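---
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: secret-extract-kaniko
  annotations:
    description: >
      This task reads secret values from a workspace and combines them with
      parameter keys to produce '--build-arg KEY=VALUE' formatted strings for
      use with Kaniko or other CLI tools.
spec:
  params:
    - name: kanikoFlags
      type: array
      description: >
        A list of argument flags (e.g. --build-arg, --verbosity) to be paired
        with key=value strings. The index of each item should correspond with
        argumentKeys and secretKeys.
    - name: argumentKeys
      type: array
      description: >
        Build argument keys (e.g. PYPI_USERNAME)
    - name: secretKeys
      type: array
      description: >
        File names inside the secret workspace, used as values. Only plain
        file names are accepted (no path separators, no '.' or '..').
  workspaces:
    - name: secret
      description: Secret workspace with files matching secretKeys
  results:
    # NOTE: this result carries the secret file contents in clear text.
    # Tekton persists results in the TaskRun status, so any principal that
    # can read TaskRuns/PipelineRuns in the namespace can read these values.
    # Build args are also commonly recorded in image metadata by builders;
    # prefer a build-secret mechanism when the consumer supports one.
    - name: kaniko-args
      description: >
        A space-separated string of arguments in the format
        '--build-arg KEY=VALUE', suitable for passing to the Kaniko executor.
  steps:
    - name: extract
      # TODO(review): pin by digest (alpine:3.21.3@sha256:<digest-placeholder>)
      # so the step image cannot change underneath the mutable tag.
      image: alpine:3.21.3
      workingDir: /workspace/secret
      # The script is POSIX sh: alpine's /bin/sh is busybox ash, which has no
      # bash arrays, so the three lists are handled as word lists instead.
      # Tekton substitutes each array parameter reference below with its
      # elements joined by spaces before the shell runs; elements containing
      # whitespace are therefore not supported (same limitation as before).
      script: |
        #!/bin/sh
        set -eu
        # Disable pathname expansion so a parameter value such as '*' is not
        # turned into a list of files from the secret workspace.
        set -f

        # count_words WORD... : print the number of WORDs.
        count_words() {
          printf '%s' "$#"
        }

        # nth INDEX WORD... : print the INDEX-th (0-based) WORD, or nothing
        # when INDEX is out of range.
        nth() {
          n="$1"
          shift
          [ "$n" -lt "$#" ] || return 0
          shift "$n"
          printf '%s' "$1"
        }

        N_FLAGS=$(count_words $(params.kanikoFlags[*]))
        N_KEYS=$(count_words $(params.argumentKeys[*]))
        N_SECRETS=$(count_words $(params.secretKeys[*]))

        # The three lists are indexed in parallel; a length mismatch would
        # silently pair a flag with an empty key or secret, so fail early.
        if [ "$N_FLAGS" -ne "$N_KEYS" ] || [ "$N_FLAGS" -ne "$N_SECRETS" ]; then
          echo "❌ ERROR: kanikoFlags ($N_FLAGS), argumentKeys ($N_KEYS) and secretKeys ($N_SECRETS) must have the same length" >&2
          exit 1
        fi

        FINAL_ARGS=""
        i=0
        while [ "$i" -lt "$N_FLAGS" ]; do
          KANIKO_FLAG=$(nth "$i" $(params.kanikoFlags[*]))
          ARGUMENT_KEY=$(nth "$i" $(params.argumentKeys[*]))
          SECRET_KEY=$(nth "$i" $(params.secretKeys[*]))

          # Accept only a plain file name so a parameter cannot point outside
          # the mounted secret workspace (e.g. '../..' or an absolute path).
          case "$SECRET_KEY" in
            ''|*/*|.|..)
              echo "❌ ERROR: Invalid secret key '$SECRET_KEY' (must be a plain file name)" >&2
              exit 1
              ;;
          esac

          if [ ! -f "$SECRET_KEY" ]; then
            echo "❌ ERROR: Secret file '$SECRET_KEY' not found in workspace" >&2
            exit 1
          fi

          # Command substitution strips trailing newlines from the file.
          VAL=$(cat "$SECRET_KEY")
          FINAL_ARGS="$FINAL_ARGS $KANIKO_FLAG $ARGUMENT_KEY=$VAL"
          i=$((i + 1))
        done

        # Log only the keys: the values are secrets and step logs are
        # retained and widely readable.
        echo "✅ Final build args prepared for keys: $(params.argumentKeys[*])"
        printf '%s' "$FINAL_ARGS" > "$(results.kaniko-args.path)"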