You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat: corporate CA trust for pipeline git-clone from internal hosts (#142)
* feat: corporate CA trust for pipeline git-clone from internal hosts
Add support for the git-clone task to trust corporate/internal CA
certificates when cloning from private Git servers (e.g. GitLab behind
a corporate CA).
Supply-chain chart:
- Add conditional ssl-ca-directory workspace to pipeline and
pipelinerun templates (gated by git.sslCABundle.enabled)
- Add git.sslCABundle values (enabled, configMapName) defaulting to
the ztvp-trusted-ca ConfigMap
- Set CRT_FILENAME param so git-clone finds the CA bundle file
ztvp-certificates chart:
- Auto-detect internal Git hosts via customCA.remoteHosts: the
extraction Job connects to the host on port 443, extracts the full
CA chain from the TLS handshake, and merges it into the bundle
- Distribute ztvp-trusted-ca to the pipeline namespace via the
targetNamespaces list
Generator (gen-feature-variants.py):
- Auto-enable git.sslCABundle and customCA.remoteHosts when --git-repo
points to a non-public host (not github.com/gitlab.com/bitbucket.org)
- Add git.sslCABundle.enabled to the protected-repos feature fragment
and to the commented-out overrides in the base values-hub.yaml
values-hub.yaml:
- Replace hand-edited file with gen-feature-variants output for
consistent indentation and complete feature composition
Documentation:
- Add "Corporate CA trust for internal Git hosts" section to
docs/supply-chain.md covering enablement, auto-extraction, and
manual CA provisioning alternatives
Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: trim username in git-credentials to handle trailing newlines
Signed-off-by: Manuel Lorenzo <mlorenzofr@redhat.com>
* fix: address PR review feedback
- Skip SSL CA bundle workspace/params when authType is SSH (not needed
for SSH connections to git)
- Add hostname validation in _parse_git_repo_url() to fail early on
malformed URLs
Signed-off-by: Min Zhang <minzhang@redhat.com>
* fix: update ExternalSecret API version from v1beta1 to v1
The External Secrets Operator no longer serves v1beta1; only v1 is
available on the cluster, causing supply-chain sync failures.
Signed-off-by: Min Zhang <minzhang@redhat.com>
* docs: mention Vault JWT roles that must be uncommented for supply chain
The supply-chain doc lists values-hub.yaml sections to uncomment but
did not mention overrides/values-vault-jwt.yaml. Without the rhtpa and
supply-chain JWT roles, RHTPA and the pipeline SA cannot authenticate
to Vault via SPIFFE.
Signed-off-by: Min Zhang <minzhang@redhat.com>
* docs: add repo-server restart guidance for post-install custom CA
When a custom CA is added after the pattern is already deployed, the
ArgoCD repo-server init container will not re-run to pick up the
updated trusted-ca-bundle. Document the rollout restart workaround
and broaden the x509 troubleshooting entry to cover Gitea and other
self-hosted Git servers beyond GitLab.
Signed-off-by: Min Zhang <minzhang@redhat.com>
* docs: decouple corporate CA trust from protected repositories
The corporate CA trust configuration was nested as step 4 under
"Protected Repositories", implying it only applies to private repos.
In reality these are orthogonal concerns -- a public repo on an
internal Git server behind a corporate CA also needs CA trust without
any git credentials.
Promote "Corporate CA Trust for Internal Git Hosts" to its own
top-level section, split the combined "How it works" block, and add
bidirectional cross-references. Also fix the duplicate SSH mode
PipelineRun YAML and add ssl-ca-directory guidance to the Web Console
instructions.
Signed-off-by: Min Zhang <minzhang@redhat.com>
---------
Signed-off-by: Min Zhang <minzhang@redhat.com>
Signed-off-by: Manuel Lorenzo <mlorenzofr@redhat.com>
Co-authored-by: Manuel Lorenzo <mlorenzofr@redhat.com>
Copy file name to clipboardExpand all lines: docs/supply-chain.md
+45Lines changed: 45 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,6 +18,11 @@ In this project, we used the [qtodo](https://github.com/validatedpatterns-demos/
18
18
> *`applications.noobaa-mcg` — NooBaa MCG object storage (required by Quay and RHTPA)
19
19
> *`subscriptions.odf` and `subscriptions.quay-operator` and their namespace entries
20
20
>
21
+
> Additionally, uncomment the following Vault JWT roles in `overrides/values-vault-jwt.yaml` so that RHTPA and the pipeline ServiceAccount can authenticate to Vault via SPIFFE:
22
+
>
23
+
> *`rhtpa` role — allows RHTPA to read its OIDC credentials from Vault
24
+
> *`supply-chain` role — allows the Tekton pipeline ServiceAccount to read git credentials, registry credentials, and RHTPA OIDC secrets from Vault
25
+
>
21
26
> If you prefer to use an external image registry instead of Quay, skip the Quay and NooBaa sections and set the registry parameters in the `supply-chain` application overrides accordingly.
22
27
23
28
## Components
@@ -267,6 +272,7 @@ Once the supply-chain application has synced in ArgoCD, start the pipeline using
267
272
* For **git-auth**, the binding depends on the authentication mode (see [How it works](#how-it-works) for details):
268
273
* **HTTPS mode**: select `Secret` and the name of the secret is `qtodo-git-credentials`. The `git-clone` ClusterTask's `basic-auth` workspace requires the secret to be provided explicitly; ServiceAccount-level credential injection alone is not sufficient for HTTPS.
