Merge branch 'main' into modernify-keda

.github/workflows/digestabot.yaml

@@ -19,7 +19,7 @@ jobs:
       id-token: write # To gitsign and federate
 
     steps:
-    - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+    - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
       with:
         egress-policy: audit
 

.github/workflows/presubmit-build.yaml

@@ -20,7 +20,7 @@ jobs:
   shard:
     runs-on: ubuntu-latest
     steps:
-    - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+    - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
       with:
         egress-policy: audit
 
@@ -114,7 +114,7 @@ jobs:
         shard: ${{ fromJson(needs.shard.outputs.shard_matrix) }}
 
     steps:
-    - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+    - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
       with:
         egress-policy: audit
 
@@ -204,7 +204,7 @@ jobs:
     runs-on: ubuntu-latest
     if: always()
     steps:
-      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
         with:
           egress-policy: audit
 

.github/workflows/presubmit-readme.yaml

@@ -4,7 +4,7 @@ jobs:
   presubmit-readme:
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
         with:
           egress-policy: audit
 

.github/workflows/release.yaml

@@ -29,7 +29,7 @@ jobs:
   shard:
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
         with:
           egress-policy: audit
 
@@ -84,7 +84,7 @@ jobs:
       contents: read
       actions: read
     steps:
-      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
         with:
           egress-policy: audit
 
@@ -173,7 +173,7 @@ jobs:
     needs: build
 
     steps:
-      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
         with:
           egress-policy: audit
 

.github/workflows/withdraw-images.yaml

@@ -16,7 +16,7 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
         with:
           egress-policy: audit
 

.github/workflows/withdraw-repos.yaml

@@ -16,7 +16,7 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
         with:
           egress-policy: audit
 

images/datadog-agent/config/agent/latest.apko.yaml

@@ -1,3 +1,8 @@
+contents:
+  packages:
+    - busybox
+    - datadog-agent-oci-compat
+
 accounts:
   groups:
     - groupname: nonroot
@@ -6,7 +11,8 @@ accounts:
     - username: nonroot
       uid: 65532
       gid: 65532
-  run-as: 65532
+  # by default, datadog-agent performs system monitoring and needs privilege
+  run-as: 0
 
 paths:
   - path: /etc/datadog-agent
@@ -21,6 +27,12 @@ paths:
     gid: 65532
     permissions: 0o755
     recursive: true
+  - path: /etc/s6
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0o755
+    recursive: true
 
 volumes:
   - /var/run/s6

images/datadog-agent/config/agent/main.tf

@@ -6,7 +6,7 @@ terraform {
 
 variable "extra_packages" {
   description = "The additional packages to install"
-  default     = ["datadog-agent", "datadog-agent-oci-compat"]
+  default     = ["datadog-agent"]
 }
 
 data "apko_config" "this" {

images/eck-operator/README.md

@@ -0,0 +1,101 @@
+<!--monopod:start-->
+# eck-operator
+| | |
+| - | - |
+| **OCI Reference** | `cgr.dev/chainguard/eck-operator` |
+
+
+* [View Image in Chainguard Academy](https://edu.chainguard.dev/chainguard/chainguard-images/reference/eck-operator/overview/)
+* [View Image Catalog](https://console.enforce.dev/images/catalog) for a full list of available tags.
+* [Contact Chainguard](https://www.chainguard.dev/chainguard-images) for enterprise support, SLAs, and access to older tags.*
+
+---
+<!--monopod:end-->
+
+<!--overview:start-->
+Elastic Cloud on Kubernetes
+<!--overview:end-->
+
+<!--getting:start-->
+## Download this Image
+The image is available on `cgr.dev`:
+
+```
+docker pull cgr.dev/chainguard/eck-operator:latest
+```
+<!--getting:end-->
+
+<!--body:start-->
+
+## Usage
+
+There are several ways to deploy the ECK operator. You can follow up the [Quickstart guide](https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-quickstart.html) or you can use the [Helm Chart](https://artifacthub.io/packages/helm/elastic/eck-operator) available in Artifact Hub to deploy the operator.
+
+The following example is going to show how to deploy the ECK operator using a its Helm Chart.
+
+### Deploy the ECK operator using Helm
+
+1. Add the Elastic Helm repository:
+
+```bash
+helm repo add elastic https://helm.elastic.co
+```
+
+2. Install the ECK operator:
+
+```bash
+
+helm install elastic-operator elastic/eck-operator --namespace elastic-system --set image.repository=cgr.dev/chainguard/eck-operator --set image.tag=latest
+```
+
+### Deploy an Elasticsearch cluster
+
+1. Create a file called `elasticsearch.yaml` with the following content:
+
+```yaml
+apiVersion: elasticsearch.k8s.elastic.co/v1
+kind: Elasticsearch
+metadata:
+  name: quickstart
+spec:
+  version: 8.13.3
+  nodeSets:
+  - name: default
+    count: 1
+    config:
+      node.store.allow_mmap: false
+```
+
+2. Deploy the Elasticsearch cluster:
+
+```
+kubectl apply -f elasticsearch.yaml
+```
+
+3. Check the Elasticsearch cluster status:
+
+```
+kubectl get elasticsearch quickstart -o=jsonpath='{.status.phase}'
+```
+
+4. Access the Elasticsearch cluster:
+
+```
+kubectl port-forward service/quickstart-es-http 9200
+```
+
+5. Get the password for the `elastic` user:
+
+```
+PASSWORD=$(kubectl get secret quickstart-es-elastic-user -o=jsonpath='{.data.elastic}' | base64 --decode)
+```
+
+6. Access the Elasticsearch cluster using curl:
+
+```
+curl -u "elastic:$PASSWORD" -k "https://localhost:9200"
+```
+
+That's it! You have deployed an Elasticsearch cluster using the ECK operator.
+
+<!--body:end-->

images/eck-operator/config/main.tf

@@ -0,0 +1,42 @@
+terraform {
+  required_providers {
+    apko = { source = "chainguard-dev/apko" }
+  }
+}
+
+variable "extra_packages" {
+  description = "The additional packages to install"
+  // TODO: Add any other packages here you want to conditionally include,
+  // or update this default to [] if this isn't a version stream image.
+  default = [
+    "eck-operator",
+    // Other packages your image needs
+  ]
+}
+
+variable "extra_repositories" {
+  description = "The additional repositores to install from (e.g. extras)."
+  default     = ["https://packages.cgr.dev/extras"]
+}
+
+variable "extra_keyring" {
+  description = "The additional keys to use (e.g. extras)."
+  default     = ["https://packages.cgr.dev/extras/chainguard-extras.rsa.pub"]
+}
+
+module "accts" { source = "../../../tflib/accts" }
+
+output "config" {
+  value = jsonencode({
+    contents = {
+      packages     = var.extra_packages
+      repositories = var.extra_repositories
+      keyring      = var.extra_keyring
+    }
+    accounts = module.accts.block
+    entrypoint = {
+      command = "/elastic-operator"
+    }
+    cmd = "manager"
+  })
+}