Merge pull request #295 from nais/workload-image

Add support for workload image option

Author: mortenlj

actions/deploy/README.md

@@ -26,6 +26,9 @@ The available configuration options for the NAIS deploy GitHub action.
 | VAR                  |                          | Comma-separated list of template variables in the form `key=value`. Will overwrite any identical template variable in the `VARS` file.                                                                                      |
 | VARS                 | `/dev/null`              | File containing template variables. Will be interpolated with the `$RESOURCE` file. Must be JSON or YAML format.                                                                                                            |
 | WAIT                 | `true`                   | Block until deployment has completed with either `success`, `failure` or `error` state.                                                                                                                                     |
+| WORKLOAD_IMAGE       |                          | Use this image in a companion Image resource.                                                                                                                                                                               | 
+| WORKLOAD_NAME        | \(auto-detect\)          | Name of workload.                                                                                                                                                                                                           | 
+
 
 Note that `OWNER` and `REPOSITORY` corresponds to the two parts of a full repository identifier.
 If that name is `navikt/myapplication`, those two variables should be set to `navikt` and `myapplication`, respectively.

actions/deploy/entrypoint.sh

@@ -49,7 +49,7 @@ if [ -z "$DEPLOY_SERVER" ]; then
     echo
     echo ::endgroup::
     if [ $WGET_EXIT_CODE -eq 0 ]; then
-	export DEPLOY_SERVER=$(jq --raw-output '.DEPLOY_SERVER' < deploy.json)
+	    export DEPLOY_SERVER=$(jq --raw-output '.DEPLOY_SERVER' < deploy.json)
     fi
 fi
 

go.mod

@@ -14,13 +14,13 @@ require (
 	github.com/lestrrat-go/jwx/v2 v2.1.4
 	github.com/lib/pq v1.10.9
 	github.com/nais/api/pkg/apiclient v0.0.0-20250203125351-77dc0579837a
-	github.com/nais/liberator v0.0.0-20250212071940-b052d0557cca
+	github.com/nais/liberator v0.0.0-20250318133902-16463bfb012c
 	github.com/prometheus/client_golang v1.20.5
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/pflag v1.0.6
 	github.com/spf13/viper v1.19.0
 	github.com/stretchr/testify v1.10.0
-	github.com/vektra/mockery/v2 v2.53.0
+	github.com/vektra/mockery/v2 v2.53.2
 	go.opentelemetry.io/otel v1.34.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0
 	go.opentelemetry.io/otel/sdk v1.34.0
@@ -121,11 +121,11 @@ require (
 	go.opentelemetry.io/otel/metric v1.34.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.33.0 // indirect
+	golang.org/x/crypto v0.35.0 // indirect
 	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac // indirect
 	golang.org/x/exp/typeparams v0.0.0-20231108232855-2478ac86f678 // indirect
 	golang.org/x/mod v0.23.0 // indirect
-	golang.org/x/net v0.35.0 // indirect
+	golang.org/x/net v0.36.0 // indirect
 	golang.org/x/oauth2 v0.26.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect

go.sum

@@ -230,8 +230,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/nais/api/pkg/apiclient v0.0.0-20250203125351-77dc0579837a h1:0Xcuog4Mvhcr57aowsMLKsBnfB/DkVzb4LSc34Kf1Ik=
 github.com/nais/api/pkg/apiclient v0.0.0-20250203125351-77dc0579837a/go.mod h1:0Tle2/7Ub7oryydDjLbvppxs+GgxuRBV1C+7hIAPV+Y=
-github.com/nais/liberator v0.0.0-20250212071940-b052d0557cca h1:9Sgit939OTidcMbRmNw4Vd8OI4Bd9pVZ3XZuz7MZu7I=
-github.com/nais/liberator v0.0.0-20250212071940-b052d0557cca/go.mod h1:1IbhJBul6MCc66nwT38lKsKuuYTAFxmQs7pvPwnA0N8=
+github.com/nais/liberator v0.0.0-20250318133902-16463bfb012c h1:rX9eQ5Ie+mesMLZaYVo2YXPYI4RT0b42QS5UHFsVM0U=
+github.com/nais/liberator v0.0.0-20250318133902-16463bfb012c/go.mod h1:F3YcGoCG6HAyX5R2tgGH79/R0LBAU2xtRgRaveSXKiA=
 github.com/onsi/ginkgo/v2 v2.22.1 h1:QW7tbJAUDyVDVOM5dFa7qaybo+CRfR7bemlQUN6Z8aM=
 github.com/onsi/ginkgo/v2 v2.22.1/go.mod h1:S6aTpoRsSq2cZOd+pssHAlKW/Q/jZt6cPrPlnj4a1xM=
 github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
@@ -305,8 +305,8 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
-github.com/vektra/mockery/v2 v2.53.0 h1:QyZI8V2c+7oOEP/OnZjMMPlONXTgSsiLtaszzUz0yz0=
-github.com/vektra/mockery/v2 v2.53.0/go.mod h1:d0FVY5GgakIHczpYNVMLpYF2DttDgc97fHFTMcT3xlE=
+github.com/vektra/mockery/v2 v2.53.2 h1:4G/4fl9x722Yb8hLqH1YU3XZNRJFwl5KUMvpkmAyuC8=
+github.com/vektra/mockery/v2 v2.53.2/go.mod h1:UJT+mgXhCcOCHXTnM5cJHCZL+d76BYB+EbY1sFztEB8=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -357,8 +357,8 @@ golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
 golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac h1:l5+whBCLH3iH2ZNHYLbAe58bo7yrN4mVcnkHDYz5vvs=
 golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac/go.mod h1:hH+7mtFmImwwcMvScyxUhjuVHR3HGaDPMn9rMSUUbxo=
 golang.org/x/exp/typeparams v0.0.0-20231108232855-2478ac86f678 h1:1P7xPZEwZMoBoz0Yze5Nx2/4pxj6nw9ZqHWXqP0iRgQ=
@@ -378,8 +378,8 @@ golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
-golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
+golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
 golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=

pkg/deployclient/config.go

@@ -22,6 +22,7 @@ type Config struct {
 	GithubToken               string
 	GrpcAuthentication        bool
 	GrpcUseTLS                bool
+	OpenTelemetryCollectorURL string
 	Owner                     string
 	PollInterval              time.Duration
 	PrintPayload              bool
@@ -37,22 +38,24 @@ type Config struct {
 	Telemetry                 *telemetry.PipelineTimings
 	Timeout                   time.Duration
 	TracingDashboardURL       string
-	OpenTelemetryCollectorURL string
 	Variables                 []string
 	VariablesFile             string
 	Wait                      bool
+	WorkloadImage             string
+	WorkloadName              string
 }
 
 func InitConfig(cfg *Config) {
-	flag.BoolVar(&cfg.Actions, "actions", getEnvBool("ACTIONS", false), "Use GitHub Actions compatible error and warning messages. (env ACTIONS)")
-	flag.StringVar(&cfg.GithubToken, "github-token", os.Getenv("GITHUB_TOKEN"), "Github JWT. (env GITHUB_TOKEN)")
 	flag.StringVar(&cfg.APIKey, "apikey", os.Getenv("APIKEY"), "NAIS Deploy API key. (env APIKEY)")
+	flag.BoolVar(&cfg.Actions, "actions", getEnvBool("ACTIONS", false), "Use GitHub Actions compatible error and warning messages. (env ACTIONS)")
 	flag.StringVar(&cfg.Cluster, "cluster", os.Getenv("CLUSTER"), "NAIS cluster to deploy into. (env CLUSTER)")
 	flag.StringVar(&cfg.DeployServerURL, "deploy-server", getEnv("DEPLOY_SERVER", DefaultDeployServer), "URL to API server. (env DEPLOY_SERVER)")
 	flag.BoolVar(&cfg.DryRun, "dry-run", getEnvBool("DRY_RUN", false), "Run templating, but don't actually make any requests. (env DRY_RUN)")
 	flag.StringVar(&cfg.Environment, "environment", os.Getenv("ENVIRONMENT"), "Environment for GitHub deployment. Autodetected from nais.yaml if not specified. (env ENVIRONMENT)")
+	flag.StringVar(&cfg.GithubToken, "github-token", os.Getenv("GITHUB_TOKEN"), "Github JWT. (env GITHUB_TOKEN)")
 	flag.BoolVar(&cfg.GrpcAuthentication, "grpc-authentication", getEnvBool("GRPC_AUTHENTICATION", true), "Use team API key to authenticate requests. (env GRPC_AUTHENTICATION)")
 	flag.BoolVar(&cfg.GrpcUseTLS, "grpc-use-tls", getEnvBool("GRPC_USE_TLS", true), "Use encrypted connection for gRPC calls. (env GRPC_USE_TLS)")
+	flag.StringVar(&cfg.OpenTelemetryCollectorURL, "otel-collector-endpoint", getEnv("OTEL_COLLECTOR_ENDPOINT", DefaultOtelCollectorEndpoint), "OpenTelemetry collector endpoint. (env OTEL_COLLECTOR_ENDPOINT)")
 	flag.StringVar(&cfg.Owner, "owner", getEnv("OWNER", DefaultOwner), "Owner of GitHub repository. (env OWNER)")
 	flag.BoolVar(&cfg.PrintPayload, "print-payload", getEnvBool("PRINT_PAYLOAD", false), "Print templated resources to standard output. (env PRINT_PAYLOAD)")
 	flag.BoolVar(&cfg.Quiet, "quiet", getEnvBool("QUIET", false), "Suppress printing of informational messages except errors. (env QUIET)")
@@ -61,14 +64,15 @@ func InitConfig(cfg *Config) {
 	flag.StringSliceVar(&cfg.Resource, "resource", getEnvStringSlice("RESOURCE"), "File with Kubernetes resource. Can be specified multiple times. (env RESOURCE)")
 	flag.BoolVar(&cfg.Retry, "retry", getEnvBool("RETRY", true), "Retry deploy when encountering transient errors. (env RETRY)")
 	flag.StringVar(&cfg.Team, "team", os.Getenv("TEAM"), "Team making the deployment. Auto-detected from nais.yaml if possible. (env TEAM)")
-	flag.StringVar(&cfg.OpenTelemetryCollectorURL, "otel-collector-endpoint", getEnv("OTEL_COLLECTOR_ENDPOINT", DefaultOtelCollectorEndpoint), "OpenTelemetry collector endpoint. (env OTEL_COLLECTOR_ENDPOINT)")
 	flag.StringVar(&cfg.Traceparent, "traceparent", os.Getenv("TRACEPARENT"), "The W3C Trace Context traceparent value for the workflow run. (env TRACEPARENT)")
 	flag.StringVar(&cfg.TelemetryInput, "telemetry", os.Getenv("TELEMETRY"), "Telemetry data from CI pipeline. (env TELEMETRY)")
 	flag.DurationVar(&cfg.Timeout, "timeout", getEnvDuration("TIMEOUT", DefaultDeployTimeout), "Time to wait for successful deployment. (env TIMEOUT)")
 	flag.StringVar(&cfg.TracingDashboardURL, "tracing-dashboard-url", getEnv("TRACING_DASHBOARD_URL", DefaultTracingDashboardURL), "Base URL to Grafana tracing dashboard onto which the trace ID can be appended (env TRACING_DASHBOARD_URL)")
 	flag.StringSliceVar(&cfg.Variables, "var", getEnvStringSlice("VAR"), "Template variable in the form KEY=VALUE. Can be specified multiple times. (env VAR)")
 	flag.StringVar(&cfg.VariablesFile, "vars", os.Getenv("VARS"), "File containing template variables. (env VARS)")
 	flag.BoolVar(&cfg.Wait, "wait", getEnvBool("WAIT", false), "Block until deployment reaches final state (success, failure, error). (env WAIT)")
+	flag.StringVar(&cfg.WorkloadImage, "workload-image", getEnv("WORKLOAD_IMAGE", ""), "Use this image in a companion Image resource. (env WORKLOAD_IMAGE)")
+	flag.StringVar(&cfg.WorkloadName, "workload-name", os.Getenv("WORKLOAD_NAME"), "Name of workload if no resource specified. (env WORKLOAD_NAME)")
 
 	flag.Parse()
 
@@ -123,10 +127,14 @@ func getEnvBool(key string, def bool) bool {
 }
 
 func (cfg *Config) Validate() error {
-	if len(cfg.Resource) == 0 {
+	if len(cfg.Resource) == 0 && len(cfg.WorkloadName) == 0 {
 		return ErrResourceRequired
 	}
 
