Add new task to collect keyless signing params

simonbaird · claude · simonbaird · commit 142a144ffaa8 · 2026-03-18T16:50:44.000-04:00
Ref: https://redhat.atlassian.net/browse/EC-1695 Co-authored-by: Claude Code <noreply@anthropic.com>
diff --git a/docs/modules/ROOT/pages/collect-keyless-signing-params.adoc b/docs/modules/ROOT/pages/collect-keyless-signing-params.adoc
@@ -0,0 +1,41 @@
+= collect-keyless-signing-params
+
+Version: 0.1
+
+== Synopsis
+
+Tekton task to collect Konflux configuration parameters related to
+keyless signing using cosign. The task attempts to read the "cluster-config"
+ConfigMap in the "konflux-info" namespace to extract signing parameters.
+
+In case the ConfigMap is not found, the task will output empty strings for all parameters,
+allowing the pipeline to continue without signing parameters.
+
+
+== Params
+[horizontal]
+
+*configMapName* (`string`):: The name of the ConfigMap to read signing parameters from
++
+*Default*: `cluster-config`
+*configMapNamespace* (`string`):: The namespace where the ConfigMap is located
++
+*Default*: `konflux-info`
+
+== Results
+
+[horizontal]
+*defaultOIDCIssuer*:: A default OIDC issuer URL to be used for signing.
+
+*rekorExternalUrl*:: The external URL of the Rekor transparency log.
+
+*fulcioExternalUrl*:: The external URL of the Fulcio certificate authority.
+
+*tufExternalUrl*:: The external URL of the TUF repository.
+
+*buildIdentity*:: The build identity from the OIDC token claims, if applicable.
+
+*buildIdentityRegexp*:: A regular expression to extract build identity from the OIDC token claims, if applicable.
+
+*keylessSigningEnabled*:: A flag indicating whether keyless signing is enabled based on the presence of signing parameters.
+
diff --git a/docs/modules/ROOT/partials/tasks_nav.adoc b/docs/modules/ROOT/partials/tasks_nav.adoc
@@ -1,4 +1,5 @@
 * xref:tasks.adoc[Tekton Tasks]
+** xref:collect-keyless-signing-params.adoc[collect-keyless-signing-params]
 ** xref:verify-conforma-konflux-ta.adoc[verify-conforma-konflux-ta]
 ** xref:verify-conforma-vsa-release-ta.adoc[verify-conforma-vsa-release-ta]
 ** xref:verify-enterprise-contract.adoc[verify-enterprise-contract]
diff --git a/features/__snapshots__/task_validate_image.snap b/features/__snapshots__/task_validate_image.snap
@@ -552,3 +552,70 @@ results.buildIdentity: https://kubernetes.io/namespaces/openshift-pipelines/serv
 results.buildIdentityRegexp: ^https://konflux-ci.dev/.*$
 
 ---
+
+[Collect keyless signing parameters when there is a malformed ConfigMap:collect-signing-params - 1]
+Reading ConfigMap konflux-info/cluster-config-3
+ConfigMap found, extracting keyless signing parameters
+enableKeylessSigning is not set, using default empty values
+results.keylessSigningEnabled: false
+results.defaultOIDCIssuer: 
+results.rekorExternalUrl: 
+results.fulcioExternalUrl: 
+results.tufExternalUrl: 
+results.buildIdentity: 
+results.buildIdentityRegexp: 
+
+---
+
+[Collect keyless signing parameters when the namespace does not exist:collect-signing-params - 1]
+Reading ConfigMap doesnt-exist-namespace/whatever
+ConfigMap not found, using default empty values
+results.keylessSigningEnabled: false
+results.defaultOIDCIssuer: 
+results.rekorExternalUrl: 
+results.fulcioExternalUrl: 
+results.tufExternalUrl: 
+results.buildIdentity: 
+results.buildIdentityRegexp: 
+
+---
+
+[Collect keyless signing parameters when the ConfigMap does not exist:collect-signing-params - 1]
+Reading ConfigMap konflux-info/doesnt-exist-config
+ConfigMap not found, using default empty values
+results.keylessSigningEnabled: false
+results.defaultOIDCIssuer: 
+results.rekorExternalUrl: 
+results.fulcioExternalUrl: 
+results.tufExternalUrl: 
+results.buildIdentity: 
+results.buildIdentityRegexp: 
+
+---
+
+[Collect keyless signing parameters from ConfigMap with keyless signing disabled:collect-signing-params - 1]
+Reading ConfigMap konflux-info/cluster-config-2
+ConfigMap found, extracting keyless signing parameters
+enableKeylessSigning is not set, using default empty values
