Fix private cert issues discovered in manual testing

build/package/Dockerfile.start

@@ -4,11 +4,7 @@ ARG TARGETARCH
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 USER root
 
-ENV TEKTON_VERSION=0.24.0 \
-    TEKTONCD_PATH=/opt/app-root/src/go/src/github.com/tektoncd \
-    BINARY=git-init.orig \
-    KO_APP=/ko-app \
-    GIT_LFS_VERSION=3.0.2
+ENV GIT_LFS_VERSION=3.0.2
 
 # Build Go binary.
 RUN mkdir -p /etc/go
@@ -20,25 +16,14 @@ COPY internal /etc/go/internal
 COPY pkg /etc/go/pkg
 RUN cd /etc/go/cmd/start && CGO_ENABLED=0 go build -o /usr/local/bin/ods-start
 
-RUN mkdir -p $TEKTONCD_PATH && \
-    cd /tmp && \
-    curl -LO https://github.com/tektoncd/pipeline/archive/refs/tags/v$TEKTON_VERSION.tar.gz && \
-    tar -C $TEKTONCD_PATH -xzf v$TEKTON_VERSION.tar.gz && \
-    ln -s $TEKTONCD_PATH/pipeline-$TEKTON_VERSION $TEKTONCD_PATH/pipeline && \
-    cd -
-
-WORKDIR $TEKTONCD_PATH/pipeline
-
+# Install Git LFS.
 RUN cd /tmp \
     && mkdir -p /tmp/git-lfs \
     && curl -LO https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${TARGETARCH}-v${GIT_LFS_VERSION}.tar.gz \
     && tar -zxvf git-lfs-linux-${TARGETARCH}-v${GIT_LFS_VERSION}.tar.gz -C /tmp/git-lfs \
     && bash /tmp/git-lfs/install.sh \
     && git lfs version
 
-RUN CGO_ENABLED=0 go build -o /tmp/openshift-pipelines-git-init ./cmd/git-init && \
-    mkdir ${KO_APP} && cp /tmp/openshift-pipelines-git-init ${KO_APP}/${BINARY}
-
 # Final image
 FROM registry.access.redhat.com/ubi8/ubi-minimal:8.4
 
@@ -53,14 +38,4 @@ COPY --from=builder /usr/local/bin/ods-start /usr/local/bin/ods-start
 COPY --from=builder /usr/local/bin/git-lfs /usr/local/bin/git-lfs
 RUN git lfs version
 
-RUN mkdir /ko-app
-COPY --from=builder /ko-app/git-init.orig /ko-app/git-init.orig
-COPY build/package/scripts/uidwrapper /ko-app/git-init
-
-USER root
-RUN chgrp -R 0 /ko-app && \
-    chmod -R g=u /ko-app /etc/passwd
-
 USER 1001
-
-ENTRYPOINT ["/ko-app/git-init"]

build/package/scripts/configure-gradle.sh

@@ -4,15 +4,17 @@
 CONTENT=""
 
 if [ -f /etc/ssl/certs/private-cert.pem ]; then
-  echo "Configuring Gradle to trust private cert ..."
-  configure-truststore --dest-store ".ods-cache/truststore/cacerts"
-  # shellcheck disable=SC2181
-  if [ $? -ne 0 ]; then
-    exit 1
-  fi
-  # Configure Gradle to use the modified trust store.
-  CONTENT+="systemProp.javax.net.ssl.trustStore=.ods-cache/keystore/cacerts\n"
-  CONTENT+="systemProp.javax.net.ssl.trustStorePassword=password\n"
+	truststore_location="$(pwd)/.ods-cache/truststore/cacerts"
+	truststore_pass="changeit"
+	echo "Configuring Gradle to trust private cert ..."
+	configure-truststore --dest-store="${truststore_location}" --dest-storepass="${truststore_pass}"
+	# shellcheck disable=SC2181
+	if [ $? -ne 0 ]; then
+		exit 1
+	fi
+	# Configure Gradle to use the modified trust store.
+	CONTENT+="systemProp.javax.net.ssl.trustStore=${truststore_location}\n"
+	CONTENT+="systemProp.javax.net.ssl.trustStorePassword=${truststore_pass}\n"
 fi
 
 if [ "${HTTP_PROXY}" != "" ]; then

build/package/scripts/configure-truststore.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 set -u
 
