Initial Commit

Signed-off-by: Gabriele Bartolini <[email protected]>

Author: litaocdl

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/build.yml

@@ -0,0 +1,91 @@
+name: Continuous Delivery
+
+on:
+  push:
+    tags:
+      - v*
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: 'bash -Eeuo pipefail -x {0}'
+
+env:
+  IMAGE_STAGING: ghcr.io/cloudnative-pg/pgbouncer-testing
+  IMAGE_RELEASE: ghcr.io/cloudnative-pg/pgbouncer
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-20.04
+    steps:
+      -
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      -
+        name: Detect platforms
+        id: docker-platforms
+        run: |
+          # Now we only support linux/amd64
+          platforms="linux/amd64"
+          echo "::set-output name=platforms::${platforms}"
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+        with:
+          platforms: ${{ steps.docker-platforms.outputs.platforms }}
+      -
+        name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Log in to the GitHub Container registry
+        uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Set image repository
+        id: image-repo
+        run: |
+          if [[ "${GITHUB_REF}" =~ refs/tags/v(.*) ]]; then
+            echo "::set-output name=images::${{ env.IMAGE_RELEASE }},${{ env.IMAGE_STAGING }}"
+          else
+            echo "::set-output name=images::${{ env.IMAGE_STAGING }}"
+          fi
+      -
+        name: Gather image info
+        id: gather-versions
+        run: |
+          pgbouncer_version=$(jq -r '.PGBOUNCER_VERSION' .versions.json)
+          release_version=$(jq -r '.IMAGE_RELEASE_VERSION' .versions.json)
+          debian_version=$(jq -r '.DEBIAN_VERSION' .versions.json)
+          echo "::set-output name=pgbouncer_version::${pgbouncer_version}"
+          echo "::set-output name=release_version::${release_version}"
+          echo "::set-output name=debian_version::${debian_version}"
+      -
+        name: Docker meta
+        id: docker-meta
+        uses: docker/[email protected]
+        with:
+          # list of Docker images to use as base name for tags
+          images: "${{ steps.image-repo.outputs.images }}"
+          # generate Docker tags based on the following events/attributes
+          tags: |
+            type=match,pattern=v(.*),group=1
+            type=match,pattern=v(.*)-\d+,group=1
+            type=ref,event=branch
+          labels: |
+            org.opencontainers.image.version=${{ steps.gather-versions.outputs.pgbouncer_version }}
+            org.opencontainers.image.revision=${{ steps.gather-versions.outputs.release_version }}
+            org.opencontainers.image.licenses=PostgreSQL
+      -
+        name: Build and push
+        uses: docker/[email protected]
+        with:
+          platforms: ${{ steps.docker-platforms.outputs.platforms }}
+          context: .
+          push: true
+          tags: ${{ steps.docker-meta.outputs.tags }}
+          labels: ${{ steps.docker-meta.outputs.labels }}

