fix(RELEASE-2383): update trusted-ca volume mount to custom directory

[jinqi7]

The PR is focus on the custom ca being used in trusted-artifact
stepactions and in these stepactions, the environment variable
CA_FILE is set with the value of caCertPath (for example here).
Then it will be passed to oras_opts.sh in
https://github.com/konflux-ci/build-trusted-artifacts repo.

• It changes trusted-ca ConfigMap mount to use a custom directory to prevent conflicts with system certificate paths.
  The ConfigMap is now mounted back to /mnt/trusted-ca (directory mount)
  And the caCertPath parameter default is updated to: /mnt/trusted-ca/ca-bundle.crt
• The PR also removed the unnecessary volume mount in verify-access-to-resources task.
• Updated build-trusted-artifacts image reference in stepactions.
• Removed one volume mount in verify-access-to-resource task since it's not needed.

Signed-off-by: Jing Qi
Assisted-By: Claude

Related PR: konflux-ci/mobster#361

Describe your changes

Relevant Jira

Checklist before requesting a review

• I have marked as draft or added do not merge label if there's a dependency PR
  • If you want reviews on your draft PR, you can add reviewers or add the release-service-maintainers handle if you are unsure who to tag
• My commit message includes Signed-off-by: My name <email>
• I read CONTRIBUTING.MD and commit formatting
• I have run the README.md generator script in .github/scripts/readme_generator.sh and verified the results using .github/scripts/check_readme.sh

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[jinqi7]

/retest

[qodo-code-review]

PR Reviewer Guide 🔍

(Review updated until commit 952f1e2)

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 No relevant tests

🔒 Security concerns Supply chain integrity: multiple stepactions reference quay.io/konflux-ci/build-trusted-artifacts by a mutable tag rather than an immutable digest. Pinning images by digest (@sha256:...) would reduce the risk of tag retargeting and improve build/release reproducibility.

⚡ Recommended focus areas for review Supply Chain The image reference was updated but is still pinned by a tag rather than an immutable digest. Consider pinning to @sha256:... (or otherwise guaranteeing immutability) to reduce the risk of tag retargeting and to improve reproducibility across environments. image: quay.io/konflux-ci/build-trusted-artifacts:8b09217702ec665d4fae6d09f6a7910421f15b69 env: Possible Issue The trusted CA ConfigMap is now mounted as a directory at /mnt/trusted-ca, and the prior file mounts to common system locations were removed. Please verify the task’s implementation actually consumes the CA bundle from this new location (e.g., via an env var like CA_FILE or explicit client flags); otherwise TLS verification against internal services might regress. - name: trusted-ca mountPath: /mnt/trusted-ca readOnly: true Redundancy The CA bundle is mounted both as a directory (/mnt/trusted-ca) and also as a single file at /etc/ssl/certs/ca-custom-bundle.crt. If only caCertPath/CA_FILE is intended to be used going forward, consider removing the extra mount to reduce confusion and ensure there is a single authoritative CA path. - name: trusted-ca mountPath: /mnt/trusted-ca readOnly: true - name: trusted-ca mountPath: /etc/ssl/certs/ca-custom-bundle.crt subPath: ca-bundle.crt

[qodo-code-review]

Suggestion: Add readOnly: true to the trusted-ca volume mount to explicitly prevent writes. [general, importance: 4]

New proposed code:

 - name: trusted-ca
   mountPath: /etc/ssl/certs/ca-custom-bundle.crt
   subPath: ca-bundle.crt
+  readOnly: true

[qodo-code-review]

Suggestion: Add a short note explaining why the CA bundle default moved to /mnt/trusted-ca (and any compatibility expectations), since this is a behavioral/environment assumption that may surprise task consumers. [organization best practice, importance: 6]

Suggested change

	| caCertPath | Path to CA certificate bundle for TLS verification with self-signed certificates | Yes | /mnt/trusted-ca/ca-bundle.crt |
	| caCertPath | Path to CA certificate bundle for TLS verification with self-signed certificates | Yes | /mnt/trusted-ca/ca-bundle.crt |
	**Note:** The trusted CA bundle is mounted as a directory at `/mnt/trusted-ca` (containing `ca-bundle.crt`) to avoid mounting over system certificate paths; consumers should use `$(params.caCertPath)` when configuring TLS verification.

