Feat: Add corporate certificates to Build APIs

# Changes:
- Added APIs to allow user to define custom Root CAs in Build and BuildRun APIs

Signed-off-by: Sayan Biswas <sayan-biswas@live.com>

Author: sayan-biswas

deploy/crds/shipwright.io_buildruns.yaml

@@ -7129,6 +7129,50 @@ spec:
                   spec:
                     description: Spec refers to an embedded build specification
                     properties:
+                      caBundle:
+                        description: CABundle specifies the list certificates to be
+                          loaded in workload containers.
+                        properties:
+                          configMap:
+                            description: |-
+                              configMap is a reference (by name) to a ConfigMap's `data` key(s), or to a
+                              list of ConfigMap's `data` key(s) using label selector, in the namespace.
+                            properties:
+                              key:
+                                description: Key of the entry in the object's `data`
+                                  field to be used.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                              name:
+                                description: Name is the name of the source object
+                                  in the trust namespace.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                            type: object
+                            x-kubernetes-map-type: atomic
+                          secret:
+                            description: |-
+                              secret is a reference (by name) to a Secret's `data` key(s), or to a
+                              list of Secret's `data` key(s) using label selector, in the namespace.
+                            properties:
+                              key:
+                                description: Key of the entry in the object's `data`
+                                  field to be used.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                              name:
+                                description: Name is the name of the source object
+                                  in the trust namespace.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                            type: object
+                            x-kubernetes-map-type: atomic
+                        type: object
+                        x-kubernetes-map-type: atomic
                       env:
                         description: Env contains additional environment variables
                           that should be passed to the build container
@@ -9508,6 +9552,50 @@ spec:
                     - strategy
                     type: object
                 type: object
+              caBundle:
+                description: CABundle specifies the list certificates to be loaded
+                  in workload containers.
+                properties:
+                  configMap:
+                    description: |-
+                      configMap is a reference (by name) to a ConfigMap's `data` key(s), or to a
+                      list of ConfigMap's `data` key(s) using label selector, in the namespace.
+                    properties:
+                      key:
+                        description: Key of the entry in the object's `data` field
+                          to be used.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                      name:
+                        description: Name is the name of the source object in the
+                          trust namespace.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  secret:
+                    description: |-
+                      secret is a reference (by name) to a Secret's `data` key(s), or to a
+                      list of Secret's `data` key(s) using label selector, in the namespace.
+                    properties:
+                      key:
+                        description: Key of the entry in the object's `data` field
+                          to be used.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                      name:
+                        description: Name is the name of the source object in the
+                          trust namespace.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                type: object
+                x-kubernetes-map-type: atomic
               env:
                 description: Env contains additional environment variables that should
                   be passed to the build container
@@ -11710,6 +11798,50 @@ spec:
               buildSpec:
                 description: BuildSpec is the Build Spec of this BuildRun.
                 properties:
+                  caBundle:
+                    description: CABundle specifies the list certificates to be loaded
+                      in workload containers.
+                    properties:
+                      configMap:
+                        description: |-
+                          configMap is a reference (by name) to a ConfigMap's `data` key(s), or to a
+                          list of ConfigMap's `data` key(s) using label selector, in the namespace.
+                        properties:
+                          key:
+                            description: Key of the entry in the object's `data` field
+                              to be used.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                          name:
+                            description: Name is the name of the source object in
+                              the trust namespace.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
+                      secret:
+                        description: |-
+                          secret is a reference (by name) to a Secret's `data` key(s), or to a
+                          list of Secret's `data` key(s) using label selector, in the namespace.
+                        properties:
+                          key:
+                            description: Key of the entry in the object's `data` field
+                              to be used.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                          name:
+                            description: Name is the name of the source object in
+                              the trust namespace.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
+                    type: object
+                    x-kubernetes-map-type: atomic
                   env:
                     description: Env contains additional environment variables that
                       should be passed to the build container

