fix(RELEASE-2158): refactor trusted-ca mounts in verify-conforma task

[querti]

Refactor trusted-ca volume mounts in verify-conforma-konflux-ta to use
directory mounts (/etc/ssl/certs and /mnt/trusted-ca) instead of
subPath-based mounts. This is consistent with the mount style used
across release-service-catalog tasks and ensures that the task doesn't
exit with a failure when the configmap is not present. Remove the
redundant trusted-ca volumeMount from the report step, which does
not need CA certificate access.

Assisted-by: Cursor

[coderabbitai]

Warning

Rate limit exceeded

@querti has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 5 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 49 minutes and 5 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: e8c597ec-c464-40a2-a35b-8e9e336eefb5

📥 Commits

Reviewing files that changed from the base of the PR and between a067e6e and d5f6484.

📒 Files selected for processing (1)

• tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml

📝 Walkthrough

Walkthrough

Modified the Tekton Task volume mounting configuration for the trusted-ca ConfigMap, changing from mounting a specific CA bundle file via subPath to mounting the entire ConfigMap volume read-only at a different path. A duplicate mount in the validate step was removed.

Changes

Cohort / File(s)	Summary
Tekton Task Volume Mount Configuration tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml	Updated stepTemplate volume mount for trusted-ca ConfigMap to mount the entire volume read-only at /etc/ssl/certs instead of using subPath to place file at /etc/ssl/certs/ca-custom-bundle.crt. Removed duplicate volumeMounts entry from validate step that previously mounted the ConfigMap at /etc/pki/tls/certs/ca-custom-bundle.crt.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: refactoring trusted-ca mounts in the verify-conforma task to align with project standards.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The pull request description accurately describes the changes: refactoring trusted-ca volume mounts to use directory mounts instead of subPath-based mounts, aligning with release-service-catalog conventions, and removing redundant mounts.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

Review Summary by Qodo

Refactor trusted-ca mounts in verify-conforma-konflux-ta task

🐞 Bug fix ✨ Enhancement

Walkthroughs

Description

• Refactor trusted-ca volume mounts to use directory mounts instead of subPath
• Mount /etc/ssl/certs and /mnt/trusted-ca for full CA bundle availability
• Remove redundant trusted-ca volumeMount from report step
• Align with release-service-catalog task mount conventions

Diagram

flowchart LR
  A["stepTemplate volumeMounts"] -->|"Replace subPath mounts"| B["Directory mounts"]
  B -->|"/etc/ssl/certs"| C["CA bundle directory"]
  B -->|"/mnt/trusted-ca"| D["Custom CA bundle"]
  E["report step volumeMounts"] -->|"Remove redundant"| F["Cleanup"]

Loading

File Changes

1. tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml 🐞 Bug fix +2/-8

Refactor CA bundle mounts to use directories

• Refactored stepTemplate volumeMounts to use directory mounts instead of subPath-based mounts
• Changed /etc/ssl/certs mount to use full directory instead of single file with subPath
• Changed /mnt/trusted-ca mount to use full directory instead of single file with subPath
• Removed redundant trusted-ca volumeMount from report step that does not require CA access

tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (1)   📘 Rule violations (0)   📎 Requirement gaps (0)

🐞\ ☼ Reliability (1)

1. CA mount masks system CAs 🐞 ☼

Description

The task now mounts the optional trusted-ca ConfigMap over /etc/ssl/certs, which replaces
whatever CA directory the container image ships and can break TLS if that ConfigMap is missing/empty
or not a full CA directory. This is especially risky for steps that perform HTTPS (e.g.,
initialize-tuf) and don’t set SSL_CERT_DIR/SSL_CERT_FILE, and it diverges from the repo’s other
tasks which mount the bundle via subPath into an existing cert directory to avoid masking system
CAs.

Code

tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml[R266-271]

      - name: trusted-ca
-        mountPath: /mnt/trusted-ca
+        mountPath: /etc/ssl/certs
        readOnly: true
      - name: trusted-ca
-        mountPath: /etc/ssl/certs/ca-custom-bundle.crt
-        subPath: ca-bundle.crt
+        mountPath: /mnt/trusted-ca
        readOnly: true

Evidence

The PR changes the stepTemplate to mount trusted-ca at /etc/ssl/certs, which overlays that
directory in the container. The trusted-ca volume is an optional ConfigMap volume restricted to a
single file (ca-bundle.crt), so when the ConfigMap is absent or incomplete, /etc/ssl/certs
becomes empty/limited. The initialize-tuf step executes a networked ec sigstore initialize ...
operation without any explicit SSL env configuration, so it relies on the image’s default trust
store behavior. Other tasks in this repo avoid directory masking by mounting the same ConfigMap key
via subPath into /etc/pki/tls/certs/ca-custom-bundle.crt.

tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml[262-271]
tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml[598-605]
tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml[296-311]
tasks/verify-conforma-konflux-vsa-ta/0.1/verify-conforma-konflux-vsa-ta.yaml[299-303]
tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml[405-409]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The Task mounts the optional `trusted-ca` ConfigMap directly onto `/etc/ssl/certs`, which overlays (masks) the container image’s existing CA directory. Because the volume is `optional: true` and restricted to a single file via `items`, this can leave `/etc/ssl/certs` empty/partial and break TLS for steps that rely on the image default trust store.

