From 55f0c9eb9b2348935d481d2b26ee70989bdaf85b Mon Sep 17 00:00:00 2001 From: Yftach Herzog Date: Tue, 30 Jul 2024 11:17:24 +0300 Subject: [PATCH] feat(RHTAPWATCH-1011): support custom certificate in buildah The build step already included support for mounting custom ca-bundle. This change introduces similar capabilities also to steps inject-sbom-and-push and upload-sbom. Signed-off-by: Yftach Herzog --- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 16 ++++++++++++++++ .../0.2/buildah-remote-oci-ta.yaml | 16 ++++++++++++++++ task/buildah-remote/0.2/buildah-remote.yaml | 16 ++++++++++++++++ task/buildah/0.2/buildah.yaml | 16 ++++++++++++++++ 4 files changed, 64 insertions(+) diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 3b452f957d..b947622590 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -536,9 +536,20 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true script: | #!/bin/bash set -e + + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) @@ -597,3 +608,8 @@ spec: - cyclonedx - $(params.IMAGE) workingDir: /var/workdir + volumeMounts: + - mountPath: /etc/ssl/certs/ca-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 4518418ca4..887a94213d 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -610,6 +610,14 @@ spec: script: | #!/bin/bash set -e + + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) @@ -660,6 +668,9 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true workingDir: /var/workdir - args: - attach @@ -672,6 +683,11 @@ spec: computeResources: {} image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 name: upload-sbom + volumeMounts: + - mountPath: /etc/ssl/certs/ca-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt workingDir: /var/workdir volumes: - name: activation-key diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 2145728f94..604db60a38 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -592,6 +592,14 @@ spec: script: | #!/bin/bash set -e + + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) @@ -642,6 +650,9 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true workingDir: $(workspaces.source.path) - args: - attach @@ -654,6 +665,11 @@ spec: computeResources: {} image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 name: upload-sbom + volumeMounts: + - mountPath: /etc/ssl/certs/ca-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt workingDir: $(workspaces.source.path) volumes: - emptyDir: {} diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 8498b2571d..1a4da2306a 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -488,6 +488,14 @@ spec: script: | #!/bin/bash set -e + + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) @@ -538,6 +546,9 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - name: trusted-ca + mountPath: /mnt/trusted-ca + readOnly: true workingDir: $(workspaces.source.path) - name: upload-sbom @@ -550,6 +561,11 @@ spec: - --type - cyclonedx - $(params.IMAGE) + volumeMounts: + - name: trusted-ca + mountPath: /etc/ssl/certs/ca-bundle.crt + subPath: ca-bundle.crt + readOnly: true workingDir: $(workspaces.source.path) volumes: