These tests validate Conforma (Enterprise Contract) end-to-end functionality, covering Tekton Chains signing, attestation verification, and enterprise contract policy evaluation. They are ported from konflux-ci/e2e-tests and run against an upstream Konflux instance deployed with Tekton Chains.

The test suite uses the Ginkgo framework and is labeled with `ec` for selective execution.
The tests require:

- An OpenShift or KinD cluster with Konflux deployed (including Tekton Chains and Enterprise Contract)
- The `QUAY_TOKEN` environment variable set (base64-encoded Docker config for Quay.io registry access)
- The following CRD APIs available on the cluster:
  - `Snapshot` (Application API)
  - `PipelineRun` (Tekton)
  - `EnterpriseContractPolicy` (Conforma CRDs)
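A pre-flight check for the `QUAY_TOKEN` prerequisite, added here as an example and not part of the suite: it decodes the base64 Docker config, confirms that a `quay.io` entry with a non-empty `auth` field is present, and returns only the registry names so that no credential material reaches logs or test output. The `dockerConfig` type, the `checkQuayToken` function and the sample config in the test are this example's own assumptions; only the `auths` map and its `auth` field are taken from the Docker config format.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"sort"
)

// dockerConfig mirrors the part of ~/.docker/config.json the suite needs.
// Assumed minimal shape for this example; the real file may carry more fields.
type dockerConfig struct {
	Auths map[string]struct {
		Auth string `json:"auth"`
	} `json:"auths"`
}

// checkQuayToken decodes a base64-encoded Docker config (the QUAY_TOKEN format
// used by the suite) and reports whether it carries credentials for registry.
// It returns the sorted registry names found, never the credentials themselves,
// so the result is safe to print in a failure message.
func checkQuayToken(token, registry string) ([]string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return nil, fmt.Errorf("QUAY_TOKEN is not valid base64: %w", err)
	}
	var cfg dockerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("QUAY_TOKEN does not decode to a Docker config: %w", err)
	}
	if len(cfg.Auths) == 0 {
		return nil, errors.New("Docker config has no auths entries")
	}
	registries := make([]string, 0, len(cfg.Auths))
	for r := range cfg.Auths {
		registries = append(registries, r)
	}
	sort.Strings(registries)

	entry, ok := cfg.Auths[registry]
	if !ok {
		return registries, fmt.Errorf("no credentials for %s (found: %v)", registry, registries)
	}
	if entry.Auth == "" {
		return registries, fmt.Errorf("credentials for %s have an empty auth field", registry)
	}
	return registries, nil
}

func main() {
	token := os.Getenv("QUAY_TOKEN")
	if token == "" {
		fmt.Fprintln(os.Stderr, "QUAY_TOKEN is not set")
		os.Exit(1)
	}
	regs, err := checkQuayToken(token, "quay.io")
	if err != nil {
		fmt.Fprintln(os.Stderr, "pre-flight failed:", err)
		os.Exit(1)
	}
	fmt.Println("QUAY_TOKEN ok; registries present:", regs)
}
```

Run it with the same `export QUAY_TOKEN="$(base64 -w0 < ~/.docker/config.json)"` used for the suite; `base64 -w0` emits standard, padded encoding, which is why `base64.StdEncoding` is used rather than the URL-safe variant.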
The suite covers:

- Infrastructure checks
  - Tekton Chains controller is running
  - Cosign signing secret (`signing-secrets`) is present with `cosign.key`, `cosign.pub`, and `cosign.password`
- Image build, signing, and attestation
  - A `buildah-demo` pipeline builds and pushes a container image
  - Tekton Chains creates a cosign signature (`.sig`) and attestation (`.att`) for the image
  - A
- Enterprise Contract verification (`verify-enterprise-contract` task)
  - Succeeds when the SLSA provenance policy is met
  - Reports `FAILURE` (non-strict mode) when test policies are not satisfied
  - Fails (strict mode) when test policies are not satisfied
  - Fails when an unexpected/wrong signing key is used
- EC CLI validation
  - Error handling: verifies the proper failure message when the attestation doesn't match the public key
  - Multi-image validation: accepts a list of image references for batch verification
- Release policy
  - Red Hat products pass the full Red Hat policy rule collection
  - Untrusted task references are detected and rejected
  - Unpinned task bundle references produce a `WARNING`
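The strict/non-strict behaviour of the `verify-enterprise-contract` cases and the `WARNING` result for unpinned task bundles, condensed into one added example that is not code from the e2e suite or from the task itself: it reads a reduced, assumed shape of the `ec validate image` JSON report (a top-level `success` flag plus per-component `violations` and `warnings` lists, each entry carrying a `msg`), derives a SUCCESS/WARNING/FAILURE result, and decides whether the task run itself should be marked failed. The `evaluate` function, the `Outcome` type and the sample report are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Result strings reported by the verification step.
const (
	ResultSuccess = "SUCCESS"
	ResultWarning = "WARNING"
	ResultFailure = "FAILURE"
)

// ecReport is an assumed, reduced shape of the `ec validate image` JSON
// output: only the fields this example needs are declared.
type ecReport struct {
	Success    bool `json:"success"`
	Components []struct {
		Name           string `json:"name"`
		ContainerImage string `json:"containerImage"`
		Success        bool   `json:"success"`
		Violations     []struct {
			Msg string `json:"msg"`
		} `json:"violations"`
		Warnings []struct {
			Msg string `json:"msg"`
		} `json:"warnings"`
	} `json:"components"`
}

// Outcome is what a caller (or a test case) asserts on.
type Outcome struct {
	Result     string // SUCCESS, WARNING or FAILURE
	Failures   int    // total policy violations across components
	Warnings   int    // total warnings across components
	TaskFailed bool   // whether the task run itself should fail
}

// evaluate turns a report into an Outcome. Violations (or a false top-level
// success flag) give FAILURE; warnings alone give WARNING; otherwise SUCCESS.
// Only strict mode turns a FAILURE result into a failed task run; in
// non-strict mode the FAILURE is reported and the task still succeeds.
func evaluate(reportJSON []byte, strict bool) (Outcome, error) {
	var r ecReport
	if err := json.Unmarshal(reportJSON, &r); err != nil {
		return Outcome{}, fmt.Errorf("cannot parse EC report: %w", err)
	}
	var out Outcome
	for _, c := range r.Components {
		out.Failures += len(c.Violations)
		out.Warnings += len(c.Warnings)
	}
	switch {
	case out.Failures > 0 || !r.Success:
		out.Result = ResultFailure
	case out.Warnings > 0:
		out.Result = ResultWarning
	default:
		out.Result = ResultSuccess
	}
	out.TaskFailed = strict && out.Result == ResultFailure
	return out, nil
}

// sampleReport is a constructed report with one violation and one warning;
// the image reference and messages are placeholders.
const sampleReport = `{"success":false,"components":[{"name":"app",` +
	`"containerImage":"quay.io/example/app@sha256:0000000000000000000000000000000000000000000000000000000000000000",` +
	`"success":false,"violations":[{"msg":"test policies not satisfied"}],` +
	`"warnings":[{"msg":"unpinned task bundle reference"}]}]}`

func main() {
	for _, strict := range []bool{false, true} {
		out, err := evaluate([]byte(sampleReport), strict)
		if err != nil {
			panic(err)
		}
		fmt.Printf("strict=%v result=%s violations=%d warnings=%d taskFailed=%v\n",
			strict, out.Result, out.Failures, out.Warnings, out.TaskFailed)
	}
}
```

Running the sample in both modes shows the distinction the test cases exercise: the same report yields `FAILURE` either way, but only `strict=true` also marks the task run as failed.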
To run the full suite in CI:

- Provision an OpenShift cluster. Use cluster-bot or a similar tool:

  ```bash
  workflow-launch hypershift-hostedcluster-workflow 4.15
  ```

- Install the OpenShift Pipelines operator:

  ```bash
  kubectl apply -f - <<EOF
  apiVersion: operators.coreos.com/v1alpha1
  kind: Subscription
  metadata:
    name: openshift-pipelines-operator
    namespace: openshift-operators
  spec:
    channel: latest
    name: openshift-pipelines-operator-rh
    source: redhat-operators
    sourceNamespace: openshift-marketplace
  EOF
  ```

- Create required secrets. The following secrets must exist in the pipeline namespace:

  | Secret | Purpose |
  |---|---|
  | `mapt-kind-secret` | AWS credentials for KinD cluster provisioning/deprovisioning |
  | `konflux-e2e-secrets` | E2E test secrets (e.g., `quay-token`) |
  | `konflux-test-infra` | OCI registry credentials for artifact storage |
  | `konflux-operator-e2e-credentials` | Operator-level credentials for E2E |

- Apply the pipeline definition:

  ```bash
  kubectl apply -f ./.tekton/pipelines/conforma-e2e/pipeline.yaml
  ```

- Start the pipeline:

  ```bash
  tkn pipeline start conforma-e2e-pipeline \
    --param git-url=https://github.com/conforma/e2e-tests.git \
    --param revision=main \
    --param oci-container-repo=quay.io/conforma/e2e-tests \
    --param oci-container-repo-credentials-secret=konflux-test-infra \
    --use-param-defaults \
    --showlog
  ```

The pipeline will:

- Provision a KinD cluster on AWS
- Deploy Konflux with Tekton Chains via the Konflux operator
- Run the Ginkgo test suite
- Collect artifacts and push them to OCI
- Deprovision the cluster
To test a conforma/cli PR against the e2e suite, pass the custom CLI params:

```bash
tkn pipeline start conforma-e2e-pipeline \
  --param git-url=https://github.com/conforma/e2e-tests.git \
  --param revision=main \
  --param oci-container-repo=quay.io/conforma/e2e-tests \
  --param oci-container-repo-credentials-secret=konflux-test-infra \
  --param custom-ec-cli-url=https://github.com/conforma/cli.git \
  --param custom-ec-cli-revision=<commit-sha-or-branch> \
  --use-param-defaults \
  --showlog
```

The pipeline clones the CLI repo, builds the `ec` binary, layers it onto `quay.io/conforma/cli:latest` using `crane append`, and pushes a throwaway image tagged `cli-pr-<short-sha>`. All `verify-enterprise-contract` test cases then run against the custom image instead of the released one.

When both params are empty (the default), the pipeline uses the standard task bundle and released CLI image.
If you already have a Konflux cluster running:

```bash
export KUBECONFIG=/path/to/your/kubeconfig
export QUAY_TOKEN="$(base64 -w0 < ~/.docker/config.json)"
export TEST_ENVIRONMENT=upstream
go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter="ec" ./cmd
```

Or using the Makefile:

```bash
export KUBECONFIG=/path/to/your/kubeconfig
export QUAY_TOKEN="$(base64 -w0 < ~/.docker/config.json)"
export TEST_ENVIRONMENT=upstream
make test-e2e
```

Repository layout:

```
cmd/e2e_test.go                       # Test entrypoint and BeforeSuite setup
tests/contract/contract.go            # Enterprise Contract test scenarios
pkg/
  clients/
    common/controller.go              # Kubernetes helper operations
    kubernetes/client.go              # K8s client initialization
    tekton/                           # Tekton-specific clients (bundles, chains, ECP, pipelines, signing)
  constants/constants.go              # Shared constants and timeouts
  framework/                          # Test framework (namespace creation, RBAC, reporting)
  utils/
    contract/policy.go                # ECP policy helpers
    tekton/                           # Pipeline generators, matchers, cosign utilities, task image patching
.tekton/
  pipelines/conforma-e2e/pipeline.yaml  # Tekton Pipeline for full CI execution
  conforma-e2e-pull-request.yaml        # PipelineRun trigger for pull requests
```
