
I am currently implementing a CI pipeline using Tekton. I was wondering if there is a way to use some kind of valueFromEnv for pipeline params.

For example, to authenticate a Task for SonarQube analysis with my company's Sonar host I need the login token, which I would rather insert via a reference to a secret than pass directly.

As I am relatively new to Tekton, I am unsure whether I just haven't grasped the Tekton way of doing this. Two possibilities that crossed my mind were:

  1. A "Pre-Task" which reads the env in its step definition and publishes it as a result (which can then be used as a param to the next Task)
  2. Mounting the secret as a file for the Task to load the secret (e.g. by catting it)

Both of those ideas do not feel like the way I should do it, but maybe I am wrong here.

Any help is appreciated!

René Jahn

1 Answer

Your first idea is not impossible, but in my eyes it is ugly as well. You can set the desired ENV in your image via the Dockerfile and use it later in the task:

Dockerfile (example):

FROM gradle:7.4-jdk11
USER root
RUN apt-get update && apt-get install -y npm

# A bare KEY="value" line is not valid Dockerfile syntax; the ENV instruction is needed
ENV YOUR_VARIABLE_KEY="any VALUE"

Afterwards you can just use it in script tasks like:

echo $YOUR_VARIABLE_KEY

RECOMMENDED (for OpenShift)

The cleaner way is to define it as a Secret (key/value) or as a SealedSecret (Opaque).

This can be done directly within the namespace in the OpenShift UI or as code.

Next step is to "bind" it in your task:

spec:
  description: |-
    any
  params:
    # the builder image is referenced by the step below, so it must be declared as a param
    - name: BUILDER_IMAGE
      type: string
    - name: any-secret-name
      default: "any-secret"
      type: string
  stepTemplate:
    resources:
      limits:
        cpu: 1500m
        memory: 4Gi
      requests:
        cpu: 250m
        memory: 500Mi
  steps:
    - image: $(params.BUILDER_IMAGE)
      name: posting
      resources:
        limits:
          cpu: 1500m
          memory: 4Gi
        requests:
          cpu: 250m
          memory: 500Mi
      env:
        # the secret's value is injected into the step container as an environment variable
        - name: YOU_NAME_IT
          valueFrom:
            secretKeyRef:
              name: $(params.any-secret-name)
              key: "any-secret-key"
      script: |
        #!/usr/bin/env sh
        set -eu

        set +x
        echo "$YOU_NAME_IT"
        set -x

BEWARE!!! If you run it that way, nothing should be logged; if you leave out `set +x` before and `set -x` after the echo, it is logged.

Now I saw you may not be working in OpenShift; here is the Kubernetes page: https://kubernetes.io/docs/concepts/configuration/secret/ => "Using Secrets as environment variables" (this is close to your first idea, but the whole page looks like a good cookbook).
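The secretKeyRef approach from the answer, applied end to end to the SonarQube case in the question, as an added example that is not part of the original question or answer. It assumes Tekton's `tekton.dev/v1` API, a Secret named `sonar-credentials` with a `token` key, a Task named `sonar-scan`, the `sonarsource/sonar-scanner-cli` image, and that the scanner CLI reads `SONAR_HOST_URL` and `SONAR_TOKEN` from its environment; all of these names are assumptions for illustration.

```yaml
# Added example, not code from the original post. Assumed names: Secret
# "sonar-credentials", Task "sonar-scan", image sonarsource/sonar-scanner-cli,
# and that sonar-scanner reads SONAR_HOST_URL / SONAR_TOKEN from the environment.
apiVersion: v1
kind: Secret
metadata:
  name: sonar-credentials
type: Opaque
stringData:
  token: "replace-with-a-real-sonar-token"   # placeholder; create the real Secret out of band, never commit it
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: sonar-scan
spec:
  params:
    - name: sonar-host-url
      type: string
    - name: sonar-secret-name
      type: string
      default: sonar-credentials      # only the Secret's *name* travels as a param, never its value
    - name: project-key
      type: string
  workspaces:
    - name: source                    # source tree to analyse, e.g. populated by a git-clone task
  steps:
    - name: scan
      image: sonarsource/sonar-scanner-cli
      workingDir: $(workspaces.source.path)
      env:
        - name: SONAR_HOST_URL
          value: $(params.sonar-host-url)
        - name: SONAR_TOKEN           # the token is read from the Secret by the kubelet at pod start
          valueFrom:
            secretKeyRef:
              name: $(params.sonar-secret-name)
              key: token
      script: |
        #!/usr/bin/env sh
        set -eu
        # The token stays in the environment: it is not a Tekton param (so it is
        # not stored on the TaskRun object), not a command-line argument (so it
        # does not show up in `ps` or in the step's entrypoint logging), and it
        # is never echoed into the step log.
        sonar-scanner -Dsonar.projectKey="$(params.project-key)"
---
apiVersion: tekton.dev/v1
kind: TaskRun
metadata:
  generateName: sonar-scan-run-
spec:
  taskRef:
    name: sonar-scan
  params:
    - name: sonar-host-url
      value: https://sonar.example.internal   # assumed host, for illustration only
    - name: project-key
      value: my-service
  workspaces:
    - name: source
      emptyDir: {}                    # stand-in; a real run binds a workspace holding the checked-out code
```

The reason to prefer this over passing the token as a pipeline param is that params are part of the TaskRun/PipelineRun spec: anyone who can read those objects in the namespace (and anything that archives them) sees the value. With `secretKeyRef`, RBAC on the Secret decides who can read it, and the step log only leaks it if the script prints it, which is exactly what the `echo` in the answer above would do.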