fix(RELEASE-2158): use trusted-ca mounts to support self hosted Quay

Add trusted-ca volume mounts to system certificate paths to be
consistent with other tasks in the push-to-external-registry pipeline.
Go-based tools (cosign, mobster) require the CA bundle at
/etc/ssl/certs/ to include it in the system cert pool. This is needed
for push-to-external-registry to work with self-hosted Quay instances
that use custom CA certificates.

Assisted-by: Cursor
Signed-off-by: Lubomir Gallovic <lgallovi@redhat.com>

Author: querti

tasks/augment-component-sboms-ta/0.3/augment-component-sboms-ta.yaml

@@ -157,6 +157,14 @@ spec:
         A regular expression to extract build identity from the OIDC token claims, if applicable.
       default: ""
 
+    - name: caTrustConfigMapName
+      type: string
+      description: The name of the ConfigMap to read CA bundle data from
+      default: trusted-ca
+    - name: caTrustConfigMapKey
+      type: string
+      description: The name of the key in the ConfigMap that contains the CA bundle data
+      default: ca-bundle.crt
 
   results:
     - description: Produced trusted data artifact
@@ -174,11 +182,26 @@ spec:
               # 30 minutes should be enough to finish this task
               expirationSeconds: 1800
               path: oidc-token
+    - name: trusted-ca
+      configMap:
+        name: $(params.caTrustConfigMapName)
+        items:
+          - key: $(params.caTrustConfigMapKey)
+            path: ca-bundle.crt
+        optional: true
 
   stepTemplate:
     volumeMounts:
       - mountPath: /var/workdir
         name: workdir
+      - name: trusted-ca
+        mountPath: /etc/pki/tls/certs/ca-bundle.crt
+        subPath: ca-bundle.crt
+        readOnly: true
+      - name: trusted-ca
+        mountPath: /etc/ssl/certs/ca-custom-bundle.crt
+        subPath: ca-bundle.crt
+        readOnly: true
     env:
       - name: IMAGE_EXPIRES_AFTER
         value: $(params.ociArtifactExpiresAfter)