use watch instead of polling

Signed-off-by: itspooya <pooyadowlat@gmail.com>

Author: itspooya

.github/workflows/ci.yaml

@@ -1,34 +1,100 @@
 name: ci
+
+# Trigger configuration
 on:
+  # Run on pushes to master branch and tags
   push:
+    branches:
+      - master
+    tags:
+      - 'v*'
+  # Run on PRs targeting master branch
   pull_request:
-  create:
-    tags: '*'
+    branches:
+      - master
+  # Support manual trigger from Actions tab
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write # Needed for pushing to container registries
 
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-go@v5
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0  # Needed for proper versioning
+      
+    - name: Set up Go
+      uses: actions/setup-go@v5
       with:
         go-version: '^1.22'
-    - run: go install github.com/mattn/goveralls@latest
-    - run: |
-        make test
-        make
-        make build.docker
-    - run: goveralls -coverprofile=profile.cov -service=github
+        cache: true
+        
+    - name: Run tests
+      run: make test
+      
+    - name: Build binary
+      run: make
+      
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+      
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+      with:
+        install: true
+      
+    - name: Setup code coverage tooling
+      run: go install github.com/mattn/goveralls@latest
+      
+    - name: Submit code coverage
+      run: goveralls -coverprofile=profile.cov -service=github
       env:
         COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Push the latest Docker image
-      run: |
-        echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin
-        VERSION=latest make build.push
-      if: github.ref == 'refs/heads/master'
-    - name: Push the release Docker image
-      run: |
-        echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin
-        VERSION=${{ github.ref_name }} make build.push
-      if: startsWith(github.ref, 'refs/tags/')
+        
+    - name: Docker metadata
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: |
+          mikkeloscar/pdb-controller
+          ghcr.io/${{ github.repository }}
+        # Generate tags for:
+        # - latest for master branch
+        # - git tags
+        # - branch name for other branches
+        tags: |
+          type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
+          type=semver,pattern={{version}}
+          type=ref,event=branch
+        
+    - name: Login to Docker Hub
+      if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
+      uses: docker/login-action@v3
+      with:
+        # Note: You need to add these secrets in your GitHub repository settings
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_PASSWORD }}
+        
+    - name: Login to GitHub Container Registry
+      if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+        
+    - name: Build and push Docker image
+      if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
+      uses: docker/bake-action@v4
+      with:
+        files: ./docker-bake.hcl
+        push: true
+        set: |
+          *.tags=${{ steps.meta.outputs.tags }}
+          *.platforms=linux/amd64,linux/arm64

.github/workflows/golangci-lint.yaml

@@ -1,22 +1,36 @@
 name: golangci-lint
 on:
   push:
-    tags:
-      - v*
     branches:
       - master
       - main
+    tags:
+      - v*
   pull_request:
+
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   golangci:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
           go-version: '^1.22'
+          cache: true
+
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v6
         with:
+          version: v1.64
           args: --timeout=5m
+          only-new-issues: true

Dockerfile

@@ -1,10 +1,31 @@
-ARG BASE_IMAGE=alpine:3.20
-FROM ${BASE_IMAGE}
-LABEL maintainer="Team Teapot @ Zalando SE <team-teapot@zalando.de>"
+FROM golang:1.22 as builder
 
 ARG TARGETARCH
 
-# add binary
-ADD build/linux/${TARGETARCH}/pdb-controller /
+# Set working directory
+WORKDIR /app
+
+# Copy go mod and sum files
+COPY go.mod go.sum ./
+
+# Download all dependencies
+RUN go mod download
+
+# Copy the source code
+COPY . .
+
+# Build the application
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -a -installsuffix cgo -o pdb-controller .
+
+# Use distroless as minimal base image
+FROM gcr.io/distroless/static:nonroot
+
+LABEL maintainer="Team Teapot @ Zalando SE <team-teapot@zalando.de>"
+
+# Copy the binary from builder stage
+COPY --from=builder /app/pdb-controller /
+
+# Use non-root user
+USER nonroot:nonroot
 
 ENTRYPOINT ["/pdb-controller"]

Makefile

@@ -45,8 +45,31 @@ build/linux/arm64/$(BINARY): $(SOURCES)
 build/osx/$(BINARY): $(SOURCES)
 	GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build $(BUILD_FLAGS) -o build/osx/$(BINARY) -ldflags "$(LDFLAGS)" .
 
