fix(RELEASE-2397): custom ca support in verify-conforma task

[mmalina]

Refactor trusted-ca volume mounts in verify-conforma-konflux-ta to use directory mount (/mnt/trusted-ca) instead of subPath-based mounts. This is consistent with the mount style used across release-service-catalog tasks and ensures that the task doesn't exit with a failure when the configmap is not present. Remove the redundant trusted-ca volumeMount from the report step, which does not need CA certificate access.

Also, update the build-trusted-artifacts image to include a related fix for custom ca handling.

Related build-trusted-artifacts PR: konflux-ci/build-trusted-artifacts#315

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: ff146db5-d53b-42e8-a0be-2e45c180bffb

📥 Commits

Reviewing files that changed from the base of the PR and between 64c9678 and 070c7f2.

📒 Files selected for processing (1)

• tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml

---

📝 Walkthrough

Walkthrough

Modified trusted CA certificate handling in a Tekton task by removing dedicated volumeMounts, updating the build-trusted-artifacts image reference with a pinned digest, setting CA_FILE=/mnt/trusted-ca/ca-bundle.crt, and implementing conditional SSL_CERT_FILE environment variable export in the validate step.

Changes

Cohort / File(s)	Summary
Trusted CA Certificate Configuration tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml	Removed dedicated volumeMount for /etc/ssl/certs/ca-custom-bundle.crt. Updated use-trusted-artifact step to use pinned build-trusted-artifacts image digest and set CA_FILE path. Modified validate step to conditionally export SSL_CERT_FILE=/mnt/trusted-ca/ca-bundle.crt when file exists.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: fixing custom CA support in the verify-conforma task, directly matching the primary objectives of the PR.
Description check	✅ Passed	The description provides relevant details about the refactoring of CA certificate handling and references related changes, which aligns with the changeset modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mmalina]

Cc: @querti @simonbaird