@@ -264,11 +264,10 @@ spec:
- mountPath: /var/workdir
name: workdir
- name: trusted-ca
mountPath: /mnt/trusted-ca
mountPath: /etc/ssl/certs
readOnly: true
- name: trusted-ca
mountPath: /etc/ssl/certs/ca-custom-bundle.crt
subPath: ca-bundle.crt
mountPath: /mnt/trusted-ca
readOnly: true
Comment thread
querti marked this conversation as resolved.
Comment on lines 266 to 271
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Read the specific file mentioned in the review
cat -n tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml | head -n 300 | tail -n 100

Repository: conforma/cli

Length of output: 1858


🏁 Script executed:

# Check the volume definitions near the end of the file
wc -l tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml

Repository: conforma/cli

Length of output: 1861


🏁 Script executed:

# Read the volume definition section
cat -n tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml | sed -n '590,610p'

Repository: conforma/cli

Length of output: 688


🏁 Script executed:

# Look for SSL_CERT_DIR references in the file
rg -n "SSL_CERT_DIR" tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml -A 2 -B 2

Repository: conforma/cli

Length of output: 1097


🏁 Script executed:

# Read the volumeMounts section around lines 266-271
cat -n tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml | sed -n '260,280p'

Repository: conforma/cli

Length of output: 807


🏁 Script executed:

# Get broader context of the stepTemplate to understand the configuration
cat -n tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml | sed -n '240,290p'

Repository: conforma/cli

Length of output: 1916


🏁 Script executed:

# Check if there are any other references to /etc/ssl/certs or /mnt/trusted-ca
rg -n "(/etc/ssl/certs|/mnt/trusted-ca)" tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml

Repository: conforma/cli

Length of output: 262


Remove the redundant /etc/ssl/certs mount; it unnecessarily shadows the image's CA directory.

The trusted-ca volume is mounted twice—at both /etc/ssl/certs (line 267) and /mnt/trusted-ca (line 270). The mount at /etc/ssl/certs shadows the base image's CA directory; because the ConfigMap is optional: true and contains only ca-bundle.crt, a missing or incomplete ConfigMap can leave the directory inaccessible, breaking TLS for any tool that relies exclusively on that path. The volume is already mounted at /mnt/trusted-ca, which is the safer location. Remove the /etc/ssl/certs mount, and wire /mnt/trusted-ca via SSL_CERT_DIR or SSL_CERT_FILE in steps that need external TLS (the existing SSL_CERT_DIR at line 506 already includes fallback standard paths, but making the custom CA path explicit avoids relying on undocumented behavior).

Suggested direction
       - name: trusted-ca
-        mountPath: /etc/ssl/certs
-        readOnly: true
-      - name: trusted-ca
         mountPath: /mnt/trusted-ca
         readOnly: true
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml` around
lines 266 - 271, remove the redundant mount of the `trusted-ca` volume at
`/etc/ssl/certs` (keep only the `trusted-ca` mount at `/mnt/trusted-ca`) so you
don't shadow the image's CA store; then ensure any steps/containers that need
the custom CA explicitly reference `/mnt/trusted-ca` by adding it to the
SSL_CERT_DIR or setting SSL_CERT_FILE (update the existing SSL_CERT_DIR/env
entries that are used by the job to include `/mnt/trusted-ca`), and leave the
`trusted-ca` volume name unchanged.

env:
- name: "ORAS_OPTIONS"
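Review bot: Mounting the trusted-ca volume directly at /etc/ssl/certs (the line that replaces `mountPath: /mnt/trusted-ca`) substitutes the whole directory, so the image's own CA bundle is no longer visible to anything that reads the system store; together with the second mount of the same volume at /mnt/trusted-ca, the custom bundle now reaches two places and the distribution certificates reach none. Keep a single mount at /mnt/trusted-ca and point SSL_CERT_DIR or SSL_CERT_FILE at it, or keep the previous subPath projection of ca-bundle.crt into the directory (the removed `mountPath: /etc/ssl/certs/ca-custom-bundle.crt` / `subPath: ca-bundle.crt` pair), which adds the file without hiding the existing ones. Since the comment thread notes the ConfigMap behind this volume is `optional: true`, its absence leaves /etc/ssl/certs empty rather than merely lacking the custom CA.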
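The mount patterns discussed in the review comment above, side by side in one Tekton Task, as an added illustration that is not part of the conforma/cli repository or of this pull request. The volume name `trusted-ca`, the key `ca-bundle.crt` and the paths `/mnt/trusted-ca` and `/etc/ssl/certs` come from the diff; the ConfigMap name, the task name and the image reference are assumed placeholders.

```yaml
# Added example (not project code): three ways to hand a custom CA bundle to a
# Tekton step. Volume/key/path names follow the diff above; the ConfigMap name,
# the task name and the image are placeholders chosen for this illustration.
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: ca-mount-example            # placeholder task name
spec:
  volumes:
    - name: trusted-ca
      configMap:
        name: trusted-ca            # assumed ConfigMap name
        optional: true              # when absent, the volume mounts as an EMPTY directory
        items:
          - key: ca-bundle.crt
            path: ca-bundle.crt
  steps:
    # Weak: the volume replaces /etc/ssl/certs wholesale. The image's own bundle
    # is hidden, and when the optional ConfigMap is missing the directory is
    # empty, so every TLS client that consults the system store fails with an
    # "unknown authority" style error.
    - name: shadowed-ca-store
      image: registry.example/tool:latest      # placeholder image
      volumeMounts:
        - name: trusted-ca
          mountPath: /etc/ssl/certs
          readOnly: true
      script: |
        ls -l /etc/ssl/certs     # shows only ca-bundle.crt, or nothing at all

    # Safer: mount the volume beside the system store and tell OpenSSL-based
    # tools (and Go's crypto/x509 on Linux, which honours the same variables)
    # to search both. SSL_CERT_DIR is a colon-separated list; the custom
    # directory is listed first and the distribution paths follow, so an empty
    # /mnt/trusted-ca removes nothing.
    - name: additive-ca-store
      image: registry.example/tool:latest
      env:
        - name: SSL_CERT_DIR
          value: /mnt/trusted-ca:/etc/ssl/certs:/etc/pki/tls/certs
      volumeMounts:
        - name: trusted-ca
          mountPath: /mnt/trusted-ca
          readOnly: true
      script: |
        ls -l /etc/ssl/certs /mnt/trusted-ca

    # Alternative additive pattern (what the removed lines did): project only the
    # bundle file into the system directory with subPath. The rest of
    # /etc/ssl/certs stays visible and a missing ConfigMap affects only that one
    # path. Caveat: subPath mounts do not pick up later ConfigMap updates.
    - name: subpath-ca-file
      image: registry.example/tool:latest
      volumeMounts:
        - name: trusted-ca
          mountPath: /etc/ssl/certs/ca-custom-bundle.crt
          subPath: ca-bundle.crt
          readOnly: true
      script: |
        ls -l /etc/ssl/certs
```

The first step reproduces the failure mode the comment describes; either of the other two keeps the image's trust store intact, and the second one is the explicit `SSL_CERT_DIR` wiring the comment recommends.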
@@ -511,11 +510,6 @@ spec:
memory: 2Gi
limits:
memory: 2Gi
volumeMounts:
- name: trusted-ca
mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
subPath: ca-bundle.crt
readOnly: true

- name: report-json
image: quay.io/conforma/cli:latest
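Review bot: The removed volumeMount was the only place on this page that put ca-bundle.crt under /etc/pki/tls/certs, the trust-store path that Red Hat based images read; after this change the bundle is only available where the hunk at line 264 mounts it (/etc/ssl/certs and /mnt/trusted-ca), and only if this step inherits those mounts. Before relying on that, confirm that this step's SSL_CERT_DIR (the comment thread mentions one at line 506) lists /mnt/trusted-ca, or that the image's TLS libraries read /etc/ssl/certs; otherwise the custom CA is silently no longer trusted in this step. Note too that if the step does inherit the /etc/ssl/certs mount, this image's own CA directory is now hidden as well.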