-build.docker: build.linux
-	docker build --rm -t "$(IMAGE):$(TAG)" -f $(DOCKERFILE) --build-arg TARGETARCH= .
+# Build single-arch Docker image (amd64 by default)
+build.docker:
+	docker build --rm -t "$(IMAGE):$(TAG)" -f $(DOCKERFILE) --build-arg TARGETARCH=amd64 .
 
+# Build multi-architecture images using Docker Bake
+build.docker.multiarch:
+	docker buildx bake --set *.tags="$(IMAGE):$(TAG)" --set *.platforms="linux/amd64,linux/arm64"
+
+# Single architecture builds for development purposes
+build.docker.amd64:
+	docker build --rm -t "$(IMAGE):$(TAG)" -f $(DOCKERFILE) --build-arg TARGETARCH=amd64 --platform linux/amd64 .
+
+build.docker.arm64:
+	docker build --rm -t "$(IMAGE):$(TAG)" -f $(DOCKERFILE) --build-arg TARGETARCH=arm64 --platform linux/arm64 .
+
+# Push the single architecture image
 build.push: build.docker
 	docker push "$(IMAGE):$(TAG)"
+
+# Build and push multi-architecture images in one step using Docker Bake
+build.push.multiarch:
+	VERSION="$(TAG)" REGISTRY="$(shell echo $(IMAGE) | cut -d/ -f1)" IMAGE_NAME="$(shell echo $(IMAGE) | cut -d/ -f2)" \
+	docker buildx bake --file docker-bake.hcl --push
+
+# Build and push multi-architecture images to GitHub Container Registry
+build.push.multiarch.ghcr:
+	VERSION="$(TAG)" GHCR_REPOSITORY="itspooya/$(BINARY)" \
+	docker buildx bake --file docker-bake.hcl --push

README.md

@@ -10,9 +10,7 @@ and was created for lack of an alternative.
 
 ## How it works
 
-The controller simply gets all Pod Disruption Budgets for each namespace and
-compares them to Deployments and StatefulSets. For any resource with more than
-1 replica and no matching Pod Disruption Budget, a default PDB will be created:
+The controller uses Kubernetes informers and watch functionality to detect changes in Deployments, StatefulSets and PodDisruptionBudgets. It automatically gets all Pod Disruption Budgets for each namespace and compares them to Deployments and StatefulSets. For any resource with more than 1 replica and no matching Pod Disruption Budget, a default PDB will be created:
 
 ```yaml
 apiVersion: policy/v1beta1
@@ -59,6 +57,78 @@ Assuming Go has been setup with module support it can be built simply by running
 $ make
 ```
 
+### Docker Image
+
+The controller is packaged as a Docker image using a multi-stage build with Google's distroless base image for enhanced security and reduced image size.
+
+#### Available Container Registries
+
+Images are available from multiple registries for redundancy and flexibility:
+
+* Docker Hub: `mikkeloscar/pdb-controller`
+* GitHub Container Registry: `ghcr.io/itspooya/pdb-controller`
+
+To pull the latest image:
+
+```sh
+# From Docker Hub
+docker pull mikkeloscar/pdb-controller:latest
+
+# From GitHub Container Registry
+docker pull ghcr.io/itspooya/pdb-controller:latest
+```
+
+#### Building Docker Images
+
+##### Single Architecture Image (amd64)
+
+```sh
+make build.docker
+```
+
+##### Multi-Architecture Image (amd64 and arm64)
+
+```sh
+make build.docker.multiarch
+```
+
+##### Architecture-Specific Images for Development
+
+```sh
+make build.docker.amd64
+make build.docker.arm64
+```
+
+#### Building and Pushing Images
+
+##### Push Single Architecture Image
+
+```sh
+make build.push
+```
+
+##### Push Multi-Architecture Image
+
+```sh
+# Push to Docker Hub
+make build.push.multiarch
+
+# Push to GitHub Container Registry
+make build.push.multiarch.ghcr
+```
+
+##### Custom Version Tag
+
+```sh
+# For Docker Hub
+VERSION=v1.2.3 make build.push.multiarch
+
+# For GitHub Container Registry
+VERSION=v1.2.3 make build.push.multiarch.ghcr
+```
+
+The multi-architecture build process uses Docker Buildx with Docker Bake for an optimized building experience.
+
 ## Setup
 
 The `pdb-controller` can be run as a deployment in the cluster. See
@@ -70,10 +140,6 @@ Deploy it by running:
 $ kubectl apply -f docs/deployment.yaml
 ```
 
-## TODO
-
-* [ ] Instead of long polling, add a Watch feature.
-
 ## LICENSE
 
 See [LICENSE](LICENSE) file.