chore(KFLUXVNGD-148): Add custom certificate support for git clone task

Add param to support the custom certificate support for git-clone-oci-ta task to connect to internal registry. Jira-Url: https://issues.redhat.com/browse/KFLUXVNGD-155 Signed-off-by: Homaja Marisetty <[email protected]>
konflux-ci · Jan 21, 2025 · f7c7942 · f7c7942
1 parent c2003d9
commit f7c7942
Show file tree

Hide file tree

Showing 9 changed files with 42 additions and 4 deletions.
diff --git a/task-generator/trusted-artifacts/README.md b/task-generator/trusted-artifacts/README.md
@@ -55,10 +55,12 @@ The following is the list of supported options:
 | `addResult`          | sequence of Tekton [TaskResult]s                 | Additional Tekton Task results to add to the Task |
 | `addVolume`          | sequence of [Volume]s                            | Additional Volumes to add to the Task |
 | `addVolumeMount`     | sequence of [VolumeMount]s                       | Additional VolumeMount to add to the Task |
+| `addTAVolumeMount`   | sequence of [VolumeMount]s                       | Additional VolumeMount to add to the Trusted Artifact Task |
 | `base`               | string                                           | Relative path from `recipe.yaml` to the Task definition of the non-Trusted Artifacts Task |
 | `description`        | string                                           | Description of the Trusted Artifacts Task |
 | `displaySuffix`      | string                                           | Additional text to place to the value of `tekton.dev/displayName` annotation from the non-Trusted Artifacts Task to the Trusted Artifacts Task (default: `" oci trusted artifacts"`) |
 | `preferStepTemplate` | boolean                                          | When `true` preference is set to configure common configuration on the `Task.spec.stepTemplate` rather than on each Task Step |
+| `useTAVolumeMount`   | boolean                                          | When `true` Volume Mount is added to the Trusted Artifact |
 | `regexReplacements`  | map of strings keys and string values            | Perform regular expression-based replacement with keys being the regular expression and the values being the replacement, see [Replacements](#replacements) |
 | `removeParams`       | sequence of strings                              | Names of Task parameters to remove |
 | `removeVolumes`      | sequence of strings                              | Names of Task Volumes to remove |

diff --git a/task-generator/trusted-artifacts/golden/buildah/ta.yaml b/task-generator/trusted-artifacts/golden/buildah/ta.yaml
@@ -136,6 +136,11 @@ spec:
       - use
       - $(params.SOURCE_ARTIFACT)=/var/workdir/source
       - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+    volumeMounts:
+      - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+        name: trusted-ca
+        readOnly: true
+        subPath: ca-bundle.crt
   - image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
     name: build
     computeResources:

diff --git a/task-generator/trusted-artifacts/golden/git-clone/ta.yaml b/task-generator/trusted-artifacts/golden/git-clone/ta.yaml
@@ -265,6 +265,10 @@ spec:
     volumeMounts:
       - name: workdir
         mountPath: /var/workdir
+      - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+        name: trusted-ca
+        readOnly: true
+        subPath: ca-bundle.crt
     args:
       - create
       - --store

diff --git a/task-generator/trusted-artifacts/recipe.go b/task-generator/trusted-artifacts/recipe.go
@@ -24,10 +24,12 @@ type Recipe struct {
 	AddResult          []pipeline.TaskResult `json:"addResult"`
 	AddVolume          []core.Volume         `json:"addVolume"`
 	AddVolumeMount     []core.VolumeMount    `json:"addVolumeMount"`
+	AddTAVolumeMount   []core.VolumeMount    `json:"addTAVolumeMount"`
 	Base               string                `json:"base"`
 	Description        string                `json:"description"`
 	DisplaySuffix      string                `json:"displaySuffix"`
 	PreferStepTemplate bool                  `json:"preferStepTemplate"`
+	UseTAVolumeMount   bool                  `json:"useTAVolumeMount"`
 	RegexReplacements  map[string]string     `json:"regexReplacements"`
 	RemoveParams       []string              `json:"removeParams"`
 	RemoveVolumes      []string              `json:"removeVolumes"`

diff --git a/task-generator/trusted-artifacts/ta.go b/task-generator/trusted-artifacts/ta.go
@@ -159,9 +159,22 @@ func perform(task *pipeline.Task, recipe *Recipe) error {
 		Name:      "workdir",
 		MountPath: "/var/workdir",
 	}
+	trustedVolumeMount := core.VolumeMount{
+		Name:      "trusted-ca",
+		MountPath: "/etc/pki/tls/certs/ca-custom-bundle.crt",
+		SubPath:   "ca-bundle.crt",
+		ReadOnly:  true,
+	}
+
 	if len(recipe.AddVolumeMount) == 0 {
 		recipe.AddVolumeMount = []core.VolumeMount{workdirVolumeMount}
 	}
+	if len(recipe.AddTAVolumeMount) == 0 {
+		recipe.AddTAVolumeMount = []core.VolumeMount{trustedVolumeMount}
+	}
+	if !recipe.UseTAVolumeMount {
+		recipe.AddTAVolumeMount = []core.VolumeMount{}
+	}
 
 	removeEnv := func(env *[]string) func(core.EnvVar) bool {
 		return func(e core.EnvVar) bool {
@@ -305,9 +318,10 @@ func perform(task *pipeline.Task, recipe *Recipe) error {
 		}
 
 		task.Spec.Steps = append([]pipeline.Step{{
-			Name:  "use-trusted-artifact",
-			Image: image,
-			Args:  args,
+			Name:         "use-trusted-artifact",
+			Image:        image,
+			Args:         args,
+			VolumeMounts: recipe.AddTAVolumeMount,
 		}}, task.Spec.Steps...)
 	}
 	if recipe.createSource || recipe.createCachi2 {
@@ -348,7 +362,7 @@ func perform(task *pipeline.Task, recipe *Recipe) error {
 		}
 
 		if task.Spec.StepTemplate == nil && !recipe.PreferStepTemplate {
-			create.VolumeMounts = []core.VolumeMount{workdirVolumeMount}
+			create.VolumeMounts = append([]core.VolumeMount{workdirVolumeMount}, recipe.AddTAVolumeMount...)
 		}
 		task.Spec.Steps = append(task.Spec.Steps, create)
 	}

diff --git a/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.3/buildah-oci-ta.yaml
@@ -247,6 +247,11 @@ spec:
         - use
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+      volumeMounts:
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
     - name: build
       image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
       args:

diff --git a/task/buildah-oci-ta/0.3/recipe.yaml b/task/buildah-oci-ta/0.3/recipe.yaml
@@ -7,6 +7,7 @@ add:
   - use-cachi2
 removeWorkspaces:
   - source
+useTAVolumeMount: true
 replacements:
   workspaces.source.path: /var/workdir
 regexReplacements:

diff --git a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
@@ -307,6 +307,10 @@ spec:
       volumeMounts:
         - mountPath: /var/workdir
           name: workdir
+        - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          name: trusted-ca
+          readOnly: true
+          subPath: ca-bundle.crt
       env:
         - name: IMAGE_EXPIRES_AFTER
           value: $(params.ociArtifactExpiresAfter)

diff --git a/task/git-clone-oci-ta/0.1/recipe.yaml b/task/git-clone-oci-ta/0.1/recipe.yaml
@@ -9,6 +9,7 @@ addEnvironment:
     value: /var/workdir/source
 add:
   - create-source
+useTAVolumeMount: true
 removeWorkspaces:
   - output
 description: The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted