Sanitize param usage in some plumbing task script blocks

tekton/resources/cd/configmap-template.yaml

@@ -56,42 +56,50 @@ spec:
           env:
           - name: KUBECONFIG
             value: /workspace/$(resources.inputs.targetCluster.name)/kubeconfig
+          - name: CONFIG_PATH
+            value: $(params.configPath)
+          - name: NAMESPACE
+            value: $(params.namespace)
+          - name: CONFIG_MAP_NAME
+            value: $(params.configMapName)
+          - name: CONFIG_MAP_KEY
+            value: $(params.configMapKey)
         steps:
         - name: fetch-current-config
           image: gcr.io/tekton-releases/dogfooding/kubectl
           script: |
             #!/bin/sh
             set -ex
-            kubectl get configmap -n $(params.namespace) \
-              $(params.configMapName) -o template \
-              --template='{{ index .data "$(params.configMapKey)" }}' > \
-               /workspace/$(params.configMapKey) || \
-               rm /workspace/$(params.configMapKey)
+            kubectl get configmap -n ${NAMESPACE} \
+              ${CONFIG_MAP_NAME} -o template \
+              --template='{{ index .data "${CONFIG_MAP_KEY}" }}' > \
+               /workspace/${CONFIG_MAP_KEY} || \
+               rm /workspace/${CONFIG_MAP_KEY}
         - name: deploy
           image: gcr.io/tekton-releases/dogfooding/kubectl
           script: |
             #!/bin/sh
             set -ex
-            if [ ! -f /workspace/$(params.configMapKey) ]; then
+            if [ ! -f /workspace/${CONFIG_MAP_KEY} ]; then
               echo "First time deployment"
-              kubectl create configmap $(params.configMapName) \
-                --from-file=$(params.configMapKey)=$(resources.inputs.source.path)/$(params.configPath) \
-                -n $(params.namespace)
+              kubectl create configmap ${CONFIG_MAP_NAME} \
+                --from-file=${CONFIG_MAP_KEY}=$(resources.inputs.source.path)/${CONFIG_PATH} \
+                -n ${NAMESPACE}
                 exit 0
             fi
             echo "diff [current-config] [new config]"
             has_diff=0
-            diff /workspace/$(params.configMapKey) \
-              $(resources.inputs.source.path)/$(params.configPath) || has_diff=1
+            diff /workspace/${CONFIG_MAP_KEY} \
+              $(resources.inputs.source.path)/${CONFIG_PATH} || has_diff=1
             if [ $has_diff -eq 0 ]; then
               echo "No change in config detected. Nothing to be done."
               exit 0
             fi
             # Apply configuration changes
-            kubectl create configmap $(params.configMapName) \
-              --from-file=$(params.configMapKey)=$(resources.inputs.source.path)/$(params.configPath) \
+            kubectl create configmap ${CONFIG_MAP_NAME} \
+              --from-file=${CONFIG_MAP_KEY}=$(resources.inputs.source.path)/${CONFIG_PATH} \
               --dry-run -o yaml | \
-              kubectl replace configmap $(params.configMapName) -n $(params.namespace) -f -
+              kubectl replace configmap ${CONFIG_MAP_NAME} -n ${NAMESPACE} -f -
       params:
       - name: configPath
         value: $(tt.params.configPath)

tekton/resources/cd/folder-template.yaml

@@ -57,6 +57,14 @@ spec:
           env:
           - name: KUBECONFIG
             value: /workspace/$(resources.inputs.targetCluster.name)/kubeconfig
+          - name: FOLDER_PATH
+            value: $(params.folderPath)
+          - name: NAMESPACE
+            value: $(params.namespace)
+          - name: DEPLOY_METHOD
+            value: $(params.deployMethod)
+          - name: IS_OVERLAY
+            value: $(params.isOverlay)
         steps:
         - name: deploy-from-folder
           image: gcr.io/tekton-releases/dogfooding/kubectl
@@ -65,15 +73,15 @@ spec:
             set -ex
 
             # Determine whether to enforce namespace across resources
-            NAMESPACE_PARAM="-n $(params.namespace)"
-            [[ "$(params.namespace)" == "" ]] && NAMESPACE_PARAM=""
+            NAMESPACE_PARAM="-n ${NAMESPACE}"
+            [[ "${NAMESPACE}" == "" ]] && NAMESPACE_PARAM=""
 
