Incorporate auth param for oci-copy task
ralphbean committed Jul 1, 2024
1 parent 0d1223c commit a5a4812
Showing 4 changed files with 49 additions and 4 deletions.
1 change: 1 addition & 0 deletions task/oci-copy-oci-ta/0.1/README.md
Expand Up @@ -5,6 +5,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in
## Parameters
|name|description|default value|required|
|---|---|---|---|
|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header|""|false|
|IMAGE|Reference of the image we will push||true|
|OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
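Review bot: The BEARER_TOKEN_SECRET_NAME row does not say which key the secret must hold or which scheme is used. The task reads the key `token` from the secret and sends it as `Authorization: Bearer <token>`, so the description should state both, for example "Name of a secret with a `token` key; its value is sent as a Bearer Authorization header on each download".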
26 changes: 24 additions & 2 deletions task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
Expand Up @@ -13,6 +13,11 @@ spec:
description: Given a file in the user's source directory, copy content from
arbitrary urls into the OCI registry.
params:
- name: BEARER_TOKEN_SECRET_NAME
description: Name of a secret which will be made available to the build
as an Authorization header
type: string
default: ""
- name: IMAGE
description: Reference of the image we will push
type: string
Expand Down Expand Up @@ -85,16 +90,33 @@ spec:
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
env:
- name: BEARER_TOKEN
valueFrom:
secretKeyRef:
key: token
name: $(params.BEARER_TOKEN_SECRET_NAME)
optional: true
script: |
set -eu
set -e
set -o pipefail
CURL_ARGS=()
if [ -n "${BEARER_TOKEN}" ]; then
echo "Found bearer token. Using it for authentication."
CURL_ARGS+=(-H "Authorization: Bearer ${BEARER_TOKEN}")
else
echo "Proceeding with anonymous requests"
fi
set -u
for varfile in /var/workdir/vars/*; do
echo "Reading $varfile"
source $varfile
echo "Downloading $OCI_SOURCE to $OCI_FILENAME"
curl --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME
curl "${CURL_ARGS[@]}" --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME
echo "Confirming that digest of $OCI_FILENAME matches expected $OCI_ARTIFACT_DIGEST"
echo "$OCI_ARTIFACT_DIGEST $OCI_FILENAME" | sha256sum --check
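Review bot: CURL_ARGS is built once before the loop, so the Authorization header is sent to every $OCI_SOURCE read from /var/workdir/vars/*, whatever host it points at. The task description says it copies from arbitrary urls, so a copy file that mixes sources hands the token to hosts it was never issued for. Consider tying the token to an expected host (an extra param, or a per-entry setting in the copy file) and adding the header only when $OCI_SOURCE matches it. Quoting "$OCI_SOURCE" and "$OCI_FILENAME" on the curl line would be worth doing while that line is being changed. The same applies to task/oci-copy/0.1/oci-copy.yaml.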
1 change: 1 addition & 0 deletions task/oci-copy/0.1/README.md
Expand Up @@ -11,6 +11,7 @@ It is not to be considered safe for general use as it cannot provide a high degr
|---|---|---|---|
|IMAGE|Reference of the image buildah will produce.||true|
|OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|
|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header|""|false|

## Results
|name|description|
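Review bot: The BEARER_TOKEN_SECRET_NAME row is appended after OCI_COPY_FILE here, while task/oci-copy-oci-ta/0.1/README.md lists it first. Use one ordering in both parameter tables so the two READMEs stay easy to compare.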
25 changes: 23 additions & 2 deletions task/oci-copy/0.1/oci-copy.yaml
Expand Up @@ -18,6 +18,10 @@ spec:
description: Path to the oci copy file.
name: OCI_COPY_FILE
type: string
- name: BEARER_TOKEN_SECRET_NAME
description: Name of a secret which will be made available to the build as an Authorization header
type: string
default: ""
results:
- description: Digest of the artifact just pushed
name: IMAGE_DIGEST
Expand Down Expand Up @@ -71,16 +75,33 @@ spec:
capabilities:
add:
- SETFCAP
env:
- name: BEARER_TOKEN
valueFrom:
secretKeyRef:
name: $(params.BEARER_TOKEN_SECRET_NAME)
key: token
optional: true
script: |
set -eu
set -e
set -o pipefail
CURL_ARGS=()
if [ -n "${BEARER_TOKEN}" ]; then
echo "Found bearer token. Using it for authentication."
CURL_ARGS+=(-H "Authorization: Bearer ${BEARER_TOKEN}")
else
echo "Proceeding with anonymous requests"
fi
set -u
for varfile in /var/workdir/vars/*; do
echo "Reading $varfile"
source $varfile
echo "Downloading $OCI_SOURCE to $OCI_FILENAME"
curl --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME
curl "${CURL_ARGS[@]}" --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME
echo "Confirming that digest of $OCI_FILENAME matches expected $OCI_ARTIFACT_DIGEST"
echo "$OCI_ARTIFACT_DIGEST $OCI_FILENAME" | sha256sum --check
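Review bot: Splitting `set -eu` into `set -e` and a later `set -u` is only needed because `[ -n "${BEARER_TOKEN}" ]` expands a variable that is unset when the optional secret is absent. Writing `${BEARER_TOKEN:-}` in that test lets `set -eu` stay at the top of the script. Separately, on the anonymous path CURL_ARGS stays empty while `set -u` is active in the loop; bash older than 4.4 treats "${CURL_ARGS[@]}" on an empty array as an unbound variable, so either confirm the bash version in the step image or expand it as `${CURL_ARGS[@]+"${CURL_ARGS[@]}"}`. The same applies to task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml.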