buildah 0.8 #1282

Merged (1 commit, Jul 15, 2024)

Conversation

jimmyjones2 (Contributor):

  • Don't use interpolation (move to env)
  • Easier way of specifying build args - previously would have to use BUILD_EXTRA_ARGS and quote them very carefully
  • Add warning for BUILD_EXTRA_ARGS and PUSH_EXTRA_ARGS that inputs need to be sanitized

e.g. now the following are correctly passed as Dockerfile build arguments:

```yaml
- name: BUILD_ARGS
  value:
    - |
        foo=b\"a'z"u uu
    - baz=8888$(echo foo)ssss`ssss` -v a:b
```

Changes

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Follows the authoring recommendations
  • Includes docs (if user facing)
  • Includes tests (for new tasks or changed functionality)
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Commit messages follow commit message best practices
  • Has a kind label. You can add one by adding a comment on this PR that
    contains /kind <type>. Valid types are bug, cleanup, design, documentation,
    feature, flake, misc, question, tep
  • Complies with Catalog Organization TEP, see example. Note: an issue has been filed to automate this validation
    • File path follows <kind>/<name>/<version>/name.yaml

    • Has README.md at <kind>/<name>/<version>/README.md

    • Has mandatory metadata.labels - app.kubernetes.io/version the same as the <version> of the resource

    • Has mandatory metadata.annotations tekton.dev/pipelines.minVersion

    • mandatory spec.description follows the convention

      ```
      spec:
        description: >-
          one line summary of the resource

          Paragraph(s) to describe the resource.
      ```


See the contribution guide for more details.
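The three ways a parameter value can reach the `buildah bud` command line that this PR is about, as an added example that is not part of the PR or of the catalog task: the pre-0.8 textual substitution of `$(params.BUILD_EXTRA_ARGS)` into the script (modelled here with `eval` on a constructed string), the 0.8 `env` plus unquoted expansion used for `BUILD_EXTRA_ARGS`, and the 0.8 array parameter used for `BUILD_ARGS`. `fake_buildah` is a stand-in that only prints its argv, the function names, the `img` tag and the hostile values are constructed for the demonstration, `--layers` is just a real `buildah bud` flag used as an injected word, and the array handling is written with POSIX `set --` instead of the task's bash array so it also runs under `/bin/sh`. The two `BUILD_ARGS` values from the PR description are used as inputs.

```shell
#!/bin/sh
# Added example, not code from the tektoncd/catalog buildah task. It models the
# three ways a Tekton parameter can reach the `buildah bud` command line and
# what each one lets a hostile parameter value do. `fake_buildah` stands in for
# buildah so the argv boundaries are visible; nothing here runs a real build.

# Stand-in for buildah: print every argument it received, one per line,
# in brackets so spaces and empty words are visible.
fake_buildah() {
  for a in "$@"; do
    printf '[%s]\n' "$a"
  done
}

# Pre-0.8 pattern: Tekton pasted $(params.BUILD_EXTRA_ARGS) into the script
# *source* before the shell parsed it. eval on a constructed string reproduces
# that: the value is shell code, so $(...), backticks and ; all execute.
interpolated_style() {
  param=$1
  eval "fake_buildah bud $param -t img"
}

# 0.8 pattern for BUILD_EXTRA_ARGS: the value arrives in an environment variable
# and is expanded unquoted. The shell no longer re-parses it as code, so command
# substitution is inert, but it is still word-split and glob-expanded, so a
# caller can inject arbitrary flags (argument injection, not command injection).
extra_args_style() {
  PARAM_BUILD_EXTRA_ARGS=$1
  # shellcheck disable=SC2086
  fake_buildah bud $PARAM_BUILD_EXTRA_ARGS -t img
}

# Same expansion with pathname expansion switched off around it, so a value
# such as `*` reaches buildah verbatim instead of matching files in the cwd.
extra_args_style_noglob() {
  PARAM_BUILD_EXTRA_ARGS=$1
  set -f
  # shellcheck disable=SC2086
  fake_buildah bud $PARAM_BUILD_EXTRA_ARGS -t img
  set +f
}

# 0.8 pattern for BUILD_ARGS: each array element is one positional parameter
# and becomes exactly one --build-arg=... word. Written with `set --` instead
# of bash arrays so it is valid POSIX sh (bash arrays are what shellcheck -s sh
# flagged in this PR). Empty elements (the task's `- ""` default) are dropped.
build_args_style() {
  n=$#
  i=0
  while [ "$i" -lt "$n" ]; do
    arg=$1
    shift
    if [ -n "$arg" ]; then
      set -- "$@" "--build-arg=$arg"
    fi
    i=$((i + 1))
  done
  fake_buildah bud "$@" -t img
}

# Glob demonstration in a throwaway directory holding one file (constructed
# data): prints the argv that `*` produces with and without `set -f`.
glob_demo() {
  tmp=$(mktemp -d) || return 1
  : > "$tmp/secret.txt"
  (
    cd "$tmp" || exit 1
    if [ "$1" = noglob ]; then
      extra_args_style_noglob '*'
    else
      extra_args_style '*'
    fi
  )
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Constructed hostile inputs, plus the two values from the PR description.
HOSTILE='--layers $(echo INJECTED)'
PR_ARG_1='foo=b\"a'\''z"u uu'
PR_ARG_2='baz=8888$(echo foo)ssss`ssss` -v a:b'

echo '# interpolated: $(echo INJECTED) executes'
interpolated_style "$HOSTILE"
echo '# env + unquoted expansion: no execution, but --layers became a flag'
extra_args_style "$HOSTILE"
echo '# array param: every value is one --build-arg word, quoting preserved'
build_args_style "$PR_ARG_1" "$PR_ARG_2"
echo '# glob: * expands without set -f'
glob_demo
echo '# glob: * stays literal with set -f'
glob_demo noglob
```

Run it with `sh example.sh`. Only the interpolated form executes `$(echo INJECTED)`; the env form keeps `--layers` as a separately injectable flag and still expands `*` against the working directory unless `set -f` is in effect; only the array form keeps each value as a single word, backslashes, quotes and spaces included.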

@tekton-robot tekton-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 22, 2024
@tekton-robot:

Hi @jimmyjones2. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Jun 22, 2024
@tekton-robot:

Diff between version 0.7 and 0.8
diff --git a/task/buildah/0.7/README.md b/task/buildah/0.8/README.md
index 363e22e..c7ef355 100644
--- a/task/buildah/0.7/README.md
+++ b/task/buildah/0.8/README.md
@@ -10,7 +10,7 @@ to assemble a container image, then pushes that image to a container registry.
 ## Install the Task
 
 ```
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/buildah/0.7/raw
+kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/buildah/0.8/raw
 ```
 
 ## Parameters
@@ -27,10 +27,13 @@ kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/buildah/0.7/
 * **FORMAT**: The format of the built container, oci or docker (_default:_
  `oci`)
 * **BUILD_EXTRA_ARGS**: Extra parameters passed for the build command when
-  building images. (_default:_ `""`)
+  building images. WARNING - must be sanitized to avoid command injection 
+  (_default:_ `""`)
 * **PUSH_EXTRA_ARGS**: Extra parameters passed for the push command when
-  pushing images. (_default:_ `""`)
+  pushing images. WARNING - must be sanitized to avoid command injection
+  (_default:_ `""`)
 * **SKIP_PUSH**: Skip pushing the built image (_default:_ `false`)
+* **BUILD_ARGS**: Dockerfile build arguments, array of key=value (_default:_ [""])
 
 ## Results
 
diff --git a/task/buildah/0.7/buildah.yaml b/task/buildah/0.8/buildah.yaml
index 3ab4f77..189b687 100644
--- a/task/buildah/0.7/buildah.yaml
+++ b/task/buildah/0.8/buildah.yaml
@@ -4,7 +4,7 @@ kind: Task
 metadata:
   name: buildah
   labels:
-    app.kubernetes.io/version: "0.7"
+    app.kubernetes.io/version: "0.8"
   annotations:
     tekton.dev/categories: Image Build
     tekton.dev/pipelines.minVersion: "0.17.0"
@@ -44,15 +44,20 @@ spec:
     description: The format of the built container, oci or docker
     default: "oci"
   - name: BUILD_EXTRA_ARGS
-    description: Extra parameters passed for the build command when building images.
+    description: Extra parameters passed for the build command when building images. WARNING - must be sanitized to avoid command injection
     default: ""
   - name: PUSH_EXTRA_ARGS
-    description: Extra parameters passed for the push command when pushing images.
+    description: Extra parameters passed for the push command when pushing images. WARNING - must be sanitized to avoid command injection
     type: string
     default: ""
   - name: SKIP_PUSH
     description: Skip pushing the built image
     default: "false"
+  - name: BUILD_ARGS
+    description: Dockerfile build arguments, array of key=value
+    type: array
+    default:
+    - ""
   workspaces:
   - name: source
   - name: sslcertdir
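Review bot: the `BUILD_ARGS` default of a single empty string (`default:` / `- ""`) means the step's loop emits a `--build-arg=` with an empty key whenever the caller sets nothing; either default to an empty array (`default: []`) or have the loop skip empty elements with `[ -n "$buildarg" ] || continue` before the `BUILD_ARGS+=("--build-arg=$buildarg")` line. The description should also state the element form (`NAME=value`) and that each element is passed verbatim, spaces and quotes included, since that is the whole reason this parameter exists next to `BUILD_EXTRA_ARGS`.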
@@ -72,22 +77,48 @@ spec:
   - name: build-and-push
     image: $(params.BUILDER_IMAGE)
     workingDir: $(workspaces.source.path)
+    env:
+    - name: PARAM_IMAGE
+      value: $(params.IMAGE)
+    - name: PARAM_STORAGE_DRIVER
+      value: $(params.STORAGE_DRIVER)
+    - name: PARAM_DOCKERFILE
+      value: $(params.DOCKERFILE)
+    - name: PARAM_CONTEXT
+      value: $(params.CONTEXT)
+    - name: PARAM_TLSVERIFY
+      value: $(params.TLSVERIFY)
+    - name: PARAM_FORMAT
+      value: $(params.FORMAT)
+    - name: PARAM_BUILD_EXTRA_ARGS
+      value: $(params.BUILD_EXTRA_ARGS)
+    - name: PARAM_PUSH_EXTRA_ARGS
+      value: $(params.PUSH_EXTRA_ARGS)
+    - name: PARAM_SKIP_PUSH
+      value: $(params.SKIP_PUSH)
+    args:
+    - $(params.BUILD_ARGS[*])
     script: |
+      BUILD_ARGS=()
+      for buildarg in "$@"
+      do
+        BUILD_ARGS+=("--build-arg=$buildarg")
+      done
       [ "$(workspaces.sslcertdir.bound)" = "true" ] && CERT_DIR_FLAG="--cert-dir=$(workspaces.sslcertdir.path)"
       [ "$(workspaces.dockerconfig.bound)" = "true" ] && DOCKER_CONFIG="$(workspaces.dockerconfig.path)" && export DOCKER_CONFIG
       # build the image (CERT_DIR_FLAG should be omitted if empty and BUILD_EXTRA_ARGS can contain multiple args)
       # shellcheck disable=SC2046,SC2086
-      buildah ${CERT_DIR_FLAG} "--storage-driver=$(params.STORAGE_DRIVER)" bud $(params.BUILD_EXTRA_ARGS) \
-        "--format=$(params.FORMAT)" "--tls-verify=$(params.TLSVERIFY)" \
-        -f "$(params.DOCKERFILE)" -t "$(params.IMAGE)" "$(params.CONTEXT)"
-      [ "$(params.SKIP_PUSH)" = "true" ] && echo "Push skipped" && exit 0
+      buildah ${CERT_DIR_FLAG} "--storage-driver=${PARAM_STORAGE_DRIVER}" bud "${BUILD_ARGS[@]}" ${PARAM_BUILD_EXTRA_ARGS} \
+        "--format=${PARAM_FORMAT}" "--tls-verify=${PARAM_TLSVERIFY}" \
+        -f "${PARAM_DOCKERFILE}" -t "${PARAM_IMAGE}" "${PARAM_CONTEXT}"
+      [ "${PARAM_SKIP_PUSH}" = "true" ] && echo "Push skipped" && exit 0
       # push the image (CERT_DIR_FLAG should be omitted if empty and PUSH_EXTRA_ARGS can contain multiple args)
       # shellcheck disable=SC2046,SC2086
-      buildah ${CERT_DIR_FLAG} "--storage-driver=$(params.STORAGE_DRIVER)" push $(params.PUSH_EXTRA_ARGS) \
-        "--tls-verify=$(params.TLSVERIFY)" --digestfile /tmp/image-digest "$(params.IMAGE)" \
-        "docker://$(params.IMAGE)"
+      buildah ${CERT_DIR_FLAG} "--storage-driver=${PARAM_STORAGE_DRIVER}" push ${PARAM_PUSH_EXTRA_ARGS} \
+        "--tls-verify=${PARAM_TLSVERIFY}" --digestfile /tmp/image-digest "${PARAM_IMAGE}" \
+        "docker://${PARAM_IMAGE}"
       tee "$(results.IMAGE_DIGEST.path)" < /tmp/image-digest
-      printf '%s' "$(params.IMAGE)" | tee "$(results.IMAGE_URL.path)"
+      printf '%s' "${PARAM_IMAGE}" | tee "$(results.IMAGE_URL.path)"
     volumeMounts:
     - name: varlibcontainers
       mountPath: /var/lib/containers
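Review bot: the script uses bash-only syntax (`BUILD_ARGS=()`, `+=`, `"${BUILD_ARGS[@]}"`) but has no shebang, so Tekton prepends `#!/bin/sh` and the Catlin output below shows `/bin/sh -n` rejecting line 2 with `syntax error: unexpected "("`; it only works where the builder image's `/bin/sh` happens to be bash. Either start the script with `#!/usr/bin/env bash`, or build the list with POSIX `set --` so no array is needed, e.g. `for buildarg in "$@"; do set -- "$@" "--build-arg=$buildarg"; shift; done` and then `bud "$@" ${PARAM_BUILD_EXTRA_ARGS}`, which also keeps shellcheck happy under `-s sh`.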

@tekton-robot:

Catlin Output
FILE: task/buildah/0.8/buildah.yaml
WARN : Step "build-and-push" uses image "$(params.BUILDER_IMAGE)" that contains variables; skipping validation
Catlin script lint Output
ERROR: /usr/bin/shellcheck, [-s sh] failed:

In buildah-build-and-push line 2:
BUILD_ARGS=()
           ^-- SC3030 (warning): In POSIX sh, arrays are undefined.


In buildah-build-and-push line 5:
  BUILD_ARGS+=("--build-arg=$buildarg")
  ^--------^ SC3024 (warning): In POSIX sh, += is undefined.
              ^-----------------------^ SC3030 (warning): In POSIX sh, arrays are undefined.


In buildah-build-and-push line 11:
buildah ${CERT_DIR_FLAG} "--storage-driver=${PARAM_STORAGE_DRIVER}" bud "${BUILD_ARGS[@]}" ${PARAM_BUILD_EXTRA_ARGS} \
                                                                         ^--------------^ SC3054 (warning): In POSIX sh, array references are undefined.

For more information:
  https://www.shellcheck.net/wiki/SC3024 -- In POSIX sh, += is undefined.
  https://www.shellcheck.net/wiki/SC3030 -- In POSIX sh, arrays are undefined.
  https://www.shellcheck.net/wiki/SC3054 -- In POSIX sh, array references are...

ERROR: /bin/sh, [-n] failed:
buildah-build-and-push: line 2: syntax error: unexpected "("

@jimmyjones2 (Contributor, Author):

@vdemeester @vinamra28 Can you review please?

@vdemeester (Member):

/ok-to-test

@tekton-robot tekton-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 3, 2024
@vdemeester (Member) left a comment:

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 3, 2024
@@ -0,0 +1,129 @@
---
apiVersion: tekton.dev/v1beta1

vdemeester (Member): I wonder if we should make this tekton.dev/v1?

app.kubernetes.io/version: "0.8"
annotations:
tekton.dev/categories: Image Build
tekton.dev/pipelines.minVersion: "0.17.0"

vdemeester (Member): If we are doing tekton.dev/v1, then we should bump this to "0.50.0"

}
}
---
apiVersion: tekton.dev/v1beta1

vdemeester (Member): same as above

....................................................
-----END CERTIFICATE-----
---
apiVersion: tekton.dev/v1beta1

vdemeester (Member): same as above

@@ -0,0 +1,126 @@
---
apiVersion: tekton.dev/v1beta1

vdemeester (Member): same as above

@tekton-robot:

Diff between version 0.7 and 0.8
diff --git a/task/buildah/0.7/README.md b/task/buildah/0.8/README.md
index 363e22e..aa5047c 100644
--- a/task/buildah/0.7/README.md
+++ b/task/buildah/0.8/README.md
@@ -10,7 +10,7 @@ to assemble a container image, then pushes that image to a container registry.
 ## Install the Task
 
 ```
-kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/buildah/0.7/raw
+kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/buildah/0.8/raw
 ```
 
 ## Parameters
@@ -27,10 +27,13 @@ kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/buildah/0.7/
 * **FORMAT**: The format of the built container, oci or docker (_default:_
  `oci`)
 * **BUILD_EXTRA_ARGS**: Extra parameters passed for the build command when
-  building images. (_default:_ `""`)
+  building images. WARNING - must be sanitized to avoid command injection 
+  (_default:_ `""`)
 * **PUSH_EXTRA_ARGS**: Extra parameters passed for the push command when
-  pushing images. (_default:_ `""`)
+  pushing images. WARNING - must be sanitized to avoid command injection
+  (_default:_ `""`)
 * **SKIP_PUSH**: Skip pushing the built image (_default:_ `false`)
+* **BUILD_ARGS**: Dockerfile build arguments, array of key=value (_default:_ [""])
 
 ## Results
 
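Review bot: "must be sanitized to avoid command injection" is no longer the accurate warning for `BUILD_EXTRA_ARGS` and `PUSH_EXTRA_ARGS` once the values reach the script through `env` rather than `$(params...)` substitution. The shell no longer re-parses the value as code, so `$(...)` and backticks are inert, but the unquoted `${PARAM_BUILD_EXTRA_ARGS}` / `${PARAM_PUSH_EXTRA_ARGS}` expansions are still split on whitespace and glob-expanded, so an untrusted value can add arbitrary `buildah bud` or `buildah push` flags and a `*` is matched against the workspace. Say that plainly (argument injection and globbing, no quoting honoured, values split on whitespace) and point callers who only need Dockerfile ARGs to `BUILD_ARGS`, which passes each element verbatim.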
@@ -53,7 +56,7 @@ This TaskRun runs the Task to fetch a Git repo, and build and push a container
 image using Buildah.
 
 ```yaml
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: TaskRun
 metadata:
   name: buildah-build-my-repo
diff --git a/task/buildah/0.7/buildah.yaml b/task/buildah/0.8/buildah.yaml
index 3ab4f77..7866810 100644
--- a/task/buildah/0.7/buildah.yaml
+++ b/task/buildah/0.8/buildah.yaml
@@ -1,13 +1,13 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: Task
 metadata:
   name: buildah
   labels:
-    app.kubernetes.io/version: "0.7"
+    app.kubernetes.io/version: "0.8"
   annotations:
     tekton.dev/categories: Image Build
-    tekton.dev/pipelines.minVersion: "0.17.0"
+    tekton.dev/pipelines.minVersion: "0.50.0"
     tekton.dev/tags: image-build
     tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64"
     tekton.dev/displayName: buildah
@@ -44,15 +44,20 @@ spec:
     description: The format of the built container, oci or docker
     default: "oci"
   - name: BUILD_EXTRA_ARGS
-    description: Extra parameters passed for the build command when building images.
+    description: Extra parameters passed for the build command when building images. WARNING - must be sanitized to avoid command injection
     default: ""
   - name: PUSH_EXTRA_ARGS
-    description: Extra parameters passed for the push command when pushing images.
+    description: Extra parameters passed for the push command when pushing images. WARNING - must be sanitized to avoid command injection
     type: string
     default: ""
   - name: SKIP_PUSH
     description: Skip pushing the built image
     default: "false"
+  - name: BUILD_ARGS
+    description: Dockerfile build arguments, array of key=value
+    type: array
+    default:
+    - ""
   workspaces:
   - name: source
   - name: sslcertdir
@@ -72,22 +77,48 @@ spec:
   - name: build-and-push
     image: $(params.BUILDER_IMAGE)
     workingDir: $(workspaces.source.path)
+    env:
+    - name: PARAM_IMAGE
+      value: $(params.IMAGE)
+    - name: PARAM_STORAGE_DRIVER
+      value: $(params.STORAGE_DRIVER)
+    - name: PARAM_DOCKERFILE
+      value: $(params.DOCKERFILE)
+    - name: PARAM_CONTEXT
+      value: $(params.CONTEXT)
+    - name: PARAM_TLSVERIFY
+      value: $(params.TLSVERIFY)
+    - name: PARAM_FORMAT
+      value: $(params.FORMAT)
+    - name: PARAM_BUILD_EXTRA_ARGS
+      value: $(params.BUILD_EXTRA_ARGS)
+    - name: PARAM_PUSH_EXTRA_ARGS
+      value: $(params.PUSH_EXTRA_ARGS)
+    - name: PARAM_SKIP_PUSH
+      value: $(params.SKIP_PUSH)
+    args:
+    - $(params.BUILD_ARGS[*])
     script: |
+      BUILD_ARGS=()
+      for buildarg in "$@"
+      do
+        BUILD_ARGS+=("--build-arg=$buildarg")
+      done
       [ "$(workspaces.sslcertdir.bound)" = "true" ] && CERT_DIR_FLAG="--cert-dir=$(workspaces.sslcertdir.path)"
       [ "$(workspaces.dockerconfig.bound)" = "true" ] && DOCKER_CONFIG="$(workspaces.dockerconfig.path)" && export DOCKER_CONFIG
       # build the image (CERT_DIR_FLAG should be omitted if empty and BUILD_EXTRA_ARGS can contain multiple args)
       # shellcheck disable=SC2046,SC2086
-      buildah ${CERT_DIR_FLAG} "--storage-driver=$(params.STORAGE_DRIVER)" bud $(params.BUILD_EXTRA_ARGS) \
-        "--format=$(params.FORMAT)" "--tls-verify=$(params.TLSVERIFY)" \
-        -f "$(params.DOCKERFILE)" -t "$(params.IMAGE)" "$(params.CONTEXT)"
-      [ "$(params.SKIP_PUSH)" = "true" ] && echo "Push skipped" && exit 0
+      buildah ${CERT_DIR_FLAG} "--storage-driver=${PARAM_STORAGE_DRIVER}" bud "${BUILD_ARGS[@]}" ${PARAM_BUILD_EXTRA_ARGS} \
+        "--format=${PARAM_FORMAT}" "--tls-verify=${PARAM_TLSVERIFY}" \
+        -f "${PARAM_DOCKERFILE}" -t "${PARAM_IMAGE}" "${PARAM_CONTEXT}"
+      [ "${PARAM_SKIP_PUSH}" = "true" ] && echo "Push skipped" && exit 0
       # push the image (CERT_DIR_FLAG should be omitted if empty and PUSH_EXTRA_ARGS can contain multiple args)
       # shellcheck disable=SC2046,SC2086
-      buildah ${CERT_DIR_FLAG} "--storage-driver=$(params.STORAGE_DRIVER)" push $(params.PUSH_EXTRA_ARGS) \
-        "--tls-verify=$(params.TLSVERIFY)" --digestfile /tmp/image-digest "$(params.IMAGE)" \
-        "docker://$(params.IMAGE)"
+      buildah ${CERT_DIR_FLAG} "--storage-driver=${PARAM_STORAGE_DRIVER}" push ${PARAM_PUSH_EXTRA_ARGS} \
+        "--tls-verify=${PARAM_TLSVERIFY}" --digestfile /tmp/image-digest "${PARAM_IMAGE}" \
+        "docker://${PARAM_IMAGE}"
       tee "$(results.IMAGE_DIGEST.path)" < /tmp/image-digest
-      printf '%s' "$(params.IMAGE)" | tee "$(results.IMAGE_URL.path)"
+      printf '%s' "${PARAM_IMAGE}" | tee "$(results.IMAGE_URL.path)"
     volumeMounts:
     - name: varlibcontainers
       mountPath: /var/lib/containers
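Review bot: `${PARAM_BUILD_EXTRA_ARGS}` and `${PARAM_PUSH_EXTRA_ARGS}` are expanded unquoted with pathname expansion enabled, so a value containing `*` or `?` is matched against the source workspace (the step's `workingDir`) before buildah sees it; add `set -f` at the top of the script, since nothing in it relies on globbing, or wrap just those two commands in `set -f` / `set +f`. The script is otherwise unchanged from the first revision, so it still relies on bash arrays without a bash shebang, which is what the Catlin `/bin/sh -n` check earlier in this thread failed on.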
diff --git a/task/buildah/0.7/samples/dockerconfig.yaml b/task/buildah/0.8/samples/dockerconfig.yaml
index fb23184..9002eb5 100644
--- a/task/buildah/0.7/samples/dockerconfig.yaml
+++ b/task/buildah/0.8/samples/dockerconfig.yaml
@@ -14,7 +14,7 @@ stringData:
       }
     }
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: PipelineRun
 metadata:
   name: buildah-test-pipeline-run
diff --git a/task/buildah/0.7/samples/openshift-internal-registry.yaml b/task/buildah/0.8/samples/openshift-internal-registry.yaml
index f2c6075..491406b 100644
--- a/task/buildah/0.7/samples/openshift-internal-registry.yaml
+++ b/task/buildah/0.8/samples/openshift-internal-registry.yaml
@@ -32,7 +32,7 @@ data:
     ....................................................
     -----END CERTIFICATE-----
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: PipelineRun
 metadata:
   generateName: buildah-custom-ca-
diff --git a/task/buildah/0.7/tests/run.yaml b/task/buildah/0.8/tests/run.yaml
index 4f1a074..cf48756 100644
--- a/task/buildah/0.7/tests/run.yaml
+++ b/task/buildah/0.8/tests/run.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: PipelineRun
 metadata:
   name: buildah-test-pipeline-run
@@ -69,7 +69,7 @@ spec:
       - key: ca.crt
         path: ca.crt
 ---
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: PipelineRun
 metadata:
   name: buildah-test-skip-push-pipeline-run

@jimmyjones2
Copy link
Contributor Author

@vinamra28 Converted to v1

Comment on lines +56 to +59
- name: BUILD_ARGS
description: Dockerfile build arguments, array of key=value
type: array
default:

Member: BUILD_EXTRA_ARGS is already there, do we still need this?

@jimmyjones2 (Contributor, Author), Jul 5, 2024:
BUILD_ARGS can only be used to set ARGs in the Dockerfile (safely and handling escaping).

BUILD_EXTRA_ARGS is still necessary to allow passing arbitrary extra command line options to the buildah build command (accepting the risk and potential escaping requirements).


Member: ack, lastly, can you please squash the commits? will merge it

* don't use interpolation
* easier way of specifying build args
* move to v1 resources
@tekton-robot:

Diff between version 0.7 and 0.8 (identical to the diff posted above after the v1 conversion)

@jimmyjones2 (Contributor, Author):

@vinamra28 Squashed and ready to merge :)

@vinamra28 (Member):

/lgtm
/approve

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 15, 2024
@tekton-robot:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester, vinamra28


@tekton-robot tekton-robot merged commit 82a2a61 into tektoncd:main Jul 15, 2024
6 checks passed
@jimmyjones2 jimmyjones2 deleted the buildah-0.8 branch July 15, 2024 19:05