add shadowsocks-rust (chainguard-images#2398)

Signed-off-by: Furkan Türkal <[email protected]>
Co-authored-by: Batuhan <[email protected]>

images/shadowsocks-rust/README.md

@@ -0,0 +1,71 @@
+<!--monopod:start-->
+# shadowsocks-rust
+| | |
+| - | - |
+| **OCI Reference** | `cgr.dev/chainguard/shadowsocks-rust` |
+
+
+* [View Image in Chainguard Academy](https://edu.chainguard.dev/chainguard/chainguard-images/reference/shadowsocks-rust/overview/)
+* [View Image Catalog](https://console.enforce.dev/images/catalog) for a full list of available tags.
+* [Contact Chainguard](https://www.chainguard.dev/chainguard-images) for enterprise support, SLAs, and access to older tags.*
+
+---
+<!--monopod:end-->
+
+<!--overview:start-->
+Shadowsocks-rust is a Rust implementation of the Shadowsocks protocol, aimed at ensuring secure and private internet access by encrypting connections and circumventing internet restrictions.
+<!--overview:end-->
+
+<!--getting:start-->
+## Download this Image
+The image is available on `cgr.dev`:
+
+```
+docker pull cgr.dev/chainguard/shadowsocks-rust:latest
+```
+<!--getting:end-->
+
+<!--body:start-->
+## Usage
+
+Create a configuration file `config.json`:
+
+```bash
+cat <<EOF > config.json
+{
+    "server": "127.0.0.1",
+    "server_port": 8388,
+    "local_port": 1080,
+    "local_address": "127.0.0.1",
+    "password": "password",
+    "timeout": 300,
+    "method": "aes-256-gcm"
+}
+EOF
+```
+
+* Start the `sslocal`:
+
+```bash
+docker run \
+  --name sslocal-rust \
+  --restart always \
+  -p 1080:1080/tcp \
+  -v /path/to/config.json:/etc/shadowsocks-rust/config.json \
+  -dit cgr.dev/chainguard/shadowsocks-rust-ssserver:latest
+```
+
+* Start the `ssserver`:
+
+```bash
+docker run \
+  --name ssserver-rust \
+  --restart always \
+  -p 8388:8388/tcp \
+  -p 8388:8388/udp \
+  -v /path/to/config.json:/etc/shadowsocks-rust/config.json \
+  -dit cgr.dev/chainguard/shadowsocks-rust-sslocal:latest
+```
+
+Jump to the official [Getting Started](https://github.com/shadowsocks/shadowsocks-rust?tab=readme-ov-file#getting-started) guide for more detailed usage.
+<!--body:end-->

images/shadowsocks-rust/configs/main.tf

@@ -0,0 +1,39 @@
+terraform {
+  required_providers {
+    apko = { source = "chainguard-dev/apko" }
+  }
+}
+
+locals {
+  packages = {
+    "sslocal"  = "shadowsocks-rust-sslocal${var.suffix}"
+    "ssserver" = "shadowsocks-rust-ssserver${var.suffix}"
+  }
+}
+
+variable "name" {
+  description = "Package name"
+}
+
+variable "suffix" {
+  description = "Package name suffix (e.g. version stream)"
+  default     = ""
+}
+
+variable "extra_packages" {
+  description = "The additional packages to install"
+  default     = ["shadowsocks-rust"]
+}
+
+data "apko_config" "this" {
+  config_contents = file("${path.module}/template.${var.name}.apko.yaml")
+  extra_packages  = concat([local.packages[var.name]], var.extra_packages)
+}
+
+output "config" {
+  value = jsonencode(data.apko_config.this.config)
+}
+
+output "main_package" {
+  value = local.packages[var.name]
+}

images/shadowsocks-rust/configs/template.sslocal.apko.yaml

@@ -0,0 +1,17 @@
+contents:
+  packages:
+
+accounts:
+  groups:
+    - groupname: nonroot
+      gid: 65532
+  users:
+    - username: nonroot
+      uid: 65532
+      gid: 65532
+  run-as: 65532
+
+entrypoint:
+  command: /usr/bin/docker-entrypoint.sh
+
+cmd: sslocal --log-without-time -c /etc/shadowsocks-rust/config.json

images/shadowsocks-rust/configs/template.ssserver.apko.yaml

@@ -0,0 +1,17 @@
+contents:
+  packages:
+
+accounts:
+  groups:
+    - groupname: nonroot
+      gid: 65532
+  users:
+    - username: nonroot
+      uid: 65532
+      gid: 65532
+  run-as: 0 # ssserver requires root to bind to port
+
+entrypoint:
+  command: /usr/bin/docker-entrypoint.sh
+
+cmd: ssserver --log-without-time -a nobody -c /etc/shadowsocks-rust/config.json

images/shadowsocks-rust/main.tf

@@ -0,0 +1,50 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+locals {
+  components = toset(["sslocal", "ssserver"])
+}
+
+module "config" {
+  for_each = local.components
+  source   = "./configs"
+  name     = each.key
+}
+
+module "latest" {
+  for_each = local.components
+  source   = "../../tflib/publisher"
+
+  name              = basename(path.module)
+  target_repository = "${var.target_repository}-${each.key}"
+  config            = module.config[each.key].config
+  build-dev         = true
+}
+
+module "test" {
+  source  = "./tests"
+  digests = { for k, v in module.latest : k => v.image_ref }
+}
+
+resource "oci_tag" "latest" {
+  for_each = local.components
+
+  digest_ref = module.latest[each.key].image_ref
+  tag        = "latest"
+  depends_on = [module.test]
+}
+
+resource "oci_tag" "latest-dev" {
+  for_each = local.components
+
+  digest_ref = module.latest[each.key].dev_ref
+  tag        = "latest-dev"
+  depends_on = [module.test]
+}

images/shadowsocks-rust/metadata.yaml

@@ -0,0 +1,11 @@
+name: shadowsocks-rust
+image: cgr.dev/chainguard/shadowsocks-rust
+logo: https://storage.googleapis.com/chainguard-academy/logos/shadowsocks-rust.svg
+endoflife: ""
+console_summary: ""
+short_description: Shadowsocks-rust is a Rust implementation of the Shadowsocks protocol, aimed at ensuring secure and private internet access by encrypting connections and circumventing internet restrictions.
+compatibility_notes: ""
+readme_file: README.md
+upstream_url: https://github.com/shadowsocks/shadowsocks-rust
+keywords:
+  - application

images/shadowsocks-rust/tests/01-smoke.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+set -o errexit -o nounset -o errtrace -o pipefail -x
+
+echo "${SERVER_IMAGE_NAME}"
+echo "${LOCAL_IMAGE_NAME}"
+
+PREFIX="shadowsocks"
+SERVER_CONTAINER_NAME="${PREFIX}-ssserver-$(uuidgen)"
+LOCAL_CONTAINER_NAME="${PREFIX}-sslocal-$(uuidgen)"
+NETWORK_NAME="${PREFIX}-net-$(uuidgen)"
+SSSERVER_PORT="${FREE_PORT}"
+SSLOCAL_PORT="$((${SSSERVER_PORT} + 1))"
+
+cleanup() {
+    docker logs ${SERVER_CONTAINER_NAME}
+    docker logs ${LOCAL_CONTAINER_NAME}
+    docker kill ${SERVER_CONTAINER_NAME}
+    docker kill ${LOCAL_CONTAINER_NAME}
+    docker network rm ${NETWORK_NAME}
+}
+
+trap cleanup EXIT
+
+docker network create ${NETWORK_NAME}
+
+cat <<EOF > config.json
+{
+    "server": "127.0.0.1",
+    "server_port": 8388,
+    "local_port": 1080,
+    "local_address": "127.0.0.1",
+    "password": "password",
+    "timeout": 300,
+    "method": "aes-256-gcm"
+}
+EOF
+
+# Start sserver
+docker run \
+    -d \
+    --name ${SERVER_CONTAINER_NAME} \
+    --network ${NETWORK_NAME} \
+    -p "${SSSERVER_PORT}":8388/tcp \
+    -p 8388:8388/udp \
+    -v $(pwd)/config.json:/etc/shadowsocks-rust/config.json \
+    ${SERVER_IMAGE_NAME}
+
+sleep 5
+docker logs ${SERVER_CONTAINER_NAME} | grep -q "listening on"
+
+# Start sslocal
+docker run \
+    -d \
+    --name ${LOCAL_CONTAINER_NAME} \
+    --network ${NETWORK_NAME} \
+    -p "${SSLOCAL_PORT}":1080/tcp \
+    -v $(pwd)/config.json:/etc/shadowsocks-rust/config.json \
+    ${LOCAL_IMAGE_NAME}
+
+sleep 5
+docker logs ${LOCAL_CONTAINER_NAME} | grep -q "listening on"

