Conforma Configuration

Conforma configuration is described here.

The configuration used by Conforma can be provided by an EnterpriseContractPolicy cluster resource, or it can be fetched from a git url.

For command line use of Conforma a local file can also be used.

There are some pre-defined configuration files available here.

Finding the configuration used

The output of the Conforma task includes a copy of the configuration used. You can find it under the policy key in the raw YAML output where it can be copy and pasted.

c64db6a88c99447507fb87e42c966fda
Figure 1. Viewing the configuration in log
c64db6a88c99447507fb87e42c966fda
Figure 1. Viewing the configuration in log
Notice that the public key used to verify both the signed images and the signed attestations created by Tekton Chains is available in the YAML output also. This public key is useful if you want to use Conforma outside the Konflux cluster as described here.

Modifying the Conforma configuration used in Konflux

To change which configuration is used by the Conforma integration test, it is necessary to modify the applicable "IntegrationTestScenario" cluster resouce.

This is currently not possible via the web UI, so it must be done using either kubectl or oc.

See Using custom configuration for details on how to do this.