Refactor charm to use ROCK image (#19)

* refactor charm to use ROCK image

.github/workflows/integration_test.yaml

@@ -2,30 +2,14 @@ name: Integration tests
 
 on:
   pull_request:
-  workflow_call:
 
 jobs:
-  integration-test-microk8s:
-    name: Integration tests (microk8s)
-    strategy:
-      fail-fast: false
-      matrix:
-        tox-environments:
-          - integration-charm
-          - integration-scaling
-          - integration-upgrades
-          - integration-vault
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup operator environment
-        uses: charmed-kubernetes/actions-operator@main
-        with:
-          juju-channel: 3.1/stable
-          provider: microk8s
-          microk8s-addons: "ingress storage dns rbac registry"
-          channel: 1.25-strict/stable
-      - name: Run integration tests
-        # set a predictable model name so it can be consumed by charm-logdump-action
-        run: tox -e ${{ matrix.tox-environments }}
+  integration-tests:
+    uses: canonical/operator-workflows/.github/workflows/integration_test.yaml@main
+    secrets: inherit
+    with:
+      channel: 1.25-strict/stable
+      modules: '["test_charm.py", "test_scaling.py", "test_vault.py"]'
+      juju-channel: 3.1/stable
+      self-hosted-runner: false
+      microk8s-addons: "dns ingress rbac storage metallb:10.15.119.2-10.15.119.4 registry"

.gitignore

@@ -9,3 +9,5 @@ __pycache__/
 .vscode/
 *.whl
 *.tar.gz
+*.rock
+*.lock

.trivyignore

@@ -0,0 +1,6 @@
+# TODO (kelkawi-a): remove these once pebble CVE resolution propagates down the pipeline
+CVE-2023-45288
+CVE-2024-27308
+# TODO (kelkawi-a): remove these once Temporal pushes the latest SDK build to pip
+CVE-2024-32650
+CVE-2024-24790

CONTRIBUTING.md

@@ -35,6 +35,9 @@ deployment, follow the following steps:
     # Install charmcraft from snap:
     sudo snap install charmcraft --classic
 
+    # Install Rockcraft from snap:
+    sudo snap install rockcraft --classic
+
     # Add the 'ubuntu' user to the Microk8s group:
     sudo usermod -a -G microk8s ubuntu
 
@@ -45,7 +48,7 @@ deployment, follow the following steps:
     newgrp microk8s
 
     # Enable the necessary Microk8s addons:
-    microk8s enable hostpath-storage dns
+    microk8s enable hostpath-storage dns registry
 
     # Install the Juju CLI client, juju:
     sudo snap install juju --classic
@@ -60,20 +63,17 @@ deployment, follow the following steps:
     juju model-config logging-config="<root>=INFO;unit=DEBUG"
 
     # Pack the charm:
-    charmcraft pack [--destructive-mode]
+    charmcraft pack
 
-    # Build wheel file:
-    cd resource_sample && poetry build -f wheel
+    # Build ROCK file and push it to local registry:
+    cd resource_sample_py && make build_rock
 
     # Deploy the charm:
-    juju deploy ./temporal-worker-k8s_ubuntu-22.04-amd64.charm --resource temporal-worker-image=python:3.8.2-slim-buster
+    juju deploy ./temporal-worker-k8s_ubuntu-22.04-amd64.charm --resource temporal-worker-image=localhost:32000/temporal-worker-rock
     juju config temporal-worker-k8s --file=path/to/config.yaml
 
-    # Attach wheel file resource:
-    juju attach-resource temporal-worker-k8s workflows-file=./resource_sample/dist/python_samples-1.1.0-py3-none-any.whl
-
     # Check progress:
-    juju status --relations --watch 1s
+    juju status --relations --watch 2s
     juju debug-log
 
     # Clean-up before retrying:

README.md

@@ -3,7 +3,7 @@
 
 # Temporal Worker K8s Operator
 
-This is the Kubernetes Python Operator for the Temporal worker.
+This is the Kubernetes Python Operator for the Temporal Worker.
 
 ## Description
 
@@ -13,18 +13,29 @@ execution of services and applications (using workflows).
 Use Workflow as Code (TM) to build and operate resilient applications. Leverage
 developer friendly primitives and avoid fighting your infrastructure
 
-This operator provides a Temporal worker, and consists of Python scripts which
+This operator provides a Temporal Worker, and consists of Python scripts which
 connect to a deployed Temporal server.
 
 ## Usage
 
 ### Deploying
 
-The Temporal worker operator can be deployed and connected to a deployed
+To deploy the Temporal Worker operator, you can start by creating a Temporal
+workflow, or use the one provided in
+[`resource_sample_py`](./resource_sample_py/). Once done, the project can be
+built as a [ROCK](https://documentation.ubuntu.com/rockcraft/en/stable/) and
+pushed to the [local registry](https://microk8s.io/docs/registry-built-in) by
+running the following command inside the `resource_sample_py` directory:
+
+```bash
+make build_rock
+```
+
+The Temporal Worker operator can then be deployed and connected to a deployed
 Temporal server using the Juju command line as follows:
 
 ```bash
-juju deploy temporal-worker-k8s
+juju deploy temporal-worker-k8s --resource temporal-worker-image=localhost:32000/temporal-worker-rock
 juju config temporal-worker-k8s --file=path/to/config.yaml
 ```
 
@@ -35,63 +46,44 @@ temporal-worker-k8s:
   host: "localhost:7233" # Replace with Temporal server hostname
   queue: "test-queue"
   namespace: "test"
-  workflows-file-name: "python_samples-1.1.0-py3-none-any.whl"
-  # To support all defined workflows and activities, use the 'all' keyword
-  supported-workflows: "all"
-  supported-activities: "all"
 ```
 
-### Attaching "workflows-file" resource
-
-The Temporal worker operator expects a "workflows-file" resource to be attached
-after deployment, which contains a set of defined Temporal workflows and
-activities as defined in the [resource_sample](./resource_sample/) directory.
-The structure of the built wheel file must follow the same structure:
+Once done, the charm should enter an active state, indicating that the worker is
+running successfully. To verify this, you can check the logs of the juju unit to
+ensure there are no errors with the workload container:
 
+```bash
+juju ssh --container temporal-worker temporal-worker-k8s/0 /charm/bin/pebble logs temporal-worker -f
 ```
-- workflows/
-    - workflow-a.py
-    - workflow-b.py
-- activities/
-    - activity-a.py
-    - activity-b.py
-- some_other_directory/
-- some_helper_file.py
-```
 
-The sample wheel file can be built by running `poetry build -f wheel` in the
-[resource_sample](./resource_sample/) directory.
+Note: The only requirement for the ROCK is to have a `scripts/start-worker.sh`
+file, which will be used as the entry point for the charm to start the workload
+container.
+
+### Adding Environment Variables
 
-Once ready, the resource can be attached as follows:
+The Temporal Worker operator can be used to inject environment variables that
+can be ingested by your workflows. This can be done using the Juju command line as follows:
 
 ```bash
-make -C resource_sample/ build
-juju attach-resource temporal-worker-k8s workflows-file=./resource_sample/dist/python_samples-1.1.0-py3-none-any.whl
+juju attach-resource temporal-worker-k8s env-file=path/to/.env
 ```
 
-Once done, the charm should enter an active state, indicating that the worker is
-running successfully. To verify this, you can check the logs of the kubernetes
-pod to ensure there are no errors with the workload container:
+#### **`.env`**
 
