feat: add prebuilds configuration & bootstrapping (#17527)

Closes https://github.com/coder/internal/issues/508

---------

Signed-off-by: Danny Kopping <dannykopping@gmail.com>
Co-authored-by: Cian Johnston <cian@coder.com>

enterprise/coderd/coderd.go

@@ -12,12 +12,15 @@ import (
 	"sync"
 	"time"
 
+	"github.com/coder/quartz"
+
 	"github.com/coder/coder/v2/buildinfo"
 	"github.com/coder/coder/v2/coderd/appearance"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/entitlements"
 	"github.com/coder/coder/v2/coderd/idpsync"
 	agplportsharing "github.com/coder/coder/v2/coderd/portsharing"
+	agplprebuilds "github.com/coder/coder/v2/coderd/prebuilds"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/enterprise/coderd/enidpsync"
 	"github.com/coder/coder/v2/enterprise/coderd/portsharing"
@@ -43,6 +46,7 @@ import (
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/enterprise/coderd/dbauthz"
 	"github.com/coder/coder/v2/enterprise/coderd/license"
+	"github.com/coder/coder/v2/enterprise/coderd/prebuilds"
 	"github.com/coder/coder/v2/enterprise/coderd/proxyhealth"
 	"github.com/coder/coder/v2/enterprise/coderd/schedule"
 	"github.com/coder/coder/v2/enterprise/dbcrypt"
@@ -658,6 +662,7 @@ func (api *API) Close() error {
 	if api.Options.CheckInactiveUsersCancelFunc != nil {
 		api.Options.CheckInactiveUsersCancelFunc()
 	}
+
 	return api.AGPL.Close()
 }
 
@@ -860,6 +865,20 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 			api.AGPL.PortSharer.Store(&ps)
 		}
 
+		if initial, changed, enabled := featureChanged(codersdk.FeatureWorkspacePrebuilds); shouldUpdate(initial, changed, enabled) {
+			reconciler, claimer := api.setupPrebuilds(enabled)
+			if current := api.AGPL.PrebuildsReconciler.Load(); current != nil {
+				stopCtx, giveUp := context.WithTimeoutCause(context.Background(), time.Second*30, xerrors.New("gave up waiting for reconciler to stop"))
+				defer giveUp()
+				(*current).Stop(stopCtx, xerrors.New("entitlements change"))
+			}
+
+			api.AGPL.PrebuildsReconciler.Store(&reconciler)
+			go reconciler.Run(context.Background())
+
+			api.AGPL.PrebuildsClaimer.Store(&claimer)
+		}
+
 		// External token encryption is soft-enforced
 		featureExternalTokenEncryption := reloadedEntitlements.Features[codersdk.FeatureExternalTokenEncryption]
 		featureExternalTokenEncryption.Enabled = len(api.ExternalTokenEncryption) > 0
@@ -1128,3 +1147,24 @@ func (api *API) runEntitlementsLoop(ctx context.Context) {
 func (api *API) Authorize(r *http.Request, action policy.Action, object rbac.Objecter) bool {
 	return api.AGPL.HTTPAuth.Authorize(r, action, object)
 }
+
+// nolint:revive // featureEnabled is a legit control flag.
+func (api *API) setupPrebuilds(featureEnabled bool) (agplprebuilds.ReconciliationOrchestrator, agplprebuilds.Claimer) {
+	experimentEnabled := api.AGPL.Experiments.Enabled(codersdk.ExperimentWorkspacePrebuilds)
+	if !experimentEnabled || !featureEnabled {
+		levelFn := api.Logger.Debug
+		// If the experiment is enabled but the license does not entitle the feature, operators should be warned.
+		if !featureEnabled {
+			levelFn = api.Logger.Warn
+		}
+
+		levelFn(context.Background(), "prebuilds not enabled; ensure you have a premium license and the 'workspace-prebuilds' experiment set",
+			slog.F("experiment_enabled", experimentEnabled), slog.F("feature_enabled", featureEnabled))
+
+		return agplprebuilds.DefaultReconciler, agplprebuilds.DefaultClaimer
+	}
+
+	reconciler := prebuilds.NewStoreReconciler(api.Database, api.Pubsub, api.DeploymentValues.Prebuilds,
+		api.Logger.Named("prebuilds"), quartz.NewReal())
+	return reconciler, prebuilds.EnterpriseClaimer{}
+}