[s2i task]: support for Environment variables to set during build-time and don't require privileged Security Context
Signed-off-by: Zbynek Roubalik [email protected]
Changes
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you review them:
- [x] Follows the authoring recommendations
- [x] Includes [docs][docs] (if user facing)
- [x] Includes [tests][tests] (for new tasks or changed functionality)
- See the [end-to-end testing documentation][e2e] for guidance and CI details.
- [x] Meets the [Tekton contributor standards][contributor] (including functionality, content, code)
- [x] Commit messages follow [commit message best practices][commit]
- [x] Has a kind label. You can add one by adding a comment on this PR that contains `/kind <type>`. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
- [x] Complies with Catalog Organization TEP, see example. Note: An issue has been filed to automate this validation
  - [x] File path follows `<kind>/<name>/<version>/name.yaml`
  - [x] Has `README.md` at `<kind>/<name>/<version>/README.md`
  - [x] Has mandatory `metadata.labels` - `app.kubernetes.io/version` the same as the `<version>` of the resource
  - [x] Has mandatory `metadata.annotations` `tekton.dev/pipelines.minVersion`
  - [x] mandatory `spec.description` follows the convention

    ```
    spec:
      description: >-
        one line summary of the resource

        Paragraph(s) to describe the resource.
    ```

See the contribution guide for more details.
[docs]: https://github.com/tektoncd/community/blob/master/standards.md#docs
[tests]: https://github.com/tektoncd/community/blob/master/standards.md#tests
[e2e]: https://github.com/tektoncd/catalog/blob/main/CONTRIBUTING.md#end-to-end-testing
[contributor]: https://github.com/tektoncd/community/blob/main/standards.md
[commit]: https://github.com/tektoncd/community/blob/master/standards.md#commit-messages
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
To complete the pull request process, please assign vdemeester after the PR has been reviewed.
You can assign the PR to them by writing `/assign @vdemeester` in a comment when ready.
The full list of commands accepted by this bot can be found here.
Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment
Hi @zroubalik. Thanks for your PR.
I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with `/ok-to-test` on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the `ok-to-test` label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Diff between version 0.3 and 0.4
diff --git a/task/s2i/0.3/README.md b/task/s2i/0.4/README.md
index 7824d0f..df4fe1d 100644
--- a/task/s2i/0.3/README.md
+++ b/task/s2i/0.4/README.md
@@ -10,13 +10,12 @@ source code.
## Changelog
-- Renamed `IMAGE_NAME` parameter to `IMAGE`.
-- Add support for `dockerconfig` which can be provided via `workspaces`.
+- Add support for Environment variables to set during _build-time_ via `ENV_VARS` parameter.
## Install the Task
```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.3/raw
+kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.4/raw
```
## Parameters
@@ -27,12 +26,14 @@ kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.3/raw
(_default: ._).
- **TLSVERIFY**: Verify the TLS on the registry endpoint (for push/pull to a
non-TLS registry) (_default:_ `true`)
+- **LOGLEVEL**: Log level when running the S2I binary (_default:_ `0`)
+- **ENV_VARS**: Environment variables to set during _build-time_ (_optional_, _default_: [])
## Workspaces
- **source**: A [Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md) containing the source to build.
- **sslcertdir**: An [_optional_ Workspace](https://github.com/tektoncd/pipeline/blob/v0.17.0/docs/workspaces.md#optional-workspaces) containing your custom SSL certificates to connect to the registry. Buildah will look for files ending with \*.crt, \*.cert, \*.key into this workspace. See [this sample](./samples/openshift-internal-registry.yaml) for a complete example on how to use it with OpenShift internal registry.
-- **`dockerconfig`**: An [optional workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#using-workspaces-in-tasks) that allows providing a `.docker/config.json` file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name `config.json`. _(optional)_
+- **dockerconfig**: An [optional workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#using-workspaces-in-tasks) that allows providing a `.docker/config.json` file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name `config.json`. _(optional)_
## Results
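Review bot: The new `ENV_VARS` entry does not say what form each array item takes or where the values end up. The sample passes `NAME=VALUE` strings, and the `generate` step writes them to a file and prints that file to the step log, so the README should state the `NAME=VALUE` format and tell users not to pass credentials through this parameter. The `[]` default is also left outside backticks, unlike the `0` default on the `LOGLEVEL` line above it.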
@@ -125,6 +126,7 @@ spec:
storage: 100Mi
```
- **[`dockerconfig.yaml`](samples/dockerconfig.yaml)**: A PipelineRun configured to demonstrate usage of `dockerconfig` workspace for referencing `.docker/config.json` file.
+- **[`env-vars.yaml`](samples/env-vars.yaml)**: A PipelineRun configured to provide _build-time_ environment variables.
Here is a non-exhaustive list of well maintained s2i builder image
(from [`sclorg`](https://github.com/sclorg/)):
diff --git a/task/s2i/0.3/s2i.yaml b/task/s2i/0.4/s2i.yaml
index 52bc0f7..5bec431 100644
--- a/task/s2i/0.3/s2i.yaml
+++ b/task/s2i/0.4/s2i.yaml
@@ -3,7 +3,7 @@ kind: Task
metadata:
name: s2i
labels:
- app.kubernetes.io/version: "0.3"
+ app.kubernetes.io/version: "0.4"
annotations:
tekton.dev/pipelines.minVersion: "0.17.0"
tekton.dev/categories: Image Build
@@ -33,6 +33,10 @@ spec:
- name: LOGLEVEL
description: Log level when running the S2I binary
default: "0"
+ - name: ENV_VARS
+ type: array
+ description: Environment variables to set during _build-time_.
+ default: []
workspaces:
- name: source
- name: sslcertdir
@@ -50,17 +54,27 @@ spec:
- name: generate
image: quay.io/openshift-pipeline/s2i:nightly
workingDir: $(workspaces.source.path)
- command:
- - /usr/local/bin/s2i
- - --loglevel=$(params.LOGLEVEL)
- - build
- - $(params.PATH_CONTEXT)
- - $(params.BUILDER_IMAGE)
- - --as-dockerfile
- - /gen-source/Dockerfile.gen
+ args: ["$(params.ENV_VARS[*])"]
+ script: |
+ echo "Processing Build Environment Variables"
+ echo "" > /env-vars/env-file
+ for var in "$@"
+ do
+ echo "$var" >> /env-vars/env-file
+ done
+
+ echo "Generated Build Env Var file"
+ echo "------------------------------"
+ cat /env-vars/env-file
+ echo "------------------------------"
+
+ /usr/local/bin/s2i --loglevel=$(params.LOGLEVEL) build $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) \
+ --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-vars/env-file
volumeMounts:
- mountPath: /gen-source
name: gen-source
+ - mountPath: /env-vars
+ name: env-vars
- name: build
image: quay.io/buildah/stable:v1.17.0
workingDir: /gen-source
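Review bot: The last command of the `generate` script splices `$(params.LOGLEVEL)`, `$(params.PATH_CONTEXT)` and `$(params.BUILDER_IMAGE)` into the script text unquoted, which the removed `command:` array did not do: each value used to be a single argv entry and is now parsed by the shell. Pass them through the step's `env` and reference them as quoted shell variables, as the Catlin warning suggests. Separately, `cat /env-vars/env-file` prints every build-time variable to the step log, readable by anyone with access to the TaskRun logs; drop the dump or print only the variable names. `echo "" > /env-vars/env-file` also leaves an empty first line in the file handed to `--environment-file`; `: > /env-vars/env-file` truncates without writing one.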
@@ -84,3 +98,6 @@ spec:
name: varlibcontainers
- emptyDir: {}
name: gen-source
+ - emptyDir: {}
+ name: env-vars
+
diff --git a/task/s2i/0.4/samples/env-vars.yaml b/task/s2i/0.4/samples/env-vars.yaml
new file mode 100644
index 0000000..4a92199
--- /dev/null
+++ b/task/s2i/0.4/samples/env-vars.yaml
@@ -0,0 +1,56 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ name: s2i-test-pipeline-run
+spec:
+ pipelineSpec:
+ workspaces:
+ - name: shared-workspace
+ - name: sslcertdir
+ optional: true
+ - name: dockerconfig
+ optional: true
+ tasks:
+ - name: fetch-repository
+ taskRef:
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: shared-workspace
+ params:
+ - name: url
+ value: https://github.com/sclorg/nodejs-ex
+ - name: subdirectory
+ value: ""
+ - name: deleteExisting
+ value: "true"
+ - name: s2i
+ taskRef:
+ name: s2i
+ runAfter:
+ - fetch-repository
+ workspaces:
+ - name: source
+ workspace: shared-workspace
+ params:
+ - name: BUILDER_IMAGE
+ value: quay.io/centos7/nodejs-12-centos7
+ - name: TLSVERIFY
+ value: "false"
+ - name: LOGLEVEL
+ value: "10"
+ - name: IMAGE
+ value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/$(context.pipelineRun.name)
+ - name: ENV_VARS
+ value:
+ - "ENV_VAR_1=VALUE_1"
+ - "ENV_VAR_2=VALUE 2"
+ workspaces:
+ - name: shared-workspace
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 100Mi
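Review bot: The sample sets `TLSVERIFY` to `"false"` while pushing to `image-registry.openshift-image-registry.svc:5000`, so a file meant to demonstrate `ENV_VARS` also teaches disabling registry TLS verification. Bind the `sslcertdir` workspace that the pipeline already declares and leave `TLSVERIFY` at its default, or add a comment that the setting is for the test cluster only. `LOGLEVEL: "10"` is likewise not needed to show the feature, and `BUILDER_IMAGE` is referenced by a mutable tag rather than a digest.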
Catlin Output
FILE: task/s2i/0.4/s2i.yaml
HINT : Task: tekton.dev/v1beta1 - name: "s2i" is missing a readable display name annotation("tekton.dev/displayName")
WARN : Step "generate" references "$(params.LOGLEVEL)" directly from its script block. For reliability and security, consider putting the param into an environment variable of the Step and accessing that environment variable in your script instead.
WARN : Step "build" references "$(params.TLSVERIFY)" directly from its script block. For reliability and security, consider putting the param into an environment variable of the Step and accessing that environment variable in your script instead.
Catlin script lint Output
ERROR: /usr/bin/shellcheck, [-s sh] failed:
In s2i-generate line 14:
/usr/local/bin/s2i --loglevel=$(params.LOGLEVEL) build $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) \
^----------------^ SC2046: Quote this to prevent word splitting.
^--------------------^ SC2046: Quote this to prevent word splitting.
^---------------------^ SC2046: Quote this to prevent word splitting.
For more information:
https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
ERROR: /usr/bin/shellcheck, [-s sh] failed:
In s2i-build line 2:
[[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
^-- SC3010: In POSIX sh, [[ ]] is undefined.
In s2i-build line 3:
buildah ${CERT_DIR_FLAG} bud --tls-verify=$(params.TLSVERIFY) --layers \
^--------------^ SC2086: Double quote to prevent globbing and word splitting.
^-----------------^ SC2046: Quote this to prevent word splitting.
Did you mean:
buildah "${CERT_DIR_FLAG}" bud --tls-verify=$(params.TLSVERIFY) --layers \
In s2i-build line 4:
-f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
^-------------^ SC2046: Quote this to prevent word splitting.
In s2i-build line 5:
[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
^-- SC3010: In POSIX sh, [[ ]] is undefined.
^-----------^ SC2155: Declare and assign separately to avoid masking return values.
In s2i-build line 6:
buildah ${CERT_DIR_FLAG} push --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
^--------------^ SC2086: Double quote to prevent globbing and word splitting.
^-----------------^ SC2046: Quote this to prevent word splitting.
^-----------------------^ SC2046: Quote this to prevent word splitting.
Did you mean:
buildah "${CERT_DIR_FLAG}" push --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
In s2i-build line 7:
$(params.IMAGE) docker://$(params.IMAGE)
^-------------^ SC2046: Quote this to prevent word splitting.
^-------------^ SC2046: Quote this to prevent word splitting.
In s2i-build line 8:
cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
^-----------------------^ SC2046: Quote this to prevent word splitting.
^-- SC2002: Useless cat. Consider 'cmd < file | ..' or 'cmd file | ..' instead.
For more information:
https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
https://www.shellcheck.net/wiki/SC2155 -- Declare and assign separately to ...
https://www.shellcheck.net/wiki/SC3010 -- In POSIX sh, [[ ]] is undefined.
Diff between version 0.3 and 0.4
diff --git a/task/s2i/0.3/README.md b/task/s2i/0.4/README.md
index 7824d0f..85fcfb1 100644
--- a/task/s2i/0.3/README.md
+++ b/task/s2i/0.4/README.md
@@ -10,13 +10,13 @@ source code.
## Changelog
-- Renamed `IMAGE_NAME` parameter to `IMAGE`.
-- Add support for `dockerconfig` which can be provided via `workspaces`.
+- Add support for Environment variables to set during _build-time_ via `ENV_VARS` parameter.
+- Privileged Security Context is no longer required.
## Install the Task
```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.3/raw
+kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.4/raw
```
## Parameters
@@ -27,12 +27,14 @@ kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.3/raw
(_default: ._).
- **TLSVERIFY**: Verify the TLS on the registry endpoint (for push/pull to a
non-TLS registry) (_default:_ `true`)
+- **LOGLEVEL**: Log level when running the S2I binary (_default:_ `0`)
+- **ENV_VARS**: Environment variables to set during _build-time_ (_optional_, _default_: [])
## Workspaces
- **source**: A [Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md) containing the source to build.
- **sslcertdir**: An [_optional_ Workspace](https://github.com/tektoncd/pipeline/blob/v0.17.0/docs/workspaces.md#optional-workspaces) containing your custom SSL certificates to connect to the registry. Buildah will look for files ending with \*.crt, \*.cert, \*.key into this workspace. See [this sample](./samples/openshift-internal-registry.yaml) for a complete example on how to use it with OpenShift internal registry.
-- **`dockerconfig`**: An [optional workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#using-workspaces-in-tasks) that allows providing a `.docker/config.json` file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name `config.json`. _(optional)_
+- **dockerconfig**: An [optional workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#using-workspaces-in-tasks) that allows providing a `.docker/config.json` file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name `config.json`. _(optional)_
## Results
@@ -125,6 +127,7 @@ spec:
storage: 100Mi
```
- **[`dockerconfig.yaml`](samples/dockerconfig.yaml)**: A PipelineRun configured to demonstrate usage of `dockerconfig` workspace for referencing `.docker/config.json` file.
+- **[`env-vars.yaml`](samples/env-vars.yaml)**: A PipelineRun configured to provide _build-time_ environment variables.
Here is a non-exhaustive list of well maintained s2i builder image
(from [`sclorg`](https://github.com/sclorg/)):
diff --git a/task/s2i/0.3/s2i.yaml b/task/s2i/0.4/s2i.yaml
index 52bc0f7..43e2ff0 100644
--- a/task/s2i/0.3/s2i.yaml
+++ b/task/s2i/0.4/s2i.yaml
@@ -3,7 +3,7 @@ kind: Task
metadata:
name: s2i
labels:
- app.kubernetes.io/version: "0.3"
+ app.kubernetes.io/version: "0.4"
annotations:
tekton.dev/pipelines.minVersion: "0.17.0"
tekton.dev/categories: Image Build
@@ -33,6 +33,10 @@ spec:
- name: LOGLEVEL
description: Log level when running the S2I binary
default: "0"
+ - name: ENV_VARS
+ type: array
+ description: Environment variables to set during _build-time_.
+ default: []
workspaces:
- name: source
- name: sslcertdir
@@ -50,27 +54,39 @@ spec:
- name: generate
image: quay.io/openshift-pipeline/s2i:nightly
workingDir: $(workspaces.source.path)
- command:
- - /usr/local/bin/s2i
- - --loglevel=$(params.LOGLEVEL)
- - build
- - $(params.PATH_CONTEXT)
- - $(params.BUILDER_IMAGE)
- - --as-dockerfile
- - /gen-source/Dockerfile.gen
+ args: ["$(params.ENV_VARS[*])"]
+ script: |
+ echo "Processing Build Environment Variables"
+ echo "" > /env-vars/env-file
+ for var in "$@"
+ do
+ echo "$var" >> /env-vars/env-file
+ done
+
+ echo "Generated Build Env Var file"
+ echo "------------------------------"
+ cat /env-vars/env-file
+ echo "------------------------------"
+
+ /usr/local/bin/s2i --loglevel=$(params.LOGLEVEL) build $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) \
+ --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-vars/env-file
volumeMounts:
- mountPath: /gen-source
name: gen-source
+ - mountPath: /env-vars
+ name: env-vars
- name: build
image: quay.io/buildah/stable:v1.17.0
workingDir: /gen-source
script: |
[[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
- buildah ${CERT_DIR_FLAG} bud --tls-verify=$(params.TLSVERIFY) --layers \
+ buildah ${CERT_DIR_FLAG} bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
-f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
+
[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
- buildah ${CERT_DIR_FLAG} push --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
+ buildah ${CERT_DIR_FLAG} push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
$(params.IMAGE) docker://$(params.IMAGE)
+
cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
volumeMounts:
- name: varlibcontainers
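Review bot: `--storage-driver=vfs` is hard-coded on both the `buildah bud` and `buildah push` lines, and neither the README hunk nor a comment explains it. vfs keeps a full copy of each layer, so builds get slower and use more space in the `varlibcontainers` volume; say in the README that this is the cost of dropping `privileged: true`, and consider exposing the driver as a task parameter with `vfs` as the default so clusters that allow another driver can opt in.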
@@ -78,9 +94,13 @@ spec:
- mountPath: /gen-source
name: gen-source
securityContext:
- privileged: true
+ capabilities:
+ add: ["SETFCAP"]
volumes:
- emptyDir: {}
name: varlibcontainers
- emptyDir: {}
name: gen-source
+ - emptyDir: {}
+ name: env-vars
+
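Review bot: The `securityContext` now only adds `SETFCAP`; it does not set `allowPrivilegeEscalation: false` or drop the capabilities the step does not need, so the container keeps the runtime's default capability set plus the added one. If the build still passes with a tighter context, add `drop` entries and `allowPrivilegeEscalation: false`. Either way, note in the README that `SETFCAP` must be permitted by the cluster's pod security settings, since the changelog line only says the privileged context is no longer required.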
diff --git a/task/s2i/0.4/samples/env-vars.yaml b/task/s2i/0.4/samples/env-vars.yaml
new file mode 100644
index 0000000..4a92199
--- /dev/null
+++ b/task/s2i/0.4/samples/env-vars.yaml
@@ -0,0 +1,56 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ name: s2i-test-pipeline-run
+spec:
+ pipelineSpec:
+ workspaces:
+ - name: shared-workspace
+ - name: sslcertdir
+ optional: true
+ - name: dockerconfig
+ optional: true
+ tasks:
+ - name: fetch-repository
+ taskRef:
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: shared-workspace
+ params:
+ - name: url
+ value: https://github.com/sclorg/nodejs-ex
+ - name: subdirectory
+ value: ""
+ - name: deleteExisting
+ value: "true"
+ - name: s2i
+ taskRef:
+ name: s2i
+ runAfter:
+ - fetch-repository
+ workspaces:
+ - name: source
+ workspace: shared-workspace
+ params:
+ - name: BUILDER_IMAGE
+ value: quay.io/centos7/nodejs-12-centos7
+ - name: TLSVERIFY
+ value: "false"
+ - name: LOGLEVEL
+ value: "10"
+ - name: IMAGE
+ value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/$(context.pipelineRun.name)
+ - name: ENV_VARS
+ value:
+ - "ENV_VAR_1=VALUE_1"
+ - "ENV_VAR_2=VALUE 2"
+ workspaces:
+ - name: shared-workspace
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 100Mi
Catlin Output
FILE: task/s2i/0.4/s2i.yaml
HINT : Task: tekton.dev/v1beta1 - name: "s2i" is missing a readable display name annotation("tekton.dev/displayName")
WARN : Step "generate" references "$(params.LOGLEVEL)" directly from its script block. For reliability and security, consider putting the param into an environment variable of the Step and accessing that environment variable in your script instead.
WARN : Step "build" references "$(params.TLSVERIFY)" directly from its script block. For reliability and security, consider putting the param into an environment variable of the Step and accessing that environment variable in your script instead.
Catlin script lint Output
ERROR: /usr/bin/shellcheck, [-s sh] failed:
In s2i-generate line 14:
/usr/local/bin/s2i --loglevel=$(params.LOGLEVEL) build $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) \
^----------------^ SC2046: Quote this to prevent word splitting.
^--------------------^ SC2046: Quote this to prevent word splitting.
^---------------------^ SC2046: Quote this to prevent word splitting.
For more information:
https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
ERROR: /usr/bin/shellcheck, [-s sh] failed:
In s2i-build line 2:
[[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
^-- SC3010: In POSIX sh, [[ ]] is undefined.
In s2i-build line 3:
buildah ${CERT_DIR_FLAG} bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
^--------------^ SC2086: Double quote to prevent globbing and word splitting.
^-----------------^ SC2046: Quote this to prevent word splitting.
Did you mean:
buildah "${CERT_DIR_FLAG}" bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
In s2i-build line 4:
-f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
^-------------^ SC2046: Quote this to prevent word splitting.
In s2i-build line 6:
[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
^-- SC3010: In POSIX sh, [[ ]] is undefined.
^-----------^ SC2155: Declare and assign separately to avoid masking return values.
In s2i-build line 7:
buildah ${CERT_DIR_FLAG} push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
^--------------^ SC2086: Double quote to prevent globbing and word splitting.
^-----------------^ SC2046: Quote this to prevent word splitting.
^-----------------------^ SC2046: Quote this to prevent word splitting.
Did you mean:
buildah "${CERT_DIR_FLAG}" push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
In s2i-build line 8:
$(params.IMAGE) docker://$(params.IMAGE)
^-------------^ SC2046: Quote this to prevent word splitting.
^-------------^ SC2046: Quote this to prevent word splitting.
In s2i-build line 10:
cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
^-----------------------^ SC2046: Quote this to prevent word splitting.
^-- SC2002: Useless cat. Consider 'cmd < file | ..' or 'cmd file | ..' instead.
For more information:
https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
https://www.shellcheck.net/wiki/SC2155 -- Declare and assign separately to ...
https://www.shellcheck.net/wiki/SC3010 -- In POSIX sh, [[ ]] is undefined.
/ok-to-test
Diff between version 0.3 and 0.4
diff --git a/task/s2i/0.3/README.md b/task/s2i/0.4/README.md
index 7824d0f..85fcfb1 100644
--- a/task/s2i/0.3/README.md
+++ b/task/s2i/0.4/README.md
@@ -10,13 +10,13 @@ source code.
## Changelog
-- Renamed `IMAGE_NAME` parameter to `IMAGE`.
-- Add support for `dockerconfig` which can be provided via `workspaces`.
+- Add support for Environment variables to set during _build-time_ via `ENV_VARS` parameter.
+- Privileged Security Context is no longer required.
## Install the Task
```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.3/raw
+kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.4/raw
```
## Parameters
@@ -27,12 +27,14 @@ kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.3/raw
(_default: ._).
- **TLSVERIFY**: Verify the TLS on the registry endpoint (for push/pull to a
non-TLS registry) (_default:_ `true`)
+- **LOGLEVEL**: Log level when running the S2I binary (_default:_ `0`)
+- **ENV_VARS**: Environment variables to set during _build-time_ (_optional_, _default_: [])
## Workspaces
- **source**: A [Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md) containing the source to build.
- **sslcertdir**: An [_optional_ Workspace](https://github.com/tektoncd/pipeline/blob/v0.17.0/docs/workspaces.md#optional-workspaces) containing your custom SSL certificates to connect to the registry. Buildah will look for files ending with \*.crt, \*.cert, \*.key into this workspace. See [this sample](./samples/openshift-internal-registry.yaml) for a complete example on how to use it with OpenShift internal registry.
-- **`dockerconfig`**: An [optional workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#using-workspaces-in-tasks) that allows providing a `.docker/config.json` file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name `config.json`. _(optional)_
+- **dockerconfig**: An [optional workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#using-workspaces-in-tasks) that allows providing a `.docker/config.json` file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name `config.json`. _(optional)_
## Results
@@ -125,6 +127,7 @@ spec:
storage: 100Mi
```
- **[`dockerconfig.yaml`](samples/dockerconfig.yaml)**: A PipelineRun configured to demonstrate usage of `dockerconfig` workspace for referencing `.docker/config.json` file.
+- **[`env-vars.yaml`](samples/env-vars.yaml)**: A PipelineRun configured to provide _build-time_ environment variables.
Here is a non-exhaustive list of well maintained s2i builder image
(from [`sclorg`](https://github.com/sclorg/)):
diff --git a/task/s2i/0.3/s2i.yaml b/task/s2i/0.4/s2i.yaml
index 52bc0f7..1d92157 100644
--- a/task/s2i/0.3/s2i.yaml
+++ b/task/s2i/0.4/s2i.yaml
@@ -3,7 +3,7 @@ kind: Task
metadata:
name: s2i
labels:
- app.kubernetes.io/version: "0.3"
+ app.kubernetes.io/version: "0.4"
annotations:
tekton.dev/pipelines.minVersion: "0.17.0"
tekton.dev/categories: Image Build
@@ -33,6 +33,10 @@ spec:
- name: LOGLEVEL
description: Log level when running the S2I binary
default: "0"
+ - name: ENV_VARS
+ type: array
+ description: Environment variables to set during _build-time_.
+ default: []
workspaces:
- name: source
- name: sslcertdir
@@ -50,27 +54,40 @@ spec:
- name: generate
image: quay.io/openshift-pipeline/s2i:nightly
workingDir: $(workspaces.source.path)
- command:
- - /usr/local/bin/s2i
- - --loglevel=$(params.LOGLEVEL)
- - build
- - $(params.PATH_CONTEXT)
- - $(params.BUILDER_IMAGE)
- - --as-dockerfile
- - /gen-source/Dockerfile.gen
+ args: ["$(params.ENV_VARS[*])"]
+ script: |
+ echo "Processing Build Environment Variables"
+ echo "" > /env-vars/env-file
+ for var in "$@"
+ do
+ echo "$var" >> /env-vars/env-file
+ done
+
+ echo "Generated Build Env Var file"
+ echo "------------------------------"
+ cat /env-vars/env-file
+ echo "------------------------------"
+
+ /usr/local/bin/s2i --loglevel=$(params.LOGLEVEL) build $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) \
+ --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-vars/env-file
volumeMounts:
- mountPath: /gen-source
name: gen-source
+ - mountPath: /env-vars
+ name: env-vars
- name: build
image: quay.io/buildah/stable:v1.17.0
workingDir: /gen-source
script: |
[[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
- buildah ${CERT_DIR_FLAG} bud --tls-verify=$(params.TLSVERIFY) --layers \
- -f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
- buildah ${CERT_DIR_FLAG} push --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
+
+ buildah ${CERT_DIR_FLAG} bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
+ -f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
+
+ buildah ${CERT_DIR_FLAG} push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
$(params.IMAGE) docker://$(params.IMAGE)
+
cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
volumeMounts:
- name: varlibcontainers
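Review bot: The `build` script uses `[[ ... ]]` on its first two lines but has no shebang, and the Catlin script lint checks it as `sh` (SC3010); add `#!/usr/bin/env bash` as the first script line so the interpreter is explicit. Do not apply ShellCheck's suggested `"${CERT_DIR_FLAG}"` as is: the variable holds a flag and its value in one string, so quoting it would pass `--cert-dir <path>` as a single argument, or an empty argument when the workspace is unbound. Build the optional flag with `set --` or a bash array and expand that quoted. Moving the `DOCKER_CONFIG` export above `buildah bud` also means the build itself now uses those registry credentials, which deserves a changelog line.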
@@ -78,9 +95,13 @@ spec:
- mountPath: /gen-source
name: gen-source
securityContext:
- privileged: true
+ capabilities:
+ add: ["SETFCAP"]
volumes:
- emptyDir: {}
name: varlibcontainers
- emptyDir: {}
name: gen-source
+ - emptyDir: {}
+ name: env-vars
+
diff --git a/task/s2i/0.4/samples/env-vars.yaml b/task/s2i/0.4/samples/env-vars.yaml
new file mode 100644
index 0000000..4a92199
--- /dev/null
+++ b/task/s2i/0.4/samples/env-vars.yaml
@@ -0,0 +1,56 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ name: s2i-test-pipeline-run
+spec:
+ pipelineSpec:
+ workspaces:
+ - name: shared-workspace
+ - name: sslcertdir
+ optional: true
+ - name: dockerconfig
+ optional: true
+ tasks:
+ - name: fetch-repository
+ taskRef:
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: shared-workspace
+ params:
+ - name: url
+ value: https://github.com/sclorg/nodejs-ex
+ - name: subdirectory
+ value: ""
+ - name: deleteExisting
+ value: "true"
+ - name: s2i
+ taskRef:
+ name: s2i
+ runAfter:
+ - fetch-repository
+ workspaces:
+ - name: source
+ workspace: shared-workspace
+ params:
+ - name: BUILDER_IMAGE
+ value: quay.io/centos7/nodejs-12-centos7
+ - name: TLSVERIFY
+ value: "false"
+ - name: LOGLEVEL
+ value: "10"
+ - name: IMAGE
+ value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/$(context.pipelineRun.name)
+ - name: ENV_VARS
+ value:
+ - "ENV_VAR_1=VALUE_1"
+ - "ENV_VAR_2=VALUE 2"
+ workspaces:
+ - name: shared-workspace
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 100Mi
diff --git a/task/s2i/0.3/tests/pre-apply-task-hook.sh b/task/s2i/0.4/tests/pre-apply-task-hook.sh
index 54f0b9b..3e061a9 100755
--- a/task/s2i/0.3/tests/pre-apply-task-hook.sh
+++ b/task/s2i/0.4/tests/pre-apply-task-hook.sh
@@ -3,4 +3,4 @@
add_sidecar_secure_registry
# Add git-clone
-add_task git-clone 0.7
+add_task git-clone latest
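Review bot: `add_task git-clone latest` makes the test depend on whichever git-clone version is newest when CI runs, so an unrelated git-clone release can break or change this task's e2e run and the result is not reproducible. Keep an explicit version (bump `0.7` to the one the sample needs) and update it deliberately.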
Catlin Output
FILE: task/s2i/0.4/s2i.yaml
HINT : Task: tekton.dev/v1beta1 - name: "s2i" is missing a readable display name annotation("tekton.dev/displayName")
WARN : Step "generate" references "$(params.LOGLEVEL)" directly from its script block. For reliability and security, consider putting the param into an environment variable of the Step and accessing that environment variable in your script instead.
WARN : Step "build" references "$(params.TLSVERIFY)" directly from its script block. For reliability and security, consider putting the param into an environment variable of the Step and accessing that environment variable in your script instead.
Catlin script lint Output
ERROR: /usr/bin/shellcheck, [-s sh] failed:
In s2i-generate line 14:
/usr/local/bin/s2i --loglevel=$(params.LOGLEVEL) build $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) \
^----------------^ SC2046: Quote this to prevent word splitting.
^--------------------^ SC2046: Quote this to prevent word splitting.
^---------------------^ SC2046: Quote this to prevent word splitting.
For more information:
https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
ERROR: /usr/bin/shellcheck, [-s sh] failed:
In s2i-build line 2:
[[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
^-- SC3010: In POSIX sh, [[ ]] is undefined.
In s2i-build line 3:
[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
^-- SC3010: In POSIX sh, [[ ]] is undefined.
^-----------^ SC2155: Declare and assign separately to avoid masking return values.
In s2i-build line 5:
buildah ${CERT_DIR_FLAG} bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
^--------------^ SC2086: Double quote to prevent globbing and word splitting.
^-----------------^ SC2046: Quote this to prevent word splitting.
Did you mean:
buildah "${CERT_DIR_FLAG}" bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
In s2i-build line 6:
-f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
^-------------^ SC2046: Quote this to prevent word splitting.
In s2i-build line 8:
buildah ${CERT_DIR_FLAG} push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
^--------------^ SC2086: Double quote to prevent globbing and word splitting.
^-----------------^ SC2046: Quote this to prevent word splitting.
^-----------------------^ SC2046: Quote this to prevent word splitting.
Did you mean:
buildah "${CERT_DIR_FLAG}" push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
In s2i-build line 9:
$(params.IMAGE) docker://$(params.IMAGE)
^-------------^ SC2046: Quote this to prevent word splitting.
^-------------^ SC2046: Quote this to prevent word splitting.
In s2i-build line 11:
cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
^-----------------------^ SC2046: Quote this to prevent word splitting.
^-- SC2002: Useless cat. Consider 'cmd < file | ..' or 'cmd file | ..' instead.
For more information:
https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
https://www.shellcheck.net/wiki/SC2155 -- Declare and assign separately to ...
https://www.shellcheck.net/wiki/SC3010 -- In POSIX sh, [[ ]] is undefined.
Diff between version 0.3 and 0.4
diff --git a/task/s2i/0.3/README.md b/task/s2i/0.4/README.md
index 7824d0f..85fcfb1 100644
--- a/task/s2i/0.3/README.md
+++ b/task/s2i/0.4/README.md
@@ -10,13 +10,13 @@ source code.
## Changelog
-- Renamed `IMAGE_NAME` parameter to `IMAGE`.
-- Add support for `dockerconfig` which can be provided via `workspaces`.
+- Add support for Environment variables to set during _build-time_ via `ENV_VARS` parameter.
+- Privileged Security Context is no longer required.
## Install the Task
```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.3/raw
+kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.4/raw
```
## Parameters
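Review bot: The new changelog entry "Privileged Security Context is no longer required" omits that the `build` step now adds the `SETFCAP` capability instead (see the `securityContext` change in `s2i.yaml`). Clusters that restrict added capabilities need to know this before upgrading, so name the capability in this entry.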
@@ -27,12 +27,14 @@ kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.3/raw
(_default: ._).
- **TLSVERIFY**: Verify the TLS on the registry endpoint (for push/pull to a
non-TLS registry) (_default:_ `true`)
+- **LOGLEVEL**: Log level when running the S2I binary (_default:_ `0`)
+- **ENV_VARS**: Environment variables to set during _build-time_ (_optional_, _default_: [])
## Workspaces
- **source**: A [Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md) containing the source to build.
- **sslcertdir**: An [_optional_ Workspace](https://github.com/tektoncd/pipeline/blob/v0.17.0/docs/workspaces.md#optional-workspaces) containing your custom SSL certificates to connect to the registry. Buildah will look for files ending with \*.crt, \*.cert, \*.key into this workspace. See [this sample](./samples/openshift-internal-registry.yaml) for a complete example on how to use it with OpenShift internal registry.
-- **`dockerconfig`**: An [optional workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#using-workspaces-in-tasks) that allows providing a `.docker/config.json` file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name `config.json`. _(optional)_
+- **dockerconfig**: An [optional workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#using-workspaces-in-tasks) that allows providing a `.docker/config.json` file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name `config.json`. _(optional)_
## Results
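Review bot: The `ENV_VARS` entry in the parameter list does not say what each array item must look like. The sample passes `KEY=VALUE` strings and the `generate` step writes each item as one line of the file given to `--environment-file`, so document that format here, and state that the file is printed to the step log, which matters when a value is sensitive.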
@@ -125,6 +127,7 @@ spec:
storage: 100Mi
```
- **[`dockerconfig.yaml`](samples/dockerconfig.yaml)**: A PipelineRun configured to demonstrate usage of `dockerconfig` workspace for referencing `.docker/config.json` file.
+- **[`env-vars.yaml`](samples/env-vars.yaml)**: A PipelineRun configured to provide _build-time_ environment variables.
Here is a non-exhaustive list of well maintained s2i builder image
(from [`sclorg`](https://github.com/sclorg/)):
diff --git a/task/s2i/0.3/s2i.yaml b/task/s2i/0.4/s2i.yaml
index 52bc0f7..72d23f4 100644
--- a/task/s2i/0.3/s2i.yaml
+++ b/task/s2i/0.4/s2i.yaml
@@ -3,7 +3,7 @@ kind: Task
metadata:
name: s2i
labels:
- app.kubernetes.io/version: "0.3"
+ app.kubernetes.io/version: "0.4"
annotations:
tekton.dev/pipelines.minVersion: "0.17.0"
tekton.dev/categories: Image Build
@@ -33,6 +33,10 @@ spec:
- name: LOGLEVEL
description: Log level when running the S2I binary
default: "0"
+ - name: ENV_VARS
+ type: array
+ description: Environment variables to set during _build-time_.
+ default: []
workspaces:
- name: source
- name: sslcertdir
@@ -50,27 +54,40 @@ spec:
- name: generate
image: quay.io/openshift-pipeline/s2i:nightly
workingDir: $(workspaces.source.path)
- command:
- - /usr/local/bin/s2i
- - --loglevel=$(params.LOGLEVEL)
- - build
- - $(params.PATH_CONTEXT)
- - $(params.BUILDER_IMAGE)
- - --as-dockerfile
- - /gen-source/Dockerfile.gen
+ args: ["$(params.ENV_VARS[*])"]
+ script: |
+ echo "Processing Build Environment Variables"
+ echo "" > /env-vars/env-file
+ for var in "$@"
+ do
+ echo "$var" >> /env-vars/env-file
+ done
+
+ echo "Generated Build Env Var file"
+ echo "------------------------------"
+ cat /env-vars/env-file
+ echo "------------------------------"
+
+ /usr/local/bin/s2i --loglevel=$(params.LOGLEVEL) build $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) \
+ --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-vars/env-file
volumeMounts:
- mountPath: /gen-source
name: gen-source
+ - mountPath: /env-vars
+ name: env-vars
- name: build
image: quay.io/buildah/stable:v1.17.0
workingDir: /gen-source
script: |
[[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
- buildah ${CERT_DIR_FLAG} bud --tls-verify=$(params.TLSVERIFY) --layers \
- -f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
- buildah ${CERT_DIR_FLAG} push --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
+
+ buildah ${CERT_DIR_FLAG} bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
+ -f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
+
+ buildah ${CERT_DIR_FLAG} push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
$(params.IMAGE) docker://$(params.IMAGE)
+
cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
volumeMounts:
- name: varlibcontainers
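Review bot: Moving the `generate` step from a `command` array to a `script` puts `$(params.LOGLEVEL)`, `$(params.PATH_CONTEXT)` and `$(params.BUILDER_IMAGE)` into shell text, where the removed array passed each one to `s2i` as a single argument with no shell involved. Tekton substitutes these before the shell parses the script, so a value containing spaces or shell metacharacters changes the command line. Expose each param through the step's `env` and reference it quoted, for example `--loglevel="${LOGLEVEL}"`; the same applies to `$(params.TLSVERIFY)` and `$(params.IMAGE)` in the `build` script.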
@@ -78,9 +95,13 @@ spec:
- mountPath: /gen-source
name: gen-source
securityContext:
- privileged: true
+ capabilities:
+ add: ["SETFCAP"]
volumes:
- emptyDir: {}
name: varlibcontainers
- emptyDir: {}
name: gen-source
+ - emptyDir: {}
+ name: env-vars
+
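Review bot: The `securityContext` of the `build` step replaces `privileged: true` with `capabilities.add: ["SETFCAP"]` but gives no comment on why buildah needs that capability, and the lines shown set neither `runAsUser` nor `allowPrivilegeEscalation`, so a reader cannot tell what privilege the step still expects. Add a short comment with the reason, and drop the stray empty `+` line at the end of the file.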
diff --git a/task/s2i/0.4/samples/env-vars.yaml b/task/s2i/0.4/samples/env-vars.yaml
new file mode 100644
index 0000000..4a92199
--- /dev/null
+++ b/task/s2i/0.4/samples/env-vars.yaml
@@ -0,0 +1,56 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ name: s2i-test-pipeline-run
+spec:
+ pipelineSpec:
+ workspaces:
+ - name: shared-workspace
+ - name: sslcertdir
+ optional: true
+ - name: dockerconfig
+ optional: true
+ tasks:
+ - name: fetch-repository
+ taskRef:
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: shared-workspace
+ params:
+ - name: url
+ value: https://github.com/sclorg/nodejs-ex
+ - name: subdirectory
+ value: ""
+ - name: deleteExisting
+ value: "true"
+ - name: s2i
+ taskRef:
+ name: s2i
+ runAfter:
+ - fetch-repository
+ workspaces:
+ - name: source
+ workspace: shared-workspace
+ params:
+ - name: BUILDER_IMAGE
+ value: quay.io/centos7/nodejs-12-centos7
+ - name: TLSVERIFY
+ value: "false"
+ - name: LOGLEVEL
+ value: "10"
+ - name: IMAGE
+ value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/$(context.pipelineRun.name)
+ - name: ENV_VARS
+ value:
+ - "ENV_VAR_1=VALUE_1"
+ - "ENV_VAR_2=VALUE 2"
+ workspaces:
+ - name: shared-workspace
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 100Mi
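Review bot: The sample sets `TLSVERIFY` to `"false"` and `LOGLEVEL` to `"10"` in the `s2i` task params, neither of which is needed to demonstrate `ENV_VARS`, and samples tend to be copied as-is. The pipeline already declares the optional `sslcertdir` workspace, so bind it (or add a comment that disabling verification is only for this registry) and leave `LOGLEVEL` at its default.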
diff --git a/task/s2i/0.3/tests/pre-apply-task-hook.sh b/task/s2i/0.4/tests/pre-apply-task-hook.sh
index 54f0b9b..3e061a9 100755
--- a/task/s2i/0.3/tests/pre-apply-task-hook.sh
+++ b/task/s2i/0.4/tests/pre-apply-task-hook.sh
@@ -3,4 +3,4 @@
add_sidecar_secure_registry
# Add git-clone
-add_task git-clone 0.7
+add_task git-clone latest
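Review bot: `add_task git-clone latest` replaces the pinned `0.7`, so the test now runs against whatever version of `git-clone` is current and can change behaviour without any change to this task. Pin the specific version the sample was verified with.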
Catlin Output
FILE: task/s2i/0.4/s2i.yaml
HINT : Task: tekton.dev/v1beta1 - name: "s2i" is missing a readable display name annotation("tekton.dev/displayName")
WARN : Step "generate" references "$(params.LOGLEVEL)" directly from its script block. For reliability and security, consider putting the param into an environment variable of the Step and accessing that environment variable in your script instead.
WARN : Step "build" references "$(params.TLSVERIFY)" directly from its script block. For reliability and security, consider putting the param into an environment variable of the Step and accessing that environment variable in your script instead.
Catlin script lint Output
ERROR: /usr/bin/shellcheck, [-s sh] failed:
In s2i-generate line 14:
/usr/local/bin/s2i --loglevel=$(params.LOGLEVEL) build $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) \
^----------------^ SC2046: Quote this to prevent word splitting.
^--------------------^ SC2046: Quote this to prevent word splitting.
^---------------------^ SC2046: Quote this to prevent word splitting.
For more information:
https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
ERROR: /usr/bin/shellcheck, [-s sh] failed:
In s2i-build line 2:
[[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
^-- SC3010: In POSIX sh, [[ ]] is undefined.
In s2i-build line 3:
[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
^-- SC3010: In POSIX sh, [[ ]] is undefined.
^-----------^ SC2155: Declare and assign separately to avoid masking return values.
In s2i-build line 5:
buildah ${CERT_DIR_FLAG} bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
^--------------^ SC2086: Double quote to prevent globbing and word splitting.
^-----------------^ SC2046: Quote this to prevent word splitting.
Did you mean:
buildah "${CERT_DIR_FLAG}" bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
In s2i-build line 6:
-f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
^-------------^ SC2046: Quote this to prevent word splitting.
In s2i-build line 8:
buildah ${CERT_DIR_FLAG} push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
^--------------^ SC2086: Double quote to prevent globbing and word splitting.
^-----------------^ SC2046: Quote this to prevent word splitting.
^-----------------------^ SC2046: Quote this to prevent word splitting.
Did you mean:
buildah "${CERT_DIR_FLAG}" push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
In s2i-build line 9:
$(params.IMAGE) docker://$(params.IMAGE)
^-------------^ SC2046: Quote this to prevent word splitting.
^-------------^ SC2046: Quote this to prevent word splitting.
In s2i-build line 11:
cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
^-----------------------^ SC2046: Quote this to prevent word splitting.
^-- SC2002: Useless cat. Consider 'cmd < file | ..' or 'cmd file | ..' instead.
For more information:
https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
https://www.shellcheck.net/wiki/SC2155 -- Declare and assign separately to ...
https://www.shellcheck.net/wiki/SC3010 -- In POSIX sh, [[ ]] is undefined.
Diff between version 0.3 and 0.4
diff --git a/task/s2i/0.3/README.md b/task/s2i/0.4/README.md
index 7824d0f..85fcfb1 100644
--- a/task/s2i/0.3/README.md
+++ b/task/s2i/0.4/README.md
@@ -10,13 +10,13 @@ source code.
## Changelog
-- Renamed `IMAGE_NAME` parameter to `IMAGE`.
-- Add support for `dockerconfig` which can be provided via `workspaces`.
+- Add support for Environment variables to set during _build-time_ via `ENV_VARS` parameter.
+- Privileged Security Context is no longer required.
## Install the Task
```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.3/raw
+kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.4/raw
```
## Parameters
@@ -27,12 +27,14 @@ kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.3/raw
(_default: ._).
- **TLSVERIFY**: Verify the TLS on the registry endpoint (for push/pull to a
non-TLS registry) (_default:_ `true`)
+- **LOGLEVEL**: Log level when running the S2I binary (_default:_ `0`)
+- **ENV_VARS**: Environment variables to set during _build-time_ (_optional_, _default_: [])
## Workspaces
- **source**: A [Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md) containing the source to build.
- **sslcertdir**: An [_optional_ Workspace](https://github.com/tektoncd/pipeline/blob/v0.17.0/docs/workspaces.md#optional-workspaces) containing your custom SSL certificates to connect to the registry. Buildah will look for files ending with \*.crt, \*.cert, \*.key into this workspace. See [this sample](./samples/openshift-internal-registry.yaml) for a complete example on how to use it with OpenShift internal registry.
-- **`dockerconfig`**: An [optional workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#using-workspaces-in-tasks) that allows providing a `.docker/config.json` file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name `config.json`. _(optional)_
+- **dockerconfig**: An [optional workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#using-workspaces-in-tasks) that allows providing a `.docker/config.json` file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name `config.json`. _(optional)_
## Results
@@ -125,6 +127,7 @@ spec:
storage: 100Mi
```
- **[`dockerconfig.yaml`](samples/dockerconfig.yaml)**: A PipelineRun configured to demonstrate usage of `dockerconfig` workspace for referencing `.docker/config.json` file.
+- **[`env-vars.yaml`](samples/env-vars.yaml)**: A PipelineRun configured to provide _build-time_ environment variables.
Here is a non-exhaustive list of well maintained s2i builder image
(from [`sclorg`](https://github.com/sclorg/)):
diff --git a/task/s2i/0.3/s2i.yaml b/task/s2i/0.4/s2i.yaml
index 52bc0f7..aa5b9fc 100644
--- a/task/s2i/0.3/s2i.yaml
+++ b/task/s2i/0.4/s2i.yaml
@@ -3,7 +3,7 @@ kind: Task
metadata:
name: s2i
labels:
- app.kubernetes.io/version: "0.3"
+ app.kubernetes.io/version: "0.4"
annotations:
tekton.dev/pipelines.minVersion: "0.17.0"
tekton.dev/categories: Image Build
@@ -33,6 +33,10 @@ spec:
- name: LOGLEVEL
description: Log level when running the S2I binary
default: "0"
+ - name: ENV_VARS
+ type: array
+ description: Environment variables to set during _build-time_.
+ default: []
workspaces:
- name: source
- name: sslcertdir
@@ -50,27 +54,40 @@ spec:
- name: generate
image: quay.io/openshift-pipeline/s2i:nightly
workingDir: $(workspaces.source.path)
- command:
- - /usr/local/bin/s2i
- - --loglevel=$(params.LOGLEVEL)
- - build
- - $(params.PATH_CONTEXT)
- - $(params.BUILDER_IMAGE)
- - --as-dockerfile
- - /gen-source/Dockerfile.gen
+ args: ["$(params.ENV_VARS[*])"]
+ script: |
+ echo "Processing Build Environment Variables"
+ echo "" > /env-vars/env-file
+ for var in "$@"
+ do
+ echo "$var" >> /env-vars/env-file
+ done
+
+ echo "Generated Build Env Var file"
+ echo "------------------------------"
+ cat /env-vars/env-file
+ echo "------------------------------"
+
+ /usr/local/bin/s2i --loglevel=$(params.LOGLEVEL) build $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) \
+ --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-vars/env-file
volumeMounts:
- mountPath: /gen-source
name: gen-source
+ - mountPath: /env-vars
+ name: env-vars
- name: build
image: quay.io/buildah/stable:v1.17.0
workingDir: /gen-source
script: |
[[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
- buildah ${CERT_DIR_FLAG} bud --tls-verify=$(params.TLSVERIFY) --layers \
- -f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
- buildah ${CERT_DIR_FLAG} push --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
+
+ buildah ${CERT_DIR_FLAG} bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
+ -f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
+
+ buildah ${CERT_DIR_FLAG} push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
$(params.IMAGE) docker://$(params.IMAGE)
+
cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
volumeMounts:
- name: varlibcontainers
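Review bot: In the `generate` script, `cat /env-vars/env-file` prints every `ENV_VARS` entry to the step log, so any credential or token passed as a build-time variable ends up in the TaskRun logs. Drop the dump or print only the variable names. Separately, `echo "" > /env-vars/env-file` starts the file with an empty line; `: > /env-vars/env-file` truncates without one, and `printf '%s\n' "$var"` avoids `echo` mangling an entry that begins with `-` or contains backslashes.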
@@ -78,9 +95,12 @@ spec:
- mountPath: /gen-source
name: gen-source
securityContext:
- privileged: true
+ capabilities:
+ add: ["SETFCAP"]
volumes:
- emptyDir: {}
name: varlibcontainers
- emptyDir: {}
name: gen-source
+ - emptyDir: {}
+ name: env-vars
diff --git a/task/s2i/0.4/samples/env-vars.yaml b/task/s2i/0.4/samples/env-vars.yaml
new file mode 100644
index 0000000..4a92199
--- /dev/null
+++ b/task/s2i/0.4/samples/env-vars.yaml
@@ -0,0 +1,56 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ name: s2i-test-pipeline-run
+spec:
+ pipelineSpec:
+ workspaces:
+ - name: shared-workspace
+ - name: sslcertdir
+ optional: true
+ - name: dockerconfig
+ optional: true
+ tasks:
+ - name: fetch-repository
+ taskRef:
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: shared-workspace
+ params:
+ - name: url
+ value: https://github.com/sclorg/nodejs-ex
+ - name: subdirectory
+ value: ""
+ - name: deleteExisting
+ value: "true"
+ - name: s2i
+ taskRef:
+ name: s2i
+ runAfter:
+ - fetch-repository
+ workspaces:
+ - name: source
+ workspace: shared-workspace
+ params:
+ - name: BUILDER_IMAGE
+ value: quay.io/centos7/nodejs-12-centos7
+ - name: TLSVERIFY
+ value: "false"
+ - name: LOGLEVEL
+ value: "10"
+ - name: IMAGE
+ value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/$(context.pipelineRun.name)
+ - name: ENV_VARS
+ value:
+ - "ENV_VAR_1=VALUE_1"
+ - "ENV_VAR_2=VALUE 2"
+ workspaces:
+ - name: shared-workspace
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 100Mi
diff --git a/task/s2i/0.3/tests/pre-apply-task-hook.sh b/task/s2i/0.4/tests/pre-apply-task-hook.sh
index 54f0b9b..3e061a9 100755
--- a/task/s2i/0.3/tests/pre-apply-task-hook.sh
+++ b/task/s2i/0.4/tests/pre-apply-task-hook.sh
@@ -3,4 +3,4 @@
add_sidecar_secure_registry
# Add git-clone
-add_task git-clone 0.7
+add_task git-clone latest
Catlin Output
FILE: task/s2i/0.4/s2i.yaml
HINT : Task: tekton.dev/v1beta1 - name: "s2i" is missing a readable display name annotation("tekton.dev/displayName")
WARN : Step "generate" references "$(params.LOGLEVEL)" directly from its script block. For reliability and security, consider putting the param into an environment variable of the Step and accessing that environment variable in your script instead.
WARN : Step "build" references "$(params.TLSVERIFY)" directly from its script block. For reliability and security, consider putting the param into an environment variable of the Step and accessing that environment variable in your script instead.
Catlin script lint Output
ERROR: /usr/bin/shellcheck, [-s sh] failed:
In s2i-generate line 14:
/usr/local/bin/s2i --loglevel=$(params.LOGLEVEL) build $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) \
^----------------^ SC2046: Quote this to prevent word splitting.
^--------------------^ SC2046: Quote this to prevent word splitting.
^---------------------^ SC2046: Quote this to prevent word splitting.
For more information:
https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
ERROR: /usr/bin/shellcheck, [-s sh] failed:
In s2i-build line 2:
[[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
^-- SC3010: In POSIX sh, [[ ]] is undefined.
In s2i-build line 3:
[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
^-- SC3010: In POSIX sh, [[ ]] is undefined.
^-----------^ SC2155: Declare and assign separately to avoid masking return values.
In s2i-build line 5:
buildah ${CERT_DIR_FLAG} bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
^--------------^ SC2086: Double quote to prevent globbing and word splitting.
^-----------------^ SC2046: Quote this to prevent word splitting.
Did you mean:
buildah "${CERT_DIR_FLAG}" bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
In s2i-build line 6:
-f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
^-------------^ SC2046: Quote this to prevent word splitting.
In s2i-build line 8:
buildah ${CERT_DIR_FLAG} push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
^--------------^ SC2086: Double quote to prevent globbing and word splitting.
^-----------------^ SC2046: Quote this to prevent word splitting.
^-----------------------^ SC2046: Quote this to prevent word splitting.
Did you mean:
buildah "${CERT_DIR_FLAG}" push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
In s2i-build line 9:
$(params.IMAGE) docker://$(params.IMAGE)
^-------------^ SC2046: Quote this to prevent word splitting.
^-------------^ SC2046: Quote this to prevent word splitting.
In s2i-build line 11:
cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
^-----------------------^ SC2046: Quote this to prevent word splitting.
^-- SC2002: Useless cat. Consider 'cmd < file | ..' or 'cmd file | ..' instead.
For more information:
https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
https://www.shellcheck.net/wiki/SC2155 -- Declare and assign separately to ...
https://www.shellcheck.net/wiki/SC3010 -- In POSIX sh, [[ ]] is undefined.
Diff between version 0.3 and 0.4
diff --git a/task/s2i/0.3/README.md b/task/s2i/0.4/README.md
index 7824d0f..85fcfb1 100644
--- a/task/s2i/0.3/README.md
+++ b/task/s2i/0.4/README.md
@@ -10,13 +10,13 @@ source code.
## Changelog
-- Renamed `IMAGE_NAME` parameter to `IMAGE`.
-- Add support for `dockerconfig` which can be provided via `workspaces`.
+- Add support for Environment variables to set during _build-time_ via `ENV_VARS` parameter.
+- Privileged Security Context is no longer required.
## Install the Task
```bash
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.3/raw
+kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.4/raw
```
## Parameters
@@ -27,12 +27,14 @@ kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/s2i/0.3/raw
(_default: ._).
- **TLSVERIFY**: Verify the TLS on the registry endpoint (for push/pull to a
non-TLS registry) (_default:_ `true`)
+- **LOGLEVEL**: Log level when running the S2I binary (_default:_ `0`)
+- **ENV_VARS**: Environment variables to set during _build-time_ (_optional_, _default_: [])
## Workspaces
- **source**: A [Workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md) containing the source to build.
- **sslcertdir**: An [_optional_ Workspace](https://github.com/tektoncd/pipeline/blob/v0.17.0/docs/workspaces.md#optional-workspaces) containing your custom SSL certificates to connect to the registry. Buildah will look for files ending with \*.crt, \*.cert, \*.key into this workspace. See [this sample](./samples/openshift-internal-registry.yaml) for a complete example on how to use it with OpenShift internal registry.
-- **`dockerconfig`**: An [optional workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#using-workspaces-in-tasks) that allows providing a `.docker/config.json` file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name `config.json`. _(optional)_
+- **dockerconfig**: An [optional workspace](https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#using-workspaces-in-tasks) that allows providing a `.docker/config.json` file for Buildah to access the container registry. The file should be placed at the root of the Workspace with name `config.json`. _(optional)_
## Results
@@ -125,6 +127,7 @@ spec:
storage: 100Mi
```
- **[`dockerconfig.yaml`](samples/dockerconfig.yaml)**: A PipelineRun configured to demonstrate usage of `dockerconfig` workspace for referencing `.docker/config.json` file.
+- **[`env-vars.yaml`](samples/env-vars.yaml)**: A PipelineRun configured to provide _build-time_ environment variables.
Here is a non-exhaustive list of well maintained s2i builder image
(from [`sclorg`](https://github.com/sclorg/)):
diff --git a/task/s2i/0.3/s2i.yaml b/task/s2i/0.4/s2i.yaml
index 52bc0f7..72976de 100644
--- a/task/s2i/0.3/s2i.yaml
+++ b/task/s2i/0.4/s2i.yaml
@@ -3,7 +3,7 @@ kind: Task
metadata:
name: s2i
labels:
- app.kubernetes.io/version: "0.3"
+ app.kubernetes.io/version: "0.4"
annotations:
tekton.dev/pipelines.minVersion: "0.17.0"
tekton.dev/categories: Image Build
@@ -33,6 +33,10 @@ spec:
- name: LOGLEVEL
description: Log level when running the S2I binary
default: "0"
+ - name: ENV_VARS
+ type: array
+ description: Environment variables to set during _build-time_.
+ default: []
workspaces:
- name: source
- name: sslcertdir
@@ -50,27 +54,40 @@ spec:
- name: generate
image: quay.io/openshift-pipeline/s2i:nightly
workingDir: $(workspaces.source.path)
- command:
- - /usr/local/bin/s2i
- - --loglevel=$(params.LOGLEVEL)
- - build
- - $(params.PATH_CONTEXT)
- - $(params.BUILDER_IMAGE)
- - --as-dockerfile
- - /gen-source/Dockerfile.gen
+ args: ["$(params.ENV_VARS[*])"]
+ script: |
+ echo "Processing Build Environment Variables"
+ echo "" > /env-vars/env-file
+ for var in "$@"
+ do
+ echo "$var" >> /env-vars/env-file
+ done
+
+ echo "Generated Build Env Var file"
+ echo "------------------------------"
+ cat /env-vars/env-file
+ echo "------------------------------"
+
+ /usr/local/bin/s2i --loglevel=$(params.LOGLEVEL) build $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) \
+ --as-dockerfile /gen-source/Dockerfile.gen --environment-file /env-vars/env-file
volumeMounts:
- mountPath: /gen-source
name: gen-source
+ - mountPath: /env-vars
+ name: env-vars
- name: build
image: quay.io/buildah/stable:v1.17.0
workingDir: /gen-source
script: |
[[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
- buildah ${CERT_DIR_FLAG} bud --tls-verify=$(params.TLSVERIFY) --layers \
- -f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
- buildah ${CERT_DIR_FLAG} push --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
+
+ buildah ${CERT_DIR_FLAG} bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
+ -f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
+
+ buildah ${CERT_DIR_FLAG} push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
$(params.IMAGE) docker://$(params.IMAGE)
+
cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
volumeMounts:
- name: varlibcontainers
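Review bot: The `build` script uses `[[ ... ]]` but has no shebang, and the lint run checks it as `sh` (SC3010), so either start the script with `#!/usr/bin/env bash` or use `[ "$(workspaces.sslcertdir.bound)" = "true" ]`. Be careful with the linter's quoting suggestion for the `buildah` lines: `"${CERT_DIR_FLAG}"` would pass `--cert-dir <path>` to buildah as a single word, or an empty argument when the workspace is unbound. Keep only the path in the variable and add the option conditionally, e.g. `${CERT_DIR:+--cert-dir "$CERT_DIR"}`.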
@@ -78,9 +95,12 @@ spec:
- mountPath: /gen-source
name: gen-source
securityContext:
- privileged: true
+ capabilities:
+ add: ["SETFCAP"]
volumes:
- emptyDir: {}
name: varlibcontainers
- emptyDir: {}
name: gen-source
+ - emptyDir: {}
+ name: env-vars
diff --git a/task/s2i/0.4/samples/env-vars.yaml b/task/s2i/0.4/samples/env-vars.yaml
new file mode 100644
index 0000000..4a92199
--- /dev/null
+++ b/task/s2i/0.4/samples/env-vars.yaml
@@ -0,0 +1,56 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ name: s2i-test-pipeline-run
+spec:
+ pipelineSpec:
+ workspaces:
+ - name: shared-workspace
+ - name: sslcertdir
+ optional: true
+ - name: dockerconfig
+ optional: true
+ tasks:
+ - name: fetch-repository
+ taskRef:
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: shared-workspace
+ params:
+ - name: url
+ value: https://github.com/sclorg/nodejs-ex
+ - name: subdirectory
+ value: ""
+ - name: deleteExisting
+ value: "true"
+ - name: s2i
+ taskRef:
+ name: s2i
+ runAfter:
+ - fetch-repository
+ workspaces:
+ - name: source
+ workspace: shared-workspace
+ params:
+ - name: BUILDER_IMAGE
+ value: quay.io/centos7/nodejs-12-centos7
+ - name: TLSVERIFY
+ value: "false"
+ - name: LOGLEVEL
+ value: "10"
+ - name: IMAGE
+ value: image-registry.openshift-image-registry.svc:5000/$(context.pipelineRun.namespace)/$(context.pipelineRun.name)
+ - name: ENV_VARS
+ value:
+ - "ENV_VAR_1=VALUE_1"
+ - "ENV_VAR_2=VALUE 2"
+ workspaces:
+ - name: shared-workspace
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 100Mi
diff --git a/task/s2i/0.3/tests/pre-apply-task-hook.sh b/task/s2i/0.4/tests/pre-apply-task-hook.sh
index 54f0b9b..3e061a9 100755
--- a/task/s2i/0.3/tests/pre-apply-task-hook.sh
+++ b/task/s2i/0.4/tests/pre-apply-task-hook.sh
@@ -3,4 +3,4 @@
add_sidecar_secure_registry
# Add git-clone
-add_task git-clone 0.7
+add_task git-clone latest
Catlin Output
FILE: task/s2i/0.4/s2i.yaml
HINT : Task: tekton.dev/v1beta1 - name: "s2i" is missing a readable display name annotation("tekton.dev/displayName")
WARN : Step "generate" references "$(params.LOGLEVEL)" directly from its script block. For reliability and security, consider putting the param into an environment variable of the Step and accessing that environment variable in your script instead.
WARN : Step "build" references "$(params.TLSVERIFY)" directly from its script block. For reliability and security, consider putting the param into an environment variable of the Step and accessing that environment variable in your script instead.
Catlin script lint Output
ERROR: /usr/bin/shellcheck, [-s sh] failed:
In s2i-generate line 14:
/usr/local/bin/s2i --loglevel=$(params.LOGLEVEL) build $(params.PATH_CONTEXT) $(params.BUILDER_IMAGE) \
^----------------^ SC2046: Quote this to prevent word splitting.
^--------------------^ SC2046: Quote this to prevent word splitting.
^---------------------^ SC2046: Quote this to prevent word splitting.
For more information:
https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
ERROR: /usr/bin/shellcheck, [-s sh] failed:
In s2i-build line 2:
[[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
^-- SC3010: In POSIX sh, [[ ]] is undefined.
In s2i-build line 3:
[[ "$(workspaces.dockerconfig.bound)" == "true" ]] && export DOCKER_CONFIG="$(workspaces.dockerconfig.path)"
^-- SC3010: In POSIX sh, [[ ]] is undefined.
^-----------^ SC2155: Declare and assign separately to avoid masking return values.
In s2i-build line 5:
buildah ${CERT_DIR_FLAG} bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
^--------------^ SC2086: Double quote to prevent globbing and word splitting.
^-----------------^ SC2046: Quote this to prevent word splitting.
Did you mean:
buildah "${CERT_DIR_FLAG}" bud --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --layers \
In s2i-build line 6:
-f /gen-source/Dockerfile.gen -t $(params.IMAGE) .
^-------------^ SC2046: Quote this to prevent word splitting.
In s2i-build line 8:
buildah ${CERT_DIR_FLAG} push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
^--------------^ SC2086: Double quote to prevent globbing and word splitting.
^-----------------^ SC2046: Quote this to prevent word splitting.
^-----------------------^ SC2046: Quote this to prevent word splitting.
Did you mean:
buildah "${CERT_DIR_FLAG}" push --storage-driver=vfs --tls-verify=$(params.TLSVERIFY) --digestfile $(workspaces.source.path)/image-digest \
In s2i-build line 9:
$(params.IMAGE) docker://$(params.IMAGE)
^-------------^ SC2046: Quote this to prevent word splitting.
^-------------^ SC2046: Quote this to prevent word splitting.
In s2i-build line 11:
cat $(workspaces.source.path)/image-digest | tee /tekton/results/IMAGE_DIGEST
^-----------------------^ SC2046: Quote this to prevent word splitting.
^-- SC2002: Useless cat. Consider 'cmd < file | ..' or 'cmd file | ..' instead.
For more information:
https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitt...
https://www.shellcheck.net/wiki/SC2155 -- Declare and assign separately to ...
https://www.shellcheck.net/wiki/SC3010 -- In POSIX sh, [[ ]] is undefined.
/retest
@zroubalik: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
Test name | Commit | Details | Required | Rerun command |
---|---|---|---|---|
pull-tekton-catalog-integration-tests | 6cf3a2727b084c12d0eb653aa26ec5908fe98615 | link | true | /test pull-tekton-catalog-integration-tests |
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
@vinamra28 any idea why the e2e test fails?
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle stale
Send feedback to tektoncd/plumbing.
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle rotten
Send feedback to tektoncd/plumbing.
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/close
Send feedback to tektoncd/plumbing.
@tekton-robot: Closed this PR.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/close
Send feedback to tektoncd/plumbing.