-md5_bin="${MD5_BIN:-"md5sum --tag"}"
+md5_bin="${MD5_BIN:-"md5sum"}"
 private_cert="/etc/ssl/certs/private-cert.pem"
 src_truststore="${JAVA_HOME}/lib/security/cacerts"
 src_pass="changeit"
@@ -30,16 +30,20 @@ esac; shift; done
 dest_truststore_dir="${dest_truststore%/*}"
 mkdir -p "${dest_truststore_dir}"
 md5_private_cert_path="${dest_truststore_dir}/.md5-private-cert"
-md5_private_cert=$(${md5_bin} "${private_cert}")
+md5_private_cert=$(${md5_bin} < "${private_cert}" | cut -d- -f1)
 
 if [ ! -f "${dest_truststore}" ] || [ "${md5_private_cert}" != "$(cat "${md5_private_cert_path}")" ]; then
     echo "Creating truststore with private cert ..."
     # Copy global keystone to location where we can write to (hide output containing warnings).
+    if [ -f "${dest_truststore}" ]; then
+        rm "${dest_truststore}"
+    fi
     keytool -importkeystore \
         -srckeystore "${src_truststore}" -destkeystore "${dest_truststore}" \
         -deststorepass "${dest_pass}" -srcstorepass "${src_pass}" &> keytool-output.txt
     # shellcheck disable=SC2181
     if [ $? -ne 0 ]; then
+        echo "error importing keystore:"
         cat keytool-output.txt; exit 1
     fi
     # Trust private cert (hide output containing warnings).
@@ -48,7 +52,10 @@ if [ ! -f "${dest_truststore}" ] || [ "${md5_private_cert}" != "$(cat "${md5_pri
         -keystore "${dest_truststore}" -storepass "${dest_pass}" &> keytool-output.txt
     # shellcheck disable=SC2181
     if [ $? -ne 0 ]; then
+        echo "error importing cert:"
         cat keytool-output.txt; exit 1
     fi
     echo "${md5_private_cert}" > "${md5_private_cert_path}"
+else
+    echo "Trustore with private cert exists already and is up-to-date."
 fi

build/package/scripts/download-aqua-scanner.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 set -eu
 
-md5_bin="${MD5_BIN:-"md5sum --tag"}"
+md5_bin="${MD5_BIN:-"md5sum"}"
 aqua_scanner_url=""
 bin_dir=".ods-cache/bin"
 
@@ -21,15 +21,16 @@ esac; shift; done
 
 aqua_scanner_path="${bin_dir}/aquasec"
 md5_aqua_scanner_url_path="${bin_dir}/.md5-aquasec"
+mkdir -p "${bin_dir}"
 
 # Optionally install Aqua scanner.
 # If the binary already exists and was downloaded from the
 # URL given by aqua_scanner_url, skip download.
 if [ -n "${aqua_scanner_url}" ] && [ "${aqua_scanner_url}" != "none" ]; then
-    md5_aqua_scanner_url=$(${md5_bin} -s "${aqua_scanner_url}")
+    md5_aqua_scanner_url=$(printf "%s" "${aqua_scanner_url}" | ${md5_bin} | cut -d- -f1)
     if [ ! -f "${md5_aqua_scanner_url_path}" ] || [ "${md5_aqua_scanner_url}" != "$(cat "${md5_aqua_scanner_url_path}")" ]; then
         echo 'Installing Aqua scanner...'
-        curl -v -sSf -L "${aqua_scanner_url}" -o aquasec
+        curl -sSf -L "${aqua_scanner_url}" -o aquasec
         mv aquasec "${aqua_scanner_path}"
         chmod +x "${aqua_scanner_path}"
         echo "${md5_aqua_scanner_url}" > "${md5_aqua_scanner_url_path}"

