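---
# Tekton Task: builds a container image with buildah from the `src` workspace
# and pushes it as "<outputContainerImage>:latest". The digest file written by
# `buildah manifest push` becomes the `imageDigest` result.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: buildah
spec:
  params:
    - name: buildahVersion
      type: string
      description: 'Tag of quay.io/containers/buildah used to run the step'
    - name: outputContainerImage
      type: string
      description: 'Target image reference without a tag; the step pushes the "latest" tag'
    - name: tlsVerify
      type: string
      description: >-
        Passed to "buildah manifest push --tls-verify". The default "false"
        keeps the task's existing behaviour; set it to "true" wherever the
        registry certificate is trusted by the step image.
      default: "false"
  results:
    - name: imageDigest
      description: The digest of the built image manifest
  workspaces:
    - name: src
      mountPath: /src
    - name: containers
      mountPath: /var/lib/containers
  steps:
    - name: buildah
      # NOTE(review): the step image is selected by a mutable tag taken from a
      # parameter; pinning it by digest would make the build tooling
      # reproducible and harder to swap out unnoticed.
      image: quay.io/containers/buildah:$(params.buildahVersion)
      workingDir: /src
      # Parameters reach the script through the environment rather than being
      # substituted into the script text, so their values are never parsed as
      # shell code.
      env:
        - name: RESULT_IMAGE_DIGEST
          value: "$(results.imageDigest.path)"
        - name: TARGET_IMAGE
          value: "$(params.outputContainerImage)"
        - name: TLS_VERIFY
          value: "$(params.tlsVerify)"
      # NOTE(review): `privileged: true` already grants every capability, so the
      # SYS_ADMIN entry adds nothing; both are kept to preserve current
      # behaviour. A privileged step that builds arbitrary Containerfiles has
      # node-level access, so confirm whether this cluster can run buildah with
      # a narrower securityContext before reusing the task for untrusted
      # sources.
      securityContext:
        capabilities:
          add:
            - 'SYS_ADMIN'
        privileged: true
      script: |
        #!/bin/bash
        set -Eeuo pipefail

        # Reject anything but a literal boolean before it reaches buildah.
        case "$TLS_VERIFY" in
          true|false) ;;
          *)
            echo "tlsVerify must be 'true' or 'false', got '$TLS_VERIFY'" >&2
            exit 1
            ;;
        esac

        # Path of the temporary registry auth file; removed on every exit path
        # so the credential does not outlive the push.
        authfile=""
        function cleanup () {
          if [ -n "$authfile" ]; then
            rm -f "$authfile"
          fi
        }
        trap cleanup EXIT

        function build () {
          echo "========================================================="
          echo " buildah build $TARGET_IMAGE"
          echo "========================================================="
          echo

          # An array keeps a Containerfile path with spaces as one argument.
          extra_args=()
          if [ -n "${CONTAINERFILE:-}" ]; then
            extra_args+=(--file "$CONTAINERFILE")
          fi

          # The ${arr[@]+...} form expands to nothing for an empty array even
          # under `set -u` on older bash releases.
          buildah bud --storage-driver vfs --manifest tekton -t "$TARGET_IMAGE" ${extra_args[@]+"${extra_args[@]}"} .
          echo
        }

        function push () {
          echo "========================================================="
          echo " buildah push $1"
          echo "========================================================="
          echo

          # buildah cannot use the service account's push secret as provided:
          # its content has to be wrapped in an "auths" object first. mktemp
          # creates the file readable by the current user only.
          authfile="$(mktemp)"
          printf '{ "auths": %s }\n' "$(cat /var/run/secrets/openshift.io/push/.dockercfg)" > "$authfile"

          # With TLS_VERIFY=false the registry certificate is not checked, so
          # the push credentials and the image travel over a connection whose
          # peer is unauthenticated.
          buildah manifest push --storage-driver vfs --all tekton "docker://$1" --digestfile "$RESULT_IMAGE_DIGEST" --tls-verify="$TLS_VERIFY" --authfile "$authfile"
          echo
        }

        build
        push "$TARGET_IMAGE:latest"

        exit 0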