Refactoring Juicebox GCP Service

Author: James Belchamber

.github/workflows/build_and_publish.yml

@@ -0,0 +1,64 @@
+name: Build and Publish
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build_and_publish:
+    name: Build and Publish
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.24.4"
+          check-latest: false
+
+      - name: Build Executable
+        run: |
+          go build ./cmd/jb-sw-realm
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/main.yml .github/workflows/lint_and_test.yml.github/workflows/main.yml renamed to .github/workflows/lint_and_test.yml

@@ -1,10 +1,7 @@
-name: CI
+name: Lint and Test
 
 on:
   pull_request: {}
-  push:
-    branches:
-    - main
   workflow_dispatch: {}
 
 jobs:
@@ -13,18 +10,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
         with:
-          go-version: '1.22.2'
+          go-version: "1.24.4"
           check-latest: false
 
       - name: Run revive
         run: |
           go install github.com/mgechev/revive@latest
-          revive -config revive.toml -formatter friendly -set_exit_status ./...
+          revive -config revive.toml -formatter friendly ./...
 
       - name: Run staticcheck
         run: |

Dockerfile

@@ -1,36 +1,13 @@
-FROM golang:1.22.2 as build-env
+FROM debian:latest
 
-WORKDIR /app
+RUN apt update && apt install -y ca-certificates
 
-COPY go.mod go.sum ./
-
-RUN go mod download
-
-COPY . .
-
-RUN CGO_ENABLED=0 go build -o /jb-sw-realm ./cmd/jb-sw-realm
-
-FROM debian:11-slim
-
-RUN apt-get update && apt-get install -y curl supervisor
-
-WORKDIR /otel
-
-RUN curl -LO https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/v0.77.0/otelcol-contrib_0.77.0_linux_amd64.tar.gz \
-    && tar -xzvf otelcol-contrib_0.77.0_linux_amd64.tar.gz \
-    && mv otelcol-contrib /usr/local/bin/otelcol-contrib \
-    && rm -rf /otel
-
-COPY otel-collector-config.yaml /etc/otelcol-contrib/config.yaml
-
-COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
-
-COPY --from=build-env /jb-sw-realm /usr/local/bin/jb-sw-realm
+COPY jb-sw-realm /usr/local/bin/jb-sw-realm
 
 ENV PORT 8080
 
 EXPOSE 8080
 
 HEALTHCHECK CMD curl --fail "http://localhost:8080" || exit 1
 
-ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
+ENTRYPOINT ["/usr/local/bin/jb-sw-realm"]

gcp/run.tf

@@ -10,8 +10,18 @@ resource "google_cloud_run_v2_service" "juicebox" {
   template {
     timeout         = "300s"
     service_account = google_service_account.service_account.email
+    volumes {
+      name = "otel-config"
+      secret {
+        secret = google_secret_manager_secret.opentelemetry_configuration.secret_id
+        items {
+          version = "latest"
+          path    = "config.yaml"
+        }
+      }
+    }
     containers {
-      name = "juicebox-1"
+      name = "jb-sw-realms"
       ports {
         name           = "http1"
         container_port = 8080
@@ -49,6 +59,10 @@ resource "google_cloud_run_v2_service" "juicebox" {
         name  = "REALM_ID"
         value = var.realm_id
       }
+      env {
+        name  = "OPENTELEMETRY_ENDPOINT"
+        value = "localhost:4317"
+      }
       dynamic "env" {
         for_each = var.juicebox_vars
         content {
@@ -57,6 +71,27 @@ resource "google_cloud_run_v2_service" "juicebox" {
         }
       }
     }
+    containers {
+      name = "otel-collector"
+      resources {
+        limits = {
+          cpu    = "1"
+          memory = "512Mi"
+        }
+      }
+      image = "${var.otelcol_image_url}:${var.otelcol_image_version}"
+      volume_mounts {
+        name       = "otel-config"
+        mount_path = "/etc/otelcol-contrib/"
+      }
+      dynamic "env" {
+        for_each = var.otelcol_vars
+        content {
+          name  = env.key
+          value = env.value
+        }
+      }
+    }
   }
 }
 
@@ -68,6 +103,22 @@ resource "google_project_iam_binding" "logs_writer_binding" {
   ]
 }
 
+resource "google_project_iam_binding" "metrics_writer_binding" {
+  project = var.project_id
+  role    = "roles/monitoring.metricWriter"
+  members = [
+    "serviceAccount:${google_service_account.service_account.email}"
+  ]
+}
+
+resource "google_project_iam_binding" "cloud_trace_agent_binding" {
+  project = var.project_id
+  role    = "roles/cloudtrace.agent"
+  members = [
+    "serviceAccount:${google_service_account.service_account.email}"
+  ]
+}
+
 resource "google_cloud_run_v2_service_iam_binding" "allow_unauthenticated_users" {
   project = var.project_id
   name    = google_cloud_run_v2_service.juicebox.name

