feat: RHTAP-4382 Add support for custom root CA for secure connections

This commit introduces the ability to use a custom root CA certificate for secure connections in various scripts. This is achieved by:

- Adding a `CUSTOM_ROOT_CA` variable to the GitHub Actions workflow and `ghub-set-vars` script.
- Implementing an `addRootCert` function in `acs-deploy-check.sh`, `buildah-rhtap.sh`, and `cosign-sign-attest.sh` to install the custom CA certificate if provided.
- Adding support for `CUSTOM_ROOT_CA` in `download-sbom-from-url-in-attestation.sh`
- Updating the templates to include the new variable.

Author: rhopp

generated/source-repo/githubactions/.github/workflows/build-and-update-gitops.yml

@@ -26,6 +26,8 @@ env:
   # NEXUS_IO_CREDS_USR: ${{ vars.NEXUS_IO_CREDS_USR }}
   # Used to verify the image signature and attestation
   COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
+  # Custom Root CA to be used in scripts as trusted
+  CUSTOM_ROOT_CA: ${{ vars.CUSTOM_ROOT_CA }}
   # Secrets
   ROX_API_TOKEN: ${{ secrets.ROX_API_TOKEN }}
   GITOPS_AUTH_PASSWORD: ${{ secrets.GITOPS_AUTH_PASSWORD }}

hack/ghub-set-vars

@@ -63,5 +63,7 @@ set_variable TRUSTIFICATION_OIDC_CLIENT_ID "$TRUSTIFICATION_OIDC_CLIENT_ID"
 set_variable TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "$TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION"
 set_secret TRUSTIFICATION_OIDC_CLIENT_SECRET "$TRUSTIFICATION_OIDC_CLIENT_SECRET"
 
+set_variable CUSTOM_ROOT_CA $CUSTOM_ROOT_CA
+
 echo
 echo "All variables and secrets are set."

rhtap/common.sh

@@ -48,6 +48,14 @@ prepare-registry-user-pass() {
     fi
 }
 
+function addRootCert() {
+    if [ ! -z "$CUSTOM_ROOT_CA" ]; then
+        echo "Using provided CA bundle"
+        echo "$CUSTOM_ROOT_CA" > /etc/pki/ca-trust/source/anchors/ca-bundle.crt
+        update-ca-trust
+    fi
+}
+
 # Performs an image registry login. It takes a single parameter which could be either an image
 # registry, e.g. quay.io, or a full image reference, e.g. quay.io/spam/bacon:crispy.
 function registry-login() {
@@ -81,3 +89,5 @@ export PATH=$PATH:/usr/local/bin
 
 # env.sh comes from the users repo in rhtap/env.sh
 source $DIR/rhtap/env.sh
+
+addRootCert

rhtap/download-sbom-from-url-in-attestation.sh

@@ -40,6 +40,13 @@ source "$SCRIPTDIR"/common.sh
 : "${IGNORE_REKOR=false}"
 : "${TUF_MIRROR=}"
 
+# Import custom certificate if set.
+if [ ! -z "$CUSTOM_ROOT_CA" ]; then
+    echo "Using provided CA bundle"
+    echo "$CUSTOM_ROOT_CA" > /etc/pki/ca-trust/source/anchors/ca-bundle.crt
+    update-ca-trust
+fi
+
 # Set script-local variables
 WORKDIR=$(mktemp -d --tmpdir "download-sbom-workdir.XXXXXX")
 

rhtap/env.template.sh

@@ -11,7 +11,7 @@ export IMAGE=${IMAGE-$IMAGE_URL}
 
 export DOCKERFILE=${DOCKERFILE-${{ values.dockerfile }}}
 export CONTEXT=${CONTEXT-${{ values.buildContext }}}
-export TLSVERIFY=${TLSVERIFY-false}
+export TLSVERIFY=${TLSVERIFY-true}
 export BUILD_ARGS=${BUILD_ARGS-""}
 export BUILD_ARGS_FILE=${BUILD_ARGS_FILE-""}
 
@@ -49,6 +49,8 @@ export EFFECTIVE_TIME=${EFFECTIVE_TIME-now}
 export HOMEDIR=${HOMEDIR-$(pwd)}
 export TUF_MIRROR=${TUF_MIRROR-http://tuf.tssc-tas.svc}
 
+export CUSTOM_ROOT_CA=${CUSTOM_ROOT_CA-""}
+
 # Allow PR to succeed even if TAS vars not configured
 export FAIL_IF_TRUSTIFICATION_NOT_CONFIGURED=false
 

rhtap/upload-sbom-to-trustification.sh

@@ -39,6 +39,13 @@ source "$SCRIPTDIR"/common.sh
 : "${TRUSTIFICATION_OIDC_CLIENT_SECRET=}"
 : "${TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION=}"
 
+# Import custom certificate if set.
+if [ ! -z "$CUSTOM_ROOT_CA" ]; then
+    echo "Using provided CA bundle"
+    echo "$CUSTOM_ROOT_CA" > /etc/pki/ca-trust/source/anchors/ca-bundle.crt
+    update-ca-trust
+fi
+
 # Set script-local variables
 WORKDIR=$(mktemp -d --tmpdir "upload-sbom-workdir.XXXXXX")
 trap 'rm -r "$WORKDIR"' EXIT

templates/data.yaml

@@ -71,6 +71,10 @@ build_variables:
     commented_out: true
     comment: Used to verify the image signature and attestation
 
+  - name: CUSTOM_ROOT_CA
+    comment: Custom Root CA to be used in scripts as trusted
+    optional: true
+
 build_secrets:
   - name: ROX_API_TOKEN