From b5da538ca232464856941824dc5b2cecc9af53c1 Mon Sep 17 00:00:00 2001
From: Gal Ben Haim
Date: Wed, 10 Jan 2024 17:59:07 +0200
Subject: [PATCH] RHTAP-1134: Build service mount RH certs (#3010)

Required for accessing RH Gitlab instance.

Signed-off-by: gbenhaim
---
 .../rh-certs/2015-RH-IT-Root-CA.pem | 25 +++++++++++++
 .../components/rh-certs/2022-IT-Root-CA.pem | 37 +++++++++++++++++++
 .../rh-certs/add-rh-certs-patch.yaml | 30 +++++++++++++++
 .../components/rh-certs/kustomization.yaml | 16 ++++++++
 .../development/kustomization.yaml | 3 ++
 .../stone-stage-p01/kustomization.yaml | 2 +
 6 files changed, 113 insertions(+)
 create mode 100644 components/build-service/components/rh-certs/2015-RH-IT-Root-CA.pem
 create mode 100644 components/build-service/components/rh-certs/2022-IT-Root-CA.pem
 create mode 100644 components/build-service/components/rh-certs/add-rh-certs-patch.yaml
 create mode 100644 components/build-service/components/rh-certs/kustomization.yaml

diff --git a/components/build-service/components/rh-certs/2015-RH-IT-Root-CA.pem b/components/build-service/components/rh-certs/2015-RH-IT-Root-CA.pem
new file mode 100644
index 00000000000..f306f00ff7f
--- /dev/null
+++ b/components/build-service/components/rh-certs/2015-RH-IT-Root-CA.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENDCCAxygAwIBAgIJANunI0D662cnMA0GCSqGSIb3DQEBCwUAMIGlMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
+Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xEzARBgNVBAsMClJlZCBIYXQgSVQx
+GzAZBgNVBAMMElJlZCBIYXQgSVQgUm9vdCBDQTEhMB8GCSqGSIb3DQEJARYSaW5m
+b3NlY0ByZWRoYXQuY29tMCAXDTE1MDcwNjE3MzgxMVoYDzIwNTUwNjI2MTczODEx
+WjCBpTELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYD
+VQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRMwEQYDVQQLDApS
+ZWQgSGF0IElUMRswGQYDVQQDDBJSZWQgSGF0IElUIFJvb3QgQ0ExITAfBgkqhkiG
+9w0BCQEWEmluZm9zZWNAcmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALQt9OJQh6GC5LT1g80qNh0u50BQ4sZ/yZ8aETxt+5lnPVX6MHKz
+bfwI6nO1aMG6j9bSw+6UUyPBHP796+FT/pTS+K0wsDV7c9XvHoxJBJJU38cdLkI2
+c/i7lDqTfTcfLL2nyUBd2fQDk1B0fxrskhGIIZ3ifP1Ps4ltTkv8hRSob3VtNqSo
+GxkKfvD2PKjTPxDPWYyruy9irLZioMffi3i/gCut0ZWtAyO3MVH5qWF/enKwgPES
+X9po+TdCvRB/RUObBaM761EcrLSM1GqHNueSfqnho3AjLQ6dBnPWlo638Zm1VebK
+BELyhkLWMSFkKwDmne0jQ02Y4g075vCKvCsCAwEAAaNjMGEwHQYDVR0OBBYEFH7R
+4yC+UehIIPeuL8Zqw3PzbgcZMB8GA1UdIwQYMBaAFH7R4yC+UehIIPeuL8Zqw3Pz
+bgcZMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB
+CwUAA4IBAQBDNvD2Vm9sA5A9AlOJR8+en5Xz9hXcxJB5phxcZQ8jFoG04Vshvd0e
+LEnUrMcfFgIZ4njMKTQCM4ZFUPAieyLx4f52HuDopp3e5JyIMfW+KFcNIpKwCsak
+oSoKtIUOsUJK7qBVZxcrIyeQV2qcYOeZhtS5wBqIwOAhFwlCET7Ze58QHmS48slj
+S9K0JAcps2xdnGu0fkzhSQxY8GPQNFTlr6rYld5+ID/hHeS76gq0YG3q6RLWRkHf
+4eTkRjivAlExrFzKcljC4axKQlnOvVAzz+Gm32U0xPBF4ByePVxCJUHw1TsyTmel
+RxNEp7yHoXcwn+fXna+t5JWh1gxUZty3
+-----END CERTIFICATE-----
diff --git a/components/build-service/components/rh-certs/2022-IT-Root-CA.pem b/components/build-service/components/rh-certs/2022-IT-Root-CA.pem
new file mode 100644
index 00000000000..dbe10450b7e
--- /dev/null
+++ b/components/build-service/components/rh-certs/2022-IT-Root-CA.pem
@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGcjCCBFqgAwIBAgIFICIEEFwwDQYJKoZIhvcNAQEMBQAwgaMxCzAJBgNVBAYT
+AlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4GA1UEBwwHUmFsZWlnaDEW
+MBQGA1UECgwNUmVkIEhhdCwgSW5jLjETMBEGA1UECwwKUmVkIEhhdCBJVDEZMBcG
+A1UEAwwQSW50ZXJuYWwgUm9vdCBDQTEhMB8GCSqGSIb3DQEJARYSaW5mb3NlY0By
+ZWRoYXQuY29tMCAXDTIzMDQwNTE4MzM0NFoYDzIwNTIwNDAyMTgzMzQ0WjCBozEL
+MAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdS
+YWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRMwEQYDVQQLDApSZWQgSGF0
+IElUMRkwFwYDVQQDDBBJbnRlcm5hbCBSb290IENBMSEwHwYJKoZIhvcNAQkBFhJp
+bmZvc2VjQHJlZGhhdC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+AQCxuloEVglzWXZ9FFFUOSVdpRIB2jW5YBpwgMem2fPZeWIIvrVQ6PL9XNenDOXu
+BHbShD/PApxi/ujSZyOIjLsNh7WDO+0NqpkfTyB9wUYAhx3GTIGY75RSoyZy1yKb
+ZDTKv+rSfui9IlstAMz6L3OQLZES9zAYK8ICiDUwTeNZ7quA6qf0Kam2LyuBc/bl
+BI7WFLOGGWY135P1OUXJgnJUsMhnYMTgvZQyJ2P7eLQpiR8TOr5ZI6CYapiyG64L
+nkr/rsALjSxoUo09Yai1CVO66VFJ/XgMNt3mzQtLDMPXiKUuwsBsgvo4QvLjkXYI
+ii+/YQyQaypsKctG8mefKkTT1kRDKj4LNdTRRgd5tco+b4+O/4upt8mIsx1+tbdM
+LNGEz3Jqd0sj8Fl4Rzus+W+enzXmMfZH86X6bU5tMvueuFd5LV+M9XzliscaEQMK
+EQ7CC72ldrOK2K12Gjb7bu8dKq+aSlNuWK+Gz1NvbwYpaCBYp0JoryvHEq5jrCLP
+lTkuJQ3HaaAf+4LaBm8no9xK2VbDf6l/7Htb5I5LnAAZi0/5TzH07NhHoIeMSmTE
+Ea07i/i5lbhM2qbx6pfLukg24HLCKTdi4Fo6/JqPWH6/3eI55NsoWSmoDdTiLg4v
+1G/rgUVr2N6F36GTYMGqiITvvd4Qm3i9XOTQvsx8RJx4JQIDAQABo4GoMIGlMB0G
+A1UdDgQWBBS1+o3lCnihCZXbTSGGlWpZT0nIizAfBgNVHSMEGDAWgBS1+o3lCnih
+CZXbTSGGlWpZT0nIizAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAR
+BglghkgBhvhCAQEEBAMCAQYwLwYDVR0fBCgwJjAkoCKgIIYeaHR0cDovL29jc3Au
+cmVkaGF0LmNvbS9jcmwucGVtMA0GCSqGSIb3DQEBDAUAA4ICAQCDLaGTS0g2HmMS
+g0i6Z0RVDC7sSnWFgEk2ZO1WUQj5WkFVS7gWxed/mXCzeL2EV1Pd22YKHM1eU1vo
+6b03cbNRXlRGGFksmQeM9h2sVjbP0hRZxqqfI+UW223N8E+qK3wSa8m6nhOfIJie
+DD9s8CdL1VT6l4qq2gR8mVBW7EZ+Ux5u+AMXpN4WPEkcLer2djbfhXoPsJ4r5CcX
+vh7W5rCZbo+0oBI5hrTlG4Tjhv1atqLhMmssjn8NbRrnhrbGF7w8NxFts69GkKDB
+UIXr1pWZSAuRELlIxmvh5ZSX5YTbFmDuTvmNx8RPPy6OY4W1v1BUKp0HyJTi07s2
+8SN+n9htHPHX9XBZctQmOSFLiqhi15LIqI54tR2tSgwH3Z5moh4sy6MuApXstsu4
+qtkII2KZk3SottI8MOS6zqKrU7jPou6ZE0fznNiu23Q3Ksuuj6mBkLVw3bQe68Vm
+NUTDac1oVzc8d5NMbx5kVb4Lahq+SATVFC8NK9G/Pk1AiwO8WhKffySsLeO5nMib
+4BOVq0qFoAi8YCFuJOl9FlH1dPW/TnqlTQMQNhXpzGjU3HV3lr/Mk+ghNgIYcLcz
+pEBsiGwKOVW4nYKIqPLn/36Ao/kfXeAdJhaAZq1SkTbeqNiwHQm3KNHzNObmjD0f
+56vmq8fwQYIcazjrygWiaOnoep/SMw==
+-----END CERTIFICATE-----
diff --git a/components/build-service/components/rh-certs/add-rh-certs-patch.yaml b/components/build-service/components/rh-certs/add-rh-certs-patch.yaml
new file mode 100644
index 00000000000..eaa65daa7a3
--- /dev/null
+++ b/components/build-service/components/rh-certs/add-rh-certs-patch.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: build-service-controller-manager
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ volumeMounts:
+ - name: rh-certs-2015
+ mountPath: /etc/pki/tls/certs/2015-RH-IT-Root-CA.pem
+ subPath: 2015-RH-IT-Root-CA.pem
+ - name: rh-certs-2022
+ mountPath: /etc/pki/tls/certs/2022-IT-Root-CA.pem
+ subPath: 2022-IT-Root-CA.pem
+ volumes:
+ - name: rh-certs-2015
+ configMap:
+ name: rh-certs-2015
+ items:
+ - key: 2015-RH-IT-Root-CA.pem
+ path: 2015-RH-IT-Root-CA.pem
+ - name: rh-certs-2022
+ configMap:
+ name: rh-certs-2022
+ items:
+ - key: 2022-IT-Root-CA.pem
+ path: 2022-IT-Root-CA.pem
diff --git a/components/build-service/components/rh-certs/kustomization.yaml b/components/build-service/components/rh-certs/kustomization.yaml
new file mode 100644
index 00000000000..e961547c214
--- /dev/null
+++ b/components/build-service/components/rh-certs/kustomization.yaml
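Review bot: The two `volumeMounts` entries in add-rh-certs-patch.yaml place the PEM files in `/etc/pki/tls/certs/` as individual files, which only extends trust if the manager's TLS library reads every file in that directory; the patch neither states that assumption nor rebuilds the system bundle, so a change of base image or runtime could silently stop trusting the GitLab endpoint. Once loaded, both roots are accepted for every outbound TLS connection the manager makes, not just the GitLab instance named in the commit message, and that scope is worth recording next to the mounts. I would add a comment above `volumeMounts:` such as `# Extra trust anchors for internal GitLab; relies on the TLS stack scanning /etc/pki/tls/certs and applies to all outbound TLS`, and set `readOnly: true` on each mount to make the intent explicit. Because the mounts use `subPath`, an in-place ConfigMap update would not reach a running pod; rotation presumably depends on the generator's name hash forcing a rollout.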
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - path: add-rh-certs-patch.yaml
+ target:
+ name: build-service-controller-manager
+ kind: Deployment
+configMapGenerator:
+ - name: rh-certs-2015
+ files:
+ - 2015-RH-IT-Root-CA.pem
+ - name: rh-certs-2022
+ files:
+ - 2022-IT-Root-CA.pem
+namespace: build-service
diff --git a/components/build-service/development/kustomization.yaml b/components/build-service/development/kustomization.yaml
index ad662a9c9fc..5cc8eaf6828 100644
--- a/components/build-service/development/kustomization.yaml
+++ b/components/build-service/development/kustomization.yaml
@@ -33,3 +33,6 @@ patches:
 kind: Deployment
 name: build-service-controller-manager
 path: pac-webhook-insecure-ssl-patch.yaml
+
+components:
+ - ../components/rh-certs
diff --git a/components/build-service/staging/stone-stage-p01/kustomization.yaml b/components/build-service/staging/stone-stage-p01/kustomization.yaml
index ed65afa89e7..6729e3f0434 100644
--- a/components/build-service/staging/stone-stage-p01/kustomization.yaml
+++ b/components/build-service/staging/stone-stage-p01/kustomization.yaml
@@ -9,3 +9,5 @@ patches:
 group: external-secrets.io
 version: v1beta1
 kind: ExternalSecret
+components:
+ - ../../components/rh-certs
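Review bot: The `configMapGenerator` entries in rh-certs/kustomization.yaml turn two checked-in PEM blobs into trust anchors without recording where they were obtained or what their fingerprints are, so neither this review nor a later edit of the .pem files can be checked against an independent value. I would add a comment above each `files:` list, for example `# Red Hat IT Root CA (2015); SHA-256 fingerprint <FINGERPRINT_PLACEHOLDER>, obtained from <SOURCE_PLACEHOLDER>`, which anyone can compare with the output of `openssl x509 -noout -fingerprint -sha256 -in 2015-RH-IT-Root-CA.pem`. The same applies to the `rh-certs-2022` entry. The component is then pulled into the development and stone-stage-p01 overlays in the two hunks that follow; whether other overlays need it cannot be told from this patch.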