release cost-allocation

.github/workflows/build-push.yml

@@ -41,63 +41,119 @@ jobs:
             subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
 
     steps:
-      - uses: actions/checkout@v4
-        if: matrix.target.ref == github.ref
-
-      - uses: azure/login@v1
-        if: matrix.target.ref == github.ref
-        with:
-          client-id: ${{matrix.target.client-id}}
-          tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
-          subscription-id: ${{matrix.target.subscription-id}}
-
-      - name: Get GitHub Public IP
-        if: matrix.target.ref == github.ref
-        id: github_public_ip
-        run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
-
-      - name: Add GitHub IP to ACR
-        if: matrix.target.ref == github.ref
-        id: update_firewall
-        run: az acr network-rule add
-          --name ${{matrix.target.acr-name}}
-          --subscription ${{matrix.target.subscription-id}}
-          --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
-
-      - name: Generate image tag
-        if: matrix.target.ref == github.ref
-        id: tag
-        run: |
-          sha=${GITHUB_SHA::8}
-          ts=$(date +%s)
-          echo "tag=${GITHUB_REF_NAME}-${sha}-${ts}" >> $GITHUB_OUTPUT
-
-      - name: Build image
-        if: matrix.target.ref == github.ref
-        env:
-          AZURE_SUBSCRIPTION_ID: ${{matrix.target.subscription-id}}
-          ACR_NAME: ${{matrix.target.acr-name}}
-          IMAGE_NAME: radix-cost-allocation
-          TAG: ${{steps.tag.outputs.tag}}
-        run: |
-          az acr task run \
-             --subscription ${AZURE_SUBSCRIPTION_ID} \
-             --name radix-image-builder-internal \
-             --registry ${ACR_NAME} \
-             --context ${GITHUB_WORKSPACE} \
-             --file ${GITHUB_WORKSPACE}/Dockerfile \
-             --set DOCKER_REGISTRY=${ACR_NAME} \
-             --set BRANCH=${GITHUB_REF_NAME} \
-             --set TAGS="--tag ${ACR_NAME}.azurecr.io/${IMAGE_NAME}:${TAG}" \
-             --set DOCKER_FILE_NAME=Dockerfile \
-             --set PUSH="--push" \
-             --set REPOSITORY_NAME=${IMAGE_NAME} \
-             --set CACHE="" \
-             --set CACHE_TO_OPTIONS="--cache-to=type=registry,ref=${ACR_NAME}.azurecr.io/${IMAGE_NAME}:radix-cache-${GITHUB_REF_NAME},mode=max"
-
-      - name: Revoke GitHub IP on ACR
-        if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
-        run: az acr network-rule remove
-          --name ${{matrix.target.acr-name}}
-          --subscription ${{matrix.target.subscription-id}}
-          --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
+    - uses: actions/checkout@v4
+      if: matrix.target.ref == github.ref
+
+    - uses: azure/login@v2
+      if: matrix.target.ref == github.ref
+      with:
+        client-id: ${{matrix.target.client-id}}
+        tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+        subscription-id: ${{matrix.target.subscription-id}}
+
+    - name: Get GitHub Public IP
+      if: matrix.target.ref == github.ref
+      id: github_public_ip
+      run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
+
+    - name: Add GitHub IP to ACR
+      if: matrix.target.ref == github.ref
+      id: update_firewall
+      run: az acr network-rule add
+        --name ${{matrix.target.acr-name}}
+        --subscription ${{matrix.target.subscription-id}}
+        --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
+
+    - name: Wait for 2 minutes while the network rule to take effect