.github/workflows/update.yml

@@ -0,0 +1,141 @@
+name: Automatic Updates
+
+on:
+  schedule:
+    - cron: 0 0 * * *
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: 'bash -Eeuo pipefail -x {0}'
+
+jobs:
+  update:
+    runs-on: ubuntu-20.04
+    steps:
+      -
+        uses: actions/checkout@v2
+        with:
+          token: ${{ secrets.REPO_GHA_PAT }}
+          fetch-depth: 0
+      -
+        name: Get latest PgBouncer
+        run: |
+          echo PGBOUNCER_VERSION=$(curl -s https://api.github.com/repos/pgbouncer/pgbouncer/releases/latest | jq -r '.assets[].name' | grep -oP "pgbouncer-\K([[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+)(?=\.tar\.gz)") >> $GITHUB_ENV
+      -
+        name: Get latest Debian base image
+        run: |
+           echo DEBIAN_VERSION=$(curl -SsL "https://registry.hub.docker.com/v2/repositories/library/debian/tags/?name=buster-20&ordering=last_updated&" | jq -r ".results[].name | match(\"buster.*-slim\") | .string" | head -n1) >> $GITHUB_ENV
+      -
+        name: Update Dockerfile
+        run: |
+          INITIAL_RELEASE_VERSION=$(jq -r '.IMAGE_RELEASE_VERSION' .versions.json)
+          sed \
+            -e 's/%%PGBOUNCER_VERSION%%/${{ env.PGBOUNCER_VERSION }}/' \
+            -e 's/%%DEBIAN_VERSION%%/${{ env.DEBIAN_VERSION }}/' \
+            -e "s/%%IMAGE_RELEASE_VERSION%%/${INITIAL_RELEASE_VERSION}/" \
+            Dockerfile.template > Dockerfile
+      -
+        name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Build and export to Docker
+        uses: docker/[email protected]
+        with:
+          context: .
+          load: true
+          push: false
+          tags: newimage
+      -
+        name: Dockle scan
+        uses: erzz/[email protected]
+        with:
+          image: newimage
+          exit-code: '1'
+          failure-threshold: WARN
+        env:
+          DOCKLE_IGNORES: DKL-DI-0006
+      -
+        name: Extract package list from container
+        run: |
+          docker run -t --entrypoint bash newimage -c 'apt list --installed | sort' > packages.txt
+      -
+        # We verify if there has been any change in the image. It could be:
+        # * a pgbouncer update
+        # * a new Debian base image
+        # * any change in the installed packages
+        # * any change in the git repository except the pipeline
+        name: Check if the image has been updated since the latest tag
+        run: |
+          echo UPDATED=false >> $GITHUB_ENV
+          if git describe --tags; then
+            current_tag=$(git describe --tags --abbrev=0)
+            if [[ -n $(git diff --name-status  ${current_tag} -- . ':(exclude)README.md' ':(exclude).github' ':(exclude).gitignore') ]]; then
+              echo UPDATED=true >> $GITHUB_ENV
+            fi
+          fi
+      -
+        name: Define tag
+        if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
+        run: |
+          release_number=1
+          if git describe --tags; then
+            current_tag=$(git describe --tags --abbrev=0)
+            current_pgbouncer_version=$(echo $current_tag | cut -d'-' -f 1)
+            current_pgbouncer_version=${current_pgbouncer_version##v}
+            current_release=$(echo $current_tag | cut -d'-' -f 2)
+            if [ $current_pgbouncer_version = ${{ env.PGBOUNCER_VERSION }} ]; then
+              release_number=$((current_release+1))
+            fi
+          fi
+          echo IMAGE_RELEASE_VERSION=${release_number} >> $GITHUB_ENV
+          echo TAG=${{ env.PGBOUNCER_VERSION }}-${release_number} >> $GITHUB_ENV
+      -
+        # In case we are releasing, we need to re-generate the Dockerfile from
+        # the template again since now we also know the proper release version.
+        name: Update Dockerfile and the JSON version file
+        if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
+        run: |
+          sed \
+            -e 's/%%PGBOUNCER_VERSION%%/${{ env.PGBOUNCER_VERSION }}/' \
+            -e 's/%%DEBIAN_VERSION%%/${{ env.DEBIAN_VERSION }}/' \
+            -e 's/%%IMAGE_RELEASE_VERSION%%/${{ env.IMAGE_RELEASE_VERSION }}/' \
+            Dockerfile.template > Dockerfile
+          jq -S '.PGBOUNCER_VERSION = "${{ env.PGBOUNCER_VERSION }}" | .IMAGE_RELEASE_VERSION = "${{ env.IMAGE_RELEASE_VERSION }}" | .DEBIAN_VERSION = "${{ env.DEBIAN_VERSION }}"' < .versions.json >> .versions.json.new
+          mv .versions.json.new .versions.json
+      -
+        name: Temporarily disable "include administrators" branch protection
+        if: ${{ always() && github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
+        id: disable_include_admins
+        uses: benjefferies/[email protected]
+        with:
+          access_token: ${{ secrets.REPO_GHA_PAT }}
+          branch: main
+          enforce_admins: false
+      -
+        name: Commit changes
+        if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
+        uses: EndBug/add-and-commit@v7
+        id: commit
+        with:
+          author_name: EnterpriseDB Automated Updates
+          author_email: [email protected]
+          message: 'Automatic update'
+          tag: v${{ env.TAG }}
+      -
+        name: Make sure a tag is created in case of update
+        if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
+        uses: mathieudutour/[email protected]
+        with:
+          github_token: ${{ secrets.REPO_GHA_PAT }}
+          custom_tag: ${{ env.TAG }}
+          tag_prefix: 'v'
+      -
+        name: Enable "include administrators" branch protection
+        uses: benjefferies/[email protected]
+        if: ${{ always() && github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
+        with:
+          access_token: ${{ secrets.REPO_GHA_PAT }}
+          branch: main
+          enforce_admins: ${{ steps.disable_include_admins.outputs.initial_status }}

