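---
# Tekton Task: reads secret files from a workspace and emits them as Kaniko
# '--build-arg KEY=VALUE' items in the 'kanikoArgs' result.
#
# SECURITY NOTE(review): the 'kanikoArgs' result contains the secret values
# in plaintext. Tekton records results in the TaskRun status, so anyone who
# can read TaskRuns in the namespace can read these values. Restrict RBAC on
# TaskRuns/PipelineRuns accordingly. Values passed as build args may also
# persist in the built image's metadata; prefer a secret-mount mechanism
# where the build allows it.
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: secret-extract-kaniko
  annotations:
    description: >
      Combines parameterized keys and values from a mounted secret workspace
      into a Kaniko-style '--build-arg KEY=VALUE' flat string. This result is
      usable with splitList and Kaniko's args.
spec:
  params:
    - name: kanikoFlags
      type: array
      description: >
        List of argument flags such as '--build-arg' (length must match
        argumentKeys and secretKeys).
    - name: argumentKeys
      type: array
      description: >
        Keys to be used as the left-hand side of '--build-arg KEY=VALUE'.
    - name: secretKeys
      type: array
      description: >
        File names to read from the 'secret' workspace for the corresponding
        key's value. Must be plain file names (no '/').
  results:
    - name: kanikoArgs
      description: >
        Flat string of build arguments for Kaniko (e.g. '--build-arg
        KEY=VALUE ...'), one '- FLAG KEY=VALUE' item per line. Contains
        secret values in plaintext; treat the TaskRun status as sensitive.
  workspaces:
    - name: secret
      description: >
        Workspace where secret files (secretKeys) are mounted.
  steps:
    - name: build-arg-string
      # NOTE(review): the image is referenced by tag only. Consider pinning
      # by digest (alpine:3.21.3@sha256:<digest-placeholder>) so the step
      # that handles secrets always runs the reviewed image.
      image: alpine:3.21.3
      workingDir: /workspace/secret
      # The three array params are flattened into positional arguments,
      # separated by a literal '---' marker so the script can split them.
      args:
        - "$(params.kanikoFlags[*])"
        - '---'
        - "$(params.argumentKeys[*])"
        - '---'
        - "$(params.secretKeys[*])"
      script: |
        #!/bin/sh
        set -eu

        # Literal newline, used to join output items and to detect
        # multi-line secret values.
        NL='
        '

        # Split the positional args into three sections on the '---' marker.
        section=flags
        KANIKO_FLAGS=""
        ARGUMENT_KEYS=""
        SECRET_KEYS=""

        for val in "$@"; do
          if [ "$val" = "---" ]; then
            case "$section" in
              flags) section=keys ;;
              keys) section=secrets ;;
            esac
            continue
          fi

          # The lists are stored space-separated and indexed with 'cut', so
          # an empty or whitespace-containing element would shift fields and
          # pair a key with the wrong secret file.
          case "$val" in
            '' | *[[:space:]]*)
              echo "❌ Parameter values must be non-empty and contain no whitespace."
              exit 1
              ;;
          esac

          case "$section" in
            flags) KANIKO_FLAGS="$KANIKO_FLAGS $val" ;;
            keys) ARGUMENT_KEYS="$ARGUMENT_KEYS $val" ;;
            secrets) SECRET_KEYS="$SECRET_KEYS $val" ;;
          esac
        done

        # Drop the single leading separator added while joining.
        KANIKO_FLAGS="${KANIKO_FLAGS# }"
        ARGUMENT_KEYS="${ARGUMENT_KEYS# }"
        SECRET_KEYS="${SECRET_KEYS# }"

        # Count elements in each list. printf is used instead of echo so a
        # value such as '-n' is never taken as an option.
        count_flags=$(printf '%s\n' "$KANIKO_FLAGS" | wc -w)
        count_keys=$(printf '%s\n' "$ARGUMENT_KEYS" | wc -w)
        count_secrets=$(printf '%s\n' "$SECRET_KEYS" | wc -w)

        if [ "$count_flags" != "$count_keys" ] || [ "$count_flags" != "$count_secrets" ]; then
          echo "❌ Mismatched counts for flags, keys, or secrets."
          exit 1
        fi

        KANIKO_ARGS=""
        i=1
        while [ "$i" -le "$count_flags" ]; do
          # Extract the i-th element of each list.
          kanikoFlag=$(printf '%s\n' "$KANIKO_FLAGS" | cut -d' ' -f"$i")
          argumentKey=$(printf '%s\n' "$ARGUMENT_KEYS" | cut -d' ' -f"$i")
          secretKey=$(printf '%s\n' "$SECRET_KEYS" | cut -d' ' -f"$i")

          # Keep reads inside the secret workspace: a path separator would
          # let a parameter point at any file visible to this step.
          case "$secretKey" in
            */*)
              echo "❌ secretKeys entries must be plain file names: $secretKey"
              exit 1
              ;;
          esac

          if [ ! -f "$secretKey" ]; then
            echo "❌ Missing secret file: $secretKey"
            exit 1
          fi

          secretValue=$(cat "$secretKey")

          # A value spanning several lines would add extra items to the
          # result, which the consumer would treat as additional arguments.
          case "$secretValue" in
            *"$NL"*)
              echo "❌ Secret file contains a multi-line value: $secretKey"
              exit 1
              ;;
          esac

          item="- $kanikoFlag $argumentKey=$secretValue"
          if [ -z "$KANIKO_ARGS" ]; then
            KANIKO_ARGS="$item"
          else
            KANIKO_ARGS="${KANIKO_ARGS}${NL}${item}"
          fi

          i=$((i + 1))
        done

        # Step logs are retained and widely readable, so only the argument
        # names are reported here, never the values.
        echo "✅ Built $count_flags Kaniko arg(s) for keys: $ARGUMENT_KEYS (values withheld from logs)"

        # printf '%s' writes the value verbatim; 'echo -e' would expand
        # backslash sequences inside secret values, corrupting them or
        # turning a literal '\n' into a new item.
        printf '%s\n' "$KANIKO_ARGS" > /tekton/results/kanikoArgs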