Refactor gateway DNS and routing

Author: josep-tecnativa

.github/workflows/ci.yml

@@ -1,6 +1,7 @@
 permissions:
   contents: read
   packages: write
+  pull-requests: write
 
 name: Build, Test & Deploy
 
@@ -41,6 +42,10 @@ jobs:
       DOCKER_IMAGE_NAME: ${{ github.repository }}
       # Push only on non-PR events (push to main/tags, workflow_dispatch)
       PUSH: ${{ toJSON(github.event_name != 'pull_request') }}
+      # Push PR image only for PRs from the same repository
+      PUSH_PR_IMAGE:
+        ${{ toJSON(github.event_name == 'pull_request' &&
+        github.event.pull_request.head.repo.full_name == github.repository) }}
     steps:
       # Set up Docker Environment
       - uses: actions/checkout@v4
@@ -89,8 +94,10 @@ jobs:
           echo "Actor: $GITHUB_ACTOR"
           echo "Event: $GITHUB_EVENT_NAME"
           echo "Ref:   $GITHUB_REF"
+          echo "PUSH:  ${{ env.PUSH }}"
+          echo "PR:    ${{ env.PUSH_PR_IMAGE }}"
       - name: Login to GitHub Container Registry
-        if: ${{ fromJSON(env.PUSH) }}
+        if: ${{ fromJSON(env.PUSH) || fromJSON(env.PUSH_PR_IMAGE) }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -125,3 +132,74 @@ jobs:
           cache-to: type=local,dest=/tmp/.buildx-cache,mode=max
           labels: ${{ steps.docker_meta_public.outputs.labels }}
           tags: ${{ steps.docker_meta_public.outputs.tags }}
+
+      - name: Docker meta for PR image
+        if: ${{ fromJSON(env.PUSH_PR_IMAGE) }}
+        id: docker_meta_pr
+        uses: crazy-max/ghaction-docker-meta@v1
+        with:
+          images: |
+            ghcr.io/tecnativa/docker-whitelist-gateway-service
+          tags: |
+            type=raw,value=pr-${{ github.event.pull_request.number }}
+            type=raw,value=pr-${{ github.event.pull_request.number }}-${{ github.sha }}
+
+      - name: Build and push PR image to GHCR
+        if: ${{ fromJSON(env.PUSH_PR_IMAGE) }}
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: |
+            linux/386
+            linux/amd64
+            linux/arm64
+          load: false
+          push: true
+          provenance: false
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache,mode=max
+          labels: ${{ steps.docker_meta_pr.outputs.labels }}
+          tags: ${{ steps.docker_meta_pr.outputs.tags }}
+
+      - name: Comment PR with test image
+        if: ${{ fromJSON(env.PUSH_PR_IMAGE) }}
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = context.payload.pull_request.number;
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const image = `ghcr.io/tecnativa/docker-whitelist-gateway-service:pr-${pr}`;
+            const marker = "<!-- pr-test-image-comment -->";
+            const body = `${marker}
+            Test image published:
+            \`${image}\``;
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner,
+              repo,
+              issue_number: pr,
+              per_page: 100,
+            });
+
+            const existing = comments.find(comment =>
+              comment.user?.type === "Bot" &&
+              comment.body?.includes(marker)
+            );
+
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner,
+                repo,
+                comment_id: existing.id,
+                body,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner,
+                repo,
+                issue_number: pr,
+                body,
+              });
+            }

Dockerfile

@@ -1,33 +1,45 @@
 FROM python:3-alpine
 
-ENTRYPOINT ["dumb-init", "--", "/usr/local/bin/entrypoint.sh"]
-CMD ["proxy"]
-HEALTHCHECK CMD ["healthcheck"]
-
-RUN apk add --no-cache -t .build build-base curl-dev && \
-    apk add --no-cache iptables ipset iproute2 dnsmasq && \
-    apk add --no-cache libcurl && \
-    pip install --no-cache-dir dnspython dumb-init pycurl && \
-    apk del .build
+RUN apk add --no-cache --virtual .build-deps \
+        build-base \
+        curl-dev \
+    && apk add --no-cache \
+        dumb-init \
+        dnsmasq \
+        iproute2 \
+        ipset \
+        iptables \
+        libcurl \
+    && pip install --no-cache-dir \
+        dnspython \
+        pycurl \
+    && apk del .build-deps
 
 ENV NAMESERVERS="1.1.1.1 8.8.8.8" \
     PORT="*" \
-    LISTEN_PORT=15000 \
-    RESOLVE_INTERVAL=60 \
-    PRE_RESOLVE=0 \
-    MODE=tcp \
-    VERBOSE=0 \
-    MAX_CONNECTIONS=100 \
-    UDP_ANSWERS=1 \
-    HTTP_HEALTHCHECK=0 \
+    LISTEN_PORT="15000" \
+    RESOLVE_INTERVAL="60" \
+    PRE_RESOLVE="0" \
+    MODE="tcp" \
+    VERBOSE="0" \
+    MAX_CONNECTIONS="100" \
+    UDP_ANSWERS="1" \
+    HTTP_HEALTHCHECK="0" \
     HTTP_HEALTHCHECK_URL="http://\$TARGET/" \
-    SMTP_HEALTHCHECK=0 \
+    SMTP_HEALTHCHECK="0" \
     SMTP_HEALTHCHECK_URL="smtp://\$TARGET/" \
     SMTP_HEALTHCHECK_COMMAND="HELP" \
-    DNS_UPSTREAMS="1.1.1.1 8.8.8.8" \
-    RESOLVE_INTERVAL="60"
+    DNS_UPSTREAMS="1.1.1.1 8.8.8.8"
 
 COPY proxy.py /usr/local/bin/proxy
 COPY healthcheck.py /usr/local/bin/healthcheck
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh
-RUN chmod +x /usr/local/bin/entrypoint.sh
+
+RUN chmod +x \
+    /usr/local/bin/proxy \
+    /usr/local/bin/healthcheck \
+    /usr/local/bin/entrypoint.sh
+
+ENTRYPOINT ["dumb-init", "--", "/usr/local/bin/entrypoint.sh"]
+CMD ["proxy"]
+HEALTHCHECK CMD ["healthcheck"]