init
parent
2814d93c07
commit
f004d4268d
@ -91,9 +91,7 @@ spec:
|
|||||||
- --skip-tls-verify
|
- --skip-tls-verify
|
||||||
- --verbosity=info
|
- --verbosity=info
|
||||||
- --reproducible
|
- --reproducible
|
||||||
{{- if ne (params.kanikoArgs) "" }}
|
{{- $args := splitList " " .Params.kanikoArgs }}
|
||||||
{{- $kanikoArgs := splitList " " .Params.kanikoArgs }}
|
{{- range $args }}
|
||||||
{{- range $kanikoArgs }}
|
|
||||||
- {{ . }}
|
- {{ . }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
|
||||||
|
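Review bot: Splitting `.Params.kanikoArgs` on single spaces yields an empty list item whenever the string is empty or starts with a space, and the task changed in this same commit builds the value as `"$KANIKO_ARGS $kanikoFlag $argumentKey=$secretValue"`, so it always starts with one. With the `if ne … ""` guard removed, the range now renders a bare `- ` entry in both cases. The same split also breaks any secret value that contains a space into separate executor arguments, so part of a value can be read as an extra flag. If the template engine provides Sprig's `compact`, `{{- range (compact $args) }}` would drop the empty items; the space-in-value case needs a different delimiter or one parameter per value. The args list begins outside the hunk.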
@ -4,61 +4,96 @@ metadata:
|
|||||||
name: secret-extract-kaniko
|
name: secret-extract-kaniko
|
||||||
annotations:
|
annotations:
|
||||||
description: >
|
description: >
|
||||||
This task reads secret values from a workspace and combines them with parameter keys
|
Combines parameterized keys and values from a mounted secret workspace into a Kaniko-style
|
||||||
to produce '--build-arg KEY=VALUE' formatted strings for use with Kaniko or other CLI tools.
|
'--build-arg KEY=VALUE' flat string. This result is usable with splitList and Kaniko's args.
|
||||||
|
|
||||||
spec:
|
spec:
|
||||||
params:
|
params:
|
||||||
- name: kanikoFlags
|
- name: kanikoFlags
|
||||||
type: array
|
type: array
|
||||||
description: >
|
description: >
|
||||||
A list of argument flags (e.g. --build-arg, --verbosity) to be paired with key=value strings.
|
List of argument flags such as '--build-arg' (length must match argumentKeys and secretKeys).
|
||||||
The index of each item should correspond with argumentKeys and secretKeys.
|
|
||||||
- name: argumentKeys
|
- name: argumentKeys
|
||||||
type: array
|
type: array
|
||||||
description: >
|
description: >
|
||||||
Build argument keys (e.g. PYPI_USERNAME)
|
Keys to be used as the left-hand side of '--build-arg KEY=VALUE'.
|
||||||
- name: secretKeys
|
- name: secretKeys
|
||||||
type: array
|
type: array
|
||||||
description: >
|
description: >
|
||||||
File names inside the secret workspace, used as values
|
File names to read from the 'secret' workspace for the corresponding key's value.
|
||||||
|
|
||||||
workspaces:
|
|
||||||
- name: secret
|
|
||||||
description: Secret workspace with files matching secretKeys
|
|
||||||
|
|
||||||
results:
|
results:
|
||||||
- name: kanikoArgs
|
- name: kanikoArgs
|
||||||
description: >
|
description: >
|
||||||
A space-separated string of arguments in the format '--build-arg KEY=VALUE', suitable for passing to the Kaniko executor.
|
Flat string of build arguments for Kaniko (e.g. '--build-arg KEY=VALUE ...').
|
||||||
|
|
||||||
|
workspaces:
|
||||||
|
- name: secret
|
||||||
|
description: >
|
||||||
|
Workspace where secret files (secretKeys) are mounted.
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: extract
|
- name: build-arg-string
|
||||||
image: alpine:3.21.3
|
image: alpine:3.21.3
|
||||||
workingDir: /workspace/secret
|
workingDir: /workspace/secret
|
||||||
|
args:
|
||||||
|
- $(params.kanikoFlags[*])
|
||||||
|
- ---
|
||||||
|
- $(params.argumentKeys[*])
|
||||||
|
- ---
|
||||||
|
- $(params.secretKeys[*])
|
||||||
script: |
|
script: |
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
KANIKO_FLAGS=($(params.kanikoFlags[*]))
|
# Parse positional args by splitting into three sections via delimiter ---
|
||||||
ARGUMENT_KEYS=($(params.argumentKeys[*]))
|
kanikoFlag_section=true
|
||||||
SECRET_KEYS=($(params.secretKeys[*]))
|
argumentKey_section=false
|
||||||
|
secretKey_section=false
|
||||||
|
|
||||||
FINAL_ARGS=""
|
KANIKO_FLAGS=""
|
||||||
|
ARGUMENT_KEYS=""
|
||||||
|
SECRET_KEYS=""
|
||||||
|
|
||||||
for i in $(seq 0 $((${#KANIKO_FLAGS[@]} - 1))); do
|
for val in "$@"; do
|
||||||
KANIKO_FLAG="${KANIKO_FLAGS[$i]}"
|
if [ "$val" = "---" ]; then
|
||||||
ARGUMENT_KEY="${ARGUMENT_KEYS[$i]}"
|
if [ "$kanikoFlag_section" = true ]; then
|
||||||
SECRET_KEY="${SECRET_KEYS[$i]}"
|
kanikoFlag_section=false
|
||||||
|
argumentKey_section=true
|
||||||
|
elif [ "$argumentKey_section" = true ]; then
|
||||||
|
argumentKey_section=false
|
||||||
|
secretKey_section=true
|
||||||
|
fi
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -f "$SECRET_KEY" ]; then
|
if [ "$kanikoFlag_section" = true ]; then
|
||||||
VAL=$(cat "$SECRET_KEY")
|
KANIKO_FLAGS="$KANIKO_FLAGS $val"
|
||||||
FINAL_ARGS="$FINAL_ARGS $KANIKO_FLAG $ARGUMENT_KEY=$VAL"
|
elif [ "$argumentKey_section" = true ]; then
|
||||||
else
|
ARGUMENT_KEYS="$ARGUMENT_KEYS $val"
|
||||||
echo "❌ ERROR: Secret file '$SECRET_KEY' not found in workspace"
|
elif [ "$secretKey_section" = true ]; then
|
||||||
exit 1
|
SECRET_KEYS="$SECRET_KEYS $val"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
echo "✅ Final build args: $FINAL_ARGS"
|
set -f # disable globbing
|
||||||
echo -n "$FINAL_ARGS" > /tekton/results/kanikoArgs
|
IFS=' ' read -r -a kanikoFlagArray <<< "$KANIKO_FLAGS"
|
||||||
|
IFS=' ' read -r -a argumentKeyArray <<< "$ARGUMENT_KEYS"
|
||||||
|
IFS=' ' read -r -a secretKeyArray <<< "$SECRET_KEYS"
|
||||||
|
|
||||||
|
KANIKO_ARGS=""
|
||||||
|
for i in $(seq 0 $((${#kanikoFlagArray[@]} - 1))); do
|
||||||
|
kanikoFlag="${kanikoFlagArray[$i]}"
|
||||||
|
argumentKey="${argumentKeyArray[$i]}"
|
||||||
|
secretKey="${secretKeyArray[$i]}"
|
||||||
|
|
||||||
|
if [ ! -f "$secretKey" ]; then
|
||||||
|
echo "❌ Missing secret file: $secretKey"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
secretValue=$(cat "$secretKey")
|
||||||
|
KANIKO_ARGS="$KANIKO_ARGS $kanikoFlag $argumentKey=$secretValue"
|
||||||
|
done
|
||||||
|
|
||||||
|
echo "✅ Final Kaniko args: $KANIKO_ARGS"
|
||||||
|
echo -n "$KANIKO_ARGS" > /tekton/results/kanikoArgs
|
||||||
|
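Review bot: `echo "✅ Final Kaniko args: $KANIKO_ARGS"` writes every secret value into the step log, and the next line stores the same string in `/tekton/results/kanikoArgs`, which Tekton keeps in the TaskRun status where anyone allowed to read TaskRuns can see it. Log only the key names, e.g. `echo "✅ Prepared build args for:$ARGUMENT_KEYS"`, and consider mounting the secret workspace in the build task itself rather than passing values through a result. Separately, the script runs under `#!/bin/sh` on `alpine:3.21.3`, where sh is BusyBox ash, so `read -r -a` and the `${kanikoFlagArray[$i]}` array expansions are likely to fail; it needs either a POSIX loop over `"$@"` or an image that ships bash. The three lists are also never checked for equal length, although the `kanikoFlags` description says they must match.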