feat: initial commit with full monorepo structure

Author: Pattarapon (Petong) Theanthong

.github/workflows/app-ci.yml

@@ -0,0 +1,60 @@
+name: Build and Push App
+
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - "app/**"
+      - ".github/workflows/app-ci.yml"
+
+permissions:
+  contents: write
+
+env:
+  IMAGE_NAME: pazzii/go-sample-app
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha,format=long
+            type=raw,value=latest
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./app
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Update Kustomize Image Tag
+        run: |
+          cd k8s/overlays/production
+          kustomize edit set image ${{ env.IMAGE_NAME }}=${{ env.IMAGE_NAME }}:sha-${{ github.sha }}
+
+          git config --global user.name 'GitHub Actions'
+          git config --global user.email 'actions@github.com'
+          git add kustomization.yaml
+          git commit -m "chore: update image tag to sha-${{ github.sha }}"
+          git push

.gitignore

@@ -0,0 +1,59 @@
+# syntax=docker/dockerfile:1
+
+# ==============================================================================
+# Stage 1: Builder
+# Description: Compiles the Go application into a statically linked binary.
+# ==============================================================================
+FROM golang:1.21.4-alpine3.18 AS builder
+
+# Set the working directory inside the build container.
+WORKDIR /build
+
+# Copy dependency definition files first to leverage Docker layer caching.
+# This ensures 'go mod download' is only re-run if dependencies change.
+COPY go.mod ./
+
+# Download dependencies.
+# Optimization: Use '--mount=type=cache' to persist the module cache between builds,
+# significantly speeding up CI/CD pipelines.
+RUN --mount=type=cache,target=/go/pkg/mod \
+    go mod download
+
+# Copy the entire source code into the container.
+COPY . .
+
+# Build the application binary.
+# Compilation Flags:
+#   - CGO_ENABLED=0   : Ensures a statically linked binary (no dependency on C libraries).
+#   - GOOS=linux      : Explicitly targets Linux environment.
+#   - -ldflags="-w -s": Strips debug information (DWARF) and symbol tables to reduce image size.
+# Optimization: Re-uses the Go build cache.
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 GOOS=linux go build \
+    -ldflags="-w -s" \
+    -o app .
+
+# ==============================================================================
+# Stage 2: Runner
+# Description: Creates a minimal, secure production image using Distroless.
+# Security: Contains no shell, package manager, or unnecessary tools.
+# ==============================================================================
+FROM gcr.io/distroless/static-debian12:nonroot as release
+
+# Set the working directory to root.
+WORKDIR /
+
+# Retrieve the compiled binary from the builder stage.
+COPY --from=builder /build/app /app
+
+# Document the port that the application listens on.
+EXPOSE 8080
+
+# Security Best Practice: Run as a non-root user.
+# Using the numeric ID 65532 (which corresponds to 'nonroot' in Distroless) 
+# is preferred for strict Kubernetes Pod Security Standards (PSS).
+USER 65532:65532
+
+# Define the immutable entrypoint for the container.
+ENTRYPOINT ["/app"]

app/Dockerfile

@@ -0,0 +1,3 @@
+module hello-api
+
+go 1.21.4

app/go.mod

@@ -0,0 +1,25 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+)
+
+func main() {
+	http.HandleFunc("/", getHello)
+	err := http.ListenAndServe(":8080", nil)
+	if errors.Is(err, http.ErrServerClosed) {
+		fmt.Printf("server closed\n")
+	} else if err != nil {
+		fmt.Printf("error starting server: %s\n", err)
+		os.Exit(1)
+	}
+}
+
+func getHello(w http.ResponseWriter, r *http.Request) {
+	name := r.URL.Query().Get("name")
+	io.WriteString(w, "Hello "+name+"\n")
+}

app/main.go

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AnalysisTemplate
+metadata:
+  name: smoke-test
+spec:
+  metrics:
+    - name: web-check
+      provider:
+        job:
+          spec:
+            template:
+              spec:
+                containers:
+                  - name: curl-check
+                    image: curlimages/curl
+                    command: ["curl", "-f", "http://go-sample-app-svc:80"]
+                restartPolicy: Never
+            backoffLimit: 2

k8s/base/analysis.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - rollout.yaml
+  - service.yaml
+  - analysis.yaml
+
+configurations:
+  - kustomizeconfig.yaml

k8s/base/kustomization.yaml

@@ -0,0 +1,8 @@
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/template/spec/containers/envFrom/configMapRef/name
+        kind: Rollout
+      - path: spec/template/spec/volumes/configMap/name
+        kind: Rollout

k8s/base/kustomizeconfig.yaml

@@ -0,0 +1,72 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Rollout
+metadata:
+  name: go-sample-app
+spec:
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: go-sample-app
+  strategy:
+    canary:
+      analysis:
+        templates:
+          - templateName: smoke-test
+      steps:
+        - setWeight: 20
+        - pause: { duration: 30s }
+        - setWeight: 50
+        - pause: { duration: 30s }
+        - setWeight: 100
+  template:
+    metadata:
+      labels:
+        app: go-sample-app
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                  matchExpressions:
+                    - key: app
+                      operator: In
+                      values:
+                        - go-sample-app
+                topologyKey: kubernetes.io/hostname
+      containers:
+        - name: main
+          image: pazzii/go-sample-app:latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8080
+          envFrom:
+            - configMapRef:
+                name: app-config
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 65532
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "64Mi"
+            limits:
+              cpu: "200m"
+              memory: "128Mi"

k8s/base/rollout.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: go-sample-app-svc
+spec:
+  ports:
+    - port: 80
+      targetPort: 8080
+      protocol: TCP
+      name: http
+  selector:
+    app: go-sample-app