quay

.woodpecker.yml

@@ -13,24 +13,19 @@ steps:
       dockerfile: Dockerfile
     when:
       - event: [push, tag]
-  scan_image:
-    image: aquasec/trivy
-    commands:
-      - trivy image $FORGE_NAME/$CI_REPO:$CI_COMMIT_SHA --quiet --exit-code 1
-    when:
-      - event: [push, tag]
   build:
     image: plugins/kaniko
     settings:
       repo: quay.io/wollud1969/k8s-admin-helper
-      registry: quay.io
+      registry: 
-      tags: 
+        from_secret: quay_registry
-        - latest
-        - ${CI_COMMIT_TAG}
       username:
         from_secret: quay_username
       password:
         from_secret: quay_password
+      tags: 
+        - latest
+        - ${CI_COMMIT_TAG}
       dockerfile: Dockerfile
     when:
       - event: [tag]

Dockerfile

@@ -1,12 +1,16 @@
-FROM alpine:latest
+FROM alpine:3.22.2
 
 ARG USER="user"
 
-RUN apk add --no-cache kubectl gpg bash && \
+RUN apk add --no-cache kubectl gpg gpg-agent bash curl helm podman && \
     addgroup $USER && \
     adduser -G $USER -D $USER
 
+COPY decrypt-secrets.sh /usr/local/bin/
+
 USER $USER
 WORKDIR /home/$USER
 
+RUN gpg -k
+
 

decrypt-secrets.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+#
+# Set the environment variable GPG_PASSPHRASE
+# Pipe the encrypted data and 
+#   - redirect the output into the destination file or
+#   - directly eval the output, in this case make sure ONLY variable definitions are in the file
+#
+# The second option would be
+#   eval "`cat secrets.asc | ./decrypt-secrets.sh`"
+#
+# To create the encrypted file use
+#   gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
+# where secrets.txt is the cleartext file and secrets.asc will be the encrypted file.
+# Make sure to use a good passphrase, make sure to store the passphrase safely.
+#
+# Adding the encrypted file secrets.asc to a source code repository is secure.
+#
+
+
+gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output -