feat(backend): Add CA injection to step-copy-artifacts step. Fixes ku…

…beflow#1394. (kubeflow#1395)

Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>

backend/src/apiserver/common/config.go

@@ -42,6 +42,9 @@ const (
 	ArtifactScript                          string = "ARTIFACT_SCRIPT"
 	ArtifactImage                           string = "ARTIFACT_IMAGE"
 	ArtifactCopyStepTemplate                string = "ARTIFACT_COPY_STEP_TEMPLATE"
+	ArtifactCopyStepCABundleConfigMapName   string = "ARTIFACT_COPY_STEP_CABUNDLE_CONFIGMAP_NAME"
+	ArtifactCopyStepCABundleConfigMapKey    string = "ARTIFACT_COPY_STEP_CABUNDLE_CONFIGMAP_KEY"
+	ArtifactCopyStepCABundleMountPath       string = "ARTIFACT_COPY_STEP_CABUNDLE_MOUNTPATH"
 	InjectDefaultScript                     string = "INJECT_DEFAULT_SCRIPT"
 	ApplyTektonCustomResource               string = "APPLY_TEKTON_CUSTOM_RESOURCE"
 	TerminateStatus                         string = "TERMINATE_STATUS"
@@ -140,6 +143,18 @@ func IsApplyTektonCustomResource() string {
 	return GetStringConfigWithDefault(ApplyTektonCustomResource, "true")
 }
 
+func GetCABundleConfigMapName() string {
+	return GetStringConfigWithDefault(ArtifactCopyStepCABundleConfigMapName, "")
+}
+
+func GetCABundleConfigMapKey() string {
+	return GetStringConfigWithDefault(ArtifactCopyStepCABundleConfigMapKey, "")
+}
+
+func GetCABundleMountPath() string {
+	return GetStringConfigWithDefault(ArtifactCopyStepCABundleMountPath, "/etc/ssl/certs")
+}
+
 func GetPodNamespace() string {
 	return GetStringConfig(PodNamespace)
 }

backend/src/apiserver/template/tekton_template.go

@@ -356,6 +356,22 @@ func (t *Tekton) injectArchivalStep(workflow util.Workflow, artifactItemsJSON ma
 				step.Command = []string{"sh", "-c"}
 				step.Args = []string{artifactScript}
 
+				caBundleCfgMapName := common.GetCABundleConfigMapName()
+				caBundleCfgMapKey := common.GetCABundleConfigMapKey()
+				if caBundleCfgMapName != "" && caBundleCfgMapKey != "" {
+					if step.VolumeMounts == nil {
+						step.VolumeMounts = []corev1.VolumeMount{}
+					}
+					volName := "custom-ca-bundle"
+					bundleVolume := t.getConfigMapVolumeSource(volName, caBundleCfgMapName)
+					task.TaskSpec.Volumes = append(task.TaskSpec.Volumes, bundleVolume)
+					bundleVolumeMount := corev1.VolumeMount{
+						Name:      volName,
+						MountPath: fmt.Sprintf("%s/%s", common.GetCABundleMountPath(), caBundleCfgMapKey),
+						SubPath:   caBundleCfgMapKey,
+					}
+					step.VolumeMounts = append(step.VolumeMounts, bundleVolumeMount)
+				}
 				task.TaskSpec.Steps = append(task.TaskSpec.Steps, step)
 			}
 		}
@@ -444,6 +460,19 @@ func (t *Tekton) getHostPathVolumeSource(name string, path string) corev1.Volume
 	}
 }
 
+func (t *Tekton) getConfigMapVolumeSource(name string, configMapName string) corev1.Volume {
+	return corev1.Volume{
+		Name: name,
+		VolumeSource: corev1.VolumeSource{
+			ConfigMap: &corev1.ConfigMapVolumeSource{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: configMapName,
+				},
+			},
+		},
+	}
+}
+
 func (t *Tekton) applyCustomResources(workflow util.Workflow, tektonTemplates string, namespace string) error {
 	// Create kubeClient to deploy Tekton custom task crd
 	var config *rest.Config