Initial commit

Author: Mauritz Uph

.github/workflows/publish-to-docker.yaml

@@ -0,0 +1,37 @@
+name: Create and publish a Docker image
+
+on:
+  release:
+    types: [created]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      - name: Build and push Docker image
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/release-binaries.yaml

@@ -0,0 +1,32 @@
+# .github/workflows/release.yaml
+
+on:
+  release:
+    types: [created]
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  releases-matrix:
+    name: Release Go Binary
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # build and publish in parallel: linux/386, linux/amd64, linux/arm64, windows/386, windows/amd64, darwin/amd64, darwin/arm64
+        goos: [linux, darwin]
+        goarch: ["386", amd64, arm64]
+        exclude:
+          - goarch: "386"
+            goos: darwin
+          - goarch: arm64
+            goos: windows
+    steps:
+      - uses: actions/checkout@v3
+      - uses: wangyoucao577/go-release-action@v1
+        with:
+          pre_command: cp cmd/main.go .
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          goos: ${{ matrix.goos }}
+          goarch: ${{ matrix.goarch }}

.gitignore

@@ -0,0 +1,23 @@
+.idea
+
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/
+
+# Go workspace file
+go.work

Dockerfile

@@ -0,0 +1,20 @@
+FROM bitnami/kubectl:1.20.9 as kubectl
+FROM golang:1.20-alpine as builder
+WORKDIR /app
+
+COPY go.sum go.mod ./
+COPY cmd/main.go main.go
+RUN go mod download
+RUN go build -o acrpurgectl main.go
+
+FROM alpine:latest
+
+# Azure-Cli dependencies
+RUN apk update
+RUN apk add bash py3-pip gcc musl-dev python3-dev libffi-dev openssl-dev cargo make
+RUN pip install --upgrade pip
+RUN pip install azure-cli
+COPY --from=kubectl /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/
+
+WORKDIR /root/
+COPY --from=builder /app/acrpurgectl /root

README.md

@@ -0,0 +1,62 @@
+# Azure ACR Purge Control 🗑️
+
+``acrpurgectl`` is a tool that extends the az-cli acr deletion command.
+It parses all images from the Kubernetes (k8s) contexts that you provide and ensures that no
+image currently running in your cluster is deleted.
+
+## Key Features
+- Takes into account the list of Kubernetes contexts during the deletion process, ensuring no running image is deleted.
+- Eliminates the need to pay for ACR tasks.
+- Offers a familiar workflow inspired by the "terraform plan" and "terraform apply" approach.
+- Allows for the use of the "dry-run" command to preview tags before actual deletion, instilling confidence in your actions.
+
+## CLI Commands
+
+Here are the available CLI commands and their descriptions:
+
+| Command                            | Description                                                                                                                                            |
+|------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `--registry <registry_name>`       | Set the name of the Azure Container Registry.                                                                                                          |
+| `--repository <repository_name>`   | Set the name of the repository in your Azure Container Registry.                                                                                       |
+| `--subscription <subscription_id>` | Set the ID of the Azure subscription. If not specified, the default one will be used.                                                                  |
+| `--timestamp <cutoff_timestamp>`   | Set the cutoff timestamp. All images before this timestamp will be deleted. Default: 01/01/2024.                                                       |
+| `--delay <delay_in_seconds>`       | Set the delay (in seconds) between deletion requests. Default: 1 second.                                                                               |
+| `--contexts <context_list>`        | Comma-separated list of Kubernetes contexts. The deletion process will not start if any 'imageToDelete' is running in a cluster from the context list. |
+| `--dry-run`                        | Perform a dry run, printing the tags to be deleted but do not delete them.                                                                             |
+
+## Usage with Docker
+
+You can use Azure ACR Purge with Docker by running the Docker image and logging into your Azure account. Here's how you can do it:
+
+Run the Docker image and access the interactive shell:
+
+```sh
+docker run -it --rm ghcr.io/h3adex/acrpurgectl:latest
+```
+
+Inside the container's interactive shell, log in to your Azure account using the Azure CLI:
+
+```sh
+az login
+```
+
+Execute Azure ACR Purge with your desired parameters. For example:
+
+```sh
+./acrpurgectl --repository test/repo-a --registry testregistry --subscription 1111-2222-3333-4444 --timestamp 01/02/2021
+```
+
+If you want to use the `--contexts` option, you need to share your local kubeconfig file with the Docker container, to allow Azure ACR Purge to access your Kubernetes contexts:
+
+```sh
+docker run -it --rm -v /path/to/your/.kube/config:/root/.kube/config ghcr.io/h3adex/acrpurgectl:latest
+```
+
+Then execute Azure ACR Purge with the `--contexts` parameter:
+
+```sh
+./acrpurgectl --repository test/repo-a --registry testregistry --subscription 1111-2222-3333-4444 --timestamp 01/02/2021 --contexts context1,context2
+```
+
+This will initiate the process to delete old images from the specified repository in your Azure Container Registry based on the provided parameters. 
+Make sure to tailor the commands to your specific needs and repositories. Happy cleaning! 🧹🐳

