chainguard-dev · joshrwolf · Jan 17, 2025
diff --git a/docs/resources/tests.md b/docs/resources/tests.md
@@ -0,0 +1,83 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "imagetest_tests Resource - terraform-provider-imagetest"
+subcategory: ""
+description: |-
+
+---
+
+# imagetest_tests (Resource)
+
+
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `driver` (String) The driver to use for the test suite. Only one driver can be used at a time.
+- `images` (Map of String) Images to use for the test suite.
+
+### Optional
+
+- `drivers` (Attributes) The resource specific driver configuration. This is merged with the provider scoped drivers configuration. (see [below for nested schema](#nestedatt--drivers))
+- `name` (String) The name of the test. If one is not provided, a random name will be generated.
+- `tests` (Attributes List) An ordered list of test suites to run (see [below for nested schema](#nestedatt--tests))
+
+### Read-Only
+
+- `id` (String) The unique identifier for the test. If a name is provided, this will be the name appended with a random suffix.
+
+<a id="nestedatt--drivers"></a>
+### Nested Schema for `drivers`
+
+Optional:
+
+- `docker_in_docker` (Attributes) The docker_in_docker driver (see [below for nested schema](#nestedatt--drivers--docker_in_docker))
+- `k3s_in_docker` (Attributes) The k3s_in_docker driver (see [below for nested schema](#nestedatt--drivers--k3s_in_docker))
+
+<a id="nestedatt--drivers--docker_in_docker"></a>
+### Nested Schema for `drivers.docker_in_docker`
+
+Optional:
+
+- `image_ref` (String) The image reference to use for the docker-in-docker driver
+
+
+<a id="nestedatt--drivers--k3s_in_docker"></a>
+### Nested Schema for `drivers.k3s_in_docker`
+
+Optional:
+
+- `cni` (Boolean) Enable the CNI plugin
+- `metrics_server` (Boolean) Enable the metrics server
+- `network_policy` (Boolean) Enable the network policy
+- `traefik` (Boolean) Enable the traefik ingress controller
+
+
+
+<a id="nestedatt--tests"></a>
+### Nested Schema for `tests`
+
+Required:
+
+- `image` (String) The image reference to use as the base image for the test.
+- `name` (String) The name of the test
+
+Optional:
+
+- `content` (Attributes List) The content to use for the test (see [below for nested schema](#nestedatt--tests--content))
+- `envs` (Map of String) Environment variables to set on the test container. These will overwrite the environment variables set in the image's config on conflicts.
+
+<a id="nestedatt--tests--content"></a>
+### Nested Schema for `tests.content`
+
+Required:
+
+- `source` (String) The source path to use for the test
+
+Optional:
+
+- `target` (String) The target path to use for the test
diff --git a/examples/tests_resource/helm/main.tf b/examples/tests_resource/helm/main.tf
@@ -0,0 +1,33 @@
+terraform {
+  required_providers {
+    apko = { source = "chainguard-dev/apko" }
+  }
+}
+
+variable "target_repository" {}
+
+variable "content" {}
+
+data "apko_config" "sandbox" {
+  config_contents = jsonencode({
+    contents = {
+      packages = ["busybox", "bash", "helm", "kubectl", "jq"]
+    }
+    cmd = "bash -eux -o pipefail -c 'source /imagetest/foo.sh'"
+  })
+}
+
+resource "apko_build" "sandbox" {
+  repo   = var.target_repository
+  config = data.apko_config.sandbox.config
+}
+
+output "test" {
+  value = [{
+    name  = "helm test"
+    image = apko_build.sandbox.image_ref
+    content = [{
+      source = var.content
+    }]
+  }]
+}
diff --git a/examples/tests_resource/main.tf b/examples/tests_resource/main.tf
@@ -0,0 +1,52 @@
+terraform {
+  required_providers {
+    imagetest = {
+      source = "registry.terraform.io/chainguard-dev/imagetest"
+    }
+    apko = { source = "chainguard-dev/apko" }
+  }
+  backend "inmem" {}
+}
+
+locals { repo = "gcr.io/wolf-chainguard/images" }
+
+provider "imagetest" {
+  repo = local.repo
+}
+
+provider "apko" {
+  extra_repositories = concat([
+    "https://packages.wolfi.dev/os",
+    "https://packages.cgr.dev/extras",
+  ])
+  build_repositories = ["https://apk.cgr.dev/chainguard-private"]
+  extra_keyring = concat([
+    "https://packages.wolfi.dev/os/wolfi-signing.rsa.pub",
+    "https://packages.cgr.dev/extras/chainguard-extras.rsa.pub",
+  ])
+
+  extra_packages = ["chainguard-baselayout"]
+
+  default_archs = ["aarch64"]
+}
+
+module "helm_test" {
+  source            = "./helm"
+  target_repository = local.repo
+  content           = "${path.module}/tests"
+}
+
+resource "imagetest_tests" "foo" {
+  name   = "foo"
+  driver = "k3s_in_docker"
+
+  images = {
+    foo = "cgr.dev/chainguard/busybox:latest@sha256:b7fc3eef4303188eb295aaf8e02d888ced307d2a45090d6f673b95a41bfc033d"
+  }
+
+  tests = concat([], module.helm_test.test)
+}
+
+output "tests" {
+  value = imagetest_tests.foo
+}
diff --git a/examples/tests_resource/tests/foo.sh b/examples/tests_resource/tests/foo.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+echo "Hello World"
+
+kubectl get po -A
+
+echo "$IMAGES" | jq '.'
diff --git a/internal/bundler/layer.go b/internal/bundler/layer.go
@@ -4,8 +4,10 @@ import (
 	"archive/tar"
 	"io"
 	"io/fs"
-	"path/filepath"
+	"os"
+	"path"
 
+	"chainguard.dev/apko/pkg/tarfs"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
 	"github.com/google/go-containerregistry/pkg/v1/tarball"
@@ -29,6 +31,32 @@ func NewFSLayer(source fs.FS, target string) Layerer {
 	}
 }
 
+// NewFSLayerFromPath is a helper function that creates a FS from a local path.
+func NewFSLayerFromPath(source string, target string) Layerer {
+	pi, err := os.Stat(source)
+	if err != nil {
+		return nil
+	}
+
+	if pi.IsDir() {
+		return NewFSLayer(os.DirFS(source), target)
+	}
+
+	// There are better ways to make an FS from a isngle layer, but we already
+	// import tfs through apko, so just be a little lazy here
+	data, err := os.ReadFile(source)
+	if err != nil {
+		return nil
+	}
+
+	tfs := tarfs.New()
+	if err := tfs.WriteFile(pi.Name(), data, pi.Mode()); err != nil {
+		return nil
+	}
+
+	return NewFSLayer(tfs, target)
+}
+
 func (l *fsl) Layer() (v1.Layer, error) {
 	return tarball.LayerFromOpener(func() (io.ReadCloser, error) {
 		pr, pw := io.Pipe()
@@ -38,7 +66,7 @@ func (l *fsl) Layer() (v1.Layer, error) {
 			defer tw.Close()
 			defer pw.Close()
 
-			if err := fs.WalkDir(l.source, ".", func(path string, d fs.DirEntry, err error) error {
+			if err := fs.WalkDir(l.source, ".", func(p string, d fs.DirEntry, err error) error {
 				if err != nil {
 					return err
 				}
@@ -53,14 +81,14 @@ func (l *fsl) Layer() (v1.Layer, error) {
 					return err
 				}
 
-				hdr.Name = filepath.Join(l.target, path)
+				hdr.Name = path.Join(l.target, p)
 
 				if err := tw.WriteHeader(hdr); err != nil {
 					return err
 				}
 
 				if !d.IsDir() {
-					f, err := l.source.Open(path)
+					f, err := l.source.Open(p)
 					if err != nil {
 						return err
 					}

diff --git a/internal/drivers/docker_in_docker/doc.go b/internal/drivers/docker_in_docker/doc.go
@@ -0,0 +1,12 @@
+// dockerindocker is a driver that runs each test container in its _own_ dind
+// sandbox. Each test container is created as a new image, with the base layer
+// containing the dind image, and subsequent layers containing the test
+// container. Mapped out, the layers look like:
+//
+//	0: cgr.dev/chainguard-private/docker-dind:latest
+//	1: imagetest created layer, with the appropriate test content and apk dependencies
+//
+// Things are done this way to ensure the tests that run _feel_ like they are
+// simply in an environment with docker installed, while also ensuring they are
+// portable to other drivers, such as docker-in-a-vm.
+package dockerindocker