refactor: copy files into role, copy containers into quay lsr#27

Merged
richm merged 1 commit into
linux-system-roles:mainfrom
richm:refactor-import-quadlet-files
Apr 10, 2026

Conversation


@richm richm commented Apr 10, 2026

copy quadlet files into role from external git repo

copy container images into quay.io linux-system-roles

Signed-off-by: Rich Megginson <rmeggins@redhat.com>

Summary by Sourcery

Inline trustee quadlet and config files into the role instead of downloading them from an external repository, and simplify related configuration handling.

New Features:

  • Add embedded quadlet unit files and trustee-gc configuration templates to the role for local deployment.

Enhancements:

  • Simplify quadlet installation by copying files from the role rather than cloning a remote Git repository.
  • Always manage trustee-gc configuration directories and KBS substitutions based on local files instead of conditional repo presence.
  • Remove unnecessary git dependency and handler flush from the role execution flow.

Tests:

  • Add placeholder test role files directory for trustee_client tests.

@richm richm requested a review from spetrosi as a code owner April 10, 2026 16:56

sourcery-ai Bot commented Apr 10, 2026

Reviewer's Guide

Refactors the trustee_quadlet role to stop cloning quadlet/config files from an external Git repo and instead ship static quadlet and config assets within the role, simplifying installation and KBS configuration handling.

Flow diagram for updated trustee_quadlet.yml tasks

```mermaid
flowchart TD
  Start[Start trustee_quadlet tasks] --> CreateDirs[Ensure /etc/trustee-gc and systemd quadlet dir exist]
  CreateDirs --> CopyQuadlet[Copy static quadlet files from role files/quadlet to __trustee_client_quadlet_install_dir]
  CopyQuadlet --> CopyAAConfigs[Copy AA configs from files/configs/aa to /etc/trustee-gc/]
  CopyAAConfigs --> CopyCDHConfigs[Copy CDH configs from files/configs/cdh to /etc/trustee-gc/]
  CopyCDHConfigs --> SetKBSCert[Set __trustee_client_kbs_cert_content from path or explicit content]
  SetKBSCert --> ReplaceKBSUrl[Replace KBS_URL in aa and cdh config.toml]
  ReplaceKBSUrl -->|when trustee_client_kbs_url length > 0| ReplaceKBSCert[Replace KBS_CERT in aa and cdh config.toml]
  ReplaceKBSCert -->|when __trustee_client_kbs_cert_content length > 0| WriteCert[Write KBS certificate to /etc/trustee-gc/server.crt]
  WriteCert --> SevStat[Stat /dev/sev-guest device]
  SevStat --> PodmanStat[Stat trustee-gc pod quadlet file]
  PodmanStat --> EnableService[Enable and start trustee-gc pod with systemd]
  EnableService --> End[End trustee_quadlet tasks]
```

File-Level Changes

Change: Replace dynamic quadlet/config retrieval from external Git repository with static files embedded in the role and simplify copy logic.
Details:
  • Remove tasks that create a temp directory, clone a Git repository, discover quadlet files, and clean up the temporary directory.
  • Change the quadlet install step to copy all unit files from the role's files/quadlet/ directory into the quadlet install directory.
  • Introduce dedicated copy tasks to deploy AA and CDH config directories from files/configs/aa and files/configs/cdh into /etc/trustee-gc/ with appropriate file and directory modes.
  • Drop conditional checks based on the presence of a configs directory in the cloned repository and rely on shipped config files instead.
Files: tasks/trustee_quadlet.yml

Change: Adjust KBS configuration handling to operate unconditionally on shipped config files and ensure certificate material is written once in a clearer location.
Details:
  • Remove when-conditions tied to the now-removed repository configs directory while keeping the requirement for non-empty trustee_client_kbs_url.
  • Keep KBS_CERT replacement gated only on non-empty __trustee_client_kbs_cert_content.
  • Move the task that writes the KBS certificate to /etc/trustee-gc/server.crt earlier in the play, colocated with other KBS-related tasks, and remove the duplicate at the end of the file.
Files: tasks/trustee_quadlet.yml

Change: Update role variables to reflect removal of the external Git dependency.
Details:
  • Remove internal variables describing the external quadlet Git repository URL, path, and branch.
  • Remove git from the list of required trustee_gc packages since it is no longer used.
Files: vars/main.yml

Change: Clean up task orchestration and remove unnecessary handler flushing.
Details:
  • Remove the explicit meta: flush_handlers task at the end of tasks/main.yml since it is no longer needed.
Files: tasks/main.yml

Change: Add new in-repo quadlet unit and config assets that replace previously downloaded content.
Details:
  • Add CDH config.toml under files/configs/cdh/ with placeholder KBS_URL and KBS_CERT to be replaced at runtime.
  • Add AA config.toml under files/configs/aa/ with placeholders for KBS_URL and KBS_CERT.
  • Add static quadlet pod and container unit files under files/quadlet/ (trustee-gc-aa.container, trustee-gc-asr.container, trustee-gc-cdh.container, trustee-gc.pod).
  • Introduce a placeholder test-role files directory under tests/roles/linux-system-roles.trustee_client/files to support tests using the new static assets.
Files:
  files/configs/cdh/config.toml
  files/configs/aa/config.toml
  files/quadlet/trustee-gc-aa.container
  files/quadlet/trustee-gc-asr.container
  files/quadlet/trustee-gc-cdh.container
  files/quadlet/trustee-gc.pod
  tests/roles/linux-system-roles.trustee_client/files


@sourcery-ai sourcery-ai Bot left a comment


Hey - I've found 1 issue, and left some high-level feedback:

  • In the copy tasks inside the role, you can simplify and make the role more conventional by using role-relative paths like src: quadlet/ and src: configs/aa instead of files/quadlet/ and files/configs/aa, since Ansible automatically looks under the role’s files/ directory.
  • By removing the final meta: flush_handlers, any handlers (e.g. for systemd units) will now run only at the end of the play; if service startup is expected immediately after quadlet deployment, consider reintroducing a targeted flush_handlers at the appropriate point instead of dropping it entirely.
## Individual Comments

### Comment 1
<location path="tasks/trustee_quadlet.yml" line_range="16-19" />
<code_context>
-  when: quadlet_files_found.files | length == 0
-
 - name: Copy Trustee Guest Components quadlet files to install directory
   ansible.builtin.copy:
-    src: "{{ item.path }}"
-    dest: "{{ __trustee_client_quadlet_install_dir }}/{{ item.path | basename }}"
+    src: files/quadlet/
+    dest: "{{ __trustee_client_quadlet_install_dir }}/"
     mode: "0644"
-    remote_src: true
-    force: true
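Review bot: dropping `force: true` and `remote_src: true` is behaviour-preserving here, since `ansible.builtin.copy` defaults to `force: true` and the source now lives on the controller in the role's own tree, but neither the task nor the commit message says so; a short comment that existing unit files in `__trustee_client_quadlet_install_dir` are still overwritten would save the next reader a trip to the module docs. The trailing slash on `src: files/quadlet/` is load-bearing: it copies the directory's contents rather than a `quadlet/` subdirectory, so the unit files land directly in the install directory, which is what the task name promises.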
</code_context>
<issue_to_address>
**suggestion:** Consider specifying `directory_mode` for the quadlet copy to ensure directory permissions are consistent and explicit.

Since `src` is now the `files/quadlet/` directory, `mode` will only apply to files and directory permissions will use Ansible’s defaults. To match the config copy tasks and avoid relying on distribution defaults, please set an explicit `directory_mode` (e.g. `"0755"`) here as well.

Suggested implementation:

```yaml
- name: Copy Trustee Guest Components quadlet files to install directory
  ansible.builtin.copy:
    src: files/quadlet/
    dest: "{{ __trustee_client_quadlet_install_dir }}/"
    mode: "0644"
    directory_mode: "0755"
```

If there are other `ansible.builtin.copy` tasks in this role that copy directories (e.g. the “config copy tasks” you mentioned), consider aligning their `directory_mode` values as well to keep permissions consistent across the role.
</issue_to_address>

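As an added example (not the role's own tasks/trustee_quadlet.yml), the task flow from the reviewer's guide above condensed into Ansible YAML with both review points applied: role-relative `src` paths with an explicit `directory_mode`, and a targeted `meta: flush_handlers` before the pod is started. Variable names and paths come from the page; the handler name, the `trustee-gc-pod.service` unit name and the use of `ansible.builtin.replace` for the placeholder substitution are assumptions.

```yaml
# Added example, not the role's own tasks file. Handler name, service name and
# ansible.builtin.replace for the placeholder substitution are assumptions.
- name: Copy Trustee Guest Components quadlet files to install directory
  ansible.builtin.copy:
    src: quadlet/  # role-relative: resolved under the role's files/ directory
    dest: "{{ __trustee_client_quadlet_install_dir }}/"  # created if missing
    mode: "0644"
    directory_mode: "0755"
  notify: Reload systemd daemon  # assumed handler that runs daemon_reload

- name: Copy AA and CDH config directories to /etc/trustee-gc/
  ansible.builtin.copy:
    src: "configs/{{ item }}"  # no trailing slash: copies the directory itself
    dest: /etc/trustee-gc/
    mode: "0644"
    directory_mode: "0755"
  loop: [aa, cdh]

- name: Replace KBS_URL placeholder in aa and cdh config.toml
  ansible.builtin.replace:
    path: "/etc/trustee-gc/{{ item }}/config.toml"
    regexp: KBS_URL
    replace: "{{ trustee_client_kbs_url }}"
  loop: [aa, cdh]
  when: trustee_client_kbs_url | length > 0

- name: Write KBS certificate to /etc/trustee-gc/server.crt
  ansible.builtin.copy:
    content: "{{ __trustee_client_kbs_cert_content }}"
    dest: /etc/trustee-gc/server.crt
    mode: "0644"
  when: __trustee_client_kbs_cert_content | length > 0

# Targeted flush replacing the removed end-of-play one: the notified
# daemon-reload runs here, before the pod unit is enabled and started.
- name: Flush handlers so the new quadlet units are generated first
  ansible.builtin.meta: flush_handlers

- name: Enable and start trustee-gc pod with systemd
  ansible.builtin.systemd:
    name: trustee-gc-pod.service  # assumed: quadlet generates <name>-pod.service
    enabled: true
    state: started
```

The `when` guards mirror the flow diagram: with an empty `__trustee_client_kbs_cert_content` no server.crt is written and the KBS_CERT placeholder is left untouched, so a deployment that expects TLS verification should check that variable is non-empty rather than rely on the config being rewritten.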



richm commented Apr 10, 2026

[citest]

@richm richm merged commit 4858433 into linux-system-roles:main Apr 10, 2026
37 checks passed
@richm richm deleted the refactor-import-quadlet-files branch April 10, 2026 17:27