Using custom configuration
Accessing the Konflux cluster using oc or kubectl
Follow the procedure for accessing the Konflux cluster via the oc command line client as described here.
You can then view the integration test scenario CRs, for example:
$ oc get integrationtestscenario
$ oc get integrationtestscenario <testname> -o yaml
Adding the policy configuration parameter
A convenient method of modifying a CR is to use the oc edit command.
Determine the name of the integration test you want to modify, then run the following:
$ oc edit integrationtestscenario <testname>
Find the spec key and add params underneath it like this:
…
spec:
  params:
    - name: POLICY_CONFIGURATION
      value: github.com/enterprise-contract/config//slsa3
…
The params key should be at the same indent level as application and contexts underneath the spec key.
Before saving the YAML file, to work around a problem with the API versions present in the cluster, you also need to modify the API version, changing v1beta1 to v1alpha1 in the first line of the YAML file.
apiVersion: appstudio.redhat.com/v1alpha1
Save the file to update the CR in the cluster.
The config file specified in the above example is this one. There are some other predefined configurations available in that same repo. You can of course substitute your own git repo with your own customized policy file.
The // syntax in the git URL is used to separate the git repo location and the subdirectory inside the git repo. EC will look for a policy.yaml or .ec/policy.yaml file in the directory specified, or at the top level of the git repo if no directory is specified. For details on this syntax consult the go-getter documentation.
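The split and lookup described in the note above, as an added example for checking a local clone before pointing the CR at it; it is not code from EC or go-getter. The function names, the example.com URL, the order in which the two candidate files are tried, and the constructed checkout are assumptions.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of EC or go-getter.

# Print the repository part of a POLICY_CONFIGURATION source.
policy_repo() {
    s=${1%%\?*}                      # drop any ?query suffix
    case $s in
        *://*) scheme=${s%%://*}://; rest=${s#*://} ;;  # skip the scheme's own "//"
        *)     scheme=; rest=$s ;;
    esac
    printf '%s%s\n' "$scheme" "${rest%%//*}"
}

# Print the subdirectory part, or an empty line when none is given.
policy_subdir() {
    s=${1%%\?*}
    case $s in *://*) rest=${s#*://} ;; *) rest=$s ;; esac
    case $rest in
        *//*) printf '%s\n' "${rest#*//}" ;;
        *)    printf '\n' ;;
    esac
}

# Print the policy file (relative to CHECKOUT) that the source would select.
# Returns 1 when neither candidate exists. Candidate order is an assumption.
find_policy_file() {
    checkout=$1
    sub=$(policy_subdir "$2")
    for candidate in policy.yaml .ec/policy.yaml; do
        path=${sub:+$sub/}$candidate
        if [ -f "$checkout/$path" ]; then
            printf '%s\n' "$path"
            return 0
        fi
    done
    return 1
}

# Constructed checkout standing in for a cloned policy config repo.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/slsa3" "$demo_dir/custom/.ec"
: > "$demo_dir/slsa3/policy.yaml"
: > "$demo_dir/custom/.ec/policy.yaml"
for value in github.com/enterprise-contract/config//slsa3 \
             https://example.com/org/config.git//custom \
             github.com/enterprise-contract/config; do
    printf '%s\n  repo=%s file=%s\n' "$value" "$(policy_repo "$value")" \
        "$(find_policy_file "$demo_dir" "$value" || echo '(none found)')"
done
rm -rf "$demo_dir"
```

The third value has no subdirectory, so the lookup falls back to the top level of the checkout and reports that no policy file was found there.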
Using an EnterpriseContractPolicy Kubernetes Custom Resource (CR)
In the above example we set the POLICY_CONFIGURATION parameter in the IntegrationTestScenario Custom Resource (CR) to a git URL. It’s also possible to set it to the name of an EnterpriseContractPolicy CR present in the cluster.
The following procedure shows how to create such a CR and reference it in the POLICY_CONFIGURATION param.
Create a YAML file called policy.yaml with the following content:
apiVersion: appstudio.redhat.com/v1alpha1
kind: EnterpriseContractPolicy
metadata:
  name: ec-policy
spec:
  description: An example custom EC policy
  publicKey: k8s://openshift-pipelines/public-key
  sources:
    - name: Release policies
      policy:
        - github.com/enterprise-contract/ec-policies//policy/lib
        - github.com/enterprise-contract/ec-policies//policy/release
      data:
        - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
        - github.com/release-engineering/rhtap-ec-policy//data
      config:
        include:
          - "*"
        exclude:
          - hermetic_build_task.*
This particular example will include every rule except for rules in the hermetic_build_task package.
Ensure you have a current token and then create the CR in the cluster as follows:
$ oc create -f policy.yaml
The next step is to modify the IntegrationTestScenario CR as described above.
$ oc edit integrationtestscenario <testname>
The POLICY_CONFIGURATION value should be set to the name of the EnterpriseContractPolicy CR that was just created.
…
spec:
  params:
    - name: POLICY_CONFIGURATION
      value: ec-policy
…
Once again the API version workaround is needed, so modify the apiVersion value.
apiVersion: appstudio.redhat.com/v1alpha1
Save the YAML file to update the IntegrationTestScenario CR with the new policy configuration parameter value.
Retriggering the integration test
There’s currently no way to retrigger just the integration test, so to rerun the Enterprise Contract pipeline a retrigger of the build pipeline is required.
This can be achieved by opening a new PR, typing /retest in an existing PR, or by pushing a commit to the main branch. An empty commit works fine, so you could do this, for example:
$ git commit -m "Trigger a Konflux rebuild" --allow-empty && git push origin main
For testing and debugging Enterprise Contract policies conveniently on your workstation, you can use the ec command line tool as described here.