kaniko/build.sh
Guillaume B.B. Van Hemmen a719e4dfbc - CI pipeline & Dockerfile hardening: env var rename, extended logging, POSIX shell, privilege drop ()
This PR closes  by renaming the GitHub Actions variable from GITHUB_REF_NAME to GIT_REF_NAME, fixing secrets and artifact destination paths, and adding detailed logging of environment variables and build actions for easier troubleshooting. It also updates the Dockerfile to run installation steps as root but switches to a non-root user for runtime, and replaces the shell with a strictly POSIX-compliant variant to improve portability and security.

Reviewed-on: 
Co-authored-by: Guillaume B.B. Van Hemmen <GuillaumeHemmen@noreply.git.van-hemmen.com>
Co-committed-by: Guillaume B.B. Van Hemmen <GuillaumeHemmen@noreply.git.van-hemmen.com>
2025-05-19 11:31:45 +00:00


#!/bin/sh
# Portable across BusyBox ash / dash: no "pipefail", no "[[ ... ]]", no "+=".
set -eu # "-o pipefail" is not available in BusyBox ash
###############################################################################
# Mandatory variables: abort early if any of them is unset or empty
###############################################################################
for var in KANIKO_CONTEXT GIT_REF_NAME GIT_USERNAME GIT_PASSWORD; do
  # POSIX sh has no indirect expansion, so eval is used; the names it sees
  # come only from the literal list above, never from the environment.
  eval "[ -n \"\${$var:-}\" ]" || {
    echo "Error: $var environment variable is required but not set." >&2
    exit 1
  }
done
###############################################################################
# Optional / defaulted variables
###############################################################################
# ":=" assigns the default in place when the variable is unset or empty; the
# leading ":" is a no-op command, so the expansion runs without producing output.
: "${REGISTRY_HOST:=git.van-hemmen.com}"
: "${REGISTRY_USER:=}"
: "${REGISTRY_PASS:=}"
: "${KANIKO_DESTINATION:=}" # optional
: "${KANIKO_VERBOSITY:=info}"
: "${KANIKO_DOCKERFILE:=./Dockerfile}"
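###############################################################################
# Handle registry authentication (only if credentials are present)
###############################################################################
# Escape a value for use inside a JSON string literal. Backslash and double
# quote are the two characters that would otherwise terminate or alter the
# document structure. Control characters (e.g. a newline inside a password)
# are not handled; such credentials are not supported by this file-based config.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

AUTH_ENABLED=false
if [ -n "${REGISTRY_USER}" ] && [ -n "${REGISTRY_PASS}" ]; then
  echo "Registry credentials supplied configuring authentication for ${REGISTRY_HOST}"
  mkdir -p /kaniko/.docker
  host_json=$(json_escape "${REGISTRY_HOST}")
  user_json=$(json_escape "${REGISTRY_USER}")
  pass_json=$(json_escape "${REGISTRY_PASS}")
  # The file holds a cleartext credential: create it owner read/write only.
  # umask is changed in a subshell so the rest of the script is unaffected.
  (
    umask 077
    cat > /kaniko/.docker/config.json <<EOF
{
  "auths": {
    "${host_json}": {
      "username": "${user_json}",
      "password": "${pass_json}"
    }
  }
}
EOF
  )
  # umask only governs newly created files; tighten a pre-existing one as well.
  chmod 600 /kaniko/.docker/config.json
  AUTH_ENABLED=true
else
  echo "Registry credentials not supplied skipping authentication."
fi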
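###############################################################################
# Decide between --destination [...] or --no-push
###############################################################################
# Strip leading/trailing whitespace. (xargs, used previously for this, also
# interprets quotes and backslashes and fails on an unbalanced quote.)
# Arguments: $1 - value to trim
# Outputs:   trimmed value on stdout (no trailing newline)
trim_ws() {
  printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Accept only characters that can appear in an image reference
# (registry[:port]/repo:tag or @digest) plus "$", "{", "}" for environment
# placeholders such as ${GIT_REF_NAME}. Everything else - whitespace, quotes,
# backticks, "(", ";", "|", "&", "<", ">" - is rejected, which limits the eval
# below to a plain parameter expansion.
# Arguments: $1 - candidate reference
# Returns:   0 if acceptable, 1 otherwise (empty is rejected)
is_safe_ref() {
  case "$1" in
    '' | *[!A-Za-z0-9_./:@'${}'-]*) return 1 ;;
    *) return 0 ;;
  esac
}

DEST_FLAGS=""
# Trim the whole list once so a value of only blanks counts as "not provided".
dest_list=$(trim_ws "${KANIKO_DESTINATION}")
if $AUTH_ENABLED && [ -n "${dest_list}" ]; then
  echo "Building list of --destination flags"
  old_ifs="$IFS"; IFS=','
  for raw in $dest_list; do
    raw=$(trim_ws "$raw")
    [ -n "$raw" ] || continue # tolerate "a,,b" and a trailing comma
    if ! is_safe_ref "$raw"; then
      echo "Error: KANIKO_DESTINATION entry '$raw' contains unsupported characters." >&2
      exit 1
    fi
    # Expand ${VAR} placeholders. Only safe because of the allowlist check above.
    eval "expanded=\"$raw\""
    if [ -z "$expanded" ]; then
      echo "Warning: KANIKO_DESTINATION entry '$raw' expanded to an empty value, skipping." >&2
      continue
    fi
    # Re-check after expansion so a placeholder cannot introduce whitespace,
    # which would split into extra arguments where DEST_FLAGS is used unquoted.
    if ! is_safe_ref "$expanded"; then
      echo "Error: KANIKO_DESTINATION entry '$raw' expands to an unsupported value." >&2
      exit 1
    fi
    DEST_FLAGS="$DEST_FLAGS --destination=$expanded"
  done
  IFS="$old_ifs"
  echo "Image(s) will be pushed to the registry."
else
  DEST_FLAGS="--no-push"
  $AUTH_ENABLED || echo "Registry credentials are missing image(s) will not be pushed."
  [ -n "${dest_list}" ] || echo "KANIKO_DESTINATION not provided using --no-push."
fi
echo "Kaniko will be called with:${DEST_FLAGS}"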
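###############################################################################
# Summarise what will be done
###############################################################################
# Never echo credential material into CI logs, not even a prefix/suffix; the
# length alone is enough to confirm that the expected secret was injected.
# Arguments: $1 - secret value
# Outputs:   placeholder on stdout (no trailing newline)
mask_secret() {
  printf '<redacted, %d chars>' "${#1}"
}

# printf rather than echo: dash/BusyBox echo interprets backslash escapes in
# its arguments, which would garble values containing "\".
echo "Environment Variables:"
printf 'KANIKO_CONTEXT=%s\n' "${KANIKO_CONTEXT}"
printf 'GIT_REF_NAME=%s\n' "${GIT_REF_NAME}"
printf 'GIT_USERNAME=%s\n' "${GIT_USERNAME}"
printf 'GIT_PASSWORD=%s\n' "$(mask_secret "${GIT_PASSWORD}")"
printf 'REGISTRY_HOST=%s\n' "${REGISTRY_HOST}"
printf 'REGISTRY_USER=%s\n' "${REGISTRY_USER}"
if [ -n "${REGISTRY_PASS}" ]; then
  printf 'REGISTRY_PASS=%s\n' "$(mask_secret "${REGISTRY_PASS}")"
fi
printf 'KANIKO_DESTINATION=%s\n' "${KANIKO_DESTINATION}"
printf 'KANIKO_VERBOSITY=%s\n' "${KANIKO_VERBOSITY}"
printf 'KANIKO_DOCKERFILE=%s\n' "${KANIKO_DOCKERFILE}"
echo ""
if [ "${DEST_FLAGS}" = "--no-push" ]; then
  echo "Action: Build only (no push)"
else
  echo "Action: Build and push"
fi
echo ""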
###############################################################################
# Invoke Kaniko
###############################################################################
# Collect the fixed flags as positional parameters, then replace this shell
# with the executor so its exit status becomes the job's exit status.
set -- \
  --verbosity="${KANIKO_VERBOSITY}" \
  --context="${KANIKO_CONTEXT}#${GIT_REF_NAME}" \
  --dockerfile="${KANIKO_DOCKERFILE}"
# shellcheck disable=SC2086 -- DEST_FLAGS is a space-separated flag list that
# must be word-split into separate arguments.
exec /kaniko/executor "$@" $DEST_FLAGS