release cluster cleanup

.github/workflows/build-push.yml

@@ -1,50 +1,159 @@
-name: radix-cluster-cleanup-build
+name: Build & push
 on:
   push:
     branches:
-      - master
-      - release
+    - master
+    - release
+  workflow_dispatch:
 permissions:
   id-token: write
+  contents: read
+
 jobs:
-  get-target-configs:
-    name: Get target configs for branch
-    outputs:
-      target_configs: ${{ steps.get-target-configs.outputs.target_configs }}
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v4
-      - name: Get target configs
-        id: get-target-configs
-        run: |
-          configs=$(ls $GITHUB_WORKSPACE/.github/workflows/config/${GITHUB_REF_NAME} | jq -Rsc '. / "\n" - [""]')
-          echo ::set-output name=target_configs::${configs}
-
-  build-push-acr:
-    name: Build & push
+  build-deploy:
     runs-on: ubuntu-20.04
-    needs:
-      - get-target-configs
     strategy:
       fail-fast: false
-      matrix: 
-        config: ${{ fromJson(needs.get-target-configs.outputs.target_configs) }}
+      matrix:
+        target:
+        - name: "dev"
+          ref: "refs/heads/master"
+          acr-name: "radixdev"
+          client-id: "2bfe6984-f5e3-4d09-a0b2-4dd96de3f21e"
+          subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
+
+        - name: "playground"
+          ref: "refs/heads/release"
+          acr-name: "radixplayground"
+          client-id: "7c000a42-1edb-4491-a241-4ac77bf7dd6d"
+          subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
+
+        - name: "platform"
+          ref: "refs/heads/release"
+          acr-name: "radixprod"
+          client-id: "4ac3be6d-c4df-46be-ba6c-55d490a024f5"
+          subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
+
+        - name: "c2"
+          ref: "refs/heads/release"
+          acr-name: "radixc2prod"
+          client-id: "4ac3be6d-c4df-46be-ba6c-55d490a024f5"
+          subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
+
     steps:
     - uses: actions/checkout@v4
-    - name: Persist environment from ${{ matrix.config }} across steps
+      if: matrix.target.ref == github.ref
+
+    - uses: azure/login@v2
+      if: matrix.target.ref == github.ref
+      with:
+        client-id: ${{matrix.target.client-id}}
+        tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+        subscription-id: ${{matrix.target.subscription-id}}
+
+    - name: Get GitHub Public IP
+      if: matrix.target.ref == github.ref
+      id: github_public_ip
+      run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
+
+    - name: Add GitHub IP to ACR
+      if: matrix.target.ref == github.ref
+      id: update_firewall
+      run: az acr network-rule add
+        --name ${{matrix.target.acr-name}}
+        --subscription ${{matrix.target.subscription-id}}
+        --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
+
+    - name: Wait for 2 minutes while the network rule to take effect
+      if: matrix.target.ref == github.ref
+      run: |
+        sleep 120
+
+    - name: Wait for Specific IP in ACR Network Rules
+      if: matrix.target.ref == github.ref
       run: |
-        env_vars_from_cfg=`env -i GITHUB_WORKSPACE=$GITHUB_WORKSPACE /bin/bash -c "set -a && source $GITHUB_WORKSPACE/.github/workflows/config/${GITHUB_REF_NAME}/${{ matrix.config }} && printenv"`
-        for env_var in $env_vars_from_cfg
-        do
-          echo $env_var >> $GITHUB_ENV
+        MAX_ATTEMPTS=10
+        ATTEMPT=0
+        TARGET_IP="${{ steps.github_public_ip.outputs.ipv4 }}"
+        echo "Waiting for IP $TARGET_IP to be allowed in ACR network rules..."
+        while [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do
+          NETWORK_RULES=$(az acr network-rule list --name ${{matrix.target.acr-name}} --subscription ${{ matrix.target.subscription-id }}   --query "ipRules[]|[?contains(ipAddressOrRange, '$TARGET_IP')]"  --output tsv)
+          if [ -n "$NETWORK_RULES" ]; then
+            echo "IP $TARGET_IP is allowed."
+            break
+          fi
+          echo "Attempt $((ATTEMPT+1)) of $MAX_ATTEMPTS. Retrying in 10 seconds..."
+          ATTEMPT=$((ATTEMPT+1))
+          sleep 10
         done
+        if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then
+          echo "IP $TARGET_IP was not allowed after $MAX_ATTEMPTS attempts. Exiting."
+          exit 1
+        fi
 
