add CA_CERT_FILE option for injecting cert overrides
gabemontero committed Aug 23, 2017
1 parent 4c150f5 commit 9c7664a
Showing 2 changed files with 14 additions and 5 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -372,8 +372,8 @@ Per the OpenShift documentation, see the commands `oc describe serviceaccount de

For the certificate, when running in the OpenShift Jenkins image, the CA certificate by default is pulled from the well known location ("/run/secrets/kubernetes.io/serviceaccount/ca.crt") where OpenShift mounts it, and then is stored into the Java KeyStore and X.509 TrustManager for subsequent verification against the OpenShift server on all subsequent interactions. If you wish to override the certificate used:

- For all steps of a given project, set a build parameter (again, of type `Text Parameter`) named `CA_CERT` to the string needed to construct the certificate.
- Since `Text Parameter` input fields are not available with the global key/value properties, the plug-in does not support defining certificates via a `CA_CERT` property across Jenkins projects.
- Option 1: set a either a project specific build parameter or global key/value property named `CA_CERT_FILE` to the file location of the certificate
- Option 2: For all steps of a given project, set a build parameter (again, of type `Text Parameter`) named `CA_CERT` to the string needed to construct the certificate. Since `Text Parameter` input fields are not available with the global key/value properties, the plug-in does not support defining certificates via a `CA_CERT` property across Jenkins projects.

If you want to skip TLS verification and allow for untrusted certificates, set the named parameter `SKIP_TLS` to any value other than `false`. Since this can be done with a Jenkins `String Parameter`, you can use this at either the global or project level.
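
Review bot: The new `CA_CERT_FILE` bullet (Option 1) does not say what happens when the path is wrong, or which setting wins when both `CA_CERT_FILE` and `CA_CERT` are defined. The Auth.java change in this same commit falls back to the default service-account certificate location when the named file does not exist, so the README should state that fallback and the precedence explicitly. The same bullet also reads "set a either a" and is missing its closing period.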

15 changes: 12 additions & 3 deletions src/main/java/com/openshift/jenkins/plugins/pipeline/Auth.java
Expand Up @@ -49,7 +49,16 @@ private Auth(Collection<X509Certificate> certs, TaskListener listener,
public static Auth createInstance(TaskListener listener, String apiURL,
Map<String, String> env) throws RuntimeException {
Auth auth = null;
File f = new File(CERT_FILE);
File f = null;
// first see if customer override cert file location
String certFile = env.get("CA_CERT_FILE");
if (certFile != null && certFile.trim().length() > 0) {
f = new File(certFile.trim());
}
// if did not override, or if provided bad value, use default
if (f == null || !f.exists()) {
f = new File(CERT_FILE);
}
String skipVal = env.get("SKIP_TLS");
String certVal = env.get("CA_CERT");
boolean skip = skipVal != null
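
Review bot: In `createInstance`, the `if (f == null || !f.exists())` fallback silently swaps a user-supplied `CA_CERT_FILE` for the default `CERT_FILE`, so a mistyped path leaves the job verifying the server against a different trust anchor than the one the operator configured, with nothing in the build log to show it. `listener` is already a parameter and the method declares `RuntimeException`, so either log the fallback through `listener.getLogger()` (when `listener` is non-null) or fail when `CA_CERT_FILE` is set but unusable. `f.exists()` is also true for a directory; `f.isFile() && f.canRead()` would be a tighter check.
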
Expand Down Expand Up @@ -320,7 +329,7 @@ public static String deriveBearerToken(String at, TaskListener listener,
* e.printStackTrace(listener.getLogger()); } } return deriveBearerToken(at,
* listener, verbose, vars, env); }
*/
public static String deriveCA(String ca, TaskListener listener,
/*public static String deriveCA(String ca, TaskListener listener,
boolean verbose) {
String caCert = ca;
if (verbose && listener != null)
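
Review bot: Delete `deriveCA` rather than commenting it out at `/*public static String deriveCA(` (the comment is closed by `}*/` in the next hunk); it now sits directly below another commented-out block, and version control already keeps the history. The method is `public static`, so removing it changes the class's public surface and any caller outside this file will stop compiling, yet the commit title only mentions adding `CA_CERT_FILE`. Please call out the removal in the commit message.
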
Expand Down Expand Up @@ -381,7 +390,7 @@ public static String deriveCA(String ca, TaskListener listener,
}
return caCert;
}
}*/

private static InputStream getInputStreamFromDataOrFile(String data,
File file) throws FileNotFoundException,
