chore(module): add pre-created mount points to images

Images with pre-created mount points:

- cdi-apiserver
- cdi-cloner
- cdi-controller
- cdi-importer
- cdi-operator
- dvcr
- dvcr-importer
- dvcr-uploader
- kube-api-rewriter
- virt-api
- virt-controller
- virt-handler
- virt-launcher
- virt-operator
- virtualization-api
- virtualization-audit
- virtualization-controller
- hp pods

Some notes:

- Create /var/run subdirectories in /run, as /var/run is a symlink to ../run.
- Add /var, /run and symlink /var/run -> ../run in 'distroless' base image.
- Pre-create /var, /run and symlink /var/run -> ../run in kube-api-rewriter image.
- Remove unused extraheaders settings in dvcr-importer and dvcr-uploader.

Signed-off-by: YuryLysov <[email protected]>

Co-authored-by: Ivan Mikheykin <[email protected]>
Co-authored-by: Nikita Korolev <[email protected]>
Signed-off-by: Nikita Korolev <[email protected]>
Signed-off-by: Ivan Mikheykin <[email protected]>

Author: 3 people

.prettierignore

@@ -1,6 +1,7 @@
 **/*.git
 **/.svn
 **/.hg
+images/**/mount-points.yaml
 **/werf*.yaml
 **/werf*.yml
 .werf/**

.werf/defines/image-mountpoints.tmpl

@@ -0,0 +1,32 @@
+{{/*
+
+Template to bake mount points in the image. These static mount points
+are required so containerd can start a container with image integrity check.
+
+Problem: each directory specified in volumeMounts items should exist
+in image, containerd is unable to create mount point for us when
+integrity check is enabled.
+
+Solution: define all possible mount points in mount-points.yaml file and
+include this template in git section of the werf.inc.yaml.
+
+*/}}
+{{/* NOTE: Keep in sync with version in Deckhouse CSE */}}
+{{- define "image mount points" }}
+{{-   $mountPoints := ($.Files.Get (printf "images/%s/mount-points.yaml" $.ImageName) | fromYaml) }}
+{{-   $context := . }}
+{{-   range $v := $mountPoints.dirs }}
+- add: /tools/mounts/mountdir
+  to: {{ $v | trimSuffix "/" }}
+  stageDependencies:
+    install:
+    - "**/*"
+{{-   end }}
+{{-   range $v := $mountPoints.files }}
+- add: /tools/mounts/mountfile
+  to: {{ $v }}
+  stageDependencies:
+    install:
+    - "**/*"
+{{-   end }}
+{{- end }}

images/cdi-apiserver/mount-points.yaml

@@ -0,0 +1,7 @@
+# A list of pre-created mount points for containerd strict mode.
+
+dirs:
+  # Create dirs in /run, as /var/run is a symlink to /run.
+  - /run/certs/cdi-apiserver-signer-bundle
+  - /run/certs/cdi-apiserver-server-cert
+  - /kubeconfig.local

images/cdi-apiserver/werf.inc.yaml

@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}cdi-artifact
   add: /cdi-binaries

images/cdi-cloner/mount-points.yaml

@@ -0,0 +1,7 @@
+# A list of pre-created mount points for containerd strict mode.
+#
+# See https://github.com/deckhouse/3p-containerized-data-importer/blob/80d763d788e06b3decaf22e4762076cec64582b3/pkg/controller/clone-controller.go#L699
+
+dirs:
+  # Create dirs in /run, as /var/run is a symlink to /run.
+  - /run/cdi/clone/source

images/cdi-cloner/werf.inc.yaml

@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-bins
   add: /relocate

images/cdi-controller/mount-points.yaml

@@ -0,0 +1,13 @@
+# A list of pre-created mount points for containerd strict mode.
+#
+# Some volume mounts are ignored:
+# - /tmp - already in the 'distroless' base image.
+
+dirs:
+  # Create dirs in /run, as /var/run is a symlink to /run.
+  - /run/cdi/token/keys
+  - /run/certs/cdi-uploadserver-signer
+  - /run/certs/cdi-uploadserver-client-signer
+  - /run/ca-bundle/cdi-uploadserver-signer-bundle
+  - /run/ca-bundle/cdi-uploadserver-client-signer-bundle
+  - /kubeconfig.local

images/cdi-controller/werf.inc.yaml

@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-bins
   add: /relocate

images/cdi-importer/mount-points.yaml

@@ -0,0 +1,17 @@
+# A list of pre-created mount points for containerd strict mode.
+#
+# See https://github.com/deckhouse/3p-containerized-data-importer/blob/d5fa5124b8a645521843814fffecdf385b74b379/pkg/controller/import-controller.go#L962
+#
+# Some volume mounts are ignored:
+# - /extraheaders - Etra headers not implemented in virtualization-controller.
+# - /google - No support for GCS data source in VirtualImage.
+# - /tmp - already in the 'distroless' base image.
+
+dirs:
+  - /certs
+  - /data
+  - /opt
+  - /proxycerts
+  - /scratch
+  - /shared
+

images/cdi-importer/werf.inc.yaml

@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-bins
   add: /relocate