Merge branch 'add-custom-root-ca' into 'main'

Add the option to use a custom CA certificate Closes #109 See merge request components/opentofu!234

Merge branch 'add-custom-root-ca' into 'main'
d8e40463 · Timo Furrer · 360a1701 · dab36747 · d8e40463 · d8e40463
Commit d8e40463 authored 3 months ago by Timo Furrer
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -104,6 +104,15 @@ stages:
  - export RELEASE_IMAGE_TAG="${RELEASE_VERSION}${RELEASE_OPENTOFU_VERSION:+-opentofu$RELEASE_OPENTOFU_VERSION}${RELEASE_BASE_IMAGE_OS:+-$RELEASE_BASE_IMAGE_OS}"
  - export RELEASE_IMAGE="${RELEASE_IMAGE_NAME}:${RELEASE_IMAGE_TAG}"
+.install-custom-ca: &install-custom-ca
+  - |
+    if [ -f "${CUSTOM_CA}" ]; then
+      cp "$CUSTOM_CA" /usr/share/pki/ca-trust-source/anchors/custom-ca.pem
+      update-ca-trust
+    else
+      echo 'Skipping to install custom CA because $CUSTOM_CA environment variable is not set'
+    fi
 variables:
  # OpenTofu variables
  LATEST_OPENTOFU_VERSION: !reference [.data, latest_version]
@@ -141,6 +150,7 @@ check-semantic-version:
  stage: build
  image: quay.io/containers/buildah:v1.38.1
  before_script:
+    - *install-custom-ca
    # Supporting GitLab dependency proxies:
    # see https://docs.gitlab.com/ee/user/packages/dependency_proxy/
    - |
@@ -254,6 +264,7 @@ shellcheck:
  variables:
    GITLAB_OPENTOFU_BASE_IMAGE_OS: $RELEASE_BASE_IMAGE_OS
  before_script:
+    - *install-custom-ca
    - *image-matrix-deploy-release-name-script
    - crane auth login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - 'echo "base image OS: $GITLAB_OPENTOFU_BASE_IMAGE_OS"'
@@ -343,6 +354,7 @@ gitlab-opentofu-image:verify-signature:
    name: alpine/crane:0.20.3
    entrypoint: [""]
  before_script:
+    - *install-custom-ca
    - *image-matrix-deploy-release-name-script
    - apk add --update cosign
  script:

--- a/.gitlab/README.md.template
+++ b/.gitlab/README.md.template
@@ -548,6 +548,13 @@ The pipeline of this component respects the
 by detecting the `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX` environment variable
 and configuring `buildah` to use it when building the container images.
+If you need to use this CI/CD component with a custom root CA, please set a CI/CD file variable called `CUSTOM_CA`. The
+certificate needs to be in the PEM format. Currently the certificate is applied to the following jobs:
+- `gitlab-opentofu-image:build`
+- `gitlab-opentofu-image:deploy`
+- `gitlab-opentofu-image:verify-signature`
 ## Migrating from the Terraform CI/CD templates
 When migrating from the GitLab Terraform CI/CD templates you can use the following migration rules:

--- a/README.md
+++ b/README.md
@@ -622,6 +622,13 @@ The pipeline of this component respects the
 by detecting the `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX` environment variable
 and configuring `buildah` to use it when building the container images.
+If you need to use this CI/CD component with a custom root CA, please set a CI/CD file variable called `CUSTOM_CA`. The
+certificate needs to be in the PEM format. Currently the certificate is applied to the following jobs:
+- `gitlab-opentofu-image:build`
+- `gitlab-opentofu-image:deploy`
+- `gitlab-opentofu-image:verify-signature`
 ## Migrating from the Terraform CI/CD templates
 When migrating from the GitLab Terraform CI/CD templates you can use the following migration rules: