chainguard-images · JonahEdick · May 6, 2024 · May 6, 2024 · May 7, 2024 · May 7, 2024
diff --git a/generated.tf b/generated.tf
diff --git a/images/rabbitmq-default-user-credential-updater/README.md b/images/rabbitmq-default-user-credential-updater/README.md
@@ -0,0 +1,54 @@
+<!--monopod:start-->
+# rabbitmq-default-user-credential-updater
+| | |
+| - | - |
+| **OCI Reference** | `cgr.dev/chainguard/rabbitmq-default-user-credential-updater` |
+
+
+* [View Image in Chainguard Academy](https://edu.chainguard.dev/chainguard/chainguard-images/reference/rabbitmq-default-user-credential-updater/overview/)
+* [View Image Catalog](https://console.enforce.dev/images/catalog) for a full list of available tags.
+* [Contact Chainguard](https://www.chainguard.dev/chainguard-images) for enterprise support, SLAs, and access to older tags.*
+
+---
+<!--monopod:end-->
+
+<!--overview:start-->
+Minimal image with [default-user-credential-updater](https://github.com/rabbitmq/default-user-credential-updater)
+<!--overview:end-->
+
+<!--getting:start-->
+## Download this Image
+The image is available on `cgr.dev`:
+
+```
+docker pull cgr.dev/chainguard/rabbitmq-default-user-credential-updater:latest
+```
+<!--getting:end-->
+
+<!--body:start-->
+## Usage
+
+This image is a drop-in replacement for the upstream image.
+For exampl, you can run it using the upstream RabbitMQ Cluster Operator deployment by
+defining the `DEFAULT_USER_UPDATER_IMAGE` environment variable:
+
+```shell
+cat <<EOF > kustomization.yaml
+resources:
+- https://github.com/rabbitmq/cluster-operator/releases/latest/download/cluster-operator.yml
+patches:
+- patch: |-
+    - op: add
+      path: "/spec/template/spec/containers/0/env/-"
+      value: 
+        name: DEFAULT_USER_UPDATER_IMAGE
+        value: cgr.dev/chainguard/rabbitmq-default-user-credential-updater:latest
+  target:
+    kind: Deployment
+    namespace: rabbitmq-system
+    name: rabbitmq-cluster-operator
+EOF
+
+kustomize build . | kubectl apply -f -
+```
+<!--body:end-->
diff --git a/images/rabbitmq-default-user-credential-updater/config/main.tf b/images/rabbitmq-default-user-credential-updater/config/main.tf
@@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    apko = { source = "chainguard-dev/apko" }
+  }
+}
+
+variable "extra_packages" {
+  description = "The additional packages to install"
+  default = [
+    "rabbitmq-default-user-credential-updater",
+  ]
+}
+
+data "apko_config" "this" {
+  config_contents = file("${path.module}/template.apko.yaml")
+  extra_packages  = var.extra_packages
+}
+
+output "config" {
+  value = jsonencode(data.apko_config.this.config)
+}
diff --git a/images/rabbitmq-default-user-credential-updater/config/template.apko.yaml b/images/rabbitmq-default-user-credential-updater/config/template.apko.yaml
@@ -0,0 +1,15 @@
+contents:
+  packages: []
+
+accounts:
+  groups:
+    - groupname: nonroot
+      gid: 65532
+  users:
+    - username: nonroot
+      uid: 65532
+      gid: 65532
+  run-as: 65532
+
+entrypoint:
+  command: /usr/bin/default-user-credential-updater
diff --git a/images/rabbitmq-default-user-credential-updater/generated.tf b/images/rabbitmq-default-user-credential-updater/generated.tf
diff --git a/images/rabbitmq-default-user-credential-updater/main.tf b/images/rabbitmq-default-user-credential-updater/main.tf
@@ -0,0 +1,38 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+module "config" { source = "./config" }
+
+module "rabbitmq-default-user-credential-updater" {
+  source            = "../../tflib/publisher"
+  name              = basename(path.module)
+  target_repository = var.target_repository
+  config            = module.config.config
+
+  build-dev = true
+
+}
+
+module "test" {
+  source = "./tests"
+  digest = module.rabbitmq-default-user-credential-updater.image_ref
+}
+
+resource "oci_tag" "latest" {
+  depends_on = [module.test]
+  digest_ref = module.rabbitmq-default-user-credential-updater.image_ref
+  tag        = "latest"
+}
+
+resource "oci_tag" "latest-dev" {
+  depends_on = [module.test]
+  digest_ref = module.rabbitmq-default-user-credential-updater.dev_ref
+  tag        = "latest-dev"
+}
diff --git a/images/rabbitmq-default-user-credential-updater/metadata.yaml b/images/rabbitmq-default-user-credential-updater/metadata.yaml
@@ -0,0 +1,12 @@
+name: rabbitmq-default-user-credential-updater
+image: cgr.dev/chainguard/rabbitmq-default-user-credential-updater
+logo: https://storage.googleapis.com/chainguard-academy/logos/rabbitmq-default-user-credential-updater.svg
+endoflife: ""
+console_summary: ""
+short_description: Minimal image with [default-user-credential-updater](https://github.com/rabbitmq/default-user-credential-updater)
+compatibility_notes: ""
+readme_file: README.md
+upstream_url: https://github.com/rabbitmq/default-user-credential-updater
+keywords:
+  - application
+  - tools
diff --git a/images/rabbitmq-default-user-credential-updater/tests/main.tf b/images/rabbitmq-default-user-credential-updater/tests/main.tf
@@ -0,0 +1,128 @@
+terraform {
+  required_providers {
+    oci       = { source = "chainguard-dev/oci" }
+    imagetest = { source = "chainguard-dev/imagetest" }
+  }
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+data "oci_string" "ref" { input = var.digest }
+
+data "imagetest_inventory" "this" {}
+
+resource "imagetest_harness_k3s" "this" {
+  name      = "rabbitmq-default-user-credential-updater"
+  inventory = data.imagetest_inventory.this
+
+  sandbox = {
+    mounts = [
+      {
+        source      = path.module
+        destination = "/tests"
+      }
+    ]
+  }
+}
+
+locals {
+  namespace = "rabbitmq-system"
+}
+
+module "helm-vault" {
+  source = "../../../tflib/imagetest/helm"
+
+  repo      = "https://helm.releases.hashicorp.com"
+  chart     = "vault"
+  namespace = local.namespace
+  name      = "vault"
+
+  values = {
+    server = {
+      image = {
+        repository = "cgr.dev/chainguard/vault"
+        tag        = "latest"
+      }
+      dev      = { enabled = true }
+      logLevel = "debug"
+    }
+    injector = {
+      logLevel = "debug"
+      image = {
+        repository = "cgr.dev/chainguard/vault-k8s"
+        tag        = "latest"
+      }
+      agentImage = {
+        repository = "cgr.dev/chainguard/vault"
+        tag        = "latest"
+      }
+    }
+  }
+}
+
+resource "imagetest_feature" "vault" {
+  harness     = imagetest_harness_k3s.this
+  name        = "Vault"
+  description = "Integration test with RabbitMQ and Hashicorp Vault."
+
+  steps = [
+    {
+      name = "Create required namespace"
+      cmd  = <<EOF
+        kubectl create ns ${local.namespace}
+      EOF
+    },
+    {
+      name = "Helm deploy Vault"
+      cmd  = module.helm-vault.install_cmd
+    },
+    {
+      name = "Wait for deployment to finish, then run setup.sh script"
+      cmd  = <<EOF
+        sleep 5
+        kubectl wait --for=condition=Ready pod/vault-0 -n ${local.namespace}
+        chmod +x /tests/setup.sh
+        RABBITMQ_NAMESPACE=${local.namespace} /tests/setup.sh
+      EOF
+    },
+    {
+      name = "Depoly rabbit mq with custom default-user-credential-updater image"
+      cmd  = <<EOF
+        apk add kustomize
+cat > kustomization.yaml <<kust
+resources:
+- cgr.dev/chainguard/rabbitmq-cluster-operator
+patches:
+- patch: |-
+    - op: add
+      path: "/spec/template/spec/containers/0/env/-"
+      value: 
+        name: DEFAULT_USER_UPDATER_IMAGE
+        value: ${data.oci_string.ref.registry_repo}
+  target:
+    kind: Deployment
+    namespace: rabbitmq-system
+    name: rabbitmq-cluster-operator
+kust
+        kustomize build . | kubectl apply -f -
+        kubectl apply -f /tests/rabbitmq.yaml -n ${local.namespace}
+        sleep 30
+        kubectl wait --for=condition=Ready pod/vault-default-user-server-0 -n ${local.namespace} --timeout 600s
+      EOF
+    },
+    {
+      name = "Run test.sh script"
+      cmd  = <<EOF
+        apk add jq
+        chmod +x /tests/test.sh
+        RABBITMQ_NAMESPACE=${local.namespace}  /tests/test.sh
+      EOF
+    }
+  ]
+
+  labels = {
+    type = "k8s"
+  }
+}
diff --git a/images/rabbitmq-default-user-credential-updater/tests/rabbitmq.yaml b/images/rabbitmq-default-user-credential-updater/tests/rabbitmq.yaml
@@ -0,0 +1,16 @@
+# Adapted from https://github.com/rabbitmq/cluster-operator/blob/main/docs/examples/vault-default-user/rabbitmq.yaml
+# To test rabbitmq default-user-credential-updater with Hashicorp Vault
+apiVersion: rabbitmq.com/v1beta1
+kind: RabbitmqCluster
+metadata:
+  name: vault-default-user
+spec:
+  replicas: 3
+  secretBackend:
+    vault:
+      role: rabbitmq
+      # Optionally, set Vault annotations as listed in
+      # https://www.vaultproject.io/docs/platform/k8s/injector/annotations
+      annotations:
+        vault.hashicorp.com/template-static-secret-render-interval: "15s"
+      defaultUserPath: secret/data/rabbitmq/config
diff --git a/images/rabbitmq-default-user-credential-updater/tests/setup.sh b/images/rabbitmq-default-user-credential-updater/tests/setup.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Example setup script adapted from https://github.com/rabbitmq/cluster-operator/blob/main/docs/examples/vault-default-user/setup.sh
+# Used to test rabbitmq default-user-credential-updater with Hashicorp Vault
+
+set -euo pipefail
+
+RABBITMQ_NAMESPACE=${RABBITMQ_NAMESPACE:-'examples'}
+
+vault_exec () {
+    kubectl exec vault-0 -n $RABBITMQ_NAMESPACE -c vault -- /bin/sh -c "$*"
+}
+
+
+echo "Configuring K8s authentication..."
+# Required so that Vault init container and sidecar of RabbitmqCluster can authenticate with Vault.
+vault_exec "vault auth enable kubernetes"
+
+# In Kubernetes 1.21+ clusters, issuer may need to be configured as described in https://www.vaultproject.io/docs/auth/kubernetes#discovering-the-service-account-issuer
+# Otherwise, vault-agent-init container will output "error authenticating".
+# issuer=$(kubectl get --raw=http://127.0.0.1:8001/.well-known/openid-configuration | jq -r .issuer)
+# vault_exec "vault write auth/kubernetes/config issuer=\"$issuer\" token_reviewer_jwt=\"\$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" kubernetes_host=https://\${KUBERNETES_PORT_443_TCP_ADDR}:443 kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+vault_exec "vault write auth/kubernetes/config token_reviewer_jwt=\"\$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" kubernetes_host=https://\${KUBERNETES_PORT_443_TCP_ADDR}:443 kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+
+echo "Creating credentials for rabbitmq default user..."
+# Each RabbitMQ cluster may have its own secret path. Here we have a generic path secret/rabbitmq/config
+vault_exec "vault kv put secret/rabbitmq/config username='rabbitmq' password='pwd1'"
+
+# Create a policy that allows to read the default user credentials.
+# The path need to be referenced from the RabbitmqCluster CRD spec.secretBackend.vault.defaultUserPath
+vault_exec "vault policy write rabbitmq-policy - <<EOF
+path \"secret/data/rabbitmq/config\" {
+    capabilities = [\"read\"]
+}
+EOF
+"
+
+# Define a Vault role that need to be referenced from the RabbitmqCluster CRD spec.secretBackend.vault.role
+# Assign the previously created policy.
+# bound_service_account_names must be RabbitmqCluster's service account name.
+# Service account name follows the pattern "<RabbitmqCluster name>-server”.
+# bound_service_account_namespaces must be the namespace where the RabbitmqCluster will be deployed.
+vault_exec "vault write auth/kubernetes/role/rabbitmq bound_service_account_names=vault-default-user-server,vault-tls-server bound_service_account_namespaces=$RABBITMQ_NAMESPACE policies=rabbitmq-policy ttl=24h"