jitsucom-jitsu-{console,rotor}

images/jitsucom-jitsu/README.md

@@ -0,0 +1,56 @@
+<!--monopod:start-->
+# jitsucom-jitsu
+| | |
+| - | - |
+| **OCI Reference** | `cgr.dev/chainguard/jitsucom-jitsu` |
+
+
+* [View Image in Chainguard Academy](https://edu.chainguard.dev/chainguard/chainguard-images/reference/jitsucom-jitsu/overview/)
+* [View Image Catalog](https://console.enforce.dev/images/catalog) for a full list of available tags.
+* [Contact Chainguard](https://www.chainguard.dev/chainguard-images) for enterprise support, SLAs, and access to older tags.*
+
+---
+<!--monopod:end-->
+
+<!--overview:start-->
+Jitsu is an open-source Segment alternative. Fully-scriptable data ingestion engine for modern data teams. Set-up a real-time data pipeline in minutes, not days
+<!--overview:end-->
+
+<!--getting:start-->
+## Download this Image
+The image is available on `cgr.dev`:
+
+```
+docker pull cgr.dev/chainguard/jitsucom-jitsu:latest
+```
+<!--getting:end-->
+
+<!--body:start-->
+
+## Usage
+
+There is no official Helm chart providied for Jitsu, but you can use the following Helm chart to deploy Jitsu on your Kubernetes cluster.
+
+Here is the issue that they discussed: https://github.com/jitsucom/jitsu/issues/880
+
+And here is the Helm chart that you can use: https://github.com/stafftastic/jitsu-chart 
+
+which is the Helm chart we used to deploy Jitsu on Kubernetes during the tests.
+
+
+```yaml
+$ helm install jitsu oci://registry-1.docker.io/stafftasticcharts/jitsu -f-<<EOF
+console:
+  image:
+    repository: cgr.dev/chainguard/jitsucom-console
+    tag: latest
+    pullPolicy: IfNotPresent
+rotor:
+  image:
+    repository: cgr.dev/chainguard/jitsucom-rotor
+    tag: latest
+    pullPolicy: IfNotPresent
+EOF
+```
+
+<!--body:end-->

