Introduce the native CLI

This command line tool overhauls the initial setup for Kubernetes
deployments.

The new tool gives us more information when something doesn't work out
as intended and brings the the cluster setup considerably closer to what
one would expect in a production grade system.

The nativelink image and worker containers are now fully built
in the cluster via Tekton Pipelines. Rebuilds may be triggered with curl
requests instead of the old `nix run .#xxx.copyTo` workflow. This makes
the setup more generic and provides clearer pointers on how to bring the
system into continuously updating production workflows.

The `native` tool is technically fully self-contained. The examples
still make use of some local paths, but it's now possible to set up the
cluster and deploy NativeLink in it without cloning the nativelink
repository. This requires slightly modified `01_operations.sh` scripts
which we'll add as a new example.

Author: aaronmondal

.github/styles/config/vocabularies/TraceMachina/accept.txt

@@ -26,3 +26,5 @@ parsable
 rebase
 remoteable
 Chromium
+Pulumi
+Tekton

.github/workflows/lre.yaml

@@ -67,8 +67,7 @@ jobs:
 
       - name: Start Kubernetes cluster (Infra)
         run: >
-          nix develop --impure --command
-          bash -c "./deployment-examples/kubernetes/00_infra.sh"
+          nix run .#native up
 
       - name: Start Kubernetes cluster (Operations)
         run: >

.gitignore

@@ -14,3 +14,4 @@ result
 .bazelrc.user
 MODULE.bazel.lock
 trivy-results.sarif
+Pulumi.dev.yaml

.golangci.yaml

@@ -0,0 +1,21 @@
+---
+linters:
+  enable-all: true
+  disable:
+    # Deprecated.
+    - nosnakecase
+    - interfacer
+    - exhaustivestruct
+    - ifshort
+    - deadcode
+    - varcheck
+    - golint
+    - maligned
+    - scopelint
+    - structcheck
+
+    # Allow all packages for now.
+    - depguard
+
+    # TODO(aaronmondal): Fix these at some point.
+    - exhaustruct

Pulumi.yaml

@@ -0,0 +1,11 @@
+---
+name: nativelink
+org: TraceMachina
+runtime: go
+description: The development cluster for NativeLink.
+organization:
+  pulumi:tags:
+    company: "Trace Machina, Inc."
+backend:
+  # Only intended to run locally.
+  url: file://~

deployment-examples/chromium/00_infra.sh

@@ -7,16 +7,29 @@ set -xeuo pipefail
 
 SRC_ROOT=$(git rev-parse --show-toplevel)
 
-kubectl apply -f ${SRC_ROOT}/deployment-examples/chromium/gateway.yaml
+EVENTLISTENER=$(kubectl get gtw eventlistener -o=jsonpath='{.status.addresses[0].value}')
 
 # The image for the scheduler and CAS.
-nix run .#image.copyTo \
-    docker://localhost:5001/nativelink:local \
-    -- \
-    --dest-tls-verify=false
+curl -v \
+    -H 'content-Type: application/json' \
+    -d '{
+        "flakeOutput": "./src_root#image",
+        "imageTagOverride": "local"
+    }' \
+    http://${EVENTLISTENER}:8080
 
-# Wrap it with nativelink to turn it into a worker.
-nix run .#nativelink-worker-siso-chromium.copyTo \
-    docker://localhost:5001/nativelink-worker-siso-chromium:local \
-    -- \
-    --dest-tls-verify=false
+# Wrap it nativelink to turn it into a worker.
+curl -v \
+    -H 'content-Type: application/json' \
+    -d '{
+        "flakeOutput": "./src_root#nativelink-worker-siso-chromium",
+        "imageTagOverride": "local"
+    }' \
+    http://${EVENTLISTENER}:8080
+
+# Wait for the pipelines to finish.
+kubectl wait \
+    --for=condition=Succeeded \
+    --timeout=30m \
+    pipelinerun \
+        -l tekton.dev/pipeline=rebuild-nativelink

deployment-examples/chromium/01_operations.sh

@@ -19,16 +19,25 @@ In this example we're using `kind` to set up the cluster `cilium` to provide a
 First set up a local development cluster:
 
 ```bash
-./00_infra.sh
+native up
 ```
 
