feat(images): Add Chromium (#2347)

Adds Chromium image that runs headless with GPU access disabled and
sandboxing turned off

Signed-off-by: RJ Sampson <rj.sampson@chainguard.dev>

images/chromium/README.md

@@ -0,0 +1,49 @@
+<!--monopod:start-->
+# chromium
+| | |
+| - | - |
+| **OCI Reference** | `cgr.dev/chainguard/chromium` |
+
+
+* [View Image in Chainguard Academy](https://edu.chainguard.dev/chainguard/chainguard-images/reference/chromium/overview/)
+* [View Image Catalog](https://console.enforce.dev/images/catalog) for a full list of available tags.
+* [Contact Chainguard](https://www.chainguard.dev/chainguard-images) for enterprise support, SLAs, and access to older tags.*
+
+---
+<!--monopod:end-->
+
+<!--overview:start-->
+Minimal [Chromium](https://chromium.googlesource.com/chromium/src/) container image.
+<!--overview:end-->
+
+<!--getting:start-->
+## Download this Image
+The image is available on `cgr.dev`:
+
+```
+docker pull cgr.dev/chainguard/chromium:latest
+```
+<!--getting:end-->
+
+<!--body:start-->
+## Usage
+
+Running Chromium doesn't require passing any additional parameters to Docker:
+
+```bash
+docker run cgr.dev/chainguard/chromium:latest
+```
+
+Please note that Chromium is ran in a headless state with the sandbox and GPU access disabled with the flags:
+
+```
+--headless --no-sandbox --disable-gpu
+```
+
+We run Chromium headless with GPU access disabled due to the container not having GPU access.
+
+Chromium's sandbox has been disabled as the container is sandboxed from the host environment.
+
+This can be overriden via the environment variable `CHROMIUM_USER_FLAGS` though this is unsupported.
+
+<!--body:end-->

images/chromium/config/main.tf

@@ -0,0 +1,47 @@
+terraform {
+  required_providers {
+    apko = { source = "chainguard-dev/apko" }
+  }
+}
+
+variable "extra_packages" {
+  description = "Additional packages to install."
+  type        = list(string)
+  default     = ["chromium"]
+}
+
+variable "environment" {
+  default = {}
+}
+
+module "accts" {
+  source = "../../../tflib/accts"
+  run-as = 65532
+  uid    = 65532
+  gid    = 65532
+  name   = "chrome"
+}
+
+output "config" {
+  value = jsonencode({
+    archs = ["x86_64"]
+    contents = {
+      packages = var.extra_packages
+    }
+    accounts = module.accts.block
+    environment = merge({
+      "CHROMIUM_USER_FLAGS" : "--headless --no-sandbox --disable-gpu"
+    })
+    entrypoint = {
+      command = "/usr/bin/chromium-browser"
+    }
+    paths = [{
+      path        = "/usr/lib/chromium"
+      type        = "directory"
+      uid         = module.accts.uid
+      gid         = module.accts.gid
+      permissions = 509
+      recursive   = true
+    }]
+  })
+}

images/chromium/main.tf

@@ -0,0 +1,39 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+module "config" {
+  source = "./config"
+}
+
+module "latest" {
+  source            = "../../tflib/publisher"
+  name              = basename(path.module)
+  target_repository = var.target_repository
+  config            = module.config.config
+  build-dev         = true
+}
+
+module "test" {
+  source = "./tests"
+
+  digest = module.latest.image_ref
+}
+
+resource "oci_tag" "latest" {
+  depends_on = [module.test]
+  digest_ref = module.latest.image_ref
+  tag        = "latest"
+}
+
+resource "oci_tag" "latest-dev" {
+  depends_on = [module.test]
+  digest_ref = module.latest.dev_ref
+  tag        = "latest-dev"
+}

images/chromium/metadata.yaml

@@ -0,0 +1,12 @@
+name: chromium
+image: cgr.dev/chainguard/chromium
+logo: https://storage.googleapis.com/chainguard-academy/logos/chromium.svg
+endoflife: ""
+console_summary: ""
+short_description: Minimal [Chromium](https://chromium.googlesource.com/chromium/src/) container image.
+compatibility_notes: ""
+readme_file: README.md
+upstream_url: https://chromium.googlesource.com/chromium/src/
+keywords:
+  - application
+  - browser

images/chromium/tests/main.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+data "oci_string" "ref" { input = var.digest }
+
+data "oci_exec_test" "smoke" {
+  digest = var.digest
+  script = "${path.module}/smoke.sh"
+}

images/chromium/tests/smoke.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+set -o errexit -o nounset -o errtrace -o pipefail -x
+
+CHROME_CONTAINER_NAME="chromium-$(uuidgen)"
+CHROMEDRIVER_CONTAINER_NAME="chromedriver-$(uuidgen)"
+
+# Check status
+docker run \
+  --rm \
+  --platform linux/x86_64 \
+  --name "${CHROME_CONTAINER_NAME}" \
+  "${IMAGE_NAME}" \
+  --dump-dom \
+  https://www.chromestatus.com
+
+# Test ChromeDriver starts successfully
+docker run \
+  -d --rm \
+  --platform linux/x86_64 \
+  --entrypoint chromedriver \
+  --name "${CHROMEDRIVER_CONTAINER_NAME}" \
+  "${IMAGE_NAME}"
+
+# Stop container when script exits
+trap "docker stop ${CHROMEDRIVER_CONTAINER_NAME}" EXIT
+sleep 5
+
+# Retrieve container logs
+logs=$(docker logs "${CHROMEDRIVER_CONTAINER_NAME}" 2>&1)
+
+# Ensure ChromeDriver started successfully
+expected_logs=("ChromeDriver was started successfully.")
+
+for log in "${expected_logs[@]}"; do
+  if ! echo "$logs" | grep -q "$log"; then
+    echo "ChromeDriver failed to start."
+    exit 1
+  fi
+done

main.tf

@@ -237,6 +237,11 @@ module "cfssl" {
   target_repository = "${var.target_repository}/cfssl"
 }
 
+module "chromium" {
+  source            = "./images/chromium"
+  target_repository = "${var.target_repository}/chromium"
+}
+
 module "cilium" {
   source            = "./images/cilium"
   target_repository = "${var.target_repository}/cilium"