Add multi-arch test-tools container image (#11)

* Add multi-arch test-tools container image

Adds a minimal container image (wolfi-base + curl + jq) for use by
helm test pods. Runs as non-root (UID 65532). CI workflow builds
linux/amd64 and linux/arm64, pushes to ghcr.io/disentangle-network/test-tools,
and includes Trivy scan, cosign signature, and SBOM attachment.

* switch test pods to wolfi-based test-tools image

Replace alpine/curl with ghcr.io/disentangle-network/test-tools
(Chainguard wolfi-base + curl + jq). Removes runtime apk add
calls that fail under non-root securityContext. Updates runAsUser
to 65532 (Chainguard nonroot). Regenerates golden files.

---------

Co-authored-by: Larsen Close <lclose@quovis.io>

Author: disentangle-network

.github/workflows/test-tools.yml

@@ -0,0 +1,85 @@
+name: Test Tools Image
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'test-tools/**'
+    tags:
+      - 'test-tools-v*'
+
+jobs:
+  build-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Determine tags
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/disentangle-network/test-tools
+          tags: |
+            type=match,pattern=test-tools-v(.*),group=1
+            type=raw,value=latest
+
+      - name: Build and push multi-arch image
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: ./test-tools
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ghcr.io/disentangle-network/test-tools:latest
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
+
+      - name: Upload Trivy scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Sign image by digest
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: |
+          cosign sign --yes ghcr.io/disentangle-network/test-tools@${{ steps.build.outputs.digest }}
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/disentangle-network/test-tools:latest
+          format: spdx-json
+          output-file: sbom.spdx.json
+
+      - name: Attach SBOM to image
+        run: |
+          cosign attach sbom --sbom sbom.spdx.json ghcr.io/disentangle-network/test-tools@${{ steps.build.outputs.digest }}

helm/disentangle/templates/tests/test-connection.yaml

@@ -12,10 +12,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-connection
-    image: alpine/curl:8.12.1
+    image: "{{ .Values.testImage.repository }}:{{ .Values.testImage.tag }}"
+    imagePullPolicy: {{ .Values.testImage.pullPolicy }}
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:

helm/disentangle/templates/tests/test-genesis-sync.yaml

@@ -12,10 +12,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-genesis
-    image: alpine/curl:8.12.1
+    image: "{{ .Values.testImage.repository }}:{{ .Values.testImage.tag }}"
+    imagePullPolicy: {{ .Values.testImage.pullPolicy }}
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:
@@ -32,7 +33,6 @@ spec:
       - -c
       - |
         set -e
-        apk add --no-cache jq > /dev/null 2>&1
 
         echo "=== Disentangle Genesis Sync Test ==="
 

helm/disentangle/templates/tests/test-rpc-api.yaml

@@ -12,10 +12,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-rpc
-    image: alpine/curl:8.12.1
+    image: "{{ .Values.testImage.repository }}:{{ .Values.testImage.tag }}"
+    imagePullPolicy: {{ .Values.testImage.pullPolicy }}
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:
@@ -32,7 +33,6 @@ spec:
       - -c
       - |
         set -e
-        apk add --no-cache jq > /dev/null 2>&1
 
         echo "=== Disentangle RPC API Test ==="
 

helm/disentangle/values.yaml

@@ -7,6 +7,12 @@ image:
   tag: ""  # defaults to appVersion from Chart.yaml
   pullPolicy: IfNotPresent
 
+# Test image (includes curl + jq; no runtime apk needed)
+testImage:
+  repository: ghcr.io/disentangle-network/test-tools
+  tag: "latest"
+  pullPolicy: IfNotPresent
+
 # Network configuration
 nodes:
   count: 5           # Number of nodes in the network

test-tools/Dockerfile

@@ -0,0 +1,4 @@
+FROM cgr.dev/chainguard/wolfi-base:latest
+RUN apk update && apk add --no-cache curl jq && rm -rf /var/cache/apk/*
+USER 65532
+ENTRYPOINT ["/bin/sh"]

tests/golden/custom-resources.yaml

@@ -230,10 +230,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-connection
-    image: alpine/curl:8.12.1
+    image: "ghcr.io/disentangle-network/test-tools:latest"
+    imagePullPolicy: IfNotPresent
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:
@@ -309,10 +310,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-genesis
-    image: alpine/curl:8.12.1
+    image: "ghcr.io/disentangle-network/test-tools:latest"
+    imagePullPolicy: IfNotPresent
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:
@@ -329,7 +331,6 @@ spec:
       - -c
       - |
         set -e
-        apk add --no-cache jq > /dev/null 2>&1
 
         echo "=== Disentangle Genesis Sync Test ==="
 
@@ -397,10 +398,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-rpc
-    image: alpine/curl:8.12.1
+    image: "ghcr.io/disentangle-network/test-tools:latest"
+    imagePullPolicy: IfNotPresent
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:
@@ -417,7 +419,6 @@ spec:
       - -c
       - |
         set -e
-        apk add --no-cache jq > /dev/null 2>&1
 
         echo "=== Disentangle RPC API Test ==="
 

tests/golden/default.yaml

@@ -230,10 +230,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-connection
-    image: alpine/curl:8.12.1
+    image: "ghcr.io/disentangle-network/test-tools:latest"
+    imagePullPolicy: IfNotPresent
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:
@@ -309,10 +310,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-genesis
-    image: alpine/curl:8.12.1
+    image: "ghcr.io/disentangle-network/test-tools:latest"
+    imagePullPolicy: IfNotPresent
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:
@@ -329,7 +331,6 @@ spec:
       - -c
       - |
         set -e
-        apk add --no-cache jq > /dev/null 2>&1
 
         echo "=== Disentangle Genesis Sync Test ==="
 
@@ -397,10 +398,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-rpc
-    image: alpine/curl:8.12.1
+    image: "ghcr.io/disentangle-network/test-tools:latest"
+    imagePullPolicy: IfNotPresent
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:
@@ -417,7 +419,6 @@ spec:
       - -c
       - |
         set -e
-        apk add --no-cache jq > /dev/null 2>&1
 
         echo "=== Disentangle RPC API Test ==="
 

tests/golden/full-features.yaml

@@ -338,10 +338,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-connection
-    image: alpine/curl:8.12.1
+    image: "ghcr.io/disentangle-network/test-tools:latest"
+    imagePullPolicy: IfNotPresent
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:
@@ -417,10 +418,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-genesis
-    image: alpine/curl:8.12.1
+    image: "ghcr.io/disentangle-network/test-tools:latest"
+    imagePullPolicy: IfNotPresent
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:
@@ -437,7 +439,6 @@ spec:
       - -c
       - |
         set -e
-        apk add --no-cache jq > /dev/null 2>&1
 
         echo "=== Disentangle Genesis Sync Test ==="
 
@@ -505,10 +506,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-rpc
-    image: alpine/curl:8.12.1
+    image: "ghcr.io/disentangle-network/test-tools:latest"
+    imagePullPolicy: IfNotPresent
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:
@@ -525,7 +527,6 @@ spec:
       - -c
       - |
         set -e
-        apk add --no-cache jq > /dev/null 2>&1
 
         echo "=== Disentangle RPC API Test ==="
 

tests/golden/minimal.yaml

@@ -224,10 +224,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-connection
-    image: alpine/curl:8.12.1
+    image: "ghcr.io/disentangle-network/test-tools:latest"
+    imagePullPolicy: IfNotPresent
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:
@@ -303,10 +304,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-genesis
-    image: alpine/curl:8.12.1
+    image: "ghcr.io/disentangle-network/test-tools:latest"
+    imagePullPolicy: IfNotPresent
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:
@@ -323,7 +325,6 @@ spec:
       - -c
       - |
         set -e
-        apk add --no-cache jq > /dev/null 2>&1
 
         echo "=== Disentangle Genesis Sync Test ==="
 
@@ -391,10 +392,11 @@ spec:
   restartPolicy: Never
   containers:
   - name: test-rpc
-    image: alpine/curl:8.12.1
+    image: "ghcr.io/disentangle-network/test-tools:latest"
+    imagePullPolicy: IfNotPresent
     securityContext:
       runAsNonRoot: true
-      runAsUser: 65534
+      runAsUser: 65532
       allowPrivilegeEscalation: false
 
       capabilities:
@@ -411,7 +413,6 @@ spec:
       - -c
       - |
         set -e
-        apk add --no-cache jq > /dev/null 2>&1
 
         echo "=== Disentangle RPC API Test ==="