personal_tekton_catalog/task/buildkit-rootless-daemonless/0.1/buildkit-rootless-daemonless.yaml


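apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: buildkit
  labels:
    app.kubernetes.io/version: "0.1"
  annotations:
    tekton.dev/categories: Image Build
    # NOTE(review): this Task declares an array result (IMAGE_URL below), which
    # needs a considerably newer Pipelines release than 0.12.1 (and the matching
    # enable-api-fields setting) -- confirm the real minimum before publishing.
    tekton.dev/pipelines.minVersion: "0.12.1"
    tekton.dev/tags: image-build
    tekton.dev/displayName: "Build a docker image with buildkit."
    tekton.dev/platforms: "linux/amd64"
    # Tekton runs step `build-and-push` in container `step-build-and-push`. The
    # default AppArmor profile blocks the mount/namespace operations rootless
    # BuildKit needs, so it is relaxed for that container only (see the
    # seccompProfile on the same step). The newer `appArmorProfile` field is
    # the replacement for this annotation once the cluster supports it.
    container.apparmor.security.beta.kubernetes.io/step-build-and-push: unconfined
spec:
  description: >-
    This task will build a docker image using buildkit and push the result to an
    image registry.
  workspaces:
    - name: source
      mountPath: /source
      readOnly: true
    - name: dockerconfig
      description: Includes credentials for the docker image registry.
      optional: true
      mountPath: /home/user/.docker
  params:
    - name: OUTPUT
      type: string
      description: Argument to output flag for `buildctl build`
      # Examples:
      #   type=image,name=harbor.mydomain.example/private/foo:3.45,push=true,compression=zstd,compression-level=22
      #   type=image,"name=harbor.mydomain.example/private/foo:latest,harbor.mydomain.example/private/foo:3.45",push=true,compression=zstd,compression-level=22,oci-mediatypes=true
    - name: CONTEXT
      type: string
      description: Path to the docker context.
      default: "."
    - name: DOCKERFILE
      type: string
      description: Path to the Dockerfile relative to the context.
      default: "Dockerfile"
    - name: BUILDER_IMAGE
      type: string
      description: Docker image containing BuildKit.
      # The default is a release candidate; pin a released tag (e.g.
      # v0.16.0-rootless) or, better, an image digest in production pipelines.
      default: "moby/buildkit:v0.17.0-rc1-rootless"
    - name: EXTRA_ARGS
      type: array
      description: Arguments passed to the build command.
      default: []
    - name: BUILDKITD_TOML
      type: string
      description: Contents of buildkitd.toml.
      default: ""
  results:
    - name: IMAGE_DIGEST
      description: Digest of the docker image.
    - name: IMAGE_URL
      description: Full URL to the docker image.
      type: array
  volumes:
    # Scratch volumes shared between the steps; all of them are pod-local and
    # discarded when the TaskRun pod ends.
    - name: buildkitd
      emptyDir: {}
    - name: buildkitd-toml
      emptyDir: {}
    - name: metadata-out
      emptyDir: {}
  steps:
    - name: write-config
      image: $(params.BUILDER_IMAGE)
      workingDir: "$(workspaces.source.path)"
      # The TOML is handed over as an environment variable instead of being
      # substituted into the script text: an inline $(params.BUILDKITD_TOML)
      # inside an unquoted heredoc is subject to shell $-expansion and backtick
      # command substitution, and a line reading "EOF" in the value would end the
      # heredoc early so that the remainder runs as shell.
      env:
        - name: BUILDKITD_TOML
          value: "$(params.BUILDKITD_TOML)"
      script: |
        #!/usr/bin/env sh
        set -euo pipefail
        # tee also echoes the config into the step log; keep secrets out of it.
        printf '%s\n' "$BUILDKITD_TOML" | tee /home/user/.config/buildkit/buildkitd.toml
        # Quoted delimiter: nothing in the entrypoint is expanded at write time.
        # The script runs as the command of the build-and-push step.
        cat > /home/user/.config/buildkit/entrypoint.sh <<'EOF'
        #!/usr/bin/env sh
        set -euo pipefail
        # Forward any private keys Tekton's credential init placed under
        # /tekton/creds/.ssh to BuildKit as the "default" ssh id.
        if [ -n "$(find /tekton/creds/.ssh -maxdepth 1 -name 'id_*' -print -quit)" ]; then
          eval "$(ssh-agent)"
          ssh-add /tekton/creds/.ssh/id_*
          exec buildctl-daemonless.sh build --ssh default="$SSH_AUTH_SOCK" "${@}"
        else
          exec buildctl-daemonless.sh build "${@}"
        fi
        EOF
        chmod +x /home/user/.config/buildkit/entrypoint.sh
      volumeMounts:
        - name: buildkitd
          mountPath: /home/user/.local/share/buildkit
        - name: buildkitd-toml
          mountPath: /home/user/.config/buildkit
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
    - name: build-and-push
      image: $(params.BUILDER_IMAGE)
      workingDir: "$(workspaces.source.path)"
      command: ["/home/user/.config/buildkit/entrypoint.sh"]
      args:
        - --frontend
        - dockerfile.v0
        - --local
        - context=$(workspaces.source.path)/$(params.CONTEXT)
        # NOTE(review): DOCKERFILE is described as relative to the context, but
        # it is passed relative to the workspace root (workingDir), not joined
        # with CONTEXT -- confirm which is intended.
        - --local
        - dockerfile=$(params.DOCKERFILE)
        - --output
        - $(params.OUTPUT)
        # Written into the metadata-out volume and read by the next step.
        - --metadata-file
        - /home/user/.metadata/build.json
        # Array param: expanded into one argument per element.
        - $(params.EXTRA_ARGS)
      volumeMounts:
        - name: buildkitd
          mountPath: /home/user/.local/share/buildkit
        - name: buildkitd-toml
          mountPath: /home/user/.config/buildkit
          readOnly: true
        - name: metadata-out
          mountPath: /home/user/.metadata
      securityContext:
        # Rootless BuildKit with --oci-worker-no-process-sandbox still needs
        # syscalls (mount, unshare) that the default seccomp profile denies.
        # The container remains non-root (UID 1000) and is not privileged.
        seccompProfile:
          type: Unconfined
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        # Kubernetes >= 1.30 field; superseded by the annotation in metadata
        # on older clusters.
        # appArmorProfile:
        #   type: Unconfined
      env:
        - name: BUILDKITD_FLAGS
          value: "--oci-worker-no-process-sandbox"
        # Points buildctl at the optional dockerconfig workspace. When the
        # workspace is not bound this presumably expands to an empty string and
        # the default lookup path applies -- TODO confirm against Tekton docs.
        - name: DOCKER_CONFIG
          value: $(workspaces.dockerconfig.path)
    - name: read-metadata
      # Pinned by tag only; pin by digest for reproducible, tamper-evident runs.
      image: python:3.13-alpine3.20
      workingDir: "$(workspaces.source.path)"
      script: |
        #!/usr/bin/env python
        import json
        # Metadata written by `buildctl build --metadata-file` in the previous step.
        with open("/home/user/.metadata/build.json", "r") as f:
            meta_body = f.read()
        # Echoed to the step log for troubleshooting.
        print(meta_body)
        meta = json.loads(meta_body)
        # Both keys exist only for image outputs; a KeyError here fails the task,
        # which is the intended outcome since the results are mandatory.
        with open("$(results.IMAGE_DIGEST.path)", "w") as f:
            print(meta["containerimage.digest"], file=f, end="")
        # image.name is comma-separated when several tags were pushed; the
        # array result is written as a JSON list.
        with open("$(results.IMAGE_URL.path)", "w") as f:
            print(json.dumps(meta["image.name"].split(",")), file=f, end="")
      volumeMounts:
        - name: metadata-out
          mountPath: /home/user/.metadata
          readOnly: true
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000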