images/jitsucom-jitsu/TESTING.md

@@ -0,0 +1,123 @@
+# Testing Jitsu images
+
+Note: These images must be tested on an `amd64` system.
+
+### Deploying with Helm
+
+There is not an officially maintained Helm chart. We tested using an unofficial chart maintained [here](https://github.com/stafftastic/jitsu-chart).
+
+To deploy the chart using our images, run:
+
+```bash
+helm upgrade --install jitsu oci://registry-1.docker.io/stafftasticcharts/jitsu \
+    -n jitsu \
+    --create-namespace \
+    --set bulker.image.repository=cgr.dev/chainguard/jitsucom-bulker \
+    --set bulker.image.tag=latest \
+    --set console.image.repository=cgr.dev/chainguard/jitsucom-console \
+    --set console.image.tag=latest \
+    --set ingest.image.repository=cgr.dev/chainguard/jitsucom-ingest \
+    --set ingest.image.tag=latest \
+    --set rotor.image.repository=cgr.dev/chainguard/jitsucom-rotor \
+    --set rotor.image.tag=latest \
+    --set syncctl.image.repository=cgr.dev/chainguard/jitsucom-syncctl \
+    --set syncctl.image.tag=latest \
+    --set tokenGenerator.image.tag=1.30.0 # `:latest` tag doesn't not exist, so set to _latest_ version
+```
+
+Wait for the rollout to complete:
+
+```bash
+kubectl rollout status deployment/jitsu-bulker -n jitsu
+```
+
+Port-forward the console:
+
+```bash
+kubectl port-forward svc/jitsu-console <YOUR PORT>:3000 -n jitsu
+```
+
+The console should be accessible over `localhost:<YOUR PORT>`.
+
+### Deploying with Docker Compose
+
+There is an official compose maintained by Jitsucom [here](https://github.com/jitsucom/jitsu/blob/newjitsu/docker/docker-compose.yml) that carries over the same complications we had automating tests against the Helm chart.
+
+To deploy using the compose, fetch it:
+
+```bash
+wget https://raw.githubusercontent.com/jitsucom/jitsu/newjitsu/docker/docker-compose.yml -O docker-compose.yml
+```
+
+We need to replace the images used for the bulker, console, ingestor, rotor, and syncctl with our own. For example, to replace the console image with ours we can do this:
+
+```yaml
+console:
+  ...
+  image: cgr.dev/chainguard/console:latest
+```
+
+Now we can deploy it:
+
+```bash
+docker compose up -d
+```
+
+When health checks have completed, the console should be accessible over [localhost:3000](http://localhost:3000).
+
+### Complications automating tests
+
+Unfortunately, a number of problems were encountered while trying to automate tests for the Jitsu suite of images. Namely, when passing the auth tokens to both the official and unofficial images to utilize the provided APIs, they are rejected.
+
+If deployed with Helm, these are randomly generated by default. They can be retrieved as a secret:
+
+```bash
+kubectl get -n jitsu secrets jitsu-tokens -o yaml
+```
+
+You should see a list of auth tokens similar to this:
+
+```yaml
+  bulkerAuthToken: REg3M3dhb2F3OU5wcEZrUUl4UG5ZSWZUUXZHWkNma3Y=
+  consoleAuthToken: c2VydmljZS1hZG1pbi1hY2NvdW50OkR0WF8xanhPd3A1UXlyS25sSjJwQ0RPLWMyaW4yTEhq
+  ingestAuthToken: WmpwcnIwVkZoQ1B3cVNXN014OEluWWo0SjFKSGZSYVI=
+  rotorAuthToken: dFRmTXNBT3l1akdKY1dBaFZzVjRGVHpvTXd3R1d6U1A=
+  syncctlAuthToken: Z3NNbmJGcTlQR21jVU1LSXRzTUtCeVg3NHdkZkRpV0c=
+```
+
+Within the compose, you can set the auth token for images by setting the associated environment variable. For instance, for `bulker`, it can be set by running
+
+```bash
+export BULKER_TOKEN=...
+```
+
+We then tried to send a simple test event like this (along with several variations of the same test):
+
+```bash
+BULKER_AUTH_TOKEN=$(kubectl get -n jitsu secrets jitsu-tokens -o json | jq -r .data.bulkerAuthToken)
+TEST_HEADER=$(printf "Authorization: Bearer ${BULKER_AUTH_TOKEN}\nContent-type: application/json")
+curl -X POST "http://localhost:<PORT RUNNING BULKER>/api/v1/event" -H "${TEST_HEADER}" -d "${TEST_EVENT}"
+```
+
+And it consistently failed with:
+
+```
+{"error":"Invalid token: <OUR AUTH TOKEN>"}
+```
+
+It didn't matter whether we tested against bulker or any of the other Jitsu images; the result was the same. Manually setting these in the Helm chart and in the compose did not help.
+
+Entering the pods and performing tests after deployment was also a dead end. The binaries used within each container have limitations as far as what they are able to do. I.E., attempting to use the `bulker` binary will result in starting another server instance and there aren't any CLI options that provide additional behavior.
+
+We also tried overriding the seed email and password and authenticating with the console via curl:
+
+```yaml
+console:
+  config:
+    seedUserEmail: "john@doe.com"
+    seedUserPassword: "somepassword"
+```
+
+This failed as well.
+
+Luckily, behavior between our images and upstream in consistent. No disparities were found from what could be tested.

images/jitsucom-jitsu/configs/console/template.apko.yaml

@@ -0,0 +1,31 @@
+contents:
+  packages: [
+    "busybox",
+  ]
+
+accounts:
+  groups:
+    - groupname: nonroot
+      gid: 65532
+  users:
+    - username: nonroot
+      uid: 65532
+      gid: 65532
+  run-as: 65532
+
+paths:
+  - path: /app/
+    type: directory
+    permissions: 0o777
+    gid: 65532
+
+# Currently there are some packages required that are only available in
+# the x86_64 variety.
+archs:
+  - x86_64
+
+environment:
+  NODE_ENV: production
+
+entrypoint:
+  command: sh -c "/app/docker-start-console.sh"

images/jitsucom-jitsu/configs/main.tf

@@ -0,0 +1,24 @@
+terraform {
+  required_providers {
+    apko = { source = "chainguard-dev/apko" }
+  }
+}
+
+variable "extra_packages" {
+  description = "The additional packages to install"
+  default     = []
+}
+
+variable "name" {
+  description = "The name of the component"
+  default     = "console"
+}
+
+data "apko_config" "this" {
+  config_contents = file("${path.module}/${var.name}/template.apko.yaml")
+  extra_packages  = var.extra_packages
+}
+
+output "config" {
+  value = jsonencode(data.apko_config.this.config)
+}

images/jitsucom-jitsu/configs/rotor/template.apko.yaml

@@ -0,0 +1,29 @@
+contents:
+  packages: [
+    "busybox",
+  ]
+
+accounts:
+  groups:
+    - groupname: nonroot
+      gid: 65532
+  users:
+    - username: nonroot
+      uid: 65532
+      gid: 65532
+  run-as: 65532
+
+# Currently there are some packages required that are only available in
+# the x86_64 variety.
+archs:
+  - x86_64
+
+environment:
+  NODE_ENV: production  
+
+work-dir: /app
+
+entrypoint:
+  command: /usr/local/bin/docker-entrypoint.sh
+
+cmd: --no-node-snapshot --max-old-space-size=2048 main.js

images/jitsucom-jitsu/main.tf

@@ -0,0 +1,58 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+locals {
+  components = toset([
+    "console",
+    "rotor",
+  ])
+
+  # Upstream images are named `jitsucom-{component}`.
+  mangled_repository = replace(var.target_repository, "/jitsucom-jitsu", "/jitsucom")
+
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+module "config" {
+  for_each       = local.components
+  source         = "./configs"
+  name           = each.key
+  extra_packages = ["jitsucom-jitsu-${each.key}"]
+}
+
+module "jitsucom-jitsu" {
+  for_each          = local.components
+  source            = "../../tflib/publisher"
+  name              = basename(path.module)
+  target_repository = "${local.mangled_repository}-${each.key}"
+  config            = module.config[each.key].config
+
+  build-dev    = true
+  main_package = "jitsucom-jitsu-${each.key}"
+}
+
+module "test" {
+  source  = "./tests"
+  digests = { for k, v in module.jitsucom-jitsu : k => v.image_ref }
+}
+
+resource "oci_tag" "latest" {
+  for_each   = local.components
+  depends_on = [module.test]
+  digest_ref = module.jitsucom-jitsu[each.key].image_ref
+  tag        = "latest"
+}
+
+resource "oci_tag" "latest-dev" {
+  for_each   = local.components
+  depends_on = [module.test]
+  digest_ref = module.jitsucom-jitsu[each.key].dev_ref
+  tag        = "latest-dev"
+}
+

images/jitsucom-jitsu/metadata.yaml

@@ -0,0 +1,12 @@
+name: jitsucom-jitsu
+image: cgr.dev/chainguard/jitsucom-jitsu
+logo: https://storage.googleapis.com/chainguard-academy/logos/jitsucom-jitsu.svg
+endoflife: ""
+console_summary: ""
+short_description: Jitsu is an open-source Segment alternative. Fully-scriptable data ingestion engine for modern data teams. Set-up a real-time data pipeline in minutes, not days
+compatibility_notes: ""
+readme_file: README.md
+upstream_url: https://github.com/jitsucom/jitsu
+keywords:
+- jitsu
+- application