feat(RHTAPWATCH-1019): support custom certificate in show-sbom

Support mounting a custom ca-bundle to allow the show-sbom task to use a registry with a self-signed certificate. Signed-off-by: Yftach Herzog <[email protected]>
konflux-ci · Jul 30, 2024 · 72bfec2 · 72bfec2
1 parent 50de0a7
commit 72bfec2
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/task/show-sbom/0.1/README.md b/task/show-sbom/0.1/README.md
@@ -11,4 +11,5 @@ If PLATFORM is empty and the image is multi-arch, the task defaults to 'linux/am
 |-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|-----------|
 | IMAGE_URL | Fully qualified image name to show SBOM for.                                                                                                                                                              |               | true      |
 | PLATFORM  | Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64". | linux/amd64   | false     |
-
+|CA_TRUST_CONFIG_MAP_NAME|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
+|CA_TRUST_CONFIG_MAP_KEY|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
diff --git a/task/show-sbom/0.1/show-sbom.yaml b/task/show-sbom/0.1/show-sbom.yaml
@@ -20,6 +20,14 @@ spec:
         refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".
       type: string
       default: "linux/amd64"
+    - name: CA_TRUST_CONFIG_MAP_NAME
+      type: string
+      description: The name of the ConfigMap to read CA bundle data from.
+      default: trusted-ca
+    - name: CA_TRUST_CONFIG_MAP_KEY
+      type: string
+      description: The name of the key in the ConfigMap that contains the CA bundle data.
+      default: ca-bundle.crt
   steps:
   - name: show-sbom
     image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
@@ -68,3 +76,15 @@ spec:
       else
         download_sbom_with_retry " --platform=$PLATFORM "
       fi
+    volumeMounts:
+    - name: trusted-ca
+      mountPath: /etc/ssl/certs
+      readOnly: true
+  volumes:
+  - name: trusted-ca
+    configMap:
+      name: $(params.CA_TRUST_CONFIG_MAP_NAME)
+      items:
+        - key: $(params.CA_TRUST_CONFIG_MAP_KEY)
+          path: ca-bundle.crt
+      optional: true