## Issue Context
Other tasks in this repo mount the CA bundle as a file using `subPath` into an existing cert directory (e.g. `/etc/pki/tls/certs/ca-custom-bundle.crt`) to avoid masking system certificates.

## Fix Focus Areas
- tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml[262-271]
- tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml[296-311]
- tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml[598-605]

## Concrete fix options (pick one)
1) **Safer (matches other tasks):** stop mounting onto `/etc/ssl/certs`; instead mount the ConfigMap key via `subPath` into an existing cert directory (e.g. `/etc/pki/tls/certs/ca-custom-bundle.crt`) and (optionally) keep the `/mnt/trusted-ca` directory mount.
2) **If directory mount is required:** mount to a *subdirectory* (e.g. `/etc/ssl/certs/trusted-ca` or `/mnt/trusted-ca`) and ensure all steps that need it have `SSL_CERT_DIR` include that directory (ideally via `stepTemplate.env`, preserving Tekton’s required default paths).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml`:
- Around line 266-271: Remove the redundant mount of the `trusted-ca` volume at
`/etc/ssl/certs` (keep only the `trusted-ca` mount at `/mnt/trusted-ca`) so you
don't shadow the image's CA store; then ensure any steps/containers that need
the custom CA explicitly reference `/mnt/trusted-ca` by adding it to the
SSL_CERT_DIR or setting SSL_CERT_FILE (update the existing SSL_CERT_DIR/env
entries that are used by the job to include `/mnt/trusted-ca`), and leave the
`trusted-ca` volume name unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 6057281d-c91a-41a9-9e77-e88668e470a2

📥 Commits

Reviewing files that changed from the base of the PR and between b1ede77 and a067e6e.

📒 Files selected for processing (1)

• tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Read the specific file mentioned in the review
cat -n tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml | head -n 300 | tail -n 100

Repository: conforma/cli

Length of output: 1858

---

🏁 Script executed:

# Check the volume definitions near the end of the file
wc -l tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml

Repository: conforma/cli

Length of output: 1861

---

🏁 Script executed:

# Read the volume definition section
cat -n tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml | sed -n '590,610p'

Repository: conforma/cli

Length of output: 688

---

🏁 Script executed:

# Look for SSL_CERT_DIR references in the file
rg -n "SSL_CERT_DIR" tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml -A 2 -B 2

Repository: conforma/cli

Length of output: 1097

---

🏁 Script executed:

# Read the volumeMounts section around lines 266-271
cat -n tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml | sed -n '260,280p'

Repository: conforma/cli

Length of output: 807

---

🏁 Script executed:

# Get broader context of the stepTemplate to understand the configuration
cat -n tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml | sed -n '240,290p'

Repository: conforma/cli

Length of output: 1916

---

🏁 Script executed:

# Check if there are any other references to /etc/ssl/certs or /mnt/trusted-ca
rg -n "(/etc/ssl/certs|/mnt/trusted-ca)" tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml

Repository: conforma/cli

Length of output: 262

---

Remove the redundant /etc/ssl/certs mount; it unnecessarily shadows the image's CA directory.

The trusted-ca volume is mounted twice—at both /etc/ssl/certs (line 267) and /mnt/trusted-ca (line 270). The mount at /etc/ssl/certs shadows the base image's CA directory; because the ConfigMap is optional: true and contains only ca-bundle.crt, a missing or incomplete ConfigMap can leave the directory inaccessible, breaking TLS for any tool that relies exclusively on that path. The volume is already mounted at /mnt/trusted-ca, which is the safer location. Remove the /etc/ssl/certs mount, and wire /mnt/trusted-ca via SSL_CERT_DIR or SSL_CERT_FILE in steps that need external TLS (the existing SSL_CERT_DIR at line 506 already includes fallback standard paths, but making the custom CA path explicit avoids relying on undocumented behavior).

Suggested direction

       - name: trusted-ca
-        mountPath: /etc/ssl/certs
-        readOnly: true
-      - name: trusted-ca
         mountPath: /mnt/trusted-ca
         readOnly: true

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: trusted-ca
	mountPath: /mnt/trusted-ca
	mountPath: /etc/ssl/certs
	readOnly: true
	- name: trusted-ca
	mountPath: /etc/ssl/certs/ca-custom-bundle.crt
	subPath: ca-bundle.crt
	mountPath: /mnt/trusted-ca
	readOnly: true
	- name: trusted-ca
	mountPath: /mnt/trusted-ca
	readOnly: true

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml` around
lines 266 - 271, Remove the redundant mount of the `trusted-ca` volume at
`/etc/ssl/certs` (keep only the `trusted-ca` mount at `/mnt/trusted-ca`) so you
don't shadow the image's CA store; then ensure any steps/containers that need
the custom CA explicitly reference `/mnt/trusted-ca` by adding it to the
SSL_CERT_DIR or setting SSL_CERT_FILE (update the existing SSL_CERT_DIR/env
entries that are used by the job to include `/mnt/trusted-ca`), and leave the
`trusted-ca` volume name unchanged.

[simonbaird]

@querti what do you think about code rabbit's comment?

[simonbaird]

Lgtm, but see what you think about the bot's comment.

I retriggered the tests because it seems likely the acceptance failure was a temporary flake.