             # Handle overlays
-            TARGET=$(resources.inputs.source.path)/$(params.folderPath)
-            if [[ "$(params.isOverlay)" == "true" ]]; then
+            TARGET=$(resources.inputs.source.path)/${FOLDER_PATH}
+            if [[ "${IS_OVERLAY}" == "true" ]]; then
               TARGET=target.yaml
               kustomize build \
-                $(resources.inputs.source.path)/$(params.folderPath) > $TARGET
+                $(resources.inputs.source.path)/${FOLDER_PATH} > $TARGET
             fi
 
             # Check if there is any diff
@@ -89,7 +97,7 @@ spec:
             # When deploying with replace, we need to do a create first,
             # to ensure new resources are created
             CREATE_OUTPUT=create.txt
-            if [[ "$(params.deployMethod)" == "replace" ]]; then
+            if [[ "${DEPLOY_METHOD}" == "replace" ]]; then
               kubectl create $NAMESPACE_PARAM -f $TARGET  2> $CREATE_OUTPUT || true
               # If there was some unexpected message in the error log, fail
               if egrep -v '(already exists|^Warning)' $CREATE_OUTPUT; then
@@ -99,7 +107,7 @@ spec:
             fi
 
             # Run the actual deployment. If it fails, it will fail the step.
-            kubectl "$(params.deployMethod)" $NAMESPACE_PARAM -f $TARGET
+            kubectl "${DEPLOY_METHOD}" $NAMESPACE_PARAM -f $TARGET
       params:
       - name: folderPath
         value: $(tt.params.folderPath)

tekton/resources/cd/helm-template.yaml

@@ -61,6 +61,18 @@ spec:
           env:
           - name: KUBECONFIG
             value: /workspace/$(resources.inputs.targetCluster.name)/kubeconfig
+          - name: CHART_NAME
+            value: $(params.chartName)
+          - name: CHART_VERSION
+            value: $(params.chartVersion)
+          - name: CHART_REPO
+            value: $(params.chartRepo)
+          - name: CHART_PARAMS
+            value: $(params.chartParams)
+          - name: NAMESPACE
+            value: $(params.namespace)
+          - name: PRE_DEPLOY_RESOURCES
+            value: $(params.preDeployResources)
         steps:
         - name: pre-deploy-from-url
           image: gcr.io/tekton-releases/dogfooding/kubectl
@@ -69,33 +81,33 @@ spec:
             set -ex
 
             # Check if we have something to be done
-            if [ "$(params.preDeployResources)" == "" ]; then
+            if [ "${PRE_DEPLOY_RESOURCES}" == "" ]; then
               echo "No pre-deploy resources to deploy, continue"
               exit 0
             fi
 
             # Apply the resources to the same namespace
             kubectl apply \
               --validate=false \
-              -n $(params.namespace) \
-              -f $(params.preDeployResources)
+              -n ${NAMESPACE} \
+              -f ${PRE_DEPLOY_RESOURCES}
 
         - name: helm-deploy
           image: alpine/helm:3.1.2
           script: |
             #!/bin/sh
             set -ex
             echo "Running install/upgrade"
-            echo "with $(params.chartParams)"
+            echo "with ${CHART_PARAMS}"
             helm upgrade \
               --debug \
-              $(params.chartName)-tektoncd-maintained \
-              $(params.chartName) \
+              ${CHART_NAME}-tektoncd-maintained \
+              ${CHART_NAME} \
               --install \
-              --version $(params.chartVersion) \
-              --repo $(params.chartRepo) \
-              --namespace=$(params.namespace) \
-              --set "$(params.chartParams)" \
+              --version ${CHART_VERSION} \
+              --repo ${CHART_REPO} \
+              --namespace=${NAMESPACE} \
+              --set "${CHART_PARAMS}" \
               --wait --timeout 5m
       params:
       - name: chartName

tekton/resources/images/docker-multi-arch-template.yaml

@@ -49,6 +49,10 @@ spec:
             value: /certs/client
           - name: GOOGLE_APPLICATION_CREDENTIALS
             value: /secret/release.json
+          - name: PLATFORMS
+            value: $(tt.params.platforms)
+          - name: CONTEXT_PATH
+            value: $(tt.params.contextPath)
           image: gcr.io/tekton-releases/dogfooding/buildx-gcloud:latest
           name: build-image-multi-arch
           script: |
@@ -62,15 +66,15 @@ spec:
 
