chainguard-dev / terraform-provider-oci
Terraform provider to perform OCI image operations
Home Page: https://registry.terraform.io/providers/chainguard-dev/oci
License: Mozilla Public License 2.0
Maybe this can be done at the TF level too, but it'd be great to be able to specify at the oci provider level too (e.g. tests in this apply should have a default timeout of 30s).
cc @imjasonh
Here's an example where (I believe) we handed out the same free port to multiple concurrent processes:
If we track ports we've handed out at the provider level, then we can avoid duplication and have tests "return" them once the test is complete.
cc @imjasonh
Right now a lot of tests open ports and then hit them via curl or other things, but when run concurrently fixed ports cause failures.
Our CoreDNS tests work around this in bash, but it'd be great to have something more built in (and randomized so these searches don't also collide as @Dentrax and @developer-guy hit with our private images iirc):
https://github.com/chainguard-images/images/blob/dff0f86a3a70d0ab4c5f6508ea502b3048fb6e11/images/coredns/tests/02-nslookup-with-Corefile.sh#L13-L20
cc @imjasonh
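A provider-level allocator along the lines the two issues above ask for, written here as an added illustration and not code from terraform-provider-oci: it asks the kernel for a random free port by binding to 127.0.0.1:0, records every port it has handed out behind a mutex so concurrent tests in one process never receive the same one, and lets a test return its port when it finishes. PortPool, Acquire, Release and the probe hook are names assumed by this example; the probe hook exists so the bookkeeping can be exercised without opening sockets.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"sync"
)

// PortPool hands out free ports to tests and remembers which ones are still
// in use, so concurrent tests in one provider process never share a port.
type PortPool struct {
	mu    sync.Mutex
	used  map[int]struct{}
	probe func() (int, error) // returns a port that is currently free on the host
}

// kernelFreePort binds to port 0 on loopback so the kernel picks a random
// free port, then closes the listener and reports the port it chose.
func kernelFreePort() (int, error) {
	l, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer l.Close()
	return l.Addr().(*net.TCPAddr).Port, nil
}

func NewPortPool() *PortPool { return NewPortPoolWithProbe(kernelFreePort) }

// NewPortPoolWithProbe lets a caller supply the free-port search (assumed
// hook for this example), which is how the bookkeeping is tested offline.
func NewPortPoolWithProbe(probe func() (int, error)) *PortPool {
	return &PortPool{used: map[int]struct{}{}, probe: probe}
}

// Acquire returns a port that is free on the host and not already handed
// out by this pool. The host-level check is only a snapshot (the listener is
// closed before the test binds), so the pool's own record is what keeps two
// concurrent tests apart.
func (p *PortPool) Acquire() (int, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	for attempt := 0; attempt < 100; attempt++ {
		port, err := p.probe()
		if err != nil {
			return 0, err
		}
		if _, taken := p.used[port]; taken {
			continue // already handed to a running test; ask again
		}
		p.used[port] = struct{}{}
		return port, nil
	}
	return 0, errors.New("no free port that is not already handed out")
}

// Release returns a port to the pool once the test that held it is done.
func (p *PortPool) Release(port int) {
	p.mu.Lock()
	defer p.mu.Unlock()
	delete(p.used, port)
}

// InUse reports how many ports are currently handed out.
func (p *PortPool) InUse() int {
	p.mu.Lock()
	defer p.mu.Unlock()
	return len(p.used)
}

// AcquireMany models n tests starting at once; a repeated port in the result
// would be the collision the issue describes.
func AcquireMany(p *PortPool, n int) ([]int, error) {
	ports := make([]int, n)
	errs := make([]error, n)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			ports[i], errs[i] = p.Acquire()
		}(i)
	}
	wg.Wait()
	for _, err := range errs {
		if err != nil {
			return nil, err
		}
	}
	return ports, nil
}

// HasDuplicates reports whether any port appears twice.
func HasDuplicates(ports []int) bool {
	seen := map[int]bool{}
	for _, port := range ports {
		if seen[port] {
			return true
		}
		seen[port] = true
	}
	return false
}

func main() {
	pool := NewPortPool()
	ports, err := AcquireMany(pool, 8)
	fmt.Println("ports:", ports, "err:", err, "duplicates:", HasDuplicates(ports))
	for _, port := range ports {
		pool.Release(port)
	}
	fmt.Println("in use after release:", pool.InUse())
}
```

Holding the mutex across the probe is deliberate: it serialises the kernel lookup with the record update, so a port found free by one goroutine cannot be handed to a second goroutine before the first has recorded it.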
I noticed looking at the code that it uses remote.Image
data "crane_ref" "test" {
  ref = "cgr.dev/chainguard/static:latest-glibc"
}

We can currently get its digest (crane_ref.test.digest) and full image ref (crane_ref.test.id). What else might be useful?

For images:
- crane_ref.test.layers, a list of objects with digest, size, mediaType
- crane_ref.test.files, a map of filepath -> object with contents, permissions (like local_file)

For indexes:
- crane_ref.test.manifests, a list of objects with digest, size, mediaType, platform
- crane_ref.test.images, a map of platform -> object, which is an image like above, which can give you layers, files, whatever

For any manifest:
- crane_ref.test.mediaType
- crane_ref.test.annotations, a map of string -> string

It probably only makes sense to populate files if we can do it lazily, which I'm not sure we can. We might be able to take as an input the filepaths to care about, and only populate those (and fail if they're not there):

data "crane_ref" "test" {
  ref       = "cgr.dev/chainguard/static:latest-glibc"
  filepaths = ["/etc/passwd", "/lib/apk/db/installed"]
}
oci_append.site: Creating...
╷
│ Error: Unable to push image
│
│ with oci_append.site,
│ on service.tf line 14, in resource "oci_append" "site":
│ 14: resource "oci_append" "site" {
│
│ Unable to push image, got error: PUT https://gcr.io/v2/mattmoor-chainguard/apko-hugo-cloudrun/manifests/sha256:d983e9ebe396bdbb1a035aed87fa4e30551188393349ad54cbaaab4c5aaf388c: DIGEST_INVALID: Manifest digest
│ "sha256:95bd4706afe03ac83a251988698f0b87edc1f8ac47276c3077a6849c5b5ee719" does not match expected digest "sha256:d983e9ebe396bdbb1a035aed87fa4e30551188393349ad54cbaaab4c5aaf388c".
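The DIGEST_INVALID error above is the registry refusing a manifest because the digest in the PUT URL does not match the SHA-256 of the request body it actually received. The Go example below is added here and is not the provider's code: it models that registry check, and as an illustration of one way the bytes can drift it re-serialises a constructed manifest with encoding/json and shows that the original digest no longer matches. The page does not say what produced the mismatch in the oci_append case, so the cause shown is an assumption, as are the names Digest, PushManifest and Reserialize.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Digest returns the "sha256:<hex>" digest OCI registries use for manifests.
func Digest(raw []byte) string {
	sum := sha256.Sum256(raw)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// PushManifest models what a registry does on PUT /v2/<name>/manifests/<digest>:
// the digest in the URL must equal the digest of the exact bytes in the body.
// It returns nil on a match and a DIGEST_INVALID-style error otherwise.
func PushManifest(urlDigest string, body []byte) error {
	if got := Digest(body); got != urlDigest {
		return fmt.Errorf("DIGEST_INVALID: Manifest digest %q does not match expected digest %q", got, urlDigest)
	}
	return nil
}

// Reserialize decodes and re-encodes a manifest with encoding/json. The
// result is semantically identical, but whitespace and key order change, so
// the bytes and therefore the digest usually change too. This is an assumed
// cause for illustration; the page does not say what happened in oci_append.
func Reserialize(raw []byte) ([]byte, error) {
	var m map[string]interface{}
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	return json.Marshal(m)
}

// sampleManifest is a constructed manifest for the example, not a real one.
const sampleManifest = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
    "size": 2
  },
  "layers": []
}`

func main() {
	raw := []byte(sampleManifest)
	d := Digest(raw)
	fmt.Println("original bytes:", PushManifest(d, raw))
	re, _ := Reserialize(raw)
	fmt.Println("re-encoded bytes:", PushManifest(d, re))
}
```

The practical check when this error appears is to compute the digest of the bytes actually sent and compare it with the digest in the URL; a client must push the manifest byte-for-byte as it was hashed, never a re-encoded copy.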
Prior art: https://github.com/GoogleContainerTools/container-structure-test
Something like:
data "oci_ref" "image" {
  ref = "alpine"
}

data "oci_validate" "validate" {
  # rules are HCL expressions over the referenced image's config
  # (HCL compares with ==; a single = would be an assignment)
  test {
    rule = (data.oci_ref.image.config.user == "nobody")
  }
  test {
    rule = contains(data.oci_ref.image.config.env, "FOO=bar")
  }
  # file checks are evaluated against the image identified by digest
  test {
    file = {
      digest       = data.oci_ref.image.id
      path         = "/etc/passwd"
      contains     = "nobody"
      not_contains = "my credit card number is:"
      permissions  = "-rw-r--r--"
    }
  }
}

resource "google_cloud_run_service" "service" {
  # consuming the validated reference makes the deployment depend on the tests passing
  image = data.oci_validate.validate.validated_ref
}

We can also consider command tests that effectively docker run <image> and inspect the result.
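One way the files attribute proposed in the crane_ref issue above (contents plus permissions, populated only for requested paths, failing when a path is absent) and the file test of the oci_validate sketch could both be implemented, written here as an added example using only the Go standard library and not the provider's own code. The layer tarball is constructed in memory so the example runs offline; ExtractFiles, FileTest, Check, Entry and BuildLayer are hypothetical names.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"sort"
	"strings"
)

// FileInfo is what an entry of the proposed files map could carry.
type FileInfo struct {
	Contents    string
	Permissions string // ls -l style, e.g. "-rw-r--r--"
}

// normalize maps "etc/passwd", "./etc/passwd" and "/etc/passwd" to "/etc/passwd".
func normalize(p string) string {
	return "/" + strings.TrimPrefix(strings.TrimPrefix(p, "./"), "/")
}

// ExtractFiles walks one layer tarball and returns only the requested paths.
// Every header is read, but only requested regular files are buffered, and a
// requested path that is absent from the layer is an error.
func ExtractFiles(layer io.Reader, want []string) (map[string]FileInfo, error) {
	wanted := map[string]bool{}
	for _, p := range want {
		wanted[normalize(p)] = true
	}
	found := map[string]FileInfo{}
	tr := tar.NewReader(layer)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		name := normalize(hdr.Name)
		if !wanted[name] || hdr.Typeflag != tar.TypeReg {
			continue
		}
		body, err := io.ReadAll(tr)
		if err != nil {
			return nil, err
		}
		found[name] = FileInfo{Contents: string(body), Permissions: fs.FileMode(hdr.Mode & 0777).String()}
	}
	for _, p := range want {
		if _, ok := found[normalize(p)]; !ok {
			return nil, fmt.Errorf("requested file %s not present in layer", p)
		}
	}
	return found, nil
}

// FileTest mirrors the file block of the oci_validate sketch; Check returns
// "" when the test passes, otherwise the reason it failed.
type FileTest struct{ Path, Contains, NotContains, Permissions string }

func Check(files map[string]FileInfo, t FileTest) string {
	fi, ok := files[normalize(t.Path)]
	switch {
	case !ok:
		return t.Path + ": not extracted"
	case t.Contains != "" && !strings.Contains(fi.Contents, t.Contains):
		return fmt.Sprintf("%s: does not contain %q", t.Path, t.Contains)
	case t.NotContains != "" && strings.Contains(fi.Contents, t.NotContains):
		return fmt.Sprintf("%s: contains forbidden %q", t.Path, t.NotContains)
	case t.Permissions != "" && fi.Permissions != t.Permissions:
		return fmt.Sprintf("%s: permissions %s, want %s", t.Path, fi.Permissions, t.Permissions)
	}
	return ""
}

// Entry and BuildLayer construct a tar layer in memory so the example runs
// offline; in the provider the layer would come from the registry instead.
type Entry struct {
	Mode     int64
	Contents string
}

func BuildLayer(entries map[string]Entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	names := make([]string, 0, len(entries))
	for n := range entries {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic layer bytes
	for _, n := range names {
		e := entries[n]
		hdr := &tar.Header{Name: n, Mode: e.Mode, Size: int64(len(e.Contents)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		tw.Write([]byte(e.Contents)) // in-memory buffer, cannot short-write
	}
	tw.Close()
	return buf.Bytes()
}
```

Usage, with a constructed layer: `ExtractFiles(bytes.NewReader(BuildLayer(...)), []string{"/etc/passwd"})` followed by `Check(files, FileTest{Path: "/etc/passwd", Contains: "nobody", Permissions: "-rw-r--r--"})`. A real image has several layers and whiteout entries, so a provider implementation would apply layers in order and honour deletions before running the same per-file checks.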
Ideally this would not vary based on the working directory the module happens to be invoked from, so I think ${path.module} is the best bet.
cc @imjasonh
resource "oci_tag" "tag" {
  digest_ref = oci_append.foo.image_ref
  tag        = "v1.2.3"
}

output "tagged" {
  value = oci_tag.tag.tagged_digest
}
Applies a tag to a previously built/fetched/signed/attested/verified/tested image by digest.