feat(appliance): ADR-119 config-delivery model + OVA bootstrap-seed publishing#531
Merged
Conversation
Presence-driven first boot (autoinstall/kickstart convention): a config artifact's presence decides headless-apply vs zero-config first-run; rich config (hostname/TLS/DNS creds) moves post-boot to the DCUI + operator warm path. Carrier is a stock cloud-init NoCloud vfat 'cidata' volume — no bespoke reader, no countdown, no signature file. Deliberately minimizes novelty to match familiar appliance shapes (pfSense/TrueNAS/OVF). Cross-refs ADR-104 (claim) and ADR-103 (convergence: OVA is a bootstrap seed, currency via operator upgrade). Corrects ADR-104's appliance interactivity row.
… asset Automates the previously-manual 'attach the OVA to a Release by hand' flow: builds the OVA, xz-compresses the qcow2, writes SHA256SUMS, and uploads to the matching GitHub release (gh release upload --clobber). Decoupled from 'release' on purpose — the OVA is a thin bootstrap seed (ADR-103/ADR-119), republished occasionally to move the baseline, while per-release currency flows through GHCR images + operator upgrade. Adds 'make publish-appliance' and refreshes the appliance README to document the convergence contract.
…dry-run - Always recompress the qcow2 (drop the stale-.xz guard that would re-publish old bytes under a fresh checksum on a same-VERSION rebuild) [H1/H2] - Dry-run reports intent only; no xz, no SHA256SUMS write [L3] - Only publish a .xz when a source qcow2 exists this run (OVA-only --skip-build ships just the OVA) [H2] - Upload SHA256SUMS last as the commit marker; add a verify hint [M3] - Comment the release-minting decoupling [M2] - ADR-119: soften the OVF empty-slot claim to future tense + follow-on note [M1]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Two linked pieces toward deploying the appliance the way a normal person would — download an OVA, import it, run it.
ADR-119 — appliance configuration delivery & first-boot orchestration (Draft)
Settles the design we'd been circling:
set-hostname/set-tls/set-dns-creds, follow-on). This is the pfSense/TrueNAS shape.cidatavolume — cloud-init is the reader; no bespoke discovery, no signature file.KG_PROVISION_SCHEMAcovers forward-compat.publish.sh appliance— OVA as a bootstrap-seed release assetAutomates the previously-manual "attach the OVA to a Release by hand" step (per the appliance README): build OVA →
xzthe qcow2 →SHA256SUMS→gh release upload --clobber.Convergence contract (ADR-103): the OVA is a thin bootstrap seed — download once, run, then
operator.sh upgradekeeps it current via GHCR images. The container images are the per-release artifacts; the OVA is republished only occasionally to move the baseline. So the command is decoupled fromreleaseby design. Addsmake publish-appliance.Test
bash -n scripts/publish.sh✓;./publish.sh appliance --dry-runexercises the build/checksum/guard path.docs/scripts/adr lint→ 0 errors / 0 warnings; INDEX regenerated.Note
This is design + the publishing tooling. The first-boot orchestration changes (no-config → real first-run) and the
operator set-*warm-reconfig verbs are follow-on implementation tracked by ADR-119.