Iterate over additional secret keys, making all available

Two bugs are fixed here. First, the buildah `--secret` arg expects a *file*, not a directory, so every key/value pair in the kubernetes secrets mounted in needs to be supplied as a separate argument to buildah. Second, buildah won't accept symlinks and all of the individual files in the mounted directory are symlinks. The `-L` option to `cp` addresses that by de-referencing them.
konflux-ci · Jul 2, 2024 · 1ff0928 · 1ff0928
1 parent ca6e878
commit 1ff0928
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
@@ -293,10 +293,13 @@ spec:
       fi
 
       ADDITIONAL_SECRET_PATH="/additional-secret"
+      ADDITIONAL_SECRET_TMP="/tmp/additional-secret"
       if [ -d "$ADDITIONAL_SECRET_PATH" ]; then
-        cp -r --preserve=mode "$ADDITIONAL_SECRET_PATH" /tmp/additional-secret
-        BUILDAH_ARGS+=("--secret=id=${ADDITIONAL_SECRET},src=/tmp/additional-secret")
-        echo "Adding the secret ${ADDITIONAL_SECRET} to the build, available at /run/secrets/${ADDITIONAL_SECRET}"
+        cp -r --preserve=mode -L "$ADDITIONAL_SECRET_PATH" $ADDITIONAL_SECRET_TMP
+        for filename in $(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;); do
+          echo "Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}"
+          BUILDAH_ARGS+=("--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}")
+        done
       fi
 
       unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \