tektoncd · tekton-robot · Sep 6, 2021 · Jul 30, 2021 · ghost · Sep 1, 2021
diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -46,6 +46,7 @@ var (
 	gitImage                 = flag.String("git-image", "", "The container image containing our Git binary.")
 	kubeconfigWriterImage    = flag.String("kubeconfig-writer-image", "", "The container image containing our kubeconfig writer binary.")
 	shellImage               = flag.String("shell-image", "", "The container image containing a shell")
+	shellImageWin            = flag.String("shell-image-win", "", "The container image containing a windows shell")
 	gsutilImage              = flag.String("gsutil-image", "", "The container image containing gsutil")
 	prImage                  = flag.String("pr-image", "", "The container image containing our PR binary.")
 	imageDigestExporterImage = flag.String("imagedigest-exporter-image", "", "The container image containing our image digest exporter binary.")
@@ -65,6 +66,7 @@ func main() {
 		GitImage:                 *gitImage,
 		KubeconfigWriterImage:    *kubeconfigWriterImage,
 		ShellImage:               *shellImage,
+		ShellImageWin:            *shellImageWin,
 		GsutilImage:              *gsutilImage,
 		PRImage:                  *prImage,
 		ImageDigestExporterImage: *imageDigestExporterImage,

diff --git a/config/controller.yaml b/config/controller.yaml
@@ -77,7 +77,10 @@ spec:
           # The shell image must be root in order to create directories and copy files to PVCs.
           # gcr.io/distroless/base:debug as of Apirl 17, 2021
           # image shall not contains tag, so it will be supported on a runtime like cri-o
-          "-shell-image", "gcr.io/distroless/base@sha256:aa4fd987555ea10e1a4ec8765da8158b5ffdfef1e72da512c7ede509bc9966c4"
+          "-shell-image", "gcr.io/distroless/base@sha256:aa4fd987555ea10e1a4ec8765da8158b5ffdfef1e72da512c7ede509bc9966c4",
+          # for script mode to work with windows we need a powershell image
+          # pinning to nanoserver tag as of July 15 2021
+          "-shell-image-win", "mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6"
         ]
         volumeMounts:
         - name: config-logging

diff --git a/docs/tasks.md b/docs/tasks.md
@@ -12,6 +12,7 @@ weight: 200
   - [Defining `Steps`](#defining-steps)
     - [Reserved directories](#reserved-directories)
     - [Running scripts within `Steps`](#running-scripts-within-steps)
+      - [Windows Scripts](#windows-scripts)
     - [Specifying a timeout](#specifying-a-timeout)
     - [Specifying `onError` for a `step`](#specifying-onerror-for-a-step)
     - [Accessing Step's `exitCode` in subsequent `Steps`](#accessing-steps-exitcode-in-subsequent-steps)
@@ -265,6 +266,51 @@ steps:
       #!/usr/bin/env bash
       /bin/my-binary
 ```
+
+##### Windows scripts
+
+Scripts in tasks that will eventually run on windows nodes need a custom shebang line, so that Tekton knows how to run the script. The format of the shebang line is:
+
+`#!win <interpreter command> <args>`
+
+Unlike linux, we need to specify how to interpret the script file which is generated by Tekton. The example below shows how to execute a powershell script:
+
+```yaml
+steps:
+  - image: mcr.microsoft.com/windows/servercore:1809
+    script: |
+      #!win powershell.exe -File
+      echo 'Hello from PowerShell'
+```
+
+Microsoft provide `powershell` images, which contain Powershell Core (which is slightly different from powershell found in standard windows images). The example below shows how to use these images:
+```yaml
+steps:
+  - image: mcr.microsoft.com/powershell:nanoserver
+    script: |
+      #!win pwsh.exe -File
+      echo 'Hello from PowerShell Core'
+```
+
+As can be seen the command is different. The windows shebang can be used for any interpreter, as long as it exists in the image and can interpret commands from a file. The example below executes a Python script:
+```yaml
+  steps:
+  - image: python
+    script: |
+      #!win python
+      print("Hello from Python!")
+```
+Note that other than the `#!win` shebang the example is identical to the earlier linux example.
+
+Finally, if no interpreter is specified on the `#!win` line then the script will be treated as a windows `.cmd` file which will be excecuted. The example below shows this:
+```yaml
+  steps:
+  - image: mcr.microsoft.com/powershell:lts-nanoserver-1809
+    script: |
+      #!win
+      echo Hello from the default cmd file
+```
+
 #### Specifying a timeout
 
 A `Step` can specify a `timeout` field.

diff --git a/pkg/apis/pipeline/images.go b/pkg/apis/pipeline/images.go
@@ -34,6 +34,8 @@ type Images struct {
 	KubeconfigWriterImage string
 	// ShellImage is the container image containing bash shell.
 	ShellImage string
+	// ShellImageWin is the container image containing powershell.
+	ShellImageWin string
 	// GsutilImage is the container image containing gsutil.
 	GsutilImage string
 	// PRImage is the container image that we use to implement the PR source step.
@@ -55,6 +57,7 @@ func (i Images) Validate() error {
 		{i.GitImage, "git"},
 		{i.KubeconfigWriterImage, "kubeconfig-writer"},
 		{i.ShellImage, "shell"},
+		{i.ShellImageWin, "windows-shell"},
 		{i.GsutilImage, "gsutil"},
 		{i.PRImage, "pr"},
 		{i.ImageDigestExporterImage, "imagedigest-exporter"},

diff --git a/pkg/apis/pipeline/images_test.go b/pkg/apis/pipeline/images_test.go
@@ -13,6 +13,7 @@ func TestValidate(t *testing.T) {
 		GitImage:                 "set",
 		KubeconfigWriterImage:    "set",
 		ShellImage:               "set",
+		ShellImageWin:            "set",
 		GsutilImage:              "set",
 		PRImage:                  "set",
 		ImageDigestExporterImage: "set",
@@ -27,6 +28,7 @@ func TestValidate(t *testing.T) {
 		GitImage:                 "", // unset!
 		KubeconfigWriterImage:    "set",
 		ShellImage:               "", // unset!
+		ShellImageWin:            "set",
 		GsutilImage:              "set",
 		PRImage:                  "", // unset!
 		ImageDigestExporterImage: "set",

diff --git a/pkg/apis/pipeline/v1beta1/task_validation.go b/pkg/apis/pipeline/v1beta1/task_validation.go
@@ -231,6 +231,13 @@ func validateStep(ctx context.Context, s Step, names sets.String) (errs *apis.Fi
 			})
 		}
 	}
+
+	if s.Script != "" {
+		cleaned := strings.TrimSpace(s.Script)
+		if strings.HasPrefix(cleaned, "#!win") {
+			errs = errs.Also(ValidateEnabledAPIFields(ctx, "windows script support", config.AlphaAPIFields).ViaField("script"))
+		}
+	}
 	return errs
 }
 

diff --git a/pkg/apis/pipeline/v1beta1/task_validation_test.go b/pkg/apis/pipeline/v1beta1/task_validation_test.go
@@ -1253,6 +1253,19 @@ func TestIncompatibleAPIVersions(t *testing.T) {
 				},
 			}},
 		},
+	}, {
+		name:            "windows script support requires alpha",
+		requiredVersion: "alpha",
+		spec: v1beta1.TaskSpec{
+			Steps: []v1beta1.Step{{
+				Container: corev1.Container{
+					Image: "my-image",
+				},
+				Script: `
+				#!win powershell -File
+				script-1`,
+			}},
+		},
 	}}
 	versions := []string{"alpha", "stable"}
 	for _, tt := range tests {

diff --git a/pkg/pod/pod.go b/pkg/pod/pod.go
@@ -136,9 +136,9 @@ func (b *Builder) Build(ctx context.Context, taskRun *v1beta1.TaskRun, taskSpec
 	// Convert any steps with Script to command+args.
 	// If any are found, append an init container to initialize scripts.
 	if alphaAPIEnabled {
-		scriptsInit, stepContainers, sidecarContainers = convertScripts(b.Images.ShellImage, steps, taskSpec.Sidecars, taskRun.Spec.Debug)
+		scriptsInit, stepContainers, sidecarContainers = convertScripts(b.Images.ShellImage, b.Images.ShellImageWin, steps, taskSpec.Sidecars, taskRun.Spec.Debug)
 	} else {
-		scriptsInit, stepContainers, sidecarContainers = convertScripts(b.Images.ShellImage, steps, taskSpec.Sidecars, nil)
+		scriptsInit, stepContainers, sidecarContainers = convertScripts(b.Images.ShellImage, "", steps, taskSpec.Sidecars, nil)
 	}
 	if scriptsInit != nil {
 		initContainers = append(initContainers, *scriptsInit)

diff --git a/pkg/pod/script.go b/pkg/pod/script.go
@@ -70,20 +70,28 @@ var (
 )
 
 // convertScripts converts any steps and sidecars that specify a Script field into a normal Container.
-//
-// It does this by prepending a container that writes specified Script bodies
-// to executable files in a shared volumeMount, then produces Containers that
-// simply run those executable files.
-func convertScripts(shellImage string, steps []v1beta1.Step, sidecars []v1beta1.Sidecar, debugConfig *v1beta1.TaskRunDebug) (*corev1.Container, []corev1.Container, []corev1.Container) {
+func convertScripts(shellImageLinux string, shellImageWin string, steps []v1beta1.Step, sidecars []v1beta1.Sidecar, debugConfig *v1beta1.TaskRunDebug) (*corev1.Container, []corev1.Container, []corev1.Container) {
 	placeScripts := false
 	// Place scripts is an init container used for creating scripts in the
 	// /tekton/scripts directory which would be later used by the step containers
 	// as a Command
+	requiresWindows := checkWindowsRequirement(steps, sidecars)
+
+	shellImage := shellImageLinux
+	shellCommand := "sh"
+	shellArg := "-c"
+	// Set windows variants for Image, Command and Args
+	if requiresWindows {
+		shellImage = shellImageWin
+		shellCommand = "pwsh"
+		shellArg = "-Command"
+	}
+
 	placeScriptsInit := corev1.Container{
 		Name:         "place-scripts",
 		Image:        shellImage,
-		Command:      []string{"sh"},
-		Args:         []string{"-c", ""},
+		Command:      []string{shellCommand},
+		Args:         []string{shellArg, ""},
 		VolumeMounts: []corev1.VolumeMount{writeScriptsVolumeMount, toolsMount},
 	}
 
@@ -131,6 +139,7 @@ func convertListOfSteps(steps []v1beta1.Step, initContainer *corev1.Container, p
 		// The shebang must be the first non-empty line.
 		cleaned := strings.TrimSpace(s.Script)
 		hasShebang := strings.HasPrefix(cleaned, "#!")
