feat(cmd/rofl): Implement deploy via ROFL market

Author: kostko

.golangci.yml

@@ -77,6 +77,7 @@ linters-settings:
           - github.com/github/go-spdx/v2
           - github.com/opencontainers/image-spec/specs-go/v1
           - oras.land/oras-go/v2
+          - github.com/wI2L/jsondiff
   exhaustive:
     # Switch statements are to be considered exhaustive if a 'default' case is
     # present, even if all enum members aren't listed in the switch.

build/rofl/manifest.go

@@ -243,6 +243,10 @@ func (m *Manifest) Save() error {
 // used in case no deployment is passed.
 const DefaultDeploymentName = "default"
 
+// DefaultMachineName is the name of the default machine into which the app is deployed when no
+// specific machine is passed.
+const DefaultMachineName = "default"
+
 // Deployment describes a single ROFL app deployment.
 type Deployment struct {
 	// AppID is the Bech32-encoded ROFL app ID.
@@ -255,6 +259,8 @@ type Deployment struct {
 	Admin string `yaml:"admin,omitempty" json:"admin,omitempty"`
 	// Debug is a flag denoting whether this is a debuggable deployment.
 	Debug bool `yaml:"debug,omitempty" json:"debug,omitempty"`
+	// OCIRepository is the optional OCI repository where one can push the ORC to.
+	OCIRepository string `yaml:"oci_repository,omitempty" json:"oci_repository,omitempty"`
 	// TrustRoot is the optional trust root configuration.
 	TrustRoot *TrustRootConfig `yaml:"trust_root,omitempty" json:"trust_root,omitempty"`
 	// Policy is the ROFL app policy.
@@ -263,9 +269,12 @@ type Deployment struct {
 	Metadata map[string]string `yaml:"metadata,omitempty" json:"metadata,omitempty"`
 	// Secrets contains encrypted secrets.
 	Secrets []*SecretConfig `yaml:"secrets,omitempty" json:"secrets,omitempty"`
+
+	// Machines are the machines on which app replicas are deployed.
+	Machines map[string]*Machine `yaml:"machines,omitempty" json:"machines,omitempty"`
 }
 
-// Validate validates the manifest for correctness.
+// Validate validates the deployment for correctness.
 func (d *Deployment) Validate() error {
 	if len(d.AppID) > 0 {
 		var appID rofl.AppID
@@ -284,6 +293,12 @@ func (d *Deployment) Validate() error {
 			return fmt.Errorf("bad secret: %w", err)
 		}
 	}
+
+	for name, machine := range d.Machines {
+		if err := machine.Validate(); err != nil {
+			return fmt.Errorf("bad machine '%s': %w", name, err)
+		}
+	}
 	return nil
 }
 
@@ -292,6 +307,27 @@ func (d *Deployment) HasAppID() bool {
 	return len(d.AppID) > 0
 }
 
+// Machine is a hosted machine where a ROFL app is deployed.
+type Machine struct {
+	// Provider is the address of the ROFL market provider to deploy to.
+	Provider string `yaml:"provider,omitempty" json:"provider,omitempty"`
+	// Offer is the provider's offer identifier to provision.
+	Offer string `yaml:"offer,omitempty" json:"offer,omitempty"`
+	// ID is the identifier of the machine to deploy into.
+	ID string `yaml:"id,omitempty" json:"id,omitempty"`
+}
+
+// Validate validates the machine for correctness.
+func (m *Machine) Validate() error {
+	if m.Offer != "" && m.Provider == "" {
+		return fmt.Errorf("offer identifier cannot be specified without a provider")
+	}
+	if m.ID != "" && m.Provider == "" {
+		return fmt.Errorf("machine identifier cannot be specified without a provider")
+	}
+	return nil
+}
+
 // TrustRootConfig is the trust root configuration.
 type TrustRootConfig struct {
 	// Height is the consensus layer block height where to take the trust root.

build/rofl/oci.go

@@ -3,8 +3,11 @@ package rofl
 import (
 	"context"
 	"fmt"
+	"maps"
 	"os"
 	"path/filepath"
+	"slices"
+	"strings"
 
 	v1 "github.com/opencontainers/image-spec/specs-go/v1"
 	oras "oras.land/oras-go/v2"
@@ -14,6 +17,7 @@ import (
 	"oras.land/oras-go/v2/registry/remote/credentials"
 	"oras.land/oras-go/v2/registry/remote/retry"
 
+	"github.com/oasisprotocol/oasis-core/go/common/crypto/hash"
 	"github.com/oasisprotocol/oasis-core/go/runtime/bundle"
 )
 
@@ -24,53 +28,63 @@ const (
 )
 
 // PushBundleToOciRepository pushes an ORC bundle to the given remote OCI repository.
-func PushBundleToOciRepository(bundleFn, dst, tag string) error {
+//
+// Returns the OCI manifest digest and the ORC manifest hash.
+func PushBundleToOciRepository(bundleFn, dst string) (string, hash.Hash, error) {
 	ctx := context.Background()
 
+	atoms := strings.Split(dst, ":")
+	if len(atoms) != 2 {
+		return "", hash.Hash{}, fmt.Errorf("malformed OCI repository reference (repo:tag required)")
+	}
+	dst = atoms[0]
+	tag := atoms[1]
+
 	// Open the bundle.
 	bnd, err := bundle.Open(bundleFn)
 	if err != nil {
-		return fmt.Errorf("failed to open bundle: %w", err)
+		return "", hash.Hash{}, fmt.Errorf("failed to open bundle: %w", err)
 	}
 	defer bnd.Close()
 
