feat:[CI-15236]: Added IMAGE_TAR_PATH as output variable for the plugin. (#132 )

* feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Test commit. * feat:[CI-15236]: Test commit. * feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Directory check and UTs. * Update pkg/output/output.go * feat:[CI-15236]: fixes * feat:[CI-15236]: Test fixes - removed root * feat:[CI-15236]: Test fixes - removed root * feat:[CI-15236]: Test fixes - removed root * feat:[CI-15236]: If tarPath directory no present it will create it. * feat:[CI-15236]: If tarPath directory no present it will create it. * feat:[CI-15236]: fixes * Update kaniko.go removed as getTarPath is only called when tarPath isn't empty --------- Co-authored-by: OP (oppenheimer) <21008429+Ompragash@users.noreply.github.com>
feat: [Ci-14242]: add oidc support for ecr (#131 )
2026-06-16 14:49:02 +08:00 · 2024-11-28 18:31:10 +05:30 · 2024-10-17 01:51:09 +05:30 · 2024-09-09 11:23:40 +05:30 · 2024-07-10 19:44:09 +05:30 · 2024-07-10 16:06:42 +05:30
25 changed files with 535 additions and 30 deletions
@@ -11,7 +11,7 @@ platform:

 steps:
 - name: build
-  image: golang:1.22
+  image: golang:1.22.4
  commands:
  - go test ./...
  - sh scripts/build.sh
@@ -178,7 +178,7 @@ pool:

 steps:
 - name: build
-  image: golang:1.22
+  image: golang:1.22.4
  commands:
  - go test ./...
  - sh scripts/build.sh
@@ -4,6 +4,12 @@ Drone kaniko plugin uses [kaniko](https://github.com/GoogleContainerTools/kaniko

 Plugin images are published with 1.6.0 as well as 1.9.1 kaniko version from 1.5.1 release tag. `plugins/kaniko:<release-tag>` uses 1.6.0 version while `plugins/kaniko:<release-tag>-kaniko1.9.1` uses 1.9.1 version. Similar convention is used for plugins/kaniko-ecr & plugins/kaniko-gcr images as well.

+Run the following script to install git-leaks support to this repo.
+```
+chmod +x ./git-hooks/install.sh
+./git-hooks/install.sh
+```
+
 ## Build

 Build the binaries with the following commands:
@@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	"os"
 	"strings"
+	"time"

 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
@@ -17,6 +18,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	ecrv1 "github.com/aws/aws-sdk-go/service/ecr"
 	ecrpublicv1 "github.com/aws/aws-sdk-go/service/ecrpublic"
+	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/aws/smithy-go"
 	"github.com/hashicorp/go-version"
 	"github.com/joho/godotenv"
@@ -35,6 +37,7 @@ const (
 	secretKeyEnv     string = "AWS_SECRET_ACCESS_KEY"
 	ecrPublicDomain  string = "public.ecr.aws"
 	kanikoVersionEnv string = "KANIKO_VERSION"
+	sessionKeyEnv    string = "AWS_SESSION_TOKEN"

 	oneDotEightVersion string = "1.8.0"
 	defaultDigestFile  string = "/kaniko/digest-file"
@@ -384,6 +387,11 @@ func main() {
 			Usage:  "Number of retries for downloading base images.",
 			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
 		},
+		cli.StringFlag{
+			Name:   "oidc-token-id",
+			Usage:  "OIDC token for assuming role via web identity",
+			EnvVar: "PLUGIN_OIDC_TOKEN_ID",
+		},
 	}

 	if err := app.Run(os.Args); err != nil {
@@ -398,6 +406,7 @@ func run(c *cli.Context) error {
 	noPush := c.Bool("no-push")
 	assumeRole := c.String("assume-role")
 	externalId := c.String("external-id")
+	oidcToken := c.String("oidc-token-id")

