Add noverifyssl option to oz image builds

2021-05-12 13:44:06 -04:00 · 2021-05-12 13:44:06 -04:00 · 0f9a77c0e3
commit 0f9a77c0e3
parent 912a34a8c8
4 changed files with 23 additions and 5 deletions
--- a/builder/kojid
+++ b/builder/kojid
@ -3763,6 +3763,10 @@ class OzImageTask(BaseTaskHandler):
        # repo associated with the target passed in initially.
        ks.handler.repo.repoList = []  # delete whatever the ks file told us
        repo_class = kscontrol.dataMap[ks.version]['RepoData']
+        # only use noverifyssl if allowed in kojid.conf
+        if self.opts.get('noverifyssl') and not self.options.allow_noverifyssl:
+            raise koji.BuildError("noverifyssl option is not enabled")
+        noverifyssl = self.options.allow_noverifyssl and self.opts.get('noverifyssl')
        # TODO: sensibly use "url" and "repo" commands in kickstart
        if self.opts.get('repo'):
            # the user used --repo at least once
@ -3771,7 +3775,8 @@ class OzImageTask(BaseTaskHandler):
            for user_repo in user_repos:
                repo_url = user_repo.replace('$arch', self.arch)
                ks.handler.repo.repoList.append(repo_class(
-                    baseurl=repo_url, name='koji-override-%i' % index))
+                    baseurl=repo_url, name='koji-override-%i' % index,
+                    noverifyssl=noverifyssl))
                index += 1
        else:
            # --repo was not given, so we use the target's build repo
@ -3781,9 +3786,10 @@ class OzImageTask(BaseTaskHandler):
            baseurl = '%s/%s' % (repopath, self.arch)
            self.logger.debug('BASEURL: %s' % baseurl)
            ks.handler.repo.repoList.append(repo_class(
-                baseurl=baseurl, name='koji-override-0'))
+                baseurl=baseurl, name='koji-override-0',
+                noverifyssl=noverifyssl))
        # inject the URL of the install tree into the kickstart
-        ks.handler.url(url=install_tree)
+        ks.handler.url(url=install_tree, noverifyssl=noverifyssl)
        return ks

    def writeKickstart(self, ksobj, ksname):
@ -6362,7 +6368,8 @@ def get_options():
                'xz_options': '-z6T0',
                'task_avail_delay': 300,
                'cert': None,
-                'serverca': None}
+                'serverca': None,
+                'allow_noverifyssl': False}
    if config.has_section('kojid'):
        for name, value in config.items('kojid'):
            if name in ['sleeptime', 'maxjobs', 'minspace', 'retry_interval',
@ -6376,7 +6383,8 @@ def get_options():
                    quit("value for %s option must be a valid integer" % name)
            elif name in ['offline_retry', 'use_createrepo_c', 'createrepo_skip_stat',
                          'createrepo_update', 'use_fast_upload', 'support_rpm_source_layout',
-                          'build_arch_can_fail', 'no_ssl_verify', 'log_timestamps']:
+                          'build_arch_can_fail', 'no_ssl_verify', 'log_timestamps',
+                          'allow_noverifyssl']:
                defaults[name] = config.getboolean('kojid', name)
            elif name in ['plugin', 'plugins']:
                defaults['plugin'] = value.split()
--- a/builder/kojid.conf
+++ b/builder/kojid.conf
@ -138,3 +138,6 @@ from_addr=Koji Build System <buildsys@example.com>

 ;path where builder plugins are located, there could be multiple paths delimited by :
 ;pluginpath = /usr/lib/koji-builder-plugins
+
+;allow passing noverifyssl option to anaconda for image builds
+;allow_noverifyssl = False
--- a/cli/koji_cli/commands.py
+++ b/cli/koji_cli/commands.py
@ -6040,6 +6040,9 @@ def handle_image_build(options, session, args):
                      help=_("The syntax version used in the kickstart file"))
    parser.add_option("--noprogress", action="store_true",
                      help=_("Do not display progress of the upload"))
+    parser.add_option("--noverifyssl", action="store_true",
+                      help=_("Use the noverifyssl option for the install tree and all repos. "
+                             "This option is only allowed if enabled on the builder."))
    parser.add_option("--nowait", action="store_false", dest="wait",
                      help=_("Don't wait on image creation"))
    parser.add_option("--ova-option", action="append",
--- a/tests/test_cli/test_image_build.py
+++ b/tests/test_cli/test_image_build.py
@ -33,6 +33,7 @@ TASK_OPTIONS = {
    "ksurl": "git://git.fedorahosted.org/git/spin-kickstarts.git?fedora26#68c40eb7",
    "ksversion": "DEVEL",
    "noprogress": None,
+    "noverifyssl": None,
    "optional_arches": [
        "ppc",
        "arm64"
@ -356,6 +357,9 @@ Options:
  --ksurl=SCMURL        The URL to the SCM containing the kickstart file
  --ksversion=VERSION   The syntax version used in the kickstart file
  --noprogress          Do not display progress of the upload
+  --noverifyssl         Use the noverifyssl option for the install tree and
+                        all repos. This option is only allowed if enabled on
+                        the builder.
  --nowait              Don't wait on image creation
  --ova-option=OVA_OPTION
                        Override a value in the OVA description XML. Provide a