From ee9f39df78841ed4e2341aa553301d8c5f5542a5 Mon Sep 17 00:00:00 2001
From: Public copy <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 15 Oct 2024 17:04:56 +0000
Subject: [PATCH] automated commit

Signed-off-by: Public copy <41898282+github-actions[bot]@users.noreply.github.com>
---
 .terraform.lock.hcl                           |  16 +--
 .../tests/{ => agent-jmx}/fakeintake.yaml     |   0
 images/datadog-agent/tests/agent-jmx/main.tf  | 126 ++++++++++++++++++
 .../datadog-agent/tests/agent-jmx/tomcat.yaml |  40 ++++++
 .../datadog-agent/tests/agent/fakeintake.yaml |  39 ++++++
 .../datadog-agent/tests/{ => agent}/main.tf   |   4 +-
 images/docker-selenium/config/main.tf         |   1 +
 images/docker-selenium/tests/main.tf          |  36 ++++-
 images/docker-selenium/tests/smoke.sh         |  73 +++++-----
 images/gradle/config/main.tf                  |  67 +++++-----
 images/gradle/tests/build.sh                  |   2 +-
 images/gradle/tests/main.tf                   |  10 ++
 images/jdk/tests/main.tf                      |   2 +-
 images/maven/config/main.tf                   |  71 +++++-----
 main.tf                                       |  23 ++++
 tflib/publisher/providers.tf                  |   2 +-
 16 files changed, 385 insertions(+), 127 deletions(-)
 rename images/datadog-agent/tests/{ => agent-jmx}/fakeintake.yaml (100%)
 create mode 100644 images/datadog-agent/tests/agent-jmx/main.tf
 create mode 100644 images/datadog-agent/tests/agent-jmx/tomcat.yaml
 create mode 100644 images/datadog-agent/tests/agent/fakeintake.yaml
 rename images/datadog-agent/tests/{ => agent}/main.tf (97%)

diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index 7b1100ea75..e8653d84c8 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -44,16 +44,16 @@ provider "registry.terraform.io/chainguard-dev/cosign" {
 }
 
 provider "registry.terraform.io/chainguard-dev/imagetest" {
-  version     = "0.0.35"
-  constraints = "0.0.35"
+  version     = "0.0.39"
+  constraints = "0.0.39"
   hashes = [
-    "h1:EN/A506RLZ4JqZY9nyVkRH/ayiDsTHgdLtuwZqUtqcU=",
-    "h1:xcvWF1k+olybnGgCaKKI/tW6djPfvvPHxACbJazyw8M=",
-    "zh:7aa184ab554ea81e25c015474ec10c4e3ce9ce0d60693338b2bd55579095cc0f",
+    "h1:9CgfZVtlzeihlmYpUqsl8UNP/9p0znHZOXH4QmSntr0=",
+    "h1:RdZ3Eqcm1WczgiZsWQOqbpMbx8ShjQJMKAZCcYR1qLs=",
+    "zh:0bfeaae1460f9ccbe398e5540b7f341451c26bf310fb566ddff610c34cce9262",
+    "zh:24064f73dbd6c4f682fc7b04af8396af47dce4909b33fc3f0120256fe703cdf0",
     "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
-    "zh:99457d8f8d40ae98f7bec047ac04abf4e52e453c2f4f482c98406f505a5229b4",
-    "zh:aef8c30e8a09d5c1ca010ad96d2c29c647a4212cea3cc6ce4d3055b243c71f68",
-    "zh:b097bf6a12cacd23c6b324ade1b586389d91ec4b43acba2bb8e428f81452a5a7",
+    "zh:d74eaf7a8031a4573d624f183adad65559603bfc1e0b210c23610f99c38831c1",
+    "zh:fc0388808626cd63b54729054757ddf4efeaf4b7ced495f3c636907d6556cb20",
   ]
 }
 