 	// setup docker config for azure registry and base image docker registry
 	err := setDockerAuth(
@@ -411,6 +420,7 @@ func run(c *cli.Context) error {
 		externalId,
 		region,
 		noPush,
+		oidcToken,
 	)
 	if err != nil {
 		return errors.Wrap(err, "failed to create docker config")
@@ -518,7 +528,7 @@ func run(c *cli.Context) error {
 }

 func setDockerAuth(dockerRegistry, dockerUsername, dockerPassword, accessKey, secretKey,
-	registry, assumeRole, externalId, region string, noPush bool) error {
+	registry, assumeRole, externalId, region string, noPush bool, oidcToken string) error {
 	dockerConfig := docker.NewConfig()
 	credentials := []docker.RegistryCredentials{}
 	// set docker credentials for base image registry
@@ -531,7 +541,24 @@ func setDockerAuth(dockerRegistry, dockerUsername, dockerPassword, accessKey, se
 		credentials = append(credentials, pullFromRegistryCreds)
 	}

-	if assumeRole != "" {
+	if assumeRole != "" && oidcToken != "" {
+		oidcAccessKey, oidcSecretKey, oidcSessionKey, err := getOidcCreds(oidcToken, assumeRole)
+		if err != nil {
+			return err
+		}
+
+		_ = os.Setenv(accessKeyEnv, oidcAccessKey)
+		_ = os.Setenv(secretKeyEnv, oidcSecretKey)
+		_ = os.Setenv(sessionKeyEnv, oidcSessionKey)
+
+		// kaniko-executor >=1.8.0 does not require additional cred helper logic for ECR,
+		// as it discovers ECR repositories automatically and acts accordingly.
+		if isKanikoVersionBelowOneDotEight(os.Getenv(kanikoVersionEnv)) {
+			dockerConfig.SetCredHelper(ecrPublicDomain, "ecr-login")
+			dockerConfig.SetCredHelper(registry, "ecr-login")
+		}
+
+	} else if assumeRole != "" {
 		var err error
 		username, password, registry, err := getAssumeRoleCreds(region, assumeRole, externalId, "")
 		if err != nil {
@@ -771,3 +798,37 @@ func isKanikoVersionBelowOneDotEight(v string) bool {

 	return currVer.LessThan(oneEightVer)
 }
+
+func getOidcCreds(oidcToken, assumeRole string) (string, string, string, error) {
+	// Create a new session
+	sess, err := session.NewSession()
+	if err != nil {
+		return "", "", "", fmt.Errorf("failed to create AWS session: %w", err)
+	}
+
+	// Create a new STS client
+	svc := sts.New(sess)
+
+	// Prepare the input parameters for the STS call
+	duration := int64(time.Hour / time.Second)
+	input := &sts.AssumeRoleWithWebIdentityInput{
+		RoleArn:          aws.String(assumeRole),
+		RoleSessionName:  aws.String("kaniko-ecr-oidc"),
+		WebIdentityToken: aws.String(oidcToken),
+		DurationSeconds:  aws.Int64(duration),
+	}
+
+	// Call the AssumeRoleWithWebIdentity function
+	result, err := svc.AssumeRoleWithWebIdentity(input)
+	if err != nil {
+		return "", "", "", fmt.Errorf("failed to assume role with web identity: %w", err)
+	}
+
+	// Check if credentials exist in the result
+	if result.Credentials == nil {
+		return "", "", "", errors.New("no credentials returned by AssumeRoleWithWebIdentity")
+	}
+
+	// Return the credentials
+	return *result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken, nil
+}
@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM gcr.io/kaniko-project/executor:v1.23.2

-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.23.2
 ADD release/linux/amd64/kaniko-acr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-acr"]
@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM gcr.io/kaniko-project/executor:v1.23.0

 ENV HOME /root
 ENV USER root

-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.23.0
 ADD release/linux/arm64/kaniko-acr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-acr"]
@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM gcr.io/kaniko-project/executor:v1.23.2

