refactoring done

- official netbox library used
- check command with filter support
- in,out command currently only noop
- Container image creation updated and documented
- Golang image for the build stage
- Distroless base without libc and shell for the final image
- Concourse config documented

Author: businessbean

.dockerignore

@@ -1,2 +1,3 @@
-.git/
 .idea/
+.vscode/
+.DS_Store

.gitignore

@@ -0,0 +1,2 @@
+.vscode/
+.DS_Store

Dockerfile

@@ -1,17 +1,41 @@
-FROM keppel.eu-de-1.cloud.sap/ccloud-dockerhub-mirror/library/golang:alpine AS builder
+ARG BUILDER_NAME="golang"
+ARG BUILDER_VERSION="1.25.0-bookworm"
+ARG BASE_NAME="gcr.io/distroless/static-debian12"
+ARG BASE_VERSION="latest"
+FROM $BUILDER_NAME:$BUILDER_VERSION AS buildstage
+ARG BUILD_VERSION
 
-RUN apk update && apk add --no-cache git ca-certificates && update-ca-certificates
+ENV CGO_ENABLED=0
 
-ADD . /app/
-WORKDIR /app
-RUN CGO_ENABLED=0 go build -ldflags="-w -s" -o resource .
-RUN mkdir -p /target/opt/resource/
-RUN cp resource /target/opt/resource/
-RUN ln -s resource /target/opt/resource/in
-RUN ln -s resource /target/opt/resource/out
-RUN ln -s resource /target/opt/resource/check
+COPY . /go/src
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 
+RUN mkdir -p /opt/resource
+WORKDIR /go/src
+RUN \
+  export GIT_COMMIT="$(git rev-parse HEAD)" \
+  && export BUILD_DATE="$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
+  && export ENV LDFLAGS="-X 'k8s.io/component-base/version.gitCommit=${GIT_COMMIT}' -X 'k8s.io/component-base/version.buildDate=${BUILD_DATE}' -X 'k8s.io/component-base/version.gitVersion=${BUILD_VERSION}'" \
+  && go build -ldflags "${LDFLAGS}" -o /opt/resource/check cmd/check/main.go \
+  && go build -ldflags "${LDFLAGS}" -o /opt/resource/in cmd/in/main.go \
+  && go build -ldflags "${LDFLAGS}" -o /opt/resource/out cmd/out/main.go
 
-FROM scratch
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=builder /target/opt /opt
+RUN /opt/resource/check -v | grep -q "${BUILD_VERSION}"
+RUN /opt/resource/in -v | grep -q "${BUILD_VERSION}"
+RUN /opt/resource/out -v | grep -q "${BUILD_VERSION}"
+
+ARG BASE_NAME
+ARG BASE_VERSION
+FROM $BASE_NAME:$BASE_VERSION
+ARG BASE_NAME
+ARG BASE_VERSION
+ARG BUILD_VERSION
+COPY --from=buildstage /opt/resource /opt/resource
+
+LABEL org.opencontainers.image.title=concourse-netbox-resource
+LABEL org.opencontainers.image.authors="businessbean, SchwarzM"
+LABEL org.opencontainers.image.url="https://github.com/sapcc/concourse-netbox-resource/blob/master/Dockerfile"
+LABEL org.opencontainers.image.version="${BUILD_VERSION}"
+LABEL org.opencontainers.image.base.name="${BASE_NAME}"
+LABEL org.opencontainers.image.base.digest="${BASE_NAME}:${BASE_VERSION}"
+LABEL source_repository="https://github.com/sapcc/concourse-netbox-resource/"

