feat(cloud-query): add PostgreSQL sidecar container and update build process (#2453)

Author: floreks

.github/workflows/cloud-query-cd.yaml

@@ -22,6 +22,7 @@ env:
   GOBIN: /home/runner/go/bin
   GOPROXY: "https://proxy.golang.org"
   REGISTRY_IMAGE: ghcr.io/pluralsh/cloud-query
+  REGISTRY_IMAGE_DB: ghcr.io/pluralsh/cloud-query-db
   DOCKER_METADATA_PR_HEAD_SHA: 'true'
 jobs:
   test:
@@ -44,8 +45,8 @@ jobs:
         run: go mod download
       - name: Test
         run: PATH=$PATH:$GOPATH/bin make test
-  build-image:
-    name: Build image
+  build-db:
+    name: Build db image
     needs: [ test ]
     permissions:
       contents: 'read'
@@ -60,6 +61,91 @@ jobs:
           - platform: linux/arm64
             runner: ubuntu-24.04-arm
     runs-on: ${{ matrix.platforms.runner }}
+    defaults:
+      run:
+        shell: bash
+        working-directory: go/cloud-query
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platforms.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY_IMAGE_DB }}
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: google-github-actions/auth@v1
+        with:
+          workload_identity_provider: 'projects/${{ secrets.GOOGLE_PROJECT_ID }}/locations/global/workloadIdentityPools/github/providers/github'
+          service_account: '[email protected]'
+          token_format: 'access_token'
+          create_credentials_file: true
+      - uses: google-github-actions/[email protected]
+      - name: Login to GCR
+        run: gcloud auth configure-docker -q
+      - name: Login to Docker
+        uses: docker/login-action@v3
+        with:
+          username: mjgpluralsh
+          password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/[email protected]
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: "./go/cloud-query"
+          file: "./go/cloud-query/db.Dockerfile"
+          tags: ${{ env.REGISTRY_IMAGE_DB }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: ${{ matrix.platforms.platform }}
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            GIT_COMMIT=${{ github.sha }}
+            VERSION=${{ steps.meta.outputs.version }}
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-db-${{ env.PLATFORM_PAIR }}-${{ github.run_id }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+  build-cloud-query:
+    name: Build cloud-query image
+    needs: [test]
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+      packages: 'write'
+    strategy:
+      fail-fast: false
+      matrix:
+        platforms:
+          - platform: linux/amd64
+            runner: ubuntu-24.04
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.platforms.runner }}
     defaults:
       run:
         shell: bash
@@ -125,13 +211,76 @@ jobs:
       - name: Upload digest
         uses: actions/upload-artifact@v4
         with:
-          name: digests-${{ env.PLATFORM_PAIR }}
+          name: digests-cloudquery-${{ env.PLATFORM_PAIR }}-${{ github.run_id }}
           path: ${{ runner.temp }}/digests/*
           if-no-files-found: error
           retention-days: 1
-  publish-image:
-    name: Publish image
-    needs: [ build-image ]
+  publish-db:
+    name: Publish db image
+    needs: [build-db]
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+      packages: 'write'
+    strategy:
+      fail-fast: false
+      matrix:
+        images:
+          - ghcr.io/pluralsh/cloud-query-db
+          - gcr.io/pluralsh/cloud-query-db
+          - docker.io/pluralsh/cloud-query-db
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-db-*
+          merge-multiple: true
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: google-github-actions/auth@v1
+        with:
+          workload_identity_provider: 'projects/${{ secrets.GOOGLE_PROJECT_ID }}/locations/global/workloadIdentityPools/github/providers/github'
+          service_account: '[email protected]'
+          token_format: 'access_token'
+          create_credentials_file: true
+      - uses: google-github-actions/[email protected]
+      - name: Login to GCR
+        run: gcloud auth configure-docker -q
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: mjgpluralsh
+          password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ matrix.images }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=tag
+            type=ref,event=pr
+            type=sha
+            type=raw,value=${{ github.event.inputs.version }},enable=${{ github.event.inputs.version != '' }}
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.REGISTRY_IMAGE_DB }}@sha256:%s ' *)
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ matrix.images }}:${{ steps.meta.outputs.version }}
+  publish-cloud-query:
+    name: Publish cloud-query image
+    needs: [build-cloud-query]
     permissions:
       contents: 'read'
       id-token: 'write'
@@ -149,7 +298,7 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           path: ${{ runner.temp }}/digests
-          pattern: digests-*
+          pattern: digests-cloudquery-*
           merge-multiple: true
       - name: Login to GHCR
         uses: docker/login-action@v3
@@ -191,4 +340,4 @@ jobs:
             $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
       - name: Inspect image
         run: |
-          docker buildx imagetools inspect ${{ matrix.images }}:${{ steps.meta.outputs.version }}
+          docker buildx imagetools inspect ${{ matrix.images }}:${{ steps.meta.outputs.version }}

charts/console-rapid/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: console-rapid
 description: rapid channel chart for the plural console (used for testing)
 appVersion: 0.11.28
-version: 0.3.132
+version: 0.3.133
 dependencies:
   - name: kas
     version: 0.3.0

charts/console/templates/cloud-query/deployment.yaml

@@ -42,6 +42,20 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
+        - name: cloud-query-db
+          image: "{{ .Values.cloudQuery.database.image.repository }}:{{ .Values.cloudQuery.database.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
+          imagePullPolicy: {{ .Values.cloudQuery.database.image.pullPolicy }}
+          env:
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                {{- if .Values.cloudQuery.database.password.existingSecret.name }}
+                  name: {{ .Values.cloudQuery.database.password.existingSecret.name }}
+                  key: {{ .Values.cloudQuery.database.password.existingSecret.key }}
+                {{- else }}
+                  name: {{ include "console.cloudquery.db.secret" . }}
+                  key: password
+                {{- end }}
         - name: cloud-query
           {{- with .Values.cloudQuery.securityContext }}
           securityContext:
@@ -72,25 +86,23 @@ spec:
           livenessProbe:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.cloudQuery.readinessProbe }}
           readinessProbe:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
+            httpGet:
+              path: /healthz
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 30
+            failureThreshold: 1
           {{- with .Values.cloudQuery.resources }}
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          volumeMounts:
-            - name: {{ .Values.cloudQuery.database.volume.name }}
-              mountPath: {{ .Values.cloudQuery.database.volume.mountPath }}
           {{- with .Values.cloudQuery.volumeMounts }}
+          volumeMounts:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-      volumes:
-        - name: {{ .Values.cloudQuery.database.volume.name }}
-          emptyDir:
-            medium: {{ .Values.cloudQuery.database.volume.medium }}
       {{- with .Values.cloudQuery.volumes }}
+      volumes:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.cloudQuery.nodeSelector }}