fix(newer-sonar-image): permissions for custom certificates

this should fix https://gitlab.com/to-be-continuous/sonar/-/issues/26 fix typo in log and variable name Signed-off-by: Florian Hennig <florian.hennig@committance.com>

fix(newer-sonar-image): permissions for custom certificates
6bc534d7 · Florian Hennig · 80c2015a · 6bc534d7
Commit 6bc534d7 authored 8 months ago by Florian Hennig
--- a/templates/gitlab-ci-sonar.yml
+++ b/templates/gitlab-ci-sonar.yml
@@ -147,15 +147,17 @@ stages:
    then
      return
    fi
+    # creat a writable folder for the keystore and certs
+    mkdir -p /tmp/certs

    # import in system
-    if echo "$certs" >> /etc/ssl/certs/ca-certificates.crt
+    if echo "$certs" >> /tmp/certs/ca-certificates.crt
    then
-      log_info "CA certificates imported in \\e[33;1m/etc/ssl/certs/ca-certificates.crt\\e[0m"
+      log_info "CA certificates imported in \\e[33;1m/tmp/certs/ca-certificates.crt\\e[0m"
    fi
-    if echo "$certs" >> /etc/ssl/cert.pem
+    if echo "$certs" >> /tmp/certs/cert.pem
    then
-      log_info "CA certificates imported in \\e[33;1m/etc/ssl/cert.pem\\e[0m"
+      log_info "CA certificates imported in \\e[33;1m/tmp/certs/cert.pem\\e[0m"
    fi

    # import in Java keystore (if keytool command found)
@@ -167,6 +169,10 @@ stages:
      keystore=${JAVA_KEYSTORE_PATH:-$(ls -1 $javahome/jre/lib/security/cacerts 2>/dev/null || ls -1 $javahome/lib/security/cacerts 2>/dev/null || echo "")}
      if [[ -f "$keystore" ]]
      then
+        # copy keystore into writable folder
+        cp -L -r --no-preserve=mode "$keystore" /tmp/writable_keystore
+        # set writable keystore as keystore
+        keystore="/tmp/writable_keystore"
        storepass=${JAVA_KEYSTORE_PASSWORD:-changeit}
        nb_certs=$(echo "$certs" | grep -c 'END CERTIFICATE')
        log_info "importing $nb_certs certificates in Java keystore \\e[33;1m$keystore\\e[0m..."
@@ -427,8 +433,19 @@ sonar:
        log_warn '$SONAR_AUTH_TOKEN variable detected: use $SONAR_TOKEN instead (see doc)'
        export SONAR_TOKEN="$SONAR_AUTH_TOKEN"
      fi
+    - |
+      if [[ -z "$CUSTOM_CA_CERTS" ]]
+      then
+        log_info '$CUSTOM_CA_CERTS not set: using default keystore'
+      else
+        log_info '$CUSTOM_CA_CERTS variable detected: using writable keystore path (/tmp/writable_keystore)'
+        export CUSTOM_KEYSTORE_PATH="/tmp/writable_keystore"
+        export CUSTOM_KEYSTORE_PASSWORD="changeit"
+      fi
    - >-
      sonar-scanner ${TRACE+-Dsonar.verbose=true} $java_proxy_args
+      ${CUSTOM_KEYSTORE_PATH:+-Dsonar.scanner.truststorePath=$CUSTOM_KEYSTORE_PATH}
+      ${CUSTOM_KEYSTORE_PASSWORD:+-Dsonar.scanner.truststorePassword=$CUSTOM_KEYSTORE_PASSWORD}
      ${SONAR_LOGIN:+-Dsonar.login=$SONAR_LOGIN} 
      ${SONAR_PASSWORD:+-Dsonar.password=$SONAR_PASSWORD} 
      ${SONAR_PROJECT_KEY:+-Dsonar.projectKey=$SONAR_PROJECT_KEY}