+	if len(cfg.WorkloadName) > 0 && len(cfg.WorkloadImage) == 0 {
+		return ErrImageRequired
+	}
+
 	if len(cfg.Cluster) == 0 {
 		return ErrClusterRequired
 	}

pkg/deployclient/deployclient.go

@@ -31,6 +31,7 @@ const (
 
 var (
 	ErrResourceRequired       = errors.New("at least one Kubernetes resource is required to make sense of the deployment")
+	ErrImageRequired          = errors.New("workload-image is required when using workload-name")
 	ErrAuthRequired           = errors.New("Github token or API key required")
 	ErrClusterRequired        = errors.New("cluster required; see reference section in the documentation for available environments")
 	ErrMalformedAPIKey        = errors.New("API key must be a hex encoded string")
@@ -128,6 +129,35 @@ func Prepare(ctx context.Context, cfg *Config) (*pb.DeploymentRequest, error) {
 		log.Infof("Detected environment '%s'", cfg.Environment)
 	}
 
+	if len(cfg.WorkloadImage) > 0 {
+		if len(cfg.WorkloadName) == 0 {
+			log.Infof("Workload image specified, but not workload name; attempting auto-detection...")
+
+			workloadNames := make([]string, 0, len(resources))
+			for i := range resources {
+				workloadNames = append(workloadNames, detectWorkloadName(resources[i]))
+			}
+
+			if len(workloadNames) == 1 {
+				cfg.WorkloadName = workloadNames[0]
+				log.Infof("Detected workload name '%s'", cfg.WorkloadName)
+			} else if len(workloadNames) > 1 {
+				log.Warnf("Multiple workload names detected, skipping image resource generation: %v", workloadNames)
+			} else {
+				log.Warn("No workload name detected, skipping image resource generation")
+			}
+		}
+
+		if len(cfg.WorkloadName) > 0 {
+			log.Infof("Building image resource for workload %q with image %q", cfg.WorkloadName, cfg.WorkloadImage)
+			resource, err := buildImageResource(cfg.WorkloadName, cfg.WorkloadImage, cfg.Team)
+			if err != nil {
+				return nil, ErrorWrap(ExitInternalError, fmt.Errorf("build image resource: %w", err))
+			}
+			resources = append(resources, resource)
+		}
+	}
+
 	for i := range resources {
 		resources[i], err = InjectAnnotations(resources[i], BuildEnvironmentAnnotations())
 		if err != nil {

pkg/deployclient/injection.go

@@ -3,6 +3,7 @@ package deployclient
 import (
 	"encoding/json"
 	"fmt"
+	nais_io_v1 "github.com/nais/liberator/pkg/apis/nais.io/v1"
 	"os"
 	"strings"
 
@@ -84,6 +85,29 @@ func BuildEnvironmentAnnotations() map[string]string {
 	return a
 }
 
+func buildImageResource(workloadName, workloadImage, namespace string) (json.RawMessage, error) {
+	image := nais_io_v1.Image{
+		TypeMeta: v1.TypeMeta{
+			Kind:       "Image",
+			APIVersion: "nais.io/v1",
+		},
+		ObjectMeta: v1.ObjectMeta{
+			Name:      workloadName,
+			Namespace: namespace,
+		},
+		Spec: nais_io_v1.ImageSpec{
+			Image: workloadImage,
+		},
+	}
+
+	encoded, err := json.Marshal(image)
+	if err != nil {
+		return nil, err
+	}
+
+	return encoded, nil
+}
+
 func changeCause(annotations map[string]string) string {
 	var commit, url string
 	var ok bool

pkg/deployclient/template.go

@@ -87,6 +87,28 @@ func detectNamespace(resource json.RawMessage) string {
 	return buf.Metadata.Namespace
 }
 
+func detectWorkloadName(message json.RawMessage) string {
+	type resource struct {
+		ApiVersion string `json:"apiVersion"`
+		Kind       string `json:"kind"`
+		Metadata   struct {
+			Name string `json:"name"`
+		}
+	}
+	buf := &resource{}
+	err := json.Unmarshal(message, buf)
+	if err != nil {
+		return ""
+	}
+
+	if strings.HasPrefix(buf.ApiVersion, "nais.io") {
+		if buf.Kind == "Application" || buf.Kind == "Naisjob" {
+			return buf.Metadata.Name
+		}
+	}
+	return ""
+}
+
 // Wrap JSON resources in a JSON array.
 func wrapResources(resources []json.RawMessage) (json.RawMessage, error) {
 	return json.Marshal(resources)