diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 3b452f957d..f27576d659 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -536,9 +536,20 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true script: | #!/bin/bash set -e + + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) @@ -597,3 +608,7 @@ spec: - cyclonedx - $(params.IMAGE) workingDir: /var/workdir + volumeMounts: + - mountPath: /etc/ssl/certs + name: trusted-ca + readOnly: true diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 2145728f94..2577108f39 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -592,6 +592,14 @@ spec: script: | #!/bin/bash set -e + + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) @@ -642,6 +650,9 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true workingDir: $(workspaces.source.path) - args: - attach @@ -654,6 +665,10 @@ spec: computeResources: {} image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 name: upload-sbom + volumeMounts: + - mountPath: /etc/ssl/certs + name: trusted-ca + readOnly: true workingDir: $(workspaces.source.path) volumes: - emptyDir: {} diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 8498b2571d..bcad6d06a9 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -488,6 +488,14 @@ spec: script: | #!/bin/bash set -e + + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) @@ -538,6 +546,9 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - name: trusted-ca + mountPath: /mnt/trusted-ca + readOnly: true workingDir: $(workspaces.source.path) - name: upload-sbom @@ -550,6 +561,10 @@ spec: - --type - cyclonedx - $(params.IMAGE) + volumeMounts: + - name: trusted-ca + mountPath: /etc/ssl/certs + readOnly: true workingDir: $(workspaces.source.path) volumes: