feat(RELEASE-2158): Support self-hosted Quay#3148
feat(RELEASE-2158): Support self-hosted Quay#3148querti wants to merge 1 commit intoconforma:mainfrom
Conversation
Add a new e2e test pipeline that checks if push-to-external-registry works with self-hosted Quay. Unlike other e2e tests which use the stage cluster, this one uses ephemeral Kind cluster. The reason is Quay is deployed to the cluster and is used for testing. Two changes were made to the push-to-external-registry pipeline to ensure its compatibility with self-hosted Quay: - Mount the ca-bundle.crt from trusted-ca configmap to /etc/ssl/certs/. This ensures that the self-signed CA cert of the internal Quay instance is known to the 3rd party tools like skopeo and cosign. Without it, the tools would fail with a TLS error. - Update regexes to support a Quay URL with a port number. The regexes assume that only one ":" will be present in the url, which may be wrong. Update them to account for hostnames with port number. Several other changes were made to support this functionality: - Mounting the CA bundle in Conforma task[1] - Support self-hosted Quay deployment in the Kind cluster[2] - Add init-quay task and skip-quay parameter[3] - Add a new Go e2e test for self-hosted quay[4] [1] conforma/cli#3148 [2] konflux-ci/konflux-ci#5689 [3] konflux-ci/tekton-integration-catalog#272 [4] konflux-ci/e2e-tests#1798 Assisted-by: Cursor Signed-off-by: Lubomir Gallovic <lgallovi@redhat.com>
|
This PR adds the cert to other tasks in the push-to-external-registry pipeline: konflux-ci/release-service-catalog#2031 |
Review Summary by QodoSupport self-hosted Quay with trusted CA certificates
WalkthroughsDescription• Add trusted CA certificate mounting for self-hosted Quay support • Mount CA bundle to both /mnt/trusted-ca and /etc/ssl/certs/ca-custom-bundle.crt • Enable Verify Conforma task to work with self-signed certificates Diagramflowchart LR
A["Verify Conforma Task"] -- "mounts CA bundle" --> B["Trusted CA Volume"]
B -- "maps to /mnt/trusted-ca" --> C["CA Bundle Location 1"]
B -- "maps to /etc/ssl/certs/ca-custom-bundle.crt" --> D["CA Bundle Location 2"]
C --> E["Self-hosted Quay Support"]
D --> E
File Changes1. tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml
|
Code Review by Qodo
1. CA mount not consumed
|
![qodo-code-review[bot]](https://avatars.githubusercontent.com/in/484649?s=60&v=4){kind=small}
Verify Conforma task should support images that are in a self-hosted Quay instance. This instance has a self-signed CA cert which is implicitly not trusted by 3rd party tools. This can be fixed by mounting the CA bundle to /etc/ssl/certs/, making it trusted. Mount to /mnt/trusted-ca is added to be consistent with other tasks in the pipeline. Assisted-by: Cursor Signed-off-by: Lubomir Gallovic <lgallovi@redhat.com>
|
@simonbaird @joejstuart @st3penta can I request a review? Thanks! |
| - name: trusted-ca | ||
| mountPath: /mnt/trusted-ca | ||
| readOnly: true | ||
| - name: trusted-ca |
There was a problem hiding this comment.
Is it intentional to define two different volume mounts with the same name, trusted-ca?
There was a problem hiding this comment.
I'm mounting the same file in two places. Is this a risk or a bad pattern?
There was a problem hiding this comment.
Oh okay I get it. The name refers to the volume, so that's why it's not unique. Lgtm.
|
In your commit it says "This instance has a self-signed CA cert" which makes me think it was written by Cursor. What instance? Will this change impact Red Hat production Konflux which maybe isn't using a self-signed CA cert? |
Sorry if my original description isn't very clear. We are asked that the release pipeline "push-to-external-registry" should be compatible with self hosted Quay. We will not be using this feature, we will keep using quay.io. This is for our customers who may want to deploy their own quay instance, only available in their intranet. When that is the case, they will have their own CA cert. This CA cert must be mounted in the right place, otherwise tools like skopeo will not trust this instance. This PR mounts the custom CA cert to the right place to ensure that the task works correctly. trusted-ca configmap is generally defined by the cluster admin and should contain the internal CA cert. I'm not referring to any particular self-hosted quay instance, just any that might exist. I hope that makes things a bit clearer! |
Codecov Report✅ All modified and coverable lines are covered by tests.
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
Add a new e2e test pipeline that checks if push-to-external-registry works with self-hosted Quay. Unlike other e2e tests which use the stage cluster, this one uses ephemeral Kind cluster. The reason is Quay is deployed to the cluster and is used for testing. Two changes were made to the push-to-external-registry pipeline to ensure its compatibility with self-hosted Quay: - Mount the ca-bundle.crt from trusted-ca configmap to /etc/ssl/certs/. This ensures that the self-signed CA cert of the internal Quay instance is known to the 3rd party tools like skopeo and cosign. Without it, the tools would fail with a TLS error. - Update regexes to support a Quay URL with a port number. The regexes assume that only one ":" will be present in the url, which may be wrong. Update them to account for hostnames with port number. Several other changes were made to support this functionality: - Mounting the CA bundle in Conforma task[1] - Support self-hosted Quay deployment in the Kind cluster[2] - Add init-quay task and skip-quay parameter[3] - Add a new Go e2e test for self-hosted quay[4] [1] conforma/cli#3148 [2] konflux-ci/konflux-ci#5689 [3] konflux-ci/tekton-integration-catalog#272 [4] konflux-ci/e2e-tests#1798 Assisted-by: Cursor Signed-off-by: Lubomir Gallovic <lgallovi@redhat.com>
|
One thing I'm wondering about: There's already a mount here just for the Also, along the lines of what Qodo said, do we need to set SSL_CERT_DIR in the stepTemplate also? |
I asked Claude about this and it said it should be okay. But do you want to also mount
I think it could be done later when/if needed, so maybe not a blocker for this PR. Wdyt? |
|
/ok-to-test |
2 participants
Verify Conforma task should support images that are in a self-hosted Quay instance. This instance has a self-signed CA cert which is implicitly not trusted by 3rd party tools. This can be fixed by mounting the CA bundle to /etc/ssl/certs/, making it trusted. Mount to /mnt/trusted-ca is added to be consistent with other tasks in the pipeline.