diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 0a137c4d9a..dcd118dbba 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml @@ -71,6 +71,10 @@ spec: description: Name of secret which contains the entitlement certificates type: string default: "etc-pki-entitlement" + - name: OPTIONAL_SECRET + description: Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$OPTIONAL_SECRET + type: string + default: "" - name: BUILD_ARGS description: Array of --build-arg values ("arg=value" strings) type: array @@ -137,6 +141,8 @@ spec: value: $(params.BUILDER_IMAGE) - name: ENTITLEMENT_SECRET value: $(params.ENTITLEMENT_SECRET) + - name: OPTIONAL_SECRET + value: $(params.OPTIONAL_SECRET) - name: BUILD_ARGS_FILE value: $(params.BUILD_ARGS_FILE) - name: ADD_CAPABILITIES @@ -276,6 +282,13 @@ spec: echo "Adding the entitlement to the build" fi + OPTIONAL_SECRET_PATH="/optional-secret" + if [ -d "$OPTIONAL_SECRET_PATH" ]; then + cp -r --preserve=mode "$OPTIONAL_SECRET_PATH" /tmp/optional-secret + BUILDAH_ARGS+=("--secret=id=${OPTIONAL_SECRET},src=/tmp/optional-secret") + echo "Adding the secret ${OPTIONAL_SECRET} to the build, available at /run/secrets/${OPTIONAL_SECRET}" + fi + unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \ $VOLUME_MOUNTS \ "${BUILDAH_ARGS[@]}" \ @@ -313,6 +326,8 @@ spec: name: varlibcontainers - mountPath: "/entitlement" name: etc-pki-entitlement + - mountPath: "/optional-secret" + name: optional-secret - name: trusted-ca mountPath: /mnt/trusted-ca readOnly: true @@ -495,6 +510,10 @@ spec: secret: secretName: $(params.ENTITLEMENT_SECRET) optional: true + - name: optional-secret + secret: + secretName: $(params.OPTIONAL_SECRET) + optional: true - name: trusted-ca configMap: name: $(params.caTrustConfigMapName)
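Review bot: The `default: ""` on OPTIONAL_SECRET flows into `secretName: $(params.OPTIONAL_SECRET)` in the volumes hunk at the end of this diff, so a run that leaves the parameter unset requests a secret volume with an empty name. `optional: true` tolerates a Secret that does not exist, but I would not expect it to tolerate an empty name, which the API server is likely to reject at pod creation; this is worth confirming with a TaskRun that omits the parameter. A non-empty placeholder such as `default: "does-not-exist"` (a constructed sample value) would keep the unset path working. The description could also state that the build only sees the secret when the Containerfile asks for it with `RUN --mount=type=secret,id=<name>`.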
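Review bot: The `[ -d "$OPTIONAL_SECRET_PATH" ]` test in the script hunk does not show whether a secret was actually supplied. The mount is declared unconditionally, so the directory probably exists (empty) even when the optional Secret is absent, and the build is then given `--secret=id=,src=/tmp/optional-secret` with an empty id. Guarding on the name as well would avoid that: `if [ -n "${OPTIONAL_SECRET}" ] && [ -d "$OPTIONAL_SECRET_PATH" ]; then`. Separately, `src=` points at a directory (the copied volume, one file per key), whereas buildah documents the secret source as a file, so either confirm this form works or pass one `--secret` per key file. The surrounding script starts and ends outside this hunk, so I cannot see whether /tmp/optional-secret is removed after the build.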
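Review bot: The new `/optional-secret` volumeMount does not declare `readOnly: true`, unlike the `trusted-ca` mount directly below it. The script only copies from this path, so stating the intent explicitly costs nothing and keeps the secret mounts consistent: add `readOnly: true` under `name: optional-secret`. The neighbouring `/entitlement` mount has the same gap and could be aligned in the same change.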
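Review bot: The volume's `secretName: $(params.OPTIONAL_SECRET)` takes the Secret name straight from a run parameter, and nothing visible in this diff restricts which names are accepted. Whoever can set that parameter can therefore have any Secret in the TaskRun's namespace mounted into the build step and handed to Containerfile instructions via `--secret`. If pipeline definitions or parameters can come from less trusted contributors (for example from the repository being built), that widens what a build can read. I would document this next to the parameter, e.g. `# Any Secret in this namespace can be named here; its contents become readable by the Containerfile's RUN steps`. It is also worth considering an allow-list or naming convention enforced outside the task.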