konflux-ci · mmorhun · Sep 19, 2024 · Sep 19, 2024 · Sep 19, 2024 · Sep 19, 2024
@@ -21,7 +21,7 @@ spec:
       description: Directory to write the result .repo files.
   steps:
     - name: generate-odcs-compose
-      image: quay.io/redhat-appstudio/tools@sha256:463b8b97125285e93201a2c858bdf1fb1a3f4f6b23247ff44bec3f6fb926fdbb
+      image: quay.io/redhat-appstudio/tools@sha256:130dbe49cc76ff4457cb53916a32b6b1330d86feeb95beaa3b443fd8ac5b47fa
       env:
         - name: CLIENT_ID
           valueFrom:

@@ -21,7 +21,7 @@ spec:
       description: Directory to write the result .repo files.
   steps:
     - name: generate-odcs-compose
-      image: quay.io/redhat-appstudio/tools@sha256:463b8b97125285e93201a2c858bdf1fb1a3f4f6b23247ff44bec3f6fb926fdbb
+      image: quay.io/redhat-appstudio/tools@sha256:130dbe49cc76ff4457cb53916a32b6b1330d86feeb95beaa3b443fd8ac5b47fa
       env:
         - name: CLIENT_ID
           valueFrom:

@@ -3,19 +3,19 @@
 ## Description:
 This tasks scans RPMs in an image and provide information about RPMs signatures.
 
-It can be used in two modes. Depending on the value of parameter `FAIL_UNSIGNED`, it
+It can be used in two modes. Depending on the value of parameter `fail-unsigned`, it
 will either fail any run that find unsigned RPMs, or only report its finding without
 failing (the latter is useful when running inside a build pipeline which tests the use of RPMs before their official release).
 
 ## Params:
 
-| Name            | Description                                                       | Defaults  |
-|-----------------|-------------------------------------------------------------------|-----------|
-| IMAGE           | Image used for running the tasks's script                         |           |
-| INPUT           | A reference to a container image                                  |           |
-| FAIL_UNSIGNED   | [true \| false] If true fail if unsigned RPMs were found          | false     |
-| WORKDIR         | Directory for storing temporary files                             |           |
-
+| Name                     | Description                                                            | Defaults      | Required |
+|--------------------------|------------------------------------------------------------------------|---------------|----------|
+| image-url                | A reference to a container image                                       |               | true     |
+| fail-unsigned            | [true \| false] If true fail if unsigned RPMs were found               | false         | false    |
+| workdir                  | Directory for storing temporary files                                  | /tmp          | false    |
+| ca-trust-config-map-name | The name of the ConfigMap to read CA bundle data from.                 | trusted-ca    | false    |
+| ca-trust-config-map-key  | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | false    |
 
 ## Results:
 

@@ -5,19 +5,27 @@ metadata:
   name: rpms-signature-scan
 spec:
   params:
-    - name: INPUT
+    - name: image-url
       type: string
-      description: "AppStudio snapshot or a reference to a container image"
-    - name: FAIL_UNSIGNED
+      description: "AppStudio container image"
+    - name: fail-unsigned
       type: string
       description: "[true | false] If true fail if unsigned RPMs were found"
       default: "false"
-    - name: WORKDIR
+    - name: workdir
       type: string
       default: /tmp
       description: |
         Directory that will be used for storing temporary
         files produced by this task.
+    - name: ca-trust-config-map-name
+      type: string
+      description: The name of the ConfigMap to read CA bundle data from.
+      default: trusted-ca
+    - name: ca-trust-config-map-key
+      type: string
+      description: The name of the key in the ConfigMap that contains the CA bundle data.
+      default: ca-bundle.crt
   results:
     - name: TEST_OUTPUT
       description: Tekton task test output.
@@ -26,36 +34,47 @@ spec:
   volumes:
     - name: workdir
       emptyDir: {}
+    - name: trusted-ca
+      configMap:
+        name: $(params.ca-trust-config-map-name)
+        items:
+          - key: $(params.ca-trust-config-map-key)
+            path: ca-bundle.crt
+        optional: true
   steps:
     - name: rpms-signature-scan
-      image: quay.io/redhat-appstudio/tools@sha256:463b8b97125285e93201a2c858bdf1fb1a3f4f6b23247ff44bec3f6fb926fdbb
+      image: quay.io/redhat-appstudio/tools@sha256:130dbe49cc76ff4457cb53916a32b6b1330d86feeb95beaa3b443fd8ac5b47fa
       volumeMounts:
         - name: workdir
-          mountPath: "$(params.WORKDIR)"
+          mountPath: "$(params.workdir)"
+        - name: trusted-ca
+          mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+          subPath: ca-bundle.crt
+          readOnly: true
       env:
-        - name: INPUT
-          value: "$(params.INPUT)"
+        - name: IMAGE_URL
+          value: "$(params.image-url)"
         - name: FAIL_UNSIGNED
-          value: "$(params.FAIL_UNSIGNED)"
+          value: "$(params.fail-unsigned)"
         - name: WORKDIR
-          value: "$(params.WORKDIR)"
+          value: "$(params.workdir)"
       script: |
         #!/bin/bash
         set -ex
         set -o pipefail
 
         rpm_verifier \
-          --input "${INPUT}" \
+          --input "${IMAGE_URL}" \
           --fail-unsigned "${FAIL_UNSIGNED}" \
           --workdir "${WORKDIR}" \
     - name: output-results
       image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c
       volumeMounts:
         - name: workdir
-          mountPath: "$(params.WORKDIR)"
+          mountPath: "$(params.workdir)"
       env:
         - name: WORKDIR
-          value: "$(params.WORKDIR)"
+          value: "$(params.workdir)"
       script: |
         #!/bin/bash
         set -ex