refactor: Consolidate CA trust setup into import-additional-cas #2991
Migrate all scanner base images from UBI8/RHEL8 to UBI9/RHEL9:
Konflux base images:
- Builder: openshift-golang-builder:rhel_9_golang_1.25
- Scanner runtime: ubi9-minimal
- Scanner DB: rhel9/postgresql-15
Non-Konflux base images:
- Scanner: ubi9-minimal
- Scanner DB: ubi9 / ubi9-minimal
- Vulnerabilities: ubi9-minimal
Other updates:
- Tekton CPE labels: el8 -> el9
- rpms.lock.yaml: xz updated to RHEL 9 version (5.2.5-8.el9_0)
- rpms.rhel.repo: RHEL 8 repos -> RHEL 9 repos
- PostgreSQL download script: pg_rhel_major=9
- Image name labels: rhel8 -> rhel9
- microdnf install -y xz (explicit -y for UBI9 compatibility)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
In UBI9, update-ca-trust fails when running as an unprivileged user (nobody:nobody) because it attempts to write to system-wide paths. Use the -o flag to specify a user-writable output directory.
Also switch restore-all-dir-contents to use --no-clobber to avoid overwriting CA trust files that were already updated at runtime.
See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…migration
# Conflicts:
# image/db/rhel/konflux.Dockerfile
Align the scanner entrypoint scripts and Dockerfiles with the proven CA trust setup from stackrox/stackrox#19454:
- save-dir-contents: Only save /etc/pki/ca-trust/source (not the full /etc/pki/ca-trust or /etc/ssl). The extracted dir is regenerated at runtime by update-ca-trust.
- Remove /etc/ssl from chown and save-dir-contents (not needed).
- import-additional-cas: Add logging, use --output flag with detailed comment explaining why it's needed (BZ#2241240).
- trust-root-ca: Same --output flag and comment.
- restore-all-dir-contents: Add comment explaining --no-clobber.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…anner into konflux-ubi9-rhel9-migration
@davdhacs: The following test failed, say
0a688a4 to 17e5bdb
update-ca-trust extract
# Copy the StackRox root CA if available (mounted by the operator).
copy_existing /run/secrets/stackrox.io/certs
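Review bot: the StackRox root CA is copied into the anchors after `update-ca-trust extract` has already run, so it is not part of the extracted bundle unless extract is invoked a second time; move `copy_existing /run/secrets/stackrox.io/certs` above the `update-ca-trust extract` line so that one extract call covers both the additional CAs and the root CA.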
@mclasmeier what do you think about moving scanner's "root ca" copy into here to more closely match the main/sensor setup?
You mean, as it is currently being done in this PR here, right?
Seems reasonable to me. Of course we shouldn't be over-engineering this, but I have been wondering if it would be a good idea to generalize copy_existing() slightly, as in:
if $1 is a directory {
    # current behaviour of this function
} else if $1 is a file {
    # Expect $1 to be a directly referenced CA pem file
    # case for the stackrox CA pem
} else {
    warn
}
This way we would consolidate the copying in a single function and could just invoke it with different arguments.
WDYT? Just an idea, definitely not a must from my side.
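As an added example, not code from this PR or from the stackrox/scanner repository, here is one way the generalized copy_existing() sketched above could look in POSIX sh, followed by the single update-ca-trust extract --output call the PR consolidates on. The function names copy_existing, extract_trust, import_additional_cas and import_demo_anchor_count, the ANCHORS_DIR and EXTRACTED_DIR variables and the constructed sample files are assumptions of this example; --output is the flag the PR's commits describe for running as an unprivileged user on UBI9 (BZ#2241240).

```shell
#!/bin/sh
# Added example (not the scanner project's own import-additional-cas):
# a copy_existing() that accepts a directory of CA files, a single PEM
# file, or a missing path, followed by ONE update-ca-trust extract call.
# ANCHORS_DIR / EXTRACTED_DIR are assumptions; override via environment.

ANCHORS_DIR="${ANCHORS_DIR:-/etc/pki/ca-trust/source/anchors}"
EXTRACTED_DIR="${EXTRACTED_DIR:-/etc/pki/ca-trust/extracted}"

# copy_existing SRC
#   SRC is a directory -> copy every regular file in it
#   SRC is a file      -> treat it as a directly referenced CA PEM
#   otherwise          -> warn on stderr
# Returns 0 when at least one file was copied, 1 otherwise.
copy_existing() {
    src="$1"
    if [ -d "$src" ]; then
        count=0
        for f in "$src"/*; do
            # Skip non-files (and the literal glob when the dir is empty);
            # -L dereferences the symlinks a mounted Kubernetes secret uses.
            [ -f "$f" ] || continue
            cp -L "$f" "$ANCHORS_DIR"/ && count=$((count + 1))
        done
        echo "Copied $count CA file(s) from directory '$src'"
        [ "$count" -gt 0 ]
    elif [ -f "$src" ]; then
        echo "Copying CA file '$src'"
        cp -L "$src" "$ANCHORS_DIR"/
    else
        echo >&2 "WARNING: No CA found at '$src'"
        return 1
    fi
}

# Regenerate the trust bundle exactly once, after all anchors are in place.
# --output points update-ca-trust at a user-writable directory, which is
# what lets it run as nobody:nobody on UBI9 (BZ#2241240, per the PR).
extract_trust() {
    if command -v update-ca-trust >/dev/null 2>&1; then
        update-ca-trust extract --output "$EXTRACTED_DIR"
    else
        echo >&2 "update-ca-trust not found; skipping extract"
    fi
}

# import_additional_cas SRC...: copy from every candidate location
# (each call tolerates absence), then run a single extract if anything
# was copied.
import_additional_cas() {
    copied=0
    for src in "$@"; do
        copy_existing "$src" && copied=1
    done
    [ "$copied" -eq 1 ] && extract_trust
    return 0
}

# Demo on constructed input: two "additional" CAs in a directory, one root
# CA referenced directly, and one missing path. Prints the resulting
# anchor count (3). Extract is deliberately not run here so the demo stays
# hermetic; in an entrypoint you would call import_additional_cas instead.
import_demo_anchor_count() {
    saved_anchors="$ANCHORS_DIR"
    tmp="$(mktemp -d)"
    ANCHORS_DIR="$tmp/anchors"
    mkdir -p "$ANCHORS_DIR" "$tmp/additional-cas" "$tmp/certs"
    # Constructed placeholder contents, not real certificates.
    printf -- '-----CONSTRUCTED CA 1-----\n' > "$tmp/additional-cas/corp-ca.crt"
    printf -- '-----CONSTRUCTED CA 2-----\n' > "$tmp/additional-cas/proxy-ca.crt"
    printf -- '-----CONSTRUCTED ROOT-----\n' > "$tmp/certs/ca.pem"
    copy_existing "$tmp/additional-cas" >/dev/null
    copy_existing "$tmp/certs/ca.pem" >/dev/null
    copy_existing "$tmp/missing" 2>/dev/null || true
    ls "$ANCHORS_DIR" | wc -l | tr -d ' '
    rm -rf "$tmp"
    ANCHORS_DIR="$saved_anchors"
}

import_demo_anchor_count
```

The directory branch keeps the file-by-file copy so that a missing or empty secret mount degrades to a warning rather than aborting the entrypoint, and the only place update-ca-trust runs is extract_trust, which is why ordering the copies before it matters.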
Merge trust-root-ca into import-additional-cas to align with how stackrox/stackrox handles CA trust (single script, single update-ca-trust call). This eliminates a redundant update-ca-trust invocation and simplifies the entrypoint.
Changes:
- Add copy_single() to import-additional-cas for the StackRox root CA at /run/secrets/stackrox.io/certs/ca.pem
- Remove trust-root-ca script and its references in entrypoint.sh and create-bundle.sh
- update-ca-trust extract --output is now called once instead of twice
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
17e5bdb to 6700798
echo "Copying StackRox root CA from '$CA_PATH'"
cp -v -L "$CA_PATH" /etc/pki/ca-trust/source/anchors/
else
echo "No StackRox root CA found at $CA_PATH"
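Review bot: the two messages quote the path inconsistently (`'$CA_PATH'` in the copy message, bare `$CA_PATH` in the not-found message), and the not-found message goes to stdout although it reports a missing input; use the same quoted form in both and send the second one to stderr, e.g. `echo >&2 "No StackRox root CA found at '$CA_PATH'"`.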
Is this an expected situation? Wondering if we should do something like
echo >&2 "WARNING: No StackRox root CA found at '$CA_PATH'"
Description
Consolidate the CA trust setup to align with how stackrox/stackrox handles it (see stackrox/stackrox#19454).
The scanner had a separate trust-root-ca script that copied the StackRox root CA and called update-ca-trust a second time. The stackrox main/sensor images don't have this — they handle everything in a single import-additional-cas script with one update-ca-trust call.
Changes
- Add a copy_single() function to import-additional-cas for the StackRox root CA at /run/secrets/stackrox.io/certs/ca.pem
- Remove the trust-root-ca script and its references in entrypoint.sh and create-bundle.sh
- update-ca-trust extract --output is now called once instead of twice
Benefits
- Single update-ca-trust invocation (avoids the directory-hash permission issue on the second call)
Checklist
Testing Performed
CI (especially slim-e2e-tests and e2e-tests) will validate that the scanner starts correctly with the consolidated CA trust setup.