From 3b35b6e0fc458f579d78f2465fde9c6aa7f0ac86 Mon Sep 17 00:00:00 2001
From: Marc Hildenbrand
Date: Fri, 7 Aug 2020 09:20:24 +0000
Subject: [PATCH] Add condition for running scan image
Adds support for a condition that will look for a secret. This is integrated with the pipeline to skip the scan-image step if sysdig secret isn't there, unfortunately optional steps are not supported yet in Tekton so the whole rest of the pipeline will fail if there is no secret per here: https://github.com/tektoncd/pipeline/issues/1023
---
 .../conditions/secret-exists-condition.yaml | 27 +++++++++++++++++++
 .../pipelines/fraud-model-dev-pipeline.yaml | 8 ++++++
 2 files changed, 35 insertions(+)
 create mode 100644 kube/tekton/conditions/secret-exists-condition.yaml
diff --git a/kube/tekton/conditions/secret-exists-condition.yaml b/kube/tekton/conditions/secret-exists-condition.yaml
new file mode 100644
index 0000000..842fb9e
--- /dev/null
+++ b/kube/tekton/conditions/secret-exists-condition.yaml
@@ -0,0 +1,27 @@
+apiVersion: tekton.dev/v1alpha1
+kind: Condition
+metadata:
+ name: secret-exists
+spec:
+ params:
+ - name: SECRET_NAME
+ description: "The name of the secret to check for in the specified project"
+ - name: PROJECT
+ description: "The name of the project in which to seek SECRET_NAME. Defaults to the project this condition is defined in"
+ default: ""
+ check:
+ image: quay.io/openshift/origin-cli:latest
+ script: |
+ #!/usr/bin/env bash
+ set -e -o pipefail
+
+ declare CHECK_PRJ="$(params.PROJECT)"
+ if [[ -z "${CHECK_PRJ}" ]]; then
+ echo "Looking to the pod to determine the current namespace"
+ CHECK_PRJ=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+ fi
+
+ echo "command to run is: oc get secret $(params.SECRET_NAME) -n ${CHECK_PRJ} 2>/dev/null"
+
+ # check for non-empty string result looking for secret
+ test -n "$(oc get secret $(params.SECRET_NAME) -n ${CHECK_PRJ} 2>/dev/null)"
\ No newline at end of file
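Review bot: The check script splices `$(params.SECRET_NAME)` and `$(params.PROJECT)` directly into the bash source (the `declare CHECK_PRJ="$(params.PROJECT)"` line and the final `test -n "$(oc get secret $(params.SECRET_NAME) ...)"`), and Tekton performs that substitution as plain text before bash ever parses the script, so a parameter value carrying shell metacharacters or a newline is executed as shell and no amount of quoting inside the script can prevent it. Pass both params to the step through `env:` and reference them as `"${SECRET_NAME}"` / `"${PROJECT}"` instead (or at minimum reject values that do not match the DNS-1123 `[a-z0-9.-]` shape before using them). Two smaller points: `quay.io/openshift/origin-cli:latest` is a mutable tag on the step that decides whether image scanning runs at all, so pin it to a digest; and `2>/dev/null` on `oc get secret` hides an RBAC `forbidden`, making a service account that merely lacks `get secrets` indistinguishable from a genuinely missing secret, so consider surfacing stderr or checking `oc auth can-i get secrets -n "${CHECK_PRJ}"` first.
```yaml
  check:
    image: quay.io/openshift/origin-cli:latest  # TODO: pin to an @sha256 digest
    env:
      - name: SECRET_NAME
        value: $(params.SECRET_NAME)
      - name: PROJECT
        value: $(params.PROJECT)
    script: |
      #!/usr/bin/env bash
      set -e -o pipefail

      # params arrive as environment variables, never as script text
      declare CHECK_PRJ="${PROJECT}"
      # … unchanged: fall back to the pod's own namespace when CHECK_PRJ is empty …

      echo "command to run is: oc get secret ${SECRET_NAME} -n ${CHECK_PRJ}"

      # check for non-empty string result looking for secret
      test -n "$(oc get secret "${SECRET_NAME}" -n "${CHECK_PRJ}" 2>/dev/null)"
```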
diff --git a/kube/tekton/pipelines/fraud-model-dev-pipeline.yaml b/kube/tekton/pipelines/fraud-model-dev-pipeline.yaml
index 20e76a0..8ba0e5e 100644
--- a/kube/tekton/pipelines/fraud-model-dev-pipeline.yaml
+++ b/kube/tekton/pipelines/fraud-model-dev-pipeline.yaml
@@ -146,6 +146,14 @@ spec:
 - name: workvol
 workspace: local-workspace
 - name: scan-image
+ # FIXME: Unfortunately, we can't skip this step and have the rest of the pipeline run in this version of tekton
+ # See feature request here: https://github.com/tektoncd/pipeline/issues/1023
+ conditions:
+ - conditionRef: secret-exists
+ params:
+ - name: SECRET_NAME
+ value: sysdig-secret
+ # END FIXME
 taskRef:
 name: sysdig-image-scan
 runAfter:
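Review bot: Wiring `secret-exists` onto `scan-image` makes `sysdig-secret` a hard prerequisite today (as the FIXME notes, a failed condition fails the rest of the pipeline), but once the linked Tekton feature lands the same wiring will turn a missing scanner credential into a silently skipped image scan, i.e. the security gate fails open. That decision deserves to be recorded next to the `conditions:` block, e.g. `# NOTE: image scanning is a required gate; if conditions become skippable, fail the pipeline rather than skip the scan when sysdig-secret is missing`. The condition also only proves the secret object exists, not that the `sysdig-image-scan` task's service account can read it or that it carries the keys the task expects, so a malformed or unreadable secret still reaches the scan step unchecked. The `scan-image` task entry continues past the hunk (the `runAfter:` values are outside it).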