UNCLASSIFIED - NO CUI


use extracted (combined) system ca-trust bundle for import-artifacts

Tim Seagren requested to merge 559-dod-ca-import-artifacts into master

Merge Request Description

Merge Request BOE

Risk

If for some reason the extracted (combined) system ca-trust bundle was missing commercial CAs/Intermediate CAs and only contained DoD CAs, we would start seeing a lot more failures. However, in UBI we add our DoD CAs and then run update-ca-trust to combine them with existing CAs. So this should be safe. Also tested with a non-DoD certificate as well as a DoD certificate to ensure both cases worked (or at least broke how we expected them to).

Other than that, the regular risk.

Rollback Plan

Revert this MR

Testing

Tested in staging using this repo. We got an expected 401 using the DoD artifact and a failed checksum for the non-DoD source. Notice the lack of SSL failures... Would be happy to test with an alternate repository (that isn't failing in other ways) if one is available.

Edited by Tim Seagren
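
The risk described above (an extracted bundle that holds only DoD CAs) can be checked before a pipeline run. The following is an added example, not part of this merge request or the project's code. It assumes the default RHEL/UBI bundle path and that DoD CA subjects carry O=U.S. Government and OU=DoD; the sample data is constructed.

```python
import os
import ssl
import sys

# Assumption: default path of the extracted (combined) PEM bundle written by
# update-ca-trust on RHEL/UBI; the merge request does not name it.
BUNDLE = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

# Constructed sample in the shape SSLContext.get_ca_certs() returns.
SAMPLE = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "U.S. Government"),),
                 (("organizationalUnitName", "DoD"),),
                 (("commonName", "DoD Root CA 3"),))},
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Commercial Root"),))},
]

def is_dod(subject):
    """Assumption: DoD CA subjects carry O=U.S. Government and OU=DoD."""
    fields = {}
    for rdn in subject:                      # subject is a tuple of RDNs
        for key, value in rdn:               # each RDN is a tuple of pairs
            fields.setdefault(key, set()).add(value)
    return ("U.S. Government" in fields.get("organizationName", ())
            and "DoD" in fields.get("organizationalUnitName", ()))

def summarize(ca_certs):
    """Count DoD and non-DoD CAs in a get_ca_certs()-style list."""
    dod = sum(1 for cert in ca_certs if is_dod(cert["subject"]))
    return {"dod": dod, "other": len(ca_certs) - dod}

def bundle_is_combined(counts):
    """True only when DoD and non-DoD CAs are both present."""
    return counts["dod"] > 0 and counts["other"] > 0

def load_bundle(path):
    """Parse a PEM bundle without making any network connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else BUNDLE
    certs = load_bundle(path) if os.path.exists(path) else SAMPLE
    counts = summarize(certs)
    print(f"{counts['dod']} DoD CAs, {counts['other']} other CAs")
    sys.exit(0 if bundle_is_combined(counts) else 1)
```

A non-zero exit status means one of the two CA populations is missing from the bundle, which is the failure mode the Risk section describes.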
