The verify-enterprise-contract and verify-conforma-konflux-ta tasks support custom CA certificate configuration via CA_TRUST_CONFIGMAP_NAME and CA_TRUST_CONFIG_MAP_KEY parameters (introduced in PR #1814). These parameters allow mounting a ConfigMap containing a CA bundle so the CLI can communicate with registries and Rekor instances using non-standard CAs.
Currently, the only CA-related acceptance test covers the SSL_CERT_DIR parameter in task_validate_image.feature. There is no acceptance test coverage for:
- CA_TRUST_CONFIGMAP_NAME / CA_TRUST_CONFIG_MAP_KEY parameters - verifying that a ConfigMap-provided CA bundle is correctly mounted and used during validation in the verify-enterprise-contract task.
- verify-conforma-konflux-ta CA handling - the trusted artifacts variant has its own CA mount logic (mounting to /mnt/trusted-ca and conditionally exporting SSL_CERT_FILE), which has zero acceptance test coverage. This path has already required a production fix (PR #3259, "fix(RELEASE-2397): custom ca support in verify-conforma task" / RELEASE-2397).
- End-to-end custom CA scenario - validating an image from a registry served with a self-signed certificate, using the custom CA parameters to provide the trust chain.
The lack of test coverage for these paths has contributed to regressions (e.g., RELEASE-2397 where the volume mount style caused failures when the ConfigMap was absent).
Acceptance criteria:
- Acceptance test exercises CA_TRUST_CONFIGMAP_NAME and CA_TRUST_CONFIG_MAP_KEY with a ConfigMap containing a custom CA bundle in the verify-enterprise-contract task
- Acceptance test exercises the trusted-ca mount and SSL_CERT_FILE logic in the verify-conforma-konflux-ta task
- Tests verify that the task succeeds when a valid CA bundle is provided and handles the case when the ConfigMap is absent gracefully
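
The conditional SSL_CERT_FILE export and the absent-ConfigMap case described in this issue, sketched as an added shell example that is not the tasks' own script. The function names, return codes and file names are assumptions; only /mnt/trusted-ca, SSL_CERT_FILE and CA_TRUST_CONFIG_MAP_KEY come from the issue.

```shell
# Added example. configure_ca_trust, run_cases and the return codes are
# hypothetical; only /mnt/trusted-ca and SSL_CERT_FILE come from the issue.
configure_ca_trust() {
    ca_dir="${1:-/mnt/trusted-ca}"   # mount point of the ConfigMap volume
    ca_key="$2"                      # value of CA_TRUST_CONFIG_MAP_KEY
    case "$ca_key" in                # key must be a plain file name
        ""|*/*|.|..) echo "invalid CA key" >&2; return 2 ;;
    esac
    ca_file="${ca_dir}/${ca_key}"
    if [ ! -e "$ca_file" ]; then     # ConfigMap absent: do not export anything
        echo "no CA bundle at ${ca_file}, SSL_CERT_FILE left unchanged" >&2
        return 0
    fi
    # Present but unusable: fail instead of validating with the wrong trust.
    if [ ! -s "$ca_file" ] || ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file"; then
        echo "CA bundle ${ca_file} is empty or not PEM" >&2
        return 1
    fi
    SSL_CERT_FILE="$ca_file"
    export SSL_CERT_FILE
}

# Exercise the three cases against constructed files; prints the failure count.
run_cases() {
    dir=$(mktemp -d) || return 1
    fails=0
    unset SSL_CERT_FILE
    configure_ca_trust "$dir" ca-bundle.crt 2>/dev/null      # bundle absent
    [ -z "${SSL_CERT_FILE:-}" ] || fails=$((fails + 1))
    # Constructed placeholder, not a real certificate.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$dir/ca-bundle.crt"
    configure_ca_trust "$dir" ca-bundle.crt                   # bundle valid
    [ "${SSL_CERT_FILE:-}" = "$dir/ca-bundle.crt" ] || fails=$((fails + 1))
    unset SSL_CERT_FILE
    : > "$dir/empty.crt"
    configure_ca_trust "$dir" empty.crt 2>/dev/null && fails=$((fails + 1))  # bundle empty
    rm -rf "$dir"
    echo "$fails"
}
```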