feature: Go backend

.bumpversion.cfg

@@ -1,7 +1,7 @@
 [bumpversion]
 commit = True
 tag = True
-current_version = 1.0.3
+current_version = 2.0.0-alpha1
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\-rc(?P<rc>\d+))?
 serialize = 
 	{major}.{minor}.{patch}-rc{rc}
@@ -11,7 +11,7 @@ serialize =
 
 [bumpversion:file:kustomization.yaml]
 
-[bumpversion:file:app/web-client/src/components/Footer/Component.tsx]
+[bumpversion:file:web-client/src/components/Footer/Component.tsx]
 
 [bumpversion:file:chart/Chart.yaml]
 

.dockerignore

@@ -1,6 +1,11 @@
-app/__pycache__
 .git
+.github
 .vscode
-env
-screenshots
+chart
+docs
 manifests
+screenshots
+static-content
+tests
+web-client/build
+web-client/node_modules

.drone.yml

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 SIGHUP s.r.l All rights reserved.
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 
@@ -8,10 +8,10 @@ type: docker
 
 steps:
   - name: check
-    image: docker.io/library/golang:1.17.3
+    image: docker.io/library/golang:1.20
     pull: always
     commands:
-      - go get -u github.com/google/addlicense
+      - go install github.com/google/addlicense@v1.1.1
       - addlicense -c "SIGHUP s.r.l" -v -l bsd -check -ignore 'chart/**' .
 trigger:
   ref:
@@ -31,12 +31,15 @@ steps:
     image: quay.io/sighup/policeman
     pull: always
     environment:
-      FILTER_REGEX_EXCLUDE: (app/static-content/semantic.min.css|chart/|tests/e2e/)
+      FILTER_REGEX_EXCLUDE: (chart/|tests/e2e/)
       # Identifies false positives like missing 'selector'.
       # Doing this is valid for Kustomize patches
       VALIDATE_KUBERNETES_KUBEVAL: "false"
       # Some duplicated code is intended.
       VALIDATE_JSCPD: "false"
+      # The included version of golang-ci at the time os this writing has issues
+      # with Go +1.18
+      VALIDATE_GO: "false"
       TYPESCRIPT_DEFAULT_STYLE: "prettier"
     depends_on:
       - clone
@@ -48,6 +51,7 @@ steps:
       - clone
     commands:
       - kustomize build . > gpm.yml
+      - helm template --set config.secretKey=e2e chart > rendered_chart.yaml
 
   - name: check-deprecated-apis
     image: us-docker.pkg.dev/fairwinds-ops/oss/pluto:v5
@@ -56,7 +60,8 @@ steps:
       - render
     commands:
       # we use --ignore-deprecations because we don't want the CI to fail when the API has not been removed yet.
-      - /pluto detect gpm.yml --ignore-deprecations --target-versions=k8s=v1.25.0
+      - /pluto detect gpm.yaml --ignore-deprecations --target-versions=k8s=v1.33.0
+      - /pluto detect rendered_chart.yaml --ignore-deprecations --target-versions=k8s=v1.33.0
 
 trigger:
   ref:
@@ -94,12 +99,10 @@ steps:
       - name: dockersock
         path: /var/run/docker.sock
     commands:
-      - docker build
-        --pull=true
-        --rm=true
-        -f $${DOCKERFILE}
-        -t $${CONTAINER_IMAGE_NAME}:$${CONTAINER_IMAGE_TAG}
-        $${BUILD_CONTEXT}
+      - "apk add git"
+      - "docker buildx create --name sighup-builder --use"
+      - "docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 --pull -f $${DOCKERFILE} -t $${CONTAINER_IMAGE_NAME}:$${CONTAINER_IMAGE_TAG} $${BUILD_CONTEXT}"
+      - "docker buildx build --load --platform linux/amd64 -t $${CONTAINER_IMAGE_NAME}:$${CONTAINER_IMAGE_TAG} $${BUILD_CONTEXT}"
 
 volumes:
   - name: dockerconfig
@@ -124,6 +127,7 @@ trigger:
       - refs/heads/main
       - refs/heads/snyk-**
       - refs/heads/dependabot/**
+      - refs/heads/feature/go-backend
     exclude:
       - refs/tags/gatekeeper-policy-manager-*
 
@@ -182,6 +186,8 @@ steps:
     image: mcr.microsoft.com/playwright:v1.30.0-focal
     commands:
       - for f in tests/e2e/test-results/*/*diff.png; do echo $f; base64 -w 0 $f; echo; done;
+      # - for f in tests/e2e/test-results/*/*expected.png; do echo $f; base64 -w 0 $f; echo; done;
+      # - for f in tests/e2e/test-results/*/*actual.png; do echo $f; base64 -w 0 $f; echo; done;
       - "echo 'Use base64 to decode the images and see the diff'"
     when:
       status:
@@ -235,6 +241,7 @@ trigger:
       - refs/heads/dependabot/**
       - refs/heads/snyk-**
       - refs/tags/gatekeeper-policy-manager-*
+      - refs/heads/featuer/go-backend
 
 steps:
   - name: prepare-tar-gz
@@ -259,7 +266,7 @@ steps:
         include:
           - refs/tags/**
         exclude:
-          - refs/tags/gatekeeper-policy-manager-*  # Exclude helm chart releases
+          - refs/tags/gatekeeper-policy-manager-* # Exclude helm chart releases
 