[FilipNikolovski]

lgtm

[gbenhaim]

/ask is it enough to just mount the ca bundle to this location or we should do do something in addition so the script in this task will use it. Same questions for the changes for the other tasks.

[qodo-code-review]

Just mounting the bundle at /mnt/trusted-ca/ca-bundle.crt is only enough if the task’s script/commands actually reference that path (directly or via the caCertPath param). Changing the param default alone doesn’t automatically make tools use it.

What to verify/update in this task (and similarly in the other tasks):

• Does the script/command use $(params.caCertPath)?

  • If the script currently hardcodes /etc/pki/tls/certs/ca-bundle.crt, it will keep using the old path and your mount + default change won’t help.
  • If it already uses $(params.caCertPath) (e.g., passes it into a CLI flag), then the default change is sufficient.

• Does the underlying tool/library automatically pick up a custom CA path?

  • Many tools do not automatically look at “some file mounted somewhere”. They need either:
    • an explicit flag (preferred), e.g. --cacert $(params.caCertPath) (curl), --certificate-authority=$(params.caCertPath) (some CLIs), etc.
    • or a well-known environment variable, e.g.:
      • SSL_CERT_FILE=$(params.caCertPath) (common OpenSSL consumers)
      • REQUESTS_CA_BUNDLE=$(params.caCertPath) (Python requests)
      • GIT_SSL_CAINFO=$(params.caCertPath) (git)
  • If the task uses Java, Node, etc., those often require their own configuration (truststore / NODE_EXTRA_CA_CERTS, etc.).

• Ensure the mount matches the new default

  • The Task/TaskRun needs a volume mount that actually places the bundle at /mnt/trusted-ca/ca-bundle.crt (or places a directory at /mnt/trusted-ca containing ca-bundle.crt).
  • Also confirm file permissions allow the task container user to read it.

So: No, the param default change is not automatically enough by itself. It’s enough only when the task implementation is wired to use $(params.caCertPath) (or appropriate env vars/flags). You should perform the same check for the other tasks: search for /etc/pki/tls/certs/ca-bundle.crt hardcoding and ensure each task either uses the param in its command or exports an env var that the used tooling respects.

[gbenhaim]

@jinqi7 please take a look on this comment.

[jinqi7]

The PR is focus on the custom ca being used in trusted-artifact stepactions and in these stepactions, the environment variable CA_FILE is set with the value of caCertPath (for example here). Then it will be passed to https://github.com/konflux-ci/build-trusted-artifacts/blob/main/oras_opts.sh.

[gbenhaim]

The PR is focus on the custom ca being used in trusted-artifact stepactions and in these stepactions, the environment variable CA_FILE is set with the value of caCertPath (for example here). Then it will be passed to https://github.com/konflux-ci/build-trusted-artifacts/blob/main/oras_opts.sh.

@jinqi7 can you please include this explanation in the commit message? it's not clear right now that this PR is only for the support of custom ca bundle for the trusted-artifacts stepaction.

[jinqi7]

Yes. Updated the commit message.

[gbenhaim]

why do we still have this mount?

[jinqi7]

The mount makes the volume can be accessed by the steps (use-trusted-artifact/ create-trusted-artifact) of the tasks.

[gbenhaim]

/ask what is the reason we need two mounts for the trusted-ca?

[qodo-code-review]

We typically end up with two mounts for trusted-ca when the same CA bundle needs to be visible in two different filesystem locations inside the container:

• Legacy / OS trust-store path: some images/tools expect the CA bundle in a “standard” location (e.g., /etc/pki/ca-trust/..., /etc/ssl/certs, etc.). If the container (or update-ca-trust/update-ca-certificates) relies on that path, you need a mount there.
• Application-specific/custom path: other components (or our own scripts) may be hardcoded/configured to read CAs from a custom directory (what this PR title suggests). To support that without breaking existing behavior, we mount the same volume again at the custom location.

In Kubernetes, that’s done by mounting the same volume (name: trusted-ca) multiple times with different mountPaths (often with subPath), so the container sees the same underlying content in both places.

If both mounts are still present after this change, it’s worth double-checking:

• whether both consumers still exist (OS-level + app-level), and
• whether one can be removed by standardizing on a single path (preferred long-term), assuming nothing in the image/tooling expects the old location.

[jinqi7]

The one with "/mnt/trusted-ca" as mount point is used by my PR. The other one is added by RELEASE-2158. We may need eventually merge them into one? But it's no conflict to have two from our testing.