+		requiresWindows := strings.HasPrefix(cleaned, "#!win")
 
 		script := s.Script
 		if !hasShebang {
@@ -141,26 +150,40 @@ func convertListOfSteps(steps []v1beta1.Step, initContainer *corev1.Container, p
 		// non-nil init container.
 		*placeScripts = true
 
-		script = encodeScript(script)
-
 		// Append to the place-scripts script to place the
 		// script file in a known location in the scripts volume.
 		scriptFile := filepath.Join(scriptsDir, names.SimpleNameGenerator.RestrictLengthWithRandomSuffix(fmt.Sprintf("%s-%d", namePrefix, i)))
-		heredoc := "_EOF_" // underscores because base64 doesnt include them in its alphabet
-		initContainer.Args[1] += fmt.Sprintf(`scriptfile="%s"
+		if requiresWindows {
+			command, args, script, scriptFile := extractWindowsScriptComponents(script, scriptFile)
+			initContainer.Args[1] += fmt.Sprintf(`@"
+%s
+"@ | Out-File -FilePath %s
+`, script, scriptFile)
+
+			steps[i].Command = command
+			// Append existing args field to end of derived args
+			args = append(args, steps[i].Args...)
+			steps[i].Args = args
+		} else {
+			// Only encode the script for linux scripts
+			// The decode-script subcommand of the entrypoint does not work under windows
+			script = encodeScript(script)
+			heredoc := "_EOF_" // underscores because base64 doesnt include them in its alphabet
+			initContainer.Args[1] += fmt.Sprintf(`scriptfile="%s"
 touch ${scriptfile} && chmod +x ${scriptfile}
 cat > ${scriptfile} << '%s'
 %s
 %s
 /tekton/tools/entrypoint decode-script "${scriptfile}"
 `, scriptFile, heredoc, script, heredoc)
 
-		// Set the command to execute the correct script in the mounted
-		// volume.
-		// A previous merge with stepTemplate may have populated
-		// Command and Args, even though this is not normally valid, so
-		// we'll clear out the Args and overwrite Command.
-		steps[i].Command = []string{scriptFile}
+			// Set the command to execute the correct script in the mounted
+			// volume.
+			// A previous merge with stepTemplate may have populated
+			// Command and Args, even though this is not normally valid, so
+			// we'll clear out the Args and overwrite Command.
+			steps[i].Command = []string{scriptFile}
+		}
 		steps[i].VolumeMounts = append(steps[i].VolumeMounts, scriptsVolumeMount)
 
 		// Add debug mounts if breakpoints are present
@@ -207,3 +230,52 @@ cat > ${scriptfile} << '%s'
 func encodeScript(script string) string {
 	return base64.StdEncoding.EncodeToString([]byte(script))
 }
+
+func checkWindowsRequirement(steps []v1beta1.Step, sidecars []v1beta1.Sidecar) bool {
+	// Detect windows shebangs
+	for _, step := range steps {
+		cleaned := strings.TrimSpace(step.Script)
+		if strings.HasPrefix(cleaned, "#!win") {
+			return true
+		}
+	}
+	// If no step needs windows, then check sidecars to be sure
+	for _, sidecar := range sidecars {
+		cleaned := strings.TrimSpace(sidecar.Script)
+		if strings.HasPrefix(cleaned, "#!win") {
+			return true
+		}
+	}
+	return false
+}
+
+func extractWindowsScriptComponents(script string, fileName string) ([]string, []string, string, string) {
+	// Set the command to execute the correct script in the mounted volume.
+	shebangLine := strings.Split(script, "\n")[0]
+	splitLine := strings.Split(shebangLine, " ")
+	var command, args []string
+	if len(splitLine) > 1 {
+		strippedCommand := splitLine[1:]
+		command = strippedCommand[0:1]
+		// Handle legacy powershell limitation
+		if strings.HasPrefix(command[0], "powershell") {
+			fileName += ".ps1"
+		}
+		if len(strippedCommand) > 1 {
+			args = strippedCommand[1:]
+			args = append(args, fileName)
+		} else {
+			args = []string{fileName}
+		}
+	} else {
+		// If no interpreter is specified then strip the shebang and
+		// create a .cmd file
+		fileName += ".cmd"
+		commandLines := strings.Split(script, "\n")[1:]
+		script = strings.Join(commandLines, "\n")
+		command = []string{fileName}
+		args = []string{}
+	}
+
+	return command, args, script, fileName
+}