feat(images): Add Postgres Bitnami

Signed-off-by: RJ Sampson <rj.sampson@chainguard.dev>

images/postgres-bitnami/README.md

@@ -0,0 +1,32 @@
+<!--monopod:start-->
+# postgres-bitnami
+| | |
+| - | - |
+| **OCI Reference** | `cgr.dev/chainguard/postgres-bitnami` |
+
+
+* [View Image in Chainguard Academy](https://edu.chainguard.dev/chainguard/chainguard-images/reference/postgres-bitnami/overview/)
+* [View Image Catalog](https://console.enforce.dev/images/catalog) for a full list of available tags.
+* [Contact Chainguard](https://www.chainguard.dev/chainguard-images) for enterprise support, SLAs, and access to older tags.*
+
+---
+<!--monopod:end-->
+
+<!--overview:start-->
+Minimal PostgreSQL Bitnami image.
+<!--overview:end-->
+
+<!--getting:start-->
+## Download this Image
+The image is available on `cgr.dev`:
+
+```
+docker pull cgr.dev/chainguard/postgres-bitnami:latest
+```
+<!--getting:end-->
+
+<!--body:start-->
+This image provides PostgreSQL with bitnami compliance in place.
+
+The latest image and usage documentation can be found [here](https://github.com/chainguard-images/images/tree/main/images/postgres).
+<!--body:end-->

images/postgres-bitnami/config/main.tf

@@ -0,0 +1,19 @@
+terraform {
+  required_providers {
+    apko = { source = "chainguard-dev/apko" }
+  }
+}
+
+variable "extra_packages" {
+  description = "The additional packages to install (e.g. postgresql-15)."
+  default     = [""]
+}
+
+data "apko_config" "this" {
+  config_contents = file("${path.module}/template.apko.yaml")
+  extra_packages  = var.extra_packages
+}
+
+output "config" {
+  value = jsonencode(data.apko_config.this.config)
+}

images/postgres-bitnami/config/template.apko.yaml

@@ -0,0 +1,51 @@
+contents:
+  packages:
+    - glibc-locale-en
+    - busybox
+    - su-exec
+    # Postgres comes via var.extra_packages
+
+accounts:
+  groups:
+    - groupname: postgres
+      gid: 1001
+  users:
+    - username: postgres
+      uid: 1001
+      gid: 1001
+  run-as: 1001
+
+entrypoint:
+  command: /opt/bitnami/scripts/postgresql/entrypoint.sh /opt/bitnami/scripts/postgresql/run.sh
+
+environment:
+  PGDATA: /opt/bitnami/postgresql/data
+  # Postgres defers to locale and docker-library/postgres sets UTF-8 as default.
+  LANG: en_US.UTF-8
+  BITNAMI_APP_NAME: postgresql
+
+paths:
+  - path: /opt/bitnami/postgresql/data
+    type: directory
+    uid: 1001
+    gid: 1001
+    permissions: 0o755
+    recursive: true
+  - path: /opt/bitnami/postgresql/tmp
+    type: directory
+    uid: 1001
+    gid: 1001
+    permissions: 0o755
+    recursive: true
+  - path: /opt/bitnami/postgresql/logs
+    type: directory
+    uid: 1001
+    gid: 1001
+    permissions: 0o755
+    recursive: true
+  - path: /opt/bitnami/postgresql/conf
+    type: directory
+    uid: 1001
+    gid: 1001
+    permissions: 0o777
+    recursive: true

images/postgres-bitnami/main.tf

@@ -0,0 +1,46 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+module "latest-config" {
+  source = "./config"
+  extra_packages = [
+    "postgresql",
+    "postgresql-client",
+    "postgresql-oci-entrypoint",
+    "postgresql-contrib",
+    "postgresql-bitnami-compat",
+    "libpq",
+  ]
+}
+
+module "latest" {
+  source            = "../../tflib/publisher"
+  name              = basename(path.module)
+  target_repository = var.target_repository
+  config            = module.latest-config.config
+  build-dev         = true
+}
+
+module "latest-test" {
+  source = "./tests"
+  digest = module.latest.image_ref
+}
+
+resource "oci_tag" "latest" {
+  depends_on = [module.latest-test]
+  digest_ref = module.latest.image_ref
+  tag        = "latest"
+}
+
+resource "oci_tag" "latest-dev" {
+  depends_on = [module.latest-test]
+  digest_ref = module.latest.dev_ref
+  tag        = "latest-dev"
+}

