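# Tekton Task (Helm template): promotes container images and a Helm chart
# into a non-test repository by running an Ansible playbook against a
# Docker-in-Docker (dind) sidecar.
#
# Security review notes:
#   - The step holds registry push and Helm publish credentials and the
#     sidecar runs privileged, so restrict who may create TaskRuns for
#     this Task.
#   - Both container images come from chart values not visible here.
#     NOTE(review): prefer digest-pinned references over mutable tags;
#     confirm in the chart values.
#   - Templated scalars are passed through `quote` so an empty or
#     number/boolean-looking value cannot change type when the rendered
#     YAML is parsed.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: promote
  namespace: {{ $.Release.Namespace | quote }}
spec:
  description: >-
    This task will promote images and chart into a non-test repository
  workspaces:
    # Not referenced by the script below. NOTE(review): presumably read by
    # the playbook; if it is not, drop it so the step sees less data.
    - name: k8s_cluster_data
    # Source of the default.json / image.json / chart.json extra-vars files.
    - name: development_pipeline_data
  steps:
    - name: promote-artifacts
      image: {{ $.Values.tasks.promote.promoteImage | quote }}
      env:
        # Connect to the sidecar over TCP, with TLS.
        - name: DOCKER_HOST
          value: tcp://localhost:2376
        # Verify TLS.
        - name: DOCKER_TLS_VERIFY
          value: '1'
        # Use the certs generated by the sidecar daemon.
        - name: DOCKER_CERT_PATH
          value: /certs/client
      volumeMounts:
        # Registry push credentials (Secret harbor-docker-auth), exposed as
        # the Docker client config file.
        - mountPath: /tekton/home/.docker/config.json
          name: image-push-creds
          subPath: .dockerconfigjson
        # Client TLS material written by the dind sidecar.
        - mountPath: /certs/client
          name: dind-certs
        # Harbor CA, added to the trust store by update-ca-certificates in
        # the script. It is installed in this step container only, not in
        # the sidecar daemon.
        - mountPath: /usr/local/share/ca-certificates/harbor-ca.crt
          name: harbor-ca
          subPath: harbor-ca
        # Helm publish credentials (Secret harbor-basic-auth).
        - mountPath: /workspace/helm-creds
          name: helm-publish-creds
      # The script runs the promote playbook twice: stage "promote_image",
      # then stage "promote_chart".
      #
      # NOTE(review): `set -x` traces every command and `-vvv` raises
      # Ansible verbosity while both credential mounts are present. Unless
      # the playbook (not visible here) marks credential-handling tasks
      # `no_log: true`, secret values may end up in TaskRun logs. Confirm,
      # or lower the verbosity outside of debugging.
      #
      # Each `-e @file` loads extra vars from a JSON file in the
      # development_pipeline_data workspace. Extra vars take the highest
      # variable precedence in Ansible, so whatever writes those files
      # controls the playbook's variables; treat the workspace as a trust
      # boundary.
      #
      # promotePlaybook is rendered into the shell script unquoted, so it
      # must only ever come from trusted chart values.
      script: |
        #!/usr/bin/env sh
        set -ex
        update-ca-certificates
        ansible-playbook -vvv {{ $.Values.tasks.promote.promotePlaybook }} -i hosts -e '{"stage":"promote_image"}' -e @"$(workspaces.development_pipeline_data.path)/default.json" -e @"$(workspaces.development_pipeline_data.path)/image.json"
        ansible-playbook -vvv {{ $.Values.tasks.promote.promotePlaybook }} -i hosts -e '{"stage":"promote_chart"}' -e @"$(workspaces.development_pipeline_data.path)/default.json" -e @"$(workspaces.development_pipeline_data.path)/chart.json"
  sidecars:
    - image: {{ $.Values.tasks.image.sidecarServer | quote }}
      name: server
      args:
        - --storage-driver=vfs
        - --userland-proxy=false
        # NOTE(review): daemon debug logging; confirm it is still wanted
        # outside of troubleshooting.
        - --debug
        # Marks the registry as insecure: the daemon will accept plain HTTP
        # or an unverified TLS certificate for it. NOTE(review): if this is
        # the Harbor instance whose CA the step already trusts, mounting
        # that CA into the daemon (/etc/docker/certs.d/<registry-host>/ca.crt)
        # would allow dropping this flag; confirm against the chart values.
        - --insecure-registry={{ $.Values.tasks.image.insecureRegistry }}
      securityContext:
        # A privileged container is not isolated from the node. Presumably
        # needed for the nested Docker daemon; keep this Task in a
        # namespace where admission policy and RBAC limit its use.
        privileged: true
      env:
        # Write generated certs to the path shared with the client.
        - name: DOCKER_TLS_CERTDIR
          value: /certs
      volumeMounts:
        - mountPath: /certs/client
          name: dind-certs
      # Wait for the dind daemon to generate the certs it will share with the
      # client.
      readinessProbe:
        periodSeconds: 1
        exec:
          command: ['ls', '/certs/client/ca.pem']
  volumes:
    # Scratch volume shared by the sidecar (writer) and the step (reader)
    # for the generated TLS client certs.
    - name: dind-certs
      emptyDir: {}
    - name: image-push-creds
      secret:
        secretName: harbor-docker-auth
    - name: helm-publish-creds
      secret:
        secretName: harbor-basic-auth
    - name: harbor-ca
      secret:
        secretName: harbor-ca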