cmd/start/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"bytes"
 	"errors"
 	"flag"
 	"fmt"
@@ -375,62 +376,68 @@ func checkoutAndAssembleContext(
 	checkoutDir, url, gitFullRef, gitRefSpec, sslVerify, submodules, depth string,
 	baseCtxt *pipelinectxt.ODSContext,
 	logger logging.LeveledLoggerInterface) (*pipelinectxt.ODSContext, error) {
+
 	absCheckoutDir, err := filepath.Abs(checkoutDir)
 	if err != nil {
-		log.Fatal(err)
+		return nil, fmt.Errorf("absolute path: %w", err)
 	}
+
 	logger.Infof("Checking out %s@%s into %s ...", url, gitFullRef, absCheckoutDir)
-	gitInitArgs := []string{
-		fmt.Sprintf("-url=%v", url),
-		fmt.Sprintf("-revision=%v", gitFullRef),
-		fmt.Sprintf("-refspec=%v", gitRefSpec),
-		fmt.Sprintf("-path=%v", absCheckoutDir),
-		fmt.Sprintf("-sslVerify=%v", sslVerify),
-		fmt.Sprintf("-submodules=%v", submodules),
-		fmt.Sprintf("-depth=%v", depth),
-	}
-	logger.Debugf("git-init %s", strings.Join(gitInitArgs, " "))
-	stdout, stderr, err := command.RunBuffered("/ko-app/git-init", gitInitArgs)
-	if err != nil {
-		logger.Errorf(string(stderr))
-		log.Fatal(err)
+
+	if err := runGit("init", absCheckoutDir); err != nil {
+		return nil, fmt.Errorf("run git cmd: %w", err)
+	}
+	if err := os.Chdir(absCheckoutDir); err != nil {
+		return nil, fmt.Errorf("change dir: %w", err)
+	}
+	if err := runGit("remote", "add", "origin", url); err != nil {
+		return nil, fmt.Errorf("run git cmd: %w", err)
+	}
+	if err := runGit("fetch",
+		"--recurse-submodules=yes", fmt.Sprintf("--depth=%s", depth),
+		"origin",
+		"--update-head-ok", "--force", gitFullRef,
+	); err != nil {
+		return nil, fmt.Errorf("run git cmd: %w", err)
+	}
+	if err := runGit("checkout", "-f", "FETCH_HEAD"); err != nil {
+		return nil, fmt.Errorf("run git cmd: %w", err)
 	}
-	logger.Infof(string(stdout))
 
 	odsPipelineIgnoreFile := filepath.Join(absCheckoutDir, ".git", "info", "exclude")
 	if err := pipelinectxt.WriteGitIgnore(odsPipelineIgnoreFile); err != nil {
-		log.Fatal(err)
+		return nil, fmt.Errorf("write git ignore: %w", err)
 	}
 	logger.Infof("Wrote gitignore exclude at %s", odsPipelineIgnoreFile)
 
 	// check git LFS state and maybe pull
 	lfs, err := gitLfsInUse(logger, absCheckoutDir)
 	if err != nil {
-		log.Fatal(err)
+		return nil, fmt.Errorf("check if git LFS is in use: %w", err)
 	}
 	if lfs {
 		logger.Infof("Git LFS detected, enabling and pulling files...")
 		err := gitLfsEnableAndPullFiles(logger, absCheckoutDir)
 		if err != nil {
-			log.Fatal(err)
+			return nil, fmt.Errorf("git LFS enable and pull: %w", err)
 		}
 	}
 