cmd/main.go

@@ -0,0 +1,184 @@
+package main
+
+import (
+	"encoding/json"
+	"flag"
+	"fmt"
+	"log"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/araddon/dateparse"
+)
+
+type ImageMetadata struct {
+	Architecture         string `json:"architecture"`
+	ChangeableAttributes struct {
+		DeleteEnabled bool `json:"deleteEnabled"`
+		ListEnabled   bool `json:"listEnabled"`
+		ReadEnabled   bool `json:"readEnabled"`
+		WriteEnabled  bool `json:"writeEnabled"`
+	} `json:"changeableAttributes"`
+	ConfigMediaType string    `json:"configMediaType"`
+	CreatedTime     time.Time `json:"createdTime"`
+	Digest          string    `json:"digest"`
+	ImageSize       int       `json:"imageSize"`
+	LastUpdateTime  time.Time `json:"lastUpdateTime"`
+	MediaType       string    `json:"mediaType"`
+	Os              string    `json:"os"`
+	Tags            []string  `json:"tags"`
+}
+
+const Layout = "2006-01-02T15:04:05"
+
+func isImageRunningInCluster(clusterImages []string, imageToDelete ImageMetadata, repository string) (string, error) {
+	for _, clusterImage := range clusterImages {
+		for _, tag := range imageToDelete.Tags {
+			if strings.Contains(clusterImage, fmt.Sprintf("%s:%s", repository, tag)) {
+				return clusterImage, fmt.Errorf("image is running in your provided k8s clusters")
+			}
+		}
+	}
+
+	return "", nil
+}
+
+func main() {
+	registryName := flag.String("registry", "", "Name of the Azure Container Registry")
+	repositoryName := flag.String("repository", "", "Name of the repository in your registry")
+	subscriptionId := flag.String("subscription", "", "ID of the subscription. If not specified it will use the default one")
+	contexts := flag.String("contexts", "", "Comma-separated list of Kubernetes contexts. The deletion process will not start if any 'imageToDelete' is running in a cluster from the context list")
+	deletionCutoffTimestamp := flag.String("timestamp", "01/01/2024", "All Images before the timestamp will get deleted")
+	delay := flag.Float64("delay", 1, "Delay between deletion requests")
+	dryRunMode := flag.Bool("dry-run", false, "Perform a dry run, print tags to be deleted but do not delete them")
+	flag.Parse()
+
+	if *repositoryName == "" || *registryName == "" {
+		log.Println("You must provide the registry and repository")
+		return
+	}
+
+	if *subscriptionId != "" {
+		_, err := exec.Command("bash", "-c", fmt.Sprintf("az account set --subscription %s", *subscriptionId)).Output()
+		if err != nil {
+			log.Println("Failed to set az subscription: ", err)
+			return
+		}
+	}
+
+	var k8sImages []string
+	if len(*contexts) >= 0 {
+		for _, context := range strings.Split(*contexts, ",") {
+			output, err := exec.Command(
+				"bash",
+				"-c",
+				fmt.Sprintf("kubectl get pods --context %s --all-namespaces -o jsonpath=\"{.items[*].spec.containers[*].image}\"", context),
+			).Output()
+			if err != nil {
+				log.Println("Failed to set az subscription: ", err)
+				return
+			}
+
+			for _, image := range strings.Split(string(output), " ") {
+				k8sImages = append(k8sImages, image)
+			}
+		}
+	}
+
+	parsedDate, err := dateparse.ParseAny(*deletionCutoffTimestamp)
+	if err != nil {
+		log.Println("Unable to parse the provided date: ", err)
+		return
+	}
+
+	listManifestsCmd := fmt.Sprintf(
+		"az acr manifest list-metadata --name %s --registry %s --orderby time_asc --query \"[?lastUpdateTime < '%s']\"",
+		*repositoryName, *registryName, parsedDate.Format(Layout),
+	)
+
+	manifestInformation, err := exec.Command("bash", "-c", listManifestsCmd).Output()
+	if err != nil {
+		log.Println("Failed to retrieve manifest information: ", err)
+	}
+
+	var imageMetadataList []ImageMetadata
+	err = json.Unmarshal(manifestInformation, &imageMetadataList)
+	if err != nil {
+		log.Println("Error reading metadata: ", err)
+		return
+	}
+
+	if len(imageMetadataList) == 0 {
+		log.Printf("No Docker Images found which succeed the deletionCutoffTimestamp %s\n", parsedDate)
+		return
+	}
+
+	var imagesToDelete []ImageMetadata
+	for _, metadata := range imageMetadataList {
+		if len(metadata.Tags) == 0 {
+			continue
+		}
+
+		if len(k8sImages) != 0 {
+			image, err := isImageRunningInCluster(k8sImages, metadata, *repositoryName)
+			if err != nil {
+				log.Fatalf("Error: The Image %s is running in one of your cluster. Please reconsider your deletion timestamp. \n", image)
+			}
+		}
+
+		if *dryRunMode {
+			log.Printf("[DRY-RUN] Docker Image %s with tags %s would get deleted. Created Time: %s \n", *repositoryName, strings.Join(metadata.Tags, ","), metadata.CreatedTime)
+			continue
+		}
+
+		if len(metadata.Digest) > 0 {
+			imagesToDelete = append(imagesToDelete, metadata)
+		}
+	}
+
+	if len(imagesToDelete) == 0 {
+		return
+	}
+
+	amountImages := 0
+	for _, imageToDelete := range imagesToDelete {
+		log.Printf("Docker Image %s with tags %s will get deleted. Created Time: %s \n", *repositoryName, strings.Join(imageToDelete.Tags, ","), imageToDelete.CreatedTime)
+		amountImages++
+	}
+
+	log.Printf("%d Images will get deleted. Do you want to perfom the deletion? Please answer with yes\n", amountImages)
+
+	var response string
+	_, err = fmt.Scanln(&response)
+	if err != nil {
+		log.Println("Unable to read user input")
+		return
+	}
+
+	if response != "yes" {
+		log.Println("Goodbye!")
+		return
+	}
+
+	log.Printf("Starting deletion process with a delay of %f s \n", *delay)
+	for _, imageToDelete := range imagesToDelete {
+		if len(imageToDelete.Digest) == 0 {
+			log.Printf("Skipping image with tags: %s since it has not digest \n", strings.Join(imageToDelete.Tags, ","))
+		}
+
+		deleteManifest := fmt.Sprintf(
+			"az acr repository delete --name %s --image %s@%s --yes",
+			*registryName, *repositoryName, imageToDelete.Digest,
+		)
+		_, err := exec.Command("bash", "-c", deleteManifest).Output()
+		if err != nil {
+			log.Printf("Error fulfilling deletion command: %s\n", err)
+		}
+
+		log.Printf("Deleted image %s with tags: %s \n", *repositoryName, strings.Join(imageToDelete.Tags, ","))
+		time.Sleep(time.Second * time.Duration(*delay))
+	}
+
+	log.Printf("Done. Goodbye!")
+}

go.mod

@@ -0,0 +1,5 @@
+module azure-registry-purge
+
+go 1.20
+
+require github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de

go.sum

@@ -0,0 +1,15 @@
+github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de h1:FxWPpzIjnTlhPwqqXc4/vE0f7GvRjuAsbW+HOIe8KnA=
+github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de/go.mod h1:DCaWoUhZrYW9p1lxo/cm8EmUOOzAPSEZNGF2DK1dJgw=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/mattn/go-runewidth v0.0.10/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/scylladb/termtables v0.0.0-20191203121021-c4c0b6d42ff4/go.mod h1:C1a7PQSMz9NShzorzCiG2fk9+xuCgLkPeCvMHYR2OWg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=