Custom CA bundle for prefetch-dependencies for build-task

task/buildah/0.1/buildah.yaml

@@ -75,6 +75,14 @@ spec:
     description: Path to a file with build arguments which will be passed to podman during build
     type: string
     default: ""
+  - name: caTrustConfigMapName
+    type: string
+    description: The name of the ConfigMap to read CA bundle data from.
+    default: trusted-ca
+  - name: caTrustConfigMapKey
+    type: string
+    description: The name of the key in the ConfigMap that contains the CA bundle data.
+    default: ca-bundle.crt
 
   results:
   - description: Digest of the image just built
@@ -274,6 +282,9 @@ spec:
       name: varlibcontainers
     - mountPath: "/entitlement"
       name: etc-pki-entitlement
+    - name: trusted-ca
+      mountPath: /mnt/trusted-ca
+      readOnly: true
     workingDir: $(workspaces.source.path)
 
   - name: sbom-syft-generate
@@ -414,6 +425,13 @@ spec:
           echo "Failed to push sbom image to registry after ${max_run} tries"
           exit 1
       fi
+      
+      ca_bundle=/mnt/trusted-ca/ca-bundle.crt
+      if [ -f "$ca_bundle" ]; then
+        echo "INFO: Using mounted CA bundle: $ca_bundle"
+        cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
+        update-ca-trust
+      fi
 
       cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path)
       echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
@@ -447,6 +465,13 @@ spec:
     secret:
       secretName: $(params.ENTITLEMENT_SECRET)
       optional: true
+  - name: trusted-ca
+    configMap:
+      name: $(params.caTrustConfigMapName)
+      items:
+        - key: $(params.caTrustConfigMapKey)
+          path: ca-bundle.crt
+      optional: true
   workspaces:
   - name: source
     description: Workspace containing the source code to build.