Fix Custom CA certs for UBI-based images
What does this MR do?
Problem:
As outlined here, the approach for trusting a Custom CA cert differs for Alpine-based(Non-FIPS) and UBI-based(FIPS) images. The current implementation applies the logic of writing Custom CA cert content into /etc/ssl/certs/ca-certificates.crt
file for both Alpine and UBI images. Although it works fine for Alpine-based images, it does nothing for UBI images. This can be confirmed by running the following command inside UBI container post-write operation which results in no entries in the output:
$ trust list | grep "<CN field value of the custom certificate>"
Solution:
As per RHEL official docs, the logic for trusting a Custom CA in UBI images involves a different set of steps as mentioned below:
- Copy the custom CA certificate into the trust anchors directory i.e.
/etc/pki/ca-cert/source/anchors
- Run
update-ca-trust
command
This MR introduces the steps mentioned above for UBI-based images. A similar approach is followed by container-scanning too.
Note: Unit tests are not added for the MR change in the project since they're better confirmed via integration tests done using test-custom-ca-bundle
and test-custom-ca-bundle fips
CI QA jobs. To prove the correctness of this MR change, I used a tmp Semgrep image which includes this MR's change to add to the downstream integration test. The pipeline passed for both semgrep
and semgrep-fips
CI jobs.
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
-
Changelog entry added -
Documentation created/updated for GitLab EE, if necessary -
Documentation created/updated for this project, if necessary -
Documentation reviewed by technical writer or follow-up review issue created -
Tests added for this feature/bug -
Job definition updated, if necessary -
Conforms to the code review guidelines -
Conforms to the Go guidelines -
Security reports checked/validated by reviewer