apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: buildah
  namespace: default
spec:
  description: |-
    Buildah task builds source into a container image and then pushes it to a container registry.
    Buildah Task builds source into a container image using Project Atomic's Buildah build tool.It uses Buildah's support for building from Dockerfiles, using its buildah bud command.This command executes the directives in the Dockerfile to assemble a container image, then pushes that image to a container registry.
  params:
  - description: Reference of the image buildah will produce.
    name: IMAGE
    type: string
  - default: quay.io/buildah/stable:v1
    description: The location of the buildah builder image.
    name: BUILDER_IMAGE
    type: string
  - default: overlay
    description: Set buildah storage driver
    name: STORAGE_DRIVER
    type: string
  - default: ./Dockerfile
    description: Path to the Dockerfile to build.
    name: DOCKERFILE
    type: string
  - default: .
    description: Path to the directory to use as context.
    name: CONTEXT
    type: string
  - default: "true"
    description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS
      registry)
    name: TLSVERIFY
    type: string
  - default: oci
    description: The format of the built container, oci or docker
    name: FORMAT
    type: string
  - default: ""
    description: Extra parameters passed for the build command when building images.
      WARNING - must be sanitized to avoid command injection
    name: BUILD_EXTRA_ARGS
    type: string
  - default: ""
    description: Extra parameters passed for the push command when pushing images.
      WARNING - must be sanitized to avoid command injection
    name: PUSH_EXTRA_ARGS
    type: string
  - default: "false"
    description: Skip pushing the built image
    name: SKIP_PUSH
    type: string
  - default:
    - ""
    description: Dockerfile build arguments, array of key=value
    name: BUILD_ARGS
    type: array
  results:
  - description: Digest of the image just built.
    name: IMAGE_DIGEST
    type: string
  - description: Image repository where the built image would be pushed to
    name: IMAGE_URL
    type: string
  steps:
  - args:
    - $(params.BUILD_ARGS[*])
    computeResources: {}
    env:
    - name: PARAM_IMAGE
      value: $(params.IMAGE)
    - name: PARAM_STORAGE_DRIVER
      value: $(params.STORAGE_DRIVER)
    - name: PARAM_DOCKERFILE
      value: $(params.DOCKERFILE)
    - name: PARAM_CONTEXT
      value: $(params.CONTEXT)
    - name: PARAM_TLSVERIFY
      value: $(params.TLSVERIFY)
    - name: PARAM_FORMAT
      value: $(params.FORMAT)
    - name: PARAM_BUILD_EXTRA_ARGS
      value: $(params.BUILD_EXTRA_ARGS)
    - name: PARAM_PUSH_EXTRA_ARGS
      value: $(params.PUSH_EXTRA_ARGS)
    - name: PARAM_SKIP_PUSH
      value: $(params.SKIP_PUSH)
    image: $(params.BUILDER_IMAGE)
    name: build-and-push
    script: |
      BUILD_ARGS=()
      for buildarg in "$@"
      do
        BUILD_ARGS+=("--build-arg=$buildarg")
      done
      [ "$(workspaces.sslcertdir.bound)" = "true" ] && CERT_DIR_FLAG="--cert-dir=$(workspaces.sslcertdir.path)"
      [ "$(workspaces.dockerconfig.bound)" = "true" ] && DOCKER_CONFIG="$(workspaces.dockerconfig.path)" && export DOCKER_CONFIG
      # build the image (CERT_DIR_FLAG should be omitted if empty and BUILD_EXTRA_ARGS can contain multiple args)
      # shellcheck disable=SC2046,SC2086
      buildah ${CERT_DIR_FLAG} "--storage-driver=${PARAM_STORAGE_DRIVER}" bud "${BUILD_ARGS[@]}" ${PARAM_BUILD_EXTRA_ARGS} \
        "--format=${PARAM_FORMAT}" "--tls-verify=${PARAM_TLSVERIFY}" \
        -f "${PARAM_DOCKERFILE}" -t "${PARAM_IMAGE}" "${PARAM_CONTEXT}"
      [ "${PARAM_SKIP_PUSH}" = "true" ] && echo "Push skipped" && exit 0
      # push the image (CERT_DIR_FLAG should be omitted if empty and PUSH_EXTRA_ARGS can contain multiple args)
      # shellcheck disable=SC2046,SC2086
      buildah ${CERT_DIR_FLAG} "--storage-driver=${PARAM_STORAGE_DRIVER}" push \
        "--tls-verify=${PARAM_TLSVERIFY}" --digestfile /tmp/image-digest ${PARAM_PUSH_EXTRA_ARGS} \
        "${PARAM_IMAGE}" "docker://${PARAM_IMAGE}"
      tee "$(results.IMAGE_DIGEST.path)" < /tmp/image-digest
      printf '%s' "${PARAM_IMAGE}" | tee "$(results.IMAGE_URL.path)"
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /var/lib/containers
      name: varlibcontainers
    workingDir: $(workspaces.source.path)
  volumes:
  - emptyDir: {}
    name: varlibcontainers
  workspaces:
  - name: source
  - name: sslcertdir
    optional: true
  - description: An optional workspace that allows providing a .docker/config.json
      file for Buildah to access the container registry. The file should be placed
      at the root of the Workspace with name config.json.
    name: dockerconfig
    optional: true