From 2985007430e0bd2da852b79cbcb9c32f6c3504bf Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Thu, 4 Jun 2026 14:37:52 -0700 Subject: [PATCH] Add native Dagger build for external-secrets (container.py) Localizes external-secrets off ghcr.io: clones the forge mirror at v2.2.0 and builds the single all_providers static Go binary, faithful to upstream's `make build`. ENTRYPOINT is the binary so the controller/webhook/cert-controller Deployments can select their role via args. Co-Authored-By: Claude Opus 4.8 (1M context) --- containers/external-secrets/container.py | 51 ++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 containers/external-secrets/container.py
diff --git a/containers/external-secrets/container.py b/containers/external-secrets/container.py
new file mode 100644
index 0000000..6be5765
--- /dev/null
+++ b/containers/external-secrets/container.py
@@ -0,0 +1,51 @@
+"""External Secrets Operator — native Dagger build.
+
+Two-stage build: Go binary (all providers), Alpine runtime.
+Source cloned from forge mirror.
+
+A single binary serves as the controller, webhook, and cert-controller; the
+Deployments select the role via a subcommand passed in `args:`, so the image
+ENTRYPOINT must be the binary itself (matching upstream's distroless image).
+"""
+
+import dagger
+
+from blumeops.containers import (
+ alpine_runtime,
+ clone_from_forge,
+ go_build,
+ oci_labels,
+)
+
+VERSION = "v2.2.0"
+
+
+async def build(src: dagger.Directory) -> dagger.Container:
+ source = clone_from_forge("external-secrets", VERSION)
+
+ # Upstream `make build` compiles every secret provider into a single
+ # static binary (`-tags all_providers`, CGO disabled). Mirror that so the
+ # local image is functionally identical to ghcr.io/.../external-secrets.
+ backend = go_build(
+ source,
+ "/external-secrets",
+ tags="all_providers",
+ )
+
+ runtime = alpine_runtime(
+ extra_apk=["ca-certificates"],
+ create_user=False,
+ )
+ runtime = oci_labels(
+ runtime,
+ title="External Secrets Operator",
+ description=(
+ "Kubernetes operator that integrates external secret management systems"
+ ),
+ version=VERSION,
+ )
+ return (
+ runtime.with_file("/bin/external-secrets", backend.file("/external-secrets"))
+ .with_user("65534")
+ .with_entrypoint(["/bin/external-secrets"])
+ )
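Review bot: `build` accepts `src: dagger.Directory` but never reads it — every input comes from `clone_from_forge("external-secrets", VERSION)` — so from this file's point of view the parameter is dead, and if the signature is a shared contract with the other container.py modules the function should say so rather than leave the next reader assuming `src` feeds the build. A one-line docstring would do: `"""Build the external-secrets image; `src` is unused because the source is cloned from the forge mirror at VERSION."""`. Separately, `VERSION = "v2.2.0"` is a tag, and a tag on the mirror can be moved after the fact; if `clone_from_forge` accepts a commit ref, pinning the exact commit behind v2.2.0 (or having the helper check the tag resolves to the expected commit) would make the build reproducible against the mirror rather than trusting whatever the tag points at on each run. Whether the helper already verifies the ref is not visible in this hunk.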