-```bash
-kubectl -n <juju_model_name> logs temporal-worker-k8s-0 -c temporal-worker -f
 ```
-
-Note: Files defined under the "workflows" directory must only contain classes
-decorated using the `@workflow.defn` decorator. Files defined under the
-"activities" directory must only contain methods decorated using the
-`@activity.defn` decorator. Any additional methods or classes needed should be
-defined in other files.
+VALUE=123
+```
 
 ## Verifying
 
-To verify that the setup is running correctly, run `juju status --watch 1s` and
+To verify that the setup is running correctly, run `juju status --watch 2s` and
 ensure the pod is active.
 
 To run a basic workflow, you may use a simple client (e.g.
 [sdk-python sample](https://github.com/temporalio/sdk-python#quick-start)) and
 connect to the same Temporal server. If run on the same namespace and task queue
-as the Temporal worker, it should be executed successfully.
+as the Temporal Worker, it should be executed successfully.
 
 ## Scaling
 
@@ -103,7 +95,7 @@ juju scale-application temporal-worker-k8s <num_of_replicas_required_replicas>
 
 ## Error Monitoring
 
-The Temporal worker operator has a built-in Sentry interceptor which can be used
+The Temporal Worker operator has a built-in Sentry interceptor which can be used
 to intercept and capture errors from the Temporal SDK. To enable it, run the
 following commands:
 
@@ -115,7 +107,7 @@ juju config temporal-worker-k8s sentry-environment="staging"
 
 ## Observability
 
-The Temporal worker operator charm can be related to the
+The Temporal Worker operator charm can be related to the
 [Canonical Observability Stack](https://charmhub.io/topics/canonical-observability-stack)
 in order to collect logs and telemetry. To deploy cos-lite and expose its
 endpoints as offers, follow these steps:
@@ -147,7 +139,7 @@ juju run grafana/0 -m cos get-admin-password --wait 1m
 
 ## Vault
 
-The Temporal worker operator charm can be related to the
+The Temporal Worker operator charm can be related to the
 [Vault operator charm](https://charmhub.io/vault-k8s) to securely store
 credentials that can be accessed by workflows. This is the recommended way of
 storing workflow-related credentials in production environments. To enable this,
@@ -165,7 +157,7 @@ instructions found [here](https://charmhub.io/vault-k8s/docs/h-getting-started).
 
 For a reference on how to access credentials from Vault through the workflow
 code,
-[`activity2.py`](./resource_sample/resource_sample/activities/activity2.py)
+[`activity2.py`](./resource_sample_py/resource_sample/activities/activity2.py)
 under the `resource_sample` directory shows a sample for writing and reading
 secrets in Vault.
 

config.yaml

@@ -31,16 +31,6 @@ options:
     default: ""
     type: string
 
-  supported-workflows:
-    description: Comma-separated list of workflow names to extract from attached wheel file.
-    default: ""
-    type: string
-
-  supported-activities:
-    description: Comma-separated list of workflow activities to extract from attached wheel file.
-    default: ""
-    type: string
-
   sentry-dsn:
     description: Sentry Data Source Name to send events to.
     default: ""
@@ -69,11 +59,6 @@ options:
     default: 1.0
     type: float
 
-  workflows-file-name:
-    description: Name of the wheel file resource attached to the charm.
-    default: ""
-    type: string
-
   encryption-key:
     description: Base64-encoded key used for data encryption.
     default: ""
@@ -161,18 +146,3 @@ options:
     description: Client certificate URL for OIDC authentication.
     default: ""
     type: string
-
-  http-proxy:
-    description: Used to set HTTP_PROXY environment variable.
-    default: ""
-    type: string
-
-  https-proxy:
-    description: Used to set HTTPS_PROXY environment variable.
-    default: ""
-    type: string
-
-  no-proxy:
-    description: Used to set NO_PROXY environment variable.
-    default: ""
-    type: string

metadata.yaml

@@ -35,17 +35,11 @@ peers:
 containers:
   temporal-worker:
     resource: temporal-worker-image
-    # Included for simplicity in integration tests.
-    upstream-source: python:3.8.2-slim-buster
 
 resources:
   temporal-worker-image:
     type: oci-image
     description: OCI image containing Python package.
-  workflows-file:
-    type: file
-    description: Wheel file containing Temporal workflows and activities.
-    filename: 'workflows-file.whl'
   env-file:
     type: file
     description: .env file containing environment variables to be sourced to the workload container.