init

tasks/docker-registry/task.yaml

@@ -27,13 +27,8 @@ spec:
       type: string
       default: .
 
-    - name: pypi-username
+    - name: kanikoArgs
-      description: PyPI username
+      description: arguments for kaniko
-      type: string
-      default: ""
-
-    - name: pypi-password
-      description: PyPI password
       type: string
       default: ""
 
@@ -81,15 +76,6 @@ spec:
         }
         EOF
 
-    - name: debug-paths
-      image: alpine
-      workingDir: $(workspaces.source.path)/$(params.subdirectory)
-      script: |
-        #!/bin/sh
-        echo "▶ Current dir: $(pwd)"
-        echo "▶ Files:"
-        find . -type f
-
     - name: kaniko-build
       image: gcr.io/kaniko-project/executor:v1.23.2
       workingDir: $(workspaces.source.path)/$(params.subdirectory)
@@ -105,7 +91,9 @@ spec:
         - --skip-tls-verify
         - --verbosity=info
         - --reproducible
-        - --build-arg
+        {{- if ne (params.kanikoArgs) "" }}
-        - PYPI_USERNAME=$(params.pypi-username)
+        {{- $kanikoArgs := splitList " " .Params.kanikoArgs }}
-        - --build-arg
+        {{- range $kanikoArgs }}
-        - PYPI_PASSWORD=$(params.pypi-password)
+        - {{ . }}
+        {{- end }}
+        {{- end }}

tasks/secret-extract-kaniko/task.yaml

@@ -0,0 +1,64 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: secret-extract-kaniko
+  annotations:
+    description: >
+      This task reads secret values from a workspace and combines them with parameter keys
+      to produce '--build-arg KEY=VALUE' formatted strings for use with Kaniko or other CLI tools.
+
+spec:
+  params:
+    - name: kanikoFlags
+      type: array
+      description: >
+        A list of argument flags (e.g. --build-arg, --verbosity) to be paired with key=value strings.
+        The index of each item should correspond with argumentKeys and secretKeys.
+    - name: argumentKeys
+      type: array
+      description: >
+        Build argument keys (e.g. PYPI_USERNAME)
+    - name: secretKeys
+      type: array
+      description: >
+        File names inside the secret workspace, used as values
+ 
+  workspaces:
+    - name: secret
+      description: Secret workspace with files matching secretKeys
+
+  results:
+    - name: kaniko-args
+      description: >
+        A space-separated string of arguments in the format '--build-arg KEY=VALUE', suitable for passing to the Kaniko executor.
+
+  steps:
+    - name: extract
+      image: alpine:3.21.3
+      workingDir: /workspace/secret
+      script: |
+        #!/bin/sh
+        set -e
+
+        KANIKO_FLAGS=($(params.kanikoFlags[*]))
+        ARGUMENT_KEYS=($(params.argumentKeys[*]))
+        SECRET_KEYS=($(params.secretKeys[*]))
+
+        FINAL_ARGS=""
+
+        for i in $(seq 0 $((${#KANIKO_FLAGS[@]} - 1))); do
+          KANIKO_FLAG="${KANIKO_FLAGS[$i]}"
+          ARGUMENT_KEY="${ARGUMENT_KEYS[$i]}"
+          SECRET_KEY="${SECRET_KEYS[$i]}"
+          
+          if [ -f "$SECRET_KEY" ]; then
+            VAL=$(cat "$SECRET_KEY")
+            FINAL_ARGS="$FINAL_ARGS $KANIKO_FLAG $ARGUMENT_KEY=$VAL"
+          else
+            echo "❌ ERROR: Secret file '$SECRET_KEY' not found in workspace"
+            exit 1
+          fi
+        done
+
+        echo "✅ Final build args: $FINAL_ARGS"
+        echo -n "$FINAL_ARGS" > /tekton/results/kaniko-args