Remove image wrappers

Supply private certificate via secret volume to tasks.

Closes #621.

Makefile

@@ -144,18 +144,3 @@ ifeq ($(strip $(namespace)),)
 endif
 	cd scripts && ./install-inside-kind.sh -n $(namespace)
 .PHONY: deploy
-
-##@ OpenShift
-
-start-ods-builds: ## Start builds for each ODS BuildConfig
-	oc start-build ods-package-image
-	oc start-build ods-finish
-	oc start-build ods-go-toolset
-	oc start-build ods-gradle-toolset
-	oc start-build ods-helm
-	oc start-build ods-node16-npm-toolset
-	oc start-build ods-pipeline-manager
-	oc start-build ods-python-toolset
-	oc start-build ods-sonar
-	oc start-build ods-start
-.PHONY: start-ods-builds

build/package/Dockerfile.gradle-toolset

@@ -37,13 +37,13 @@ COPY build/package/scripts/copy-build-if-cached.sh /usr/local/bin/copy-build-if-
 COPY build/package/scripts/copy-artifacts.sh /usr/local/bin/copy-artifacts
 COPY build/package/scripts/build-gradle.sh /usr/local/bin/build-gradle
 COPY build/package/scripts/supply-sonar-project-properties-default.sh /usr/local/bin/supply-sonar-project-properties-default
-COPY build/package/scripts/set-gradle-proxy.sh /usr/local/bin/set-gradle-proxy
+COPY build/package/scripts/configure-gradle.sh /usr/local/bin/configure-gradle
 RUN chmod +x /usr/local/bin/build-gradle && \
     chmod +x /usr/local/bin/cache-build && \
     chmod +x /usr/local/bin/copy-build-if-cached && \
     chmod +x /usr/local/bin/copy-artifacts && \
     chmod +x /usr/local/bin/supply-sonar-project-properties-default && \
-    chmod +x /usr/local/bin/set-gradle-proxy
+    chmod +x /usr/local/bin/configure-gradle
 
 # Add sonar-project.properties
 COPY build/package/sonar-project.properties.d/gradle.properties /usr/local/default-sonar-project.properties

build/package/scripts/build-gradle.sh

@@ -43,8 +43,9 @@ echo "Using NEXUS_URL=$NEXUS_URL"
 echo "Using GRADLE_OPTS=$GRADLE_OPTS"
 echo "Using GRADLE_USER_HOME=$GRADLE_USER_HOME"
 echo "Using ARTIFACTS_DIR=$ARTIFACTS_DIR"
+mkdir -p "${GRADLE_USER_HOME}"
 
-set-gradle-proxy
+configure-gradle
 
 echo
 cd "${WORKING_DIR}"

build/package/scripts/build-npm.sh

@@ -65,17 +65,17 @@ if [ "${WORKING_DIR}" != "." ]; then
   ARTIFACT_PREFIX="${WORKING_DIR/\//-}-"
 fi
 
-echo "Configuring npm to use Nexus ..."
-# Remove the protocol segment from NEXUS_URL
-NEXUS_HOST=$(echo "${NEXUS_URL}" | sed -E 's/^\s*.*:\/\///g')
-if [ -n "${NEXUS_HOST}" ] && [ -n "${NEXUS_USERNAME}" ] && [ -n "${NEXUS_PASSWORD}" ]; then
+echo "Configuring npm to use Nexus (${NEXUS_URL}) ..."
+if [ -n "${NEXUS_URL}" ] && [ -n "${NEXUS_USERNAME}" ] && [ -n "${NEXUS_PASSWORD}" ]; then
     NEXUS_AUTH="$(urlencode "${NEXUS_USERNAME}"):$(urlencode "${NEXUS_PASSWORD}")"
     npm config set registry="$NEXUS_URL"/repository/npmjs/
     npm config set always-auth=true
     npm config set _auth="$(echo -n "$NEXUS_AUTH" | base64)"
     npm config set [email protected]
-    npm config set ca=null
-    npm config set strict-ssl=false
+    if [ -f /etc/ssl/certs/private-cert.pem ]; then
+      echo "Configuring private cert ..."
+      npm config set cafile=/etc/ssl/certs/private-cert.pem
+    fi
 fi;
 
 echo "package-*.json checks ..."

