feat(RHTAPWATCH-1172): support custom cert in deprecated-image-check
Support mounting a custom ca-bundle to allow the deprecated-image-check
task to use a registry with a self-signed certificate.

Signed-off-by: Yftach Herzog <[email protected]>
yftacherzog authored and chmeliik committed Aug 14, 2024
1 parent 935188b commit 4bb57bb
Showing 7 changed files with 40 additions and 7 deletions.
2 changes: 2 additions & 0 deletions pipelines/docker-build-oci-ta/README.md
Expand Up @@ -68,6 +68,8 @@
|name|description|default value|already set by|
|---|---|---|---|
|BASE_IMAGES_DIGESTS| Digests of base build images.| | |
|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'|
|POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| |
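Review bot: neither CA_TRUST_CONFIG_MAP_NAME nor CA_TRUST_CONFIG_MAP_KEY gets a value in the "already set by" column, and this commit touches no pipeline YAML (the 7 changed files are six READMEs and the task definition), so a pipeline user whose CA ConfigMap is not named `trusted-ca` with key `ca-bundle.crt` has no pipeline-level parameter to override the task defaults. Either wire a pipeline param through to the task or state in the README that the pipeline always uses the task defaults. The identical table change is repeated in the other four pipeline READMEs below, so the same remark applies to each of them.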
2 changes: 2 additions & 0 deletions pipelines/docker-build/README.md
Expand Up @@ -66,6 +66,8 @@
|name|description|default value|already set by|
|---|---|---|---|
|BASE_IMAGES_DIGESTS| Digests of base build images.| | |
|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'|
|POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| |
2 changes: 2 additions & 0 deletions pipelines/fbc-builder/README.md
Expand Up @@ -52,6 +52,8 @@
|name|description|default value|already set by|
|---|---|---|---|
|BASE_IMAGES_DIGESTS| Digests of base build images.| | |
|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'|
|POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| |
2 changes: 2 additions & 0 deletions pipelines/java-builder/README.md
Expand Up @@ -38,6 +38,8 @@
|name|description|default value|already set by|
|---|---|---|---|
|BASE_IMAGES_DIGESTS| Digests of base build images.| | |
|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'|
|POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| |
2 changes: 2 additions & 0 deletions pipelines/nodejs-builder/README.md
Expand Up @@ -38,6 +38,8 @@
|name|description|default value|already set by|
|---|---|---|---|
|BASE_IMAGES_DIGESTS| Digests of base build images.| | |
|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'|
|POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| |
16 changes: 9 additions & 7 deletions task/deprecated-image-check/0.4/README.md
Expand Up @@ -10,13 +10,15 @@ in a high-level declarative language called Rego.

## Params

| name | description |
|---------------------|-------------------------------------------------|
| POLICY_DIR | Path to directory containing Conftest policies. |
| POLICY_NAMESPACE | Namespace for Conftest policy. |
| BASE_IMAGES_DIGESTS | (Optional) Digests of base build images. |
| IMAGE_DIGEST | Image digest. |
| IMAGE_URL | Fully qualified image name. |
| name | description | default |
|-------------------------|-------------------------------------------------|-|
| POLICY_DIR | Path to directory containing Conftest policies. | /project/repository/ |
| POLICY_NAMESPACE | Namespace for Conftest policy. | required_checks |
| BASE_IMAGES_DIGESTS | (Optional) Digests of base build images. | |
| IMAGE_DIGEST | Image digest. | None |
| IMAGE_URL | Fully qualified image name. | None |
| CA_TRUST_CONFIG_MAP_NAME|The name of the ConfigMap to read CA bundle data from.| trusted-ca |
| CA_TRUST_CONFIG_MAP_KEY |The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt |

## Results

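Review bot: the two new rows (`| CA_TRUST_CONFIG_MAP_NAME|The name of the ConfigMap ...`) drop the cell padding the other rows use, and the new "default" column is inconsistent in meaning: `None` for IMAGE_DIGEST and IMAGE_URL (which have no default in the task YAML and are therefore required), an empty cell for BASE_IMAGES_DIGESTS (which is marked "(Optional)" in its description), and real values for the rest. Suggest padding the new rows to match, writing `(required)` instead of `None`, and marking the two CA params as optional in their description the way BASE_IMAGES_DIGESTS is, since their defaults are what make them optional for existing callers. The `|-|` separator for the third column renders fine but could be widened for readability alongside the others.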
21 changes: 21 additions & 0 deletions task/deprecated-image-check/0.4/deprecated-image-check.yaml
Expand Up @@ -26,6 +26,14 @@ spec:
description: Fully qualified image name.
- name: IMAGE_DIGEST
description: Image digest.
- name: CA_TRUST_CONFIG_MAP_NAME
type: string
description: The name of the ConfigMap to read CA bundle data from.
default: trusted-ca
- name: CA_TRUST_CONFIG_MAP_KEY
type: string
description: The name of the key in the ConfigMap that contains the CA bundle data.
default: ca-bundle.crt
results:
- description: Tekton task test output.
name: TEST_OUTPUT
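Review bot: the defaults `trusted-ca` and `ca-bundle.crt` are what keep this change backwards compatible for pipelines that do not pass the new params, which is fine, but that also means a cluster that happens to have a ConfigMap named `trusted-ca` in the namespace will now have its contents mounted into the task with no opt-in; worth a sentence in the README so users know the default name is active by default. Minor style point: these two params declare `type: string` while the neighbouring IMAGE_URL and IMAGE_DIGEST params do not; either is valid since string is Tekton's default, but the task should pick one convention.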
Expand Down Expand Up @@ -175,3 +183,16 @@ spec:
echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path)
echo "${images_processed_template/\[%s]/[$digests_processed_string]}" | tee $(results.IMAGES_PROCESSED.path)
volumeMounts:
- name: trusted-ca
mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
subPath: ca-bundle.crt
readOnly: true
volumes:
- name: trusted-ca
configMap:
name: $(params.CA_TRUST_CONFIG_MAP_NAME)
items:
- key: $(params.CA_TRUST_CONFIG_MAP_KEY)
path: ca-bundle.crt
optional: true
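Review bot: the mount only helps if the tool in this step actually reads an extra file under `/etc/pki/tls/certs/`; Go-based tooling loads every file in that directory, whereas OpenSSL-based tooling only finds the system bundle or hash-named files, so a comment next to `mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt` (or a line in the README) saying which tool consumes the custom bundle would save the next reader from having to verify that. `readOnly: true` is good, and `optional: true` on the ConfigMap volume means a missing or misnamed ConfigMap fails silently as plain TLS verification errors against the registry rather than a mount error; consider logging whether `/etc/pki/tls/certs/ca-custom-bundle.crt` exists at the start of the step so that misconfiguration is visible in the task log.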
