feat: adding a CB trigger and periodic job for purge untagged CFT ima…

…ges (#2204) Co-authored-by: Andrew Peabody <[email protected]>
GoogleCloudPlatform · Mar 12, 2024 · 954b504 · 954b504
1 parent a9a2edb
commit 954b504
Show file tree

Hide file tree

Showing 4 changed files with 195 additions and 55 deletions.
diff --git a/infra/terraform/test-org/ci-project/.terraform.lock.hcl b/infra/terraform/test-org/ci-project/.terraform.lock.hcl
diff --git a/infra/terraform/test-org/ci-project/image_purger.tf b/infra/terraform/test-org/ci-project/image_purger.tf
@@ -0,0 +1,47 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_cloudbuild_trigger" "image_purge_trigger" {
+  description = "Purge CFT images without tags"
+  github {
+    owner = local.gh_orgs.infra
+    name  = local.gh_repos.infra
+    # this will be invoked via cloud scheduler, hence using a regex that will not match any branch
+    push {
+      branch = ".^"
+    }
+  }
+
+  filename = "infra/terraform/test-org/image-cleanup/cloudbuild.yaml"
+}
+
+resource "google_cloud_scheduler_job" "image_purge_job" {
+  name        = "trigger-purge-cft-image-build"
+  description = "Trigger Purge CFT images without tags build"
+  region      = "us-central1"
+  # run every day at 3:00
+  schedule = "0 3 * * *"
+
+  http_target {
+    http_method = "POST"
+    uri         = "https://cloudbuild.googleapis.com/v1/projects/${local.project_id}/triggers/${google_cloudbuild_trigger.image_purge_trigger.trigger_id}:run"
+    body        = base64encode("{\"branchName\": \"master\"}")
+    oauth_token {
+      service_account_email = google_service_account.service_account.email
+    }
+  }
+  depends_on = [google_project_iam_member.project]
+}
diff --git a/infra/terraform/test-org/image-cleanup/cft-image-cleanup.sh b/infra/terraform/test-org/image-cleanup/cft-image-cleanup.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+IFS=$'\n\t'
+set -eou pipefail
+MODE="DRYRUN"
+
+if [[ "$#" -lt 1 || "${1}" == '-h' || "${1}" == '--help' ]]; then
+  cat >&2 <<"EOF"
+cft-image-cleanup.sh cleans up untagged cft-dev-tool images.
+USAGE:
+  cft-image-cleanup.sh REPOSITORY [DELETE]
+  e.g. $ ./cft-image-cleanup.sh gcr.io/cloud-foundation-cicd/cft/developer-tools DELETE
+  would delete all image digests that do not have a tag in the gcr.io/cloud-foundation-cicd/cft/developer-tools repository
+EOF
+  exit 1
+fi
+
+main(){
+  local C=0
+  IMAGE="${1}"
+  for digest in $(gcloud container images list-tags "${IMAGE}" --limit=999999 --sort-by=TIMESTAMP \
+    --format='get(digest)' --filter='-tags:*'); do
+    if [[ "$MODE" == "DRYRUN" ]]; then
+      echo "to delete: $digest"
+    elif [[ "$MODE" == "DELETE" ]]; then
+      (
+        set -x
+        gcloud container images delete -q --force-delete-tags "${IMAGE}@${digest}"
+      )
+    fi
+    (( C=C+1 ))
+  done
+  echo "Deleted ${C} images in ${IMAGE}." >&2
+}
+
+if [[ "$#" -eq 1 ]]; then
+  echo ">>> executing in DRY RUN mode; use the DELETE arg for deleting the images <<<"
+elif [[ "$#" -eq 2 && "${2}" == 'DELETE' ]]; then
+  MODE="DELETE"
+fi
+main "${1}"
diff --git a/infra/terraform/test-org/image-cleanup/cloudbuild.yaml b/infra/terraform/test-org/image-cleanup/cloudbuild.yaml
@@ -0,0 +1,65 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+steps:
+  - name: "gcr.io/cloud-builders/gcloud"
+    dir: "infra/terraform/test-org/image-cleanup"
+    id: "purge-dev-tools"
+    waitFor: ["-"]
+    entrypoint: "bash"
+    args:
+      [
+        "./cft-image-cleanup.sh",
+        "$_REGISTRY_URL/$_DOCKER_IMAGE_DEVELOPER_TOOLS",
+        "DELETE",
+      ]
+  - name: "gcr.io/cloud-builders/gcloud"
+    dir: "infra/terraform/test-org/image-cleanup"
+    id: "purge-dev-tools-light"
+    waitFor: ["-"]
+    entrypoint: "bash"
+    args:
+      [
+        "./cft-image-cleanup.sh",
+        "$_REGISTRY_URL/$_DOCKER_IMAGE_DEVELOPER_TOOLS_LIGHT",
+        "DELETE",
+      ]
+  - name: "gcr.io/cloud-builders/gcloud"
+    dir: "infra/terraform/test-org/image-cleanup"
+    id: "purge-dev-tool-krm"
+    waitFor: ["-"]
+    entrypoint: "bash"
+    args:
+      [
+        "./cft-image-cleanup.sh",
+        "$_REGISTRY_URL/$_DOCKER_IMAGE_DEVELOPER_TOOLS_KRM",
+        "DELETE",
+      ]
+  - name: "gcr.io/cloud-builders/gcloud"
+    dir: "infra/terraform/test-org/image-cleanup"
+    id: "purge-dev-tools-jenkins"
+    waitFor: ["-"]
+    entrypoint: "bash"
+    args:
+      [
+        "./cft-image-cleanup.sh",
+        "$_REGISTRY_URL/$_DOCKER_IMAGE_DEVELOPER_TOOLS_JENKINS",
+        "DELETE",
+      ]
+substitutions:
+  _REGISTRY_URL: "gcr.io/cloud-foundation-cicd"
+  _DOCKER_IMAGE_DEVELOPER_TOOLS: "cft/developer-tools"
+  _DOCKER_IMAGE_DEVELOPER_TOOLS_LIGHT: "cft/developer-tools-light"
+  _DOCKER_IMAGE_DEVELOPER_TOOLS_KRM: "cft/developer-tools-krm"
+  _DOCKER_IMAGE_DEVELOPER_TOOLS_JENKINS: "cft/developer-tools-jenkins"