From 5ae4b8d62770d578ca58befc3d67acf0e9aab0dd Mon Sep 17 00:00:00 2001 From: Homaja Marisetty Date: Mon, 13 Jan 2025 09:03:30 -0500 Subject: [PATCH] chore(KFLUXVNGD-148): Add custom certificate support for git clone task Add a param that adds custom certificate support to the git-clone-oci-ta task so it can connect to an internal registry. Jira-Url: https://issues.redhat.com/browse/KFLUXVNGD-155 Signed-off-by: Homaja Marisetty --- task-generator/trusted-artifacts/README.md | 2 ++ task-generator/trusted-artifacts/recipe.go | 2 ++ task-generator/trusted-artifacts/ta.go | 22 +++++++++++++++---- task/buildah-oci-ta/0.3/buildah-oci-ta.yaml | 5 +++++ task/buildah-oci-ta/0.3/recipe.yaml | 1 + .../0.3/buildah-remote-oci-ta.yaml | 5 +++++ .../0.1/git-clone-oci-ta.yaml | 4 ++++ task/git-clone-oci-ta/0.1/recipe.yaml | 1 + 8 files changed, 38 insertions(+), 4 deletions(-) diff --git a/task-generator/trusted-artifacts/README.md b/task-generator/trusted-artifacts/README.md index ff887047d6..9b56b61919 100644 --- a/task-generator/trusted-artifacts/README.md +++ b/task-generator/trusted-artifacts/README.md 
@@ -55,10 +55,12 @@ The following is the list of supported options:
 | `addResult` | sequence of Tekton [TaskResult]s | Additional Tekton Task results to add to the Task |
 | `addVolume` | sequence of [Volume]s | Additional Volumes to add to the Task |
 | `addVolumeMount` | sequence of [VolumeMount]s | Additional VolumeMount to add to the Task |
+| `addTAVolumeMount` | sequence of [VolumeMount]s | Additional VolumeMount to add to the Trusted Artifact Task |
 | `base` | string | Relative path from `recipe.yaml` to the Task definition of the non-Trusted Artifacts Task |
 | `description` | string | Description of the Trusted Artifacts Task |
 | `displaySuffix` | string | Additional text to place to the value of `tekton.dev/displayName` annotation from the non-Trusted Artifacts Task to the Trusted Artifacts Task (default: `" oci trusted artifacts"`) |
 | `preferStepTemplate` | boolean | When `true` preference is set to configure common configuration on the `Task.spec.stepTemplate` rather than on each Task Step |
+| `useTAVolumeMount` | boolean | When `true` Volume Mount is added to the Trusted Artifact |
 | `regexReplacements` | map of strings keys and string values | Perform regular expression-based replacement with keys being the regular expression and the values being the replacement, see [Replacements](#replacements) |
 | `removeParams` | sequence of strings | Names of Task parameters to remove |
 | `removeVolumes` | sequence of strings | Names of Task Volumes to remove |
diff --git a/task-generator/trusted-artifacts/recipe.go b/task-generator/trusted-artifacts/recipe.go
index 2d2691d3dd..5c5410abbc 100644
--- a/task-generator/trusted-artifacts/recipe.go
+++ b/task-generator/trusted-artifacts/recipe.go
@@ -24,10 +24,12 @@ type Recipe struct { AddResult []pipeline.TaskResult `json:"addResult"` AddVolume []core.Volume `json:"addVolume"` AddVolumeMount []core.VolumeMount `json:"addVolumeMount"` + AddTAVolumeMount []core.VolumeMount `json:"addTAVolumeMount"` Base string `json:"base"` Description string `json:"description"` DisplaySuffix string `json:"displaySuffix"` PreferStepTemplate bool `json:"preferStepTemplate"` + UseTAVolumeMount bool `json:"useTAVolumeMount"` RegexReplacements map[string]string `json:"regexReplacements"` RemoveParams []string `json:"removeParams"` RemoveVolumes []string `json:"removeVolumes"` diff --git a/task-generator/trusted-artifacts/ta.go b/task-generator/trusted-artifacts/ta.go index f826865402..65bcb3364a 100644 --- a/task-generator/trusted-artifacts/ta.go +++ b/task-generator/trusted-artifacts/ta.go @@ -159,9 +159,22 @@ func perform(task *pipeline.Task, recipe *Recipe) error { Name: "workdir", MountPath: "/var/workdir", } + trustedVolumeMount := core.VolumeMount{ + Name: "trusted-ca", + MountPath: "/etc/pki/tls/certs/ca-custom-bundle.crt", + SubPath: "ca-bundle.crt", + ReadOnly: true, + } + if len(recipe.AddVolumeMount) == 0 { recipe.AddVolumeMount = []core.VolumeMount{workdirVolumeMount} } + if len(recipe.AddTAVolumeMount) == 0 { + recipe.AddTAVolumeMount = []core.VolumeMount{trustedVolumeMount} + } + if !recipe.UseTAVolumeMount { + recipe.AddTAVolumeMount = []core.VolumeMount{} + } removeEnv := func(env *[]string) func(core.EnvVar) bool { return func(e core.EnvVar) bool { @@ -305,9 +318,10 @@ func perform(task *pipeline.Task, recipe *Recipe) error { } task.Spec.Steps = append([]pipeline.Step{{ - Name: "use-trusted-artifact", - Image: image, - Args: args, + Name: "use-trusted-artifact", + Image: image, + Args: args, + VolumeMounts: recipe.AddTAVolumeMount, }}, task.Spec.Steps...) } if recipe.createSource || recipe.createCachi2 { 
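Review bot: Neither added field in Recipe has a doc comment, so nothing at the type tells a recipe author that `AddTAVolumeMount` is only honoured when `UseTAVolumeMount` is true (that gating lives in perform in ta.go, which also supplies the trusted-ca default when the list is empty). Comment the two added lines, e.g. `// AddTAVolumeMount lists the VolumeMounts given to the trusted-artifact steps; used only when UseTAVolumeMount is true, defaulting to the trusted-ca bundle mount.` and `// UseTAVolumeMount enables AddTAVolumeMount (the CA bundle mount) on the trusted-artifact steps.` Inserting `UseTAVolumeMount` after `PreferStepTemplate` also breaks the alphabetical ordering the visible fields otherwise follow, though the README table in this commit makes the same choice, so either fix both or leave both. The Recipe struct continues outside the hunk.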
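Review bot: The last added branch, `if !recipe.UseTAVolumeMount { recipe.AddTAVolumeMount = []core.VolumeMount{} }`, silently discards an `addTAVolumeMount` list a recipe author configured without also setting `useTAVolumeMount: true`, so a CA-bundle mount can go missing from the generated Task with no signal at generation time. Since perform already returns an error, reject the contradictory recipe instead, e.g. `if !recipe.UseTAVolumeMount && len(recipe.AddTAVolumeMount) > 0 { return errors.New("addTAVolumeMount is set but useTAVolumeMount is false") }` (the file's imports are outside the hunk, so use whichever of errors/fmt is already there), keeping the existing reset only for the empty case. The default `trustedVolumeMount` also hard-codes a volume named `trusted-ca` that nothing in this hunk declares; presumably the base Tasks already carry that volume, and a comment on the literal should say so, e.g. `// expects the base Task to declare a "trusted-ca" volume; otherwise the generated step references a missing volume`. `ReadOnly: true` on the bundle mount is the right choice. perform starts and ends outside this hunk.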
@@ -348,7 +362,7 @@ func perform(task *pipeline.Task, recipe *Recipe) error { } if task.Spec.StepTemplate == nil && !recipe.PreferStepTemplate { - create.VolumeMounts = []core.VolumeMount{workdirVolumeMount} + create.VolumeMounts = append([]core.VolumeMount{workdirVolumeMount}, recipe.AddTAVolumeMount...) } task.Spec.Steps = append(task.Spec.Steps, create) } diff --git a/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml index 5d30e04189..a11992b6f9 100644 --- a/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml @@ -247,6 +247,11 @@ spec: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + volumeMounts: + - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + name: trusted-ca + readOnly: true + subPath: ca-bundle.crt - name: build image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c args: diff --git a/task/buildah-oci-ta/0.3/recipe.yaml b/task/buildah-oci-ta/0.3/recipe.yaml index c0162beb20..d434dcd7ea 100644 --- a/task/buildah-oci-ta/0.3/recipe.yaml +++ b/task/buildah-oci-ta/0.3/recipe.yaml @@ -7,6 +7,7 @@ add: - use-cachi2 removeWorkspaces: - source +useTAVolumeMount: true replacements: workspaces.source.path: /var/workdir regexReplacements: diff --git a/task/buildah-remote-oci-ta/0.3/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.3/buildah-remote-oci-ta.yaml index b7a245b123..cd34b1e856 100644 --- a/task/buildah-remote-oci-ta/0.3/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.3/buildah-remote-oci-ta.yaml 
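Review bot: The create step is given the TA mounts only on the `task.Spec.StepTemplate == nil && !recipe.PreferStepTemplate` path, while the `use-trusted-artifact` step in the preceding hunk receives `recipe.AddTAVolumeMount` unconditionally, so with a stepTemplate the CA-bundle mount for the create step presumably has to come from the template, which is not visible here — confirm, and record the intent on the changed line, e.g. `// without a stepTemplate the create step carries the workdir and CA-bundle mounts itself`. The two hunks also differ in how they hand the slice to a step: this line copies it via append, the earlier one shares `recipe.AddTAVolumeMount` directly, so a later append on that step's VolumeMounts would alias the recipe; copying in both places, e.g. `VolumeMounts: append([]core.VolumeMount(nil), recipe.AddTAVolumeMount...),`, removes the difference. perform starts and ends outside this hunk.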
@@ -233,6 +233,11 @@ spec:
 computeResources: {}
 image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:ff35e09ff5c89e54538b50abae241a765b2b7868f05d62c4835bebf0978f3659
 name: use-trusted-artifact
+ volumeMounts:
+ - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+ name: trusted-ca
+ readOnly: true
+ subPath: ca-bundle.crt
 - args:
 - --build-args
 - $(params.BUILD_ARGS[*])
diff --git a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
index 7fb6d2bd11..2dde0e4f89 100644
--- a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
+++ b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
@@ -307,6 +307,10 @@ spec:
 volumeMounts:
 - mountPath: /var/workdir
 name: workdir
+ - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+ name: trusted-ca
+ readOnly: true
+ subPath: ca-bundle.crt
 env:
 - name: IMAGE_EXPIRES_AFTER
 value: $(params.ociArtifactExpiresAfter)
diff --git a/task/git-clone-oci-ta/0.1/recipe.yaml b/task/git-clone-oci-ta/0.1/recipe.yaml
index 4b35d69707..6c816f609d 100644
--- a/task/git-clone-oci-ta/0.1/recipe.yaml
+++ b/task/git-clone-oci-ta/0.1/recipe.yaml
@@ -9,6 +9,7 @@ addEnvironment:
 value: /var/workdir/source
 add:
 - create-source
+useTAVolumeMount: true
 removeWorkspaces:
 - output
 description: The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted