From f1e408705c808c621b785dfc89505ab4a5b4842a Mon Sep 17 00:00:00 2001
From: Vlad Bologa
Date: Tue, 16 Jun 2026 14:00:46 +0200
Subject: [PATCH 1/4] ROX-33133: Add Konflux pipeline check for post-quantum crypto policy
Co-Authored-By: Claude Opus 4.6
---
.tekton/collector-component-pipeline.yaml | 32 +++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml
index 226778b183..9e012ac21c 100644
--- a/.tekton/collector-component-pipeline.yaml
+++ b/.tekton/collector-component-pipeline.yaml
@@ -554,6 +554,38 @@ spec:
 operator: in
 values: [ "false" ]
+ - name: verify-crypto-policies
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values: [ "false" ]
+ taskSpec:
+ params:
+ - name: IMAGE_URL
+ type: string
+ - name: IMAGE_DIGEST
+ type: string
+ steps:
+ - name: check-pq-crypto-policy
+ image: $(params.IMAGE_URL)@$(params.IMAGE_DIGEST)
+ script: |
+ #!/bin/bash
+ set -euo pipefail
+ echo "Verifying post-quantum crypto policy configuration..."
+ if grep -q X25519MLKEM768 /etc/crypto-policies/back-ends/opensslcnf.config; then
+ echo "PASS: X25519MLKEM768 found in /etc/crypto-policies/back-ends/opensslcnf.config"
+ else
+ echo "FAIL: X25519MLKEM768 not found in /etc/crypto-policies/back-ends/opensslcnf.config"
+ echo "The post-quantum crypto policy (DEFAULT:PQ) may not be properly applied."
+ cat /etc/crypto-policies/back-ends/opensslcnf.config
+ exit 1
+ fi
+
 - name: push-dockerfile
 params:
 - name: IMAGE
From 9c0b0e48cd7f49966f6439ce6e32838416c80c87 Mon Sep 17 00:00:00 2001
From: Vlad Bologa
Date: Tue, 16 Jun 2026 18:20:09 +0200
Subject: [PATCH 2/4] Apply code review suggestions
---
.tekton/collector-component-pipeline.yaml | 32 +++++++++++------------
1 file changed, 16 insertions(+), 16 deletions(-)
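Review bot: The substring match `grep -q X25519MLKEM768 /etc/crypto-policies/back-ends/opensslcnf.config` in the check-pq-crypto-policy step passes even when the group name only appears on a commented-out or otherwise inactive line, so it verifies that the token is present in the file rather than that the active policy enables the group. Anchoring the pattern to the directive that carries the group list would make the gate meaningful, e.g. `grep -Eq '^[[:space:]]*Groups[[:space:]]*=.*X25519MLKEM768' /etc/crypto-policies/back-ends/opensslcnf.config` (assuming `Groups =` is the directive this generated file uses; confirm against the rendered config). The same unanchored match is carried into the rewrites of this script in patches 2 and 3. Note also that the step runs inside the freshly built image, so it silently depends on that image shipping bash and grep; an image without a shell would fail this gate with an unrelated error rather than the FAIL message.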
diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml
index 9e012ac21c..e735e2ca60 100644
--- a/.tekton/collector-component-pipeline.yaml
+++ b/.tekton/collector-component-pipeline.yaml
@@ -555,34 +555,34 @@ spec:
 values: [ "false" ]
 - name: verify-crypto-policies
- params:
- - name: IMAGE_URL
- value: $(tasks.build-image-index.results.IMAGE_URL)
- - name: IMAGE_DIGEST
- value: $(tasks.build-image-index.results.IMAGE_DIGEST)
 when:
 - input: $(params.skip-checks)
 operator: in
 values: [ "false" ]
 taskSpec:
- params:
- - name: IMAGE_URL
- type: string
- - name: IMAGE_DIGEST
- type: string
+ description: >-
+ Verify that OpenSSL in the built collector image is configured to support post-quantum
+ cryptography (more specifically, the ML-KEM algorithm group). Regressions can occur e.g.
+ if the crypto-policy setting is removed from the Dockerfile, or the base image is changed
+ to one that does not support post-quantum cryptography.
 steps:
 - name: check-pq-crypto-policy
- image: $(params.IMAGE_URL)@$(params.IMAGE_DIGEST)
+ image: $(tasks.build-image-index.results.IMAGE_URL)@$(tasks.build-image-index.results.IMAGE_DIGEST)
+ env:
+ - name: EXPECTED_GROUP
+ value: X25519MLKEM768
+ - name: CONFIG_FILE
+ value: /etc/crypto-policies/back-ends/opensslcnf.config
 script: |
 #!/bin/bash
 set -euo pipefail
 echo "Verifying post-quantum crypto policy configuration..."
- if grep -q X25519MLKEM768 /etc/crypto-policies/back-ends/opensslcnf.config; then
- echo "PASS: X25519MLKEM768 found in /etc/crypto-policies/back-ends/opensslcnf.config"
+ if grep -q "${EXPECTED_GROUP}" "${CONFIG_FILE}"; then
+ echo "PASS: ${EXPECTED_GROUP} found in ${CONFIG_FILE}"
 else
- echo "FAIL: X25519MLKEM768 not found in /etc/crypto-policies/back-ends/opensslcnf.config"
- echo "The post-quantum crypto policy (DEFAULT:PQ) may not be properly applied."
- cat /etc/crypto-policies/back-ends/opensslcnf.config
+ cat "${CONFIG_FILE}"
+ echo "FAIL: The image's OpenSSL is not configured to support ML-KEM."
+ echo "FAIL: ${EXPECTED_GROUP} not found in ${CONFIG_FILE}"
 exit 1
 fi
From 96b731df4294b4ddbead7347d55be45da73749ad Mon Sep 17 00:00:00 2001
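Review bot: Moving `cat "${CONFIG_FILE}"` ahead of the two FAIL messages in the else branch loses the diagnostics in exactly the case the new description calls out: if the base image changes to one without crypto-policies, the file is absent, grep takes the else branch, and `set -e` aborts the script at `cat` before either FAIL line is printed. Making the dump best-effort, `cat "${CONFIG_FILE}" || echo "FAIL: ${CONFIG_FILE} is missing"`, keeps the exit status non-zero via the following `exit 1` while preserving the explanation for whoever reads the log. Patch 3 keeps the same ordering, so the fix applies there too. Separately, `${EXPECTED_GROUP}` is now an env-supplied value interpreted by grep as a regex rather than a literal, so `grep -qF` states the intent more precisely.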
From: Vlad Bologa
Date: Wed, 17 Jun 2026 13:51:24 +0200
Subject: [PATCH 3/4] Update .tekton/collector-component-pipeline.yaml
Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>
---
.tekton/collector-component-pipeline.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml
index e735e2ca60..c9c198ff0f 100644
--- a/.tekton/collector-component-pipeline.yaml
+++ b/.tekton/collector-component-pipeline.yaml
@@ -580,7 +580,9 @@ spec:
 if grep -q "${EXPECTED_GROUP}" "${CONFIG_FILE}"; then
 echo "PASS: ${EXPECTED_GROUP} found in ${CONFIG_FILE}"
 else
+ echo "Contents of ${CONFIG_FILE}:"
 cat "${CONFIG_FILE}"
+ echo
 echo "FAIL: The image's OpenSSL is not configured to support ML-KEM."
 echo "FAIL: ${EXPECTED_GROUP} not found in ${CONFIG_FILE}"
 exit 1
From 560aaddc27bbaa5701fd1e0df7d0241e52bb7029 Mon Sep 17 00:00:00 2001
From: Vlad Bologa
Date: Fri, 19 Jun 2026 15:29:04 +0200
Subject: [PATCH 4/4] Use konflux-tasks
---
.tekton/collector-component-pipeline.yaml | 44 ++++++++--------------
1 file changed, 15 insertions(+), 29 deletions(-)
diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml
index c9c198ff0f..f5a1b3559d 100644
--- a/.tekton/collector-component-pipeline.yaml
+++ b/.tekton/collector-component-pipeline.yaml
@@ -554,39 +554,25 @@ spec:
 operator: in
 values: [ "false" ]
- - name: verify-crypto-policies
+ - name: verify-pq-crypto-policies
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
 when:
 - input: $(params.skip-checks)
 operator: in
 values: [ "false" ]
- taskSpec:
- description: >-
- Verify that OpenSSL in the built collector image is configured to support post-quantum
- cryptography (more specifically, the ML-KEM algorithm group). Regressions can occur e.g.
- if the crypto-policy setting is removed from the Dockerfile, or the base image is changed
- to one that does not support post-quantum cryptography.
- steps:
- - name: check-pq-crypto-policy
- image: $(tasks.build-image-index.results.IMAGE_URL)@$(tasks.build-image-index.results.IMAGE_DIGEST)
- env:
- - name: EXPECTED_GROUP
- value: X25519MLKEM768
- - name: CONFIG_FILE
- value: /etc/crypto-policies/back-ends/opensslcnf.config
- script: |
- #!/bin/bash
- set -euo pipefail
- echo "Verifying post-quantum crypto policy configuration..."
- if grep -q "${EXPECTED_GROUP}" "${CONFIG_FILE}"; then
- echo "PASS: ${EXPECTED_GROUP} found in ${CONFIG_FILE}"
- else
- echo "Contents of ${CONFIG_FILE}:"
- cat "${CONFIG_FILE}"
- echo
- echo "FAIL: The image's OpenSSL is not configured to support ML-KEM."
- echo "FAIL: ${EXPECTED_GROUP} not found in ${CONFIG_FILE}"
- exit 1
- fi
+ taskRef:
+ params:
+ - name: name
+ value: verify-pq-crypto-policies
+ - name: bundle
+ value: quay.io/rhacs-eng/konflux-tasks:pr-105@sha256:bbda5ad1b1ffdffb4918d0c12542c0d603060a1690338a6592b0eaa46cf2119b
+ - name: kind
+ value: task
+ resolver: bundles
 - name: push-dockerfile
 params:
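Review bot: The bundle reference `quay.io/rhacs-eng/konflux-tasks:pr-105@sha256:…` is pinned by digest, which is the right choice, but the `pr-105` tag says the task comes from an unmerged pull-request build of konflux-tasks; PR tags are commonly deleted or garbage-collected, after which the digest would no longer resolve, so the reference should be re-pinned to a tag from the merged branch before this lands, with a comment above `- name: bundle` naming the konflux-tasks version it corresponds to. The inline taskSpec's `description`, which explained why the check exists and which regressions it catches, is dropped with this hunk and now lives only in the remote bundle; a short comment above `- name: verify-pq-crypto-policies`, such as `# Fails the build if the image's OpenSSL crypto policy does not enable the X25519MLKEM768 (ML-KEM) group; see verify-pq-crypto-policies in konflux-tasks.`, keeps the rationale greppable in this repository. The task's `IMAGE_URL`/`IMAGE_DIGEST` parameter names are presumably those expected by the remote task, but nothing in this file can confirm that, so a pipeline run is the only check.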