Konflux cluster connection parameters, GitLab token map, registry and index-db artifact configuration
  • Extend the default task include list to load containerized workflow tasks
  • Add validation logic to enforce presence of required Konflux settings and export config as module-level variables for Celery
docker/containerized/worker_config.py
Document the containerized workflow dev environment and provide config templates and example certs.
  • Add detailed README describing containerized workflow architecture, prerequisites, setup, testing, and troubleshooting
  • Add a template env file for containerized configuration variables
  • Add an example Konflux CA certificate file placeholder for local setup
docker/containerized/README.md
.env.containerized.template
docker/containerized/konflux-ca.crt.example

@sourcery-ai sourcery-ai bot left a comment


Hey there - I've reviewed your changes - here's some feedback:

  • In ContainerizedConfig, consider wrapping the json.loads of IIB_INDEX_CONFIGS_GITLAB_TOKENS_MAP in a try/except so that malformed JSON results in a clear configuration error rather than a generic import failure.
  • The containerized worker currently mounts registry-certs-volume at both /registry-certs and /tmp/registry-certs; if only one path is actually used, simplifying to a single mount point will make the certificate usage clearer.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In `ContainerizedConfig`, consider wrapping the `json.loads` of `IIB_INDEX_CONFIGS_GITLAB_TOKENS_MAP` in a try/except so that malformed JSON results in a clear configuration error rather than a generic import failure.
- The containerized worker currently mounts `registry-certs-volume` at both `/registry-certs` and `/tmp/registry-certs`; if only one path is actually used, simplifying to a single mount point will make the certificate usage clearer.

## Individual Comments

### Comment 1
<location> `podman-compose-containerized.yml:38` </location>
<code_context>
+      - ./docker/registry/auth:/auth
+
+  db:
+    image: postgres:9.6
+    environment:
+      POSTGRES_USER: iib
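Review bot: besides being EOL, `postgres:9.6` is a floating tag that can change underneath you across minor releases; when bumping to a supported major, pin the image by digest (`postgres:15@sha256:<digest placeholder>`) so the dev database gets the same reproducibility this review asks for in the minica command. The `POSTGRES_USER: iib` line shows credentials are supplied through `environment:`; keep the matching password out of the committed compose file and read it from the `.env.containerized` file that this PR's template is copied to.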
</code_context>

<issue_to_address>
**🚨 issue (security):** Postgres 9.6 is EOL and represents a security/maintenance risk; consider bumping to a supported version.

Using an EOL `postgres:9.6` image increases security risk and upgrade cost. Prefer a supported major (e.g. 13–15) and update any dependent config/migrations. If you must remain on 9.6 for now, document it as an explicit exception and track an upgrade task.
</issue_to_address>

### Comment 2
<location> `podman-compose-containerized.yml:12` </location>
<code_context>
+    command:
+      - /bin/sh
+      - -c
+      - >-
+        go install github.com/jsha/minica@latest &&
+        cd /opt/app-root/certs &&
+        namei -l /opt/app-root &&
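Review bot: `namei -l /opt/app-root` on the line after the `cd` reads like leftover debugging; drop it, or gate it behind a debug variable, so the one-shot cert service's log stays useful. Pinning the `go install` line to a tag does more than save startup time: `go install` verifies the module against the Go checksum database, and with a fixed tag that verification is against one known version rather than whatever `@latest` resolves to on a given start, which is what makes the suggested change below reproducible.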
</code_context>

<issue_to_address>
**suggestion (performance):** Installing minica from source on every start with `@latest` harms reproducibility and startup time.

This approach both adds compile time to each container start and introduces non-determinism, since minica can change without any version bump here. Please either pin a specific version/tag (e.g. `@vX.Y.Z`) or use an image that already has minica installed so the registry bootstrap is deterministic and faster.

```suggestion
        go install github.com/jsha/minica@v1.0.2 &&
```
</issue_to_address>

### Comment 3
<location> `docker/containerized/worker_config.py:101` </location>
<code_context>
+        required_configs = {
+            'iib_konflux_cluster_url': cls.iib_konflux_cluster_url,
+            'iib_konflux_cluster_token': cls.iib_konflux_cluster_token,
+            'iib_konflux_cluster_ca_cert': cls.iib_konflux_cluster_ca_cert,
+            'iib_konflux_namespace': cls.iib_konflux_namespace,
+        }
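Review bot: `required_configs` maps setting names to their live values, and one of those values is `cls.iib_konflux_cluster_token`; the suggested `ValueError` below correctly joins only the key names from `missing`, so keep it that way and make sure nothing logs or reprs this dict (a stray debug statement would put the cluster token in the worker log). Building `missing` from the attribute names with `getattr` would keep the secret value out of the error path entirely.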
</code_context>

<issue_to_address>
**suggestion (bug_risk):** Validation only checks that a CA cert path string is set, not that the file actually exists or is usable.

Because `validate()` only checks for a non-empty `iib_konflux_cluster_ca_cert`, a missing `/etc/iib/konflux-ca.crt` (when the env var is unset) won’t be caught until TLS fails at runtime. Consider also verifying that the path exists (e.g., `os.path.exists(cls.iib_konflux_cluster_ca_cert)`) and is readable so misconfigurations fail fast during startup.

Suggested implementation:

```python
        if missing:
            raise ValueError(
                f"Missing required Konflux configuration: {', '.join(missing)}. "
                "Please set these in your .env.containerized file."
            )

        # Validate that the CA certificate path exists and is readable so we fail fast
        ca_cert_path = cls.iib_konflux_cluster_ca_cert
        if ca_cert_path:
            import os

            if not os.path.exists(ca_cert_path):
                raise ValueError(
                    f"Konflux cluster CA certificate path does not exist: {ca_cert_path}. "
                    "Please ensure the path is correct or update the IIB_KONFLUX_CLUSTER_CA_CERT setting."
                )
            if not os.path.isfile(ca_cert_path) or not os.access(ca_cert_path, os.R_OK):
                raise ValueError(
                    f"Konflux cluster CA certificate is not a readable file: {ca_cert_path}. "
                    "Please ensure the file is present and readable by the worker process."
                )

```

1. If your project style disallows inline imports, move `import os` to the top of `docker/containerized/worker_config.py` with the other imports and remove it from inside `validate()`.
2. If you already have helper utilities for file validation or a centralized config validation mechanism, you may want to replace the direct `os.path` / `os.access` calls with those helpers for consistency.
</issue_to_address>

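Worked example, added here and not part of the PR or of Sourcery's suggestion, covering two of the review points above: a `try/except` around the `json.loads` of `IIB_INDEX_CONFIGS_GITLAB_TOKENS_MAP` that turns malformed JSON into a clear configuration error without echoing the token-bearing string, and a CA certificate check that goes beyond "non-empty path" to "readable file that OpenSSL can parse". The names (`ConfigError`, `load_gitlab_tokens_map`, `check_ca_cert_file`, `validate_konflux_settings`), the rule that map keys must be `https://` URLs, and the stand-alone `env` dict used in place of the class attributes are assumptions; the tokens-map shape follows the `.env.containerized.template` entry quoted later in this thread.

```python
"""Added example, not IIB project code: fail-fast validation of the
containerized worker's Konflux and GitLab settings. Function names and the
https:// key rule are assumptions, not the project's API."""
import json
import os
import ssl
import tempfile


class ConfigError(ValueError):
    """Any configuration problem. Messages name the setting, never its value."""


# Constructed sample, copied from the PR's .env template (placeholder token).
SAMPLE_TOKENS_MAP = (
    '{"https://gitlab.example.com/catalogs/v4.19": '
    '{"token_name": "GITLAB_TOKEN_V419", "token": "glpat-xxxxxxxxxxxxx"}}'
)

REQUIRED_KONFLUX_VARS = (
    "IIB_KONFLUX_CLUSTER_URL",
    "IIB_KONFLUX_CLUSTER_TOKEN",
    "IIB_KONFLUX_CLUSTER_CA_CERT",
    "IIB_KONFLUX_NAMESPACE",
)


def load_gitlab_tokens_map(raw):
    """Parse the tokens map env var into {repo_url: {"token_name", "token"}}.

    A JSON error is reported by position only: the raw string holds tokens,
    so it must never be echoed into an exception that ends up in a log.
    """
    if raw is None or not raw.strip():
        return {}
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ConfigError(
            "IIB_INDEX_CONFIGS_GITLAB_TOKENS_MAP is not valid JSON "
            f"(line {exc.lineno}, column {exc.colno})"
        ) from None
    if not isinstance(parsed, dict):
        raise ConfigError("IIB_INDEX_CONFIGS_GITLAB_TOKENS_MAP must be a JSON object keyed by repo URL")
    for repo_url, entry in parsed.items():
        # Assumption: catalog repos are always addressed over https.
        if not repo_url.startswith("https://"):
            raise ConfigError(f"tokens map key {repo_url!r} is not an https:// URL")
        if not isinstance(entry, dict) or not {"token_name", "token"} <= set(entry):
            raise ConfigError(f"tokens map entry for {repo_url} needs 'token_name' and 'token'")
        if not isinstance(entry["token"], str) or not entry["token"]:
            raise ConfigError(f"tokens map entry for {repo_url} has an empty token")
    return parsed


def check_ca_cert_file(path):
    """Return True if path is a readable file that OpenSSL accepts as a PEM CA bundle."""
    if not os.path.isfile(path) or not os.access(path, os.R_OK):
        raise ConfigError(f"Konflux CA certificate is not a readable file: {path}")
    try:
        # Loading into a context parses the PEM; garbage or an empty file fails here.
        ssl.create_default_context().load_verify_locations(cafile=path)
    except ssl.SSLError as exc:
        raise ConfigError(f"Konflux CA certificate at {path} is not a valid PEM certificate") from exc
    return True


def validate_konflux_settings(env):
    """Same order as the PR's validate(): presence of required vars, then deeper checks."""
    missing = [name for name in REQUIRED_KONFLUX_VARS if not env.get(name)]
    if missing:
        raise ConfigError(f"Missing required Konflux configuration: {', '.join(missing)}")
    check_ca_cert_file(env["IIB_KONFLUX_CLUSTER_CA_CERT"])
    return load_gitlab_tokens_map(env.get("IIB_INDEX_CONFIGS_GITLAB_TOKENS_MAP"))


def write_sample_file(contents):
    """Demo helper: write constructed contents to a temp file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".crt", delete=False) as fh:
        fh.write(contents)
    return fh.name


def config_error(func, *args):
    """Demo helper: return the ConfigError message func raises, or None on success."""
    try:
        func(*args)
    except ConfigError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(load_gitlab_tokens_map(SAMPLE_TOKENS_MAP))
    print(config_error(load_gitlab_tokens_map, '{"https://x": {"token": "glpat-secret"'))
    print(config_error(check_ca_cert_file, write_sample_file("not a certificate\n")))
```

Running the module prints the parsed sample map, the position-only JSON error, and the error for a file that is not a certificate. An existence check alone would accept an empty or truncated file copied from `konflux-ca.crt.example`; loading the file into an `SSLContext` is what catches that at startup instead of at the first PipelineRun watch.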


IIB_KONFLUX_NAMESPACE=your-namespace

# GitLab Configuration
IIB_INDEX_CONFIGS_GITLAB_TOKENS_MAP='{"https://gitlab.example.com/catalogs/v4.19": {"token_name": "GITLAB_TOKEN_V419", "token": "glpat-xxxxxxxxxxxxx"}}'
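Review bot: the template entry carries both a `token_name` (`GITLAB_TOKEN_V419`) and an inline `token` value; if `token_name` is meant to name the variable the worker reads the token from, the template should show only the name and leave the secret in that variable, so that a copied `.env.containerized` holding real tokens does not duplicate them inside the JSON map as well. Either way, the README should say which of the two fields the worker actually uses.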
Contributor

Need to change the format
