From 86ae5073365286e3d0a37f7a304f4804dc79729f Mon Sep 17 00:00:00 2001
From: Yftach Herzog
Date: Thu, 15 Aug 2024 15:33:04 +0300
Subject: [PATCH] feat(RHTAPWATCH-1180): support custom certificate in clamav-scan

Support mounting a custom ca-bundle to allow the clamav-scan task to use a registry with a self-signed certificate.

Signed-off-by: Yftach Herzog
---
 pipelines/docker-build-oci-ta/README.md | 2 ++
 pipelines/docker-build/README.md | 2 ++
 pipelines/java-builder/README.md | 2 ++
 pipelines/nodejs-builder/README.md | 2 ++
 task/clamav-scan/0.1/README.md | 12 +++++++-----
 task/clamav-scan/0.1/clamav-scan.yaml | 19 +++++++++++++++++++
 6 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md
index ce5b227a4a..af06676dab 100644
--- a/pipelines/docker-build-oci-ta/README.md
+++ b/pipelines/docker-build-oci-ta/README.md
@@ -63,6 +63,8 @@
 ### clamav-scan:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |docker-auth| unused| | |
 |image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
 |image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'|
diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md
index 2f79684ae5..3ee59862c2 100644
--- a/pipelines/docker-build/README.md
+++ b/pipelines/docker-build/README.md
@@ -61,6 +61,8 @@
 ### clamav-scan:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |docker-auth| unused| | |
 |image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
 |image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'|
diff --git a/pipelines/java-builder/README.md b/pipelines/java-builder/README.md
index 9ad536a989..cbd47c017b 100644
--- a/pipelines/java-builder/README.md
+++ b/pipelines/java-builder/README.md
@@ -33,6 +33,8 @@
 ### clamav-scan:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |docker-auth| unused| | |
 |image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
 |image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'|
diff --git a/pipelines/nodejs-builder/README.md b/pipelines/nodejs-builder/README.md
index a843dd426f..fa96efa0ac 100644
--- a/pipelines/nodejs-builder/README.md
+++ b/pipelines/nodejs-builder/README.md
@@ -33,6 +33,8 @@
 ### clamav-scan:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |docker-auth| unused| | |
 |image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
 |image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'|
diff --git a/task/clamav-scan/0.1/README.md b/task/clamav-scan/0.1/README.md index ca1efa8d37..e0cd236ab4 100644 --- a/task/clamav-scan/0.1/README.md +++ b/task/clamav-scan/0.1/README.md @@ -7,11 +7,13 @@ The task will extract compiled code to compare it against the latest virus datab ## Params: -| name | description | -|--------------|----------------------------------------------------------------| -| image-digest | Image digest to scan. | -| image-url | Image URL. | -| docker-auth | Unused, should be removed in next task version. | +| name | description | default | +|--------------------------|------------------------------------------------------------------------|---------------| +| image-digest | Image digest to scan. | None | +| image-url | Image URL. | None | +| docker-auth | Unused, should be removed in next task version. | | +| ca-trust-config-map-name | The name of the ConfigMap to read CA bundle data from. | trusted-ca | +| ca-trust-config-map-key | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | ## Results: diff --git a/task/clamav-scan/0.1/clamav-scan.yaml b/task/clamav-scan/0.1/clamav-scan.yaml index 941a9defe2..04541535a2 100644 --- a/task/clamav-scan/0.1/clamav-scan.yaml +++ b/task/clamav-scan/0.1/clamav-scan.yaml @@ -23,6 +23,14 @@ spec: - name: docker-auth description: unused default: "" + - name: ca-trust-config-map-name + type: string + description: The name of the ConfigMap to read CA bundle data from. + default: trusted-ca + - name: ca-trust-config-map-key + type: string + description: The name of the key in the ConfigMap that contains the CA bundle data. + default: ca-bundle.crt steps: - name: extract-and-scan-image 
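Review bot: The two new parameter descriptions say where the bundle is read from but not what it is used for or that the lookup is optional, and that matters because the default `trusted-ca` is resolved silently: a ConfigMap of that name in the pipeline namespace becomes a trusted TLS CA for the step's registry access, while a missing one leaves the image's default trust store in place without any error. Suggest `description: Name of the ConfigMap holding a PEM CA bundle that the scan step trusts for registry TLS. Optional; if absent, the image's default trust store is used.` for ca-trust-config-map-name, and for ca-trust-config-map-key add that the key's contents are mounted as /etc/pki/tls/certs/ca-custom-bundle.crt. The enclosing task spec continues outside this hunk.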
@@ -143,6 +151,10 @@ spec: name: dbfolder - mountPath: /work name: work + - name: trusted-ca + mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + subPath: ca-bundle.crt + readOnly: true - name: upload image: quay.io/konflux-ci/oras:latest@sha256:f4b891ee3038a5f13cd92ff4f473faad5601c2434d1c6b9bccdfc134d9d5f820 computeResources: @@ -205,3 +217,10 @@ spec: emptyDir: {} - name: work emptyDir: {} + - name: trusted-ca + configMap: + name: $(params.ca-trust-config-map-name) + items: + - key: $(params.ca-trust-config-map-key) + path: ca-bundle.crt + optional: true
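Review bot: The trusted-ca volumeMount is added only to the extract-and-scan-image step; the upload step that follows in this hunk runs the oras image and so presumably also talks to the registry, yet I see no matching volumeMount for it here, so pushing scan results to a registry with a self-signed certificate would still fail TLS verification. If that step contacts the same registry, duplicate the four-line trusted-ca mount (mountPath /etc/pki/tls/certs/ca-custom-bundle.crt, subPath ca-bundle.crt, readOnly) under its volumeMounts, or document why it is not needed. Note also that placing a file in /etc/pki/tls/certs is only picked up by clients that scan that directory (Go's crypto/x509 does; OpenSSL-based tools expect hashed names or an update-ca-trust run), and since the step script is outside this hunk I could not confirm which tools in the step rely on it; a comment such as `# picked up by Go TLS clients, which load every file in /etc/pki/tls/certs` would record the assumption.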
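Review bot: With `optional: true` and a subPath mount of a single key, a missing or misnamed ConfigMap does not fail the TaskRun but, as far as I recall of kubelet's subPath handling, leaves an empty directory at /etc/pki/tls/certs/ca-custom-bundle.crt rather than no file, so the task quietly proceeds against the registry without the intended CA. The volume definition cannot surface that by itself; a `[ -f /etc/pki/tls/certs/ca-custom-bundle.crt ]` check with an informational log line in the step script (outside this hunk) would make a mistyped ConfigMap name visible. A short comment on the volume, `# optional so pipelines without a custom CA keep working; a misnamed ConfigMap is not an error`, would also help the next reader understand the failure mode.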