new image: bank-vaults (chainguard-images#1395)

* new image: bank-vaults Signed-off-by: Tuan Anh Tran <[email protected]> * tf fmt Signed-off-by: Tuan Anh Tran <[email protected]> * fix monopod readme Signed-off-by: Tuan Anh Tran <[email protected]> * sleep before kubectl wait test Signed-off-by: Tuan Anh Tran <[email protected]> * sleep 30 Signed-off-by: Tuan Anh Tran <[email protected]> * wait for custom resource vault become healthy Signed-off-by: Tuan Anh Tran <[email protected]> * wait for custom resource vault become healthy, timeout 300s Signed-off-by: Tuan Anh Tran <[email protected]> --------- Signed-off-by: Tuan Anh Tran <[email protected]>
Aditvil-Dev · Sep 16, 2023 · a18b3ef · a18b3ef
1 parent 294d349
commit a18b3ef
Show file tree

Hide file tree

Showing 8 changed files with 164 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -12,6 +12,7 @@
 | [aws-efs-csi-driver](./images/aws-efs-csi-driver) | `cgr.dev/chainguard/aws-efs-csi-driver` | stable | [![](https://storage.googleapis.com/chainguard-images-build-outputs/badges/aws-efs-csi-driver.build.status.latest.svg)](https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/aws-efs-csi-driver:latest) |
 | [aws-for-fluent-bit](./images/aws-for-fluent-bit) | `cgr.dev/chainguard/aws-for-fluent-bit` | stable | [![](https://storage.googleapis.com/chainguard-images-build-outputs/badges/aws-for-fluent-bit.build.status.latest.svg)](https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/aws-for-fluent-bit:latest) |
 | [aws-load-balancer-controller](./images/aws-load-balancer-controller) | `cgr.dev/chainguard/aws-load-balancer-controller` | stable | [![](https://storage.googleapis.com/chainguard-images-build-outputs/badges/aws-load-balancer-controller.build.status.latest.svg)](https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/aws-load-balancer-controller:latest) |
+| [bank-vaults](./images/bank-vaults) | `cgr.dev/chainguard/bank-vaults` | stable | [![](https://storage.googleapis.com/chainguard-images-build-outputs/badges/bank-vaults.build.status.latest.svg)](https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/bank-vaults:latest) |
 | [bash](./images/bash) | `cgr.dev/chainguard/bash` | stable | [![](https://storage.googleapis.com/chainguard-images-build-outputs/badges/bash.build.status.latest.svg)](https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/bash:latest) |
 | [bazel](./images/bazel) | `cgr.dev/chainguard/bazel` | stable | [![](https://storage.googleapis.com/chainguard-images-build-outputs/badges/bazel.build.status.latest.svg)](https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/bazel:latest) |
 | [boring-registry](./images/boring-registry) | `cgr.dev/chainguard/boring-registry` | stable | [![](https://storage.googleapis.com/chainguard-images-build-outputs/badges/boring-registry.build.status.latest.svg)](https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/boring-registry:latest) |

