-
Notifications
You must be signed in to change notification settings - Fork 20
SHIP-0042: Trusted certificates #281
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
openshift-merge-bot
merged 1 commit into
shipwright-io:main
from
sayan-biswas:certificates
Mar 10, 2026
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,157 @@ | ||
| --- | ||
| title: trusted-certificates | ||
| authors: | ||
| - "@sayan-biswas" | ||
| reviewers: | ||
| - TBD | ||
| approvers: | ||
| - TBD | ||
| creation-date: 2025-11-11 | ||
| last-updated: 2025-12-11 | ||
| status: provisional | ||
| see-also: | ||
| replaces: | ||
| superseded-by: [] | ||
| --- | ||
|
|
||
| # SHIP-0042: Trusted Certificates | ||
|
|
||
| ## Release Signoff Checklist | ||
|
|
||
| - [ ] Enhancement is `implementable` | ||
| - [ ] Design details are appropriately documented from clear requirements | ||
| - [ ] Test plan is defined | ||
| - [ ] Graduation criteria for dev preview, tech preview, GA | ||
| - [ ] User-facing documentation is created in [docs](/docs/) | ||
|
|
||
| ## Open Questions [optional] | ||
|
|
||
|
|
||
| ## Summary | ||
|
|
||
| This proposal aims to enhance Shipwright by allowing users to add user certificates in the build container's | ||
| system trust store by extending the Build APIs to let user define a list of Kubernetes Secrets/ConfigMaps, which will | ||
| hold the certificate data and will be added to the trust store. | ||
| This capability is essential for scenarios requiring access to external resources like self-signed | ||
| certificates for Git/image registries or other necessary build artifacts, independent of BuildStrategy | ||
| definitions, overcoming a current limitation where all volumes must be pre-defined or overridable via the strategy. | ||
|
|
||
| ## Motivation | ||
|
|
||
| Currently, Shipwright Builds face challenges when needing to utilize resources like self-signed | ||
| certificates for interacting with private Git repositories or image registries. | ||
|
|
||
| ### Goals | ||
|
|
||
| - Extend `Build` and `BuildRun` resources API to declare a Secrets/ConfigMaps that holds certificate data. | ||
| - Ensure these certificates are loaded and accessible to all primary containers involved | ||
| in executing the build steps throughout the lifecycle of the build's execution Pod. | ||
|
|
||
| ### Non-Goals | ||
|
|
||
| What is out of scope for this proposal? | ||
| Although users can create their own ConfigMap and Secret with the certificates data, we have few options which automate this distribution of trust anchors: | ||
| - Using [TrustManager](https://cert-manager.io/docs/trust/trust-manager/) generate trust bundle and mount it in workload during reconciliation. | ||
| - Use [Cluster trust bundles](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#cluster-trust-bundles) and [clusterTrustBundle projected volumes](https://kubernetes.io/docs/concepts/storage/projected-volumes/#clustertrustbundle) to mount it in workload. | ||
|
|
||
| ## Proposal | ||
|
|
||
| ### User Stories | ||
|
|
||
| #### Using self-signed certificates | ||
|
|
||
| As a user, I want to use Git repositories or image registries that are secured with self-signed | ||
| certificates. These certificates need to be accessible by the build process, potentially across | ||
| multiple steps (e.g., source cloning, image push/pull). | ||
|
|
||
| ### Implementation Notes | ||
|
|
||
| The current BuildRun APIs will be extended to support a list of certificates accepted as kubernetes Secret | ||
| resources that should be loaded in the container's trust store. | ||
|
|
||
| ```yaml | ||
| apiVersion: shipwright.io/v1beta1 # Ensure this is the correct API group | ||
| kind: Build | ||
| metadata: | ||
| namespace: test | ||
| # ... | ||
| spec: | ||
| # ... | ||
| caBundle: # can define either a secret or a configmap | ||
| secret: | ||
| name: gitea-tls # name of the secret in the same namespace that holds the CA data | ||
| key: tls.crt # key in the secret data to look for. We don't want to mount every key | ||
| configMap: | ||
| name: gitea-tls # name of the secret in the same namespace that holds the CA data | ||
| key: tls.crt # key in the secret data to look for. We don't want to mount every key | ||
