Add new sonar certificate (#3118)

* Add new sonar certificate

* add missing arg

* Update property name

* fix typo

* Bump sonar maven plugin version

* Update Dockerfile and sonarqube.bash

* remove unused

* Update Dockerfile

* Update .rhcicd/sonarqube/Dockerfile

Co-authored-by: Mikel Alejo <[email protected]>

---------

Co-authored-by: Mikel Alejo <[email protected]>

.rhcicd/sonarqube/Dockerfile

@@ -4,8 +4,6 @@ FROM registry.access.redhat.com/ubi9/openjdk-21
 # Switch to the root user to be able to install the required packages.
 USER root
 
-# This argument holds the new password for the "cacerts" keystore.
-ARG cacerts_keystore_password
 # The argument that holds Red Hat IT's custom certificate's location.
 ARG rh_it_root_ca_cert_url
 ARG rh_it_root_ca_cert_secondary_url
@@ -17,43 +15,11 @@ RUN dnf --disablerepo=* -y install https://download.postgresql.org/pub/repos/yum
 RUN dnf install -y postgresql15-server
 RUN dnf install -y postgresql15-contrib
 
-
-# 1. Install the UUID package which is required for the scripts.
-# 2. Change the default "cacert" keystore's password to a custom one for more
-#    security.
-# 3. Import Red Hat IT's custom self signed certificate in the general
-#    "cacerts" file.
-# 4. Remove the certificate file.
-RUN mkdir --parents "/var/cache/yum/metadata" \
-    && microdnf install --assumeyes uuid-1.6.2-55.el9.x86_64 \
-    && microdnf clean all \
-    && readonly rh_it_root_ca_file="$(mktemp)" \
-    && readonly rh_it_root_ca_secondary_file="$(mktemp)" \
-    && curl --output "${rh_it_root_ca_file}" --insecure "${rh_it_root_ca_cert_url}" \
-    && curl --output "${rh_it_root_ca_secondary_file}" --insecure "${rh_it_root_ca_cert_secondary_url}" \
-    && keytool \
-        -cacerts \
-        -new "${cacerts_keystore_password}" \
-        -storepasswd \
-        -storepass "changeit" \
-    && keytool \
-         -alias "RH-IT-Root-CA" \
-         -cacerts \
-         -file "${rh_it_root_ca_file}" \
-         -importcert \
-         -noprompt \
-         -storepass "${cacerts_keystore_password}" \
-         -trustcacerts \
-    && keytool \
-         -alias "RH-IT-Root-CA-SECONDARY" \
-         -cacerts \
-         -file "${rh_it_root_ca_secondary_file}" \
-         -importcert \
-         -noprompt \
-         -storepass "${cacerts_keystore_password}" \
-         -trustcacerts \
-    && rm "${rh_it_root_ca_file}" \
-    && rm "${rh_it_root_ca_secondary_file}"
+# Add RedHat CAs on OS truststore (check https://certs.corp.redhat.com/ for more details)
+RUN curl --output rh_it_root_ca_file.crt --insecure "${rh_it_root_ca_cert_url}" \
+    && curl --output rh_it_root_ca_secondary_file.crt --insecure "${rh_it_root_ca_cert_secondary_url}" \
+    && mv rh*.crt /etc/pki/ca-trust/source/anchors \
+    && update-ca-trust
 
 # Copy the repository contents.
 COPY --chown=default:default . /home/default

.rhcicd/sonarqube/sonarqube.bash

@@ -18,7 +18,6 @@ readonly COMMIT_SHORT=$(git rev-parse --short=7 HEAD)
 # Build the Docker image.
 #
 docker build \
-  --build-arg cacerts_keystore_password="${CACERTS_KEYSTORE_PASSWORD}" \
   --build-arg rh_it_root_ca_cert_url="${RH_IT_ROOT_CA_CERT_URL}" \
   --build-arg rh_it_root_ca_cert_secondary_url="${RH_IT_ROOT_CA_CERT_SECONDARY_URL}" \
   --file .rhcicd/sonarqube/Dockerfile \

pom.xml

@@ -83,7 +83,7 @@
         <quarkus.platform.version>3.15.1</quarkus.platform.version>
         <redhat.event-schemas.version>1.4.11</redhat.event-schemas.version>
 
-        <sonar.maven.plugin.version>4.0.0.4121</sonar.maven.plugin.version>
+        <sonar.maven.plugin.version>5.0.0.4389</sonar.maven.plugin.version>
         <jacoco.output.directory>${project.build.directory}/jacoco-report</jacoco.output.directory>
         <!-- Point the Sonar Qube Plugin always to the same JaCoCo report to aggregate sub-modules reports-->
         <sonar.coverage.jacoco.xmlReportPaths>target/jacoco-report/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>