diff --git a/task-generator/trusted-artifacts/golden/buildah/ta.yaml b/task-generator/trusted-artifacts/golden/buildah/ta.yaml index f64bedc1a8..beaebd5c4a 100644 --- a/task-generator/trusted-artifacts/golden/buildah/ta.yaml +++ b/task-generator/trusted-artifacts/golden/buildah/ta.yaml @@ -136,6 +136,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb name: build computeResources: diff --git a/task-generator/trusted-artifacts/golden/git-clone/ta.yaml b/task-generator/trusted-artifacts/golden/git-clone/ta.yaml index c29fb3d0e4..f232d922c9 100644 --- a/task-generator/trusted-artifacts/golden/git-clone/ta.yaml +++ b/task-generator/trusted-artifacts/golden/git-clone/ta.yaml @@ -265,6 +265,10 @@ spec: volumeMounts: - name: workdir mountPath: /var/workdir + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt args: - create - --store diff --git a/task-generator/trusted-artifacts/golden/prefetch-dependencies/ta.yaml b/task-generator/trusted-artifacts/golden/prefetch-dependencies/ta.yaml index 6ab24b0f78..8cbf5c20ae 100644 --- a/task-generator/trusted-artifacts/golden/prefetch-dependencies/ta.yaml +++ b/task-generator/trusted-artifacts/golden/prefetch-dependencies/ta.yaml @@ -78,6 +78,11 @@ spec: args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8 name: prefetch-dependencies env: 
diff --git a/task-generator/trusted-artifacts/golden/sast-snyk-check/ta.yaml b/task-generator/trusted-artifacts/golden/sast-snyk-check/ta.yaml index d2900cf283..332f28a973 100644 --- a/task-generator/trusted-artifacts/golden/sast-snyk-check/ta.yaml +++ b/task-generator/trusted-artifacts/golden/sast-snyk-check/ta.yaml @@ -62,6 +62,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: sast-snyk-check image: quay.io/konflux-ci/konflux-test:v1.4.0@sha256:54d49b37c9a2e280d42961a57e4f7a16c171d6b065559f1329b548db85300bea workingDir: /var/workdir/source diff --git a/task-generator/trusted-artifacts/golden/source-build/ta.yaml b/task-generator/trusted-artifacts/golden/source-build/ta.yaml index 4b1e97b475..25012b62e7 100644 --- a/task-generator/trusted-artifacts/golden/source-build/ta.yaml +++ b/task-generator/trusted-artifacts/golden/source-build/ta.yaml @@ -58,6 +58,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: get-base-images image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8 env: diff --git a/task-generator/trusted-artifacts/recipe.go b/task-generator/trusted-artifacts/recipe.go index 2d2691d3dd..f04368e270 100644 --- a/task-generator/trusted-artifacts/recipe.go +++ b/task-generator/trusted-artifacts/recipe.go 
@@ -24,6 +24,7 @@ type Recipe struct { AddResult []pipeline.TaskResult `json:"addResult"` AddVolume []core.Volume `json:"addVolume"` AddVolumeMount []core.VolumeMount `json:"addVolumeMount"` + AddTAVolumeMount []core.VolumeMount `json:"addTAVolumeMount"` Base string `json:"base"` Description string `json:"description"` DisplaySuffix string `json:"displaySuffix"` diff --git a/task-generator/trusted-artifacts/ta.go b/task-generator/trusted-artifacts/ta.go index f826865402..3a736344e4 100644 --- a/task-generator/trusted-artifacts/ta.go +++ b/task-generator/trusted-artifacts/ta.go @@ -159,9 +159,19 @@ func perform(task *pipeline.Task, recipe *Recipe) error { Name: "workdir", MountPath: "/var/workdir", } + trustedVolumeMount := core.VolumeMount{ + Name: "trusted-ca", + MountPath: "/etc/pki/tls/certs/ca-custom-bundle.crt", + SubPath: "ca-bundle.crt", + ReadOnly: true, + } + if len(recipe.AddVolumeMount) == 0 { recipe.AddVolumeMount = []core.VolumeMount{workdirVolumeMount} } + if len(recipe.AddTAVolumeMount) == 0 { + recipe.AddTAVolumeMount = []core.VolumeMount{trustedVolumeMount} + } removeEnv := func(env *[]string) func(core.EnvVar) bool { return func(e core.EnvVar) bool { @@ -308,6 +318,7 @@ func perform(task *pipeline.Task, recipe *Recipe) error { Name: "use-trusted-artifact", Image: image, Args: args, + VolumeMounts: recipe.AddTAVolumeMount, }}, task.Spec.Steps...) } if recipe.createSource || recipe.createCachi2 { @@ -348,7 +359,7 @@ func perform(task *pipeline.Task, recipe *Recipe) error { } if task.Spec.StepTemplate == nil && !recipe.PreferStepTemplate { - create.VolumeMounts = []core.VolumeMount{workdirVolumeMount} + create.VolumeMounts = append([]core.VolumeMount{workdirVolumeMount}, recipe.AddTAVolumeMount...) } task.Spec.Steps = append(task.Spec.Steps, create) } diff --git a/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml b/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml index 96f3346aba..859adde453 100644 
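Review bot: The new `AddTAVolumeMount` field in `Recipe` (recipe.go hunk) sits directly below `AddVolumeMount` with nothing to say how the two differ, and its default can only be found by reading `perform` in ta.go. A field comment would cover it, for example `// AddTAVolumeMount lists the volume mounts for the generated use-trusted-artifact and create steps; perform defaults it to the trusted-ca CA bundle mount when empty.` The struct declaration starts and ends outside this hunk.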
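Review bot: In the first ta.go hunk, the default `trustedVolumeMount` names a volume `trusted-ca`, but no visible hunk adds a matching entry to the task's volumes, and the `len(recipe.AddTAVolumeMount) == 0` test means a recipe cannot request no mount at all. If a base task does not already declare that volume, the generated use-trusted-artifact step would reference a volume that does not exist; whether every base task declares it cannot be seen from here. Consider checking in `perform` that the task or `recipe.AddVolume` declares a volume with that name and returning an error when it does not. Because this mount appears to supply an extra CA bundle to the steps that fetch and store artifacts, a comment on `trustedVolumeMount` should also say what backs the `trusted-ca` volume, since whoever can edit that source decides which registry certificates those steps accept. `perform` starts and ends outside the hunk.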
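Review bot: In the last ta.go hunk, the create step receives `recipe.AddTAVolumeMount` only inside the `task.Spec.StepTemplate == nil && !recipe.PreferStepTemplate` branch, while the use-trusted-artifact step in the previous hunk receives it unconditionally. The prefetch-dependencies-oci-ta section of this commit changes only the use-trusted-artifact step, so if that task also has a create step (not visible here), it is generated without the CA bundle mount. If the create step needs the bundle on both paths, keep `create.VolumeMounts = []core.VolumeMount{workdirVolumeMount}` inside the `if` and add `create.VolumeMounts = append(create.VolumeMounts, recipe.AddTAVolumeMount...)` after it. `perform` starts and ends outside the hunk.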
--- a/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml +++ b/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml @@ -93,6 +93,11 @@ spec: args: - use - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: prepare image: quay.io/konflux-ci/appstudio-utils@sha256:426143910a9fe57a340143f8c19f1ad8e7103749be84096c3faacc20b260b15a workingDir: /var/workdir diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index 174a3915c8..bd55e4ecaa 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -220,6 +220,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: build image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c args: diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 93814684e4..6548dab9d2 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -246,6 +246,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: build image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c args: diff --git a/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml index 045b5188dc..59fad520a5 100644 --- a/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml 
+++ b/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml @@ -239,6 +239,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: build image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c args: diff --git a/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml b/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml index 2e29e0ecad..e247583b3f 100644 --- a/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml +++ b/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml @@ -56,6 +56,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: coverity-availability-check image: quay.io/konflux-ci/konflux-test:v1.4.11@sha256:540f795828852c90ec8f7d1b7b5e66e88700dc3dfe45d9cad7e2b8f64217bea8 workingDir: /var/workdir/source diff --git a/task/fbc-fips-check-oci-ta/0.1/fbc-fips-check-oci-ta.yaml b/task/fbc-fips-check-oci-ta/0.1/fbc-fips-check-oci-ta.yaml index e75ad033d2..da4787c8ea 100644 --- a/task/fbc-fips-check-oci-ta/0.1/fbc-fips-check-oci-ta.yaml +++ b/task/fbc-fips-check-oci-ta/0.1/fbc-fips-check-oci-ta.yaml @@ -40,6 +40,11 @@ spec: args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: get-unique-related-images image: quay.io/redhat-appstudio/konflux-test:v1.4.11@sha256:540f795828852c90ec8f7d1b7b5e66e88700dc3dfe45d9cad7e2b8f64217bea8 env: 
diff --git a/task/fips-operator-bundle-check-oci-ta/0.1/fips-operator-bundle-check-oci-ta.yaml b/task/fips-operator-bundle-check-oci-ta/0.1/fips-operator-bundle-check-oci-ta.yaml index e7888a1891..a11a168998 100644 --- a/task/fips-operator-bundle-check-oci-ta/0.1/fips-operator-bundle-check-oci-ta.yaml +++ b/task/fips-operator-bundle-check-oci-ta/0.1/fips-operator-bundle-check-oci-ta.yaml @@ -50,6 +50,11 @@ spec: args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: get-unique-related-images image: quay.io/redhat-appstudio/konflux-test:v1.4.11@sha256:540f795828852c90ec8f7d1b7b5e66e88700dc3dfe45d9cad7e2b8f64217bea8 env: diff --git a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml index 7fb6d2bd11..2dde0e4f89 100644 --- a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml +++ b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml @@ -307,6 +307,10 @@ spec: volumeMounts: - mountPath: /var/workdir name: workdir + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt env: - name: IMAGE_EXPIRES_AFTER value: $(params.ociArtifactExpiresAfter) diff --git a/task/git-clone-oci-ta/0.1/recipe.yaml b/task/git-clone-oci-ta/0.1/recipe.yaml index 4b35d69707..bc17bb78b6 100644 --- a/task/git-clone-oci-ta/0.1/recipe.yaml +++ b/task/git-clone-oci-ta/0.1/recipe.yaml @@ -9,6 +9,11 @@ addEnvironment: value: /var/workdir/source add: - create-source +addTAVolumeMount: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt removeWorkspaces: - output description: The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted 
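Review bot: The `addTAVolumeMount` entry added to task/git-clone-oci-ta/0.1/recipe.yaml repeats, value for value, the default that `perform` in ta.go applies when the list is empty, so it changes nothing in the generated task today. Keeping the copy means a later change to the default mount path or volume name in ta.go would leave git-clone-oci-ta on the old values without any error. Either drop the entry and rely on the default, or add a comment above it, for example `# explicit copy of the generator default; keep in sync with ta.go`.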
diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index c6daaf6753..49ca9aebd6 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml +++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml @@ -70,6 +70,11 @@ spec: args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: prepare image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21 workingDir: /var/workdir diff --git a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml index 987a248540..1be77a1849 100644 --- a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml +++ b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml @@ -148,6 +148,11 @@ spec: args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: sanitize-cachi2-config-file-with-yq image: quay.io/konflux-ci/yq:latest@sha256:99fb3254efcfd6a96977bcda12b4b74b872831f524e02938f9fa0d4ae797ffe2 script: | diff --git a/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml b/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml index dc1408b4ca..7975b0d201 100644 --- a/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml +++ b/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml 
@@ -57,6 +57,11 @@ spec: args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: push image: quay.io/konflux-ci/oras:latest@sha256:d164490b5cbd38dcd819898cd3f5b73b64d2e3334cb2ddc728f49945207e2706 workingDir: /var/workdir diff --git a/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml b/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml index 10675ede20..4baecd4776 100644 --- a/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml +++ b/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml @@ -109,6 +109,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: build image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44 workingDir: /var/workdir diff --git a/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml b/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml index 8cd6bab785..0942dae4af 100644 --- a/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml +++ b/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml @@ -100,6 +100,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: sast-coverity-check image: quay.io/redhat-services-prod/sast/coverity@sha256:0d1b96fb08a901b2d0e340599c7fee7e1de25e2d6ba58f3d95db4983f32b5a3c workingDir: /var/workdir/source 
diff --git a/task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml b/task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml index 6b4d29c21a..f432962b31 100644 --- a/task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml +++ b/task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml @@ -83,6 +83,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: sast-shell-check image: quay.io/konflux-ci/konflux-test:v1.4.11@sha256:58d19a7da752be21b4db74dc1a203a55914c5aff68b785460a0b9c340092f7e3 workingDir: /var/workdir/source diff --git a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml index 92bc6eea6d..ca91fa36de 100644 --- a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml +++ b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml @@ -57,6 +57,11 @@ spec: args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: sast-snyk-check image: quay.io/konflux-ci/konflux-test:v1.4.11@sha256:540f795828852c90ec8f7d1b7b5e66e88700dc3dfe45d9cad7e2b8f64217bea8 workingDir: /var/workdir/source diff --git a/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml index 562166248d..2b264b0815 100644 --- a/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml +++ b/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml 
@@ -63,6 +63,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: sast-snyk-check image: quay.io/konflux-ci/konflux-test:v1.4.11@sha256:540f795828852c90ec8f7d1b7b5e66e88700dc3dfe45d9cad7e2b8f64217bea8 workingDir: /var/workdir/source diff --git a/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml index 07327d43a0..cd7f1a3ebf 100644 --- a/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml +++ b/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml @@ -94,6 +94,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: sast-snyk-check image: quay.io/konflux-ci/konflux-test:v1.4.11@sha256:540f795828852c90ec8f7d1b7b5e66e88700dc3dfe45d9cad7e2b8f64217bea8 workingDir: /var/workdir/source diff --git a/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml b/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml index 88f056a183..6cd5af657b 100644 --- a/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml +++ b/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml @@ -81,6 +81,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: sast-unicode-check image: quay.io/konflux-ci/konflux-test:v1.4.11@sha256:540f795828852c90ec8f7d1b7b5e66e88700dc3dfe45d9cad7e2b8f64217bea8 workingDir: /var/workdir/source 
diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml index 36a95dfa8d..1e82fbb691 100644 --- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml +++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml @@ -60,6 +60,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: get-base-images image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8 env: diff --git a/task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml b/task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml index 4e09d4c397..1c81885268 100644 --- a/task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml +++ b/task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml @@ -58,6 +58,11 @@ spec: args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: modify-task-files image: quay.io/konflux-ci/konflux-test:latest@sha256:2224fabdb0a28a415d4af4c58ae53d7c4c53c83c315f12e07d1d7f48a80bfa70 workingDir: /var/workdir/source