Add acceptance test for new params task

simonbaird · simonbaird · commit a81c464c0a6e · 2026-03-20T12:40:18.000-04:00
Ref: https://redhat.atlassian.net/browse/EC-1695
diff --git a/features/__snapshots__/task_validate_image.snap b/features/__snapshots__/task_validate_image.snap
@@ -453,3 +453,70 @@ true
   "TEST_OUTPUT": "{\"timestamp\":\"${TIMESTAMP}\",\"namespace\":\"\",\"successes\":5,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\"}\n"
 }
 ---
+
+[Collect keyless signing parameters from ConfigMap:collect-signing-params - 1]
+Reading ConfigMap konflux-info/cluster-config
+ConfigMap found, extracting keyless signing parameters
+results.keylessSigningEnabled: true
+results.defaultOIDCIssuer: https://kubernetes.default.svc.cluster.local
+results.rekorExternalUrl: https://rekor.example.com
+results.fulcioExternalUrl: https://fulcio.example.com
+results.tufExternalUrl: https://tuf.example.com
+results.buildIdentity: https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller
+results.buildIdentityRegexp: ^https://konflux-ci.dev/.*$
+
+---
+
+[Collect keyless signing parameters from ConfigMap with keyless signing disabled:collect-signing-params - 1]
+Reading ConfigMap konflux-info/cluster-config-2
+ConfigMap found, extracting keyless signing parameters
+enableKeylessSigning is not set, using default empty values
+results.keylessSigningEnabled: false
+results.defaultOIDCIssuer: 
+results.rekorExternalUrl: 
+results.fulcioExternalUrl: 
+results.tufExternalUrl: 
+results.buildIdentity: 
+results.buildIdentityRegexp: 
+
+---
+
+[Collect keyless signing parameters when there is a malformed ConfigMap:collect-signing-params - 1]
+Reading ConfigMap konflux-info/cluster-config-3
+ConfigMap found, extracting keyless signing parameters
+enableKeylessSigning is not set, using default empty values
+results.keylessSigningEnabled: false
+results.defaultOIDCIssuer: 
+results.rekorExternalUrl: 
+results.fulcioExternalUrl: 
+results.tufExternalUrl: 
+results.buildIdentity: 
+results.buildIdentityRegexp: 
+
+---
+
+[Collect keyless signing parameters when the ConfigMap does not exist:collect-signing-params - 1]
+Reading ConfigMap konflux-info/doesnt-exist-config
+ConfigMap not found, using default empty values
+results.keylessSigningEnabled: false
+results.defaultOIDCIssuer: 
+results.rekorExternalUrl: 
+results.fulcioExternalUrl: 
+results.tufExternalUrl: 
+results.buildIdentity: 
+results.buildIdentityRegexp: 
+
+---
+
+[Collect keyless signing parameters when the namespace does not exist:collect-signing-params - 1]
+Reading ConfigMap doesnt-exist-namespace/whatever
+ConfigMap not found, using default empty values
+results.keylessSigningEnabled: false
+results.defaultOIDCIssuer: 
+results.rekorExternalUrl: 
+results.fulcioExternalUrl: 
+results.tufExternalUrl: 
+results.buildIdentity: 
+results.buildIdentityRegexp: 
+
+---
diff --git a/features/task_validate_image.feature b/features/task_validate_image.feature
@@ -412,3 +412,121 @@ Feature: Verify Enterprise Contract Tekton Tasks
     Then the task should succeed
      And the task logs for step "report-json" should match the snapshot
      And the task results should match the snapshot
+
+  Scenario: Collect keyless signing parameters from ConfigMap
+    Given a working namespace
+    And a namespace named "konflux-info" exists
+    # Note: These scenarios might run in parallel so let's use a different config map
+    # for each scenario so we don't have to worry about them clashing with each other
+    And a ConfigMap "cluster-config" in namespace "konflux-info" with content:
+      """
+      {
+        "defaultOIDCIssuer": "https://kubernetes.default.svc.cluster.local",
+        "rekorExternalUrl": "https://rekor.example.com",
+        "fulcioExternalUrl": "https://fulcio.example.com",
+        "tufExternalUrl": "https://tuf.example.com",
+        "buildIdentity": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller",
+        "buildIdentityRegexp": "^https://konflux-ci.dev/.*$",
+        "enableKeylessSigning": "true"
+      }
+      """
+    When version 0.1 of the task named "collect-keyless-params" is run with parameters:
+      | configMapName      | cluster-config |
+    Then the task should succeed
+     And the task logs for step "collect-signing-params" should match the snapshot
+     And the task result "defaultOIDCIssuer" should equal "https://kubernetes.default.svc.cluster.local"
+     And the task result "rekorExternalUrl" should equal "https://rekor.example.com"
+     And the task result "fulcioExternalUrl" should equal "https://fulcio.example.com"
+     And the task result "tufExternalUrl" should equal "https://tuf.example.com"
+     And the task result "buildIdentity" should equal "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
+     And the task result "buildIdentityRegexp" should equal "^https://konflux-ci.dev/.*$"
+     And the task result "keylessSigningEnabled" should equal "true"
+