 	// Create a temporary file store to build the OCI layers.
 	tmpDir, err := os.MkdirTemp("", "oasis-orc2oci")
 	if err != nil {
-		return fmt.Errorf("failed to create temporary directory: %w", err)
+		return "", hash.Hash{}, fmt.Errorf("failed to create temporary directory: %w", err)
 	}
 	defer os.RemoveAll(tmpDir)
 
 	storeDir := filepath.Join(tmpDir, "oci")
 	store, err := file.New(storeDir)
 	if err != nil {
-		return fmt.Errorf("failed to create temporary OCI store: %w", err)
+		return "", hash.Hash{}, fmt.Errorf("failed to create temporary OCI store: %w", err)
 	}
 	defer store.Close()
 
 	bundleDir := filepath.Join(tmpDir, "bundle")
 	if err = bnd.WriteExploded(bundleDir); err != nil {
-		return fmt.Errorf("failed to explode bundle: %w", err)
+		return "", hash.Hash{}, fmt.Errorf("failed to explode bundle: %w", err)
 	}
 
 	// Generate the config object from the manifest.
 	const manifestName = "META-INF/MANIFEST.MF"
 	configDsc, err := store.Add(ctx, manifestName, ociTypeOrcConfig, filepath.Join(bundleDir, manifestName))
 	if err != nil {
-		return fmt.Errorf("failed to add config object from manifest: %w", err)
+		return "", hash.Hash{}, fmt.Errorf("failed to add config object from manifest: %w", err)
 	}
 
 	// Add other files as layers.
 	layers := make([]v1.Descriptor, 0, len(bnd.Data)-1)
-	for fn := range bnd.Data {
+	fns := slices.Sorted(maps.Keys(bnd.Data)) // Ensure deterministic order.
+	for _, fn := range fns {
 		if fn == manifestName {
 			continue
 		}
 
 		var layerDsc v1.Descriptor
 		layerDsc, err = store.Add(ctx, fn, ociTypeOrcLayer, filepath.Join(bundleDir, fn))
 		if err != nil {
-			return fmt.Errorf("failed to add OCI layer: %w", err)
+			return "", hash.Hash{}, fmt.Errorf("failed to add OCI layer: %w", err)
 		}
 
 		layers = append(layers, layerDsc)
@@ -80,25 +94,29 @@ func PushBundleToOciRepository(bundleFn, dst, tag string) error {
 	opts := oras.PackManifestOptions{
 		Layers:           layers,
 		ConfigDescriptor: &configDsc,
+		ManifestAnnotations: map[string]string{
+			// Use a fixed crated timestamp to avoid changing the manifest digest for no reason.
+			v1.AnnotationCreated: "2025-03-31T00:00:00Z",
+		},
 	}
 	manifestDescriptor, err := oras.PackManifest(ctx, store, oras.PackManifestVersion1_1, ociTypeOrcArtifact, opts)
 	if err != nil {
-		return fmt.Errorf("failed to pack OCI manifest: %w", err)
+		return "", hash.Hash{}, fmt.Errorf("failed to pack OCI manifest: %w", err)
 	}
 
 	// Tag the manifest.
 	if err = store.Tag(ctx, manifestDescriptor, tag); err != nil {
-		return fmt.Errorf("failed to tag OCI manifest: %w", err)
+		return "", hash.Hash{}, fmt.Errorf("failed to tag OCI manifest: %w", err)
 	}
 
 	// Connect to remote repository.
 	repo, err := remote.NewRepository(dst)
 	if err != nil {
-		return fmt.Errorf("failed to init remote OCI repository: %w", err)
+		return "", hash.Hash{}, fmt.Errorf("failed to init remote OCI repository: %w", err)
 	}
 	creds, err := credentials.NewStoreFromDocker(credentials.StoreOptions{})
 	if err != nil {
-		return fmt.Errorf("failed to init OCI credential store: %w", err)
+		return "", hash.Hash{}, fmt.Errorf("failed to init OCI credential store: %w", err)
 	}
 	repo.Client = &auth.Client{
 		Client:     retry.DefaultClient,
@@ -108,8 +126,8 @@ func PushBundleToOciRepository(bundleFn, dst, tag string) error {
 
 	// Push to remote repository.
 	if _, err = oras.Copy(ctx, store, tag, repo, tag, oras.DefaultCopyOptions); err != nil {
-		return fmt.Errorf("failed to push to remote OCI repository: %w", err)
+		return "", hash.Hash{}, fmt.Errorf("failed to push to remote OCI repository: %w", err)
 	}
 
-	return nil
+	return manifestDescriptor.Digest.String(), bnd.Manifest.Hash(), nil
 }

build/rofl/provider/defaults.go

@@ -0,0 +1,8 @@
+package provider
+
+// DefaultSchedulerApp contains the default scheduler app IDs for each network/paratime.
+var DefaultSchedulerApp = map[string]map[string]string{
+	"testnet": {
+		"sapphire": "rofl1qrqw99h0f7az3hwt2cl7yeew3wtz0fxunu7luyfg",
+	},
+}