diff --git a/images/datadog-agent/tests/fakeintake.yaml b/images/datadog-agent/tests/agent-jmx/fakeintake.yaml
similarity index 100%
rename from images/datadog-agent/tests/fakeintake.yaml
rename to images/datadog-agent/tests/agent-jmx/fakeintake.yaml
diff --git a/images/datadog-agent/tests/agent-jmx/main.tf b/images/datadog-agent/tests/agent-jmx/main.tf
new file mode 100644
index 0000000000..74918be393
--- /dev/null
+++ b/images/datadog-agent/tests/agent-jmx/main.tf
@@ -0,0 +1,126 @@
+terraform {
+  required_providers {
+    oci       = { source = "chainguard-dev/oci" }
+    imagetest = { source = "chainguard-dev/imagetest" }
+  }
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+locals { parsed = provider::oci::parse(var.digest) }
+
+variable "namespace" {
+  default = "datadog-agent-system"
+}
+
+data "imagetest_inventory" "this" {}
+
+resource "imagetest_harness_k3s" "this" {
+  name      = "datadog-agent-jmx"
+  inventory = data.imagetest_inventory.this
+
+  sandbox = {
+    mounts = [
+      {
+        source      = path.module
+        destination = "/tests"
+      }
+    ]
+    envs = {
+      "DATADOG_JMX_IMAGE" = "${local.parsed.registry_repo}:${local.parsed.pseudo_tag}"
+    }
+  }
+}
+
+module "helm-datadog-operator-thing" {
+  source = "../../../../tflib/imagetest/helm"
+
+  namespace = var.namespace
+  repo      = "https://helm.datadoghq.com"
+  chart     = "datadog-operator"
+
+  values = {
+    watchNamespaces : [""]
+    datadog = {
+      apiKey      = "dummy"
+      dd_url      = "http://fakeintake.${var.namespace}.svc.cluster.local"
+      clusterName = "chainguard"
+    }
+  }
+}
+
+resource "imagetest_feature" "basic-helm-operator" {
+  name        = "Basic"
+  description = "Basic datadog-agent-operator Helm install test"
+  harness     = imagetest_harness_k3s.this
+
+  steps = [
+    {
+      name = "Setup fakeintake"
+      cmd  = "kubectl apply --wait -f /tests/fakeintake.yaml"
+    },
+    {
+      name = "Helm install"
+      cmd  = module.helm-datadog-operator-thing.install_cmd
+    },
+    {
+      name  = "Check datadog-agent-operator pods"
+      cmd   = "kubectl wait --for=condition=Ready pods --all --namespace ${var.namespace}"
+      retry = { attempts = 5, delay = "10s" }
+    },
+    {
+      name = "Check datadog-agent pods"
+      cmd  = <<EOFagent
+        cat <<EOF > /tmp/datadog-agent.yaml
+apiVersion: "datadoghq.com/v2alpha1"
+kind: "DatadogAgent"
+metadata:
+  name: "datadog"
+spec:
+  global:
+    site: "http://fakeintake.${var.namespace}.svc.cluster.local"
+    clusterName: "chainguard"
+    credentials:
+      apiKey: "dummy"
+  override:
+    nodeAgent:
+      env:
+        - name: DD_HOSTNAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+      image:
+        name: $DATADOG_JMX_IMAGE
+        jmxEnabled: true
+EOF
+        kubectl apply -f /tmp/datadog-agent.yaml
+        kubectl get datadogagents
+        # wait until the agent is ready
+        kubectl wait --for=condition=Ready datadogagent/datadog --timeout=5m
+
+        # let's deploy a JMX application
+        kubectl apply -f /tests/tomcat.yaml
+
+        # wait until tomcat is ready
+        kubectl wait pod --for=condition=Ready tomcat-test --timeout 5m
+
+        # wait until jmx metrics are available
+        sleep 120
+
+        # get the name of the pod which has label agent.datadoghq.com/component=agent
+        AGENT_POD=$(kubectl get pods -l agent.datadoghq.com/component=agent -o jsonpath='{.items[0].metadata.name}')
+
+        echo "Agent pod: $AGENT_POD"
+        
+        # check if the JMX metrics are available
+        kubectl exec $AGENT_POD -c agent -- agent status "jmx fetch" | grep "status: OK"
+EOFagent
+    }
+  ]
+
+  labels = {
+    type = "k8s",
+  }
+}
diff --git a/images/datadog-agent/tests/agent-jmx/tomcat.yaml b/images/datadog-agent/tests/agent-jmx/tomcat.yaml
new file mode 100644
index 0000000000..183355776c
--- /dev/null
+++ b/images/datadog-agent/tests/agent-jmx/tomcat.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: tomcat-test
+  annotations:
+    ad.datadoghq.com/tomcat.checks: |
+      {
+        "tomcat": {
+          "init_config": {
+            "is_jmx": true,
+            "collect_default_metrics": true
+          },
+          "instances": [{
+            "host": "%%host%%",
+            "port": "9012"
+          }]
+        }
+      }      
+spec:
+  containers:
+    - name: tomcat
+      image: tomcat:8.0
+      imagePullPolicy: Always
+      ports:
+        - name: jmx-metrics
+          containerPort: 9012
+      env:
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: JAVA_OPTS
+          value: >-
+            -Dcom.sun.management.jmxremote
+            -Dcom.sun.management.jmxremote.authenticate=false
+            -Dcom.sun.management.jmxremote.ssl=false
+            -Dcom.sun.management.jmxremote.local.only=false
+            -Dcom.sun.management.jmxremote.port=9012
+            -Dcom.sun.management.jmxremote.rmi.port=9012
+            -Djava.rmi.server.hostname=$(POD_IP)            
diff --git a/images/datadog-agent/tests/agent/fakeintake.yaml b/images/datadog-agent/tests/agent/fakeintake.yaml
new file mode 100644
index 0000000000..fd182b436b
--- /dev/null
+++ b/images/datadog-agent/tests/agent/fakeintake.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: datadog-agent-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fakeintake
+  namespace: datadog-agent-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: fakeintake
+  template:
+    metadata:
+      labels:
+        app: fakeintake
+    spec:
+      containers:
+        - name: fakeintake
+          image: datadog/fakeintake
+          ports:
+            - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: fakeintake
+  namespace: datadog-agent-system
+spec:
+  type: ClusterIP
+  selector:
+    app: fakeintake
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
diff --git a/images/datadog-agent/tests/main.tf b/images/datadog-agent/tests/agent/main.tf
similarity index 97%
rename from images/datadog-agent/tests/main.tf
rename to images/datadog-agent/tests/agent/main.tf
index 7698f676f6..e79829ce7f 100644
--- a/images/datadog-agent/tests/main.tf
+++ b/images/datadog-agent/tests/agent/main.tf
@@ -36,7 +36,7 @@ resource "imagetest_harness_k3s" "this" {
 }
 
