From 168776c31c34c795971bc2f5792bf0ff924a1a93 Mon Sep 17 00:00:00 2001 From: Vlad Bologa Date: Tue, 16 Jun 2026 14:00:46 +0200 Subject: [PATCH 1/5] ROX-33133: Add Konflux pipeline check for post-quantum crypto policy Co-Authored-By: Claude Opus 4.6 --- .tekton/collector-component-pipeline.yaml | 32 +++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml index 5e9446aa3b..f483ebd1d7 100644 --- a/.tekton/collector-component-pipeline.yaml +++ b/.tekton/collector-component-pipeline.yaml @@ -554,6 +554,38 @@ spec: operator: in values: [ "false" ] + - name: verify-crypto-policies + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + taskSpec: + params: + - name: IMAGE_URL + type: string + - name: IMAGE_DIGEST + type: string + steps: + - name: check-pq-crypto-policy + image: $(params.IMAGE_URL)@$(params.IMAGE_DIGEST) + script: | + #!/bin/bash + set -euo pipefail + echo "Verifying post-quantum crypto policy configuration..." + if grep -q X25519MLKEM768 /etc/crypto-policies/back-ends/opensslcnf.config; then + echo "PASS: X25519MLKEM768 found in /etc/crypto-policies/back-ends/opensslcnf.config" + else + echo "FAIL: X25519MLKEM768 not found in /etc/crypto-policies/back-ends/opensslcnf.config" + echo "The post-quantum crypto policy (DEFAULT:PQ) may not be properly applied." + cat /etc/crypto-policies/back-ends/opensslcnf.config + exit 1 + fi + - name: push-dockerfile params: - name: IMAGE From 67b29ff718cde4a633496bf550e2c00ee8b57dc7 Mon Sep 17 00:00:00 2001 From: Vlad Bologa Date: Tue, 16 Jun 2026 18:20:09 +0200 Subject: [PATCH 2/5] Apply code review suggestions --- .tekton/collector-component-pipeline.yaml | 32 +++++++++++------------ 1 file changed, 16 insertions(+), 16 deletions(-) 
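Review bot: The `grep -q X25519MLKEM768` in the check-pq-crypto-policy step is an unanchored substring match, so a commented-out or otherwise inactive occurrence of the group name in opensslcnf.config would still report PASS. If the back-end file lists TLS groups on a `Groups =` line, anchoring the match to that line, e.g. `grep -Eq '^Groups\s*=.*X25519MLKEM768' /etc/crypto-policies/back-ends/opensslcnf.config`, makes the step test what the policy actually enables rather than whether the token appears anywhere. The step also only inspects the generated policy file and does not confirm that the OpenSSL build in the image can negotiate the group; a follow-up that checks `openssl list` output from inside the image would strengthen it, assuming the image ships the openssl CLI, which the hunk does not show.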
diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml
index f483ebd1d7..e773f71416 100644
--- a/.tekton/collector-component-pipeline.yaml
+++ b/.tekton/collector-component-pipeline.yaml
@@ -555,34 +555,34 @@ spec: values: [ "false" ] - name: verify-crypto-policies - params: - - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) when: - input: $(params.skip-checks) operator: in values: [ "false" ] taskSpec: - params: - - name: IMAGE_URL - type: string - - name: IMAGE_DIGEST - type: string + description: >- + Verify that OpenSSL in the built collector image is configured to support post-quantum + cryptography (more specifically, the ML-KEM algorithm group). Regressions can occur e.g. + if the crypto-policy setting is removed from the Dockerfile, or the base image is changed + to one that does not support post-quantum cryptography. steps: - name: check-pq-crypto-policy - image: $(params.IMAGE_URL)@$(params.IMAGE_DIGEST) + image: $(tasks.build-image-index.results.IMAGE_URL)@$(tasks.build-image-index.results.IMAGE_DIGEST) + env: + - name: EXPECTED_GROUP + value: X25519MLKEM768 + - name: CONFIG_FILE + value: /etc/crypto-policies/back-ends/opensslcnf.config script: | #!/bin/bash set -euo pipefail echo "Verifying post-quantum crypto policy configuration..." - if grep -q X25519MLKEM768 /etc/crypto-policies/back-ends/opensslcnf.config; then - echo "PASS: X25519MLKEM768 found in /etc/crypto-policies/back-ends/opensslcnf.config" + if grep -q "${EXPECTED_GROUP}" "${CONFIG_FILE}"; then + echo "PASS: ${EXPECTED_GROUP} found in ${CONFIG_FILE}" else - echo "FAIL: X25519MLKEM768 not found in /etc/crypto-policies/back-ends/opensslcnf.config" - echo "The post-quantum crypto policy (DEFAULT:PQ) may not be properly applied." - cat /etc/crypto-policies/back-ends/opensslcnf.config + cat "${CONFIG_FILE}" + echo "FAIL: The image's OpenSSL is not configured to support ML-KEM." + echo "FAIL: ${EXPECTED_GROUP} not found in ${CONFIG_FILE}" exit 1 fi From 1618309ba1291a0eaf9ece32072a252a1a9849e8 Mon Sep 17 00:00:00 2001 
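Review bot: In the rewritten failure branch `cat "${CONFIG_FILE}"` now runs before the FAIL lines, and under `set -euo pipefail` a missing file (the base-image-swap regression the new description mentions) aborts the script at the cat, so the task fails without ever printing its diagnostic. Guarding the file ahead of the grep keeps the message path intact: `[[ -r "${CONFIG_FILE}" ]] || { echo "FAIL: ${CONFIG_FILE} is missing or unreadable"; exit 1; }`. The match is also still an unanchored `grep -q "${EXPECTED_GROUP}"`, so a commented-out occurrence of the group name would pass; anchoring it to the `Groups =` line, if that is how the file is laid out, closes that gap. Worth confirming that Tekton substitutes `$(tasks.build-image-index.results.*)` inside an embedded taskSpec step `image:`; the previous revision routed these values through task params, and this hunk does not show that the direct reference resolves.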
From: Vlad Bologa Date: Wed, 17 Jun 2026 13:51:24 +0200 Subject: [PATCH 3/5] Update .tekton/collector-component-pipeline.yaml Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com> --- .tekton/collector-component-pipeline.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml index e773f71416..3af2856723 100644 --- a/.tekton/collector-component-pipeline.yaml +++ b/.tekton/collector-component-pipeline.yaml @@ -580,7 +580,9 @@ spec: if grep -q "${EXPECTED_GROUP}" "${CONFIG_FILE}"; then echo "PASS: ${EXPECTED_GROUP} found in ${CONFIG_FILE}" else + echo "Contents of ${CONFIG_FILE}:" cat "${CONFIG_FILE}" + echo echo "FAIL: The image's OpenSSL is not configured to support ML-KEM." echo "FAIL: ${EXPECTED_GROUP} not found in ${CONFIG_FILE}" exit 1 From e28f457a73756e4a34333c1ff84614b0f9122fe1 Mon Sep 17 00:00:00 2001 From: Vlad Bologa Date: Fri, 19 Jun 2026 15:29:04 +0200 Subject: [PATCH 4/5] Use konflux-tasks --- .tekton/collector-component-pipeline.yaml | 44 ++++++++--------------- 1 file changed, 15 insertions(+), 29 deletions(-) diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml index 3af2856723..f4dcf99551 100644 --- a/.tekton/collector-component-pipeline.yaml +++ b/.tekton/collector-component-pipeline.yaml 
@@ -554,39 +554,25 @@ spec: operator: in values: [ "false" ] - - name: verify-crypto-policies + - name: verify-pq-crypto-policies + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) when: - input: $(params.skip-checks) operator: in values: [ "false" ] - taskSpec: - description: >- - Verify that OpenSSL in the built collector image is configured to support post-quantum - cryptography (more specifically, the ML-KEM algorithm group). Regressions can occur e.g. - if the crypto-policy setting is removed from the Dockerfile, or the base image is changed - to one that does not support post-quantum cryptography. - steps: - - name: check-pq-crypto-policy - image: $(tasks.build-image-index.results.IMAGE_URL)@$(tasks.build-image-index.results.IMAGE_DIGEST) - env: - - name: EXPECTED_GROUP - value: X25519MLKEM768 - - name: CONFIG_FILE - value: /etc/crypto-policies/back-ends/opensslcnf.config - script: | - #!/bin/bash - set -euo pipefail - echo "Verifying post-quantum crypto policy configuration..." - if grep -q "${EXPECTED_GROUP}" "${CONFIG_FILE}"; then - echo "PASS: ${EXPECTED_GROUP} found in ${CONFIG_FILE}" - else - echo "Contents of ${CONFIG_FILE}:" - cat "${CONFIG_FILE}" - echo - echo "FAIL: The image's OpenSSL is not configured to support ML-KEM." - echo "FAIL: ${EXPECTED_GROUP} not found in ${CONFIG_FILE}" - exit 1 - fi + taskRef: + params: + - name: name + value: verify-pq-crypto-policies + - name: bundle + value: quay.io/rhacs-eng/konflux-tasks:pr-105@sha256:bbda5ad1b1ffdffb4918d0c12542c0d603060a1690338a6592b0eaa46cf2119b + - name: kind + value: task + resolver: bundles - name: push-dockerfile params: From a9d45389169087ba591c8febbc1b0e840fb221ee Mon Sep 17 00:00:00 2001 
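Review bot: The inline task's `description` explaining why this check exists (crypto-policy removed from the Dockerfile, base image without PQ support) is dropped with the move to the bundle, and nothing in the pipeline now records that rationale; a comment above `- name: verify-pq-crypto-policies` such as `# Fails the build if the collector image's OpenSSL policy does not enable X25519MLKEM768 (e.g. crypto-policy dropped from the Dockerfile, or a base image without PQ support); task source lives in rhacs-eng/konflux-tasks.` would keep it next to the step. The task body is no longer reviewable from this repository, so the properties of the earlier inline script (how the group is matched in the policy file, behaviour when the file is missing) now depend on the referenced bundle and should be verified there. Pinning the bundle by digest is the right call; the digest, not the tag, is what Tekton's bundles resolver fetches, so the tag is informational only.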
From: Vlad Bologa Date: Mon, 22 Jun 2026 10:22:47 +0200 Subject: [PATCH 5/5] Update bundle --- .tekton/collector-component-pipeline.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml index f4dcf99551..9e7ee99ffd 100644 --- a/.tekton/collector-component-pipeline.yaml +++ b/.tekton/collector-component-pipeline.yaml @@ -560,19 +560,19 @@ spec: value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST value: $(tasks.build-image-index.results.IMAGE_DIGEST) - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] taskRef: params: - name: name value: verify-pq-crypto-policies - name: bundle - value: quay.io/rhacs-eng/konflux-tasks:pr-105@sha256:bbda5ad1b1ffdffb4918d0c12542c0d603060a1690338a6592b0eaa46cf2119b + value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:4d05c7ad1bcf63015b6b67787e9f024466fd2c864b69f7939a1925e307afb9b0 - name: kind value: task resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - name: push-dockerfile params: