diff --git a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml
index 0cb68e7772..93a7227fdf 100644
--- a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml
+++ b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml
@@ -21,7 +21,7 @@ spec:
 description: Directory to write the result .repo files.
 steps:
 - name: generate-odcs-compose
- image: quay.io/redhat-appstudio/tools@sha256:463b8b97125285e93201a2c858bdf1fb1a3f4f6b23247ff44bec3f6fb926fdbb
+ image: quay.io/redhat-appstudio/tools@sha256:130dbe49cc76ff4457cb53916a32b6b1330d86feeb95beaa3b443fd8ac5b47fa
 env:
 - name: CLIENT_ID
 valueFrom:
diff --git a/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml
index f0572f200d..d8c5e99e21 100644
--- a/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml
+++ b/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml
@@ -21,7 +21,7 @@ spec:
 description: Directory to write the result .repo files.
 steps:
 - name: generate-odcs-compose
- image: quay.io/redhat-appstudio/tools@sha256:463b8b97125285e93201a2c858bdf1fb1a3f4f6b23247ff44bec3f6fb926fdbb
+ image: quay.io/redhat-appstudio/tools@sha256:130dbe49cc76ff4457cb53916a32b6b1330d86feeb95beaa3b443fd8ac5b47fa
 env:
 - name: CLIENT_ID
 valueFrom:
diff --git a/task/rpms-signature-scan/0.1/README.md b/task/rpms-signature-scan/0.1/README.md
index afdcddb6b8..d8ee420126 100644
--- a/task/rpms-signature-scan/0.1/README.md
+++ b/task/rpms-signature-scan/0.1/README.md
@@ -3,19 +3,19 @@
 ## Description:
 This tasks scans RPMs in an image and provide information about RPMs signatures.
-It can be used in two modes. Depending on the value of parameter `FAIL_UNSIGNED`, it
+It can be used in two modes. Depending on the value of parameter `fail-unsigned`, it
 will either fail any run that find unsigned RPMs, or only report its finding without
 failing (the latter is useful when running inside a build pipeline which tests the use
 of RPMs before their official release).
 ## Params:
-| Name | Description | Defaults |
-|-----------------|-------------------------------------------------------------------|-----------|
-| IMAGE | Image used for running the tasks's script | |
-| INPUT | A reference to a container image | |
-| FAIL_UNSIGNED | [true \| false] If true fail if unsigned RPMs were found | false |
-| WORKDIR | Directory for storing temporary files | |
-
+| Name | Description | Defaults | Required |
+|--------------------------|------------------------------------------------------------------------|---------------|----------|
+| image-url | A reference to a container image | | true |
+| fail-unsigned | [true \| false] If true fail if unsigned RPMs were found | false | false |
+| workdir | Directory for storing temporary files | /tmp | false |
+| ca-trust-config-map-name | The name of the ConfigMap to read CA bundle data from. | trusted-ca | false |
+| ca-trust-config-map-key | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | false |
 ## Results:
diff --git a/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml b/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml
index f52d150cec..13e62c0d48 100644
--- a/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml
+++ b/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml
@@ -5,19 +5,27 @@ metadata:
 name: rpms-signature-scan
 spec:
 params:
- - name: INPUT
+ - name: image-url
 type: string
- description: "AppStudio snapshot or a reference to a container image"
- - name: FAIL_UNSIGNED
+ description: "AppStudio container image"
+ - name: fail-unsigned
 type: string
 description: "[true | false] If true fail if unsigned RPMs were found"
 default: "false"
- - name: WORKDIR
+ - name: workdir
 type: string
 default: /tmp
 description: |
 Directory that will be used for storing temporary files produced by this task.
+ - name: ca-trust-config-map-name
+ type: string
+ description: The name of the ConfigMap to read CA bundle data from.
+ default: trusted-ca
+ - name: ca-trust-config-map-key
+ type: string
+ description: The name of the key in the ConfigMap that contains the CA bundle data.
+ default: ca-bundle.crt
 results:
 - name: TEST_OUTPUT
 description: Tekton task test output.
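Review bot: Renaming `INPUT`, `FAIL_UNSIGNED` and `WORKDIR` to `image-url`, `fail-unsigned` and `workdir` inside the existing 0.1 task directory changes the task's interface in place; any pipeline already passing `params.INPUT` to this version will presumably be rejected by Tekton as an undeclared parameter once this lands. If the kebab-case names are wanted, the layout this repository already uses for generate-odcs-compose suggests a new 0.2 directory with 0.1 left untouched. Separately, the new `description: "AppStudio container image"` drops the fact that the value is a reference to the image, which the README row for `image-url` still states; `description: "A reference to the container image to scan"` would keep the two consistent. The two new `ca-trust-*` descriptions could also say that the ConfigMap is resolved in the namespace the TaskRun executes in and that its absence is tolerated, if that is the intended contract.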
@@ -26,36 +34,47 @@ spec:
 volumes:
 - name: workdir
 emptyDir: {}
+ - name: trusted-ca
+ configMap:
+ name: $(params.ca-trust-config-map-name)
+ items:
+ - key: $(params.ca-trust-config-map-key)
+ path: ca-bundle.crt
+ optional: true
 steps:
 - name: rpms-signature-scan
- image: quay.io/redhat-appstudio/tools@sha256:463b8b97125285e93201a2c858bdf1fb1a3f4f6b23247ff44bec3f6fb926fdbb
+ image: quay.io/redhat-appstudio/tools@sha256:130dbe49cc76ff4457cb53916a32b6b1330d86feeb95beaa3b443fd8ac5b47fa
 volumeMounts:
 - name: workdir
- mountPath: "$(params.WORKDIR)"
+ mountPath: "$(params.workdir)"
+ - name: trusted-ca
+ mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+ subPath: ca-bundle.crt
+ readOnly: true
 env:
- - name: INPUT
- value: "$(params.INPUT)"
+ - name: IMAGE_URL
+ value: "$(params.image-url)"
 - name: FAIL_UNSIGNED
- value: "$(params.FAIL_UNSIGNED)"
+ value: "$(params.fail-unsigned)"
 - name: WORKDIR
- value: "$(params.WORKDIR)"
+ value: "$(params.workdir)"
 script: |
 #!/bin/bash
 set -ex
 set -o pipefail
 rpm_verifier \
- --input "${INPUT}" \
+ --input "${IMAGE_URL}" \
 --fail-unsigned "${FAIL_UNSIGNED}" \
 --workdir "${WORKDIR}" \
 - name: output-results
 image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c
 volumeMounts:
 - name: workdir
- mountPath: "$(params.WORKDIR)"
+ mountPath: "$(params.workdir)"
 env:
 - name: WORKDIR
- value: "$(params.WORKDIR)"
+ value: "$(params.workdir)"
 script: |
 #!/bin/bash
 set -ex
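Review bot: The new `trusted-ca` volume is `optional: true`, so a mistyped `ca-trust-config-map-name`, a missing key, or a namespace without the default `trusted-ca` ConfigMap leaves `/etc/pki/tls/certs/ca-custom-bundle.crt` absent and the scan silently proceeds without the custom bundle; nothing in the `rpms-signature-scan` script notices. Whether `rpm_verifier` in the new tools image actually consults that path is not visible in this hunk, so making the outcome observable in the run log is worthwhile: after `set -o pipefail`, add `[ -s /etc/pki/tls/certs/ca-custom-bundle.crt ] || echo "no custom CA bundle mounted; using image defaults"`. The `readOnly: true` plus `subPath` mount is the right shape for a trust bundle, and routing `$(params.image-url)` through the `IMAGE_URL` env var rather than into the script text keeps the parameter out of shell parsing. A comment above the new volume such as `# Custom CA bundle for the scan; a missing ConfigMap is tolerated (optional: true)` would record the intent for the next reader.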