Enterprise Contract Configuration

Enterprise Contract configuration is described here.

The configuration used by EC can be provided by an EnterpriseContractPolicy cluster resource, or it can be fetched from a git url.

For command line use of Enterprise Contract a local file can also be used.

There are some pre-defined configuration files available here.

Finding the configuration used

The output of the Enterprise Contract task includes a copy of the configuration used. You can find it under the policy key in the raw YAML output where it can be copy and pasted.

c64db6a88c99447507fb87e42c966fda
Figure 1. Viewing the configuration in log
c64db6a88c99447507fb87e42c966fda
Figure 1. Viewing the configuration in log
Notice that the public key used to verify both the signed images and the signed attestations created by Tekton Chains is available in the YAML output also. This public key is useful if you want to use Enterprise Contract outside the Konflux cluster as described here.

Modifying the Enterprise Contract configuration used in Konflux

To change which configuration is used by the Enterprise Contract integration test, it is necessary to modify the applicable "IntegrationTestScenario" cluster resouce.

This is currently not possible via the web UI, so it must be done using either kubectl or oc.

See Using custom configuration for details on how to do this.