+results.keylessSigningEnabled: false
+results.defaultOIDCIssuer: 
+results.rekorExternalUrl: 
+results.fulcioExternalUrl: 
+results.tufExternalUrl: 
+results.buildIdentity: 
+results.buildIdentityRegexp: 
+
+---
+
+[Collect keyless signing parameters from ConfigMap:collect-signing-params - 1]
+Reading ConfigMap konflux-info/cluster-config
+ConfigMap found, extracting keyless signing parameters
+results.keylessSigningEnabled: true
+results.defaultOIDCIssuer: https://kubernetes.default.svc.cluster.local
+results.rekorExternalUrl: https://rekor.example.com
+results.fulcioExternalUrl: https://fulcio.example.com
+results.tufExternalUrl: https://tuf.example.com
+results.buildIdentity: https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller
+results.buildIdentityRegexp: ^https://konflux-ci.dev/.*$
+
+---
diff --git a/features/task_validate_image.feature b/features/task_validate_image.feature
@@ -318,3 +318,121 @@ Feature: Verify Enterprise Contract Tekton Tasks
     Then the task should succeed
      And the task logs for step "detailed-report" should match the snapshot
      And the task results should match the snapshot
+
+  Scenario: Collect keyless signing parameters from ConfigMap
+    Given a working namespace
+    And a namespace named "konflux-info" exists
+    # Note: These scenarios might run in parallel so let's use a different config map
+    # for each scenario so we don't have to worry about them clashing with each other
+    And a ConfigMap "cluster-config" in namespace "konflux-info" with content:
+      """
+      {
+        "defaultOIDCIssuer": "https://kubernetes.default.svc.cluster.local",
+        "rekorExternalUrl": "https://rekor.example.com",
+        "fulcioExternalUrl": "https://fulcio.example.com",
+        "tufExternalUrl": "https://tuf.example.com",
+        "buildIdentity": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller",
+        "buildIdentityRegexp": "^https://konflux-ci.dev/.*$",
+        "enableKeylessSigning": "true"
+      }
+      """
+    When version 0.1 of the task named "collect-keyless-signing-params" is run with parameters:
+      | configMapName      | cluster-config |
+    Then the task should succeed
+     And the task logs for step "collect-signing-params" should match the snapshot
+     And the task result "defaultOIDCIssuer" should equal "https://kubernetes.default.svc.cluster.local"
+     And the task result "rekorExternalUrl" should equal "https://rekor.example.com"
+     And the task result "fulcioExternalUrl" should equal "https://fulcio.example.com"
+     And the task result "tufExternalUrl" should equal "https://tuf.example.com"
+     And the task result "buildIdentity" should equal "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
+     And the task result "buildIdentityRegexp" should equal "^https://konflux-ci.dev/.*$"
+     And the task result "keylessSigningEnabled" should equal "true"
+
+  Scenario: Collect keyless signing parameters from ConfigMap with keyless signing disabled
+    Given a working namespace
+    And a namespace named "konflux-info" exists
+    # Note: These scenarios might run in parallel so let's use a different config map
+    # for each scenario so we don't have to worry about them clashing with each other
+    And a ConfigMap "cluster-config-2" in namespace "konflux-info" with content:
+      """
+      {
+        "defaultOIDCIssuer": "https://kubernetes.default.svc.cluster.local",
+        "rekorExternalUrl": "https://rekor.example.com",
+        "fulcioExternalUrl": "https://fulcio.example.com",
+        "tufExternalUrl": "https://tuf.example.com",
+        "buildIdentity": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller",
+        "buildIdentityRegexp": "^https://konflux-ci.dev/.*$",
+        "enableKeylessSigning": "false"
+      }
+      """
+    When version 0.1 of the task named "collect-keyless-signing-params" is run with parameters:
+      | configMapName      | cluster-config-2 |
+    Then the task should succeed
+     And the task logs for step "collect-signing-params" should match the snapshot
+     And the task result "defaultOIDCIssuer" should equal ""
+     And the task result "rekorExternalUrl" should equal ""
+     And the task result "fulcioExternalUrl" should equal ""
+     And the task result "tufExternalUrl" should equal ""
+     And the task result "buildIdentity" should equal ""
+     And the task result "buildIdentityRegexp" should equal ""
+     And the task result "keylessSigningEnabled" should equal "false"
+
+  Scenario: Collect keyless signing parameters when there is a malformed ConfigMap
+    Given a working namespace
+    And a namespace named "konflux-info" exists
+    # Note: These scenarios might run in parallel so let's use a different config map
+    # for each scenario so we don't have to worry about them clashing with each other
+    And a ConfigMap "cluster-config-3" in namespace "konflux-info" with content:
+      """
+      {"foo": "bar"}
+      """
+    When version 0.1 of the task named "collect-keyless-signing-params" is run with parameters:
+      | configMapName      | cluster-config-3 |
+    Then the task should succeed
+     And the task logs for step "collect-signing-params" should match the snapshot
+     And the task result "defaultOIDCIssuer" should equal ""
+     And the task result "rekorExternalUrl" should equal ""
+     And the task result "fulcioExternalUrl" should equal ""
+     And the task result "tufExternalUrl" should equal ""
+     And the task result "buildIdentity" should equal ""
+     And the task result "buildIdentityRegexp" should equal ""
+     And the task result "keylessSigningEnabled" should equal "false"
+
+  Scenario: Collect keyless signing parameters when the ConfigMap does not exist
+    Given a working namespace
+    And a namespace named "konflux-info" exists
+    # Note: These scenarios might run in parallel so let's use a different config map
+    # for each scenario so we don't have to worry about them clashing with each other.
+    # Creating a config map deliberately so we are sure the rbac is created. (I might
+    # be wrong but I think it could matter if this secenario runs before any of the
+    # others.)
+    And a ConfigMap "cluster-config-4" in namespace "konflux-info" with content:
+      """
+      {"foo": "bar"}
+      """
+    When version 0.1 of the task named "collect-keyless-signing-params" is run with parameters:
+      | configMapNamespace | konflux-info |
+      | configMapName      | doesnt-exist-config |
+    Then the task should succeed
+     And the task logs for step "collect-signing-params" should match the snapshot
+     And the task result "defaultOIDCIssuer" should equal ""
+     And the task result "rekorExternalUrl" should equal ""
+     And the task result "fulcioExternalUrl" should equal ""
+     And the task result "tufExternalUrl" should equal ""
+     And the task result "buildIdentityRegexp" should equal ""
+     And the task result "keylessSigningEnabled" should equal "false"
+
+  Scenario: Collect keyless signing parameters when the namespace does not exist
+    Given a working namespace
+    When version 0.1 of the task named "collect-keyless-signing-params" is run with parameters:
+      | configMapNamespace | doesnt-exist-namespace |
+      | configMapName      | whatever               |
+    Then the task should succeed
+     And the task logs for step "collect-signing-params" should match the snapshot
+     And the task result "defaultOIDCIssuer" should equal ""
+     And the task result "rekorExternalUrl" should equal ""
+     And the task result "fulcioExternalUrl" should equal ""
+     And the task result "tufExternalUrl" should equal ""
+     And the task result "buildIdentity" should equal ""
+     And the task result "buildIdentityRegexp" should equal ""
+     And the task result "keylessSigningEnabled" should equal "false"
diff --git a/tasks/collect-keyless-signing-params/0.1/collect-keyless-signing-params.yaml b/tasks/collect-keyless-signing-params/0.1/collect-keyless-signing-params.yaml
