init

2025-04-14 20:41:14 +00:00 · 2025-04-14 20:41:14 +00:00 · f004d4268d
commit f004d4268d
parent 2814d93c07
2 changed files with 67 additions and 34 deletions
--- a/tasks/docker-registry/task.yaml
+++ b/tasks/docker-registry/task.yaml
@ -91,9 +91,7 @@ spec:
        - --skip-tls-verify
        - --verbosity=info
        - --reproducible
-        {{- if ne (params.kanikoArgs) "" }}
-        {{- $kanikoArgs := splitList " " .Params.kanikoArgs }}
-        {{- range $kanikoArgs }}
+        {{- $args := splitList " " .Params.kanikoArgs }}
+        {{- range $args }}
        - {{ . }}
        {{- end }}
-        {{- end }}
--- a/tasks/secret-extract-kaniko/task.yaml
+++ b/tasks/secret-extract-kaniko/task.yaml
@ -4,61 +4,96 @@ metadata:
  name: secret-extract-kaniko
  annotations:
    description: >
-      This task reads secret values from a workspace and combines them with parameter keys
-      to produce '--build-arg KEY=VALUE' formatted strings for use with Kaniko or other CLI tools.
-
+      Combines parameterized keys and values from a mounted secret workspace into a Kaniko-style
+      '--build-arg KEY=VALUE' flat string. This result is usable with splitList and Kaniko's args.
 spec:
  params:
    - name: kanikoFlags
      type: array
      description: >
-        A list of argument flags (e.g. --build-arg, --verbosity) to be paired with key=value strings.
-        The index of each item should correspond with argumentKeys and secretKeys.
+        List of argument flags such as '--build-arg' (length must match argumentKeys and secretKeys).
    - name: argumentKeys
      type: array
      description: >
-        Build argument keys (e.g. PYPI_USERNAME)
+        Keys to be used as the left-hand side of '--build-arg KEY=VALUE'.
    - name: secretKeys
      type: array
      description: >
-        File names inside the secret workspace, used as values
- 
-  workspaces:
-    - name: secret
-      description: Secret workspace with files matching secretKeys
+        File names to read from the 'secret' workspace for the corresponding key's value.

  results:
    - name: kanikoArgs
      description: >
-        A space-separated string of arguments in the format '--build-arg KEY=VALUE', suitable for passing to the Kaniko executor.
+        Flat string of build arguments for Kaniko (e.g. '--build-arg KEY=VALUE ...').
+
+  workspaces:
+    - name: secret
+      description: >
+        Workspace where secret files (secretKeys) are mounted.

  steps:
-    - name: extract
+    - name: build-arg-string
      image: alpine:3.21.3
      workingDir: /workspace/secret
+      args:
+        - $(params.kanikoFlags[*])
+        - ---
+        - $(params.argumentKeys[*])
+        - ---
+        - $(params.secretKeys[*])
      script: |
        #!/bin/sh
        set -e

-        KANIKO_FLAGS=($(params.kanikoFlags[*]))
-        ARGUMENT_KEYS=($(params.argumentKeys[*]))
-        SECRET_KEYS=($(params.secretKeys[*]))
+        # Parse positional args by splitting into three sections via delimiter ---
+        kanikoFlag_section=true
+        argumentKey_section=false
+        secretKey_section=false

-        FINAL_ARGS=""
+        KANIKO_FLAGS=""
+        ARGUMENT_KEYS=""
+        SECRET_KEYS=""

-        for i in $(seq 0 $((${#KANIKO_FLAGS[@]} - 1))); do
-          KANIKO_FLAG="${KANIKO_FLAGS[$i]}"
-          ARGUMENT_KEY="${ARGUMENT_KEYS[$i]}"
-          SECRET_KEY="${SECRET_KEYS[$i]}"
+        for val in "$@"; do
+          if [ "$val" = "---" ]; then
+            if [ "$kanikoFlag_section" = true ]; then
+              kanikoFlag_section=false
+              argumentKey_section=true
+            elif [ "$argumentKey_section" = true ]; then
+              argumentKey_section=false
+              secretKey_section=true
+            fi
+            continue
+          fi

-          if [ -f "$SECRET_KEY" ]; then
-            VAL=$(cat "$SECRET_KEY")
-            FINAL_ARGS="$FINAL_ARGS $KANIKO_FLAG $ARGUMENT_KEY=$VAL"
-          else
-            echo "❌ ERROR: Secret file '$SECRET_KEY' not found in workspace"
-            exit 1
+          if [ "$kanikoFlag_section" = true ]; then
+            KANIKO_FLAGS="$KANIKO_FLAGS $val"
+          elif [ "$argumentKey_section" = true ]; then
+            ARGUMENT_KEYS="$ARGUMENT_KEYS $val"
+          elif [ "$secretKey_section" = true ]; then
+            SECRET_KEYS="$SECRET_KEYS $val"
          fi
        done

-        echo "✅ Final build args: $FINAL_ARGS"
-        echo -n "$FINAL_ARGS" > /tekton/results/kanikoArgs
+        set -f  # disable globbing
+        IFS=' ' read -r -a kanikoFlagArray <<< "$KANIKO_FLAGS"
+        IFS=' ' read -r -a argumentKeyArray <<< "$ARGUMENT_KEYS"
+        IFS=' ' read -r -a secretKeyArray <<< "$SECRET_KEYS"
+
+        KANIKO_ARGS=""
+        for i in $(seq 0 $((${#kanikoFlagArray[@]} - 1))); do
+          kanikoFlag="${kanikoFlagArray[$i]}"
+          argumentKey="${argumentKeyArray[$i]}"
+          secretKey="${secretKeyArray[$i]}"
+
+          if [ ! -f "$secretKey" ]; then
+            echo "❌ Missing secret file: $secretKey"
+            exit 1
+          fi
+
+          secretValue=$(cat "$secretKey")
+          KANIKO_ARGS="$KANIKO_ARGS $kanikoFlag $argumentKey=$secretValue"
+        done
+
+        echo "✅ Final Kaniko args: $KANIKO_ARGS"
+        echo -n "$KANIKO_ARGS" > /tekton/results/kanikoArgs