Untrusted CA causes artifact import failure
Feature description
The ability to add custom trusted CAs to the Ironbank pipeline, either through a request process (similar to the way custom credentials are handled) or as an additional attribute in the hardening manifest, for example:
```yaml
resources:
  - url: "https://nexus.devforce.disa.mil/artifact.tar.gz"
    filename: "artifact.tar.gz"
    # ...
    verify:
      ca: ./path_to_ca_file_in_repo.pem
```
Use cases
Some artifacts are hosted in environments whose TLS certificates are signed by trusted entities that are not bundled by default with the operating system. For example, https://nexus.devforce.disa.mil has a valid TLS certificate that chains to C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 3, but pipelines that try to download artifacts from there are met with a certificate error because Red Hat does not include the DoD CAs in the system CA bundle.
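The following is an added illustration for this issue, not Iron Bank pipeline code, of how a download step could honour the proposed `verify.ca` attribute: the CA path from the manifest is confined to the repository checkout, the download uses a TLS context that trusts only that CA (the default context is the system store, which on a RHEL-based image lacks the DoD roots and so produces the certificate error above), and the checksum pin is still enforced afterwards. The `MANIFEST` dict is constructed, the `./certs/dod-root-ca-3.pem` path is hypothetical, and the `validation` sha256 block is assumed to be the usual checksum pin in the hardening manifest.

```python
"""Added illustration for this issue (not Iron Bank pipeline code): honour a
per-resource `verify.ca` attribute while keeping the checksum pin mandatory.
The manifest, paths and digest below are constructed for the demo."""
import hashlib
import hmac
import ssl
import urllib.request
from pathlib import Path

# Constructed manifest, shown already parsed (no YAML library needed for the
# demo).  The `validation` block is assumed to be the usual sha256 pin; the
# digest value is a placeholder, not a real artifact's hash.
MANIFEST = {
    "resources": [
        {
            "url": "https://nexus.devforce.disa.mil/artifact.tar.gz",
            "filename": "artifact.tar.gz",
            "validation": {"type": "sha256", "value": "0" * 64},
            "verify": {"ca": "./certs/dod-root-ca-3.pem"},  # hypothetical repo path
        }
    ]
}


def resolve_ca_path(repo_root, ca_ref):
    """Map `verify.ca` to a file inside the repository checkout.

    The manifest is author-controlled, so an absolute path, a `..` climb, or a
    symlink that resolve() follows out of the tree must be rejected; otherwise
    the manifest could make the runner trust (or read) any file it holds.
    """
    root = Path(repo_root).resolve()
    candidate = (root / ca_ref).resolve()
    if Path(ca_ref).is_absolute() or root not in candidate.parents:
        raise ValueError(f"verify.ca must point inside the repo: {ca_ref}")
    return candidate


def ssl_context_for(resource, repo_root):
    """TLS context for one resource.

    Without `verify.ca` this is the interpreter's default context, i.e. the
    system trust store (no DoD roots on a RHEL-based image, hence the failing
    job).  With `verify.ca`, create_default_context(cafile=...) loads only that
    file as trust anchor: hostname checking and CERT_REQUIRED stay on, but
    trust is pinned to the manifest's CA for this download.  A missing CA file
    raises FileNotFoundError from the ssl module.
    """
    ca_ref = (resource.get("verify") or {}).get("ca")
    if not ca_ref:
        return ssl.create_default_context()
    return ssl.create_default_context(cafile=str(resolve_ca_path(repo_root, ca_ref)))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_sha256(data, expected_hex):
    """Constant-time comparison of the downloaded bytes' digest with the pin."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def fetch_resource(resource, repo_root, dest_dir):
    """Download one resource over its per-resource trust store, then enforce
    the checksum.  The CA only authenticates the server; the digest is what
    ties the bytes to what was reviewed, so it stays mandatory even when a
    custom CA is supplied."""
    ctx = ssl_context_for(resource, repo_root)
    with urllib.request.urlopen(resource["url"], context=ctx, timeout=60) as resp:
        data = resp.read()
    validation = resource.get("validation") or {}
    if validation.get("type") != "sha256" or not check_sha256(data, validation.get("value", "")):
        raise RuntimeError(f"checksum mismatch or missing sha256 pin for {resource['url']}")
    out = Path(dest_dir) / Path(resource["filename"]).name  # .name: no traversal via filename
    out.write_bytes(data)
    return out
```

Usage: `fetch_resource(MANIFEST["resources"][0], repo_root=".", dest_dir=".")` performs the download once the referenced PEM exists in the checkout. The shell equivalent of the pinned context is `curl --cacert ./certs/dod-root-ca-3.pem <url>`; the system-wide alternative on RHEL-based images is to drop the PEM into `/etc/pki/ca-trust/source/anchors/` and run `update-ca-trust`, which widens trust for every process in the image rather than for one download. Either way the CA file should go through the same review as the rest of the repository, since whoever controls it controls which servers the pipeline will accept as `nexus.devforce.disa.mil`.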
Benefits
This feature would allow users to download artifacts directly from DoD environments without the extra work of mirroring the artifact to a different repository that is served under a commonly trusted CA.
Requirements
This feature will require time and effort from the Ironbank pipeline team to implement.
Links / references
Example of a failing job, due to an untrusted CA: https://repo1.dso.mil/dsop/bdp/rda/bootstrap/-/jobs/11207581
Tasks
- [ ] Feature has been implemented