 module "helm" {
-  source = "../../../tflib/imagetest/helm"
+  source = "../../../../tflib/imagetest/helm"
 
   namespace = var.namespace
   repo      = "https://helm.datadoghq.com"
@@ -95,7 +95,7 @@ module "helm" {
   }
 }
 
-resource "imagetest_feature" "basic" {
+resource "imagetest_feature" "basic-helm" {
   name        = "Basic"
   description = "Basic datadog-agent Helm install test"
   harness     = imagetest_harness_k3s.this
diff --git a/images/docker-selenium/config/main.tf b/images/docker-selenium/config/main.tf
index 58503c1ade..a7655f5b6d 100644
--- a/images/docker-selenium/config/main.tf
+++ b/images/docker-selenium/config/main.tf
@@ -27,6 +27,7 @@ output "config" {
     contents = {
       packages = concat([
         "docker-selenium-supervisor-config",
+        "docker-selenium-standalone-chrome",
       ], var.extra_packages)
     }
     accounts = module.accts.block
diff --git a/images/docker-selenium/tests/main.tf b/images/docker-selenium/tests/main.tf
index 848784c465..5d5cb405c5 100644
--- a/images/docker-selenium/tests/main.tf
+++ b/images/docker-selenium/tests/main.tf
@@ -1,6 +1,7 @@
 terraform {
   required_providers {
-    oci = { source = "chainguard-dev/oci" }
+    imagetest = { source = "chainguard-dev/imagetest" }
+    oci       = { source = "chainguard-dev/oci" }
   }
 }
 
@@ -8,9 +9,34 @@ variable "digest" {
   description = "The image digest to run tests over."
 }
 
-locals { parsed = provider::oci::parse(var.digest) }
+data "imagetest_inventory" "inventory" {}
 
-data "oci_exec_test" "smoke" {
-  digest = var.digest
-  script = "${path.module}/smoke.sh"
+// Run a simple Docker test to verify the image is working.
+resource "imagetest_harness_docker" "docker" {
+  name      = "docker"
+  inventory = data.imagetest_inventory.inventory
+
+  envs = {
+    IMAGE_NAME : var.digest
+  }
+  mounts = [
+    {
+      source      = path.module
+      destination = "/tests"
+    }
+  ]
+}
+
+resource "imagetest_feature" "test" {
+  name    = "docker-test"
+  harness = imagetest_harness_docker.docker
+
+  steps = [{
+    name    = "basic test"
+    workdir = "/tests"
+    cmd     = <<EOF
+        ./smoke.sh
+      EOF
+    },
+  ]
 }
diff --git a/images/docker-selenium/tests/smoke.sh b/images/docker-selenium/tests/smoke.sh
index 5a2e13b51d..f42cf6b33a 100755
--- a/images/docker-selenium/tests/smoke.sh
+++ b/images/docker-selenium/tests/smoke.sh
@@ -2,11 +2,13 @@
 
 set -o errexit -o nounset -o errtrace -o pipefail -x
 
+apk add uuidgen curl jq netcat-openbsd
+
 CONTAINER_NAME="docker-selenium-$(uuidgen)"
 