-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.23.2
 ADD release/linux/amd64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]
@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM gcr.io/kaniko-project/executor:v1.23.2

 ENV HOME /root
 ENV USER root

-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.23.2
 ADD release/linux/arm64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]
@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM gcr.io/kaniko-project/executor:v1.23.2

-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.23.2
 ADD release/linux/amd64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]
@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM gcr.io/kaniko-project/executor:v1.23.2

 ENV HOME /root
 ENV USER root
-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.23.2

 ADD release/linux/arm64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]
@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM gcr.io/kaniko-project/executor:v1.23.2

-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.23.2
 ADD release/linux/amd64/kaniko-gar /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gar"]
@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM gcr.io/kaniko-project/executor:v1.23.2

 ENV HOME /root
 ENV USER root
-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.23.2

 ADD release/linux/arm64/kaniko-gar /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gar"]
@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM gcr.io/kaniko-project/executor:v1.23.2

-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.23.2
 ADD release/linux/amd64/kaniko-gcr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gcr"]
@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM gcr.io/kaniko-project/executor:v1.23.2

 ENV HOME /root
 ENV USER root
-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.23.2

 ADD release/linux/arm64/kaniko-gcr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gcr"]
@@ -0,0 +1,8 @@
+This document explains on how to install certain git hooks globally for all repositories in your machine.
+
+Step 1: git clone https://github.com/drone/drone-kaniko.git
+Step 2: cd git-hooks
+Step 3: Run install.sh
+
+"install.sh" script will create .git_template in the user directory and will put the git hook and its dependent scripts in it. Along with the .git_template folder, it will add 2 sections "init" and "hooks boolean" in the .gitconfig file in the same user's root directory.
+After running "install.sh" if you create/clone a new git repository then all the hooks will get install automatically for the git repository. In case of existing git repository copy the contents of ~/.git_template/hooks into the .git/hooks directory of existing git repository.
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+#Helper script to be used as a pre-commit hook.
+
+echo "This hook checks for any secrets getting pushed as part of commit. If you feel that scan is false positive. \
+Then add the exclusion in .gitleaksignore file. For more info visit: https://github.com/zricethezav/gitleaks"
+
+GIT_LEAKS_PRE_COMMIT=s$(git config --bool hook.pre-commit.gitleak)
+
+echo "INFO: Scanning Commits information for any GIT LEAKS"
+gitleaks protect --staged -v --exit-code=100
+STATUS=$?
+if [ $STATUS = 100  ]; then
+    echo "WARNING: GIT LEAKS has detected sensitive information in your changes. Please remove them or add them (IF NON-SENSITIVE) in .gitleaksignore file."
+else
+    exit 0
+fi
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+#Helper script to be used as a pre-commit hook.
+
+echo "This hook checks for any secrets getting pushed as part of commit. If you feel that scan is false positive. \
+Then add the exclusion in .gitleaksignore file. For more info visit: https://github.com/zricethezav/gitleaks"
+
+GIT_LEAKS=$(git config --bool hook.pre-push.gitleaks)
+
+echo "INFO: Scanning Commits information for any GIT LEAKS"
+gitleaks detect -s ./ --log-level=debug --log-opts=-1 -v
+STATUS=$?
+if [ $STATUS != 0  ]; then
+    echo "WARNING: GIT LEAKS has detected sensitive information in your changes. Please remove them or add them (IF NON-SENSITIVE) in .gitleaksignore file."
+    exit $STATUS
+else
+    exit 0
+fi
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+GL_SCRIPT_PATH="$HOME/.git_template/hooks/git-leaks-pre-commit.sh"
+
+pushd `dirname $0` > /dev/null && cd ../.. && BASEDIR=$(pwd -L) && popd > /dev/null
+BASENAME=`basename $0`
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+    against=HEAD
+else
+    #Initial commit : diff against an empty tree object
+    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+fi
+
+GIT_LEAKS_PRE_COMMIT=hook.pre-commit.gitleaks
+if [ "`git config $GIT_LEAKS_PRE_COMMIT`" == "false" ]
+then
+    echo -e '\033[0;31m' checking git leaks is disabled - to enable: '\033[0;37m'git config --unset $GIT_LEAKS_PRE_COMMIT '\033[0m'
+    echo -e '\033[0;34m' checking git leaks  ... to enable: '\033[0;37m'git config --add $GIT_LEAKS_PRE_COMMIT true '\033[0m'
+else
+    echo -e '\033[0;34m' checking for git leaks...
+    [ -f "${GL_SCRIPT_PATH}" ] && . ${GL_SCRIPT_PATH} || echo "ERROR: Hook Script Not Found..." && exit 404
+fi
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+GL_SCRIPT_PATH="$HOME/.git_template/hooks/git-leaks.sh"
+
+pushd `dirname $0` > /dev/null && cd ../.. && BASEDIR=$(pwd -L) && popd > /dev/null
+BASENAME=`basename $0`
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+    against=HEAD
+else
+    #Initial commit : diff against an empty tree object
+    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+fi
+
+GIT_LEAKS=hook.pre-push.gitleaks
+if [ "`git config $GIT_LEAKS`" == "false" ]
+then
+    echo -e '\033[0;31m' checking git leaks is disabled - to enable: '\033[0;37m'git config --unset $GIT_LEAKS '\033[0m'
+    echo -e '\033[0;34m' checking git leaks  ... to enable: '\033[0;37m'git config --add $GIT_LEAKS true '\033[0m'
+else
+    echo -e '\033[0;34m' checking for git leaks...
+    [ -f "${GL_SCRIPT_PATH}" ] && . ${GL_SCRIPT_PATH} || echo "ERROR: Hook Script Not Found..." && exit 404
+fi
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+#Function to check if package is installed or not
+#args: $1: Name of the Package
+function check_package_installed() {
+  LOCAL_PACKAGE_NAME=$1
+  echo "Checking if $LOCAL_PACKAGE_NAME is installed or not..."
+  brew list $LOCAL_PACKAGE_NAME
+  if [ "$?" -eq 1 ];then
+    echo "Installing $LOCAL_PACKAGE_NAME package..."
+    brew install $LOCAL_PACKAGE_NAME
+  fi
+}
+
+function create_git_template() {
+    cd $BASEDIR
+    mkdir -p ~/.git_template/hooks
+    git config --global init.templatedir ${GIT_TEMPLATE}
+    git config --global --add $GIT_LEAKS true
+    git config --global --add $GIT_LEAKS_PRE_COMMIT true
+    find hooks/ -type f -exec cp "{}" ~/.git_template/hooks \;
+    #cp -f hooks/* ~/.git_template/hooks
+    cat ~/.gitconfig
+}
+
+GIT_TEMPLATE="~/.git_template"
+GIT_LEAKS=hook.pre-push.gitleaks
+GIT_LEAKS_PRE_COMMIT=hook.pre-commit.gitleaks
+
+pushd `dirname $0` && BASEDIR=$(pwd -L) && popd
+
+echo This script will install hooks that run scripts that could be updated without notice.
+
+while true; do
+    read -p "Do you wish to install these hooks?" yn
+    case $yn in
+        [Yy]* ) check_package_installed "gitleaks";
+                break;;
+        [Nn]* ) exit;;
+        * ) echo "Please answer yes or no.";;
+    esac
+done
+
+create_git_template
@@ -47,4 +47,4 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

-go 1.22.0
+go 1.22.4
@@ -5,6 +5,7 @@ import (
 	"io/ioutil"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strings"

 	"github.com/drone/drone-kaniko/pkg/artifact"
@@ -222,7 +223,7 @@ func (p Plugin) Exec() error {
 	}

 	if p.Build.SnapshotMode != "" {
-		cmdArgs = append(cmdArgs, fmt.Sprintf("--snapshotMode=%s", p.Build.SnapshotMode))
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--snapshot-mode=%s", p.Build.SnapshotMode))
 	}

 	if p.Build.EnableCache {
@@ -258,6 +259,12 @@ func (p Plugin) Exec() error {
 	}

 	if p.Build.TarPath != "" {
+		tarDir := filepath.Dir(p.Build.TarPath)
+		if _, err := os.Stat(tarDir); os.IsNotExist(err) {
+			if mkdirErr := os.MkdirAll(tarDir, 0755); mkdirErr != nil {
+				return fmt.Errorf("failed to create directory for tar path %s: %v", tarDir, mkdirErr)
+			}
+		}
 		cmdArgs = append(cmdArgs, fmt.Sprintf("--tar-path=%s", p.Build.TarPath))
 	}

@@ -407,7 +414,11 @@ func (p Plugin) Exec() error {
 	}

 	if p.Output.OutputFile != "" {
-		if err = output.WritePluginOutputFile(p.Output.OutputFile, getDigest(p.Build.DigestFile)); err != nil {
+		var tarPath string
+		if p.Build.TarPath != "" {
+			tarPath = getTarPath(p.Build.TarPath)
+		}
+		if err = output.WritePluginOutputFile(p.Output.OutputFile, getDigest(p.Build.DigestFile), tarPath); err != nil {
 			fmt.Fprintf(os.Stderr, "failed to write plugin output file at path: %s with error: %s\n", p.Output.OutputFile, err)
 		}
 	}
@@ -415,6 +426,15 @@ func (p Plugin) Exec() error {
 	return nil
 }

+func getTarPath(tarPath string) string {
+	tarDir := filepath.Dir(tarPath)
+	if _, err := os.Stat(tarDir); err != nil && os.IsNotExist(err) {
+		fmt.Fprintf(os.Stderr, "Warning: tar path does not exist: %s\n", tarPath)
+		return ""
+	}
+	return tarPath
+}
+
 func getDigest(digestFile string) string {
 	content, err := ioutil.ReadFile(digestFile)
 	if err != nil {
@@ -1,6 +1,8 @@
 package kaniko

 import (
+	"os"
+	"path/filepath"
 	"testing"

 	"github.com/google/go-cmp/cmp"
@@ -148,3 +150,133 @@ func TestBuild_AutoTags(t *testing.T) {
 		}
 	})
 }
+
+func TestTarPathValidation(t *testing.T) {
+	tests := []struct {
+		name          string
+		tarPath       string
+		setup         func(string) error
+		cleanup       func(string) error
+		expectSuccess bool
+		privileged    bool
+	}{
+		{
+			name:    "valid_path_privileged",
+			tarPath: "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-image-tar")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectSuccess: true,
+			privileged:    true,
+		},
+		{
+			name:    "valid_path_unprivileged",
+			tarPath: "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-image-tar")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectSuccess: true,
+			privileged:    false,
+		},
+		{
+			name:          "empty_path",
+			tarPath:       "",
+			setup:         func(path string) error { return nil },
+			cleanup:       func(path string) error { return nil },
+			expectSuccess: false,
+			privileged:    false,
+		},
+		{
+			name:    "relative_path_dots",
+			tarPath: "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-image-tar")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectSuccess: true,
+			privileged:    false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Skip privileged tests if not running as root
+			if tt.privileged && os.Getuid() != 0 {
+				t.Skip("Skipping privileged test as not running as root")
+			}
+
+			if err := tt.setup(tt.tarPath); err != nil {
+				t.Fatalf("Setup failed: %v", err)
+			}
+			defer tt.cleanup(tt.tarPath)
+
+			// Determine tar path based on test case
+			var tarPath string
+			tmpDir := os.Getenv("DRONE_WORKSPACE")
+			switch tt.name {
+			case "valid_path_privileged", "valid_path_unprivileged":
+				tarPath = filepath.Join(tmpDir, "test", "image.tar")
+			case "invalid_path_no_permissions":
+				tarPath = "/test/image.tar"
+			case "relative_path_dots":
+				tarPath = filepath.Join("..", "test", "image.tar")
+			default:
+				tarPath = tt.tarPath
+			}
+
+			p := Plugin{
+				Build: Build{
+					TarPath: tarPath,
+				},
+			}
+
+			tarDir := filepath.Dir(p.Build.TarPath)
+			err := os.MkdirAll(tarDir, 0755)
+			if tt.expectSuccess {
+				if err != nil {
+					t.Errorf("Expected directory creation to succeed, got error: %v", err)
+				}
+				if _, err := os.Stat(tarDir); err != nil {
+					t.Errorf("Expected directory to exist after creation, got error: %v", err)
+				}
+			}
+
+			result := getTarPath(p.Build.TarPath)
+			if tt.expectSuccess && result == "" {
+				t.Error("Expected non-empty tar path, got empty string")
+			}
+			if !tt.expectSuccess && result != "" {
+				t.Error("Expected empty tar path, got non-empty string")
+			}
+		})
+	}
+}
@@ -4,9 +4,15 @@ import (
 	"github.com/joho/godotenv"
 )

-func WritePluginOutputFile(outputFilePath, digest string) error {
-	output := map[string]string{
-		"digest": digest,
+func WritePluginOutputFile(outputFilePath, digest string, pluginTarPath string) error {
+	output := make(map[string]string)
+	if digest != "" {
+		output["digest"] = digest
 	}
+
+	if pluginTarPath != "" {
+		output["IMAGE_TAR_PATH"] = pluginTarPath
+	}
+
 	return godotenv.Write(output, outputFilePath)
 }
@@ -0,0 +1,145 @@
+package output
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestWritePluginOutputFile(t *testing.T) {
+	tests := []struct {
+		name        string
+		outputPath  string
+		digest      string
+		tarPath     string
+		setup       func(string) error
+		cleanup     func(string) error
+		expectError bool
+		privileged  bool
+	}{
+		{
+			name:       "valid_output_privileged",
+			outputPath: "",
+			digest:     "sha256:test",
+			tarPath:    "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-output")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectError: false,
+			privileged:  true,
+		},
+		{
+			name:       "valid_output_unprivileged",
+			outputPath: "",
+			digest:     "sha256:test",
+			tarPath:    "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-output")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectError: false,
+			privileged:  false,
+		},
+		{
+			name:       "digest_only",
+			outputPath: "",
+			digest:     "sha256:test",
+			tarPath:    "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-output")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectError: false,
+			privileged:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Skip privileged tests if not running as root
+			if tt.privileged && os.Getuid() != 0 {
+				t.Skip("Skipping privileged test as not running as root")
+			}
+
+			if err := tt.setup(tt.outputPath); err != nil {
+				t.Fatalf("Setup failed: %v", err)
+			}
+			defer tt.cleanup(tt.outputPath)
+
+			tmpDir := os.Getenv("DRONE_WORKSPACE")
+			var outputPath, tarPath string
+			switch tt.name {
+			case "valid_output_privileged", "valid_output_unprivileged":
+				outputPath = filepath.Join(tmpDir, "test", "output.env")
+				tarPath = filepath.Join(tmpDir, "test", "image.tar")
+			case "invalid_output_path":
+				outputPath = filepath.Join("/root", "test", "output.env")
+				tarPath = filepath.Join("/root", "test", "image.tar")
+			case "digest_only":
+				outputPath = filepath.Join(tmpDir, "test", "output.env")
+				tarPath = ""
+			}
+
+			err := os.MkdirAll(filepath.Dir(outputPath), 0755)
+			if err != nil {
+				t.Fatalf("Failed to create output directory: %v", err)
+			}
+
+			err = WritePluginOutputFile(outputPath, tt.digest, tarPath)
+
+			if tt.expectError && err == nil {
+				t.Error("Expected error, got none")
+			}
+			if !tt.expectError && err != nil {
+				t.Errorf("Expected no error, got: %v", err)
+			}
+
+			if !tt.expectError && err == nil {
+				content, err := os.ReadFile(outputPath)
+				if err != nil {
+					t.Fatalf("Failed to read output file: %v", err)
+				}
+
+				if tt.digest != "" && !contains(string(content), tt.digest) {
+					t.Error("Expected digest in output file")
+				}
+
+				if tarPath != "" && !contains(string(content), tarPath) {
+					t.Error("Expected tar path in output file")
+				}
+			}
+		})
+	}
+}
+
+func contains(content, substring string) bool {
+	return len(substring) > 0 && content != "" && content != "\n" && content != "\r\n"
+}
Author	SHA1	Message	Date
Anshika Anand	e6ab8aa3c0	feat:[CI-15236]: Added IMAGE_TAR_PATH as output variable for the plugin. (#132 ) * feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Test commit. * feat:[CI-15236]: Test commit. * feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Directory check and UTs. * Update pkg/output/output.go * feat:[CI-15236]: fixes * feat:[CI-15236]: Test fixes - removed root * feat:[CI-15236]: Test fixes - removed root * feat:[CI-15236]: Test fixes - removed root * feat:[CI-15236]: If tarPath directory no present it will create it. * feat:[CI-15236]: If tarPath directory no present it will create it. * feat:[CI-15236]: fixes * Update kaniko.go removed as getTarPath is only called when tarPath isn't empty --------- Co-authored-by: OP (oppenheimer) <21008429+Ompragash@users.noreply.github.com>	2024-11-28 18:31:10 +05:30
Abhay	113a61b0e1	feat: [Ci-14242]: add oidc support for ecr (#131 ) * feat: [Ci-14242]: add oidc support for ecr * fix: [CI-14242]: error handling for oidc kakniko-ecr	2024-10-17 01:51:09 +05:30
rahkumar56	982c141391	feat: [CI-13961]: Upgraded gcr.io/kaniko-project/executor version to v1.23.2. (#125 )	2024-09-09 11:23:40 +05:30
Aishwarya Lad	f41d7cb836	upgrade kaniko version for chmod on ADD and COPY (#121 )	2024-07-10 19:44:09 +05:30
rahkumar56	a71177d4b4	fix: [CI-13178]: Upgrade go version with minor version to 1.22.4 (#120 )	2024-07-10 16:06:42 +05:30
rahkumar56	5582e3ed7c	feat: [CI-13178]: GO version upgrade from 1.22.0 to 1.22.4. (#119 )	2024-07-03 12:30:41 +05:30
Hemanth Mantri	4c0f781999	[CI-13182]: Use snapshot-mode instead of snapshotMode (#118 ) The kaniko flag `snapshotMode` is deprecated in favor of `snapshot-mode`. The default value of `snapshot-mode` is `full`. As a result, the `optimize` flag set in Harness CI's `BuildAndPushToDocker` steps doesn't behave as expected because the `full` mode triggers a full filesystem scan which is slow. The `optimize` flag in Harness translates to `snapshot-mode=redo` which means only filesystem deltas are compared which is much faster. This change fixes the flag name being sent to Kaniko executor. I verified that the executor present in the current version already supports this flag as shown below: ``` hemanthkumarmantri@Hemanth Kumar harness-core % docker run -it --entrypoint /kaniko/executor plugins/kaniko:1.8.10 --help \| grep snapshot-mode --snapshot-mode string Change the file attributes inspected during snapshotting (default "full") --snapshotMode string This flag is deprecated. Please use '--snapshot-mode'. ```	2024-07-01 14:06:19 -07:00
Abhay	20525e5403	feat: [CI-10849]: add git-leaks support (#113 ) * feat: [CI-10849]: add git-leaks support * correct reference	2024-05-10 12:38:31 +01:00