 	// write ODS cache
 	sha, err := getCommitSHA(absCheckoutDir)
 	if err != nil {
-		log.Fatal(err)
+		return nil, fmt.Errorf("commit SHA: %w", err)
 	}
 	ctxt := baseCtxt.Copy()
 	ctxt.GitFullRef = gitFullRef
 	ctxt.GitCommitSHA = sha
 	err = ctxt.Assemble(absCheckoutDir)
 	if err != nil {
-		log.Fatal(err)
+		return nil, fmt.Errorf("assemble ODS context: %w", err)
 	}
 	err = ctxt.WriteCache(absCheckoutDir)
 	if err != nil {
-		log.Fatal(err)
+		return nil, fmt.Errorf("write ODS context cache: %w", err)
 	}
 	return ctxt, nil
 }
@@ -454,13 +461,22 @@ func gitLfsInUse(logger logging.LeveledLoggerInterface, dir string) (lfs bool, e
 func gitLfsEnableAndPullFiles(logger logging.LeveledLoggerInterface, dir string) (err error) {
 	stdout, stderr, err := command.RunBufferedInDir("git", []string{"lfs", "install"}, dir)
 	if err != nil {
-		return fmt.Errorf("cannot enable git lfs: %s (%w)", stderr, err)
+		return fmt.Errorf("lfs install: %s (%w)", stderr, err)
 	}
 	logger.Infof(string(stdout))
 	stdout, stderr, err = command.RunBufferedInDir("git", []string{"lfs", "pull"}, dir)
 	if err != nil {
-		return fmt.Errorf("cannot git pull lfs files: %s (%w)", stderr, err)
+		return fmt.Errorf("lfs pull: %s (%w)", stderr, err)
 	}
 	logger.Infof(string(stdout))
 	return err
 }
+
+func runGit(args ...string) error {
+	var output bytes.Buffer
+	err := command.Run("git", args, []string{}, &output, &output)
+	if err != nil {
+		return fmt.Errorf("git %v: %w\n%s", args, err, output.String())
+	}
+	return nil
+}

deploy/ods-pipeline/charts/tasks/templates/_sonar-step.tpl

@@ -34,9 +34,9 @@
 
       truststore="${JAVA_HOME}/lib/security/cacerts"
       if [ -f /etc/ssl/certs/private-cert.pem ]; then
-        truststore=".ods-cache/truststore/cacerts"
+        truststore="$(pwd)/.ods-cache/truststore/cacerts"
+        configure-truststore --dest-store "${truststore}"
       fi
-      configure-truststore --dest-store "${truststore}"
       # sonar is built from cmd/sonar/main.go.
       sonar \
         -working-dir=$(params.working-dir) \

deploy/ods-pipeline/charts/tasks/templates/task-ods-start.yaml

@@ -175,9 +175,9 @@ spec:
               name: ods-pipeline
       resources: {}
       script: |
-
         if [ -f /etc/ssl/certs/private-cert.pem ]; then
-          git config --global http.sslCAInfo /etc/ssl/certs/private-cert.pem
+          cat /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/private-cert.pem > /tekton/home/git-cert.pem
+          git config --global http.sslCAInfo /tekton/home/git-cert.pem
         fi
 
         # ods-start is built from cmd/start/main.go.

docs/design/software-design-specification.adoc

@@ -207,7 +207,7 @@ Input parameters: TODO
 
 | SDS-TASK-8
 | `ods-start` container image
-| Container image to start a pipeline. Based on `ubi8/ubi-minimal` (SDS-EXT-2), includes SDS-EXT-9, SDS-EXT-13, SDS-EXT-22, SDS-EXT-27, SDS-EXT-30 and SDS-TASK-9.
+| Container image to start a pipeline. Based on `ubi8/ubi-minimal` (SDS-EXT-2), includes SDS-EXT-9, SDS-EXT-13, SDS-EXT-27, SDS-EXT-30 and SDS-TASK-9.
 
 | SDS-TASK-9
 | `start` binary
@@ -616,12 +616,6 @@ a| The script installs the Helm chart located in `deploy/ods-pipeline`. Further,
 | Manages secrets with Git workflow.
 | https://github.com/jkroepke/helm-secrets
 
-| SDS-EXT-22
-| Tekton
-| 0.24
-| Cloud-native Pipeline resource.
-| https://github.com/tektoncd/pipeline
-
 | SDS-EXT-23
 | Sops
 | 3.7