images/postgres-bitnami/metadata.yaml

@@ -0,0 +1,12 @@
+name: postgres-bitnami
+image: cgr.dev/chainguard/postgres-bitnami
+logo: https://storage.googleapis.com/chainguard-academy/logos/postgres.svg
+endoflife: ""
+console_summary: ""
+short_description: Minimal PostgreSQL Bitnami image.
+compatibility_notes: ""
+readme_file: README.md
+upstream_url: https://www.postgresql.org/
+keywords:
+  - application
+  - databases

images/postgres-bitnami/tests/main.tf

@@ -0,0 +1,79 @@
+terraform {
+  required_providers {
+    oci       = { source = "chainguard-dev/oci" }
+    imagetest = { source = "chainguard-dev/imagetest" }
+  }
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+data "oci_string" "ref" { input = var.digest }
+
+data "imagetest_inventory" "this" {}
+
+resource "imagetest_harness_k3s" "this" {
+  name      = "postgres"
+  inventory = data.imagetest_inventory.this
+
+  sandbox = {
+    envs = {
+      "NAME" : "postgres"
+      "NAMESPACE" : "postgres"
+    }
+    mounts = [{
+      source      = path.module
+      destination = "/tests"
+    }]
+  }
+}
+
+module "helm" {
+  source = "../../../tflib/imagetest/helm"
+
+  name      = "postgres"
+  namespace = "postgres"
+  chart     = "oci://registry-1.docker.io/bitnamicharts/postgresql"
+
+  # https://artifacthub.io/packages/helm/bitnami/postgresql#securing-traffic-using-tls
+  values = {
+    image = {
+      registry   = data.oci_string.ref.registry
+      repository = data.oci_string.ref.repo
+      tag        = data.oci_string.ref.pseudo_tag
+      digest     = data.oci_string.ref.digest
+    }
+    volumePermissions = {
+      enabled = true
+    }
+    tls = {
+      enabled       = true
+      autoGenerated = true
+    }
+  }
+}
+
+resource "imagetest_feature" "basic" {
+  harness     = imagetest_harness_k3s.this
+  name        = "Basic"
+  description = "Basic functionality of the Postgres Helm chart."
+
+  steps = [
+    {
+      name = "Install Helm chart"
+      cmd  = module.helm.install_cmd
+    },
+    {
+      name    = "Postgres TLS test"
+      workdir = "/tests"
+      cmd     = <<EOF
+        ./tls.sh
+      EOF
+    },
+  ]
+
+  labels = {
+    type = "k8s"
+  }
+}

images/postgres-bitnami/tests/tls.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -o errexit -o nounset -o errtrace -o pipefail -x
+
+wait_for_pod() {
+  kubectl wait pod/"${NAME}"-postgresql-0 --for=condition=Ready --timeout=120s -n "${NAMESPACE}"
+}
+
+check_tls() {
+  # Add Postgres client utilities
+  apk add postgresql-client
+
+  # Copy autogenerated TLS certs
+  mkdir -p /certs
+  kubectl cp "${NAMESPACE}"/"${NAME}"-postgresql-0:/opt/bitnami/postgresql/certs /certs
+
+  # Forward port
+  kubectl port-forward service/"${NAME}"-postgresql -n "${NAMESPACE}" 5432:5432
+
+  # Validate TLS works
+  psql host="${NAME}"-postgresql."${NAME}".svc.cluster.local port=5432 \
+    sslmode=require sslcert=/certs/tls.crt sslkey=/certs/tls.key sslrootcert=/certs/ca.crt \
+    -c SELECT 1
+}
+
+# Run tests
+wait_for_pod
+check_tls