Add Prow CI scripts and configuration

Add CI scripts for OFCIR SSH-from-Pod pattern:
- prow_setup.sh: machine setup (install deps, validate env)
- prow_e2e.sh: E2E deployment (connected/disconnected)
- prow_infra_verify.sh: infrastructure verification
- prow_disconnected_dry_run.sh: mirror config validation
- prow_cleanup.sh: periodic infrastructure cleanup

Add OWNERS file for Prow review workflow.
Add migration and OFCIR setup documentation.

Author: eliorerz

Makefile.ci

@@ -22,6 +22,7 @@ include Makefile
 .PHONY: validate validate-shell validate-yaml validate-json-schema validate-ansible \
         validate-tags validate-templates validate-mirror validate-makefile validate-plugins \
         build-ci-image push-ci-image test-ci-image build-push-ci-image \
+        build-tarball build-push-tarball \
         deploy-cluster-pre-install-validate \
         environment provision-landing-zone verify-landing-zone \
         install-enclave verify-enclave-installation \
@@ -241,6 +242,16 @@ validate-makefile:
 validate-plugins:
 	@./scripts/verification/validate.sh plugins
 
+# --- Tarball targets ---
+
+# Build distribution tarball (used by ci-operator container test)
+build-tarball:
+	@./scripts/ci/build_tarball.sh build
+
+# Build and push tarball to Quay (postsubmit)
+build-push-tarball:
+	@./scripts/ci/build_tarball.sh build-push
+
 # --- CI Image targets ---
 
 build-ci-image:

OWNERS

@@ -0,0 +1,20 @@
+approvers:
+- agonzalezrh
+- carbonin
+- danielerez
+- eliorerz
+- eurijon
+- javipolo
+- maorfr
+- mlorenzofr
+- rporres
+reviewers:
+- agonzalezrh
+- carbonin
+- danielerez
+- eliorerz
+- eurijon
+- javipolo
+- maorfr
+- mlorenzofr
+- rporres

scripts/ci/build_tarball.sh

@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+# Build and optionally push the enclave distribution tarball.
+#
+# Usage:
+#   scripts/ci/build_tarball.sh build          # Build and validate only
+#   scripts/ci/build_tarball.sh build-push     # Build, validate, and push to Quay
+
+set -euo pipefail
+
+ACTION="${1:-build}"
+
+TAG="${TARBALL_TAG:-$(git rev-parse --short HEAD 2>/dev/null || echo dev)}"
+TARBALL="enclave.tar.gz"
+MAX_SIZE=1073741824  # 1GB
+
+# --- Build ---
+
+echo "Building distribution tarball..."
+echo -n "$TAG" > .version
+
+tar --exclude='.git' --exclude='.gitignore' --exclude='.github' --exclude='scripts' \
+    --exclude='Makefile.ci' \
+    -czvf "/tmp/$TARBALL" .
+mv "/tmp/$TARBALL" .
+
+echo ""
+echo "Validating tarball..."
+
+# Check size
+SIZE=$(stat -c%s "$TARBALL")
+echo "Tarball size: $(numfmt --to=iec-i --suffix=B "$SIZE")"
+if [ "$SIZE" -gt "$MAX_SIZE" ]; then
+    echo "Error: Tarball exceeds 1GB"
+    exit 1
+fi
+
+# Extract file list
+tar -tzf "$TARBALL" > /tmp/tarball-contents.txt
+
+# Check required files
+REQUIRED_FILES=(".version" "Makefile")
+for file in "${REQUIRED_FILES[@]}"; do
+    if ! grep -q "^\./${file}$" /tmp/tarball-contents.txt; then
+        echo "Error: Required file '${file}' not found in tarball"
+        head -20 /tmp/tarball-contents.txt
+        exit 1
+    fi
+    echo "  Found ${file}"
+done
+
+# Check required directories (only if they exist in source)
+REQUIRED_DIRS=("playbooks" "operators" "configs")
+for dir in "${REQUIRED_DIRS[@]}"; do
+    if [ -d "$dir" ]; then
+        if ! grep -q "^\./${dir}/" /tmp/tarball-contents.txt; then
+            echo "Error: Required directory '${dir}/' not found in tarball"
+            head -20 /tmp/tarball-contents.txt
+            exit 1
+        fi
+        echo "  Found ${dir}/"
+    fi
+done
+
+# Check excluded paths are absent
+EXCLUDED_PATHS=(".git/" ".github/" "Makefile.ci")
+for path in "${EXCLUDED_PATHS[@]}"; do
+    if grep -q "^\./${path}" /tmp/tarball-contents.txt; then
+        echo "Error: Excluded path '${path}' found in tarball"
+        exit 1
+    fi
+    echo "  ${path} correctly excluded"
+done
+
+# Validate file counts for critical directories
+echo "Validating file counts..."
+for dir in "${REQUIRED_DIRS[@]}"; do
+    if [ -d "$dir" ]; then
+        SOURCE_COUNT=$(find "$dir" -type f | wc -l)
+        TARBALL_COUNT=$(grep "^\./${dir}/" /tmp/tarball-contents.txt | grep -v '/$' | wc -l)
+        echo "  ${dir}/: source=${SOURCE_COUNT}, tarball=${TARBALL_COUNT}"
+        if [ "$SOURCE_COUNT" -ne "$TARBALL_COUNT" ]; then
+            echo "Error: File count mismatch in ${dir}/"
+            echo "  Expected: ${SOURCE_COUNT} files"
+            echo "  Found in tarball: ${TARBALL_COUNT} files"
+            exit 1
+        fi
+    fi
+done
+
+echo "Tarball validation passed"
+rm -f .version
+
+# --- Push (optional) ---
+
+if [ "$ACTION" = "build-push" ]; then
+    if [ -z "${QUAY_USER:-}" ] || [ -z "${QUAY_TOKEN:-}" ]; then
+        echo "Error: QUAY_USER and QUAY_TOKEN must be set"
+        exit 1
+    fi
+
+    echo "$QUAY_TOKEN" | podman login quay.io -u "$QUAY_USER" --password-stdin
+
+    echo "Pushing tarball with tag: $TAG"
+    oras push "quay.io/edge-infrastructure/enclave:${TAG}" \
+        "${TARBALL}:application/vnd.oci.image.layer.v1.tar+gzip"
+
+    rm -f "$TARBALL"
+    echo "Tarball pushed successfully"
+elif [ "$ACTION" = "build" ]; then
+    echo "Tarball built: $TARBALL"
+else
+    echo "Unknown action: $ACTION"
+    echo "Usage: $0 build|build-push"
+    exit 1
+fi