build/package/scripts/build-python.sh

@@ -55,7 +55,7 @@ if [ "${WORKING_DIR}" != "." ]; then
   ARTIFACT_PREFIX="${WORKING_DIR/\//-}-"
 fi
 
-echo "Configuring pip to use Nexus ..."
+echo "Configuring pip to use Nexus (${NEXUS_URL}) ..."
 # Remove the protocol segment from NEXUS_URL
 NEXUS_HOST=$(echo "${NEXUS_URL}" | sed -E 's/^\s*.*:\/\///g')
 if [ -n "${NEXUS_HOST}" ] && [ -n "${NEXUS_USERNAME}" ] && [ -n "${NEXUS_PASSWORD}" ]; then

build/package/scripts/set-gradle-proxy.sh → build/package/scripts/configure-gradle.sh

@@ -3,8 +3,31 @@
 # This script checks for env variable HTTP_PROXY and adds them to gradle.properties.
 CONTENT=""
 
-if [[ $HTTP_PROXY != "" ]]; then
+if [ -f /etc/ssl/certs/private-cert.pem ]; then
+  echo "Configuring Gradle to trust private cert ..."
+  # Copy global keystone to location where we can write to (hide output with warnings).
+  keytool -importkeystore \
+    -srckeystore "${JAVA_HOME}/lib/security/cacerts" -destkeystore "${GRADLE_USER_HOME}/cacerts" \
+    -deststorepass changeit -srcstorepass changeit &> keytool-output.txt
+  # shellcheck disable=SC2181
+  if [ $? -ne 0 ]; then
+    cat keytool-output.txt; exit 1
+  fi
+  # Trust private cert (hide output with warnings).
+  keytool -importcert -noprompt -trustcacerts \
+    -alias private-cert -file /etc/ssl/certs/private-cert.pem \
+    -keystore "${GRADLE_USER_HOME}/cacerts" -storepass changeit &> keytool-output.txt
+  # shellcheck disable=SC2181
+  if [ $? -ne 0 ]; then
+    cat keytool-output.txt; exit 1
+  fi
+  # Configure Gradle to use the modified trust store.
+  CONTENT+="systemProp.javax.net.ssl.trustStore=${GRADLE_USER_HOME}/cacerts\n"
+  CONTENT+="systemProp.javax.net.ssl.trustStorePassword=changeit\n"
+fi
 
+if [ "${HTTP_PROXY}" != "" ]; then
+	echo "Configuring Gradle to honor HTTP_PROXY ..."
 	proxy=$(echo "$HTTP_PROXY" | sed -e "s|https://||g" | sed -e "s|http://||g")
 	proxy_hostp=$(echo "$proxy" | cut -d "@" -f2)
 
@@ -32,7 +55,8 @@ if [[ $HTTP_PROXY != "" ]]; then
  	fi
 fi
 
-if [[ $NO_PROXY != "" ]]; then
+if [ "${NO_PROXY}" != "" ]; then
+	echo "Configuring Gradle to honor NO_PROXY ..."
 	# shellcheck disable=SC2001
 	noproxy_host=$(echo "$NO_PROXY" | sed -e 's|\,\.|\,\*\.|g')
 	# shellcheck disable=SC2001
@@ -41,6 +65,6 @@ if [[ $NO_PROXY != "" ]]; then
 	CONTENT+="systemProp.https.nonProxyHosts=$noproxy_host\n"
 fi
 
-if [[ $CONTENT != "" ]]; then
+if [ "${CONTENT}" != "" ]; then
   echo -e "$CONTENT" > "${GRADLE_USER_HOME}/gradle.properties"
 fi

deploy/README.md

@@ -6,18 +6,15 @@ Manifests in `ods-pipeline` are applied once per project by a project administra
 
 ## Subcharts
 
-The `tasks`, `images` and `setup` subcharts are maintained in https://github.com/opendevstack/ods-pipeline, and may be used by project admins to control the deployment of ODS pipeline resources in the respective project namespace in OpenShift.
+The `tasks` and `setup` subcharts are maintained in https://github.com/opendevstack/ods-pipeline, and may be used by project admins to control the deployment of ODS pipeline resources in the respective project namespace in OpenShift.
 
