diff --git a/task/oci-copy-oci-ta/0.1/README.md b/task/oci-copy-oci-ta/0.1/README.md
index 65cd28337b..fb832ae075 100644
--- a/task/oci-copy-oci-ta/0.1/README.md
+++ b/task/oci-copy-oci-ta/0.1/README.md
@@ -5,6 +5,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in
 ## Parameters
 |name|description|default value|required|
 |---|---|---|---|
+|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header|""|false|
 |IMAGE|Reference of the image we will push||true|
 |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|
 |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
index a37030e6ea..ffa5582b1d 100644
--- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
+++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
@@ -13,6 +13,11 @@ spec:
 description: Given a file in the user's source directory, copy content from arbitrary urls into the OCI registry.
 params:
+ - name: BEARER_TOKEN_SECRET_NAME
+ description: Name of a secret which will be made available to the build
+ as an Authorization header
+ type: string
+ default: ""
 - name: IMAGE
 description: Reference of the image we will push
 type: string
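Review bot: The description of BEARER_TOKEN_SECRET_NAME does not tell the caller what the Secret must look like or how far the token travels: the env block later in this file reads key `token`, and the download loop attaches the header to every URL it fetches rather than to one host. I would state that contract in the description, e.g. `description: Name of a Secret whose "token" key is sent as an "Authorization: Bearer" header with every download the task performs; leave empty for anonymous downloads.` Separately, the default `""` ends up in `secretKeyRef.name`; I am not certain the API server accepts an empty Secret name even with `optional: true`, so a TaskRun that leaves the parameter unset is worth verifying, and a non-empty sentinel default such as `does-not-exist` sidesteps the question.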
@@ -85,16 +90,33 @@ spec:
 volumeMounts:
 - mountPath: /var/lib/containers
 name: varlibcontainers
+ env:
+ - name: BEARER_TOKEN
+ valueFrom:
+ secretKeyRef:
+ key: token
+ name: $(params.BEARER_TOKEN_SECRET_NAME)
+ optional: true
 script: |
- set -eu
+ set -e
 set -o pipefail
+ CURL_ARGS=()
+ if [ -n "${BEARER_TOKEN}" ]; then
+ echo "Found bearer token. Using it for authentication."
+ CURL_ARGS+=(-H "Authorization: Bearer ${BEARER_TOKEN}")
+ else
+ echo "Proceeding with anonymous requests"
+ fi
+
+ set -u
+
 for varfile in /var/workdir/vars/*; do
 echo "Reading $varfile"
 source $varfile
 echo "Downloading $OCI_SOURCE to $OCI_FILENAME"
- curl --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME
+ curl "${CURL_ARGS[@]}" --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME
 echo "Confirming that digest of $OCI_FILENAME matches expected $OCI_ARTIFACT_DIGEST"
 echo "$OCI_ARTIFACT_DIGEST $OCI_FILENAME" | sha256sum --check
diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md
index bb2826b124..b52e0a1d51 100644
--- a/task/oci-copy/0.1/README.md
+++ b/task/oci-copy/0.1/README.md
@@ -11,6 +11,7 @@ It is not to be considered safe for general use as it cannot provide a high degr
 |---|---|---|---|
 |IMAGE|Reference of the image buildah will produce.||true|
 |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|
+|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header|""|false|
 ## Results
 |name|description|
diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml
index 189083a80c..cb901ed329 100644
--- a/task/oci-copy/0.1/oci-copy.yaml
+++ b/task/oci-copy/0.1/oci-copy.yaml
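Review bot: The token placed in CURL_ARGS is sent with every `$OCI_SOURCE` the loop fetches, so it reaches every host named in the vars files, travels in cleartext if any URL is `http://`, and with `--location` follows redirects; recent curl releases strip a custom Authorization header when a redirect changes host, but that depends on the curl shipped in the image, and nothing here restricts the scheme. When a token is present I would refuse non-HTTPS targets and redirects, `CURL_ARGS+=(-H "Authorization: Bearer ${BEARER_TOKEN}" --proto '=https' --proto-redir '=https')`, and ideally take the intended host as a parameter so the header is attached only to matching URLs. The sha256 check afterwards bounds the integrity impact; the exposure here is the credential itself. The `set -u` juggling is avoidable with `if [ -n "${BEARER_TOKEN:-}" ]; then` under the original `set -eu`. The for loop continues past the end of the hunk.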
@@ -18,6 +18,10 @@ spec:
 description: Path to the oci copy file.
 name: OCI_COPY_FILE
 type: string
+ - name: BEARER_TOKEN_SECRET_NAME
+ description: Name of a secret which will be made available to the build as an Authorization header
+ type: string
+ default: ""
 results:
 - description: Digest of the artifact just pushed
 name: IMAGE_DIGEST
@@ -71,16 +75,33 @@ spec:
 capabilities:
 add:
 - SETFCAP
+ env:
+ - name: BEARER_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: $(params.BEARER_TOKEN_SECRET_NAME)
+ key: token
+ optional: true
 script: |
- set -eu
+ set -e
 set -o pipefail
+ CURL_ARGS=()
+ if [ -n "${BEARER_TOKEN}" ]; then
+ echo "Found bearer token. Using it for authentication."
+ CURL_ARGS+=(-H "Authorization: Bearer ${BEARER_TOKEN}")
+ else
+ echo "Proceeding with anonymous requests"
+ fi
+
+ set -u
+
 for varfile in /var/workdir/vars/*; do
 echo "Reading $varfile"
 source $varfile
 echo "Downloading $OCI_SOURCE to $OCI_FILENAME"
- curl --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME
+ curl "${CURL_ARGS[@]}" --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME
 echo "Confirming that digest of $OCI_FILENAME matches expected $OCI_ARTIFACT_DIGEST"
 echo "$OCI_ARTIFACT_DIGEST $OCI_FILENAME" | sha256sum --check
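Review bot: `default: ""` here becomes the `secretKeyRef.name` in the env block further down this file, and I cannot tell from the diff whether pod validation tolerates an empty Secret name even when `optional: true`; please exercise a TaskRun with the parameter unset, or use a non-empty sentinel default such as `does-not-exist`. The description should also spell out the contract the script relies on: the value is read from the Secret's `token` key, and the header is sent with every URL the task downloads rather than to a single host, so a token issued for one server must not be combined with a copy file that also lists others. Something like `description: Name of a Secret whose "token" key is sent as an "Authorization: Bearer" header with every download in the oci copy file. Leave unset for anonymous downloads.` would cover both.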
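Review bot: Once populated, `CURL_ARGS` carries the bearer token into every curl call in the loop, whatever host or scheme `$OCI_SOURCE` names, and `--location` allows a redirect chain on top; that is a credential sent to arbitrary user-supplied URLs, and only the digest check afterwards keeps it from being an integrity problem as well. At minimum add `--proto '=https' --proto-redir '=https'` to CURL_ARGS next to the header so the token never goes over plain HTTP or to an http redirect target, and document in the task that the token is sent to all servers listed in the oci copy file; scoping the header to an expected host would be the real fix. Whether curl forwards a custom Authorization header across a cross-host redirect depends on its version (newer releases drop it), so do not rely on that without checking the image. A smaller point: `if [ -n "${BEARER_TOKEN:-}" ]; then` lets you keep `set -eu` instead of splitting it around the check. The loop body continues beyond the hunk.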