   - name: registry-sha
     image: docker:dind
@@ -274,16 +281,16 @@ steps:
       repo: quay.io/sighup/gatekeeper-policy-manager
       container_image_name: gatekeeper-policy-manager
       container_image_tag: test-${DRONE_BUILD_NUMBER}
+      DOCKERFILE: Dockerfile
+      BUILD_CONTEXT: "."
     volumes:
       - name: dockersock
         path: /var/run/docker.sock
     commands:
-      - docker login $${registry} -u $${username} -p $${password}
-      - docker tag $${container_image_name}:$${container_image_tag} $${repo}:unstable
-      - "docker tag $${container_image_name}:$${container_image_tag} $${repo}:${DRONE_COMMIT_SHA}"
-      - docker push $${repo}:unstable
-      - "docker push $${repo}:${DRONE_COMMIT_SHA}"
-      - docker rmi $${container_image_name}:$${container_image_tag}
+      - "apk add git"
+      - "docker login $${registry} -u $${username} -p $${password}"
+      - "docker buildx create --name sighup-builder --use"
+      - "docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 --pull --push -f $${DOCKERFILE} -t $${repo}:unstable -t $${repo}:go -t $${repo}:${DRONE_COMMIT_SHA} $${BUILD_CONTEXT}"
     when:
       event:
         - push
@@ -301,16 +308,16 @@ steps:
       repo: quay.io/sighup/gatekeeper-policy-manager
       container_image_name: gatekeeper-policy-manager
       container_image_tag: test-${DRONE_BUILD_NUMBER}
+      DOCKERFILE: Dockerfile
+      BUILD_CONTEXT: "."
     volumes:
       - name: dockersock
         path: /var/run/docker.sock
     commands:
-      - docker login $${registry} -u $${username} -p $${password}
-      - docker tag $${container_image_name}:$${container_image_tag} $${repo}:latest
-      - "docker tag $${container_image_name}:$${container_image_tag} $${repo}:${DRONE_TAG}"
-      - docker push $${repo}:latest
-      - "docker push $${repo}:${DRONE_TAG}"
-      - docker rmi $${container_image_name}:$${container_image_tag}
+      - "apk add git"
+      - "docker login $${registry} -u $${username} -p $${password}"
+      - "docker buildx create --name sighup-builder --use"
+      - "docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 --pull --push -f $${DOCKERFILE} -t $${repo}:latest -t $${repo}:${DRONE_TAG} $${BUILD_CONTEXT}"
     when:
       event:
         - tag

.github/dependabot.yml

@@ -1,15 +1,15 @@
-# Copyright (c) 2022 SIGHUP s.r.l All rights reserved.
+# Copyright (c) 2023 SIGHUP s.r.l All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 
 version: 2
 updates:
-  - package-ecosystem: "pip" # See documentation for possible values
-    directory: "/app" # Location of package manifests
+  - package-ecosystem: "gomod" # See documentation for possible values
+    directory: "/" # Location of package manifests
     schedule:
-      interval: "daily"
+      interval: "weekly"
 
   - package-ecosystem: "npm" # See documentation for possible values
     directory: "/app/web-client" # Location of package manifests
     schedule:
-      interval: "daily"
+      interval: "weekly"

.gitignore

@@ -1,8 +1,6 @@
-env
 .vscode
-__pycache__
-launch.json
-app/static-content/*
-!app/static-content/logo.svg
-!app/static-content/semantic.min.css
-tests/e2e/test-results
+static-content/*
+tests/e2e/test-results
+node_modules
+web-client/build
+**/mise.local.toml

Dockerfile

@@ -1,22 +1,45 @@
-# Copyright (c) 2022 SIGHUP s.r.l All rights reserved.
+# Copyright (c) 2023 SIGHUP s.r.l All rights reserved.
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
-FROM node:lts-alpine AS node
-COPY app/web-client /web-client
+
+
+FROM --platform=$BUILDPLATFORM node:lts-alpine AS frontend
+ARG TARGETOS
+ARG TARGETARCH
+COPY ./web-client /web-client
 WORKDIR /web-client
+ENV npm_config_target_arch=${TARGETARCH} npm_config_target_platform=${TARGETOS}
 RUN yarn install && yarn cache clean && yarn build
 
 
-FROM python:3.11-slim
+FROM --platform=$BUILDPLATFORM golang:1.24 AS backend
+ARG TARGETOS
+ARG TARGETARCH
+WORKDIR /app
+COPY *.go ./
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=bind,source=go.mod,target=go.mod \
+    --mount=type=bind,source=go.sum,target=go.sum \
+    go mod download -x
+# hadolint ignore=DL3059
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=bind,source=go.mod,target=go.mod \
+    --mount=type=bind,source=go.sum,target=go.sum \
+    go vet -v
+# hadolint ignore=DL3059
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=bind,target=. \
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o /bin/gpm
+
+
+FROM gcr.io/distroless/static-debian11:nonroot AS target
 LABEL org.opencontainers.vendor="SIGHUP.io"
 LABEL org.opencontainers.image.authors="SIGHUP https://sighup.io"
 LABEL org.opencontainers.image.source="https://github.com/sighupio/gatekeeper-policy-manager"
 
-RUN groupadd -r gpm && useradd --no-log-init -r -g gpm gpm 
 WORKDIR /app
-COPY --chown=gpm ./app /app
-COPY --from=node --chown=gpm /web-client/build/ /app/static-content/
-RUN pip install --no-cache-dir -r /app/requirements.txt
-USER 999
+COPY templates ./templates
+COPY --from=backend ./bin/gpm ./gpm
+COPY --from=frontend /web-client/build/ ./static-content/
 EXPOSE 8080
-CMD ["gunicorn", "--bind=:8080", "--workers=2", "--threads=4", "--worker-class=gthread", "app:app"]
+CMD ["/app/gpm"]