kaniko/build.sh
Guillaume B.B. Van Hemmen ddad91c367 - Add custom Kaniko builder and CI workflows ()
Introduce a custom Kaniko-based image for OCI container builds, including a wrapper script (`build.sh`) for flexible execution. Added Forgejo CI workflows for PR, branch, and tag builds, along with detailed documentation in the updated README. Licensed under Apache 2.0.

Reviewed-on: 
Co-authored-by: Guillaume B.B. Van Hemmen <GuillaumeHemmen@noreply.git.van-hemmen.com>
Co-committed-by: Guillaume B.B. Van Hemmen <GuillaumeHemmen@noreply.git.van-hemmen.com>
2025-05-19 09:48:07 +00:00

96 lines
3.3 KiB
Bash


#!/usr/bin/env bash
#
# Build an OCI image with /kaniko/executor, configured through environment
# variables.
#
# Required: KANIKO_CONTEXT, GITHUB_REF_NAME, GIT_USERNAME, GIT_PASSWORD
# Optional: REGISTRY_HOST, REGISTRY_USER, REGISTRY_PASS, KANIKO_DESTINATION,
#           KANIKO_VERBOSITY, KANIKO_DOCKERFILE
#
# The image is pushed only when registry credentials and KANIKO_DESTINATION
# are both supplied; otherwise Kaniko runs with --no-push.
set -euo pipefail

###############################################################################
# Mandatory variables: abort if any of them is missing or empty
###############################################################################
# NOTE(review): GIT_USERNAME / GIT_PASSWORD are validated here but not
# referenced again in this script; presumably the Kaniko executor reads them
# from the environment to fetch the git context. Confirm against the README.
for required_var in KANIKO_CONTEXT GITHUB_REF_NAME GIT_USERNAME GIT_PASSWORD; do
  # ${!name:-} reads the variable whose name is held in required_var; the
  # ":-" default keeps `set -u` from aborting before the message is printed.
  if [[ -z "${!required_var:-}" ]]; then
    echo "Error: ${required_var} environment variable is required but not set." >&2
    exit 1
  fi
done
unset required_var
###############################################################################
# Optional / defaulted variables
###############################################################################
# ":=" assigns the default only when the variable is unset or empty, so a value
# provided by the caller always wins. The empty defaults exist so that later
# references are safe under `set -u`.
: "${REGISTRY_HOST:=git.van-hemmen.com}"
: "${REGISTRY_USER:=}"
: "${REGISTRY_PASS:=}"
: "${KANIKO_DESTINATION:=}" # optional
: "${KANIKO_VERBOSITY:=info}"
: "${KANIKO_DOCKERFILE:=./Dockerfile}"
###############################################################################
# Handle registry authentication (only if credentials are present)
###############################################################################
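#######################################
# Escape a string so it can be placed between double quotes in JSON.
# Handles backslash, double quote, newline, carriage return and tab; other
# control characters are passed through unchanged.
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout (no trailing newline)
#######################################
json_escape() {
  local s=$1
  s=${s//\\/\\\\} # backslashes first, so later escapes are not doubled
  s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}
  s=${s//$'\r'/\\r}
  s=${s//$'\t'/\\t}
  printf '%s' "$s"
}

# AUTH_ENABLED is "true" only after the credential file has been written.
AUTH_ENABLED=false
if [[ -n "${REGISTRY_USER:-}" && -n "${REGISTRY_PASS:-}" ]]; then
  echo "Registry credentials supplied configuring authentication for ${REGISTRY_HOST}"
  mkdir -p /kaniko/.docker
  # The file holds the registry password in clear text. The subshell keeps the
  # tightened umask local, so a newly created file is owner-only from the start.
  # Values are JSON-escaped so a quote or backslash in a credential cannot
  # break the document or add keys to it.
  (
    umask 077
    printf '{\n  "auths": {\n    "%s": {\n      "username": "%s",\n      "password": "%s"\n    }\n  }\n}\n' \
      "$(json_escape "${REGISTRY_HOST}")" \
      "$(json_escape "${REGISTRY_USER}")" \
      "$(json_escape "${REGISTRY_PASS}")" \
      > /kaniko/.docker/config.json
  )
  # umask only affects creation; also tighten a file that already existed.
  chmod 600 /kaniko/.docker/config.json
  AUTH_ENABLED=true
else
  echo "Registry credentials not supplied skipping authentication."
fi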
###############################################################################
# Decide between --destination [...] or --no-push
###############################################################################
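# Flags handed to the executor, one array element per argument so that a
# destination is never re-split or glob-expanded when Kaniko is invoked.
DEST_FLAGS=()

#######################################
# Append one --destination=<ref> element to DEST_FLAGS for every non-empty
# entry of a comma-separated list. Entries are whitespace-trimmed and variable
# references inside them are expanded.
# Globals:   DEST_FLAGS (appended to)
# Arguments: $1 - comma-separated list of image references
#######################################
build_destination_flags() {
  local -a entries=()
  local raw expanded
  # -d '' reads the whole value (embedded newlines included); read then reports
  # EOF with a non-zero status even though the array is filled, hence || true.
  IFS=',' read -r -d '' -a entries <<< "$1" || true
  for raw in "${entries[@]}"; do
    raw="$(printf '%s\n' "$raw" | xargs)" # trim whitespace
    # NOTE(review): eval executes the entry as shell code, so whoever controls
    # KANIKO_DESTINATION can run commands in this container, which also holds
    # the registry and git credentials. Keep the value under the workflow
    # author's control (never template PR-controlled text into it), or replace
    # eval with a substitution limited to $NAME / ${NAME} references.
    expanded="$(eval echo "$raw")" # expand variables
    if [[ -n "$expanded" ]]; then
      DEST_FLAGS+=("--destination=${expanded}")
    fi
  done
}

# Push is only possible if we have BOTH credentials and at least one destination
if [[ "${AUTH_ENABLED:-false}" == true && -n "${KANIKO_DESTINATION// }" ]]; then
  echo "Building list of --destination flags"
  build_destination_flags "${KANIKO_DESTINATION}"
  # Every entry was empty (e.g. the value was only commas): stop here rather
  # than call Kaniko with neither --destination nor --no-push.
  if (( ${#DEST_FLAGS[@]} == 0 )); then
    echo "Error: KANIKO_DESTINATION did not yield any destination." >&2
    exit 1
  fi
  echo "Image(s) will be pushed to the registry."
else
  DEST_FLAGS=(--no-push)
  if [[ "${AUTH_ENABLED:-false}" != true ]]; then
    echo "Image(s) will NOT be pushed because registry credentials are missing."
  elif [[ -z "${KANIKO_DESTINATION// }" ]]; then
    echo "KANIKO_DESTINATION not provided image(s) will be built with --no-push."
  fi
fi
echo "Kaniko will be called with: ${DEST_FLAGS[*]}"
###############################################################################
# Invoke Kaniko
###############################################################################
/kaniko/executor \
  --verbosity="${KANIKO_VERBOSITY}" \
  --context="${KANIKO_CONTEXT}#${GITHUB_REF_NAME}" \
  --dockerfile="${KANIKO_DOCKERFILE}" \
  "${DEST_FLAGS[@]}"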