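# Tekton Task: reads files from the 'secret' workspace and joins them into a
# flat '<flag> KEY=VALUE ...' string published as the 'kanikoArgs' result.
#
# Security notes:
# - The 'kanikoArgs' result carries the secret values in clear text. Tekton
#   records results in the TaskRun status, so read access to TaskRuns is
#   read access to these values; scope RBAC accordingly.
# - Values passed as build arguments may be recoverable from the built
#   image's metadata, depending on how the Dockerfile uses them
#   (TODO confirm for the consuming Kaniko build).
# - The step script logs flag and key names only; secret values are never
#   written to the step log.
# - The result is a space-separated string, so a secret value containing
#   whitespace will presumably be split into extra arguments by the
#   consumer (verify against the pipeline that uses splitList).
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: secret-extract-kaniko
  annotations:
    description: >
      Combines parameterized keys and values from a mounted secret workspace into a Kaniko-style
      '--build-arg KEY=VALUE' flat string. This result is usable with splitList and Kaniko's args.
spec:
  params:
    - name: kanikoFlags
      type: array
      description: >
        List of argument flags such as '--build-arg' (length must match argumentKeys and secretKeys).
    - name: argumentKeys
      type: array
      description: >
        Keys to be used as the left-hand side of '--build-arg KEY=VALUE'.
    - name: secretKeys
      type: array
      description: >
        File names to read from the 'secret' workspace for the corresponding key's value.

  results:
    - name: kanikoArgs
      description: >
        Flat string of build arguments for Kaniko (e.g. '--build-arg KEY=VALUE ...').

  workspaces:
    - name: secret
      description: >
        Workspace where secret files (secretKeys) are mounted.

  steps:
    - name: build-arg-string
      # Tag-pinned only; pinning by digest would make the step image immutable.
      image: alpine:3.21.3
      workingDir: /workspace/secret
      # The three array params are flattened into one positional list, with a
      # literal '---' entry separating the sections. The separator is quoted
      # so it can never be read as a YAML document marker.
      args:
        - $(params.kanikoFlags[*])
        - '---'
        - $(params.argumentKeys[*])
        - '---'
        - $(params.secretKeys[*])
      script: |
        #!/bin/sh
        # POSIX sh only: /bin/sh in the alpine image is busybox ash, which has
        # no arrays, so the sections are addressed by position in "$@"
        # rather than copied into shell arrays.
        set -eu

        # nth N ARGS...: print the N-th of ARGS (1-based).
        nth() {
          shift "$1"
          printf '%s' "$1"
        }

        # Pass 1: count the entries of each section. The first '---' ends the
        # flags, the second ends the keys; any later '---' is skipped.
        section=flags
        flagCount=0
        keyCount=0
        secretCount=0
        for val in "$@"; do
          if [ "$val" = "---" ]; then
            case "$section" in
              flags) section=keys ;;
              keys) section=secrets ;;
            esac
            continue
          fi
          case "$section" in
            flags) flagCount=$((flagCount + 1)) ;;
            keys) keyCount=$((keyCount + 1)) ;;
            secrets) secretCount=$((secretCount + 1)) ;;
          esac
        done

        # Validate before any secret file is opened.
        if [ "$flagCount" -ne "$keyCount" ] || [ "$flagCount" -ne "$secretCount" ]; then
          echo "❌ Mismatched array lengths for flags, keys, or secrets." >&2
          exit 1
        fi

        # Pass 2: walk the secrets section and pair each entry with the flag
        # and key at the same index. Flags occupy positions 1..flagCount and
        # keys start right after the first separator.
        KANIKO_ARGS=""
        REDACTED_ARGS=""
        section=flags
        index=0
        for val in "$@"; do
          if [ "$val" = "---" ]; then
            case "$section" in
              flags) section=keys ;;
              keys) section=secrets ;;
            esac
            continue
          fi
          [ "$section" = secrets ] || continue

          index=$((index + 1))
          secretKey=$val
          kanikoFlag=$(nth "$index" "$@")
          argumentKey=$(nth "$((flagCount + 1 + index))" "$@")

          # Keep reads inside the workspace: reject absolute paths and any
          # '..' path component, since the file content ends up in the result.
          case "$secretKey" in
            /*|..|../*|*/..|*/../*)
              echo "❌ Invalid secret file name: $secretKey" >&2
              exit 1
              ;;
          esac

          if [ ! -f "$secretKey" ]; then
            echo "❌ Missing secret file: $secretKey" >&2
            exit 1
          fi

          # Read via redirection so a name starting with '-' is never parsed
          # as an option by cat.
          secretValue=$(cat < "$secretKey")

          # The leading space on the first entry matches the original output
          # format of this result.
          KANIKO_ARGS="$KANIKO_ARGS $kanikoFlag $argumentKey=$secretValue"
          REDACTED_ARGS="$REDACTED_ARGS $kanikoFlag $argumentKey=<redacted>"
        done

        # Log the shape of the arguments only; the values stay out of the log.
        echo "✅ Final Kaniko args (values redacted):"
        echo "$REDACTED_ARGS"

        # printf instead of 'echo -n' so no trailing newline is written
        # regardless of the shell's echo implementation.
        printf '%s' "$KANIKO_ARGS" > /tekton/results/kanikoArgs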