| ``` | ||
|
|
||
| The CA bundle will be mounted on common locations is linux distributions. | ||
| Reference: https://go.dev/src/crypto/x509/root_linux.go | ||
| ```text | ||
| "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc | ||
| "/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL | ||
| ``` | ||
|
|
||
| Consideration for mount point: | ||
| - Certificate defines a CA Bundle. | ||
| - User should provide the CA bundle in a secret or configmap in the same namespace as Build and BuildRun resource. | ||
| - Priority of certificate spec: BuildRun >> Build | ||
| - Use subPath: Sub paths will be used mount for single file injection. This method doesn't support auto-update of when secret is modified. In CI build context, this not relevant. | ||
| - Environment Variables: Mount certain environment variables.. | ||
| - Node.js `NODE_EXTRA_CA_CERTS` | ||
| - Python `REQUESTS_CA_BUNDLE` | ||
| - Openssl `SSL_CERT_FILE` | ||
| - Curl CA bundle `CURL_CA_BUNDLE` | ||
| - Java: Use the jks or pkcs12 target in your trust-manager Bundle spec and mount it to the Java cacerts path `$JAVA_HOME/lib/security/cacerts`. | ||
| - Mount points should not overwrite a symlink. | ||
| - The mounted path will be available as system parameter at `shp-ca-bundle`, so that it can be references in the `BuildRun` resource. | ||
|
|
||
| If a certificate with the same name is defined at multiple levels, the following precedence will apply | ||
| for its definition (e.g., which Secret or ConfigMap to use): | ||
|
|
||
| - `BuildRun.spec.caBundle` (highest precedence) >> `Build.spec.caBundle` | ||
| - For new, directly mounted volumes, a mountPath and subPath must be specified. | ||
| - Volume names to have postfix (hash or randon) to avoid conflict | ||
| - Standard Kubernetes validation for the source secret will apply. | ||
| - A `CABundle` definition can have either Secret and ConfigMap reference. | ||
| - Validation will be done to check if the referenced resource exists in the cluster and namespace. | ||
| - Syntax validation of CA data in the secret/configmap to be done. | ||
|
|
||
| ### Test Plan | ||
|
|
||
| TBD | ||
|
|
||
| ### Release Criteria | ||
|
|
||
| TBD | ||
|
|
||
| #### Upgrade Strategy [if necessary] | ||
|
|
||
| This API change doesn't break any existing functionalities. Upgrade strategy is not relevant. | ||
|
|
||
| ### Risks and Mitigations | ||
|
|
||
| - File injection into the operating system's trust store will replace the existing CA bundle which might have CAs for several public domains. | ||
| - This can be solved by mounting the certificates in common places (different linux distros) which provide to mount user certs and then allow OS to index and place it in the right place. (Requires Pod Lifecycle hook, not available in tekton yet) | ||
| - Instead of replacing the CA bundle in the system, append the content of the new CA to the existing one. (Requires Pod Lifecycle hook, not available in tekton yet) | ||
|
|
||
| ## Drawbacks | ||
|
|
||
| - If we don't want to replace the existing certificate, then we have to mount the system's certificate directory (eg: /etc/ssl/cert) as a volume, since we have ReadOnlyRootFileSystem enabled. | ||
|
|
||
| ## Alternatives | ||
|
|
||
| - Define volumes directly in the Strategy and allow Build to override it. Mount volumes to git and image-push containers and user manages everything from defining secret and mounting it to the correct location. Already proposed in [https://github.com/shipwright-io/community/pull/265] | ||
|
|
||
| ## Infrastructure Needed [optional] | ||
|
|
||
| Use this section if you need things from the project. Examples include a new subproject, repos | ||
| requested, GitHub details, and/or testing infrastructure. | ||
|
|
||
| Listing these here allows the community to get the process for these resources started right away. | ||
|
|
||
| ## Implementation History | ||
|
|
||
| - 2025-11-11: Initial Draft | ||
| - 2026-02-23: Updated Draft | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Feedback for getting this proposal to "implementable" - be specific about our "challenges" by linking to GitHub issues or other documented errors.