diff --git a/tasks/before-pipeline/task.yaml b/tasks/before-pipeline/task.yaml
index c5eabdf..fbea5ac 100644
--- a/tasks/before-pipeline/task.yaml
+++ b/tasks/before-pipeline/task.yaml
@@ -32,5 +32,6 @@ spec:
 #!/bin/bash
 workingFolder="$(params.workingFolderPrefix)-$(date +%s)-$(head /dev/urandom | tr -dc a-z0-9 | head -c 6)"
 mkdir -p /workspace/shared/${workingFolder}
+ mkdir -p /workspace/shared/${workingFolder}/___HOME___
 echo "Created folder: ${workingFolder}"
 echo -n "${workingFolder}" > $(results.workingFolder.path)
diff --git a/tasks/docker-registry/task.yaml b/tasks/docker-registry/task.yaml
index 82c6fa9..7cf2a12 100644
--- a/tasks/docker-registry/task.yaml
+++ b/tasks/docker-registry/task.yaml
@@ -87,14 +87,10 @@ spec:
 value: /tekton/home/.docker
 command:
 - /kaniko/executor
- args: |-
- {{- range splitList " " .Params.kanikoArgsList }}
- - '{{ . }}'
- {{- end }}
+ args:
 - --dockerfile=$(params.dockerfile)
 - --context=$(params.context)
 - --destination=$(params.imageName):$(params.tag)
 - --skip-tls-verify
 - --verbosity=info
 - --reproducible
-
diff --git a/tasks/secret-extract-kaniko/task.yaml b/tasks/secret-extract-kaniko/task.yaml
deleted file mode 100644
index 4f8d724..0000000
--- a/tasks/secret-extract-kaniko/task.yaml
+++ /dev/null
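Review bot: The added `mkdir -p` is redundant with the line directly above it, since `mkdir -p` creates intermediate directories; a single `mkdir -p "/workspace/shared/${workingFolder}/___HOME___"` covers both and also quotes the expansion, which neither the new line nor the existing `mkdir` does. `___HOME___` is a magic name with no explanation at its creation point; a comment such as `# ___HOME___ is a staging directory for credential files copied in by a later task — keep it out of build contexts and remove it at run end` would tell the next reader why it exists (the consumer is inferred from the other files in this commit, so confirm the wording). The enclosing step script starts before this hunk.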
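Review bot: Replacing the templated `args` with a static list removes the only place where `.Params.kanikoArgsList` was consumed, so if `kanikoArgsList` is still declared in `spec.params` above this hunk it is now a dead parameter that Tekton will accept silently; drop it in the same change, or add a comment at `args:` saying where build credentials now come from. On the new side `--skip-tls-verify` is now the only security-relevant flag left in the list and reads as an oversight; if the target registry is internal with a self-signed certificate, say so inline (`- --skip-tls-verify  # internal registry, self-signed — TODO: trust the registry CA instead`), otherwise remove it. The step definition begins before this hunk.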
@@ -1,120 +0,0 @@
-apiVersion: tekton.dev/v1
-kind: Task
-metadata:
- name: secret-extract-kaniko
- annotations:
- description: >
- Combines parameterized keys and values from a mounted secret workspace into a Kaniko-style
- '--build-arg KEY=VALUE' flat string. This result is usable with splitList and Kaniko's args.
-spec:
- params:
- - name: kanikoFlags
- type: array
- description: >
- List of argument flags such as '--build-arg' (length must match argumentKeys and secretKeys).
- - name: argumentKeys
- type: array
- description: >
- Keys to be used as the left-hand side of '--build-arg KEY=VALUE'.
- - name: secretKeys
- type: array
- description: >
- File names to read from the 'secret' workspace for the corresponding key's value.
-
- results:
- - name: kanikoArgs
- description: >
- Flat string of build arguments for Kaniko (e.g. '--build-arg KEY=VALUE ...').
-
- workspaces:
- - name: secret
- description: >
- Workspace where secret files (secretKeys) are mounted.
-
- steps:
- - name: build-arg-string
- image: alpine:3.21.3
- workingDir: /workspace/secret
- args:
- - $(params.kanikoFlags[*])
- - ---
- - $(params.argumentKeys[*])
- - ---
- - $(params.secretKeys[*])
- script: |
- #!/bin/sh
- set -e
-
- # Parse positional args by splitting into three sections via delimiter ---
- kanikoFlag_section=true
- argumentKey_section=false
- secretKey_section=false
-
- KANIKO_FLAGS=""
- ARGUMENT_KEYS=""
- SECRET_KEYS=""
-
- for val in "$@"; do
- if [ "$val" = "---" ]; then
- if [ "$kanikoFlag_section" = true ]; then
- kanikoFlag_section=false
- argumentKey_section=true
- elif [ "$argumentKey_section" = true ]; then
- argumentKey_section=false
- secretKey_section=true
- fi
- continue
- fi
-
- if [ "$kanikoFlag_section" = true ]; then
- KANIKO_FLAGS="$KANIKO_FLAGS $val"
- elif [ "$argumentKey_section" = true ]; then
- ARGUMENT_KEYS="$ARGUMENT_KEYS $val"
- elif [ "$secretKey_section" = true ]; then
- SECRET_KEYS="$SECRET_KEYS $val"
- fi
- done
-
- # Trim leading/trailing spaces
- KANIKO_FLAGS=$(echo "$KANIKO_FLAGS" | sed 's/^ *//;s/ *$//')
- ARGUMENT_KEYS=$(echo "$ARGUMENT_KEYS" | sed 's/^ *//;s/ *$//')
- SECRET_KEYS=$(echo "$SECRET_KEYS" | sed 's/^ *//;s/ *$//')
-
- # Count elements in each list
- count_flags=$(echo "$KANIKO_FLAGS" | wc -w)
- count_keys=$(echo "$ARGUMENT_KEYS" | wc -w)
- count_secrets=$(echo "$SECRET_KEYS" | wc -w)
-
- if [ "$count_flags" != "$count_keys" ] || [ "$count_flags" != "$count_secrets" ]; then
- echo "❌ Mismatched counts for flags, keys, or secrets."
- exit 1
- fi
-
- KANIKO_ARGS=""
- i=1
- while [ "$i" -le "$count_flags" ]; do
- # Extract i-th element
- kanikoFlag=$(echo "$KANIKO_FLAGS" | cut -d' ' -f"$i")
- argumentKey=$(echo "$ARGUMENT_KEYS" | cut -d' ' -f"$i")
- secretKey=$(echo "$SECRET_KEYS" | cut -d' ' -f"$i")
-
- if [ ! -f "$secretKey" ]; then
- echo "❌ Missing secret file: $secretKey"
- exit 1
- fi
-
- secretValue=$(cat "$secretKey")
- if [ -z "$KANIKO_ARGS" ]; then
- KANIKO_ARGS="$kanikoFlag=$argumentKey=$secretValue"
- else
- KANIKO_ARGS="${KANIKO_ARGS} $kanikoFlag=$argumentKey=$secretValue"
- fi
- i=$((i + 1))
- done
-
- # Trim leading/trailing spaces from final output
- KANIKO_ARGS=$(echo "$KANIKO_ARGS" | sed 's/^ *//;s/ *$//')
-
- echo "✅ Final Kaniko args:"
- echo "$KANIKO_ARGS"
- echo -e "$KANIKO_ARGS" > /tekton/results/kanikoArgs
\ No newline at end of file
diff --git a/tasks/secret-home/task.yaml b/tasks/secret-home/task.yaml
new file mode 100644
index 0000000..4b19c40
--- /dev/null
+++ b/tasks/secret-home/task.yaml
@@ -0,0 +1,42 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ name: secret-home
+spec:
+ params:
+ - name: subdirectory
+ type: string
+ description: Subdirectory within the repo where the source code is located
+ default: ""
+
+ - name: keys
+ type: array
+ description: Name of the key(s) to extract from the secret
+
+ workspaces:
+ - name: source
+ description: Workspace containing the cloned Git repository
+
+ steps:
+ - name: extract
+ image: alpine:3.21.3
+ workingDir: /workspace/source/$(params.subdirectory)
+ script: |
+ #!/bin/sh
+ set -e
+ apk add --no-cache rsync
+
+ for key in $(params.keys); do
+ echo "Copying $key"
+ target="/workspace/source/$(params.subdirectory)/___HOME___/$key"
+ mkdir -p "$(dirname "$target")"
+ rsync -R "/secrets/credentials/$key" "$(dirname "$target")"
+ done
+ volumeMounts:
+ - name: credentials
+ mountPath: /secrets/credentials
+
+ volumes:
+ - name: credentials
+ secret:
+ secretName: credentials
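Review bot: `rsync -R "/secrets/credentials/$key" "$(dirname "$target")"` does not put the file at `$target`: `-R` (`--relative`) reproduces the source path under the destination, so the copy lands at `___HOME___/secrets/credentials/$key`, and because a Kubernetes secret volume exposes each key as a symlink into `..data/`, rsync without `-L` will most likely print `skipping non-regular file` and exit 0, so nothing is copied and `set -e` never fires — verify with a real run. Unless the nested layout is intended, `cp -L "/secrets/credentials/$key" "$target"` does what the variable names say and also removes the `apk add --no-cache rsync` network dependency from every run. `for key in $(params.keys)` references an array parameter without `[*]`; Tekton's array expansion form is `$(params.keys[*])` and is supported in `args`/`command` rather than `script`, so confirm this validates and expands as intended (passing `$(params.keys[*])` as step `args` and iterating `"$@"` is the usual shape, and it would also keep `set -e` meaningful for keys containing spaces). The copied credentials persist on the shared `source` workspace after this step ends, so the pipeline must keep `___HOME___` out of any image build context and remove it when the run finishes; a comment on `workspaces:` stating that expectation would help the next task author.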