+> [!TIP]
+> The `native up` command uses Pulumi under the hood. You can view and delete
+> the stack with `pulumi stack` and `pulumi destroy`.
+
 Next start a few standard deployments. This part also builds the remote
 execution containers and makes them available to the cluster:
 
 ```bash
 ./01_operations.sh
 ```
 
+> [!TIP]
+> The operations invoke cluster-internal Tekton Pipelines to build and push the
+> `nativelink` and worker images. You can view the state of the pipelines with
+> `tkn pr ls` and `tkn pr logs`/`tkn pr logs --follow`.
+
 Finally, deploy NativeLink:
 
 ```bash

deployment-examples/chromium/README.md

@@ -7,22 +7,35 @@ set -xeuo pipefail
 
 SRC_ROOT=$(git rev-parse --show-toplevel)
 
-kubectl apply -f ${SRC_ROOT}/deployment-examples/kubernetes/gateway.yaml
-
-# The image for the scheduler and CAS.
-nix run .#image.copyTo \
-    docker://localhost:5001/nativelink:local \
-    -- \
-    --dest-tls-verify=false
-
-# The worker image for C++ actions.
-nix run .#nativelink-worker-lre-cc.copyTo \
-    docker://localhost:5001/nativelink-worker-lre-cc:local \
-    -- \
-    --dest-tls-verify=false
-
-# The worker image for Java actions.
-nix run .#nativelink-worker-lre-java.copyTo \
-    docker://localhost:5001/nativelink-worker-lre-java:local \
-    -- \
-    --dest-tls-verify=false
+EVENTLISTENER=$(kubectl get gtw eventlistener -o=jsonpath='{.status.addresses[0].value}')
+
+curl -v \
+    -H 'content-Type: application/json' \
+    -d '{
+        "flakeOutput": "./src_root#image",
+        "imageTagOverride": "local"
+    }' \
+    http://${EVENTLISTENER}:8080
+
+curl -v \
+    -H 'content-Type: application/json' \
+    -d '{
+        "flakeOutput": "./src_root#nativelink-worker-lre-cc",
+        "imageTagOverride": "local"
+    }' \
+    http://${EVENTLISTENER}:8080
+
+curl -v \
+    -H 'content-Type: application/json' \
+    -d '{
+        "flakeOutput": "./src_root#nativelink-worker-lre-java",
+        "imageTagOverride": "local"
+    }' \
+    http://${EVENTLISTENER}:8080
+
+# Wait for the pipelines to finish.
+kubectl wait \
+    --for=condition=Succeeded \
+    --timeout=30m \
+    pipelinerun \
+        -l tekton.dev/pipeline=rebuild-nativelink

deployment-examples/kubernetes/00_infra.sh

@@ -9,16 +9,25 @@ In this example we're using `kind` to set up the cluster `cilium` to provide a
 First set up a local development cluster:
 
 ```bash
-./00_infra.sh
+native up
 ```
 
+> [!TIP]
+> The `native up` command uses Pulumi under the hood. You can view and delete
+> the stack with `pulumi stack` and `pulumi destroy`.
+
 Next start a few standard deployments. This part also builds the remote
 execution containers and makes them available to the cluster:
 
 ```bash
 ./01_operations.sh
 ```
 
+> [!TIP]
+> The operations invoke cluster-internal Tekton Pipelines to build and push the
+> `nativelink` and worker images. You can view the state of the pipelines with
+> `tkn pr ls` and `tkn pr logs`/`tkn pr logs --follow`.
+
 Finally, deploy NativeLink:
 
 ```bash