             docker context create context1
 
-            docker buildx create context1 --name builder-buildx1 --driver docker-container --platform $(tt.params.platforms) --use
+            docker buildx create context1 --name builder-buildx1 --driver docker-container --platform ${PLATFORMS} --use
             docker buildx inspect --bootstrap --builder builder-buildx1
 
             cd $(resources.inputs.source.path)
             docker buildx build \
-            --platform $(tt.params.platforms) \
+            --platform ${PLATFORMS} \
             --tag $(resources.outputs.image.url) \
             --push \
-            $(tt.params.contextPath)
+            ${CONTEXT_PATH}
           volumeMounts:
           - mountPath: /certs/client
             name: dind-certs

tekton/resources/images/ko-multi-arch-template.yaml

@@ -42,6 +42,12 @@ spec:
             value: /secret/release.json
           - name: KO_DOCKER_REPO
             value: $(tt.params.registry)/$(tt.params.namespace)
+          - name: PLATFORMS
+            value: $(tt.params.platforms)
+          - name: IMAGE_TAG
+            value: $(tt.params.imageTag)
+          - name: CONTEXT_PATH
+            value: $(tt.params.contextPath)
           image: gcr.io/tekton-releases/dogfooding/ko-gcloud:latest
           name: build-image-multi-arch
           script: |
@@ -51,7 +57,7 @@ spec:
             gcloud auth configure-docker
 
             cd $(resources.inputs.source.path)
-            ko publish --platform $(tt.params.platforms) --base-import-paths --tags $(tt.params.imageTag) $(tt.params.contextPath)
+            ko publish --platform ${PLATFORMS} --base-import-paths --tags ${IMAGE_TAG} ${CONTEXT_PATH}
           volumeMounts:
           - mountPath: /secret
             name: gcp-secret

tekton/resources/nightly-release/tasks.yaml

@@ -46,9 +46,15 @@ spec:
       value: $(inputs.params.GOARCH)
     - name: GO111MODULE
       value: $(inputs.params.GO111MODULE)
+    - name: FLAGS
+      value: $(inputs.params.flags)
+    - name: PACKAGES
+      value: $(inputs.params.packages)
+    - name: PACKAGE
+      value: $(inputs.params.package)
     image: golang:$(inputs.params.version)
     name: unit-test
     resources: {}
     script: |
-      go test $(inputs.params.flags) $(inputs.params.packages)
-    workingDir: /workspace/src/$(inputs.params.package)
+      go test ${FLAGS} ${PACKAGES}
+    workingDir: /workspace/src/${PACKAGE}

tekton/resources/nightly-tests/base/deploy_tekton_component.yaml

@@ -12,6 +12,13 @@ spec:
   - name: extra-file
     description: extra file to install (for instance, interceptors.yaml for triggers)
     default: ""
+  env:
+  - name: PACKAGE
+    value: $(params.package)
+  - name: VERSION
+    value: $(params.version)
+  - name: EXTRA_FILE
+    value: $(params.extra-file)
   workspaces:
   - name: k8s-shared
     description: workspace for k8s config, configuration file is expected to have `config` name
@@ -25,12 +32,12 @@ spec:
     script: |
       #!/usr/bin/env sh
       set -exo pipefail
-      kubectl apply --filename https://storage.googleapis.com/tekton-releases-nightly/$(params.package)/$(params.version)/release.yaml
-      if [ "$(params.extra-file)" != "" ]; then
-        kubectl apply --filename https://storage.googleapis.com/tekton-releases-nightly/$(params.package)/$(params.version)/$(params.extra-file)
+      kubectl apply --filename https://storage.googleapis.com/tekton-releases-nightly/${PACKAGE}/${VERSION}/release.yaml
+      if [ "${EXTRA_FILE}" != "" ]; then
+        kubectl apply --filename https://storage.googleapis.com/tekton-releases-nightly/${PACKAGE}/${VERSION}/${EXTRA_FILE}
       fi
-      APPLICATION="tekton-$(params.package)"
-      if [ "$(params.package)" == "pipeline" ]; then
+      APPLICATION="tekton-${PACKAGE}"
+      if [ "${PACKAGE}" == "pipeline" ]; then
         APPLICATION="${APPLICATION}s"
       fi
       kubectl wait -n tekton-pipelines --for=condition=ready pods --all --timeout=120s -l app.kubernetes.io/part-of=$APPLICATION

