Skip to content

Commit b48a61f

Browse files
committed
fix(tekton): use env vars for JSON parameters to avoid quoting issues
Pass POLICY_CONFIGURATION and EXTRA_RULE_DATA via environment variables to safely handle JSON strings in Tekton task parameters. Assisted-by: Claude 4.5 Opus
1 parent 5abcc08 commit b48a61f

2 files changed

Lines changed: 33 additions & 3 deletions

File tree

features/ta_task_validate_image.feature

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -50,3 +50,25 @@ Feature: Verify Conforma Trusted Artifact Tekton Task
5050
And the task results should match the snapshot
5151
And the task logs for step "show-config" should match the snapshot
5252

53+
Scenario: Policy configuration passed as JSON string
54+
Given a working namespace
55+
Given a snapshot artifact with content:
56+
```
57+
{
58+
"components": [
59+
{
60+
"containerImage": "quay.io/hacbs-contract-demo/golden-container@sha256:e76a4ae9dd8a52a0d191fd34ca133af5b4f2609536d32200a4a40a09fdc93a0d"
61+
}
62+
]
63+
}
64+
```
65+
When version 0.1 of the task named "verify-conforma-konflux-ta" is run with parameters:
66+
| SNAPSHOT_FILENAME | snapshotartifact |
67+
| SOURCE_DATA_ARTIFACT | oci:${REGISTRY}/acceptance/snapshotartifact@${BUILD_SNAPSHOT_DIGEST} |
68+
| POLICY_CONFIGURATION | {"publicKey":"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERhr8Zj4dZW67zucg8fDr11M4lmRp\\nzN6SIcIjkvH39siYg1DkCoa2h2xMUZ10ecbM3/ECqvBV55YwQ2rcIEa7XQ==\\n-----END PUBLIC KEY-----","sources":[{"policy":["git::github.com/conforma/policy//policy/release?ref=d34eab36b23d43748e451004177ca144296bf323","git::github.com/conforma/policy//policy/lib?ref=d34eab36b23d43748e451004177ca144296bf323"],"config":{"include":["slsa_provenance_available"]}}]} |
69+
| STRICT | true |
70+
| IGNORE_REKOR | true |
71+
| TRUSTED_ARTIFACTS_DEBUG | "true" |
72+
| ORAS_OPTIONS | --plain-http |
73+
Then the task should succeed
74+
And the task logs for step "show-config" should contain "slsa_provenance_available"

tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -295,12 +295,13 @@ spec:
295295
#!/bin/bash
296296
set -euo pipefail
297297
298-
# Build EC arguments
298+
# Build EC arguments array
299+
# POLICY_CONFIGURATION is passed via environment variable to safely handle JSON strings
299300
EC_ARGS=(
300301
validate
301302
image
302303
--images /tekton/home/snapshot.json
303-
--policy "$(params.POLICY_CONFIGURATION)"
304+
--policy "${POLICY_CONFIGURATION}"
304305
--public-key "$(params.PUBLIC_KEY)"
305306
--rekor-url "$(params.REKOR_HOST)"
306307
--ignore-rekor=$(params.IGNORE_REKOR)
@@ -311,6 +312,9 @@ spec:
311312
--show-successes
312313
--effective-time=$(params.EFFECTIVE_TIME)
313314
--extra-rule-data=$(params.EXTRA_RULE_DATA)
315+
)
316+
317+
EC_ARGS+=(
314318
--retry-max-wait "$(params.RETRY_MAX_WAIT)"
315319
--retry-max-retry "$(params.RETRY_MAX_RETRY)"
316320
--retry-duration "$(params.RETRY_DURATION)"
@@ -327,7 +331,7 @@ spec:
327331
328332
if [[ "$(params.ATTESTATION_FORMAT)" == "dsse" ]]; then
329333
if [[ -z "$(params.VSA_SIGNING_KEY)" ]]; then
330-
echo "ERROR: VSA_SIGNING_KEY required for format=dsse"
334+
echo "ERROR: VSA_SIGNING_KEY required for format=dsse" >&2
331335
exit 1
332336
fi
333337
EC_ARGS+=(--vsa-signing-key "$(params.VSA_SIGNING_KEY)")
@@ -342,6 +346,10 @@ spec:
342346
# Execute EC with constructed arguments
343347
ec "${EC_ARGS[@]}"
344348
env:
349+
# POLICY_CONFIGURATION is passed via environment variable to safely handle JSON strings
350+
# This avoids shell quoting issues when Tekton substitutes parameter values directly in scripts
351+
- name: POLICY_CONFIGURATION
352+
value: "$(params.POLICY_CONFIGURATION)"
345353
- name: SSL_CERT_DIR
346354
# The Tekton Operator automatically sets the SSL_CERT_DIR env to the value below but,
347355
# of course, without the $(param.SSL_CERT_DIR) bit. When a Task Step sets it to a

0 commit comments

Comments
 (0)