
Commit 0227271

jinqi7 authored and elenagerman committed
fix: update trusted-ca volume mount to custom directory
The PR focuses on the custom CA being used in trusted-artifact stepactions. In these stepactions, the environment variable CA_FILE is set with the value of caCertPath (for example here). Then it is passed to oras_opts.sh in the https://github.com/konflux-ci/build-trusted-artifacts repo.

It changes the trusted-ca ConfigMap mount to use a custom directory to prevent conflicts with system certificate paths. The ConfigMap is now mounted back to /mnt/trusted-ca (directory mount), and the caCertPath parameter default is updated to /mnt/trusted-ca/ca-bundle.crt.

The PR also removes the unnecessary volume mount in the verify-access-to-resources task. It also updates to the new build-trusted-artifacts image reference in stepactions.

Signed-off-by: Jing Qi
Assisted-By: Claude
Made-with: Cursor
1 parent d5e1411 commit 0227271

27 files changed

Lines changed: 194 additions & 245 deletions

File tree

stepactions/create-trusted-artifact/create-trusted-artifact.yaml

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ spec:
77
description: >-
88
This stepaction creates a trusted artifact. It does nothing if a .skip-trusted-artifacts file exists
99
in root folder.
10-
image: quay.io/konflux-ci/build-trusted-artifacts:653578444c73afc32b3a865fee9869a09f96c1a2
10+
image: quay.io/konflux-ci/build-trusted-artifacts:8b09217702ec665d4fae6d09f6a7910421f15b69
1111
env:
1212
# Set HOME variable to something else than `/` to avoid 'permission denied' problems when writing files.
1313
- name: HOME
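Review bot: the new image reference on the `+` line is a mutable tag (a commit-style tag, not an `@sha256:` digest), so the stepaction's pin on `quay.io/konflux-ci/build-trusted-artifacts` can change on the registry side without any change here. Consider pinning by digest, or at least naming in the commit message which build-trusted-artifacts change (the oras_opts.sh handling of CA_FILE that the description relies on) this tag corresponds to, so a reviewer can verify the image actually reads the new `/mnt/trusted-ca` path. The same tag bump is applied to use-trusted-artifact and use-trusted-artifact-array, so all three stepactions stay on one image.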

stepactions/use-trusted-artifact-array/use-trusted-artifact-array.yaml

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ metadata:
66
spec:
77
description: >-
88
This stepaction extracts an array of Trusted Artifacts into a folder.
9-
image: quay.io/konflux-ci/build-trusted-artifacts:653578444c73afc32b3a865fee9869a09f96c1a2
9+
image: quay.io/konflux-ci/build-trusted-artifacts:8b09217702ec665d4fae6d09f6a7910421f15b69
1010
env:
1111
# Set HOME variable to something else than `/` to avoid 'permission denied' problems when writing files.
1212
- name: HOME

stepactions/use-trusted-artifact/use-trusted-artifact.yaml

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ metadata:
66
spec:
77
description: >-
88
This stepaction extracts a Trusted Artifact into a folder.
9-
image: quay.io/konflux-ci/build-trusted-artifacts:653578444c73afc32b3a865fee9869a09f96c1a2
9+
image: quay.io/konflux-ci/build-trusted-artifacts:8b09217702ec665d4fae6d09f6a7910421f15b69
1010
env:
1111
# Set HOME variable to something else than `/` to avoid 'permission denied' problems when writing files.
1212
- name: HOME

tasks/managed/apply-mapping/README.md

Lines changed: 17 additions & 17 deletions
@@ -28,20 +28,20 @@ You can also expand image labels, e.g. "{{ labels.mylabel }}" -> The value of im
2828

2929
## Parameters
3030

31-
| Name | Description | Optional | Default value |
32-
|-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|----------------------------------|
33-
| snapshotPath | Path to the JSON string of the Snapshot spec in the config workspace to apply the mapping to | No | - |
34-
| dataPath | Path to the JSON string of the merged data to use in the data workspace | No | - |
35-
| failOnEmptyResult | Fail the task if the resulting snapshot contains 0 components | Yes | false |
36-
| ociStorage | The OCI repository where the Trusted Artifacts are stored | Yes | empty |
37-
| ociArtifactExpiresAfter | Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire | Yes | 1d |
38-
| trustedArtifactsDebug | Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable | Yes | "" |
39-
| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" |
40-
| sourceDataArtifact | Location of trusted artifacts to be used to populate data directory | Yes | "" |
41-
| dataDir | The location where data will be stored | Yes | /var/workdir/release |
42-
| taskGitUrl | The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored | No | - |
43-
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
44-
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
45-
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |
46-
| addImplicitTimestampTag | When "true", for each repository the resolved {{ timestamp }} value is added to the list of tags after translation (deduplicated). Fails if timestamp is empty. Only pipelines referencing the check-labels task should set this to "true" | Yes | false |
47-
| caCertPath | Path to CA certificate bundle for TLS verification with self-signed certificates | Yes | /etc/pki/tls/certs/ca-bundle.crt |
31+
| Name | Description | Optional | Default value |
32+
|-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-------------------------------|
33+
| snapshotPath | Path to the JSON string of the Snapshot spec in the config workspace to apply the mapping to | No | - |
34+
| dataPath | Path to the JSON string of the merged data to use in the data workspace | No | - |
35+
| failOnEmptyResult | Fail the task if the resulting snapshot contains 0 components | Yes | false |
36+
| ociStorage | The OCI repository where the Trusted Artifacts are stored | Yes | empty |
37+
| ociArtifactExpiresAfter | Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire | Yes | 1d |
38+
| trustedArtifactsDebug | Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable | Yes | "" |
39+
| orasOptions | oras options to pass to Trusted Artifacts calls | Yes | "" |
40+
| sourceDataArtifact | Location of trusted artifacts to be used to populate data directory | Yes | "" |
41+
| dataDir | The location where data will be stored | Yes | /var/workdir/release |
42+
| taskGitUrl | The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored | No | - |
43+
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
44+
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
45+
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |
46+
| addImplicitTimestampTag | When "true", for each repository the resolved {{ timestamp }} value is added to the list of tags after translation (deduplicated). Fails if timestamp is empty. Only pipelines referencing the check-labels task should set this to "true" | Yes | false |
47+
| caCertPath | Path to CA certificate bundle for TLS verification with self-signed certificates | Yes | /mnt/trusted-ca/ca-bundle.crt |
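Review bot: the new default `/mnt/trusted-ca/ca-bundle.crt` hard-codes the file name, but with a directory mount the file name under `/mnt/trusted-ca` is whatever `caTrustConfigMapKey` is set to (default `ca-bundle.crt`, two rows above). A pipeline that overrides caTrustConfigMapKey without also overriding caCertPath will point CA_FILE at a file that does not exist and, depending on how oras_opts.sh handles that, either fail or silently skip custom-CA verification. Suggest stating the coupling in the description cell, e.g. `| caCertPath | Path to CA certificate bundle for TLS verification with self-signed certificates. Must be /mnt/trusted-ca/<caTrustConfigMapKey> | Yes | /mnt/trusted-ca/ca-bundle.crt |`.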

tasks/managed/apply-mapping/apply-mapping.yaml

Lines changed: 2 additions & 7 deletions
@@ -93,7 +93,7 @@ spec:
9393
- name: caCertPath
9494
type: string
9595
description: Path to CA certificate bundle for TLS verification with self-signed certificates
96-
default: /etc/pki/tls/certs/ca-bundle.crt
96+
default: /mnt/trusted-ca/ca-bundle.crt
9797
results:
9898
- name: mapped
9999
type: string
@@ -116,12 +116,7 @@ spec:
116116
- mountPath: /var/workdir
117117
name: workdir
118118
- name: trusted-ca
119-
mountPath: /etc/pki/tls/certs/ca-bundle.crt
120-
subPath: ca-bundle.crt
121-
readOnly: true
122-
- name: trusted-ca
123-
mountPath: /etc/ssl/certs/ca-custom-bundle.crt
124-
subPath: ca-bundle.crt
119+
mountPath: /mnt/trusted-ca
125120
readOnly: true
126121
env:
127122
- name: IMAGE_EXPIRES_AFTER
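Review bot: the removed lines did more than mount the bundle at a different path: the subPath mount over `/etc/pki/tls/certs/ca-bundle.crt` replaced the container's system CA bundle, so every TLS client in this task trusted the custom CA, and the second mount exposed it again at `/etc/ssl/certs/ca-custom-bundle.crt`. After this hunk only code that honours `CA_FILE`/caCertPath sees the custom CA; please confirm that no other tool invoked by apply-mapping relies on the system trust store when talking to a registry with a self-signed certificate, otherwise this is a silent behaviour change rather than just a conflict fix. Two smaller checks: a directory mount receives ConfigMap updates while the old subPath mounts did not, so the bundle can now change mid-run; and if the trusted-ca volume is declared optional elsewhere in this file, `/mnt/trusted-ca` will be an empty directory when the ConfigMap is absent, so oras_opts.sh must tolerate a missing file at CA_FILE.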

tasks/managed/check-data-keys/README.md

Lines changed: 1 addition & 1 deletion
@@ -27,4 +27,4 @@ The validation schema is defined in `schema/dataKeys.json` in this repository.
2727
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
2828
| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from | Yes | trusted-ca |
2929
| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data | Yes | ca-bundle.crt |
30-
| caCertPath | Path to CA certificate bundle for TLS verification with self-signed certificates | Yes | /etc/pki/tls/certs/ca-bundle.crt |
30+
| caCertPath | Path to CA certificate bundle for TLS verification with self-signed certificates | Yes | /mnt/trusted-ca/ca-bundle.crt |

tasks/managed/check-data-keys/check-data-keys.yaml

Lines changed: 2 additions & 7 deletions
@@ -71,7 +71,7 @@ spec:
7171
- name: caCertPath
7272
type: string
7373
description: Path to CA certificate bundle for TLS verification with self-signed certificates
74-
default: /etc/pki/tls/certs/ca-bundle.crt
74+
default: /mnt/trusted-ca/ca-bundle.crt
7575
results:
7676
- description: Produced trusted data artifact
7777
name: sourceDataArtifact
@@ -91,12 +91,7 @@ spec:
9191
- mountPath: /var/workdir
9292
name: workdir
9393
- name: trusted-ca
94-
mountPath: /etc/pki/tls/certs/ca-bundle.crt
95-
subPath: ca-bundle.crt
96-
readOnly: true
97-
- name: trusted-ca
98-
mountPath: /etc/ssl/certs/ca-custom-bundle.crt
99-
subPath: ca-bundle.crt
94+
mountPath: /mnt/trusted-ca
10095
readOnly: true
10196
env:
10297
- name: IMAGE_EXPIRES_AFTER
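Review bot: the same remarks as for the identical hunk in apply-mapping.yaml apply here: dropping the overlay on `/etc/pki/tls/certs/ca-bundle.crt` means only clients that read CA_FILE see the custom CA, and the new `mountPath: /mnt/trusted-ca` default only lines up with caCertPath while caTrustConfigMapKey stays `ca-bundle.crt`. Since this mount block is now repeated verbatim across tasks in a 27-file commit, a conformance test asserting that every trusted-ca volume mount uses `mountPath: /mnt/trusted-ca` with `readOnly: true` and no `subPath` would keep the remaining task files consistent with these two.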
