diff --git a/task/buildah-oci-ta/0.1/README.md b/task/buildah-oci-ta/0.1/README.md index 3d8831c6c8..5c8c111afc 100644 --- a/task/buildah-oci-ta/0.1/README.md +++ b/task/buildah-oci-ta/0.1/README.md @@ -20,6 +20,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |HERMETIC|Determines if build will be executed without network access.|false|false| |IMAGE|Reference of the image buildah will produce.||true| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|OPTIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$OPTIONAL_SECRET|""|false| |PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| |TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index d1eec69fd9..374ddd2c7c 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -67,6 +67,11 @@ spec: hours, days, and weeks, respectively. type: string default: "" + - name: OPTIONAL_SECRET + description: Name of a secret which will be made available to the build + with 'buildah build --secret' at /run/secrets/$OPTIONAL_SECRET + type: string + default: "" - name: PREFETCH_INPUT description: In case it is not empty, the prefetched content should be made available to the build. @@ -125,6 +130,10 @@ spec: secret: optional: true secretName: $(params.ENTITLEMENT_SECRET) + - name: optional-secret + secret: + optional: true + secretName: $(params.OPTIONAL_SECRET) - name: shared emptyDir: {} - name: trusted-ca @@ -158,6 +167,8 @@ spec: value: $(params.IMAGE) - name: IMAGE_EXPIRES_AFTER value: $(params.IMAGE_EXPIRES_AFTER) + - name: OPTIONAL_SECRET + value: $(params.OPTIONAL_SECRET) - name: STORAGE_DRIVER value: vfs - name: TARGET_STAGE @@ -192,6 +203,8 @@ spec: name: varlibcontainers - mountPath: /entitlement name: etc-pki-entitlement + - mountPath: /optional-secret + name: optional-secret - mountPath: /mnt/trusted-ca name: trusted-ca readOnly: true @@ -314,6 +327,13 @@ spec: echo "Adding the entitlement to the build" fi + OPTIONAL_SECRET_PATH="/optional-secret" + if [ -d "$OPTIONAL_SECRET_PATH" ]; then + cp -r --preserve=mode "$OPTIONAL_SECRET_PATH" /tmp/optional-secret + BUILDAH_ARGS+=("--secret=id=${OPTIONAL_SECRET},src=/tmp/optional-secret") + echo "Adding the secret ${OPTIONAL_SECRET} to the build, available at /run/secrets/${OPTIONAL_SECRET}" + fi + unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \ $VOLUME_MOUNTS \ "${BUILDAH_ARGS[@]}" \ diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index 6fdd140f6c..c677dc4739 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -67,6 +67,11 @@ spec: respectively. name: IMAGE_EXPIRES_AFTER type: string + - default: "" + description: Name of a secret which will be made available to the build with 'buildah + build --secret' at /run/secrets/$OPTIONAL_SECRET + name: OPTIONAL_SECRET + type: string - default: "" description: In case it is not empty, the prefetched content should be made available to the build. @@ -142,6 +147,8 @@ spec: value: $(params.IMAGE) - name: IMAGE_EXPIRES_AFTER value: $(params.IMAGE_EXPIRES_AFTER) + - name: OPTIONAL_SECRET + value: $(params.OPTIONAL_SECRET) - name: STORAGE_DRIVER value: vfs - name: TARGET_STAGE @@ -213,6 +220,7 @@ spec: rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" rsync -ra /var/workdir/ "$SSH_HOST:$BUILD_DIR/volumes/workdir/" rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" + rsync -ra /optional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/optional-secret/" rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/" rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/" @@ -336,6 +344,13 @@ spec: echo "Adding the entitlement to the build" fi + OPTIONAL_SECRET_PATH="/optional-secret" + if [ -d "$OPTIONAL_SECRET_PATH" ]; then + cp -r --preserve=mode "$OPTIONAL_SECRET_PATH" /tmp/optional-secret + BUILDAH_ARGS+=("--secret=id=${OPTIONAL_SECRET},src=/tmp/optional-secret") + echo "Adding the secret ${OPTIONAL_SECRET} to the build, available at /run/secrets/${OPTIONAL_SECRET}" + fi + unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \ $VOLUME_MOUNTS \ "${BUILDAH_ARGS[@]}" \ @@ -378,6 +393,7 @@ spec: -e HERMETIC="$HERMETIC" \ -e IMAGE="$IMAGE" \ -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ + -e OPTIONAL_SECRET="$OPTIONAL_SECRET" \ -e STORAGE_DRIVER="$STORAGE_DRIVER" \ -e TARGET_STAGE="$TARGET_STAGE" \ -e TLSVERIFY="$TLSVERIFY" \ @@ -388,6 +404,7 @@ spec: -v "$BUILD_DIR/volumes/shared:/shared:Z" \ -v "$BUILD_DIR/volumes/workdir:/var/workdir:Z" \ -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \ + -v "$BUILD_DIR/volumes/optional-secret:/optional-secret:Z" \ -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \ -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ -v "$BUILD_DIR/tekton-results/:/tekton/results:Z" \ @@ -411,6 +428,8 @@ spec: name: varlibcontainers - mountPath: /entitlement name: etc-pki-entitlement + - mountPath: /optional-secret + name: optional-secret - mountPath: /mnt/trusted-ca name: trusted-ca readOnly: true @@ -584,6 +603,10 @@ spec: secret: optional: true secretName: $(params.ENTITLEMENT_SECRET) + - name: optional-secret + secret: + optional: true + secretName: $(params.OPTIONAL_SECRET) - emptyDir: {} name: shared - configMap: diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index 46d0c41a01..3de1970cf9 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -78,6 +78,11 @@ spec: description: Name of secret which contains the entitlement certificates name: ENTITLEMENT_SECRET type: string + - default: "" + description: Name of a secret which will be made available to the build with 'buildah + build --secret' at /run/secrets/$OPTIONAL_SECRET + name: OPTIONAL_SECRET + type: string - default: [] description: Array of --build-arg values ("arg=value" strings) name: BUILD_ARGS @@ -147,6 +152,8 @@ spec: value: $(params.BUILDER_IMAGE) - name: ENTITLEMENT_SECRET value: $(params.ENTITLEMENT_SECRET) + - name: OPTIONAL_SECRET + value: $(params.OPTIONAL_SECRET) - name: BUILD_ARGS_FILE value: $(params.BUILD_ARGS_FILE) - name: ADD_CAPABILITIES @@ -201,6 +208,7 @@ spec: rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/" rsync -ra /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" + rsync -ra /optional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/optional-secret/" rsync -ra /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/" rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/" @@ -328,6 +336,13 @@ spec: echo "Adding the entitlement to the build" fi + OPTIONAL_SECRET_PATH="/optional-secret" + if [ -d "$OPTIONAL_SECRET_PATH" ]; then + cp -r --preserve=mode "$OPTIONAL_SECRET_PATH" /tmp/optional-secret + BUILDAH_ARGS+=("--secret=id=${OPTIONAL_SECRET},src=/tmp/optional-secret") + echo "Adding the secret ${OPTIONAL_SECRET} to the build, available at /run/secrets/${OPTIONAL_SECRET}" + fi + unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \ $VOLUME_MOUNTS \ "${BUILDAH_ARGS[@]}" \ @@ -375,12 +390,14 @@ spec: -e TARGET_STAGE="$TARGET_STAGE" \ -e PARAM_BUILDER_IMAGE="$PARAM_BUILDER_IMAGE" \ -e ENTITLEMENT_SECRET="$ENTITLEMENT_SECRET" \ + -e OPTIONAL_SECRET="$OPTIONAL_SECRET" \ -e BUILD_ARGS_FILE="$BUILD_ARGS_FILE" \ -e ADD_CAPABILITIES="$ADD_CAPABILITIES" \ -e COMMIT_SHA="$COMMIT_SHA" \ -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \ -v "$BUILD_DIR/volumes/shared:/shared:Z" \ -v "$BUILD_DIR/volumes/etc-pki-entitlement:/entitlement:Z" \ + -v "$BUILD_DIR/volumes/optional-secret:/optional-secret:Z" \ -v "$BUILD_DIR/volumes/trusted-ca:/mnt/trusted-ca:Z" \ -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ -v "$BUILD_DIR/tekton-results/:/tekton/results:Z" \ @@ -404,6 +421,8 @@ spec: name: varlibcontainers - mountPath: /entitlement name: etc-pki-entitlement + - mountPath: /optional-secret + name: optional-secret - mountPath: /mnt/trusted-ca name: trusted-ca readOnly: true @@ -585,6 +604,10 @@ spec: secret: optional: true secretName: $(params.ENTITLEMENT_SECRET) + - name: optional-secret + secret: + optional: true + secretName: $(params.OPTIONAL_SECRET) - configMap: items: - key: $(params.caTrustConfigMapKey)