Merge pull request #845 from gbenhaim/git-ca-bundle

RHTAPSRE-405: Custom CA bundle for git-clone
konflux-ci · Mar 5, 2024 · 63e1607 · 63e1607
2 parents da638c3 + 6de9147
commit 63e1607
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/task/git-clone/0.1/git-clone.yaml b/task/git-clone/0.1/git-clone.yaml
@@ -83,6 +83,14 @@ spec:
     description: Fetch all tags for the repo.
     name: fetchTags
     type: string
+  - name: caTrustConfigMapName
+    type: string
+    description: The name of the ConfigMap to read CA bundle data from.
+    default: trusted-ca
+  - name: caTrustConfigMapKey
+    type: string
+    description: The name of the key in the ConfigMap that contains the CA bundle data.
+    default: ca-bundle.crt
   results:
   - description: The precise commit SHA that was fetched by this Task.
     name: commit
@@ -139,10 +147,20 @@ spec:
     computeResources: {}
     securityContext:
       runAsUser: 0
+    volumeMounts:
+      - name: trusted-ca
+        mountPath: /mnt/trusted-ca
+        readOnly: true
     script: |
       #!/usr/bin/env sh
       set -eu
 
+      ca_bundle=/mnt/trusted-ca/ca-bundle.crt
+      if [ -f "$ca_bundle" ]; then
+        echo "INFO: Using mounted CA bundle: $ca_bundle"
+        git config --global http.sslCAInfo "$ca_bundle"
+      fi
+
       if [ "${PARAM_VERBOSE}" = "true" ] ; then
         set -x
       fi
@@ -277,3 +295,11 @@ spec:
       Secret to this Workspace over other volume types.
     name: basic-auth
     optional: true
+  volumes:
+    - name: trusted-ca
+      configMap:
+        name: $(params.caTrustConfigMapName)
+        items:
+          - key: $(params.caTrustConfigMapKey)
+            path: ca-bundle.crt
+        optional: true