.gitignore

@@ -0,0 +1,2 @@
+# Dockle Report
+dockle-report.json

.versions.json

@@ -0,0 +1,5 @@
+{
+  "IMAGE_RELEASE_VERSION": "1",
+  "PGBOUNCER_VERSION": "1.17.0",
+  "DEBIAN_VERSION": "buster-20220328-slim"
+}

CODEOWNERS

@@ -0,0 +1 @@
+* @NiccoloFei @fcanovai @gbartolini @jbattiato @litaocdl @mnencia @sxd

CODE_OF_CONDUCT.md

@@ -0,0 +1,3 @@
+# Code of Conduct
+
+Cloud Native Postgres follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). <!-- wokeignore:rule=master -->

Dockerfile

@@ -0,0 +1,79 @@
+# vim:set ft=dockerfile:
+# 
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# 
+ARG DEBIAN_VERSION=buster-20220328-slim
+ARG PGBOUNCER_VERSION=1.17.0
+
+FROM debian:${DEBIAN_VERSION} AS build
+ARG PGBOUNCER_VERSION
+
+# Install build dependencies. 
+RUN set -ex; \
+    apt-get update && apt-get upgrade -y; \
+	apt-get install -y --no-install-recommends curl make pkg-config libevent-dev build-essential libssl-dev libudns-dev openssl ; \
+    apt-get purge -y --auto-remove ; \
+    rm -fr /tmp/* ; \
+    rm -rf /var/lib/apt/lists/*
+
+# build pgbouncer
+RUN  curl -sL http://www.pgbouncer.org/downloads/files/${PGBOUNCER_VERSION}/pgbouncer-${PGBOUNCER_VERSION}.tar.gz > pgbouncer.tar.gz ; \
+     tar xzf pgbouncer.tar.gz ; \
+     cd pgbouncer-${PGBOUNCER_VERSION} ; \
+     sh ./configure --without-cares --with-udns ;  \
+     make
+
+
+FROM debian:${DEBIAN_VERSION}
+ARG PGBOUNCER_VERSION
+ARG TARGETARCH
+
+LABEL name="PgBouncer Container Images" \
+      vendor="The CloudNativePG Contributors" \
+      version="%%PGBOUNCER_VERSION%%" \
+      release="%%IMAGE_RELEASE_VERSION%%" \
+      summary="Container images for PgBouncer (connection pooler for PostgreSQL)." \
+      description="This Docker image contains PgBouncer based on Debian ${DEBIAN_VERSION}."
+
+RUN  set -ex; \
+     apt-get update && apt-get upgrade -y; \ 
+     apt-get install -y libevent-dev libssl-dev libudns-dev libvshadow-utils findutils; \
+     apt-get -y install postgresql ; \
+     apt-get -y clean ; \
+     rm -rf /var/lib/apt/lists/*; \
+     rm -fr /tmp/* ; \
+     adduser  pgbouncer ;  \
+     mkdir -p /var/log/pgbouncer ; \
+     mkdir -p /var/run/pgbouncer ; \
+     chown pgbouncer:pgbouncer /var/log/pgbouncer ; \
+     chown pgbouncer:pgbouncer /var/run/pgbouncer ; 
+
+COPY --from=build ["/pgbouncer-${PGBOUNCER_VERSION}/pgbouncer", "/usr/bin/"]
+COPY --from=build ["/pgbouncer-${PGBOUNCER_VERSION}/etc/pgbouncer.ini", "/etc/pgbouncer/pgbouncer.ini.example"]
+COPY --from=build ["/pgbouncer-${PGBOUNCER_VERSION}/etc/userlist.txt", "/etc/pgbouncer/userlist.txt.example"]
+
+RUN touch /etc/pgbouncer/pgbouncer.ini /etc/pgbouncer/userlist.txt
+
+# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout
+RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true
+HEALTHCHECK --interval=5m --timeout=3s \
+  CMD curl -f http://localhost/ || exit 1
+EXPOSE 6432
+
+USER pgbouncer
+
+COPY entrypoint.sh .
+
+ENTRYPOINT ["./entrypoint.sh"]