159 changes: 159 additions & 0 deletions deploy/crds/shipwright.io_buildruns.yaml
@@ -7598,6 +7598,59 @@ spec:
spec:
description: Spec refers to an embedded build specification
properties:
caBundle:
description: CABundle specifies the Secret or ConfigMap containing
CA certificates to be loaded in workload containers.
properties:
configMap:
description: configMap is a reference (by name) to a ConfigMap's
`data` key.
properties:
key:
description: Key of the entry in the object's `data`
field to be used.
maxLength: 253
minLength: 1
type: string
name:
description: Name is the name of the source object
in the trust namespace.
maxLength: 253
minLength: 1
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
secret:
description: secret is a reference (by name) to a Secret's
`data` key.
properties:
key:
description: Key of the entry in the object's `data`
field to be used.
maxLength: 253
minLength: 1
type: string
name:
description: Name is the name of the source object
in the trust namespace.
maxLength: 253
minLength: 1
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
x-kubernetes-validations:
- message: exactly one of the fields in [configMap secret]
must be set
rule: '[has(self.configMap),has(self.secret)].filter(x,x==true).size()
== 1'
env:
description: Env contains additional environment variables
that should be passed to the build container
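Review bot: the `name` descriptions in this hunk place the referenced object "in the trust namespace", while the docs/build.md change in this same pull request says the `ConfigMap` or `Secret` is read from the build namespace; one of the two is wrong, and the CRD text is what `kubectl explain` will show users. Suggest `description: Name is the name of the source object in the build's namespace.` if that is what the controller looks up. The same sentence appears in the other two copies in this file and in deploy/crds/shipwright.io_builds.yaml, so the fix belongs on the Go type the schema is generated from rather than in the YAML.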
@@ -10244,6 +10297,59 @@ spec:
- strategy
type: object
type: object
caBundle:
description: CABundle specifies the Secret or ConfigMap containing
CA certificates to be loaded in workload containers.
properties:
configMap:
description: configMap is a reference (by name) to a ConfigMap's
`data` key.
properties:
key:
description: Key of the entry in the object's `data` field
to be used.
maxLength: 253
minLength: 1
type: string
name:
description: Name is the name of the source object in the
trust namespace.
maxLength: 253
minLength: 1
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
secret:
description: secret is a reference (by name) to a Secret's `data`
key.
properties:
key:
description: Key of the entry in the object's `data` field
to be used.
maxLength: 253
minLength: 1
type: string
name:
description: Name is the name of the source object in the
trust namespace.
maxLength: 253
minLength: 1
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
x-kubernetes-validations:
- message: exactly one of the fields in [configMap secret] must be
set
rule: '[has(self.configMap),has(self.secret)].filter(x,x==true).size()
== 1'
env:
description: Env contains additional environment variables that should
be passed to the build container
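Review bot: `key` is only constrained by `minLength`/`maxLength` here, but Kubernetes only accepts ConfigMap and Secret data keys made of alphanumerics, `-`, `_` and `.`, so adding a `pattern` to the `key` field would reject a typo such as a key with a space at admission time instead of surfacing it as a reconcile failure on the Build. The descriptions also alternate between lower-case (`configMap is a reference`) and capitalised (`Key of the entry`) openings; pick one style for the generated schema.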
@@ -12713,6 +12819,59 @@ spec:
buildSpec:
description: BuildSpec is the Build Spec of this BuildRun.
properties:
caBundle:
description: CABundle specifies the Secret or ConfigMap containing
CA certificates to be loaded in workload containers.
properties:
configMap:
description: configMap is a reference (by name) to a ConfigMap's
`data` key.
properties:
key:
description: Key of the entry in the object's `data` field
to be used.
maxLength: 253
minLength: 1
type: string
name:
description: Name is the name of the source object in
the trust namespace.
maxLength: 253
minLength: 1
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
secret:
description: secret is a reference (by name) to a Secret's
`data` key.
properties:
key:
description: Key of the entry in the object's `data` field
to be used.
maxLength: 253
minLength: 1
type: string
name:
description: Name is the name of the source object in
the trust namespace.
maxLength: 253
minLength: 1
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
x-kubernetes-validations:
- message: exactly one of the fields in [configMap secret] must
be set
rule: '[has(self.configMap),has(self.secret)].filter(x,x==true).size()
== 1'
env:
description: Env contains additional environment variables that
should be passed to the build container
53 changes: 53 additions & 0 deletions deploy/crds/shipwright.io_builds.yaml
@@ -2643,6 +2643,59 @@ spec:
spec:
description: BuildSpec defines the desired state of Build
properties:
caBundle:
description: CABundle specifies the Secret or ConfigMap containing
CA certificates to be loaded in workload containers.
properties:
configMap:
description: configMap is a reference (by name) to a ConfigMap's
`data` key.
properties:
key:
description: Key of the entry in the object's `data` field
to be used.
maxLength: 253
minLength: 1
type: string
name:
description: Name is the name of the source object in the
trust namespace.
maxLength: 253
minLength: 1
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
secret:
description: secret is a reference (by name) to a Secret's `data`
key.
properties:
key:
description: Key of the entry in the object's `data` field
to be used.
maxLength: 253
minLength: 1
type: string
name:
description: Name is the name of the source object in the
trust namespace.
maxLength: 253
minLength: 1
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
x-kubernetes-validations:
- message: exactly one of the fields in [configMap secret] must be
set
rule: '[has(self.configMap),has(self.secret)].filter(x,x==true).size()
== 1'
env:
description: Env contains additional environment variables that should
be passed to the build container
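Review bot: the `caBundle` description says the object holds "CA certificates to be loaded in workload containers" but not in what format or with what effect; since the docs/build.md hunk mounts the data at `/etc/ssl/certs/ca-certificates.crt`, the description should state that the value is expected to be a PEM-encoded bundle and, if the mount replaces that file as the listed paths suggest, that it becomes the only trust store the workload sees. Readers of `kubectl explain` then know that a bundle holding just a private CA will not trust public endpoints. The same request applies to the three copies in shipwright.io_buildruns.yaml.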
51 changes: 51 additions & 0 deletions docs/build.md
@@ -20,6 +20,7 @@ SPDX-License-Identifier: Apache-2.0
- [Defining the vulnerabilityScan](#defining-the-vulnerabilityscan)
- [Defining Retention Parameters](#defining-retention-parameters)
- [Defining Volumes](#defining-volumes)
- [Defining CA Bundle](#defining-ca-bundle)
- [Defining Step Resources](#defining-step-resources)
- [Defining Triggers](#defining-triggers)
- [GitHub](#github)
@@ -45,6 +46,7 @@ A `Build` resource allows the user to define:
- tolerations
- schedulerName
- runtimeClassName
- caBundle

A `Build` is available within a namespace.

@@ -60,6 +62,7 @@ When the controller reconciles it:
- Validates if the specified `paramValues` exist on the referenced strategy parameters. It also validates if the `paramValues` names collide with the Shipwright reserved names.
- Validates if the container `registry` output secret exists.
- Validates if the referenced `spec.source.git.url` endpoint exists.
- Validates the Secret/ConfigMap referenced in the CA Bundle exists or not and also validates if the data in the referenced Secret/ConfigMap is a valid certificate authority.

## Build Validations

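Review bot: "Validates the Secret/ConfigMap referenced in the CA Bundle exists or not" reads awkwardly and "is a valid certificate authority" is ambiguous; suggest "Validates that the Secret/ConfigMap referenced in `spec.caBundle` exists and that the data under the referenced key is one or more PEM-encoded CA certificates." Say what the check actually does (PEM parsing only, or also the CA basic constraint and expiry), because that decides whether a bundle containing a leaf certificate, or a mix of roots and intermediates, is rejected with CABundleNotValid.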
@@ -108,6 +111,12 @@ To prevent users from triggering `BuildRun`s (_execution of a Build_) that will
| NodeSelectorPlatformConflict | `spec.output.platforms` is set and `spec.nodeSelector` includes `kubernetes.io/os` or `kubernetes.io/arch`. |
| ExecutorNotPipelineRun | *(BuildRun only)* Multi-arch output requires `PipelineRun` executor mode. |
| NodePlatformNotFound | *(BuildRun only)* No schedulable node matches a requested platform (`kubernetes.io/os` / `kubernetes.io/arch`). |
| NodeSelectorNotValid | The specified nodeSelector is not valid. |
| TolerationNotValid | The specified tolerations are not valid. |
| SchedulerNameNotValid | The specified schedulerName is not valid. |
| RuntimeClassNameNotValid | The specified runtimeClassName is not valid. |
| CABundleNotFound | Referenced ConfigMap/Secret does not exists. |
| CABundleNotValid | The data in the referenced ConfigMap/Secret is not a valid certificate authority. |

## Configuring a Build

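Review bot: typo in the CABundleNotFound row, "does not exists" should be "does not exist", and the row should say where the object is looked up (the build's namespace), since a bundle placed in another namespace is the likely cause. The NodeSelectorNotValid, TolerationNotValid, SchedulerNameNotValid and RuntimeClassNameNotValid rows have nothing to do with the CA bundle change; if they document reasons the controller already emits, split them into their own commit so this change stays reviewable.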
@@ -144,6 +153,7 @@ The `Build` definition supports the following fields:
- `spec.schedulerName` - Specifies the scheduler name for the build pod. If schedulerName is specified in both a `Build` and `BuildRun`, `BuildRun` values take precedence.
- `spec.strategy.stepResources` - Allows overriding resource requirements (CPU, memory) for individual steps defined in the `BuildStrategy` or `ClusterBuildStrategy`. Each entry specifies a step name and the resources to use instead of those defined in the strategy. You can overwrite values in the `BuildRun`. See [Defining Step Resources](#defining-step-resources) for more information.
- `spec.runtimeClassName` - Specifies the [RuntimeClass](https://kubernetes.io/docs/concepts/containers/runtime-class/) to be used for the build pod. If runtimeClassName is specified in both a `Build` and `BuildRun`, `BuildRun` values take precedence.
- `spec.caBundle` - Specifies a CA Bundle that is mounted in all the workloads. Either `ConfigMap` or `Secret` can be referenced. The `Key` inside the referenced object also needs to be specified.

### Defining the Source

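Review bot: "The `Key` inside the referenced object" capitalises a field that is `key` in the schema and in the example later in this file; use `key`. "Mounted in all the workloads" is also vaguer than the CRD wording; say "mounted into every container of the build pod" and add that the referenced `ConfigMap` or `Secret` must be in the build's namespace, matching the CABundleNotFound reason above.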
@@ -788,6 +798,47 @@ spec:

See the related [BuildRun documentation](buildrun.md#defining-step-resources) for how to override step resources at the BuildRun level.

### Defining CA Bundle

Using the CA Bundle API, you can mount your own certificate authority, so that any program running in the build workload can use defined CA to establish mutual trust.

CA Bundle can be referenced from a `ConfigMap` or `Secret` in the build namespace.
The `Key` to be used from referenced `ConfigMap` or `Secret` also needs to be defined.

The CA will be mounted in all the containers at the following locations
- /etc/ssl/certs/ca-certificates.crt
- /etc/pki/tls/certs/ca-bundle.crt

The following environment variables will be added in all the containers, with value `/etc/ssl/certs/ca-certificates.crt`
- SSL_CERT_FILE - OS trust store
- NODE_EXTRA_CA_CERTS - Node.js uses this to append additional certificates
- REQUESTS_CA_BUNDLE - Python requests library
- CURL_CA_BUNDLE - curl CA bundle

**Note**: If an environment is already defined, it will not be overwritten.

```yaml
apiVersion: shipwright.io/v1beta1
kind: Build
metadata:
name: buildah-build-with-ca
spec:
output:
image: registry/namespace/image:latest
source:
contextDir: buildah
git:
url: https://gitea.com/admin/samples.git
type: Git
strategy:
kind: ClusterBuildStrategy
name: buildah
caBundle:
secret:
name: ca-bundle
key: ca.crt
```

### Defining Triggers

Using the triggers, you can submit `BuildRun` instances when certain events happen. The idea is to be able to trigger Shipwright builds in an event driven fashion, for that purpose you can watch certain types of events.
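Review bot: the two mount paths `/etc/ssl/certs/ca-certificates.crt` and `/etc/pki/tls/certs/ca-bundle.crt` are where Debian/Ubuntu and RHEL/Fedora based images keep their distribution trust store, so mounting the user's bundle there replaces whatever public roots the image shipped with; the section should say this explicitly and tell users to include the public roots in their bundle when the build also pulls from public registries, mirrors or package repositories, otherwise those TLS connections fail with an unknown-authority error whose cause is not obvious. Two wording points: "establish mutual trust" overstates what a CA bundle does, since it lets programs in the build verify server certificates but provides no client certificate, so "verify servers whose certificates chain to that CA" is accurate; and "If an environment is already defined" should read "If an environment variable is already defined". Minor: put a blank line (and a colon) before each bullet list so every Markdown renderer shows them as lists.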