64 lines
2.0 KiB
YAML
64 lines
2.0 KiB
YAML
apiVersion: tekton.dev/v1
|
|
kind: Task
|
|
metadata:
|
|
name: secret-extract-kaniko
|
|
annotations:
|
|
description: >
|
|
This task reads secret values from a workspace and combines them with parameter keys
|
|
to produce '--build-arg KEY=VALUE' formatted strings for use with Kaniko or other CLI tools.
|
|
|
|
spec:
|
|
params:
|
|
- name: kanikoFlags
|
|
type: array
|
|
description: >
|
|
A list of argument flags (e.g. --build-arg, --verbosity) to be paired with key=value strings.
|
|
The index of each item should correspond with argumentKeys and secretKeys.
|
|
- name: argumentKeys
|
|
type: array
|
|
description: >
|
|
Build argument keys (e.g. PYPI_USERNAME)
|
|
- name: secretKeys
|
|
type: array
|
|
description: >
|
|
File names inside the secret workspace, used as values
|
|
|
|
workspaces:
|
|
- name: secret
|
|
description: Secret workspace with files matching secretKeys
|
|
|
|
results:
|
|
- name: kaniko-args
|
|
description: >
|
|
A space-separated string of arguments in the format '--build-arg KEY=VALUE', suitable for passing to the Kaniko executor.
|
|
|
|
steps:
|
|
- name: extract
|
|
image: alpine:3.21.3
|
|
workingDir: /workspace/secret
|
|
script: |
|
|
#!/bin/sh
|
|
set -e
|
|
|
|
KANIKO_FLAGS=($(params.kanikoFlags[*]))
|
|
ARGUMENT_KEYS=($(params.argumentKeys[*]))
|
|
SECRET_KEYS=($(params.secretKeys[*]))
|
|
|
|
FINAL_ARGS=""
|
|
|
|
for i in $(seq 0 $((${#KANIKO_FLAGS[@]} - 1))); do
|
|
KANIKO_FLAG="${KANIKO_FLAGS[$i]}"
|
|
ARGUMENT_KEY="${ARGUMENT_KEYS[$i]}"
|
|
SECRET_KEY="${SECRET_KEYS[$i]}"
|
|
|
|
if [ -f "$SECRET_KEY" ]; then
|
|
VAL=$(cat "$SECRET_KEY")
|
|
FINAL_ARGS="$FINAL_ARGS $KANIKO_FLAG $ARGUMENT_KEY=$VAL"
|
|
else
|
|
echo "❌ ERROR: Secret file '$SECRET_KEY' not found in workspace"
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
echo "✅ Final build args: $FINAL_ARGS"
|
|
echo -n "$FINAL_ARGS" > /tekton/results/kaniko-args |