#4 - Switch to POSIX-compliant shell and drop root privileges
Replaced bash with sh for broader compatibility, ensuring scripts work with BusyBox/dash. Updated Dockerfile to use non-root user (UID 1000) and adjusted paths and permissions accordingly. Simplified and streamlined variable checks and logic in build.sh.
This commit is contained in:
parent
9395bf30a3
commit
f777a7197a
2 changed files with 28 additions and 42 deletions
|
@ -34,11 +34,14 @@ LABEL \
|
||||||
#-----------------------------------------------------------------------------
|
#-----------------------------------------------------------------------------
|
||||||
# Copy artefacts & make the wrapper executable
|
# Copy artefacts & make the wrapper executable
|
||||||
#-----------------------------------------------------------------------------
|
#-----------------------------------------------------------------------------
|
||||||
COPY build.sh /usr/local/bin/build.sh
|
COPY --chmod=0755 build.sh /bin/build.sh
|
||||||
COPY LICENSE /LICENSE
|
COPY LICENSE /LICENSE
|
||||||
RUN chmod +x /usr/local/bin/build.sh
|
RUN chmod +x /bin/build.sh
|
||||||
|
|
||||||
|
# Drop root privileges (UID 1000 exists in the base image)
|
||||||
|
USER 1000
|
||||||
|
|
||||||
#-----------------------------------------------------------------------------
|
#-----------------------------------------------------------------------------
|
||||||
# Runtime entrypoint
|
# Runtime entrypoint
|
||||||
#-----------------------------------------------------------------------------
|
#-----------------------------------------------------------------------------
|
||||||
ENTRYPOINT ["/usr/local/bin/build.sh"]
|
ENTRYPOINT ["/bin/build.sh"]
|
||||||
|
|
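Review bot: build.sh still runs `mkdir -p /kaniko/.docker` and writes `/kaniko/.docker/config.json` at runtime, but this hunk switches to `USER 1000` without making that directory writable for UID 1000, so registry authentication will fail unless the base image already grants it; add `RUN mkdir -p /kaniko/.docker && chown 1000:1000 /kaniko/.docker` before the `USER` line. `RUN chmod +x /bin/build.sh` is now redundant with `COPY --chmod=0755` and only adds a layer — keep one of the two (note that `--chmod` requires BuildKit, so the classic builder would reject it). Kaniko's executor unpacks image layers into the container's root filesystem, which as far as I know needs root; please confirm a real build succeeds under UID 1000 before relying on this, and consider `USER 1000:1000` so the group is explicit rather than inherited from the base image's passwd entry.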
61
build.sh
61
build.sh
|
@ -1,28 +1,17 @@
|
||||||
#!/usr/bin/env bash
|
#!/bin/sh
|
||||||
set -euo pipefail
|
# BusyBox/dash-friendly: no “pipefail”, no “[[ … ]]”, no “+=”
|
||||||
|
|
||||||
|
set -eu # BusyBox ash does not support “pipefail”
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Mandatory variables – abort if not provided
|
# Mandatory variables – abort if not provided
|
||||||
###############################################################################
|
###############################################################################
|
||||||
if [[ -z "${KANIKO_CONTEXT:-}" ]]; then
|
for var in KANIKO_CONTEXT GITHUB_REF_NAME GIT_USERNAME GIT_PASSWORD; do
|
||||||
echo "Error: KANIKO_CONTEXT environment variable is required but not set." >&2
|
eval [ -z \"\${$var:-}\" ] && {
|
||||||
exit 1
|
echo "Error: $var environment variable is required but not set." >&2
|
||||||
fi
|
exit 1
|
||||||
|
}
|
||||||
if [[ -z "${GITHUB_REF_NAME:-}" ]]; then
|
done
|
||||||
echo "Error: GITHUB_REF_NAME environment variable is required but not set." >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ -z "${GIT_USERNAME:-}" ]]; then
|
|
||||||
echo "Error: GIT_USERNAME environment variable is required but not set." >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ -z "${GIT_PASSWORD:-}" ]]; then
|
|
||||||
echo "Error: GIT_PASSWORD environment variable is required but not set." >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Optional / defaulted variables
|
# Optional / defaulted variables
|
||||||
|
@ -39,7 +28,7 @@ KANIKO_DOCKERFILE="${KANIKO_DOCKERFILE:-./Dockerfile}"
|
||||||
# Handle registry authentication (only if credentials are present)
|
# Handle registry authentication (only if credentials are present)
|
||||||
###############################################################################
|
###############################################################################
|
||||||
AUTH_ENABLED=false
|
AUTH_ENABLED=false
|
||||||
if [[ -n "${REGISTRY_USER}" && -n "${REGISTRY_PASS}" ]]; then
|
if [ -n "${REGISTRY_USER}" ] && [ -n "${REGISTRY_PASS}" ]; then
|
||||||
echo "Registry credentials supplied – configuring authentication for ${REGISTRY_HOST}"
|
echo "Registry credentials supplied – configuring authentication for ${REGISTRY_HOST}"
|
||||||
mkdir -p /kaniko/.docker
|
mkdir -p /kaniko/.docker
|
||||||
cat > /kaniko/.docker/config.json <<EOF
|
cat > /kaniko/.docker/config.json <<EOF
|
||||||
|
@ -62,35 +51,29 @@ fi
|
||||||
###############################################################################
|
###############################################################################
|
||||||
DEST_FLAGS=""
|
DEST_FLAGS=""
|
||||||
|
|
||||||
# Push is only possible if we have BOTH credentials and at least one destination
|
if $AUTH_ENABLED && [ -n "${KANIKO_DESTINATION## }" ]; then
|
||||||
if $AUTH_ENABLED && [[ -n "${KANIKO_DESTINATION// }" ]]; then
|
|
||||||
echo "Building list of --destination flags"
|
echo "Building list of --destination flags"
|
||||||
OLD_IFS="$IFS"; IFS=','
|
old_ifs="$IFS"; IFS=','
|
||||||
|
|
||||||
for raw in $KANIKO_DESTINATION; do
|
for raw in $KANIKO_DESTINATION; do
|
||||||
raw="$(echo "$raw" | xargs)" # trim whitespace
|
raw=$(echo "$raw" | xargs) # trim
|
||||||
expanded="$(eval echo "$raw")" # expand variables
|
expanded=$(eval echo "$raw") # env-var expansion if any
|
||||||
[[ -n "$expanded" ]] && DEST_FLAGS+=" --destination=${expanded}"
|
[ -n "$expanded" ] && DEST_FLAGS="$DEST_FLAGS --destination=$expanded"
|
||||||
done
|
done
|
||||||
|
IFS="$old_ifs"
|
||||||
IFS="$OLD_IFS"
|
|
||||||
echo "Image(s) will be pushed to the registry."
|
echo "Image(s) will be pushed to the registry."
|
||||||
else
|
else
|
||||||
DEST_FLAGS="--no-push"
|
DEST_FLAGS="--no-push"
|
||||||
if ! $AUTH_ENABLED; then
|
$AUTH_ENABLED || echo "Registry credentials are missing – image(s) will not be pushed."
|
||||||
echo "Image(s) will NOT be pushed because registry credentials are missing."
|
[ -n "${KANIKO_DESTINATION## }" ] || echo "KANIKO_DESTINATION not provided – using --no-push."
|
||||||
elif [[ -z "${KANIKO_DESTINATION// }" ]]; then
|
|
||||||
echo "KANIKO_DESTINATION not provided – image(s) will be built with --no-push."
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Kaniko will be called with: ${DEST_FLAGS}"
|
echo "Kaniko will be called with:${DEST_FLAGS}"
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Invoke Kaniko
|
# Invoke Kaniko
|
||||||
###############################################################################
|
###############################################################################
|
||||||
/kaniko/executor \
|
exec /kaniko/executor \
|
||||||
--verbosity="${KANIKO_VERBOSITY}" \
|
--verbosity="${KANIKO_VERBOSITY}" \
|
||||||
--context="${KANIKO_CONTEXT}#${GITHUB_REF_NAME}" \
|
--context="${KANIKO_CONTEXT}#${GITHUB_REF_NAME}" \
|
||||||
--dockerfile="${KANIKO_DOCKERFILE}" \
|
--dockerfile="${KANIKO_DOCKERFILE}" \
|
||||||
${DEST_FLAGS}
|
$DEST_FLAGS
|
||||||
|
|
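Review bot: `expanded=$(eval echo "$raw")` still passes every comma-separated element of KANIKO_DESTINATION through `eval`, so an element such as `x;id` or `$(id)` executes arbitrary commands in a container that holds GIT_PASSWORD and REGISTRY_PASS — if KANIKO_DESTINATION can be set by anyone who is not already trusted with those secrets, this is command injection. Restrict each element to registry-reference and `${VAR}` characters before it reaches `eval` (guard below), or drop the expansion and require callers to pass literal destinations. Separately, `${KANIKO_DESTINATION## }` is not a port of bash's `${KANIKO_DESTINATION// }`: `##` strips a single leading space, so a value of two or more spaces counts as a destination and kaniko is then invoked with neither `--destination` nor `--no-push`; a pure-shell `case … *[![:space:]]*)` test gives the intended "contains anything non-blank" check without relying on external tools. The hunk covers the whole push-flag block, but the optional-variable defaults it depends on (KANIKO_DESTINATION, REGISTRY_*) are outside it.
```shell
# "has at least one non-blank character" – POSIX stand-in for bash's ${var// }
has_dest=false
case $KANIKO_DESTINATION in *[![:space:]]*) has_dest=true ;; esac

# Push is only possible if we have BOTH credentials and at least one destination
if $AUTH_ENABLED && $has_dest; then
  # … unchanged: echo, IFS save …
  for raw in $KANIKO_DESTINATION; do
    raw=$(echo "$raw" | xargs) # trim
    # Refuse anything outside registry-reference and ${VAR} characters before it reaches eval
    case $raw in
      *[!A-Za-z0-9_./:@{}\$-]*)
        echo "Error: unsafe character in KANIKO_DESTINATION element '$raw'" >&2
        exit 1 ;;
    esac
    expanded=$(eval echo "$raw") # env-var expansion if any
    # … unchanged: DEST_FLAGS append …
  done
  # … unchanged: IFS restore, echo …
else
  DEST_FLAGS="--no-push"
  $AUTH_ENABLED || echo "Registry credentials are missing – image(s) will not be pushed."
  $has_dest || echo "KANIKO_DESTINATION not provided – using --no-push."
fi
```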