apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: docker-registry
spec:
  params:
    - name: subdirectory
      type: string
      default: ""
      description: Subdirectory within the repo where the Dockerfile/context reside

    - name: imageName
      type: string
      description: Full image name (e.g. docker.unbox-x.net/registry/my-app)

    - name: tag
      type: string
      description: Version tag (e.g. v1.0.0)

    - name: dockerfile
      type: string
      default: ./Dockerfile
      description: Path to Dockerfile (relative to subdirectory)

    - name: context
      type: string
      default: .
      description: Build context (relative to subdirectory)

  workspaces:
    - name: source
      description: Source code workspace

    - name: docker-auth
      description: Docker registry secret (username/password)

    - name: pypi-auth
      description: PyPI registry secret (username/password)

  results:
    - name: imageUrl
      description: Final pushed image URL with tag

  volumes:
    - name: env
      emptyDir: {}

  steps:
    - name: write-pypi-env
      image: alpine:3.21.3
      script: |
        #!/bin/sh
        set -e
        mkdir -p /tekton/env
        echo "PYPI_USERNAME=$(cat /workspace/pypi-auth/username)" > /tekton/env/.env
        echo "PYPI_PASSWORD=$(cat /workspace/pypi-auth/password)" >> /tekton/env/.env
      volumeMounts:
        - name: env
          mountPath: /tekton/env

    - name: write-docker-config
      image: alpine:3.21.3
      workingDir: /workspace/source
      script: |
        #!/bin/sh
        set -e

        if [ -n "$(params.subdirectory)" ]; then
          cd "$(params.subdirectory)"
        fi

        IMAGE="$(params.imageName):$(params.tag)"
        USERNAME=$(cat /workspace/docker-auth/username)
        PASSWORD=$(cat /workspace/docker-auth/password)
        REGISTRY=$(echo "$IMAGE" | cut -d/ -f1)

        echo -n "$IMAGE" > /tekton/results/imageUrl

        mkdir -p /tekton/home/.docker
        cat > /tekton/home/.docker/config.json <<EOF
        {
          "auths": {
            "$REGISTRY": {
              "auth": "$(echo -n "$USERNAME:$PASSWORD" | base64)"
            }
          }
        }
        EOF
      volumeMounts:
        - name: env
          mountPath: /tekton/env

    - name: kaniko-build
      image: gcr.io/kaniko-project/executor:v1.23.2
      workingDir: /workspace/source
      command: ["/bin/sh"]
      args:
        - -c
        - |
          set -e
          . /tekton/env/.env

          /kaniko/executor \
            --dockerfile=$(params.subdirectory)/$(params.dockerfile) \
            --context=$(params.subdirectory)/$(params.context) \
            --destination=$(params.imageName):$(params.tag) \
            --build-arg=PYPI_USERNAME=$PYPI_USERNAME \
            --build-arg=PYPI_PASSWORD=$PYPI_PASSWORD \
            --skip-tls-verify \
            --reproducible \
            --verbosity=info
      env:
        - name: DOCKER_CONFIG
          value: /tekton/home/.docker
      volumeMounts:
        - name: env
          mountPath: /tekton/env