-    - uses: azure/login@v1
+    - name: Get ACR Login Server
+      if: matrix.target.ref == github.ref
+      id: get-acr-login-server
+      run: |
+        echo "login_server=$(az acr show --name ${{ matrix.target.acr-name }} --query loginServer --output tsv)" >> $GITHUB_OUTPUT
+
+    - name: Get ACR Access Token
+      if: matrix.target.ref == github.ref
+      id: get-acr-token
+      run: |
+        echo "Getting ACR access token"
+        access_token=$(az acr login --name ${{ matrix.target.acr-name }} --expose-token --output tsv --query accessToken)
+        echo "::add-mask::$access_token"
+        echo "access_token=$access_token" >> $GITHUB_OUTPUT
+
+    - name: Log in to ACR
+      if: matrix.target.ref == github.ref
+      uses: docker/login-action@v3
       with:
-        client-id: ${{ env.AZURE_CLIENT_ID }}
-        tenant-id: ${{ env.AZURE_TENANT_ID }}
-        subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
-
-    - name: Build image
+        registry: ${{ steps.get-acr-login-server.outputs.login_server }}
+        username: "00000000-0000-0000-0000-000000000000"
+        password: ${{ steps.get-acr-token.outputs.access_token }}
+
+    - name: Set up Docker Buildx
+      if: matrix.target.ref == github.ref
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build an image name
+      if: matrix.target.ref == github.ref
+      id: build-image-name
       run: |
-        $GITHUB_WORKSPACE/.github/workflows/scripts/build-push.sh
+        echo "image-name=${{ matrix.target.acr-name }}.azurecr.io/radix-cluster-cleanup" >> $GITHUB_OUTPUT
+
+    - name: Build an image tag
+      if: matrix.target.ref == github.ref
+      id: build-tag
+      run: |
+        sha=${GITHUB_SHA::8}
+        ts=$(date +%s)
+        echo "tag=${GITHUB_REF_NAME}-${sha}-${ts}" >> $GITHUB_OUTPUT
+
+    - name: Extract labels from metadata for Docker
+      if: matrix.target.ref == github.ref
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ steps.build-image-name.outputs.image-name }}
+
+    - name: Build and push Docker image
+      if: matrix.target.ref == github.ref
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: true
+        platforms: |
+          linux/amd64
+          linux/arm64
+        tags: "${{ steps.build-image-name.outputs.image-name }}:${{ steps.build-tag.outputs.tag }}"
+        labels: ${{ steps.meta.outputs.labels }}
+
+    - name: Revoke GitHub IP on ACR
+      if: ${{ matrix.target.ref == github.ref && steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
+      run: az acr network-rule remove
+        --name ${{matrix.target.acr-name}}
+        --subscription ${{matrix.target.subscription-id}}
+        --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}

.github/workflows/pr.yml

@@ -0,0 +1,54 @@
+name: radix-cluster-cleanup-pr
+on:
+  pull_request:
+    branches:
+    - master
+jobs:
+  build:
+    name: pull-request-check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: false
+          platforms: |
+            linux/amd64
+            linux/arm64
+
+  test:
+    name: Unit Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: './radix-cluster-cleanup/go.mod'
+      - name: Install dependencies
+        run: |
+          cd ./radix-cluster-cleanup
+          go mod download
+      - name: Run Tests
+        run: |
+          cd ./radix-cluster-cleanup
+          go test -cover `go list ./...`
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: './radix-cluster-cleanup/go.mod'
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: v1.58.2
+          working-directory: './radix-cluster-cleanup'

Dockerfile

@@ -1,30 +1,27 @@
-FROM golang:1.21-alpine3.19 as builder
+FROM docker.io/golang:1.22.5-alpine3.20 AS builder
 
-ENV GO111MODULE=on
+ENV CGO_ENABLED=0 \
+    GOOS=linux
 
-RUN apk update && \
-    apk add ca-certificates  && \
-    apk add --no-cache gcc musl-dev
-
-WORKDIR /go/src/github.com/equinor/radix-cluster-cleanup
+WORKDIR /src
 
 # Install project dependencies
-COPY radix-cluster-cleanup/go.mod radix-cluster-cleanup/go.sum ./
+COPY ./radix-cluster-cleanup/go.mod ./radix-cluster-cleanup/go.sum ./
 RUN go mod download
 
+# Copy and build project code
 COPY ./radix-cluster-cleanup .
-
-# build
-RUN CGO_ENABLED=0 GOOS=linux go build -ldflags "-s -w" -a -installsuffix cgo -o /usr/local/bin/radix-cluster-cleanup
-
-RUN addgroup -S -g 1000 radix-cluster-cleanup
-RUN adduser -S -u 1000 -G radix-cluster-cleanup radix-cluster-cleanup
-
-# Run operator
-FROM alpine:3
-COPY run_cluster_cleanup.sh /run_cluster_cleanup.sh
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=builder /etc/passwd /etc/passwd
-COPY --from=builder /usr/local/bin/radix-cluster-cleanup /radix-cluster-cleanup
-USER radix-cluster-cleanup
-ENTRYPOINT ["/run_cluster_cleanup.sh"]
+RUN go build -ldflags="-s -w" -o /build/radix-cluster-cleanup
+
+COPY ./run_cluster_cleanup.sh .
+
+#Get busybox shell for distroless
+FROM gcr.io/distroless/base:debug AS debug
+# Final stage, ref https://github.com/GoogleContainerTools/distroless/blob/main/base/README.md for distroless
+FROM gcr.io/distroless/static
+WORKDIR /app
+COPY --from=builder /build/radix-cluster-cleanup .
+COPY --from=builder /src/run_cluster_cleanup.sh .
+COPY --from=debug /busybox/sh /bin
+USER 1000
+ENTRYPOINT ["/app/run_cluster_cleanup.sh"]

Dockerfile.goreleaser

@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM alpine3.20
 RUN apk update && apk add ca-certificates && apk add bash && rm -rf /var/cache/apk/*
 
 RUN addgroup -S -g 1000 radix && adduser -S -u 1000 -G radix radix

Makefile

@@ -8,5 +8,5 @@ HAS_GOLANGCI_LINT := $(shell command -v golangci-lint;)
 
 bootstrap:
 ifndef HAS_GOLANGCI_LINT
-	go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.55.2
+	go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.59.1
 endif

charts/radix-cluster-cleanup/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.0.11
+appVersion: 1.0.13
 description: A Helm chart for Kubernetes
 name: radix-cluster-cleanup
-version: 1.0.12
+version: 1.0.14