GRIF-48 implement development container

.github/workflows/container.yml

@@ -0,0 +1,57 @@
+name: Build container
+
+env:
+  REGISTRY_USER: ${{ github.actor }}
+  REGISTRY_PASSWORD: ${{ github.token }}
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+
+jobs:
+  build_main:
+    name: ${{ matrix.build.name }}
+    runs-on: 'ubuntu-latest'
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        install_latest: [ true ]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          ref: "main"
+      - name: set lower case owner name
+        run: |
+          echo "OWNER_LC=${OWNER,,}" >>${GITHUB_ENV}
+        env:
+          OWNER: '${{ github.repository_owner }}'
+      - name: Log in to ghcr.io
+        uses: redhat-actions/podman-login@v1
+        with:
+          username: ${{ env.REGISTRY_USER }}
+          password: ${{ env.REGISTRY_PASSWORD }}
+          registry: "ghcr.io/redhatproductsecurity"
+      - run: |
+          sudo apt-get update
+          sudo apt-get -y install buildah
+        name: 'install deps'
+      - run: make build
+        name: 'build main development image'
+      - run: |
+          buildah tag localhost/griffon:dev ghcr.io/redhatproductsecurity/griffon/griffon:dev
+          buildah push ghcr.io/redhatproductsecurity/griffon/griffon:dev
+        name: 'push images'
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+      - name: Sign image with a key
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/redhatproductsecurity/griffon/griffon:dev
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+      - name: Verify image
+        run: |
+          cosign verify --key cosign.pub ghcr.io/redhatproductsecurity/griffon/griffon:dev
+        env:
+          COSIGN_PUBLIC_KEY: ${{secrets.COSIGN_PUBLIC_KEY}}

Containerfile

@@ -1,15 +1,23 @@
+
 FROM quay.io/fedora/fedora:37
 
 LABEL maintainer="Red Hat Product Security Dev - Red Hat, Inc." \
       vendor="Red Hat Product Security Dev - Red Hat, Inc." \
       summary="Red Hat Product Security CLI." \
       distribution-scope="public"
 
-ARG PIP_INDEX_URL="https://pypi.org/simple"
+ARG PIP_INDEX_URL
+ARG ROOT_CA_URL
+ARG REQUESTS_CA_BUNDLE
+ARG CORGI_API_URL
+ARG OSIDB_API_URL
 ENV PYTHONUNBUFFERED=1 \
     PIP_NO_CACHE_DIR=off \
     PIP_INDEX_URL="${PIP_INDEX_URL}" \
-    REQUESTS_CA_BUNDLE="${REQUESTS_CA_BUNDLE}"
+    REQUESTS_CA_BUNDLE="${REQUESTS_CA_BUNDLE}" \
+    ROOT_CA_URL="${ROOT_CA_URL}" \
+    CORGI_API_URL="${CORGI_API_URL}" \
+    OSIDB_API_URL="${OSIDB_API_URL}"
 
 RUN cd /etc/pki/ca-trust/source/anchors/ && \
     # The '| true' skips this step if the ROOT_CA_URL is unset or fails in another way
@@ -35,8 +43,10 @@ RUN dnf --nodocs --setopt install_weak_deps=false -y install \
     && dnf --nodocs --setopt install_weak_deps=false -y upgrade --security \
     && dnf clean all
 
-# TODO - this will be removed once we ship corgi_bindings to pypi
-RUN  pip install pip install -e "git+https://github.com/RedHatProductSecurity/component-registry-bindings#egg=component_registry_bindings"
+# # TODO - this will be removed once we ship corgi_bindings to pypi
+RUN pip3 install -e git+https://github.com/RedHatProductSecurity/component-registry-bindings#egg=component_registry_bindings
+
+COPY ./files/.zshrc /root/.zshrc
 
 WORKDIR /opt/app-root/src/
 
@@ -46,20 +56,15 @@ COPY ./requirements ./requirements
 # docker-compose may override this in the build step).
 RUN pip3 install -r "./requirements/base.txt"
 
-# TODO - remove once corgi-bindings is in pypi
-RUN pip3 install -e "${CORGI_BINDINGS_PIP_URI}"
-
 # Limit copied files to only the ones required to run the app
-COPY ./files/krb5.conf /etc
 COPY ./*.sh ./*.py ./
 COPY ./griffon ./griffon
 COPY ./README.md ./README.md
+COPY ./LICENSE ./LICENSE
 
 RUN pip3 install .
 
-# TODO - we need to grok 'autocompletion' in a container context
-
 RUN chgrp -R 0 /opt/app-root && \
     chmod -R g=u /opt/app-root
 
-ENTRYPOINT ["griffon"]
+ENTRYPOINT ["zsh"]

Makefile

@@ -8,6 +8,16 @@ openssl=`which openssl`
 build: Containerfile
 	$(podman) build --tag localhost/griffon .
 
+build: Containerfile
+	$(podman) build --build-arg CORGI_API_URL="${CORGI_API_URL}" \
+					--build-arg OSIDB_API_URL="${OSIDB_API_URL}" \
+					--build-arg REQUESTS_CA_BUNDLE="${REQUESTS_CA_BUNDLE}" \
+					--build-arg PIP_INDEX_URL="${PIP_INDEX_URL}" \
+					--build-arg ROOT_CA_URL="${ROOT_CA_URL}" \
+					--tag localhost/griffon:dev .
+run:
+	podman run --privileged -it -v /etc/krb5.conf:/etc/krb5.conf localhost/griffon:dev
+
 test-all:
 	$(tox)
 

docs/user_guide.md

@@ -85,6 +85,35 @@ ensuring to source (ex. source ~/.zshrc) to pickup the change.
 
 https://click.palletsprojects.com/en/8.1.x/shell-completion/
 
+
+## Building and running container
+
+First set some env vars
+
+```commandline
+export CORGI_API_URL=<INSERT COMPONENT REGISTRY URL>
+export OSIDB_API_URL=<INESRT OSIDB URL>
+export REQUESTS_CA_BUNDLE=<INSERT CA BUNDLE PATH>
+export PIP_INDEX_URL=<INSERT PIP INDEX URL>
+export ROOT_CA_URL=<INSERT ROOT CA URL >
+```
+then run make target for building container
+
+```commandline
+> make build
+```
+
+Once the container is successfully built 
+
+```commandline
+> podman run --privileged -it -v /etc/krb5.conf:/etc/krb5.conf localhost/griffon:latest
+```
+then you will have to kinit with your user name (inside the container) before you use 
+griffon.
+
+**Note** - This is a temporary container for current development ... at some point
+we will make a release container.
+
 ## Writing custom plugins
 
 Griffon can be extended with custom plugins - handy for integrating with 

files/.zshrc

@@ -0,0 +1,3 @@
+autoload -Uz compinit
+compinit
+eval "$(_GRIFFON_COMPLETE=zsh_source griffon)"