Bug 1826183: Generate trust bundle for builds

* Create entrypoint script which does the following:
** Check if the CA trust bundle exists in the new neutral location.
** Run `update-ca-trust extract` if a custom PKI is present.
* Add mounts.conf to /etc/containers
** Mount /run/secrets from build pod containers to buildah's containers.
   In RHEL/Fedora, /run/secrets is mounted in from /usr/share/rhel/secrets, and contains host
   information needed to access subscription content.
** Mount /etc/pki/ca-trust from the build pod to buildah's containers. This contains the TLS trust store
   that the entrypoint script configures via `update-ca-trust extract`.
* Organize image content to simplify the Dockerfile instructions for building `openshift/builder`.

Dockerfile

@@ -12,9 +12,8 @@ RUN INSTALL_PKGS=" \
     yum install -y --setopt=skip_missing_names_on_install=False $INSTALL_PKGS && \
     yum clean all
 COPY --from=builder /go/src/github.com/openshift/builder/openshift-builder /usr/bin/
-COPY imagecontent/policy.json /etc/containers/
-COPY imagecontent/registries.conf /etc/containers/
-COPY imagecontent/storage.conf /etc/containers/
+COPY imagecontent/bin /usr/bin
+COPY imagecontent/etc/containers /etc/containers
 RUN mkdir -p /var/cache/blobs \
     /var/lib/shared/overlay-images \
     /var/lib/shared/overlay-layers && \
@@ -29,3 +28,4 @@ RUN ln -s /usr/bin/openshift-builder /usr/bin/openshift-sti-build && \
 LABEL io.k8s.display-name="OpenShift Builder" \
       io.k8s.description="This is a component of OpenShift and is responsible for executing image builds." \
       io.openshift.tags="openshift,builder"
+ENTRYPOINT [ "/usr/bin/entrypoint.sh" ]

Dockerfile-dev

@@ -10,10 +10,8 @@ RUN INSTALL_PKGS=" \
       " && \
     yum install -y --setopt=skip_missing_names_on_install=False ${INSTALL_PKGS} && \
     yum clean all
-
-COPY imagecontent/policy.json /etc/containers/
-COPY imagecontent/registries.conf /etc/containers/
-COPY imagecontent/storage.conf /etc/containers/
+COPY imagecontent/bin /usr/bin
+COPY imagecontent/etc/containers /etc/containers
 RUN mkdir -p /var/cache/blobs \
     /var/lib/shared/overlay-images \
     /var/lib/shared/overlay-layers && \
@@ -26,3 +24,4 @@ RUN ln -s /usr/bin/openshift-builder /usr/bin/openshift-sti-build && \
     ln -s /usr/bin/openshift-builder /usr/bin/openshift-git-clone && \
     ln -s /usr/bin/openshift-builder /usr/bin/openshift-manage-dockerfile && \
     ln -s /usr/bin/openshift-builder /usr/bin/openshift-extract-image-content
+ENTRYPOINT [ "/usr/bin/entrypoint.sh" ]

Dockerfile.rhel7

@@ -12,9 +12,8 @@ RUN INSTALL_PKGS=" \
     yum install -y --setopt=skip_missing_names_on_install=False $INSTALL_PKGS && \
     yum clean all
 COPY --from=builder /go/src/github.com/openshift/builder/openshift-builder /usr/bin/
-COPY imagecontent/policy.json /etc/containers/
-COPY imagecontent/registries.conf /etc/containers/
-COPY imagecontent/storage.conf /etc/containers/
+COPY imagecontent/bin /usr/bin
+COPY imagecontent/etc/containers /etc/containers
 RUN mkdir -p /var/cache/blobs \
     /var/lib/shared/overlay-images \
     /var/lib/shared/overlay-layers && \
@@ -29,3 +28,4 @@ RUN ln -s /usr/bin/openshift-builder /usr/bin/openshift-sti-build && \
 LABEL io.k8s.display-name="OpenShift Builder" \
       io.k8s.description="This is a component of OpenShift and is responsible for executing image builds." \
       io.openshift.tags="openshift,builder"
+ENTRYPOINT [ "/usr/bin/entrypoint.sh" ]

imagecontent/bin/entrypoint.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+clusterCA="/var/run/configs/openshift.io/pki/tls-ca-bundle.pem"
+
+if [ -e "$clusterCA" ]; then
+    echo "Adding cluster TLS certificate authority to trust store"
+    cp -f "$clusterCA" /etc/pki/ca-trust/source/anchors/cluster-ca-bundle.pem
+    update-ca-trust extract
+fi
+
+exec "$@"

imagecontent/etc/containers/mounts.conf

@@ -0,0 +1,2 @@
+/run/secrets:/run/secrets
+/etc/pki/ca-trust:/etc/pki/ca-trust