chore(KFLUXVNGD-148): Add custom certificate support for git clone task

Add param to support the custom certificate support for git-clone-oci-ta task to connect to internal registry. Jira-Url: https://issues.redhat.com/browse/KFLUXVNGD-155 Signed-off-by: Homaja Marisetty <[email protected]>
konflux-ci · Jan 21, 2025 · 8ab3727 · 8ab3727
1 parent a07704d
commit 8ab3727
Show file tree

Hide file tree

Showing 28 changed files with 141 additions and 1 deletion.
diff --git a/task-generator/trusted-artifacts/golden/buildah/ta.yaml b/task-generator/trusted-artifacts/golden/buildah/ta.yaml
@@ -136,6 +136,11 @@ spec:
       - use
       - $(params.SOURCE_ARTIFACT)=/var/workdir/source
       - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+    volumeMounts:
+      - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+        name: trusted-ca
+        readOnly: true
+        subPath: ca-bundle.crt
   - image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
     name: build
     computeResources:

diff --git a/task-generator/trusted-artifacts/golden/git-clone/ta.yaml b/task-generator/trusted-artifacts/golden/git-clone/ta.yaml
@@ -265,6 +265,10 @@ spec:
     volumeMounts:
       - name: workdir
         mountPath: /var/workdir
+      - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+        name: trusted-ca
+        readOnly: true
+        subPath: ca-bundle.crt
     args:
       - create
       - --store

diff --git a/task-generator/trusted-artifacts/golden/prefetch-dependencies/ta.yaml b/task-generator/trusted-artifacts/golden/prefetch-dependencies/ta.yaml
@@ -78,6 +78,11 @@ spec:
     args:
       - use
       - $(params.SOURCE_ARTIFACT)=/var/workdir/source
+    volumeMounts:
+      - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+        name: trusted-ca
+        readOnly: true
+        subPath: ca-bundle.crt
   - image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8
     name: prefetch-dependencies
     env:

diff --git a/task-generator/trusted-artifacts/golden/sast-snyk-check/ta.yaml b/task-generator/trusted-artifacts/golden/sast-snyk-check/ta.yaml
@@ -62,6 +62,11 @@ spec:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: sast-snyk-check
       image: quay.io/konflux-ci/konflux-test:v1.4.0@sha256:54d49b37c9a2e280d42961a57e4f7a16c171d6b065559f1329b548db85300bea
       workingDir: /var/workdir/source

diff --git a/task-generator/trusted-artifacts/golden/source-build/ta.yaml b/task-generator/trusted-artifacts/golden/source-build/ta.yaml
@@ -58,6 +58,11 @@ spec:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: get-base-images
       image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
       env:

diff --git a/task-generator/trusted-artifacts/recipe.go b/task-generator/trusted-artifacts/recipe.go
@@ -24,6 +24,7 @@ type Recipe struct {
 	AddResult          []pipeline.TaskResult `json:"addResult"`
 	AddVolume          []core.Volume         `json:"addVolume"`
 	AddVolumeMount     []core.VolumeMount    `json:"addVolumeMount"`
+	AddTAVolumeMount   []core.VolumeMount      `json:"addTAVolumeMount"`
 	Base               string                `json:"base"`
 	Description        string                `json:"description"`
 	DisplaySuffix      string                `json:"displaySuffix"`

diff --git a/task-generator/trusted-artifacts/ta.go b/task-generator/trusted-artifacts/ta.go
@@ -159,9 +159,19 @@ func perform(task *pipeline.Task, recipe *Recipe) error {
 		Name:      "workdir",
 		MountPath: "/var/workdir",
 	}
+	trustedVolumeMount := core.VolumeMount{
+		Name:      "trusted-ca",
+		MountPath: "/etc/pki/tls/certs/ca-custom-bundle.crt",
+		SubPath:   "ca-bundle.crt",
+		ReadOnly:  true,
+	}
+
 	if len(recipe.AddVolumeMount) == 0 {
 		recipe.AddVolumeMount = []core.VolumeMount{workdirVolumeMount}
 	}
+	if len(recipe.AddTAVolumeMount) == 0 {
+		recipe.AddTAVolumeMount = []core.VolumeMount{trustedVolumeMount}
+	}
 
 	removeEnv := func(env *[]string) func(core.EnvVar) bool {
 		return func(e core.EnvVar) bool {
@@ -308,6 +318,7 @@ func perform(task *pipeline.Task, recipe *Recipe) error {
 			Name:  "use-trusted-artifact",
 			Image: image,
 			Args:  args,
+			VolumeMounts: recipe.AddTAVolumeMount,
 		}}, task.Spec.Steps...)
 	}
 	if recipe.createSource || recipe.createCachi2 {
@@ -348,7 +359,7 @@ func perform(task *pipeline.Task, recipe *Recipe) error {
 		}
 
 		if task.Spec.StepTemplate == nil && !recipe.PreferStepTemplate {
-			create.VolumeMounts = []core.VolumeMount{workdirVolumeMount}
+			create.VolumeMounts = append([]core.VolumeMount{workdirVolumeMount}, recipe.AddTAVolumeMount...)
 		}
 		task.Spec.Steps = append(task.Spec.Steps, create)
 	}

diff --git a/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml b/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml
@@ -93,6 +93,11 @@ spec:
       args:
         - use
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: prepare
       image: quay.io/konflux-ci/appstudio-utils@sha256:426143910a9fe57a340143f8c19f1ad8e7103749be84096c3faacc20b260b15a
       workingDir: /var/workdir

diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
@@ -220,6 +220,11 @@ spec:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: build
       image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
       args:

diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -246,6 +246,11 @@ spec:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: build
       image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
       args:

diff --git a/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml
@@ -239,6 +239,11 @@ spec:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: build
       image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
       args:

diff --git a/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml b/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml
@@ -56,6 +56,11 @@ spec:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: coverity-availability-check
       image: quay.io/konflux-ci/konflux-test:v1.4.11@sha256:540f795828852c90ec8f7d1b7b5e66e88700dc3dfe45d9cad7e2b8f64217bea8
       workingDir: /var/workdir/source

diff --git a/task/fbc-fips-check-oci-ta/0.1/fbc-fips-check-oci-ta.yaml b/task/fbc-fips-check-oci-ta/0.1/fbc-fips-check-oci-ta.yaml
@@ -40,6 +40,11 @@ spec:
       args:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: get-unique-related-images
       image: quay.io/redhat-appstudio/konflux-test:v1.4.11@sha256:540f795828852c90ec8f7d1b7b5e66e88700dc3dfe45d9cad7e2b8f64217bea8
       env:

diff --git a/task/fips-operator-bundle-check-oci-ta/0.1/fips-operator-bundle-check-oci-ta.yaml b/task/fips-operator-bundle-check-oci-ta/0.1/fips-operator-bundle-check-oci-ta.yaml
@@ -50,6 +50,11 @@ spec:
       args:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: get-unique-related-images
       image: quay.io/redhat-appstudio/konflux-test:v1.4.11@sha256:540f795828852c90ec8f7d1b7b5e66e88700dc3dfe45d9cad7e2b8f64217bea8
       env:

diff --git a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
@@ -307,6 +307,10 @@ spec:
       volumeMounts:
         - mountPath: /var/workdir
           name: workdir
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
       env:
         - name: IMAGE_EXPIRES_AFTER
           value: $(params.ociArtifactExpiresAfter)

diff --git a/task/git-clone-oci-ta/0.1/recipe.yaml b/task/git-clone-oci-ta/0.1/recipe.yaml
@@ -9,6 +9,11 @@ addEnvironment:
     value: /var/workdir/source
 add:
   - create-source
+addTAVolumeMount:
+  - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+    name: trusted-ca
+    readOnly: true
+    subPath: ca-bundle.crt
 removeWorkspaces:
   - output
 description: The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted

diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
@@ -70,6 +70,11 @@ spec:
       args:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: prepare
       image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21
       workingDir: /var/workdir

diff --git a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml
@@ -148,6 +148,11 @@ spec:
       args:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: sanitize-cachi2-config-file-with-yq
       image: quay.io/konflux-ci/yq:latest@sha256:99fb3254efcfd6a96977bcda12b4b74b872831f524e02938f9fa0d4ae797ffe2
       script: |

diff --git a/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml b/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml
@@ -57,6 +57,11 @@ spec:
       args:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: push
       image: quay.io/konflux-ci/oras:latest@sha256:d164490b5cbd38dcd819898cd3f5b73b64d2e3334cb2ddc728f49945207e2706
       workingDir: /var/workdir

diff --git a/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml b/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml
@@ -109,6 +109,11 @@ spec:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: build
       image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44
       workingDir: /var/workdir

diff --git a/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml b/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml
@@ -100,6 +100,11 @@ spec:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: sast-coverity-check
       image: quay.io/redhat-services-prod/sast/coverity@sha256:0d1b96fb08a901b2d0e340599c7fee7e1de25e2d6ba58f3d95db4983f32b5a3c
       workingDir: /var/workdir/source

diff --git a/task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml b/task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml
@@ -83,6 +83,11 @@ spec:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: sast-shell-check
       image: quay.io/konflux-ci/konflux-test:v1.4.11@sha256:58d19a7da752be21b4db74dc1a203a55914c5aff68b785460a0b9c340092f7e3
       workingDir: /var/workdir/source

diff --git a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml
@@ -57,6 +57,11 @@ spec:
       args:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: sast-snyk-check
       image: quay.io/konflux-ci/konflux-test:v1.4.11@sha256:540f795828852c90ec8f7d1b7b5e66e88700dc3dfe45d9cad7e2b8f64217bea8
       workingDir: /var/workdir/source

diff --git a/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml
@@ -63,6 +63,11 @@ spec:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: sast-snyk-check
       image: quay.io/konflux-ci/konflux-test:v1.4.11@sha256:540f795828852c90ec8f7d1b7b5e66e88700dc3dfe45d9cad7e2b8f64217bea8
       workingDir: /var/workdir/source

diff --git a/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml
@@ -94,6 +94,11 @@ spec:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: sast-snyk-check
       image: quay.io/konflux-ci/konflux-test:v1.4.11@sha256:540f795828852c90ec8f7d1b7b5e66e88700dc3dfe45d9cad7e2b8f64217bea8
       workingDir: /var/workdir/source

diff --git a/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml b/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml
@@ -81,6 +81,11 @@ spec:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: sast-unicode-check
       image: quay.io/konflux-ci/konflux-test:v1.4.11@sha256:540f795828852c90ec8f7d1b7b5e66e88700dc3dfe45d9cad7e2b8f64217bea8
       workingDir: /var/workdir/source

diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml
@@ -60,6 +60,11 @@ spec:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: get-base-images
       image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
       env:

diff --git a/task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml b/task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml
@@ -58,6 +58,11 @@ spec:
       args:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: modify-task-files
       image: quay.io/konflux-ci/konflux-test:latest@sha256:2224fabdb0a28a415d4af4c58ae53d7c4c53c83c315f12e07d1d7f48a80bfa70
       workingDir: /var/workdir/source