diff --git a/images/bank-vaults/README.md b/images/bank-vaults/README.md
@@ -0,0 +1,37 @@
+<!--monopod:start-->
+# bank-vaults
+| | |
+| - | - |
+| **Status** | stable |
+| **OCI Reference** | `cgr.dev/chainguard/bank-vaults` |
+
+
+* [View Image in Chainguard Academy](https://edu.chainguard.dev/chainguard/chainguard-images/reference/bank-vaults/overview/)
+* [View Image Catalog](https://console.enforce.dev/images/catalog) for a full list of available tags.
+*[Contact Chainguard](https://www.chainguard.dev/chainguard-images) for enterprise support, SLAs, and access to older tags.*
+
+---
+<!--monopod:end-->
+
+Minimal Image for Bank Vaults
+
+## Get It!
+
+The image is available on `cgr.dev`:
+
+```
+docker pull cgr.dev/chainguard/bank-vaults:latest
+```
+
+## Usage
+
+This image is a drop-in replacement for the upstream image.
+You can run it using the helm chart with:
+
+```shell
+$ helm repo add bank-vaults oci://ghcr.io/bank-vaults/helm-charts/vault-operator
+$ helm install bank-vaults bank-vaults/bank-vaults \
+    --set bankVaults.image.repository=cgr.dev/chainguard/bank-vaults \
+    --set bankVaults.image.tag=latest
+    <other configuration parameters here>
+```
diff --git a/images/bank-vaults/configs/latest.apko.yaml b/images/bank-vaults/configs/latest.apko.yaml
@@ -0,0 +1,16 @@
+contents:
+  packages:
+    - bank-vaults-template
+    - bank-vaults
+
+accounts:
+  groups:
+    - groupname: bank-vaults
+      gid: 65532
+  users:
+    - username: bank-vaults
+      uid: 65532
+  run-as: 65532
+
+entrypoint:
+  command: /usr/bin/bank-vaults
diff --git a/images/bank-vaults/image.yaml b/images/bank-vaults/image.yaml
@@ -0,0 +1,3 @@
+versions:
+  - apko:
+      config: configs/latest.apko.yaml
diff --git a/images/bank-vaults/main.tf b/images/bank-vaults/main.tf
@@ -0,0 +1,54 @@
+terraform {
+  required_providers {
+    apko = { source = "chainguard-dev/apko" }
+  }
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+module "latest" {
+  source = "../../tflib/publisher"
+
+  name = basename(path.module)
+
+  target_repository = var.target_repository
+  config            = file("${path.module}/configs/latest.apko.yaml")
+}
+
+module "dev" { source = "../../tflib/dev-subvariant" }
+
+module "latest-dev" {
+  source = "../../tflib/publisher"
+
+  name = basename(path.module)
+
+  target_repository = var.target_repository
+  # Make the dev variant an explicit extension of the
+  # locked original.
+  config         = jsonencode(module.latest.config)
+  extra_packages = module.dev.extra_packages
+}
+
+module "version-tags" {
+  source  = "../../tflib/version-tags"
+  package = "bank-vaults"
+  config  = module.latest.config
+}
+
+module "test-latest" {
+  source = "./tests"
+  digest = module.latest.image_ref
+}
+
+module "tagger" {
+  source = "../../tflib/tagger"
+
+  depends_on = [module.test-latest]
+
+  tags = merge(
+    { for t in toset(concat(["latest"], module.version-tags.tag_list)) : t => module.latest.image_ref },
+    { for t in toset(concat(["latest"], module.version-tags.tag_list)) : "${t}-dev" => module.latest-dev.image_ref },
+  )
+}
diff --git a/images/bank-vaults/tests/full-test.sh b/images/bank-vaults/tests/full-test.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -o errexit -o nounset -o errtrace -o pipefail -x
+
+# installation instruction from here https://bank-vaults.dev/docs/installing/
+
+kubectl config set-context --current --namespace=default
+
+helm upgrade --install --wait vault-operator oci://ghcr.io/bank-vaults/helm-charts/vault-operator \
+    --set bankVaults.image.repository=${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} \
+    --set bankVaults.image.tag=$IMAGE_TAG
+
+kubectl kustomize https://github.com/bank-vaults/vault-operator/deploy/rbac | kubectl apply -f -
+
+kubectl apply -f https://raw.githubusercontent.com/bank-vaults/vault-operator/v1.21.0/deploy/examples/cr-raft.yaml
+
+kubectl -n default wait --for=condition=healthy vault vault --timeout=300s
diff --git a/images/bank-vaults/tests/main.tf b/images/bank-vaults/tests/main.tf
@@ -0,0 +1,31 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+data "oci_string" "ref" { input = var.digest }
+
+data "oci_exec_test" "test" {
+  digest = var.digest
+  script = "${path.module}/full-test.sh"
+
+  env {
+    name  = "IMAGE_REGISTRY"
+    value = data.oci_string.ref.registry
+  }
+
+  env {
+    name  = "IMAGE_REPOSITORY"
+    value = data.oci_string.ref.repo
+  }
+
+  env {
+    name  = "IMAGE_TAG"
+    value = data.oci_string.ref.pseudo_tag
+  }
+}
diff --git a/main.tf b/main.tf
@@ -99,6 +99,11 @@ module "bash" {
   target_repository = "${var.target_repository}/bash"
 }
 
+module "bank-vaults" {
+  source            = "./images/bank-vaults"
+  target_repository = "${var.target_repository}/bank-vaults"
+}
+
 module "bazel" {
   source            = "./images/bazel"
   target_repository = "${var.target_repository}/bazel"