[gbenhaim]

I'm a bit confused. This pr mentions a ticket about making the trusted ca bundle optional. In order to do it, the mount that uses a subpath should be removed.

[jinqi7]

The mount of trusted-ca to "/etc/pki/tls/certs/ca-bundle.crt" can't work well when the configmap doesn't exist. But we still need mount the configmap in another way so that the stepactions can access it.

[qodo-code-review]

Suggestion: Revert the default caCertPath to the original system path (/etc/pki/tls/certs/ca-bundle.crt) to prevent potential TLS failures when the optional trusted-ca ConfigMap is not available. [possible issue, importance: 8]

Suggested change

	- name: caCertPath
	type: string
	description: Path to CA certificate bundle for TLS verification with self-signed certificates
	default: /etc/pki/tls/certs/ca-bundle.crt
	default: /mnt/trusted-ca/ca-bundle.crt
	- name: caCertPath
	type: string
	description: Path to CA certificate bundle for TLS verification with self-signed certificates
	default: /etc/pki/tls/certs/ca-bundle.crt

[qodo-code-review]

Suggestion: Re-add the removed caCertPath parameter to the task definition to maintain backward compatibility and prevent validation errors for existing pipelines that may still use it. [possible issue, importance: 6]

New proposed code:

 - name: caTrustConfigMapKey
   type: string
   description: The name of the key in the ConfigMap that contains the CA bundle data
   default: ca-bundle.crt
+- name: caCertPath
+  type: string
+  description: Path to CA certificate bundle for TLS verification with self-signed certificates
+  default: /mnt/trusted-ca/ca-bundle.crt

[qodo-code-review]

Suggestion: Restore the caCertPath parameter and the volume mount for the CA bundle in verify-access-to-resources.yaml to maintain consistency with other tasks and prevent potential TLS failures. [possible issue, importance: 8]

New proposed code:

+params:
+  - name: caCertPath
+    type: string
+    description: Path to CA certificate bundle for TLS verification with self-signed certificates
+    default: /mnt/trusted-ca/ca-bundle.crt
 volumes:
   - name: trusted-ca
     configMap:
       name: $(params.caTrustConfigMapName)
       items:
         - key: $(params.caTrustConfigMapKey)
           path: ca-bundle.crt
       optional: true
 stepTemplate:
   volumeMounts:
     - name: trusted-ca
       mountPath: /mnt/trusted-ca
       readOnly: true
+    - name: trusted-ca
+      mountPath: /etc/ssl/certs/ca-custom-bundle.crt
+      subPath: ca-bundle.crt
+      readOnly: true

[qodo-code-review]

Suggestion: Add a short note near the parameters table explaining why the default CA bundle path moved to /mnt/trusted-ca/ca-bundle.crt (directory mount) and call out that any consumers relying on the old /etc/pki/... path must update. [organization best practice, importance: 5]

Suggested change

	| caCertPath | Path to CA certificate bundle for TLS verification with self-signed certificates | Yes | /mnt/trusted-ca/ca-bundle.crt |
	| caCertPath | Path to CA certificate bundle for TLS verification with self-signed certificates | Yes | /mnt/trusted-ca/ca-bundle.crt |
	**Note:** The trusted CA bundle is now mounted as a directory at `/mnt/trusted-ca` (default bundle path: `/mnt/trusted-ca/ca-bundle.crt`) instead of being mounted directly at `/etc/pki/tls/certs/ca-bundle.crt`. Pipelines or scripts that referenced the old path must be updated to use `caCertPath`.

[qodo-code-review]

Suggestion: Restore the caCertPath parameter and the volume mount for the CA bundle to /etc/ssl/certs/ca-custom-bundle.crt in verify-access-to-resources.yaml to maintain consistency and prevent potential TLS errors. [possible issue, importance: 9]

Suggested change

	stepTemplate:
	volumeMounts:
	- name: trusted-ca
	mountPath: /etc/pki/tls/certs/ca-bundle.crt
	subPath: ca-bundle.crt
	readOnly: true
	- name: trusted-ca
	mountPath: /etc/ssl/certs/ca-custom-bundle.crt
	subPath: ca-bundle.crt
	mountPath: /mnt/trusted-ca
	readOnly: true
	securityContext:
	runAsUser: 1001
	- name: caCertPath
	type: string
	description: Path to CA certificate bundle for TLS verification with self-signed certificates
	default: /mnt/trusted-ca/ca-bundle.crt
	...
	stepTemplate:
	volumeMounts:
	- name: trusted-ca
	mountPath: /mnt/trusted-ca
	readOnly: true
	- name: trusted-ca
	mountPath: /etc/ssl/certs/ca-custom-bundle.crt
	subPath: ca-bundle.crt
	readOnly: true
	securityContext:
	runAsUser: 1001

[qodo-code-review]

Suggestion: Verify that the use-trusted-artifact StepAction defines orasOptions and caCertPath parameters to prevent runtime errors when they are passed from the collect-tpa-params task. [possible issue, importance: 6]

New proposed code:

-- name: use-trusted-artifact
-  ...
-  params:
-    - name: workDir
-      value: $(params.dataDir)
-    - name: sourceDataArtifact
-      value: $(params.sourceDataArtifact)
-    - name: orasOptions
-      value: $(params.orasOptions)
-    - name: caCertPath
-      value: $(params.caCertPath)
 
+

[qodo-code-review]

Suggestion: Pin the container image quay.io/konflux-ci/build-trusted-artifacts to its digest (@sha256:...) instead of a mutable tag to improve security and ensure reproducible builds. [security, importance: 7]

Suggested change

	spec:
	description: >-
	This stepaction extracts a Trusted Artifact into a folder.
	image: quay.io/konflux-ci/build-trusted-artifacts:653578444c73afc32b3a865fee9869a09f96c1a2
	image: quay.io/konflux-ci/build-trusted-artifacts:8b09217702ec665d4fae6d09f6a7910421f15b69
	spec:
	description: >-
	This stepaction extracts a Trusted Artifact into a folder.
	image: quay.io/konflux-ci/build-trusted-artifacts@sha256:<insert_resolved_digest>

[FilipNikolovski]

I noticed here we remove the other trusted-ca volume mount, but in the other places we don't, is this correct?

[jinqi7]

In fact, that volume mount is not needed in the task. In some other tasks, it's needed. So, I removed it here.

[qodo-code-review]

Suggestion: Restore the caCertPath parameter and the /etc/ssl/certs/ca-custom-bundle.crt volume mount in verify-access-to-resources.yaml to maintain consistency with other tasks in the PR. [possible issue, importance: 7]

Suggested change

	stepTemplate:
	volumeMounts:
	- name: trusted-ca
	mountPath: /etc/pki/tls/certs/ca-bundle.crt
	subPath: ca-bundle.crt
	readOnly: true
	- name: trusted-ca
	mountPath: /etc/ssl/certs/ca-custom-bundle.crt
	subPath: ca-bundle.crt
	mountPath: /mnt/trusted-ca
	readOnly: true
	- name: caTrustConfigMapKey
	type: string
	description: The name of the key in the ConfigMap that contains the CA bundle data
	default: ca-bundle.crt
	- name: caCertPath
	type: string
	description: Path to CA certificate bundle for TLS verification with self-signed certificates
	default: /mnt/trusted-ca/ca-bundle.crt
	volumes:
	- name: trusted-ca
	configMap:
	name: $(params.caTrustConfigMapName)
	items:
	- key: $(params.caTrustConfigMapKey)
	path: ca-bundle.crt
	optional: true
	stepTemplate:
	volumeMounts:
	- name: trusted-ca
	mountPath: /mnt/trusted-ca
	readOnly: true
	- name: trusted-ca
	mountPath: /etc/ssl/certs/ca-custom-bundle.crt
	subPath: ca-bundle.crt
	readOnly: true

[qodo-code-review]

Suggestion: Add a brief note explaining that the trusted-ca ConfigMap is now mounted as a directory at /mnt/trusted-ca (and why), so users understand the new default and how to override it. [organization best practice, importance: 6]

Suggested change

	| caCertPath | Path to CA certificate bundle for TLS verification with self-signed certificates | Yes | /mnt/trusted-ca/ca-bundle.crt |
	| caCertPath | Path to CA certificate bundle for TLS verification with self-signed certificates | Yes | /mnt/trusted-ca/ca-bundle.crt |
	**CA bundle note:** the `trusted-ca` ConfigMap is mounted at `/mnt/trusted-ca`, so the default CA bundle path is `/mnt/trusted-ca/ca-bundle.crt` (override `caCertPath` if your pipeline mounts a different location).