-SELENIUM_PORT="${FREE_PORT}"
-NO_VNC_PORT="$((${SELENIUM_PORT} + 1))"
-VNC_PORT="$((${NO_VNC_PORT} + 1))"
+SELENIUM_PORT="4444"
+NO_VNC_PORT="7900"
+VNC_PORT="5900"
 
 # Start container
 docker run \
@@ -23,6 +25,32 @@ docker run \
 # Stop container when script exits
 trap "docker stop ${CONTAINER_NAME}" EXIT
 
+# Use curl container
+curl() {
+  docker run --network container:"${CONTAINER_NAME}" cgr.dev/chainguard/curl "$@"
+}
+
+# Function to dump logs and exit
+function dump_logs_and_exit {
+  echo "Dumping logs before exiting..."
+  docker logs "${CONTAINER_NAME}"
+  supervisor_logs=$(docker exec "${CONTAINER_NAME}" ls /var/log/supervisor || true)
+  for log in ${supervisor_logs}; do
+    docker exec "${CONTAINER_NAME}" cat "/var/log/supervisor/${log}" || true
+  done
+  exit 1
+}
+
+# Wait for Selenium to initialize (extended wait with loop)
+echo "Waiting for Selenium to be ready..."
+echo "Giving Selenium container a moment to start..."
+sleep 10
+
+echo "Waiting for Selenium to be ready with exponential backoff..."
+max_retries=10
+retry_count=0
+delay=5
+
 # Verify services are available
 echo "Checking if Selenium is ready..."
 if ! curl -vsL --retry-all-errors --retry 10 --retry-max-time 120 http://localhost:"${SELENIUM_PORT}"/status | jq -e '.value.ready == true'; then
@@ -37,41 +65,16 @@ echo "Checking if Selenium has 1 available node..."
 curl -vsL http://localhost:"${SELENIUM_PORT}"/status | jq '.value.nodes | length == 1'
 curl -vsL http://localhost:"${SELENIUM_PORT}"/status | jq '.value.nodes[0].avaibility == "UP"'
 
-echo "Checking noVNC availability..."
-nc -zv localhost "${NO_VNC_PORT}"
-
-# netcat may succeed but the noVNC page may not be available
-if ! curl -vsL --retry-all-errors --retry 2 --retry-max-time 10 localhost:"${NO_VNC_PORT}"; then
-  if [[ "$?" -eq "56" ]]; then
-    exit 1
-  fi
-fi
-
-# Check if container is still running
-if ! docker ps --filter "name=${CONTAINER_NAME}" --format '{{.Names}}' | grep -q "^${CONTAINER_NAME}$"; then
-  echo "FAILED: ${CONTAINER_NAME} is not running."
-  exit 1
+# Validate noVNC page
+if ! curl -vsL --retry 2 --retry-max-time 10 http://localhost:"${NO_VNC_PORT}"; then
+  echo "noVNC page is not available."
+  dump_logs_and_exit
 fi
 
-function dump_logs_and_exit {
-  echo "Dumping supervisor logs and exiting..."
-  supervisor_logs=$(docker exec "${CONTAINER_NAME}" ls /var/log/supervisor)
-  for log in ${supervisor_logs}; do
-    echo "Dumping supervisor log: ${log}"
-    docker exec "${CONTAINER_NAME}" cat "/var/log/supervisor/${log}" || true
-  done
-  container_logs=$(docker logs "${CONTAINER_NAME}")
-  echo "Dumping container logs: ${container_logs}"
-  exit 1
-}
-
+# Check for expected log messages
 logs=$(docker logs "${CONTAINER_NAME}" 2>&1)
-
-# Services that started by supervisor should have entered RUNNING state
 true_asserts=("xvfb entered RUNNING state" "vnc entered RUNNING state" "novnc entered RUNNING state" "selenium-standalone entered RUNNING state")
-
-# Services that started by supervisor should NOT have exited unexpectedly
-false_asserts=("WARN exited" "terminated by SIGTRAP", "not expected")
+false_asserts=("WARN exited" "terminated by SIGTRAP" "not expected")
 
 for assert in "${true_asserts[@]}"; do
   if ! echo "$logs" | grep -q "$assert"; then
@@ -87,4 +90,4 @@ for assert in "${false_asserts[@]}"; do
   fi
 done
 
