From 4bb57bb518b2a5473574cfdc292a32eb2c18c1b7 Mon Sep 17 00:00:00 2001 From: Yftach Herzog Date: Thu, 8 Aug 2024 10:15:17 +0300 Subject: [PATCH] feat(RHTAPWATCH-1172): support custom cert in deprecated-image-check Support mounting a custom ca-bundle to allow the deprecated-image-check task to use a registry with a self-signed certificate. Signed-off-by: Yftach Herzog --- pipelines/docker-build-oci-ta/README.md | 2 ++ pipelines/docker-build/README.md | 2 ++ pipelines/fbc-builder/README.md | 2 ++ pipelines/java-builder/README.md | 2 ++ pipelines/nodejs-builder/README.md | 2 ++ task/deprecated-image-check/0.4/README.md | 16 +++++++------- .../0.4/deprecated-image-check.yaml | 21 +++++++++++++++++++ 7 files changed, 40 insertions(+), 7 deletions(-) diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index f2cb3d4a15..ad77f97716 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md @@ -68,6 +68,8 @@ |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGES_DIGESTS| Digests of base build images.| | | +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 176808661f..1fb8c47478 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md @@ -66,6 +66,8 @@ |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGES_DIGESTS| Digests of base build images.| | | +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | diff --git a/pipelines/fbc-builder/README.md b/pipelines/fbc-builder/README.md index 8443e05123..3e812a1b76 100644 --- a/pipelines/fbc-builder/README.md +++ b/pipelines/fbc-builder/README.md @@ -52,6 +52,8 @@ |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGES_DIGESTS| Digests of base build images.| | | +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | diff --git a/pipelines/java-builder/README.md b/pipelines/java-builder/README.md index bbb67c0b1d..177706060c 100644 --- a/pipelines/java-builder/README.md +++ b/pipelines/java-builder/README.md @@ -38,6 +38,8 @@ |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGES_DIGESTS| Digests of base build images.| | | +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | diff --git a/pipelines/nodejs-builder/README.md b/pipelines/nodejs-builder/README.md index 7f9caa1ab6..26750ad366 100644 --- a/pipelines/nodejs-builder/README.md +++ b/pipelines/nodejs-builder/README.md @@ -38,6 +38,8 @@ |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGES_DIGESTS| Digests of base build images.| | | +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | diff --git a/task/deprecated-image-check/0.4/README.md b/task/deprecated-image-check/0.4/README.md index 6302046aea..591a0b837f 100644 --- a/task/deprecated-image-check/0.4/README.md +++ b/task/deprecated-image-check/0.4/README.md @@ -10,13 +10,15 @@ in a high-level declarative language called Rego. ## Params -| name | description | -|---------------------|-------------------------------------------------| -| POLICY_DIR | Path to directory containing Conftest policies. | -| POLICY_NAMESPACE | Namespace for Conftest policy. | -| BASE_IMAGES_DIGESTS | (Optional) Digests of base build images. | -| IMAGE_DIGEST | Image digest. | -| IMAGE_URL | Fully qualified image name. | +| name | description | default | +|-------------------------|-------------------------------------------------|-| +| POLICY_DIR | Path to directory containing Conftest policies. | /project/repository/ | +| POLICY_NAMESPACE | Namespace for Conftest policy. | required_checks | +| BASE_IMAGES_DIGESTS | (Optional) Digests of base build images. | | +| IMAGE_DIGEST | Image digest. | None | +| IMAGE_URL | Fully qualified image name. | None | +| CA_TRUST_CONFIG_MAP_NAME|The name of the ConfigMap to read CA bundle data from.| trusted-ca | +| CA_TRUST_CONFIG_MAP_KEY |The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt | ## Results diff --git a/task/deprecated-image-check/0.4/deprecated-image-check.yaml b/task/deprecated-image-check/0.4/deprecated-image-check.yaml index fa68e9ad3d..2e0f5eec72 100644 --- a/task/deprecated-image-check/0.4/deprecated-image-check.yaml +++ b/task/deprecated-image-check/0.4/deprecated-image-check.yaml @@ -26,6 +26,14 @@ spec: description: Fully qualified image name. - name: IMAGE_DIGEST description: Image digest. + - name: CA_TRUST_CONFIG_MAP_NAME + type: string + description: The name of the ConfigMap to read CA bundle data from. + default: trusted-ca + - name: CA_TRUST_CONFIG_MAP_KEY + type: string + description: The name of the key in the ConfigMap that contains the CA bundle data. + default: ca-bundle.crt results: - description: Tekton task test output. name: TEST_OUTPUT @@ -175,3 +183,16 @@ spec: echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path) echo "${images_processed_template/\[%s]/[$digests_processed_string]}" | tee $(results.IMAGES_PROCESSED.path) + volumeMounts: + - name: trusted-ca + mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + subPath: ca-bundle.crt + readOnly: true + volumes: + - name: trusted-ca + configMap: + name: $(params.CA_TRUST_CONFIG_MAP_NAME) + items: + - key: $(params.CA_TRUST_CONFIG_MAP_KEY) + path: ca-bundle.crt + optional: true