tekton/resources/nightly-tests/bastion-p/k8s_cluster_setup.yaml

@@ -33,13 +33,22 @@ spec:
       type: string
       description: create and delete actions are supported
       default: create
+  env:
+    - name: REMOTE_HOST
+      value: $(params.remote-host)
+    - name: REMOTE_USER
+      value: $(params.remote-user)
+    - name: REMOTE_PORT
+      value: $(params.remote-port)
+    - name: ACTION
+      value: $(params.action)
   steps:
     - name: ssh
       image: kroniak/ssh-client
       script: |
-        ssh -p $(params.remote-port) -o StrictHostKeyChecking=no -o LogLevel=ERROR $(params.remote-user)@$(params.remote-host) k8smanager $(params.action)
-        if [ "$(params.action)" == "create" ]; then
-          scp -o StrictHostKeyChecking=no -o LogLevel=ERROR -P $(params.remote-port) $(params.remote-user)@$(params.remote-host):/root/data/share/config $(workspaces.k8s-shared.path)/config
-          scp -o StrictHostKeyChecking=no -o LogLevel=ERROR -P $(params.remote-port) $(params.remote-user)@$(params.remote-host):/root/data/share/config.json $(workspaces.registry-shared.path)/config.json
-          scp -o StrictHostKeyChecking=no -o LogLevel=ERROR -P $(params.remote-port) $(params.remote-user)@$(params.remote-host):/root/data/share/cert.pem $(workspaces.registry-shared.path)/cert.pem
+        ssh -p ${REMOTE_PORT} -o StrictHostKeyChecking=no -o LogLevel=ERROR ${REMOTE_USER}@${REMOTE_HOST} k8smanager ${ACTION}
+        if [ "${ACTION}" == "create" ]; then
+          scp -o StrictHostKeyChecking=no -o LogLevel=ERROR -P ${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}:/root/data/share/config $(workspaces.k8s-shared.path)/config
+          scp -o StrictHostKeyChecking=no -o LogLevel=ERROR -P ${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}:/root/data/share/config.json $(workspaces.registry-shared.path)/config.json
+          scp -o StrictHostKeyChecking=no -o LogLevel=ERROR -P ${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}:/root/data/share/cert.pem $(workspaces.registry-shared.path)/cert.pem
         fi

tekton/resources/nightly-tests/bastion-z/k8s_cluster_setup.yaml

@@ -31,8 +31,17 @@ spec:
   steps:
     - name: ssh
       image: kroniak/ssh-client
+      env:
+      - name: REMOTE_HOST
+        value: $(params.remote-host)
+      - name: REMOTE_PORT
+        value: $(params.remote-port)
+      - name: REMOTE_USER
+        value: $(params.remote-user)
+      - name: ACTION
+        value: $(params.action)
       script: |
-        ssh -p $(params.remote-port) -o StrictHostKeyChecking=no -o LogLevel=ERROR $(params.remote-user)@$(params.remote-host) k8smanager $(params.action)
-        if [ "$(params.action)" == "create" ]; then
-          scp -o StrictHostKeyChecking=no -o LogLevel=ERROR -P $(params.remote-port) $(params.remote-user)@$(params.remote-host):/home/k8smanager/kubeconfig/kubeconfig.conf $(workspaces.k8s-shared.path)/config
+        ssh -p ${REMOTE_HOST} -o StrictHostKeyChecking=no -o LogLevel=ERROR ${REMOTE_USER}@${REMOTE_HOST} k8smanager ${ACTION}
+        if [ "${ACTION}" == "create" ]; then
+          scp -o StrictHostKeyChecking=no -o LogLevel=ERROR -P ${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}:/home/k8smanager/kubeconfig/kubeconfig.conf $(workspaces.k8s-shared.path)/config
         fi

tekton/resources/release/base/github_release.yaml

@@ -46,6 +46,8 @@ spec:
         value: $(params.package)
       - name: OLD_VERSION
         value: $(params.previous-release-tag)
+      - name: RELEASE_NAME
+        value: $(params.release-name)
   steps:
     - name: header
       image: gcr.io/tekton-releases/dogfooding/hub
@@ -55,7 +57,7 @@ spec:
         TEKTON_PROJECT=$(basename $PROJECT)
 
         cat <<EOF | tee $HOME/release.md
-        Tekton ${TEKTON_PROJECT^} release ${VERSION} "$(params.release-name)"
+        Tekton ${TEKTON_PROJECT^} release ${VERSION} "${RELEASE_NAME}"
 
         # 🎉 [Tag Line - to be done] 🎉