thoth-station/helm-charts

Remove the TLS workspace workaround from the build pipeline

Opened this issue · 6 comments

In order to make TLS verification work (#13), a workaround was introduced to use an additional workspace.

In theory this should not be necessary, as the platform should inject the necessary CA certificates into the pods so that they can securely communicate.

More info

Pushing to the internal OpenShift registry requires using the service CA certificates.

An earlier version of the upstream buildah task in the Tekton catalog used the same trick as #32:

https://github.com/tektoncd/catalog/blob/6e2659db334d3e7d6fec0fdc7f31aa3dd1d4af18/task/buildah/0.3/buildah.yaml#L83

    - name: push
      image: $(params.BUILDER_IMAGE)
      workingDir: $(workspaces.source.path)
      script: |
        [[ "$(params.SKIP_PUSH)" == "true" ]] && echo "Push skipped" && exit 0
        [[ "$(workspaces.sslcertdir.bound)" == "true" ]] && CERT_DIR_FLAG="--cert-dir $(workspaces.sslcertdir.path)"
        buildah ${CERT_DIR_FLAG} --storage-driver=$(params.STORAGE_DRIVER) push \
          $(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \
          --digestfile $(workspaces.source.path)/image-digest $(params.IMAGE) \
          docker://$(params.IMAGE)
      volumeMounts:
      - name: varlibcontainers
        mountPath: /var/lib/containers
      securityContext:
        privileged: true

A later version of that task (e.g. the current buildah ClusterTask in OpenShift Pipelines) does not use that trick. Instead, a volume and an environment variable are injected so that buildah push works out of the box.
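As an added illustration of the "no extra workspace" approach (this is example code written for this issue, not the project's pipeline nor the upstream buildah task), the step below stages the CA that the platform already injects into the pod where buildah looks for per-registry certificates, and only emits a --cert-dir flag when a CA is really present. It assumes the service CA path /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt, the internal registry host image-registry.openshift-image-registry.svc:5000, and the containers certs.d layout (<root>/<registry>/ca.crt); none of these are stated in the issue.

```shell
#!/bin/sh
# Added example for this issue; not code from thoth-station/helm-charts or from
# the upstream buildah task. It shows the "no extra workspace" approach: the
# build step picks up the CA the platform already injects into the pod and
# stages it where buildah looks for per-registry certificates.
#
# Assumptions (none of these come from the issue text):
#   - OpenShift injects the service CA into every pod at
#     /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
#   - the internal registry is image-registry.openshift-image-registry.svc:5000
#   - buildah/skopeo read <certs-root>/<registry-host:port>/ca.crt
#     (the containers certs.d layout; the default root is /etc/containers/certs.d)

SERVICE_CA_DEFAULT=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
REGISTRY_DEFAULT=image-registry.openshift-image-registry.svc:5000

# stage_service_ca CERTS_ROOT [SERVICE_CA] [REGISTRY]
# Copies SERVICE_CA to CERTS_ROOT/REGISTRY/ca.crt and prints the resulting path.
# Exit status: 0 staged, 1 CA file missing or empty, 2 file is not a PEM
# certificate, 3 destination could not be written.
stage_service_ca() {
    certs_root=$1
    service_ca=${2:-$SERVICE_CA_DEFAULT}
    registry=${3:-$REGISTRY_DEFAULT}
    dest_dir="$certs_root/$registry"

    if [ ! -s "$service_ca" ]; then
        echo "stage_service_ca: no service CA at $service_ca" >&2
        return 1
    fi
    # Refuse to stage something that is not a certificate: a wrong file here
    # would not weaken TLS, but it would make every push fail confusingly.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$service_ca"; then
        echo "stage_service_ca: $service_ca is not a PEM certificate" >&2
        return 2
    fi

    mkdir -p "$dest_dir" && cp "$service_ca" "$dest_dir/ca.crt" || return 3
    chmod 0644 "$dest_dir/ca.crt"
    echo "$dest_dir/ca.crt"
}

# cert_dir_flag CERTS_ROOT REGISTRY
# Prints "--cert-dir <dir>" only when a CA is actually staged there. Unlike the
# "is the workspace bound" check in the catalog task, a missing CA yields an
# empty flag and a non-zero status, so a caller can stop before the push rather
# than discover the missing CA as a TLS error.
cert_dir_flag() {
    [ -s "$1/$2/ca.crt" ] || return 1
    printf -- '--cert-dir %s' "$1/$2"
}

# Usage in a Task step (illustrative). With the default root below the flag is
# not even needed, because buildah scans /etc/containers/certs.d on its own:
#   stage_service_ca /etc/containers/certs.d >/dev/null || exit 1
#   buildah push --tls-verify=true "$IMAGE" "docker://$IMAGE"
```

The point of the two functions is that verification stays enabled in every branch: if the injected CA is absent, the step fails before pushing instead of silently dropping the certificate directory.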

Acceptance criteria

  • Compare how the buildah ClusterTask and the catalog buildah task handle TLS certificates, to see the difference.
  • No extra workspace for manually managing TLS certificates is used in the pipelines.

goern commented

/triage needs-information
/sig user-experience

/wg cnbi

@codificat: The label(s) wg/cnbi cannot be applied, because the repository doesn't have them.

In response to this:

/wg cnbi

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

/wg cnbi

We just need to test that it works, if I read the linked issues correctly?

/triage accepted
Story point: 3pt