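---
# Tekton Task: build a container image from the `source` workspace with buildah,
# sign it with cosign/sigstore and push it (version tag + `latest`) with skopeo.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: j7s-buildah
spec:
  description: Build and push a container image.
  params:
    - name: registry
      description: Registry to push to.
    - name: name
      description: Name of the image.
    - name: version
      description: Version for the image.
    - name: containerfile
      description: Path of the Containerfile relative to source.
    - name: registry-login-secret-name
      description: Name of the secret containing the credentials to push to the registry.
    - name: cosign-secret-name
      description: Name of the secret containing the credentials for cosign.
    # Optional. The default keeps the original behaviour (no TLS verification
    # against the registry); set it to "true" for a registry with a trusted
    # certificate so the login/push cannot be intercepted.
    - name: tls-verify
      description: Whether to verify the registry TLS certificate ("true" or "false").
      default: "false"
  workspaces:
    - name: source
  steps:
    - name: build
      # NOTE(review): floating tag — pin by digest (image@sha256:<digest placeholder>)
      # so the build tooling itself is reproducible.
      image: harbor.internal.jpace121.net/k8s/buildah:latest
      workingDir: $(workspaces.source.path)
      script: |
        # Abort on the first failing command and on unset variables so a failed
        # login or build cannot be followed by a push of a stale image.
        set -eu

        # Login. The password is passed on stdin, not as an argument, so it
        # appears neither in the process list nor in the xtrace enabled below.
        printf '%s' "$PASSWORD" | buildah login --tls-verify="$(params.tls-verify)" \
          --username="$USERNAME" --password-stdin "$(params.registry)"

        # Trace only from here on: nothing below takes a secret on the command line.
        set -x

        # Setup cosign: key material comes from the mounted secret; the param file
        # tells skopeo which key/passphrase to sign with.
        mkdir -p ~/.sigstore
        cp /etc/cosign-credentials/* ~/.sigstore
        cat <<EOF > "$HOME/.sigstore/param-file.yaml"
        privateKeyFile: "$HOME/.sigstore/cosign.key"
        privateKeyPassphraseFile: "$HOME/.sigstore/cosign.password"
        EOF

        # Tell the container tooling to store sigstore signatures as attachments
        # in this registry.
        mkdir -p /etc/containers/registries.d/
        cat <<EOF > /etc/containers/registries.d/james-registry.yaml
        docker:
          $(params.registry):
            use-sigstore-attachments: true
        EOF

        # Build
        buildah --storage-driver=overlay bud --tls-verify="$(params.tls-verify)" --no-cache \
          -f "$(params.containerfile)" -t "$(params.name):$(params.version)" .

        # Push: the version tag and `latest`, both signed with the key above.
        for tag in "$(params.version)" latest; do
          skopeo copy --debug --dest-tls-verify="$(params.tls-verify)" \
            --sign-by-sigstore="$HOME/.sigstore/param-file.yaml" \
            "containers-storage:localhost/$(params.name):$(params.version)" \
            "docker://$(params.registry)/$(params.name):${tag}"
        done
      env:
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              name: $(params.registry-login-secret-name)
              key: username
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: $(params.registry-login-secret-name)
              key: password
      volumeMounts:
        - name: varlibcontainers
          mountPath: /var/lib/containers
        - name: cosign-credentials
          mountPath: /etc/cosign-credentials
      # NOTE(review): privileged runs the step as root with full host
      # capabilities; presumably needed here for the overlay storage driver —
      # confirm, and prefer a rootless/fuse-overlayfs setup if the cluster
      # policy disallows privileged pods.
      securityContext:
        privileged: true
  volumes:
    - name: varlibcontainers
      emptyDir: {}
    # Mounted at /etc/cosign-credentials; must provide cosign.key and
    # cosign.password (the names the script copies and references).
    - name: cosign-credentials
      secret:
        secretName: $(params.cosign-secret-name)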