README.md

@@ -1,2 +1,66 @@
 # concourse-netbox-resource
 A concourse resource to trigger from netbox
+
+## Container Image build
+
+This resource is built using a Dockerfile that uses a multi-stage build process. The first stage builds the Go application, and the second stage creates a minimal container image using distroless. The following optional build arguments are available:
+
+- `BUILDER_NAME`: The name of the Go builder image (default: `golang`)
+- `BUILDER_VERSION`: The version of the Go builder image (default: `1.24.4-bookworm`)
+- `BASE_NAME`: The base image for the final container (default: `gcr.io/distroless/static-debian12`)
+- `BASE_VERSION`: The version of the base image (default: `latest`) (`nonroot` is not possible because Concourse [requires root permissions to run the resource](https://github.com/concourse/concourse/issues/403))
+
+The following build arguments are mandatory:
+
+- `BUILD_VERSION`: The semantic version for the container and the Go application
+
+```shell=bash
+export BUILD_VERSION=0.1.0
+docker build --build-arg BUILD_VERSION="${BUILD_VERSION}" --tag concourse-netbox-resource:"${BUILD_VERSION}"-"$(date -u +'%Y%m%d%H%M%S')" ./
+unset BUILD_VERSION
+```
+
+## Usage
+
+This resource is designed to be used in a Concourse CI pipeline. It can be configured to trigger jobs based on events from NetBox, such as changes to devices or other objects.
+
+### Configuration
+
+The `source.url` parameter is mandatory. All fields in the `source.filter` section and the `source.token` are optional. Fields with brackets `[]` can contain multiple values. `source.filter.device_name` and `source.filter.interface_name` are using a `case-insensitive contains` filter.
+
+This is an example of how to configure the resource in a Concourse pipeline:
+
+```yaml
+resource_types:
+  - name: netbox-resource
+    type: registry-image
+    check_every: never
+    source:
+      repository: registry.fqdn/org/concourse-netbox-resource
+      tag: 0.1.0-20250619163905
+
+resources:
+  - name: example.netbox
+    type: netbox-resource
+    icon: netbox
+    check_every: 15m
+    source:
+      url: "https://netbox.example.local"
+      token: "your-api-token"
+      filter:
+        site_name: ["site 1"]
+        tag: ["tag1"]
+        role: ["server"]
+        device_id: [123]
+        device_name: ["server1"]
+        device_type: ["vendor model"]
+        device_status: ["active"]
+        server_interface:
+          interface_id: [456]
+          interface_name: ["eth0"]
+          enabled: true
+          mgmt_only: false
+          connected: true
+          cabled: true
+          type: ["virtual"]
+```

cmd/check/main.go

@@ -0,0 +1,129 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/sapcc/concourse-netbox-resource/pkg/concourse"
+	"github.com/sapcc/concourse-netbox-resource/pkg/helper"
+	"github.com/sapcc/concourse-netbox-resource/pkg/netbox"
+)
+
+var (
+	input        concourse.Input
+	output       []concourse.Version
+	err          error
+	cmdlineflags helper.CmdLineFlags
+	ctx          context.Context
+	usage        string = `This command queries the NetBox API for objects matching the specified filter and returns their latest versions.
+The input is required in JSON format from stdin, which should include the NetBox URL, the API token and optional filters.
+The output will be a JSON array of objects with their latest versions.
+
+{
+  "source": {
+    "url": "https://netbox.example.local",
+    "token": "your-api-token"
+		},
+		"filter": {
+			"site_name": ["My Site"],
+			"tag": ["my-tag"],
+			"role": ["server"],
+			"device_id": [123],
+			"device_name": ["my-server"],
+			"device_type": ["server type"],
+			"device_status": ["active"],
+			"server_interface": {
+				"interface_id": [456],
+				"interface_name": ["eth0"],
+				"enabled": true,
+				"mgmt_only": false,
+				"connected": true,
+				"cabled": true,
+				"type": ["1000base-t"]
+			}
+	},
+  "version": {
+    "id": 123,
+		"last_updated": "2023-10-01T12:00:00Z",
+		"object_type": "interfaces",
+		"device_id": 123,
+		"device_name": "my-server",
+		"device_role": "server",
+		"interface_name": "eth0",
+		"interface_type": "1000base-t"
+  }
+}
+
+Example: check < source.json
+Parameters:
+`
+)
+
+func init() {
+	cmdlineflags = helper.AddFlags()
+	ctx = context.Background()
+}
+
+func main() {
+	if cmdlineflags.Buildinfo {
+		os.Stdout.WriteString(helper.ShowBuildInfo())
+		os.Exit(0)
+	}
+
+	if cmdlineflags.Versioninfo {
+		os.Stdout.WriteString(helper.ShowVersionInfo())
+		os.Exit(0)
+	}
+
+	if cmdlineflags.Help {
+		os.Stdout.WriteString(usage)
+		flag.PrintDefaults()
+		os.Exit(0)
+	}
+
+	input, err = validateInput()
+	if err != nil {
+		fmt.Println(fmt.Errorf("input validation failed: %w", err))
+		os.Exit(1)
+	}
+
+	output, err = netbox.Query(input, ctx)
+	if err != nil {
+		fmt.Println(fmt.Errorf("netbox query failed: %w", err))
+		os.Exit(1)
+	}
+
+	encodedOutput, encodeErr := json.Marshal(output)
+	if encodeErr != nil {
+		fmt.Println(fmt.Errorf("failed to Json encode query result: %w (output: %+v)", encodeErr, output))
+		os.Exit(1)
+	}
+
+	if _, writeErr := os.Stdout.Write(encodedOutput); writeErr != nil {
+		fmt.Println(fmt.Errorf("failed to output Json encoded query result: %w (output: %s)", writeErr, string(encodedOutput)))
+		os.Exit(1)
+	}
+}
+
+func validateInput() (concourse.Input, error) {
+	var inputParsed concourse.Input
+
+	stat, _ := os.Stdin.Stat()
+	if (stat.Mode() & os.ModeCharDevice) != 0 {
+		return concourse.Input{}, fmt.Errorf("no input provided on stdin")
+	}
+
+	err := json.NewDecoder(os.Stdin).Decode(&inputParsed)
+	if err != nil && err != io.EOF {
+		return concourse.Input{}, fmt.Errorf("failed to decode input")
+	}
+
+	if inputParsed.Source.Url == "" {
+		return concourse.Input{}, fmt.Errorf("source.netbox_url containing the NetBox URL is required")
+	}
+	return inputParsed, nil
+}

cmd/in/main.go

@@ -0,0 +1,91 @@
+package main
+
+import (
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/sapcc/concourse-netbox-resource/pkg/concourse"
+	"github.com/sapcc/concourse-netbox-resource/pkg/helper"
+)
+
+var (
+	input        concourse.Input
+	output       concourse.Output
+	cmdlineflags helper.CmdLineFlags
+	usage        string = `This command implements the Concourse in interface as a noop. It reads the input, validates it, and outputs the version.
+
+	Example: in /tmp/build/get < request.json
+	`
+)
+
+func init() {
+	cmdlineflags = helper.AddFlags()
+}
+
+func main() {
+	if cmdlineflags.Buildinfo {
+		os.Stdout.WriteString(helper.ShowBuildInfo())
+		os.Exit(0)
+	}
+
+	if cmdlineflags.Versioninfo {
+		os.Stdout.WriteString(helper.ShowVersionInfo())
+		os.Exit(0)
+	}
+
+	if cmdlineflags.Help {
+		os.Stdout.WriteString(usage)
+		flag.PrintDefaults()
+		os.Exit(0)
+	}
+
+	stat, _ := os.Stdin.Stat()
+	if (stat.Mode() & os.ModeCharDevice) != 0 {
+		fmt.Println(fmt.Errorf("no input provided on stdin"))
+		os.Exit(1)
+	}
+	err := json.NewDecoder(os.Stdin).Decode(&input)
+	if err != nil && err != io.EOF {
+		fmt.Println(fmt.Errorf("failed to decode input"))
+		os.Exit(1)
+	}
+
+	if len(os.Args) < 2 {
+		fmt.Println(fmt.Errorf("destination path argument is required"))
+		os.Exit(1)
+	}
+	outPath := os.Args[1]
+	if outPath != "/tmp/build/get" {
+		fmt.Println(fmt.Errorf("invalid destination path: %s", outPath))
+		os.Exit(1)
+	}
+	file, err := os.Create(outPath + "/version.json")
+	if err != nil {
+		fmt.Println(fmt.Errorf("failed to create output file: %w", err))
+		os.Exit(1)
+	}
+	defer file.Close()
+
+	output.Version.Id = input.Version.Id
+	output.Version.LastUpdated = input.Version.LastUpdated
+	output.Version.ObjectType = input.Version.ObjectType
+	output.Version.DeviceId = input.Version.DeviceId
+	output.Version.DeviceName = input.Version.DeviceName
+	output.Version.DeviceRole = input.Version.DeviceRole
+	output.Version.DeviceApiUrl = input.Version.DeviceApiUrl
+	output.Version.DeviceDisplayUrl = input.Version.DeviceDisplayUrl
+	if input.Version.ObjectType == "interfaces" {
+		output.Version.InterfaceName = input.Version.InterfaceName
+		output.Version.InterfaceType = input.Version.InterfaceType
+		output.Version.InterfaceApiUrl = input.Version.InterfaceApiUrl
+		output.Version.InterfaceDisplayUrl = input.Version.InterfaceDisplayUrl
+	}
+
+	if err := json.NewEncoder(file).Encode(output); err != nil {
+		fmt.Println(fmt.Errorf("failed to write JSON output: %w", err))
+	}
+	json.NewEncoder(os.Stdout).Encode(output)
+}