269
274
* **SSH mode**: leave **git-auth** unbound (empty). SSH credentials are injected automatically via the `pipeline` ServiceAccount. Binding the workspace directly causes the `git-clone` ClusterTask's `prepare.sh` to run a recursive `chmod` on the copied secret volume, which fails on the read-only Kubernetes projected volume symlinks.
275
+
* For **ssl-ca-directory** (HTTPS mode with internal Git hosts only): if `git.sslCABundle.enabled` is `true`, select `ConfigMap` and the name is `ztvp-trusted-ca`. This is only needed when cloning over HTTPS from a Git server behind a corporate or self-signed CA (see [Corporate CA Trust for Internal Git Hosts](#corporate-ca-trust-for-internal-git-hosts)).
270
276
271
277
5. Press **Start** to finish and run the pipeline.
272
278
@@ -299,6 +305,10 @@ spec:
299
305
- name: git-auth
300
306
secret:
301
307
secretName: qtodo-git-credentials
308
+
# Add this workspace when git.sslCABundle.enabled is true (internal Git hosts):
309
+
# - name: ssl-ca-directory
310
+
# configMap:
311
+
# name: ztvp-trusted-ca
302
312
```
303
313
304
314
**SSH mode** (leave `git-auth` unbound):
@@ -476,6 +486,41 @@ When `git.credentials.enabled` is `true`:
476
486
* **SSH mode**: the `git-auth` workspace must be left **unbound**. SSH credentials are injected automatically via the ServiceAccount. Binding the workspace triggers the `git-clone` ClusterTask's `prepare.sh`, which runs a recursive `chmod` on the copied secret volume; this fails on the read-only Kubernetes projected volume symlinks and aborts the step.
477
487
* The Vault policy `hub-supply-chain-jwt-secret` grants read access to `secret/data/hub/supply-chain/*` for the pipeline's SPIFFE identity.
478
488
489
+
> [!NOTE]
490
+
> If your internal Git server also uses a corporate or self-signed CA, see [Corporate CA Trust for Internal Git Hosts](#corporate-ca-trust-for-internal-git-hosts) to configure TLS trust.
491
+
492
+
### Corporate CA Trust for Internal Git Hosts
493
+
494
+
This section applies whenever the pipeline clones from a Git server whose TLS certificate is signed by a corporate or self-signed CA, regardless of whether the repository is private. It is only relevant for HTTPS clones; SSH connections do not use TLS certificate verification.
495
+
496
+
> [!NOTE]
497
+
> Public Git hosts (github.com, gitlab.com) use publicly trusted certificates and do not require this. If the repository is also private, combine these settings with the [Protected Repositories](#protected-repositories) configuration above.
498
+
499
+
When a repository is hosted on an internal Git server (e.g. GitLab behind a corporate CA), the `git-clone` task will fail with `SSL certificate problem: self-signed certificate in certificate chain` because the pod does not trust the corporate CA.
500
+
501
+
The `ztvp-certificates` chart already extracts and distributes the cluster's CA bundle (ingress, service, and any custom/corporate CAs). When the `supply-chain` feature is enabled, the `ztvp-trusted-ca` ConfigMap is automatically distributed to the pipeline namespace (`layered-zero-trust-hub`) via ACM policy.
502
+
503
+
To make the `git-clone` task use this CA bundle, enable the SSL CA bundle mount in the `supply-chain` application overrides:
504
+
505
+
```yaml
506
+
- name: git.sslCABundle.enabled
507
+
value: "true"
508
+
```
509
+
510
+
This binds the `ztvp-trusted-ca` ConfigMap as the `ssl-ca-directory` workspace on the `git-clone` task and sets the `CRT_FILENAME` parameter to `tls-ca-bundle.pem` (matching the key in the ConfigMap). The upstream `git-clone` ClusterTask uses this file to set `GIT_SSL_CAPATH`, so TLS verification succeeds against internal Git servers.
511
+
512
+
The corporate CA must be included in the `ztvp-trusted-ca` bundle. The easiest way is to use **automatic remote host extraction** -- add the Git host to `customCA.remoteHosts` in the `ztvp-certificates` overrides:
513
+
514
+
```yaml
515
+
# ztvp-certificates overrides in values-hub.yaml
516
+
- name: customCA.remoteHosts[0]
517
+
value: "gitlab.internal.example.com"
518
+
```
519
+
520
+
The `ztvp-certificates` extraction Job will connect to the host on port 443, extract the full CA chain from the TLS handshake (no authentication needed), and merge it into the CA bundle. The CronJob keeps it fresh automatically.
521
+
522
+
Alternatively, you can provide the CA certificate manually via `customCA.secretRef` or `customCA.additionalCertificates`. See the [ztvp-certificates documentation](./ztvp-certificates.md) for details.
523
+
479
524
### Init task (pre-flight image check)
480
525
481
526
The pipeline includes an `init` task that runs before `git-clone`. It uses `skopeo inspect` to check whether the target image already exists in the registry. If the image exists (and `rebuild` is not set to `"true"`), the pipeline skips the build. This avoids unnecessary rebuilds and is modeled after the [RHTAP sample pipelines](https://github.com/konflux-ci/build-definitions).
0 commit comments