From e55a8e320ce8f61c547158062ca53437aa78630c Mon Sep 17 00:00:00 2001
From: gbenhaim
Date: Wed, 28 Feb 2024 13:52:22 +0200
Subject: [PATCH] RHTAPSRE-405: Custom CA bundle for git-clone

Support custom CA bundle in the git-clone task. Required when cloning using HTTPs from an SCM that has self-signed certificate.

Signed-off-by: gbenhaim
---
 task/git-clone/0.1/git-clone.yaml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/task/git-clone/0.1/git-clone.yaml b/task/git-clone/0.1/git-clone.yaml
index 576f72f520..e9ac176ead 100644
--- a/task/git-clone/0.1/git-clone.yaml
+++ b/task/git-clone/0.1/git-clone.yaml
@@ -83,6 +83,14 @@ spec:
 description: Fetch all tags for the repo.
 name: fetchTags
 type: string
+ - name: caTrustConfigMapName
+ type: string
+ description: The name of the ConfigMap to read CA bundle data from.
+ default: trusted-ca
+ - name: caTrustConfigMapKey
+ type: string
+ description: The name of the key in the ConfigMap that contains the CA bundle data.
+ default: ca-bundle.crt
 results:
 - description: The precise commit SHA that was fetched by this Task.
 name: commit
@@ -139,10 +147,20 @@ spec:
 computeResources: {}
 securityContext:
 runAsUser: 0
+ volumeMounts:
+ - name: trusted-ca
+ mountPath: /mnt/trusted-ca
+ readOnly: true
 script: |
 #!/usr/bin/env sh
 set -eu
+ ca_bundle=/mnt/trusted-ca/ca-bundle.crt
+ if [ -f "$ca_bundle" ]; then
+ echo "INFO: Using mounted CA bundle: $ca_bundle"
+ git config --global http.sslCAInfo "$ca_bundle"
+ fi
+
 if [ "${PARAM_VERBOSE}" = "true" ] ; then
 set -x
 fi
@@ -277,3 +295,11 @@ spec:
 Secret to this Workspace over other volume types.
 name: basic-auth
 optional: true
+ volumes:
+ - name: trusted-ca
+ configMap:
+ name: $(params.caTrustConfigMapName)
+ items:
+ - key: $(params.caTrustConfigMapKey)
+ path: ca-bundle.crt
+ optional: true
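Review bot: The descriptions of `caTrustConfigMapName` and `caTrustConfigMapKey` in the first hunk do not say what the bundle does to certificate verification, which is the part a pipeline author needs. Going by the script change later in this patch, the file is handed to git as `http.sslCAInfo`, which git uses as its CA file for HTTPS in place of the default bundle, so a ConfigMap holding only a private CA would presumably stop clones from publicly signed hosts. I would extend the first description to something like `The name of the ConfigMap to read CA bundle data from. The bundle is used as git's CA file for HTTPS clones; if the ConfigMap or key is absent the default trust store is used.` As a style point, the new entries list `name` first while the neighbouring `fetchTags` entry lists `description` first; one ordering across the params list reads better.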
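Review bot: The `[ -f "$ca_bundle" ]` guard in the added script lines of the second hunk also passes for a zero-length file, which is what the mount would hold if the ConfigMap key exists but carries no data yet; git would then verify against a file with no trust anchors and HTTPS clones would fail with a certificate error that does not point at the bundle. `if [ -s "$ca_bundle" ]; then` leaves the default store in place in that case. The setting is also written with `--global`, i.e. into the gitconfig under `$HOME`, and the rest of the script lies outside this hunk; if the clone later runs with a different `HOME` or user the setting would not apply, whereas `export GIT_SSL_CAINFO="$ca_bundle"` stays with the step's environment. An `else` branch that logs that no custom bundle was found would make a mistyped ConfigMap name visible in the task log.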
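Review bot: The `trusted-ca` volume in the last hunk makes a namespace ConfigMap, selected by two task parameters, the trust root for the source checkout, and nothing in the task records that. Whoever can edit that ConfigMap or set `caTrustConfigMapName` on the TaskRun decides which CAs the clone accepts, so it deserves a comment such as `# Trust root for HTTPS clones: keep write access to this ConfigMap restricted to platform admins.` above the volume. `optional: true` is a reasonable choice here because a missing ConfigMap falls back to the default store rather than disabling verification. The literal `ca-bundle.crt` in `path` has to stay in step with the `ca_bundle` path hard-coded in the script hunk; a short comment linking the two would prevent a silent mismatch.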