From 16d97aa4ddb1128901d9d4c4975af8269f9ffa06 Mon Sep 17 00:00:00 2001
From: "rh-tap-build-team[bot]" <127938674+rh-tap-build-team[bot]@users.noreply.github.com>
Date: Wed, 14 Aug 2024 17:04:36 +0000
Subject: [PATCH 1/2] update .tekton/tasks/e2e-test.yaml
---
 .tekton/tasks/e2e-test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.tekton/tasks/e2e-test.yaml b/.tekton/tasks/e2e-test.yaml
index e3844a7959..4394153d33 100644
--- a/.tekton/tasks/e2e-test.yaml
+++ b/.tekton/tasks/e2e-test.yaml
@@ -26,7 +26,7 @@ spec:
 type: string
 steps:
 - name: e2e-test
- image: quay.io/redhat-user-workloads/konflux-qe-team-tenant/konflux-e2e/konflux-e2e-tests:efcb425bd32dcf61b82b1214c45e58f68f6f445d
+ image: quay.io/redhat-user-workloads/konflux-qe-team-tenant/konflux-e2e/konflux-e2e-tests:e51393f156f418cdb2e5997b1ced6193e369c717
 command: ["/konflux-e2e/konflux-e2e.test"]
 # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened
 # against build-definitions to update this tag
From cb8f2333039ef339385720d4bb159c1a2bf9e4a6 Mon Sep 17 00:00:00 2001
From: Yftach Herzog
Date: Thu, 15 Aug 2024 15:03:20 +0300
Subject: [PATCH 2/2] feat(RHTAPWATCH-1179): custom cert in ecosystem-cert-preflight-check
Support mounting a custom ca-bundle to allow the ecosystem-cert-preflight-check task to use a registry with a self-signed certificate.
Signed-off-by: Yftach Herzog
---
 pipelines/docker-build-oci-ta/README.md | 2 ++
 pipelines/docker-build/README.md | 2 ++
 pipelines/java-builder/README.md | 2 ++
 pipelines/nodejs-builder/README.md | 2 ++
 pipelines/tekton-bundle-builder/README.md | 2 ++
 .../0.1/README.md | 8 +++++---
 .../0.1/ecosystem-cert-preflight-checks.yaml | 19 +++++++++++++++++++
 7 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md
index ad77f97716..6e84f37772 100644
--- a/pipelines/docker-build-oci-ta/README.md
+++ b/pipelines/docker-build-oci-ta/README.md
@@ -77,6 +77,8 @@
 ### ecosystem-cert-preflight-checks:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### git-clone-oci-ta:0.1 task parameters
 |name|description|default value|already set by|
diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md
index 1fb8c47478..955a3fd52c 100644
--- a/pipelines/docker-build/README.md
+++ b/pipelines/docker-build/README.md
@@ -75,6 +75,8 @@
 ### ecosystem-cert-preflight-checks:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### git-clone:0.1 task parameters
 |name|description|default value|already set by|
diff --git a/pipelines/java-builder/README.md b/pipelines/java-builder/README.md
index 177706060c..f74062c02c 100644
--- a/pipelines/java-builder/README.md
+++ b/pipelines/java-builder/README.md
@@ -47,6 +47,8 @@
 ### ecosystem-cert-preflight-checks:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### git-clone:0.1 task parameters
 |name|description|default value|already set by|
diff --git a/pipelines/nodejs-builder/README.md b/pipelines/nodejs-builder/README.md
index 26750ad366..b183a0d745 100644
--- a/pipelines/nodejs-builder/README.md
+++ b/pipelines/nodejs-builder/README.md
@@ -47,6 +47,8 @@
 ### ecosystem-cert-preflight-checks:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### git-clone:0.1 task parameters
 |name|description|default value|already set by|
diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md
index 9f67a86536..2387bdfc9b 100644
--- a/pipelines/tekton-bundle-builder/README.md
+++ b/pipelines/tekton-bundle-builder/README.md
@@ -31,6 +31,8 @@
 ### ecosystem-cert-preflight-checks:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### git-clone:0.1 task parameters
 |name|description|default value|already set by|
diff --git a/task/ecosystem-cert-preflight-checks/0.1/README.md b/task/ecosystem-cert-preflight-checks/0.1/README.md
index 7903bb79f8..9d87b9612b 100644
--- a/task/ecosystem-cert-preflight-checks/0.1/README.md
+++ b/task/ecosystem-cert-preflight-checks/0.1/README.md
@@ -6,9 +6,11 @@ The ecosystem-cert-preflight-checks task checks an image for certification readi
 ## Params:
-| name | description |
-|--------------|----------------------------------------------------------------|
-| image-url | Image URL. |
+| name | description | default |
+|--------------------------|------------------------------------------------------------------------|---------------|
+| image-url | Image URL. | None |
+| ca-trust-config-map-name | The name of the ConfigMap to read CA bundle data from. | trusted-ca |
+| ca-trust-config-map-key | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt |
 ## Results:
diff --git a/task/ecosystem-cert-preflight-checks/0.1/ecosystem-cert-preflight-checks.yaml b/task/ecosystem-cert-preflight-checks/0.1/ecosystem-cert-preflight-checks.yaml
index c870b86834..19ff6d6e2a 100644
--- a/task/ecosystem-cert-preflight-checks/0.1/ecosystem-cert-preflight-checks.yaml
+++ b/task/ecosystem-cert-preflight-checks/0.1/ecosystem-cert-preflight-checks.yaml
@@ -8,6 +8,14 @@ spec:
 params:
 - name: image-url
 description: Image url to scan.
+ - name: ca-trust-config-map-name
+ type: string
+ description: The name of the ConfigMap to read CA bundle data from.
+ default: trusted-ca
+ - name: ca-trust-config-map-key
+ type: string
+ description: The name of the key in the ConfigMap that contains the CA bundle data.
+ default: ca-bundle.crt
 results:
 - name: TEST_OUTPUT
 description: Preflight pass or fail outcome.
@@ -21,6 +29,10 @@ spec:
 volumeMounts:
 - name: pfltoutputdir
 mountPath: /artifacts
+ - name: trusted-ca
+ mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+ subPath: ca-bundle.crt
+ readOnly: true
 - name: gather-pflt-results
 image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
 volumeMounts:
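Review bot: The new `ca-trust-config-map-name` and `ca-trust-config-map-key` entries carry an explicit `type: string` while the existing `image-url` entry right above them does not, so the params list now mixes two styles for the same declaration; adding `type: string` to `image-url` (or dropping it from the new entries) keeps the block uniform. The descriptions also omit the behaviour a user most needs to know: the volume that consumes these params is declared `optional: true` in the volumes hunk at the end of the file, so a name or key that does not resolve silently mounts nothing. Suggested wording: `description: The name of the ConfigMap to read CA bundle data from. If it does not exist in the namespace, no custom CA bundle is mounted.`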
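Review bot: The mount places the bundle at `/etc/pki/tls/certs/ca-custom-bundle.crt` as a single file, but nothing in the hunk shows that the step's tooling reads that path; the step's image and script are outside the hunk, so whether the file actually ends up in the trust store the preflight client uses, rather than merely sitting in that directory, needs confirming against the step's entrypoint. Because the backing volume is `optional: true` and this mount uses `subPath`, I believe a missing ConfigMap or key leads the kubelet to create an empty directory for the subPath, so the container would then see a directory rather than a file at the mount path, a second case the consumer has to tolerate. A comment at the mount would make the intent and the name coupling clear, e.g. `# optional custom CA bundle for registries with a private CA; subPath must match the item path of the trusted-ca volume`.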
@@ -78,3 +90,10 @@ spec:
 volumes:
 - name: pfltoutputdir
 emptyDir: {}
+ - name: trusted-ca
+ configMap:
+ name: $(params.ca-trust-config-map-name)
+ items:
+ - key: $(params.ca-trust-config-map-key)
+ path: ca-bundle.crt
+ optional: true
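Review bot: With `optional: true`, a mistyped `ca-trust-config-map-name` or a `ca-trust-config-map-key` that is absent from the ConfigMap produces no error at pod creation; the task simply runs without the custom CA and the user only sees a later TLS failure against the registry that does not point back to this volume. Since the step script is outside this hunk, consider having it log whether a bundle was found at the mount path so a silent miss is visible in the TaskRun log. The `path: ca-bundle.crt` here is tied to the mount's `subPath: ca-bundle.crt` by name only, so a comment such as `# path must match the subPath used by the trusted-ca volumeMount` would keep the two from drifting apart. Anything placed in the referenced ConfigMap becomes a trust anchor for the check, so the task README should state that the ConfigMap is read from the TaskRun's namespace and that write access to it should be restricted accordingly.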