gcp/secret-manager.tf

@@ -21,3 +21,25 @@ resource "google_secret_manager_secret_iam_binding" "access" {
     "serviceAccount:${google_service_account.service_account.email}"
   ]
 }
+
+resource "google_secret_manager_secret" "opentelemetry_configuration" {
+  secret_id = "jb-sw-otel-config"
+  replication {
+    auto {}
+  }
+}
+
+resource "google_secret_manager_secret_version" "opentelemetry_configuration" {
+  secret      = google_secret_manager_secret.opentelemetry_configuration.id
+  secret_data = base64decode(var.otelcol_config_b64)
+}
+
+resource "google_secret_manager_secret_iam_binding" "opentelemetry_configuration" {
+  for_each  = var.tenant_secrets
+  secret_id = google_secret_manager_secret.opentelemetry_configuration.id
+  role      = "roles/secretmanager.secretAccessor"
+
+  members = [
+    "serviceAccount:${google_service_account.service_account.email}"
+  ]
+}

gcp/variables.tf

@@ -38,3 +38,26 @@ variable "juicebox_vars" {
   type        = map(string)
   default     = {}
 }
+
+variable "otelcol_image_url" {
+  description = "The url of the opentelemetry collector docker image"
+  type        = string
+}
+
+variable "otelcol_image_version" {
+  description = "The version of the opentelemetry collector docker image"
+  type        = string
+}
+
+variable "otelcol_config_b64" {
+  description = "A configuration file for the OpenTelemetry Collector, encoded in base64"
+  type        = string
+  default     = "cmVjZWl2ZXJzOgogIG90bHA6CiAgICBwcm90b2NvbHM6CiAgICAgIGdycGM6CiAgICAgICAgZW5kcG9pbnQ6IGxvY2FsaG9zdDo0MzE3CiAgaG9zdG1ldHJpY3M6CiAgICBjb2xsZWN0aW9uX2ludGVydmFsOiAxMHMKICAgIHNjcmFwZXJzOgogICAgICBwYWdpbmc6CiAgICAgICAgbWV0cmljczoKICAgICAgICAgIHN5c3RlbS5wYWdpbmcudXRpbGl6YXRpb246CiAgICAgICAgICAgIGVuYWJsZWQ6IHRydWUKICAgICAgY3B1OgogICAgICAgIG1ldHJpY3M6CiAgICAgICAgICBzeXN0ZW0uY3B1LnV0aWxpemF0aW9uOgogICAgICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgIGRpc2s6CiAgICAgIGZpbGVzeXN0ZW06CiAgICAgICAgbWV0cmljczoKICAgICAgICAgIHN5c3RlbS5maWxlc3lzdGVtLnV0aWxpemF0aW9uOgogICAgICAgICAgICBlbmFibGVkOiB0cnVlCiAgICAgIGxvYWQ6CiAgICAgIG1lbW9yeToKICAgICAgbmV0d29yazoKICAgICAgcHJvY2Vzc2VzOgoKcHJvY2Vzc29yczoKICBiYXRjaDoKICAgIHNlbmRfYmF0Y2hfbWF4X3NpemU6IDEwMAogICAgc2VuZF9iYXRjaF9zaXplOiAxMAogICAgdGltZW91dDogMTBzCiAgYXR0cmlidXRlcy9kZDoKICAgIGFjdGlvbnM6CiAgICAgIC0ga2V5OiBlbnYKICAgICAgICBhY3Rpb246IGluc2VydAogICAgICAgIHZhbHVlOiAke2VudjpERF9FTlZfTkFNRX0KCmV4cG9ydGVyczoKICBkYXRhZG9nOgogICAgYXBpOgogICAgICBzaXRlOiAke2VudjpERF9TSVRFfQogICAgICBrZXk6ICR7ZW52OkREX0FQSV9LRVl9CiAgICBob3N0X21ldGFkYXRhOgogICAgICB0YWdzOgogICAgICAgIC0gcmVhbG06JHtlbnY6UkVBTE1fSUR9CgpzZXJ2aWNlOgogIHBpcGVsaW5lczoKICAgIG1ldHJpY3M6CiAgICAgIHJlY2VpdmVyczogW2hvc3RtZXRyaWNzLCBvdGxwXQogICAgICBwcm9jZXNzb3JzOiBbYXR0cmlidXRlcy9kZCxiYXRjaF0KICAgICAgZXhwb3J0ZXJzOiBbZGF0YWRvZ10KICAgIHRyYWNlczoKICAgICAgcmVjZWl2ZXJzOiBbb3RscF0KICAgICAgcHJvY2Vzc29yczogW2F0dHJpYnV0ZXMvZGQsYmF0Y2hdCiAgICAgIGV4cG9ydGVyczogW2RhdGFkb2ddCiAgICBsb2dzOgogICAgICByZWNlaXZlcnM6IFtvdGxwXQogICAgICBwcm9jZXNzb3JzOiBbYXR0cmlidXRlcy9kZCxiYXRjaF0KICAgICAgZXhwb3J0ZXJzOiBbZGF0YWRvZ10K"
+  # This is a base64 representation of ../otel-collector-config.yaml
+}
+
+variable "otelcol_vars" {
+  description = "Environment variables for the juicebox container"
+  type        = map(string)
+  default     = {}
+}