-echo "All assertions passed."
+echo "All checks passed successfully."
diff --git a/images/gradle/config/main.tf b/images/gradle/config/main.tf
index 071334b510..e228d56aab 100644
--- a/images/gradle/config/main.tf
+++ b/images/gradle/config/main.tf
@@ -1,48 +1,45 @@
-locals {
-  baseline_packages = ["busybox", "glibc-locale-en"]
-}
-
-module "accts" {
-  name   = "gradle"
-  source = "../../../tflib/accts"
+variable "extra_packages" {
+  description = "The additional packages to install"
+  type        = list(string)
+  default     = []
 }
 
-terraform {
-  required_providers {
-    apko = { source = "chainguard-dev/apko" }
-  }
+variable "extra_environment" {
+  description = "Additional apko environment."
+  type        = map(string)
+  default     = {}
 }
 
-variable "extra_packages" {
-  default     = []
-  description = "The additional packages to install (e.g. gradle-8, openjdk-17)."
+module "accts" {
+  source = "../../../tflib/accts"
+  uid    = 65532
+  gid    = 65532
+  run-as = 65532
 }
 
 output "config" {
   value = jsonencode({
-    "contents" : {
-      // TODO: remove the need for using hardcoded local.baseline_packages by plumbing
-      // these packages through var.extra_packages in all callers of this config module
-      "packages" : distinct(concat(local.baseline_packages, var.extra_packages))
-    },
-    "entrypoint" : {
-      "command" : "/usr/bin/gradle"
-    },
-    "work-dir" : "/home/build",
-    "accounts" : module.accts.block,
-    "environment" : {
-      "JAVA_HOME" : "/usr/lib/jvm/default-jvm",
-      "LANG" : "en_US.UTF-8"
-    },
-    "paths" : [
+    contents = {
+      packages = concat([
+      ], var.extra_packages)
+    }
+    accounts = module.accts.block
+    entrypoint = {
+      command = "/usr/bin/gradle"
+    }
+    work-dir = "/home/build"
+    environment = merge({
+      JAVA_HOME = "/usr/lib/jvm/default-jvm"
+      LANG      = "en_US.UTF-8"
+    }, var.extra_environment)
+    paths = [
       {
-        "path" : "/home/build",
-        "type" : "directory",
-        "uid" : 65532,
-        "gid" : 65532,
-        "permissions" : 493
+        path        = "/home/build"
+        type        = "directory"
+        uid         = 65532
+        gid         = 65532
+        permissions = 493
       }
     ]
   })
 }
-
diff --git a/images/gradle/tests/build.sh b/images/gradle/tests/build.sh
index 32e719aaa9..eb38aa096b 100755
--- a/images/gradle/tests/build.sh
+++ b/images/gradle/tests/build.sh
@@ -2,4 +2,4 @@
 
 set -o errexit -o nounset -o errtrace -o pipefail -x
 
-docker run --rm --entrypoint "" "${IMAGE_NAME}" sh -c "gradle init --type java-application --test-framework junit-jupiter && gradle build"
+docker run --rm --entrypoint "" "${IMAGE_NAME}" sh -c "gradle init --type java-application --dsl kotlin --test-framework junit-jupiter --package my.project --project-name my-project --no-split-project --incubating --java-version ${JAVA_VERSION} && gradle build"
diff --git a/images/gradle/tests/main.tf b/images/gradle/tests/main.tf
index 17f17035fb..9d6b0e3a86 100644
--- a/images/gradle/tests/main.tf
+++ b/images/gradle/tests/main.tf
@@ -8,6 +8,10 @@ variable "digest" {
   description = "The image digest to run tests over."
 }
 
+variable "java-version" {
+  description = "Java version"
+}
+
 data "oci_exec_test" "version" {
   digest = var.digest
   script = "docker run --rm $IMAGE_NAME --version"
@@ -16,4 +20,10 @@ data "oci_exec_test" "version" {
 data "oci_exec_test" "build" {
   digest = var.digest
   script = "${path.module}/build.sh"
+  env = [
+    {
+      name  = "JAVA_VERSION"
+      value = var.java-version
+    }
+  ]
 }
diff --git a/images/jdk/tests/main.tf b/images/jdk/tests/main.tf
index 7709b8a3e7..385ab87f1f 100644
--- a/images/jdk/tests/main.tf
+++ b/images/jdk/tests/main.tf
@@ -22,7 +22,7 @@ variable "java-target-version" {
 
 data "oci_exec_test" "version" {
   digest = var.digest
-  script = "docker run --rm $IMAGE_NAME javac -version"
+  script = "docker run --entrypoint javac --rm $IMAGE_NAME -version"
 }
 
 module "jre-test" {
diff --git a/images/maven/config/main.tf b/images/maven/config/main.tf
index 9c4ef0db34..776cbc2821 100644
--- a/images/maven/config/main.tf
+++ b/images/maven/config/main.tf
@@ -1,52 +1,45 @@
-locals {
-  baseline_packages = ["busybox", "glibc-locale-en"]
-}
-
-module "accts" {
-  name   = "maven"
-  source = "../../../tflib/accts"
-}
-
-terraform {
-  required_providers {
-    apko = { source = "chainguard-dev/apko" }
-  }
-}
-
 variable "extra_packages" {
-  default     = ["maven", "openjdk-17", "openjdk-17-default-jvm"]
   description = "The additional packages to install"
+  type        = list(string)
+  default     = []
+}
+
+variable "extra_environment" {
+  description = "Additional apko environment."
+  type        = map(string)
+  default     = {}
 }
 
-variable "java_home" {
-  default     = "/usr/lib/jvm/java-17-openjdk"
-  description = "The JAVA_HOME to set"
+module "accts" {
+  source = "../../../tflib/accts"
+  uid    = 65532
+  gid    = 65532
+  run-as = 65532
 }
 
 output "config" {
   value = jsonencode({
-    "contents" : {
-      // TODO: remove the need for using hardcoded local.baseline_packages by plumbing
-      // these packages through var.extra_packages in all callers of this config module
-      "packages" : distinct(concat(local.baseline_packages, var.extra_packages))
-    },
-    "entrypoint" : {
-      "command" : "/usr/bin/mvn"
-    },
-    "work-dir" : "/home/build",
-    "accounts" : module.accts.block,
-    "environment" : {
-      "LANG" : "en_US.UTF-8"
-    },
-    "paths" : [
+    contents = {
+      packages = concat([
+      ], var.extra_packages)
+    }
+    accounts = module.accts.block
+    entrypoint = {
+      command = "/usr/bin/mvn"
+    }
+    work-dir = "/home/build"
+    environment = merge({
+      JAVA_HOME = "/usr/lib/jvm/default-jvm"
+      LANG      = "en_US.UTF-8"
+    }, var.extra_environment)
+    paths = [
       {
-        "path" : "/home/build",
-        "type" : "directory",
-        "uid" : 65532,
-        "gid" : 65532,
-        "permissions" : 493
+        path        = "/home/build"
+        type        = "directory"
+        uid         = 65532
+        gid         = 65532
+        permissions = 493
       }
     ]
   })
 }
-
diff --git a/main.tf b/main.tf
index 4c2bf5a293..72cc1ceba7 100644
--- a/main.tf
+++ b/main.tf
@@ -13,7 +13,30 @@ terraform {
   backend "inmem" {}
 }
 
+variable "tests_skip_all" {
+  type    = bool
+  default = false
+}
+
+variable "tests_include_by_label" {
+  type    = map(string)
+  default = {}
+}
+
+variable "tests_exclude_by_label" {
+  type    = map(string)
+  default = {}
+}
+
 provider "imagetest" {
+  repo = "${var.target_repository}/imagetest"
+
+  test_execution = {
+    skip_all_tests   = var.tests_skip_all
+    include_by_label = var.tests_include_by_label
+    exclude_by_label = var.tests_exclude_by_label
+  }
+
   log = {
     file = {
       directory = "imagetest-logs"
diff --git a/tflib/publisher/providers.tf b/tflib/publisher/providers.tf
index c6dfc5d558..588134069f 100644
--- a/tflib/publisher/providers.tf
+++ b/tflib/publisher/providers.tf
@@ -18,7 +18,7 @@ terraform {
     }
     imagetest = {
       source  = "chainguard-dev/imagetest"
-      version = "0.0.35"
+      version = "0.0.39"
     }
   }
 }