ROX-35107: Add Konflux pipeline check for post-quantum crypto policy#3463

Open
vladbologa wants to merge 3 commits into master from vb/crypto-policies-test
Conversation

@vladbologa (Contributor) commented Jun 16, 2026

Description

Verify that the built collector image has X25519MLKEM768 in /etc/crypto-policies/back-ends/opensslcnf.config, guarding against regressions of the DEFAULT:PQ crypto-policy setting.

I added this check because:

Checklist

  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests

If any of these don't apply, please comment below.

Testing Performed

CI is sufficient.
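The check the PR describes, written as a reusable shell function. This is an added example, not the PR's own Tekton task: it separates "config file missing" from "marker absent", and it counts the marker only on an uncommented line. The marker string and config path are the ones named in the PR; the two sample config files are constructed here.

```shell
#!/bin/sh
# Added example, not the PR's Tekton task: verify that the DEFAULT:PQ
# crypto-policy is active in an image's OpenSSL back-end config.
set -eu

# Marker and path are the ones named in the PR description.
PQ_MARKER="X25519MLKEM768"
PQ_CONFIG="/etc/crypto-policies/back-ends/opensslcnf.config"

# verify_pq_policy [config-path]
# Exit status: 0 marker active, 2 file missing, 3 file present but marker
# absent or only present in a comment.
verify_pq_policy() {
  cfg="${1:-$PQ_CONFIG}"
  if [ ! -f "$cfg" ]; then
    echo "FAIL: $cfg not found; crypto-policies back-end config is missing from the image"
    return 2
  fi
  # Match only when the marker appears before any '#' on the line, so a
  # commented-out entry does not produce a false PASS.
  if grep -q "^[^#]*$PQ_MARKER" "$cfg"; then
    echo "PASS: $PQ_MARKER active in $cfg"
    return 0
  fi
  echo "FAIL: $PQ_MARKER not active in $cfg (DEFAULT:PQ policy not applied?)"
  # Show the relevant lines instead of dumping the whole file into the log.
  grep -n -i -E 'groups|ciphersuites' "$cfg" || true
  return 3
}

# Constructed sample configs for a stand-alone run (not real image files).
demo_dir="$(mktemp -d)"
printf 'Groups = X25519MLKEM768:X25519:secp256r1\n' > "$demo_dir/pq.config"
printf '# Groups = X25519MLKEM768\nGroups = X25519:secp256r1\n' > "$demo_dir/nopq.config"

verify_pq_policy "$demo_dir/pq.config"
verify_pq_policy "$demo_dir/nopq.config" || echo "exit status $?"
verify_pq_policy "$demo_dir/missing.config" || echo "exit status $?"
```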

@coderabbitai (bot) commented Jun 16, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Pre-merge checks: 5 passed

  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Title check: Passed. The title accurately describes the main change: adding a Konflux pipeline check for post-quantum crypto policy verification, which aligns with the changeset adding a verify-crypto-policies task.
  • Description check: Passed. PR description includes detailed rationale and testing information, though some checklist items are unchecked.


@codecov-commenter commented Jun 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 27.34%. Comparing base (473345e) to head (77ce121).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #3463   +/-   ##
=======================================
  Coverage   27.34%   27.34%           
=======================================
  Files          95       95           
  Lines        5420     5420           
  Branches     2545     2545           
=======================================
  Hits         1482     1482           
  Misses       3211     3211           
  Partials      727      727           
Flag Coverage Δ
collector-unit-tests 27.34% <ø> (ø)


@coderabbitai (bot) left a review comment

🧹 Nitpick comments (1)
.tekton/collector-component-pipeline.yaml (1)

577-587: ⚡ Quick win

Consider adding an explicit file existence check for clearer error messages.

Currently, if /etc/crypto-policies/back-ends/opensslcnf.config doesn't exist, both grep and cat will emit "No such file or directory" errors. Adding an explicit check would provide a clearer diagnostic message distinguishing "file missing" from "marker not found."

📋 Suggested improvement
           #!/bin/bash
           set -euo pipefail
           echo "Verifying post-quantum crypto policy configuration..."
+          if [[ ! -f /etc/crypto-policies/back-ends/opensslcnf.config ]]; then
+            echo "FAIL: /etc/crypto-policies/back-ends/opensslcnf.config not found"
+            echo "The crypto-policies configuration file is missing from the image."
+            exit 1
+          fi
           if grep -q X25519MLKEM768 /etc/crypto-policies/back-ends/opensslcnf.config; then
             echo "PASS: X25519MLKEM768 found in /etc/crypto-policies/back-ends/opensslcnf.config"
           else
             echo "FAIL: X25519MLKEM768 not found in /etc/crypto-policies/back-ends/opensslcnf.config"
             echo "The post-quantum crypto policy (DEFAULT:PQ) may not be properly applied."
             cat /etc/crypto-policies/back-ends/opensslcnf.config
             exit 1
           fi
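Review bot: the unchanged `grep -q X25519MLKEM768` line that follows the new `fi` still matches a commented-out entry (a line beginning with `#` that mentions X25519MLKEM768), so the PASS branch can report success while the policy is not actually active; anchoring the pattern, e.g. `grep -q '^[^#]*X25519MLKEM768'`, makes only an uncommented occurrence pass. In the FAIL branch, `cat` dumps the entire opensslcnf.config into the task log; `grep -n -i groups` on the same file would surface the relevant line without the noise.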
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.tekton/collector-component-pipeline.yaml around lines 577 - 587, Add an
explicit file existence check before the grep command in the post-quantum crypto
policy verification script. Before attempting to grep for X25519MLKEM768 in
/etc/crypto-policies/back-ends/opensslcnf.config, use a test conditional (like [
-f ]) to verify the file exists. If the file doesn't exist, output a specific
error message distinguishing this from the case where the file exists but lacks
the marker, then exit with status 1. This ensures clear diagnostic messages for
"file missing" versus "marker not found" scenarios.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 8b42e7a and 710bab2.

📒 Files selected for processing (1)
  • .tekton/collector-component-pipeline.yaml

@vladbologa vladbologa changed the title ROX-33133: Add Konflux pipeline check for post-quantum crypto policy ROX-35107: Add Konflux pipeline check for post-quantum crypto policy Jun 16, 2026
@vladbologa vladbologa marked this pull request as ready for review June 16, 2026 13:30
@vladbologa vladbologa requested review from a team and rhacs-bot as code owners June 16, 2026 13:30
@vladbologa vladbologa requested a review from janisz June 16, 2026 13:30
@rhacs-bot rhacs-bot requested review from a team and removed request for janisz June 16, 2026 13:30
@vladbologa vladbologa requested review from Molter73 and janisz June 16, 2026 13:30
@vladbologa vladbologa marked this pull request as draft June 16, 2026 16:20
@vladbologa vladbologa force-pushed the vb/crypto-policies-test branch from 44d158f to 3922a2c Compare June 16, 2026 20:17
@vladbologa vladbologa marked this pull request as ready for review June 16, 2026 20:17
vladbologa and others added 3 commits June 17, 2026 16:55
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>
@vladbologa vladbologa force-pushed the vb/crypto-policies-test branch from 206aae4 to 77ce121 Compare June 17, 2026 14:55