 ### Subcharts Contents
 
 The resources are defined using Helm:
-* `BuildConfig` and `ImageStream` resources (in the `images` subchart)
 * `Task` resources (in `tasks` subchart)
 * `ConfigMap` and `Secret` resources used by ODS tasks (in `setup` subchart)
 * ODS pipeline manager (`Service`/`Deployment`) (in `setup` subchart)
 
-The resources of the `images` subchart are only applicable for OpenShift clusters. The subcharts may individually be enabled or disabled via the umbrella chart's `values.yaml`.
-
 ### Versioning
 
 In a KinD cluster there are no versions. Images use the implicit `latest` tag. That makes testing and local development easy.

deploy/install.sh

@@ -19,6 +19,7 @@ BITBUCKET_AUTH=""
 BITBUCKET_WEBHOOK_SECRET=""
 NEXUS_AUTH=""
 SONAR_AUTH=""
+PRIVATE_CERT=""
 
 # Check prerequisites.
 KUBECTL_BIN=""
@@ -103,6 +104,9 @@ while [[ "$#" -gt 0 ]]; do
     --sonar-auth) SONAR_AUTH="$2"; shift;;
     --sonar-auth=*) SONAR_AUTH="${1#*=}";;
 
+    --private-cert) PRIVATE_CERT="$2"; shift;;
+    --private-cert=*) PRIVATE_CERT="${1#*=}";;
+
     *) echo "Unknown parameter passed: $1"; exit 1;;
 esac; shift; done
 
@@ -173,6 +177,35 @@ installSecret () {
     fi
 }
 
+installTLSSecret () {
+    local secretName="$1"
+    local privateCert="$2"
+    local certFile=""
+    if [ -z "${privateCert}" ]; then
+        echo "No private cert given, skipping ..."
+    else
+        if [ "${privateCert:0:1}" == '/' ] || [ "${privateCert:0:2}" == './' ]; then
+            if [ ! -f "${privateCert}" ]; then
+                echo "No cert file exists at ${privateCert}"; exit 1
+            fi
+            certFile="${privateCert}"
+        else
+            certFile="private-cert.pem.tmp"
+            openssl s_client -showcerts -connect "${privateCert}" </dev/null \
+                | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "${certFile}"
+        fi
+        if "${KUBECTL_BIN}" -n "${NAMESPACE}" get "secret/${secretName}" &> /dev/null; then
+            echo "Re-creating secret ${secretName} ..."
+            "${KUBECTL_BIN}" -n "${NAMESPACE}" delete secret "${secretName}"
+        else
+            echo "Creating secret ${secretName} ..."
+        fi
+        "${KUBECTL_BIN}" -n "${NAMESPACE}" create secret generic "${secretName}" \
+            --from-file=tls.crt="${certFile}"
+        rm private-cert.pem.tmp &>/dev/null || true
+    fi
+}
+
 # Manage serviceaccount ...
 if "${KUBECTL_BIN}" -n "${NAMESPACE}" get serviceaccount/"${SERVICEACCOUNT}" &> /dev/null; then
     echo "Serviceaccount exists already ..."
@@ -233,6 +266,8 @@ else
         "${SONAR_AUTH}" \
         "" \
         "Please enter an auth token of a SonarQube user with scan permissions (input will be hidden):"
+
+    installTLSSecret "ods-private-cert" "${PRIVATE_CERT}"
 fi
 
 echo "Installing Helm release ${RELEASE_NAME} ..."

deploy/ods-pipeline/Chart.yaml

@@ -24,9 +24,6 @@ version: 0.8.0
 appVersion: "0.8.0"
 
 dependencies:
-  - name: images
-    version: 0.8.0
-    condition: images.enabled
   - name: setup
     version: 0.8.0
     condition: setup.enabled