deploy/crds/shipwright.io_builds.yaml

@@ -2486,6 +2486,50 @@ spec:
           spec:
             description: BuildSpec defines the desired state of Build
             properties:
+              caBundle:
+                description: CABundle specifies the list certificates to be loaded
+                  in workload containers.
+                properties:
+                  configMap:
+                    description: |-
+                      configMap is a reference (by name) to a ConfigMap's `data` key(s), or to a
+                      list of ConfigMap's `data` key(s) using label selector, in the namespace.
+                    properties:
+                      key:
+                        description: Key of the entry in the object's `data` field
+                          to be used.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                      name:
+                        description: Name is the name of the source object in the
+                          trust namespace.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  secret:
+                    description: |-
+                      secret is a reference (by name) to a Secret's `data` key(s), or to a
+                      list of Secret's `data` key(s) using label selector, in the namespace.
+                    properties:
+                      key:
+                        description: Key of the entry in the object's `data` field
+                          to be used.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                      name:
+                        description: Name is the name of the source object in the
+                          trust namespace.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                type: object
+                x-kubernetes-map-type: atomic
               env:
                 description: Env contains additional environment variables that should
                   be passed to the build container

pkg/apis/build/v1beta1/build_types.go

@@ -86,6 +86,8 @@ const (
 	RuntimeClassNameNotValid BuildReason = "RuntimeClassNameNotValid"
 	// AllValidationsSucceeded indicates a Build was successfully validated
 	AllValidationsSucceeded = "all validations succeeded"
+	// CABundleReferenceNotFound indicates the referenced Secret or ConfigMap is missing
+	CABundleReferenceNotFound BuildReason = "CABundleReferenceNotFound"
 )
 
 // IgnoredVulnerabilitySeverity is an enum for the possible values for the ignored severity
@@ -202,6 +204,10 @@ type BuildSpec struct {
 	// RuntimeClassName specifies the RuntimeClass to be used to run the Pod
 	// +optional
 	RuntimeClassName *string `json:"runtimeClassName,omitempty"`
+
+	// CABundle specifies the list certificates to be loaded in workload containers.
+	// +optional
+	CABundle *CABundle `json:"caBundle,omitempty"`
 }
 
 // BuildVolume is a volume that will be mounted in build pod during build step

pkg/apis/build/v1beta1/buildrun_types.go

@@ -130,6 +130,10 @@ type BuildRunSpec struct {
 	// RuntimeClassName specifies the RuntimeClass to be used to run the Pod
 	// +optional
 	RuntimeClassName *string `json:"runtimeClassName,omitempty"`
+
+	// CABundle specifies the list certificates to be loaded in workload containers.
+	// +optional
+	CABundle *CABundle `json:"caBundle,omitempty"`
 }
 
 // BuildRunRequestedState defines the buildrun state the user can provide to override whatever is the current state.

pkg/apis/build/v1beta1/cabundle.go

@@ -0,0 +1,34 @@
+// Copyright The Shipwright Contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+package v1beta1
+
+// CABundle is a set of sources whose data will be added to system trust bundle.
+// +structType=atomic
+// +kubebuilder:validation:ExactlyOneOf=configMap;secret
+type CABundle struct {
+	// configMap is a reference (by name) to a ConfigMap's `data` key(s), or to a
+	// list of ConfigMap's `data` key(s) using label selector, in the namespace.
+	// +optional
+	ConfigMap *SourceObjectKeySelector `json:"configMap,omitempty"`
+
+	// secret is a reference (by name) to a Secret's `data` key(s), or to a
+	// list of Secret's `data` key(s) using label selector, in the namespace.
+	// +optional
+	Secret *SourceObjectKeySelector `json:"secret,omitempty"`
+}
+
+// SourceObjectKeySelector is a reference to a source object and its `data` key(s)
+// in the trust namespace.
+// +structType=atomic
+type SourceObjectKeySelector struct {
+	// Name is the name of the source object in the trust namespace.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	Name string `json:"name,omitempty"`
+
+	// Key of the entry in the object's `data` field to be used.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	Key string `json:"key,omitempty"`
+}