Merge branch 'main' into context-support

* main:
  fix: container binds syntax (testcontainers#2899)
  refactor(cockroachdb): to use request driven options (testcontainers#2883)
  chore(deps): bump actions/setup-go from 5.0.0 to 5.1.0 (testcontainers#2904)
  chore(deps): bump ossf/scorecard-action from 2.3.1 to 2.4.0 (testcontainers#2903)
  chore(deps): bump test-summary/action from 2.3 to 2.4 (testcontainers#2902)
  feat(wait): strategy walk (testcontainers#2895)
  feat(wait): tls strategy (testcontainers#2896)

.github/workflows/ci-test-go.yml

@@ -65,7 +65,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
 
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
         with:
             go-version: '${{ inputs.go-version }}'
             cache-dependency-path: '${{ inputs.project-directory }}/go.sum'
@@ -141,7 +141,7 @@ jobs:
             ./scripts/check_environment.sh
 
       - name: Test Summary
-        uses: test-summary/action@032c8a9cec6aaa3c20228112cae6ca10a3b29336 # v2.3
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
         with:
             paths: "**/${{ inputs.project-directory }}/TEST-unit*.xml"
         if: always()

.github/workflows/ci-windows.yml

@@ -31,7 +31,7 @@ jobs:
           ref: ${{ github.event.client_payload.pull_request.head.ref }}
 
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
         with:
           go-version-file: go.mod
         id: go

.github/workflows/docker-moby-latest.yml

@@ -25,7 +25,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
 
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
         with:
             go-version-file: 'go.mod'
             cache-dependency-path: 'go.sum'

.github/workflows/scorecards.yml

@@ -25,7 +25,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif

container.go

@@ -532,7 +532,7 @@ func (c *ContainerRequest) validateMounts() error {
 	if len(hostConfig.Binds) > 0 {
 		for _, bind := range hostConfig.Binds {
 			parts := strings.Split(bind, ":")
-			if len(parts) != 2 {
+			if len(parts) != 2 && len(parts) != 3 {
 				return fmt.Errorf("%w: %s", ErrInvalidBindMount, bind)
 			}
 			targetPath := parts[1]

container_test.go

@@ -73,11 +73,33 @@ func Test_ContainerValidation(t *testing.T) {
 		},
 		{
 			Name:          "Invalid bind mount",
-			ExpectedError: "invalid bind mount: /data:/data:/data",
+			ExpectedError: "invalid bind mount: /data:/data:a:b",
 			ContainerRequest: testcontainers.ContainerRequest{
 				Image: "redis:latest",
 				HostConfigModifier: func(hc *container.HostConfig) {
-					hc.Binds = []string{"/data:/data:/data"}
+					hc.Binds = []string{"/data:/data:a:b"}
+				},
+			},
+		},
+		{
+			Name: "bind-options/provided",
+			ContainerRequest: testcontainers.ContainerRequest{
+				Image: "redis:latest",
+				HostConfigModifier: func(hc *container.HostConfig) {
+					hc.Binds = []string{
+						"/a:/a:nocopy",
+						"/b:/b:ro",
+						"/c:/c:rw",
+						"/d:/d:z",
+						"/e:/e:Z",
+						"/f:/f:shared",
+						"/g:/g:rshared",
+						"/h:/h:slave",
+						"/i:/i:rslave",
+						"/j:/j:private",
+						"/k:/k:rprivate",
+						"/l:/l:ro,z,shared",
+					}
 				},
 			},
 		},

docs/features/tls.md

@@ -12,6 +12,6 @@ The example will also create a client that will connect to the server using the
 demonstrating how to use the generated certificate to communicate with a service.
 
 <!--codeinclude-->
-[Create a self-signed certificate](../../modules/cockroachdb/certs.go) inside_block:exampleSelfSignedCert
-[Sign a self-signed certificate](../../modules/cockroachdb/certs.go) inside_block:exampleSignSelfSignedCert
+[Create a self-signed certificate](../../modules/rabbitmq/examples_test.go) inside_block:exampleSelfSignedCert
+[Sign a self-signed certificate](../../modules/rabbitmq/examples_test.go) inside_block:exampleSignSelfSignedCert
 <!--/codeinclude-->

docs/features/wait/introduction.md

@@ -15,6 +15,7 @@ Below you can find a list of the available wait strategies that you can use:
 - [Log](./log.md)
 - [Multi](./multi.md)
 - [SQL](./sql.md)
+- [TLS](./tls.md)
 
 ## Startup timeout and Poll interval
 
@@ -25,3 +26,8 @@ If the default 60s timeout is not sufficient, it can be updated with the `WithSt
 Besides that, it's possible to define a poll interval, which will actually stop 100 milliseconds the test execution.
 
 If the default 100 milliseconds poll interval is not sufficient, it can be updated with the `WithPollInterval(pollInterval time.Duration)` function.
+
+## Modifying request strategies
+
+It's possible for options to modify `ContainerRequest.WaitingFor` using
+[Walk](walk.md).

docs/features/wait/tls.md

@@ -0,0 +1,31 @@
+# TLS Strategy
+
+TLS Strategy waits for one or more files to exist in the container and uses them
+and other details to construct a `tls.Config` which can be used to create secure
+connections.
+
+It supports:
+
+- x509 PEM Certificate loaded from a certificate / key file pair.
+- Root Certificate Authorities aka RootCAs loaded from PEM encoded files.
+- Server name.
+- Startup timeout to be used in seconds, default is 60 seconds.
+- Poll interval to be used in milliseconds, default is 100 milliseconds.
+
+## Waiting for certificate pair
+
+The following snippets show how to configure a request to wait for certificate
+pair to exist once started and then read the
+[tls.Config](https://pkg.go.dev/crypto/tls#Config), alongside how to copy a test
+certificate pair into a container image using a `Dockerfile`.
+
+It should be noted that copying certificate pairs into an images is only an
+example which might be useful for testing with testcontainers-go and should not
+be done with production images as that could expose your certificates if your
+images become public.
+
+<!--codeinclude-->
+[Wait for certificate](../../../wait/tls_test.go) inside_block:waitForTLSCert
+[Read TLS Config](../../../wait/tls_test.go) inside_block:waitTLSConfig
+[Dockerfile with certificate](../../../wait/testdata/http/Dockerfile)
+<!--/codeinclude-->

docs/features/wait/walk.md

@@ -0,0 +1,19 @@
+# Walk
+
+Walk walks the strategies tree and calls the visit function for each node.
+
+This allows modules to easily amend default wait strategies, updating or
+removing specific strategies based on requirements of functional options.
+
+For example removing a TLS strategy if a functional option enabled insecure mode
+or changing the location of the certificate based on the configured user.
+
+If visit function returns `wait.VisitStop`, the walk stops.
+If visit function returns `wait.VisitRemove`, the current node is removed.
+
+## Walk removing entries
+
+The following example shows how to remove a strategy based on its type.
+<!--codeinclude-->
+[Remove FileStrategy entries](../../../wait/walk_test.go) inside_block:walkRemoveFileStrategy
+<!--/codeinclude-->

docs/modules/cockroachdb.md

@@ -10,7 +10,7 @@ The Testcontainers module for CockroachDB.
 
 Please run the following command to add the CockroachDB module to your Go dependencies:
 
-```
+```shell
 go get github.com/testcontainers/testcontainers-go/modules/cockroachdb
 ```
 
@@ -54,23 +54,33 @@ E.g. `Run(context.Background(), "cockroachdb/cockroach:latest-v23.1")`.
 
 Set the database that is created & dialled with `cockroachdb.WithDatabase`.
 
-#### Password authentication
+#### User and Password
+
+You can configured the container to create a user with a password by setting `cockroachdb.WithUser` and `cockroachdb.WithPassword`.
 
-Disable insecure mode and connect with password authentication by setting `cockroachdb.WithUser` and `cockroachdb.WithPassword`.
+`cockroachdb.WithPassword` is incompatible with `cockroachdb.WithInsecure`.
 
 #### Store size
 
 Control the maximum amount of memory used for storage, by default this is 100% but can be changed by provided a valid option to `WithStoreSize`. Checkout https://www.cockroachlabs.com/docs/stable/cockroach-start#store for the full range of options available.
 
 #### TLS authentication
 
-`cockroachdb.WithTLS` lets you provide the CA certificate along with the certicate and key for the node & clients to connect with.
-Internally CockroachDB requires a client certificate for the user to connect with.
+`cockroachdb.WithInsecure` lets you disable the use of TLS on connections.
+
+`cockroachdb.WithInsecure` is incompatible with `cockroachdb.WithPassword`.
+
+#### Initialization Scripts
+
+`cockroachdb.WithInitScripts` adds the given scripts to those automatically run when the container starts.
+These will be ignored if data exists in the `/cockroach/cockroach-data` directory within the container.
 
-A helper `cockroachdb.NewTLSConfig` exists to generate all of this for you.
+`cockroachdb.WithNoClusterDefaults` disables the default cluster settings script.
 
-!!!warning
-    When TLS is enabled there's a very small, unlikely chance that the underlying driver can panic when registering the driver as part of waiting for CockroachDB to be ready to accept connections. If this is repeatedly happening please open an issue.
+Without this option Cockroach containers run `data/cluster-defaults.sql` on startup
+which configures the settings recommended by Cockroach Labs for
+[local testing clusters](https://www.cockroachlabs.com/docs/stable/local-testing)
+unless data exists in the `/cockroach/cockroach-data` directory within the container.
 
 ### Container Methods
 
@@ -87,3 +97,10 @@ Same as `ConnectionString` but any error to generate the address will raise a pa
 #### TLSConfig
 
 Returns `*tls.Config` setup to allow you to dial your client over TLS, if enabled, else this will error with `cockroachdb.ErrTLSNotEnabled`.
+
+!!!info
+    The `TLSConfig()` function is deprecated and will be removed in the next major release of _Testcontainers for Go_.
+
+#### ConnectionConfig
+
+Returns `*pgx.ConnConfig` which can be passed to `pgx.ConnectConfig` to open a new connection.

mkdocs.yml

@@ -64,6 +64,8 @@ nav:
             - Log: features/wait/log.md
             - Multi: features/wait/multi.md
             - SQL: features/wait/sql.md
+            - TLS: features/wait/tls.md
+            - Walk: features/wait/walk.md
     - Modules:
         - modules/index.md
         - modules/artemis.md