@andrimuhyidin
Created April 24, 2022 06:13
K8s manifest to run cronjobs GCR Cleaner
apiVersion: v1
kind: ConfigMap
metadata:
  name: gcr-cleaner
data:
  # AUTH
  SERVICE_ACCOUNT: gcr-cleaner@adept-primer-345706.iam.gserviceaccount.com
  GCR_URL_REGION: https://asia.gcr.io
  # IMAGE_NAME must be the full image repository URL
  IMAGE_NAME: asia.gcr.io/adept-primer-345706/alpine
  # IMAGE_TAGS must contain the service name and environment, because retention is decided per tag
  IMAGE_TAGS: service1-develop service1-staging
  # RETAIN_IMAGE applies to every tag listed in IMAGE_TAGS
  RETAIN_IMAGE: "2"
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: gcr-cleaner
spec:
  schedule: "* * * * *"
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 1
  concurrencyPolicy: Forbid
  suspend: false
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          volumes:
            - name: gcr-cleaner-script
              configMap:
                name: gcr-cleaner-script
                defaultMode: 0777
          containers:
            - name: apps1
              image: google/cloud-sdk:alpine
              imagePullPolicy: IfNotPresent
              envFrom:
                - configMapRef:
                    name: gcr-cleaner
                - secretRef:
                    name: gcr-cleaner
              command: ["/bin/bash", "-c", "/root/script/gcr-cleaner.sh"]
              volumeMounts:
                - name: gcr-cleaner-script
                  mountPath: /root/script
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: gcr-cleaner-script
data:
  gcr-cleaner.sh: |
    #!/bin/bash
    # set -x

    main() {
      local C=0
      # Zero-based index of the oldest image to keep
      NUMBER_OF_IMAGES_TO_REMAIN=$((RETAIN_IMAGE - 1))

      # dependencies
      apk --update add jq

      # auth: write the service account key from the Secret and activate it
      printf '%s' "$GCR_CRED" > gcr-user.json
      gcloud auth activate-service-account "$SERVICE_ACCOUNT" --key-file=gcr-user.json
      gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin "$GCR_URL_REGION"

      # gcr cleaner: IMAGE_TAGS is a space-separated list, split on whitespace
      for IMAGE_TAG in $IMAGE_TAGS; do
        (
          # 1. Get the date and time of the oldest image to retain
          CUTOFF=$(
            gcloud container images list-tags "$IMAGE_NAME" \
              --limit=unlimited \
              --sort-by=~TIMESTAMP \
              --flatten="[].tags[]" \
              --filter="tags~$IMAGE_TAG" \
              --format=json | TZ=/usr/share/zoneinfo/UTC jq -r --argjson n "$NUMBER_OF_IMAGES_TO_REMAIN" '.[$n].timestamp.datetime | sub("(?<before>.*):"; .before ) | strptime("%Y-%m-%d %H:%M:%S%z") | mktime | strftime("%Y-%m-%d %H:%M:%S%z")'
          )
          # output: 2022-03-29 00:40:05+0000

          # CUTOFF is empty when fewer than RETAIN_IMAGE images match this tag:
          # skip deletion instead of filtering on an empty timestamp.
          if [ -z "$CUTOFF" ]; then
            echo "No cutoff for ${IMAGE_NAME}:$IMAGE_TAG~, nothing to delete." >&2
            exit 0  # leaves only this subshell; the loop moves on to the next tag
          fi

          # 2. Get the list of images older than the cutoff (digest format)
          IMAGE_TAG_LIST=$(
            gcloud container images list-tags "$IMAGE_NAME" \
              --limit=unlimited \
              --sort-by=~TIMESTAMP \
              --flatten="[].tags[]" \
              --filter="tags~$IMAGE_TAG AND timestamp.datetime < '${CUTOFF}'" \
              --format="get(digest)"
          )
          # output: sha256:d72e2d383f2d5fb1e8186ebfd1fbb22a87c04f52ac12fc379d21abb368d373df

          # 3. Delete each listed image by digest
          for digest in $IMAGE_TAG_LIST; do
            (
              set -x
              gcloud container images delete -q --force-delete-tags "${IMAGE_NAME}@${digest}"
            )
            C=$((C + 1))
          done
          echo "Deleted ${C} images in ${IMAGE_NAME}:$IMAGE_TAG~." >&2
        )
      done
    }

    main; exit
---
apiVersion: v1
kind: Secret
metadata:
  name: gcr-cleaner
data:
  # Sample only: base64-encode your SA JSON key file (base64 is an encoding, not encryption)
  GCR_CRED: <base64-encoded service account JSON key>