Skip to content

Commit

Permalink
feat(RHTAPWATCH-1011): support custom certificate in buildah
Browse files Browse the repository at this point in the history
The build step already included support for mounting custom ca-bundle.
This change introduces similar capabilities also to steps
inject-sbom-and-push and upload-sbom.

Signed-off-by: Yftach Herzog <yherzog@redhat.com>
  • Loading branch information
yftacherzog committed Jul 30, 2024
1 parent 8a2d1f0 commit eb01317
Show file tree
Hide file tree
Showing 3 changed files with 45 additions and 0 deletions.
15 changes: 15 additions & 0 deletions task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -536,9 +536,20 @@ spec:
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
script: |
#!/bin/bash
set -e
ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
echo "INFO: Using mounted CA bundle: $ca_bundle"
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
update-ca-trust
fi
base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
container=$(buildah from --pull-never $IMAGE)
Expand Down Expand Up @@ -597,3 +608,7 @@ spec:
- cyclonedx
- $(params.IMAGE)
workingDir: /var/workdir
volumeMounts:
- mountPath: /etc/ssl/certs
name: trusted-ca
readOnly: true
15 changes: 15 additions & 0 deletions task/buildah-remote/0.2/buildah-remote.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -592,6 +592,14 @@ spec:
script: |
#!/bin/bash
set -e
ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
echo "INFO: Using mounted CA bundle: $ca_bundle"
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
update-ca-trust
fi
base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
container=$(buildah from --pull-never $IMAGE)
Expand Down Expand Up @@ -642,6 +650,9 @@ spec:
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
workingDir: $(workspaces.source.path)
- args:
- attach
Expand All @@ -654,6 +665,10 @@ spec:
computeResources: {}
image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5
name: upload-sbom
volumeMounts:
- mountPath: /etc/ssl/certs
name: trusted-ca
readOnly: true
workingDir: $(workspaces.source.path)
volumes:
- emptyDir: {}
Expand Down
15 changes: 15 additions & 0 deletions task/buildah/0.2/buildah.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -488,6 +488,14 @@ spec:
script: |
#!/bin/bash
set -e
ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
echo "INFO: Using mounted CA bundle: $ca_bundle"
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
update-ca-trust
fi
base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
container=$(buildah from --pull-never $IMAGE)
Expand Down Expand Up @@ -538,6 +546,9 @@ spec:
volumeMounts:
- mountPath: /var/lib/containers
name: varlibcontainers
- name: trusted-ca
mountPath: /mnt/trusted-ca
readOnly: true
workingDir: $(workspaces.source.path)

- name: upload-sbom
Expand All @@ -550,6 +561,10 @@ spec:
- --type
- cyclonedx
- $(params.IMAGE)
volumeMounts:
- name: trusted-ca
mountPath: /etc/ssl/certs
readOnly: true
workingDir: $(workspaces.source.path)

volumes:
Expand Down

0 comments on commit eb01317

Please sign in to comment.