brandonros · September 21, 2023 23:05
diff --git a/kaniko.yaml b/kaniko.yaml
 apiVersion: tekton.dev/v1beta1
 kind: Task
 metadata:
  name: kaniko
  labels:
    app.kubernetes.io/version: "0.6"
  annotations:
    tekton.dev/pipelines.minVersion: "0.17.0"
    tekton.dev/categories: Image Build
    tekton.dev/tags: image-build
    tekton.dev/displayName: "Build and upload container image using Kaniko"
    tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le"
 spec:
  description: >-
    This Task builds a simple Dockerfile with kaniko and pushes to a registry.
    This Task stores the image name and digest as results, allowing Tekton Chains to pick up
    that an image was built & sign it.
  params:
    - name: IMAGE
      description: Name (reference) of the image to build.
    - name: DOCKERFILE
      description: Path to the Dockerfile to build.
      default: ./Dockerfile
    - name: CONTEXT
      description: The build context used by Kaniko.
      default: ./
    - name: EXTRA_ARGS
      type: array
      default: []
    - name: BUILDER_IMAGE
      description: The image on which builds will run (default is v1.5.1)
      default: gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5
  workspaces:
    - name: source
      description: Holds the context and Dockerfile
    - name: dockerconfig
      description: Includes a docker `config.json`
      optional: true
      mountPath: /kaniko/.docker
  results:
    - name: IMAGE_DIGEST
      description: Digest of the image just built.
    - name: IMAGE_URL
      description: URL of the image just built.
  steps:
    - name: build-and-push
      workingDir: $(workspaces.source.path)
      image: $(params.BUILDER_IMAGE)
      volumeMounts:
        - name: docker-registry-ca-volume
          mountPath: /kaniko/.custom-certs/
          readOnly: true
      args:
        - $(params.EXTRA_ARGS)
        - --dockerfile=$(params.DOCKERFILE)
        - --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source.
        - --destination=$(params.IMAGE)
        - --digest-file=$(results.IMAGE_DIGEST.path)
      # kaniko assumes it is running as root, which means this example fails on platforms
      # that default to run containers as random uid (like OpenShift). Adding this securityContext
      # makes it explicit that it needs to run as root.
      securityContext:
        runAsUser: 0
    - name: write-url
      image: docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9
      script: |
        set -e
        image="$(params.IMAGE)"
        echo -n "${image}" | tee "$(results.IMAGE_URL.path)"
	apiVersion: tekton.dev/v1beta1
	kind: Task
	metadata:
	name: kaniko
	labels:
	app.kubernetes.io/version: "0.6"
	annotations:
	tekton.dev/pipelines.minVersion: "0.17.0"
	tekton.dev/categories: Image Build
	tekton.dev/tags: image-build
	tekton.dev/displayName: "Build and upload container image using Kaniko"
	tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le"
	spec:
	description: >-
	This Task builds a simple Dockerfile with kaniko and pushes to a registry.
	This Task stores the image name and digest as results, allowing Tekton Chains to pick up
	that an image was built & sign it.
	params:
	- name: IMAGE
	description: Name (reference) of the image to build.
	- name: DOCKERFILE
	description: Path to the Dockerfile to build.
	default: ./Dockerfile
	- name: CONTEXT
	description: The build context used by Kaniko.
	default: ./
	- name: EXTRA_ARGS
	type: array
	default: []
	- name: BUILDER_IMAGE
	description: The image on which builds will run (default is v1.5.1)
	default: gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5
	workspaces:
	- name: source
	description: Holds the context and Dockerfile
	- name: dockerconfig
	description: Includes a docker `config.json`
	optional: true
	mountPath: /kaniko/.docker
	results:
	- name: IMAGE_DIGEST
	description: Digest of the image just built.
	- name: IMAGE_URL
	description: URL of the image just built.
	steps:
	- name: build-and-push
	workingDir: $(workspaces.source.path)
	image: $(params.BUILDER_IMAGE)
	volumeMounts:
	- name: docker-registry-ca-volume
	mountPath: /kaniko/.custom-certs/
	readOnly: true
	args:
	- $(params.EXTRA_ARGS)
	- --dockerfile=$(params.DOCKERFILE)
	- --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source.
	- --destination=$(params.IMAGE)
	- --digest-file=$(results.IMAGE_DIGEST.path)
	# kaniko assumes it is running as root, which means this example fails on platforms
	# that default to run containers as random uid (like OpenShift). Adding this securityContext
	# makes it explicit that it needs to run as root.
	securityContext:
	runAsUser: 0
	- name: write-url
	image: docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9
	script: \|
	set -e
	image="$(params.IMAGE)"
	echo -n "${image}" \| tee "$(results.IMAGE_URL.path)"