feat: Update templates for production components and v0.9.2

pinetops · pinetops · commit 076b7ccf7c1d · 2025-09-13T15:08:37.000-04:00
- Add workload-identity and gke-network-policy components to production skaffold profile
- These components are required for production deployments
- Ensures future regenerations include necessary production configuration
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,28 @@
-# Start from the google cloud SDK image which supports multiple architectures
+# Multi-stage build for compliance-cli
+# Build stage compiles the Go binary for the target architecture
+FROM golang:1.21-alpine AS builder
+
+# Install build dependencies
+RUN apk add --no-cache git
+
+# Set working directory
+WORKDIR /build
+
+# Copy go mod files
+COPY go.mod go.sum ./
+
+# Download dependencies
+RUN go mod download
+
+# Copy source code
+COPY . .
+
+# Build for the target architecture
+# Docker automatically sets TARGETARCH based on the platform being built
+ARG TARGETARCH
+RUN GOOS=linux GOARCH=${TARGETARCH} go build -o compliance-cli ./cmd/deploy
+
+# Final stage - Start from the google cloud SDK image which supports multiple architectures
 FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:stable
 
 # Install additional useful tools
@@ -8,17 +32,19 @@ RUN apt-get update && apt-get install -y \
     git \
     && rm -rf /var/lib/apt/lists/*
 
-# Install yq separately
-RUN curl -L https://github.com/mikefarah/yq/releases/download/v4.40.5/yq_linux_amd64 -o /usr/local/bin/yq \
-    && chmod +x /usr/local/bin/yq
+# Install yq for the correct architecture
+ARG TARGETARCH
+RUN if [ "${TARGETARCH}" = "arm64" ]; then \
+        curl -L https://github.com/mikefarah/yq/releases/download/v4.40.5/yq_linux_arm64 -o /usr/local/bin/yq; \
+    else \
+        curl -L https://github.com/mikefarah/yq/releases/download/v4.40.5/yq_linux_amd64 -o /usr/local/bin/yq; \
+    fi && \
+    chmod +x /usr/local/bin/yq
 
-# Add the compliance-cli binary
-COPY compliance-cli /usr/local/bin/compliance-cli
+# Copy the compliance-cli binary from builder
+COPY --from=builder /build/compliance-cli /usr/local/bin/compliance-cli
 RUN chmod +x /usr/local/bin/compliance-cli
 
-# Add any other custom tools your org uses
-# COPY other-tool /usr/local/bin/other-tool
-
 # Set workdir
 WORKDIR /workspace
 
diff --git a/internal/deploy/preview.go b/internal/deploy/preview.go
@@ -42,6 +42,7 @@ func NewPreviewCommand(appConfig *config.AppConfig) *cobra.Command {
 			}
 
 			previewName := fmt.Sprintf("pr%s", prNumber)
+			deployConfig.PRNumber = prNumber
 
 			// Set preview-specific configuration using app config
 			deployConfig.Pipeline = fmt.Sprintf("%s-preview-pipeline", appConfig.App)
diff --git a/internal/generate/templates/cloudbuild/preview-destroy.yaml.tmpl b/internal/generate/templates/cloudbuild/preview-destroy.yaml.tmpl
@@ -12,7 +12,7 @@ steps:
   env:
   - 'PROJECT_ID=${_PROJECT_ID}'
   - 'REGION=${_REGION}'
-  - 'PR_NUMBER=${_PR_NUMBER}'
+  - '_PR_NUMBER=${_PR_NUMBER}'
 
 options:
   logging: CLOUD_LOGGING_ONLY
diff --git a/internal/generate/templates/skaffold.yaml.tmpl b/internal/generate/templates/skaffold.yaml.tmpl
@@ -71,5 +71,7 @@ profiles:
     kustomize:
       paths: 
       - ../k8s/app/resources/prod
+      - ../k8s/components/security/workload-identity
+      - ../k8s/components/networking/gke-network-policy
       buildArgs:
       - --load-restrictor=LoadRestrictionsNone
diff --git a/internal/preview/destroy.go b/internal/preview/destroy.go
@@ -64,6 +64,11 @@ Removes:
 				log.Printf("Warning: Failed to destroy Cloud Deploy releases: %v", err)
 			}
 
+			// Destroy AlloyDB Omni DBClusters first (if any)
+			if err := destroyPRDBClusters(ctx, appConfig, projectID, region, prNumber, dryRun); err != nil {
+				log.Printf("Warning: Failed to destroy AlloyDB Omni DBClusters: %v", err)
+			}
+
 			// Destroy Kubernetes namespace
 			if err := destroyPRNamespace(ctx, appConfig, projectID, region, prNumber, dryRun); err != nil {
 				log.Printf("Warning: Failed to destroy Kubernetes namespace: %v", err)
@@ -153,6 +158,86 @@ func destroyPRReleases(ctx context.Context, appConfig *config.AppConfig, project
 	return nil
 }
 
+func destroyPRDBClusters(ctx context.Context, appConfig *config.AppConfig, projectID, region, prNumber string, dryRun bool) error {
+	log.Printf("🗄️  Destroying AlloyDB Omni DBClusters for PR #%s...", prNumber)
+
+	// Get cluster credentials
+	credsCmd := exec.CommandContext(ctx, "gcloud", "container", "clusters", "get-credentials",
+		fmt.Sprintf("%s-cluster", appConfig.App),
+		"--region="+region,
+		"--project="+projectID,
+	)
+	if err := credsCmd.Run(); err != nil {
+		// If we can't get credentials, skip DBCluster cleanup
+		log.Printf("  Warning: Could not get cluster credentials: %v", err)
+		return nil
+	}
+
+	namespaceName := fmt.Sprintf("%s-preview-pr%s", appConfig.App, prNumber)
+	
+	// Check if namespace exists
+	checkCmd := exec.CommandContext(ctx, "kubectl", "get", "namespace", namespaceName)
+	if err := checkCmd.Run(); err != nil {
+		// Namespace doesn't exist, nothing to do
+		return nil
+	}
+
+	// List DBClusters in the namespace
+	listCmd := exec.CommandContext(ctx, "kubectl", "get", "dbclusters.alloydbomni.dbadmin.goog", 
+		"-n", namespaceName,
+		"-o", "jsonpath={.items[*].metadata.name}",
+	)
+	
+	output, err := listCmd.Output()
+	if err != nil {
+		// DBClusters CRD might not exist or no DBClusters in namespace
+		if strings.Contains(err.Error(), "error validating data") || 
+		   strings.Contains(err.Error(), "the server doesn't have a resource type") {
+			log.Printf("  No DBClusters CRD or no DBClusters found")
+			return nil
+		}
+		log.Printf("  Warning: Could not list DBClusters: %v", err)
+		return nil
+	}
+
+	dbClusters := strings.TrimSpace(string(output))
+	if dbClusters == "" {
+		log.Printf("  No DBClusters found in namespace")
+		return nil
+	}
+
+	// Mark each DBCluster for deletion
+	for _, dbCluster := range strings.Fields(dbClusters) {
+		log.Printf("  🗑️  Marking DBCluster '%s' for deletion", dbCluster)
+		
+		if !dryRun {
+			// Set isDeleted=true to trigger graceful deletion
+			patchCmd := exec.CommandContext(ctx, "kubectl", "patch", 
+				"dbclusters.alloydbomni.dbadmin.goog", dbCluster,
+				"-n", namespaceName,
+				"--type=merge",
+				"-p", `{"spec":{"isDeleted":true}}`,
+			)
+			
+			if err := patchCmd.Run(); err != nil {
+				log.Printf("    ⚠️  Failed to mark DBCluster %s for deletion: %v", dbCluster, err)
+			} else {
+				log.Printf("    ✓ DBCluster %s marked for deletion", dbCluster)
+			}
+		}
+	}
+
+	// Wait a bit for the operator to start processing the deletion
+	if !dryRun && dbClusters != "" {
+		log.Printf("  ⏳ Waiting for AlloyDB Omni operator to process deletions...")
+		// Sleep for 10 seconds to give the operator time to start cleanup
+		// This helps avoid namespace getting stuck in Terminating state
+		exec.CommandContext(ctx, "sleep", "10").Run()
+	}
+
+	return nil
+}
+
 func destroyPRNamespace(ctx context.Context, appConfig *config.AppConfig, projectID, region, prNumber string, dryRun bool) error {
 	log.Printf("☸️  Destroying Kubernetes namespace for PR #%s...", prNumber)
 

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ func NewPreviewCommand(appConfig config.AppConfig) cobra.Command {`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`previewName := fmt.Sprintf("pr%s", prNumber)`
	`45`	`+ deployConfig.PRNumber = prNumber`
`45`	`46`
`46`	`47`	`// Set preview-specific configuration using app config`
`47`	`48`	`deployConfig.Pipeline = fmt.Sprintf("%s-preview-pipeline", appConfig.App)`