From 8ef772b095ce4eaf7f058dfd185255847ee9b9f6 Mon Sep 17 00:00:00 2001 From: Yftach Herzog Date: Mon, 12 Aug 2024 13:23:19 +0300 Subject: [PATCH] feat(RHTAPWATCH-1177): support custom certificate in sbom-json-check Support mounting a custom ca-bundle to allow the sbom-json-check task to use a registry with a self-signed certificate. Signed-off-by: Yftach Herzog --- pipelines/docker-build-oci-ta/README.md | 2 ++ pipelines/docker-build/README.md | 2 ++ pipelines/fbc-builder/README.md | 2 ++ pipelines/java-builder/README.md | 2 ++ pipelines/nodejs-builder/README.md | 2 ++ pipelines/tekton-bundle-builder/README.md | 2 ++ task/sbom-json-check/0.1/README.md | 10 ++++++---- task/sbom-json-check/0.1/sbom-json-check.yaml | 19 +++++++++++++++++++ 8 files changed, 37 insertions(+), 4 deletions(-) diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index 7a20ef30a5..2285e7cf9d 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md @@ -134,6 +134,8 @@ ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 640d12e5f2..8807a6a4a8 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md @@ -128,6 +128,8 @@ ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters diff --git a/pipelines/fbc-builder/README.md b/pipelines/fbc-builder/README.md index b7a9cfe3ae..8443e05123 100644 --- a/pipelines/fbc-builder/README.md +++ b/pipelines/fbc-builder/README.md @@ -108,6 +108,8 @@ ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters diff --git a/pipelines/java-builder/README.md b/pipelines/java-builder/README.md index 717abbe45a..1341ae5ed6 100644 --- a/pipelines/java-builder/README.md +++ b/pipelines/java-builder/README.md @@ -112,6 +112,8 @@ ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters diff --git a/pipelines/nodejs-builder/README.md b/pipelines/nodejs-builder/README.md index 696fb57114..8c61c6843d 100644 --- a/pipelines/nodejs-builder/README.md +++ b/pipelines/nodejs-builder/README.md @@ -113,6 +113,8 @@ ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md index 0f7d36f8b0..f184060dd9 100644 --- a/pipelines/tekton-bundle-builder/README.md +++ b/pipelines/tekton-bundle-builder/README.md @@ -86,6 +86,8 @@ ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| ### summary:0.2 task parameters diff --git a/task/sbom-json-check/0.1/README.md b/task/sbom-json-check/0.1/README.md index 474920e769..5bd5a8223b 100644 --- a/task/sbom-json-check/0.1/README.md +++ b/task/sbom-json-check/0.1/README.md @@ -8,10 +8,12 @@ The syntax of the sbom-cyclonedx.json file (found in the `/root/buildinfo/conten ## Params: -| name | description | -|--------------|---------------------------------------| -| IMAGE_URL | Fully qualified image name to verify. | -| IMAGE_DIGEST | Image digest. | +| name | description | default | +|--------------------------|------------------------------------------------------------------------|---------------| +| IMAGE_URL | Fully qualified image name to verify. | None | +| IMAGE_DIGEST | Image digest. | None | +| CA_TRUST_CONFIG_MAP_NAME | The name of the ConfigMap to read CA bundle data from. | trusted-ca | +| CA_TRUST_CONFIG_MAP_KEY | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | ## Results: diff --git a/task/sbom-json-check/0.1/sbom-json-check.yaml b/task/sbom-json-check/0.1/sbom-json-check.yaml index beacc75306..8bc1176537 100644 --- a/task/sbom-json-check/0.1/sbom-json-check.yaml +++ b/task/sbom-json-check/0.1/sbom-json-check.yaml @@ -13,6 +13,14 @@ spec: - name: IMAGE_DIGEST description: Image digest. type: string + - name: CA_TRUST_CONFIG_MAP_NAME + type: string + description: The name of the ConfigMap to read CA bundle data from. + default: trusted-ca + - name: CA_TRUST_CONFIG_MAP_KEY + type: string + description: The name of the key in the ConfigMap that contains the CA bundle data. + default: ca-bundle.crt results: - description: Tekton task test output. name: TEST_OUTPUT @@ -31,6 +39,10 @@ spec: volumeMounts: - mountPath: /shared name: shared + - name: trusted-ca + mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + subPath: ca-bundle.crt + readOnly: true env: - name: IMAGE_URL value: $(params.IMAGE_URL) @@ -114,3 +126,10 @@ spec: volumes: - name: shared emptyDir: {} + - name: trusted-ca + configMap: + name: $(params.CA_TRUST_CONFIG_MAP_NAME) + items: + - key: $(params.CA_TRUST_CONFIG_MAP_KEY) + path: ca-bundle.crt + optional: true