+      if: matrix.target.ref == github.ref
+      run: |
+        sleep 120
+
+    - name: Wait for Specific IP in ACR Network Rules
+      if: matrix.target.ref == github.ref
+      run: |
+        MAX_ATTEMPTS=10
+        ATTEMPT=0
+        TARGET_IP="${{ steps.github_public_ip.outputs.ipv4 }}"
+        echo "Waiting for IP $TARGET_IP to be allowed in ACR network rules..."
+        while [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do
+          NETWORK_RULES=$(az acr network-rule list --name ${{matrix.target.acr-name}} --subscription ${{ matrix.target.subscription-id }}   --query "ipRules[]|[?contains(ipAddressOrRange, '$TARGET_IP')]"  --output tsv)
+          if [ -n "$NETWORK_RULES" ]; then
+            echo "IP $TARGET_IP is allowed."
+            break
+          fi
+          echo "Attempt $((ATTEMPT+1)) of $MAX_ATTEMPTS. Retrying in 10 seconds..."
+          ATTEMPT=$((ATTEMPT+1))
+          sleep 10
+        done
+        if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then
+          echo "IP $TARGET_IP was not allowed after $MAX_ATTEMPTS attempts. Exiting."
+          exit 1
+        fi
+
+    - name: Get ACR Login Server
+      if: matrix.target.ref == github.ref
+      id: get-acr-login-server
+      run: |
+        echo "login_server=$(az acr show --name ${{ matrix.target.acr-name }} --query loginServer --output tsv)" >> $GITHUB_OUTPUT
+
+    - name: Get ACR Access Token
+      if: matrix.target.ref == github.ref
+      id: get-acr-token
+      run: |
+        echo "Getting ACR access token"
+        access_token=$(az acr login --name ${{ matrix.target.acr-name }} --expose-token --output tsv --query accessToken)
+        echo "::add-mask::$access_token"
+        echo "access_token=$access_token" >> $GITHUB_OUTPUT
+
+    - name: Log in to ACR
+      if: matrix.target.ref == github.ref
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ steps.get-acr-login-server.outputs.login_server }}
+        username: "00000000-0000-0000-0000-000000000000"
+        password: ${{ steps.get-acr-token.outputs.access_token }}
+
+    - name: Set up Docker Buildx
+      if: matrix.target.ref == github.ref
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build an image name
+      if: matrix.target.ref == github.ref
+      id: build-image-name
+      run: |
+        echo "image-name=${{ matrix.target.acr-name }}.azurecr.io/radix-cost-allocation" >> $GITHUB_OUTPUT
+
+    - name: Build an image tag
+      if: matrix.target.ref == github.ref
+      id: build-tag
+      run: |
+        sha=${GITHUB_SHA::8}
+        ts=$(date +%s)
+        echo "tag=${GITHUB_REF_NAME}-${sha}-${ts}" >> $GITHUB_OUTPUT
+
+    - name: Extract labels from metadata for Docker
+      if: matrix.target.ref == github.ref
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ steps.build-image-name.outputs.image-name }}
+
+    - name: Build and push Docker image
+      if: matrix.target.ref == github.ref
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: true
+        platforms: |
+          linux/amd64
+          linux/arm64
+        tags: "${{ steps.build-image-name.outputs.image-name }}:${{ steps.build-tag.outputs.tag }}"
+        labels: ${{ steps.meta.outputs.labels }}
+
+    - name: Revoke GitHub IP on ACR
+      if: ${{ matrix.target.ref == github.ref && steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
+      run: az acr network-rule remove
+        --name ${{matrix.target.acr-name}}
+        --subscription ${{matrix.target.subscription-id}}
+        --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}

.github/workflows/deploy-database.yml

@@ -49,38 +49,38 @@ jobs:
       - uses: actions/checkout@v4
         if: matrix.target.ref == github.ref
 
-      - uses: azure/login@v1
+      - uses: azure/login@v2
         if: matrix.target.ref == github.ref
         with:
           client-id: ${{matrix.target.client-id}}
           tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
           allow-no-subscriptions: true
 
-      - uses: azure/sql-action@v2.2.1
+      - uses: azure/sql-action@v2.3
         if: matrix.target.ref == github.ref
         with:
           connection-string: ${{env.connection}}
           path: './azure-infrastructure/preDeployScript.sql'
 
-      - uses: azure/sql-action@v2.2.1
+      - uses: azure/sql-action@v2.3
         if: matrix.target.ref == github.ref
         with:
           connection-string: ${{env.connection}}
           path: './azure-infrastructure/createSchema.sql'
 
-      - uses: azure/sql-action@v2.2.1
+      - uses: azure/sql-action@v2.3
         if: matrix.target.ref == github.ref
         with:
           connection-string: ${{env.connection}}
           path: './azure-infrastructure/createTables.sql'
 
-      - uses: azure/sql-action@v2.2.1
+      - uses: azure/sql-action@v2.3
         if: matrix.target.ref == github.ref
         with:
           connection-string: ${{env.connection}}
           path: './azure-infrastructure/createTypes.sql'
 
-      - uses: azure/sql-action@v2.2.1
+      - uses: azure/sql-action@v2.3
         if: matrix.target.ref == github.ref
         with:
           connection-string: ${{env.connection}}

.github/workflows/pr.yml

@@ -8,20 +8,27 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - name: Build docker image
-      env:
-        REF: ${{ github. sha }}
-      run: docker build -t radix-cost-allocatation:${REF##*/} .
+      - uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: false
+          platforms: |
+            linux/amd64
+            linux/arm64
+
 
   test:
     name: Unit Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
-          go-version: '1.21'
+          go-version-file: 'go.mod'
       - name: Install dependencies
         run: go mod download
       - name: Run Tests
@@ -36,8 +43,8 @@ jobs:
           fetch-depth: 2
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.21'
+          go-version-file: 'go.mod'
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.55.2
+          version: v1.58.2

Dockerfile

@@ -1,10 +1,9 @@
-FROM golang:1.21-alpine3.18 as builder
+FROM docker.io/golang:1.22-alpine3.20 AS builder
 
-RUN apk update && \
-    apk add ca-certificates curl git && \
-    apk add --no-cache gcc musl-dev
+ENV CGO_ENABLED=0 \
+    GOOS=linux
 
-WORKDIR /go/src/github.com/equinor/radix-cost-allocation/
+WORKDIR /src
 
 # Install project dependencies
 COPY go.mod go.sum ./
@@ -13,16 +12,11 @@ RUN go mod download
 # Copy project code
 COPY . .
 
-# Build
-RUN CGO_ENABLED=0 GOOS=linux go build -ldflags "-s -w" -a -installsuffix cgo -o ./rootfs/radix-cost-allocation
-RUN addgroup -S -g 1000 radix-cost-allocation
-RUN adduser -S -u 1000 -G radix-cost-allocation radix-cost-allocation
+RUN go build -ldflags="-s -w" -o /build/radix-cost-allocation
 
-# Run operator
-FROM scratch
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=builder /etc/passwd /etc/passwd
-COPY --from=builder /go/src/github.com/equinor/radix-cost-allocation/rootfs/radix-cost-allocation /usr/local/bin/radix-cost-allocation
+# Final stage, ref https://github.com/GoogleContainerTools/distroless/blob/main/base/README.md for distroless
+FROM gcr.io/distroless/static
+WORKDIR /app
+COPY --from=builder /build/radix-cost-allocation .
 USER 1000
-
-ENTRYPOINT ["/usr/local/bin/radix-cost-allocation"]
+ENTRYPOINT ["/app/radix-cost-allocation"]

Makefile

@@ -29,7 +29,6 @@ mocks: bootstrap
 	mockgen -source ./pkg/listers/nodebulkdto.go -destination ./pkg/listers/mock/nodebulkdto.go -package mock
 
 
-
 HAS_GOLANGCI_LINT := $(shell command -v golangci-lint;)
 HAS_MOCKGEN       := $(shell command -v mockgen;)
 

charts/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: radix-cost-allocation
 description: Pull cost data from containers and push to sql server
 kubeVersion: ">=1.24.0"
-appVersion: 1.1.0
-version: 1.2.0
+appVersion: 1.1.1
+version: 1.2.1
 sources:
   - https://github.com/equinor/radix-cost-allocation
 maintainers: