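---
# Tekton Task that submits a source tarball from the `source-tars` workspace
# to the scan service by running `covscan mock-build` in the OSH wrapper
# client image. The step authenticates with a Kerberos keytab mounted from
# a Secret and reads its client/krb5 configuration from ConfigMaps.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: osh-scan-task-from-source
spec:
  stepTemplate:
    env:
      - name: "HOME"
        value: "/tekton/home"
  params:
    - name: targz-file
      type: string
      default: "source.tar.gz"
      description: The filename of the tar.gz we'll be uploading to covscan
    # This value becomes covscan's command-line options, including
    # --tarball-build-script, so whoever can set it decides what the scan
    # build runs. Treat it as trusted-pipeline-author input only.
    - name: mock-build-params
      type: string
      description: Parameters pushed to mock build
      default: "-p snyk-only-unstable --tarball-build-script=:"
  volumes:
    - name: osh-client-kerb-vol
      secret:
        # 292 decimal == 0444 octal: readable by owner, group and others.
        # NOTE(review): a keytab is a long-lived credential; consider 0400
        # (256) if the step's runtime user owns the mounted file. Confirm
        # against the image's UID before tightening.
        defaultMode: 292
        optional: false
        secretName: kerberos-keytab-osh
    - name: osh-client-kerb-config-vol
      configMap:
        name: kerberos-config-osh-client
        items:
          - key: linux-krb5.conf
            path: linux-krb5.conf
        # 292 decimal == 0444 octal.
        defaultMode: 292
        optional: false
    - name: osh-client-config-vol
      configMap:
        name: osh-client-config
        items:
          - key: client.conf
            path: client.conf
        optional: false
  workspaces:
    - name: source-tars
      description: source tar gzips are kept here
  steps:
    - name: perform-buildid-scan
      # NOTE(review): `latest` is a mutable tag, and this container is handed
      # the Kerberos keytab. Pin the reviewed image by digest, e.g.
      # quay.io/pct-security/osh-wrapper-client@sha256:<DIGEST_PLACEHOLDER>.
      image: quay.io/pct-security/osh-wrapper-client:latest
      workingDir: /home/covscan
      # Parameters are handed to the script as environment variables.
      # Tekton substitutes $(params.*) textually, so referencing them inside
      # `script` would let a value such as `x; some-command` run as shell
      # code in the container that holds the keytab.
      env:
        - name: MOCK_BUILD_PARAMS
          value: "$(params.mock-build-params)"
        - name: TARGZ_FILE
          value: "$(params.targz-file)"
      volumeMounts:
        - name: osh-client-kerb-vol
          mountPath: /kerberos
          readOnly: true
        - name: osh-client-config-vol
          mountPath: /etc/osh/client.conf
          readOnly: true
          subPath: client.conf
        - name: osh-client-kerb-config-vol
          mountPath: /etc/krb5.conf
          readOnly: true
          subPath: linux-krb5.conf
      script: |
        #!/bin/bash
        # Log the inputs; printf avoids echo treating a value as an option.
        printf '%s\n' "${MOCK_BUILD_PARAMS}"
        printf '%s\n' "${TARGZ_FILE}"
        # Split the option string on whitespace only: no globbing and no
        # command substitution. Shell quoting inside the parameter value is
        # not interpreted, so each whitespace-separated word is one argument.
        read -r -a mock_build_args <<< "${MOCK_BUILD_PARAMS}"
        # NOTE(review): TARGZ_FILE is joined to the workspace path without
        # validation; a value containing `../` resolves outside the
        # workspace. Restrict it to a bare filename if callers allow.
        covscan mock-build "${mock_build_args[@]}" "/workspace/source-tars/${TARGZ_FILE}"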