[jinqi7]

/retest

[jinqi7]

/retest

[qodo-code-review]

Suggestion: Revert the default caCertPath to a system path, such as /etc/ssl/certs/ca-bundle.crt, to prevent failures when the optional trusted-ca ConfigMap is not provided. [possible issue, importance: 8]

Suggested change

	- name: caCertPath
	type: string
	description: Path to CA certificate bundle for TLS verification with self-signed certificates
	default: /etc/pki/tls/certs/ca-bundle.crt
	default: /mnt/trusted-ca/ca-bundle.crt
	- name: caCertPath
	type: string
	description: Path to CA certificate bundle for TLS verification with self-signed certificates
	default: /etc/ssl/certs/ca-bundle.crt

[qodo-code-review]

Suggestion: Restore the caCertPath parameter and the compatibility volume mount for trusted-ca to /etc/ssl/certs/ca-custom-bundle.crt to ensure custom CA functionality is not broken. [possible issue, importance: 9]

Suggested change

	stepTemplate:
	volumeMounts:
	- name: trusted-ca
	mountPath: /etc/pki/tls/certs/ca-bundle.crt
	subPath: ca-bundle.crt
	readOnly: true
	- name: trusted-ca
	mountPath: /etc/ssl/certs/ca-custom-bundle.crt
	subPath: ca-bundle.crt
	mountPath: /mnt/trusted-ca
	readOnly: true
	- name: caCertPath
	type: string
	description: Path to CA certificate bundle for TLS verification with self-signed certificates
	default: /mnt/trusted-ca/ca-bundle.crt
	...
	stepTemplate:
	volumeMounts:
	- name: trusted-ca
	mountPath: /mnt/trusted-ca
	readOnly: true
	- name: trusted-ca
	mountPath: /etc/ssl/certs/ca-custom-bundle.crt
	subPath: ca-bundle.crt
	readOnly: true

[qodo-code-review]

Suggestion: Remove the volumeMount that uses subPath on the optional trusted-ca volume. This prevents potential pod startup failures when the corresponding ConfigMap is absent. [possible issue, importance: 8]

New proposed code:

 volumeMounts:
   - mountPath: /var/workdir
     name: workdir
   - name: trusted-ca
     mountPath: /mnt/trusted-ca
     readOnly: true
-  - name: trusted-ca
-    mountPath: /etc/ssl/certs/ca-custom-bundle.crt
-    subPath: ca-bundle.crt
-    readOnly: true

[qodo-code-review]

Suggestion: Add an environment variable like SSL_CERT_FILE to the stepTemplate. This will point tools to the custom CA bundle, preventing TLS failures in environments that require it. [possible issue, importance: 8]

Suggested change

	stepTemplate:
	volumeMounts:
	- name: trusted-ca
	mountPath: /etc/pki/tls/certs/ca-bundle.crt
	subPath: ca-bundle.crt
	readOnly: true
	- name: trusted-ca
	mountPath: /etc/ssl/certs/ca-custom-bundle.crt
	subPath: ca-bundle.crt
	mountPath: /mnt/trusted-ca
	readOnly: true
	securityContext:
	runAsUser: 1001
	stepTemplate:
	volumeMounts:
	- name: trusted-ca
	mountPath: /mnt/trusted-ca
	readOnly: true
	env:
	- name: SSL_CERT_FILE
	value: /mnt/trusted-ca/ca-bundle.crt
	securityContext:
	runAsUser: 1001

[qodo-code-review]

Suggestion: Add a short note clarifying that the trusted-ca ConfigMap is now mounted as a directory at /mnt/trusted-ca and that caCertPath should point to /mnt/trusted-ca/ca-bundle.crt to reduce confusion for users migrating from the previous file mount. [organization best practice, importance: 6]

Suggested change

	| caCertPath | Path to CA certificate bundle for TLS verification with self-signed certificates | Yes | /mnt/trusted-ca/ca-bundle.crt |
	| caCertPath | Path to CA certificate bundle for TLS verification with self-signed certificates | Yes | /mnt/trusted-ca/ca-bundle.crt |
	**Note:** The `trusted-ca` ConfigMap is mounted at `/mnt/trusted-ca` (directory mount). Set `caCertPath` to `/mnt/trusted-ca/ca-bundle.crt` (or override it) when using a custom CA bundle.

[elenagerman]

Sorry, I have to open a new one to have full control over the code:
#2145