Custom CA bundle for build-task #1025

Merged (2 commits), May 29, 2024
26 changes: 26 additions & 0 deletions task/buildah-remote/0.1/buildah-remote.yaml
Expand Up @@ -86,6 +86,15 @@ spec:
description: Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file
name: BUILD_ARGS_FILE
type: string
- default: trusted-ca
description: The name of the ConfigMap to read CA bundle data from.
name: caTrustConfigMapName
type: string
- default: ca-bundle.crt
description: The name of the key in the ConfigMap that contains the CA bundle
data.
name: caTrustConfigMapKey
type: string
- description: The platform to build on
name: PLATFORM
type: string
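Review bot: the two new parameters `caTrustConfigMapName` and `caTrustConfigMapKey` are camelCase while every neighbouring parameter in this task (`BUILD_ARGS_FILE`, `PLATFORM`) is UPPER_SNAKE_CASE; unless the repository has already settled on mixed casing, `CA_TRUST_CONFIG_MAP_NAME` / `CA_TRUST_CONFIG_MAP_KEY` would spare pipeline authors from remembering two styles. Minor: the description of `caTrustConfigMapKey` is split across two lines as a plain multi-line scalar, which YAML folds to one line and is valid, but the other descriptions in this block stay on a single line.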
Expand Down Expand Up @@ -191,6 +200,13 @@ spec:
echo "WARNING: provided deprecated BUILDER_IMAGE parameter has no effect."
fi

ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
echo "INFO: Using mounted CA bundle: $ca_bundle"
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
Member:
Perhaps we can symlink instead of copy to avoid creating another copy of the entire bundle in RAM.

For now we end up with 3 copies at least:

  1. The config map
  2. The file in /etc/pki/ca-trust/source/anchors
  3. The resulting bundle file after running update-ca-trust

Maybe we can even mount the config map directly into /etc/pki/ca-trust/source/anchors ?

Member:
Maybe, but we know that this approach works and I don't think the memory overhead is too big.
I think we should proceed with this PR for unblocking @ashwindasr

Member @ifireball, May 22, 2024:
How hard is it to test using ln -s instead of cp?

update-ca-trust
fi

SOURCE_CODE_DIR=source
if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
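Review bot: `cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors` leaves `$ca_bundle` unquoted while the test two lines above quotes it (`[ -f "$ca_bundle" ]`); the value is a fixed path today so nothing breaks, but quote it for consistency: `cp -vf "$ca_bundle" /etc/pki/ca-trust/source/anchors`. Two further points on this block: copying the mounted file into the system anchors and running `update-ca-trust` makes every certificate in that ConfigMap a trusted root for the whole build step, so anyone who can write the ConfigMap in the namespace can make the build trust arbitrary issuers; that is inherent to the feature, but a sentence in the parameter description would prompt operators to restrict write access to it. And when the file is absent the block is silent; an `else` branch logging that no custom CA bundle was mounted would make TLS failures in builds behind a private CA much easier to diagnose.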
Expand Down Expand Up @@ -365,6 +381,9 @@ spec:
name: varlibcontainers
- mountPath: /entitlement
name: etc-pki-entitlement
- mountPath: /mnt/trusted-ca
name: trusted-ca
readOnly: true
- mountPath: /ssh
name: ssh
readOnly: true
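Review bot: `mountPath: /mnt/trusted-ca` here and the hard-coded `ca_bundle=/mnt/trusted-ca/ca-bundle.crt` in the script are two copies of the same path with nothing tying them together; a comment next to either, or an env var on the step that the script reads, would keep them from drifting apart in a later edit. `readOnly: true` is the right setting for a trust-store input.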
Expand Down Expand Up @@ -537,6 +556,13 @@ spec:
secret:
optional: true
secretName: $(params.ENTITLEMENT_SECRET)
- configMap:
items:
- key: $(params.caTrustConfigMapKey)
path: ca-bundle.crt
name: $(params.caTrustConfigMapName)
optional: true
name: trusted-ca
- name: ssh
secret:
optional: false
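Review bot: `optional: true` on the ConfigMap volume means a misspelled `caTrustConfigMapName` or a missing key does not fail the TaskRun; the build simply proceeds without the custom CA and fails later with a TLS error, or succeeds only because the registry happened to be reachable anyway. That is a sensible default for a feature most pipelines won't use, but the behaviour should be stated in the parameter descriptions. Note also that `path: ca-bundle.crt` pins the file name inside the mount regardless of `caTrustConfigMapKey`, which is what lets the script use a constant path; that coupling deserves a comment so a future change to one side does not break the other.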
25 changes: 25 additions & 0 deletions task/buildah/0.1/buildah.yaml
Expand Up @@ -79,6 +79,14 @@ spec:
description: Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file
type: string
default: ""
- name: caTrustConfigMapName
type: string
description: The name of the ConfigMap to read CA bundle data from.
default: trusted-ca
- name: caTrustConfigMapKey
Contributor, on lines +82 to +86:
I'm conflicted about the consistency of these param names.

On the one hand, the buildah task uses UPPERCASE_NAMES, so this is inconsistent. On the other hand, we already dropped the ball in #942

(And in the context of the whole pipeline, the params should be consistent across all the tasks.)

For this PR, I don't really care what you choose. We really need to make the param casing across all tasks consistent. Breaking changes on that scale will be fun 🥲

type: string
description: The name of the key in the ConfigMap that contains the CA bundle data.
default: ca-bundle.crt

results:
- description: Digest of the image just built
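Review bot: same naming-convention question as in `buildah-remote.yaml`: `caTrustConfigMapName` / `caTrustConfigMapKey` are camelCase beside UPPER_SNAKE_CASE parameters, and the Contributor's comment above raises the same concern; whichever casing is chosen, both tasks should use the same one. Separately, `default: trusted-ca` means any ConfigMap with that name in the namespace is picked up automatically without the pipeline author opting in, which is worth spelling out in the description so operators know that name is significant.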
Expand Down Expand Up @@ -144,6 +152,13 @@ spec:
echo "WARNING: provided deprecated BUILDER_IMAGE parameter has no effect."
fi

ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
echo "INFO: Using mounted CA bundle: $ca_bundle"
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
update-ca-trust
fi

SOURCE_CODE_DIR=source
if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
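Review bot: this block is a verbatim copy of the one added to `buildah-remote.yaml`, including the unquoted `$ca_bundle` on the `cp` line; quote it (`cp -vf "$ca_bundle" /etc/pki/ca-trust/source/anchors`) and, since the two tasks must stay in sync, consider a comment in each pointing at the other. Also, `update-ca-trust` needs a writable `/etc/pki/ca-trust`; if the step ever runs with a read-only root filesystem the copy and update would fail, and unless the script runs under `set -e` (not visible in this hunk) the build would continue without the bundle, so checking the exit status explicitly is cheap insurance.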
Expand Down Expand Up @@ -284,6 +299,9 @@ spec:
name: varlibcontainers
- mountPath: "/entitlement"
name: etc-pki-entitlement
- name: trusted-ca
mountPath: /mnt/trusted-ca
readOnly: true
workingDir: $(workspaces.source.path)

- name: sbom-syft-generate
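Review bot: the `trusted-ca` volume is mounted only into this step's container; the `sbom-syft-generate` step that follows in the context lines does not receive it, so if that step reaches anything over TLS through the same private CA it will not trust it. If that is intentional, fine; otherwise add the same `volumeMounts` entry there. Minor: the key order here (`name` before `mountPath`) differs from the entries directly above (`mountPath` first); both are valid YAML, but matching the neighbours keeps future diffs tidy.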
Expand Down Expand Up @@ -457,6 +475,13 @@ spec:
secret:
secretName: $(params.ENTITLEMENT_SECRET)
optional: true
- name: trusted-ca
configMap:
name: $(params.caTrustConfigMapName)
items:
- key: $(params.caTrustConfigMapKey)
path: ca-bundle.crt
optional: true
workspaces:
- name: source
description: Workspace containing the source code to build.
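Review bot: as with the volume in `buildah-remote.yaml`, `optional: true` means a wrong ConfigMap name or key yields an empty mount rather than a failed TaskRun, and `path: ca-bundle.crt` pins the file name the script expects regardless of `caTrustConfigMapKey`; both behaviours should be documented in the parameter descriptions so a user who sets the key to a different name does not expect the mounted file name to follow it.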