From f004d4268d04f31c2da7c0bb79c4af76487defcc Mon Sep 17 00:00:00 2001 From: BAK BYEONG JUN Date: Mon, 14 Apr 2025 20:41:14 +0000 Subject: [PATCH] init --- tasks/docker-registry/task.yaml | 6 +- tasks/secret-extract-kaniko/task.yaml | 95 ++++++++++++++++++--------- 2 files changed, 67 insertions(+), 34 deletions(-)
diff --git a/tasks/docker-registry/task.yaml b/tasks/docker-registry/task.yaml
index 8018abe..4c5e0df 100644
--- a/tasks/docker-registry/task.yaml
+++ b/tasks/docker-registry/task.yaml
@@ -91,9 +91,7 @@ spec:
 - --skip-tls-verify
 - --verbosity=info
 - --reproducible
- {{- if ne (params.kanikoArgs) "" }}
- {{- $kanikoArgs := splitList " " .Params.kanikoArgs }}
- {{- range $kanikoArgs }}
+ {{- $args := splitList " " .Params.kanikoArgs }}
+ {{- range $args }}
 - {{ . }}
 {{- end }}
- {{- end }}
diff --git a/tasks/secret-extract-kaniko/task.yaml b/tasks/secret-extract-kaniko/task.yaml
index b0a66d3..2e6c3fe 100644
--- a/tasks/secret-extract-kaniko/task.yaml
+++ b/tasks/secret-extract-kaniko/task.yaml
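Review bot: With the `if ne ... ""` guard dropped, an empty kanikoArgs now produces an empty executor argument: sprig's `splitList " " ""` returns a one-element list holding the empty string, so the `range` renders a bare `- ` item that Kaniko receives as an empty flag. The removed guard referenced `params.kanikoArgs` rather than `.Params.kanikoArgs`, which is probably why it was dropped, but an empty-input check is still needed; the simplest form skips blank entries inside the loop, `{{- range $args }}{{- if . }}` / `- {{ . }}` / `{{- end }}{{- end }}`. Note also that splitting on a single space breaks any build-arg whose value contains a space, which matters if the value side carries secret material from the sibling task in this commit. The enclosing args list and spec continue outside the hunk.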
@@ -4,61 +4,96 @@ metadata: name: secret-extract-kaniko annotations: description: > - This task reads secret values from a workspace and combines them with parameter keys - to produce '--build-arg KEY=VALUE' formatted strings for use with Kaniko or other CLI tools. - + Combines parameterized keys and values from a mounted secret workspace into a Kaniko-style + '--build-arg KEY=VALUE' flat string. This result is usable with splitList and Kaniko's args. spec: params: - name: kanikoFlags type: array description: > - A list of argument flags (e.g. --build-arg, --verbosity) to be paired with key=value strings. - The index of each item should correspond with argumentKeys and secretKeys. + List of argument flags such as '--build-arg' (length must match argumentKeys and secretKeys). - name: argumentKeys type: array description: > - Build argument keys (e.g. PYPI_USERNAME) + Keys to be used as the left-hand side of '--build-arg KEY=VALUE'. - name: secretKeys type: array description: > - File names inside the secret workspace, used as values - - workspaces: - - name: secret - description: Secret workspace with files matching secretKeys + File names to read from the 'secret' workspace for the corresponding key's value. results: - name: kanikoArgs description: > - A space-separated string of arguments in the format '--build-arg KEY=VALUE', suitable for passing to the Kaniko executor. + Flat string of build arguments for Kaniko (e.g. '--build-arg KEY=VALUE ...'). + + workspaces: + - name: secret + description: > + Workspace where secret files (secretKeys) are mounted. 
steps: - - name: extract + - name: build-arg-string image: alpine:3.21.3 workingDir: /workspace/secret + args: + - $(params.kanikoFlags[*]) + - --- + - $(params.argumentKeys[*]) + - --- + - $(params.secretKeys[*]) script: | #!/bin/sh set -e - KANIKO_FLAGS=($(params.kanikoFlags[*])) - ARGUMENT_KEYS=($(params.argumentKeys[*])) - SECRET_KEYS=($(params.secretKeys[*])) + # Parse positional args by splitting into three sections via delimiter --- + kanikoFlag_section=true + argumentKey_section=false + secretKey_section=false - FINAL_ARGS="" + KANIKO_FLAGS="" + ARGUMENT_KEYS="" + SECRET_KEYS="" - for i in $(seq 0 $((${#KANIKO_FLAGS[@]} - 1))); do - KANIKO_FLAG="${KANIKO_FLAGS[$i]}" - ARGUMENT_KEY="${ARGUMENT_KEYS[$i]}" - SECRET_KEY="${SECRET_KEYS[$i]}" - - if [ -f "$SECRET_KEY" ]; then - VAL=$(cat "$SECRET_KEY") - FINAL_ARGS="$FINAL_ARGS $KANIKO_FLAG $ARGUMENT_KEY=$VAL" - else - echo "❌ ERROR: Secret file '$SECRET_KEY' not found in workspace" - exit 1 + for val in "$@"; do + if [ "$val" = "---" ]; then + if [ "$kanikoFlag_section" = true ]; then + kanikoFlag_section=false + argumentKey_section=true + elif [ "$argumentKey_section" = true ]; then + argumentKey_section=false + secretKey_section=true + fi + continue + fi + + if [ "$kanikoFlag_section" = true ]; then + KANIKO_FLAGS="$KANIKO_FLAGS $val" + elif [ "$argumentKey_section" = true ]; then + ARGUMENT_KEYS="$ARGUMENT_KEYS $val" + elif [ "$secretKey_section" = true ]; then + SECRET_KEYS="$SECRET_KEYS $val" fi done - echo "✅ Final build args: $FINAL_ARGS" - echo -n "$FINAL_ARGS" > /tekton/results/kanikoArgs \ No newline at end of file + set -f # disable globbing + IFS=' ' read -r -a kanikoFlagArray <<< "$KANIKO_FLAGS" + IFS=' ' read -r -a argumentKeyArray <<< "$ARGUMENT_KEYS" + IFS=' ' read -r -a secretKeyArray <<< "$SECRET_KEYS" + + KANIKO_ARGS="" + for i in $(seq 0 $((${#kanikoFlagArray[@]} - 1))); do + kanikoFlag="${kanikoFlagArray[$i]}" + argumentKey="${argumentKeyArray[$i]}" + secretKey="${secretKeyArray[$i]}" + + if 
[ ! -f "$secretKey" ]; then + echo "❌ Missing secret file: $secretKey" + exit 1 + fi + + secretValue=$(cat "$secretKey") + KANIKO_ARGS="$KANIKO_ARGS $kanikoFlag $argumentKey=$secretValue" + done + + echo "✅ Final Kaniko args: $KANIKO_ARGS" + echo -n "$KANIKO_ARGS" > /tekton/results/kanikoArgs
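Review bot: The new `echo "✅ Final Kaniko args: $KANIKO_ARGS"` near the end of the script prints every secret value read from the workspace into the step log, and the next line writes the same plaintext into a Tekton result, which lands in the TaskRun status; log only the keys, e.g. `echo "✅ Built Kaniko args for keys:$ARGUMENT_KEYS"`, and document in the task description that the result is sensitive (values passed via Kaniko `--build-arg` also typically end up in the image's layer history, so this task should carry that caveat). Separately, the step runs `#!/bin/sh` on `alpine:3.21.3`, whose /bin/sh is BusyBox ash with no array support, so `read -r -a`, `${#kanikoFlagArray[@]}` and `"${kanikoFlagArray[$i]}"` will fail with a bad-substitution error; either use an image that ships bash or rewrite the pairing loop with POSIX positional parameters. The description also says the three lists must be the same length, but nothing checks it, so a shorter argumentKeys or secretKeys list yields `--build-arg =VALUE` or a `Missing secret file: ` error with an empty name; add a count comparison before the loop, e.g. `[ "$(echo $ARGUMENT_KEYS | wc -w)" -eq "$(echo $KANIKO_FLAGS | wc -w)" ] || { echo "❌ kanikoFlags/argumentKeys length mismatch"; exit 1; }` and the same for secretKeys.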