apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: kaniko
  labels:
    app.kubernetes.io/version: "0.5"
  annotations:
    tekton.dev/pipelines.minVersion: "0.17.0"
    tekton.dev/categories: Image Build
    tekton.dev/tags: image-build
    tekton.dev/displayName: "Build and upload container image using Kaniko"
    tekton.dev/platforms: "linux/arm64"
spec:
  description: >-
    This Task builds source into a container image using Google's kaniko tool.

    Kaniko doesn't depend on a Docker daemon and executes each
    command within a Dockerfile completely in userspace. This enables
    building container images in environments that can't easily or
    securely run a Docker daemon, such as a standard Kubernetes cluster.

  params:
  - name: IMAGE
    description: Name (reference) of the image to build.
  - name: DOCKERFILE
    description: Path to the Dockerfile to build.
    default: ./Dockerfile
  - name: CONTEXT
    description: The build context used by Kaniko.
    default: ./
  - name: EXTRA_ARGS
    type: array
    default: []
  - name: BUILDER_IMAGE
    description: The image on which builds will run (default is v1.5.1)
    default: gcr.io/kaniko-project/executor:v1.9.1
  workspaces:
  - name: source
    description: Holds the context and docker file
  - name: dockerconfig
    description: Includes a docker `config.json`
    optional: true
    mountPath: /kaniko/.docker
  results:
  - name: IMAGE-DIGEST
    description: Digest of the image just built.

  steps:
  - name: build-and-push
    workingDir: $(workspaces.source.path)
    image: $(params.BUILDER_IMAGE)
    args:
    - $(params.EXTRA_ARGS[*])
    - --dockerfile=$(params.DOCKERFILE)
    - --context=$(params.CONTEXT)  # The user does not need to care the workspace and the source.
    - --destination=$(params.IMAGE)
    - --digest-file=/tekton/results/IMAGE-DIGEST
    - --snapshotMode=redo
    - --single-snapshot
    - --use-new-run
    - --skip-tls-verify
    - --cache
    - --cache-copy-layers
    - --cache-dir=/workspace/cache
    # kaniko assumes it is running as root, which means this example fails on platforms
    # that default to run containers as random uid (like OpenShift). Adding this securityContext
    # makes it explicit that it needs to run as root.
    securityContext:
      runAsUser: 0