+  Scenario: Collect keyless signing parameters from ConfigMap with keyless signing disabled
+    Given a working namespace
+    And a namespace named "konflux-info" exists
+    # Note: These scenarios might run in parallel so let's use a different config map
+    # for each scenario so we don't have to worry about them clashing with each other
+    And a ConfigMap "cluster-config-2" in namespace "konflux-info" with content:
+      """
+      {
+        "defaultOIDCIssuer": "https://kubernetes.default.svc.cluster.local",
+        "rekorExternalUrl": "https://rekor.example.com",
+        "fulcioExternalUrl": "https://fulcio.example.com",
+        "tufExternalUrl": "https://tuf.example.com",
+        "buildIdentity": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller",
+        "buildIdentityRegexp": "^https://konflux-ci.dev/.*$",
+        "enableKeylessSigning": "false"
+      }
+      """
+    When version 0.1 of the task named "collect-keyless-params" is run with parameters:
+      | configMapName      | cluster-config-2 |
+    Then the task should succeed
+     And the task logs for step "collect-signing-params" should match the snapshot
+     And the task result "defaultOIDCIssuer" should equal ""
+     And the task result "rekorExternalUrl" should equal ""
+     And the task result "fulcioExternalUrl" should equal ""
+     And the task result "tufExternalUrl" should equal ""
+     And the task result "buildIdentity" should equal ""
+     And the task result "buildIdentityRegexp" should equal ""
+     And the task result "keylessSigningEnabled" should equal "false"
+
+  Scenario: Collect keyless signing parameters when there is a malformed ConfigMap
+    Given a working namespace
+    And a namespace named "konflux-info" exists
+    # Note: These scenarios might run in parallel so let's use a different config map
+    # for each scenario so we don't have to worry about them clashing with each other
+    And a ConfigMap "cluster-config-3" in namespace "konflux-info" with content:
+      """
+      {"foo": "bar"}
+      """
+    When version 0.1 of the task named "collect-keyless-params" is run with parameters:
+      | configMapName      | cluster-config-3 |
+    Then the task should succeed
+     And the task logs for step "collect-signing-params" should match the snapshot
+     And the task result "defaultOIDCIssuer" should equal ""
+     And the task result "rekorExternalUrl" should equal ""
+     And the task result "fulcioExternalUrl" should equal ""
+     And the task result "tufExternalUrl" should equal ""
+     And the task result "buildIdentity" should equal ""
+     And the task result "buildIdentityRegexp" should equal ""
+     And the task result "keylessSigningEnabled" should equal "false"
+
+  Scenario: Collect keyless signing parameters when the ConfigMap does not exist
+    Given a working namespace
+    And a namespace named "konflux-info" exists
+    # Note: These scenarios might run in parallel so let's use a different config map
+    # for each scenario so we don't have to worry about them clashing with each other.
+    # Creating a config map deliberately so we are sure the rbac is created. (I might
+    # be wrong but I think it could matter if this secenario runs before any of the
+    # others.)
+    And a ConfigMap "cluster-config-4" in namespace "konflux-info" with content:
+      """
+      {"foo": "bar"}
+      """
+    When version 0.1 of the task named "collect-keyless-params" is run with parameters:
+      | configMapNamespace | konflux-info |
+      | configMapName      | doesnt-exist-config |
+    Then the task should succeed
+     And the task logs for step "collect-signing-params" should match the snapshot
+     And the task result "defaultOIDCIssuer" should equal ""
+     And the task result "rekorExternalUrl" should equal ""
+     And the task result "fulcioExternalUrl" should equal ""
+     And the task result "tufExternalUrl" should equal ""
+     And the task result "buildIdentityRegexp" should equal ""
+     And the task result "keylessSigningEnabled" should equal "false"
+
+  Scenario: Collect keyless signing parameters when the namespace does not exist
+    Given a working namespace
+    When version 0.1 of the task named "collect-keyless-params" is run with parameters:
+      | configMapNamespace | doesnt-exist-namespace |
+      | configMapName      | whatever               |
+    Then the task should succeed
+     And the task logs for step "collect-signing-params" should match the snapshot
+     And the task result "defaultOIDCIssuer" should equal ""
+     And the task result "rekorExternalUrl" should equal ""
+     And the task result "fulcioExternalUrl" should equal ""
+     And the task result "tufExternalUrl" should equal ""
+     And the task result "buildIdentity" should equal ""
+     And the task result "buildIdentityRegexp" should equal ""
+     And the task result "keylessSigningEnabled" should equal "false"