images/shadowsocks-rust/tests/main.tf

@@ -0,0 +1,75 @@
+terraform {
+  required_providers {
+    oci       = { source = "chainguard-dev/oci" }
+    imagetest = { source = "chainguard-dev/imagetest" }
+  }
+}
+
+variable "digests" {
+  description = "The image digests to run tests over."
+  type = object({
+    sslocal  = string
+    ssserver = string
+  })
+}
+
+data "oci_string" "ref" {
+  for_each = var.digests
+  input    = each.value
+}
+
+data "oci_exec_test" "smoke" {
+  digest = var.digests["ssserver"] # This doesn't actually matter here, just pass it something valid
+  script = "${path.module}/01-smoke.sh"
+
+  env {
+    name  = "SERVER_IMAGE_NAME"
+    value = "${data.oci_string.ref["ssserver"].registry_repo}:${data.oci_string.ref["ssserver"].pseudo_tag}"
+  }
+  env {
+    name  = "LOCAL_IMAGE_NAME"
+    value = "${data.oci_string.ref["sslocal"].registry_repo}:${data.oci_string.ref["sslocal"].pseudo_tag}"
+  }
+}
+
+data "imagetest_inventory" "this" {}
+
+resource "imagetest_harness_k3s" "this" {
+  name      = "shadowsocks-rust"
+  inventory = data.imagetest_inventory.this
+
+  sandbox = {
+    envs = {
+      "IMAGE_NAME_SSLOCAL"  = "${data.oci_string.ref["sslocal"].registry_repo}:${data.oci_string.ref["sslocal"].pseudo_tag}"
+      "IMAGE_NAME_SSSERVER" = "${data.oci_string.ref["ssserver"].registry_repo}:${data.oci_string.ref["ssserver"].pseudo_tag}"
+    }
+  }
+}
+
+resource "imagetest_feature" "basic" {
+  harness     = imagetest_harness_k3s.this
+  name        = "Basic"
+  description = "Basic functionality of the shadowsocks-rust."
+
+  steps = [
+    {
+      name = "Deploy"
+      cmd  = <<EOF
+ kubectl apply -f https://raw.githubusercontent.com/shadowsocks/shadowsocks-rust/master/k8s/shadowsocks-rust.yaml
+ kubectl set image deployment/shadowsocks-rust shadowsocks-rust="${data.oci_string.ref["ssserver"].registry_repo}:${data.oci_string.ref["ssserver"].pseudo_tag}"
+       EOF
+    },
+    {
+      name  = "Ensure it comes up healthy"
+      cmd   = <<EOF
+ kubectl rollout status deployment/shadowsocks-rust --timeout=120s
+ kubectl wait --for=condition=ready pod --selector app.kubernetes.io/name=shadowsocks-rust
+       EOF
+      retry = { attempts = 3, delay = "2s", factor = 2 }
+    },
+  ]
+
+  labels = {
+    type = "k8s"
+  }
+}

main.tf

@@ -1254,6 +1254,11 @@ module "semgrep" {
   target_repository = "${var.target_repository}/semgrep"
 }
 
+module "shadowsocks-rust" {
+  source            = "./images/shadowsocks-rust"
+  target_repository = "${var.target_repository}/shadowsocks-rust"
+}
+
 module "sigstore-policy-controller" {
   source            = "./images/sigstore-policy-controller"
   target_repository = "${var.target_repository}/sigstore-policy-controller"