
OCPBUGS-65730: add --tls-cipher-suites to oauth-apiserver deployment#8554

Open
vsolanki12 wants to merge 1 commit into
openshift:mainfrom
vsolanki12:OCPBUGS-65730-add-tls-cipher-suites-oauth-apiserver

Conversation

@vsolanki12
Contributor

@vsolanki12 vsolanki12 commented May 20, 2026

What this PR does / why we need it:

The openshift-oauth-apiserver deployed by the HyperShift Control Plane Operator (CPO) was started with --tls-min-version but without --tls-cipher-suites. In standalone OCP, the authentication-operator configures both flags. Other CPO-managed components like kube-controller-manager and kube-scheduler already include cipher suites.

This PR adds the --tls-cipher-suites argument to the oauth-apiserver deployment using config.CipherSuites(), following the same pattern as kube-controller-manager (v2/kcm/deployment.go).

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-65730

Special notes for your reviewer:

  • The fix follows the existing pattern used by KCM and kube-scheduler for setting cipher suites.
  • config.CipherSuites() defaults to Intermediate TLS profile when no profile is explicitly configured.
  • Verified on a live KubeVirt HCP cluster with a custom CPO image — --tls-cipher-suites is now present on the oauth-apiserver deployment.

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

  • New Features

    • OAuth API server deployment now adds a TLS cipher-suites parameter only when the selected TLS security profile provides a non-empty cipher list.
    • Ensures the OAuth API server enforces the appropriate minimum TLS version for each profile.
  • Tests

    • Added/updated tests to validate presence or absence of the cipher-suites parameter and correct TLS minimum version across TLS profiles.
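As an added illustration of the logic this PR describes (example code, not the project's own): a Go sketch that builds the two TLS flags per profile, emitting --tls-cipher-suites only when the profile yields a non-empty list, plus a defender-side check that reads the flag back out of a container's args and classifies each suite name against Go's crypto/tls. The profile names follow OpenShift's, but the cipher lists are a constructed, abbreviated sample and not the output of config.CipherSuites().

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// tlsProfile is a constructed stand-in for an OpenShift TLS security profile:
// the profile names match the API, the cipher lists are an abbreviated sample
// and not the operator's config.CipherSuites() output.
type tlsProfile struct {
	minVersion string   // value for --tls-min-version
	ciphers    []string // IANA names for --tls-cipher-suites; empty when nothing is configurable
}

var sampleProfiles = map[string]tlsProfile{
	"Intermediate": {
		minVersion: "VersionTLS12",
		ciphers: []string{
			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
			"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		},
	},
	// TLS 1.3 suites are not configurable in Go's crypto/tls, so a 1.3-only
	// profile yields no --tls-cipher-suites value at all.
	"Modern": {minVersion: "VersionTLS13"},
}

// BuildTLSArgs reproduces the shape of the PR's logic: always emit
// --tls-min-version, and emit --tls-cipher-suites only when the profile
// actually provides a non-empty list. An unknown or empty profile name falls
// back to Intermediate, the default the PR description mentions.
func BuildTLSArgs(profileName string) []string {
	p, ok := sampleProfiles[profileName]
	if !ok {
		p = sampleProfiles["Intermediate"]
	}
	args := []string{"--tls-min-version=" + p.minVersion}
	if len(p.ciphers) > 0 {
		args = append(args, "--tls-cipher-suites="+strings.Join(p.ciphers, ","))
	}
	return args
}

// CipherSuitesArg returns the value of --tls-cipher-suites in a container's
// args, and false when the flag is absent (the pre-fix state of the
// oauth-apiserver deployment). A value that is empty after "=" is reported
// as present-but-empty so a reviewer can distinguish the two cases.
func CipherSuitesArg(args []string) (value string, present bool) {
	const prefix = "--tls-cipher-suites="
	for _, a := range args {
		if strings.HasPrefix(a, prefix) {
			return strings.TrimPrefix(a, prefix), true
		}
	}
	return "", false
}

// ClassifyCiphers checks each name in a --tls-cipher-suites value against the
// Go TLS stack the API server is built on: "ok" for tls.CipherSuites(),
// "insecure" for tls.InsecureCipherSuites(), "unknown" for anything else.
func ClassifyCiphers(value string) map[string]string {
	known := map[string]string{}
	for _, cs := range tls.CipherSuites() {
		known[cs.Name] = "ok"
	}
	for _, cs := range tls.InsecureCipherSuites() {
		known[cs.Name] = "insecure"
	}
	out := map[string]string{}
	for _, name := range strings.Split(value, ",") {
		name = strings.TrimSpace(name)
		if name == "" {
			continue
		}
		class, found := known[name]
		if !found {
			class = "unknown"
		}
		out[name] = class
	}
	return out
}

func main() {
	for _, profile := range []string{"Intermediate", "Modern"} {
		args := BuildTLSArgs(profile)
		fmt.Printf("%s: %v\n", profile, args)
		if v, ok := CipherSuitesArg(args); ok {
			fmt.Printf("  cipher classes: %v\n", ClassifyCiphers(v))
		} else {
			fmt.Println("  no --tls-cipher-suites (expected for a TLS 1.3-only profile)")
		}
	}
}
```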

@openshift-merge-bot
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci
Contributor

openshift-ci Bot commented May 20, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 20, 2026
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 20, 2026
@openshift-ci-robot

@vsolanki12: This pull request references Jira Issue OCPBUGS-65730, which is invalid:

  • expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "4.21.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added do-not-merge/needs-area area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release and removed do-not-merge/needs-area labels May 20, 2026
@coderabbitai
Contributor

coderabbitai Bot commented May 20, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 839ced3 and 6e74cbe.

⛔ Files ignored due to path filters (5)
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/AROSwift/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/GCP/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/IBMCloud/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml is excluded by !**/testdata/**
📒 Files selected for processing (2)
  • control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go

📝 Walkthrough

Walkthrough

This PR adds TLS cipher suites configuration to the OAuth API server deployment controller. The adaptDeployment function now conditionally appends a --tls-cipher-suites argument to the container command when the selected TLS security profile specifies non-empty cipher suites. A new test case validates this behavior for the Intermediate TLS profile, and the existing TLS test was extended to assert the cipher-suites argument is absent for profiles that return no suites.

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00%, which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Test Structure And Quality | ⚠️ Warning | Most test assertions lack meaningful failure messages: 56 assertions without messages vs 6 with. Violates requirement 4: messages help diagnose test failures. | Add failure messages to assertions, e.g. change `g.Expect(err).ToNot(HaveOccurred())` to `g.Expect(err).ToNot(HaveOccurred(), "failed to adapt deployment")` |

✅ Passed checks (10 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding the --tls-cipher-suites argument to the oauth-apiserver deployment, which aligns with the code modifications shown in the summary. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All test names use static string literals; no dynamic values, generated identifiers, or Ginkgo declarations found. The new test name follows the same stable pattern. |
| Microshift Test Compatibility | ✅ Passed | No Ginkgo e2e tests added. The PR modifies unit tests using Go's standard testing package, not the Ginkgo framework (Describe/It/Context/When patterns). Check applies only to Ginkgo e2e tests. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | The PR contains only Go unit tests (testing.T), not Ginkgo e2e tests (It/Describe/Context). The SNO check applies only to Ginkgo e2e tests, so it does not apply here. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | The PR adds TLS cipher suite arguments only; no scheduling constraints (affinity, topology spread, replicas, nodeSelector, tolerations, PDB) are modified or introduced. |
| Ote Binary Stdout Contract | ✅ Passed | The PR modifies standard Go unit test files with no process-level code or stdout writes. Not applicable to the OTE binary stdout contract. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | Custom check applies only to new Ginkgo e2e tests. These are standard Go unit tests in control-plane-operator, not e2e tests. No IPv4 assumptions or external connectivity. |


@vsolanki12 vsolanki12 force-pushed the OCPBUGS-65730-add-tls-cipher-suites-oauth-apiserver branch from 8a7a3f9 to d2388a6 Compare May 20, 2026 10:51
@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 20, 2026
@openshift-ci-robot

@vsolanki12: This pull request references Jira Issue OCPBUGS-65730, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (yli2@redhat.com), skipping review request.


@vsolanki12
Contributor Author

/jira refresh

@openshift-ci-robot

@vsolanki12: This pull request references Jira Issue OCPBUGS-65730, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (yli2@redhat.com), skipping review request.


@vsolanki12 vsolanki12 force-pushed the OCPBUGS-65730-add-tls-cipher-suites-oauth-apiserver branch from d2388a6 to c2fd13b Compare May 20, 2026 10:54
Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go (1)

111-152: 💤 Low value

Consider adding a negative assertion for cipher suites in the Modern TLS profile test.

The Modern TLS profile test validates --tls-min-version=VersionTLS13 but doesn't explicitly verify that --tls-cipher-suites is absent. While the test would likely fail if cipher suites were incorrectly added, a negative assertion would make the expected behavior clearer and improve test coverage.

💡 Suggested enhancement
 container := podspec.FindContainer(ComponentName, deployment.Spec.Template.Spec.Containers)
 g.Expect(container).ToNot(BeNil())
 g.Expect(container.Args).To(ContainElement("--tls-min-version=VersionTLS13"))
+g.Expect(container.Args).ToNot(ContainElement(ContainSubstring("--tls-cipher-suites=")))
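Review bot: the added negative assertion matches on ContainSubstring, which would also trip on any unrelated argument that happens to embed that text; Gomega's HavePrefix("--tls-cipher-suites=") pins the check to the flag itself, i.e. `g.Expect(container.Args).ToNot(ContainElement(HavePrefix("--tls-cipher-suites=")))`. The one-line matcher form is otherwise the right shape for an absence check and matches the style of the surrounding assertions.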


📥 Commits

Reviewing files that changed from the base of the PR and between 9e283ae and d2388a6.

📒 Files selected for processing (2)
  • control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go

@codecov

codecov Bot commented May 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.34%. Comparing base (294fa41) to head (6e74cbe).
⚠️ Report is 47 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8554      +/-   ##
==========================================
+ Coverage   40.00%   40.34%   +0.34%     
==========================================
  Files         751      755       +4     
  Lines       92863    93170     +307     
==========================================
+ Hits        37147    37590     +443     
+ Misses      53024    52877     -147     
- Partials     2692     2703      +11     
| Files with missing lines | Coverage Δ |
|---|---|
| ...ostedcontrolplane/v2/oauth_apiserver/deployment.go | 100.00% <100.00%> (ø) |

... and 18 files with indirect coverage changes

| Flag | Coverage Δ |
|---|---|
| cmd-support | 34.30% <ø> (+0.21%) ⬆️ |
| cpo-hostedcontrolplane | 41.77% <100.00%> (+1.20%) ⬆️ |
| cpo-other | 40.14% <ø> (ø) |
| hypershift-operator | 50.72% <ø> (+0.20%) ⬆️ |
| other | 31.54% <ø> (ø) |


Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go (2)

111-152: 💤 Low value

Consider verifying that Modern TLS profile does not include --tls-cipher-suites argument.

The existing Modern profile test validates --tls-min-version=VersionTLS13 but doesn't explicitly verify the absence of the --tls-cipher-suites argument. Since Modern profile (TLS 1.3) uses a different cipher suite mechanism and the implementation only adds --tls-cipher-suites when the list is non-empty, adding an assertion for absence would make the test coverage more complete and explicitly document the expected behavior.

🧪 Optional: Add assertion for cipher suites absence
 				container := podspec.FindContainer(ComponentName, deployment.Spec.Template.Spec.Containers)
 				g.Expect(container).ToNot(BeNil())
 				g.Expect(container.Args).To(ContainElement("--tls-min-version=VersionTLS13"))
+				// Modern profile (TLS 1.3) should not include cipher suites argument
+				for _, arg := range container.Args {
+					g.Expect(arg).ToNot(ContainSubstring("--tls-cipher-suites"), "Modern profile should not configure cipher suites")
+				}
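Review bot: the per-argument loop in the added lines re-implements what one matcher already expresses; `g.Expect(container.Args).ToNot(ContainElement(HavePrefix("--tls-cipher-suites=")), "Modern profile should not configure cipher suites")` gives the same failure message and stays consistent with the ContainElement style used two lines above. The explanatory comment on the first added line is worth keeping either way, since it records why the TLS 1.3 profile carries no cipher list.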

This explicitly documents that TLS 1.3 (Modern) doesn't use the --tls-cipher-suites flag, making the test suite's coverage of both positive and negative cases clearer.


194-194: 💤 Low value

Consider validating the actual cipher suite values in addition to argument presence.

The test currently uses ContainElement(ContainSubstring("--tls-cipher-suites=")) which only verifies the argument is present but not that it contains the expected Intermediate profile cipher suites. While this approach avoids brittleness if the cipher suite list changes, it doesn't catch potential issues where the argument is present but has incorrect or empty values.

💡 Optional: More robust assertion
 				g.Expect(container.Args).To(ContainElement("--tls-min-version=VersionTLS12"))
-				g.Expect(container.Args).To(ContainElement(ContainSubstring("--tls-cipher-suites=")))
+				// Verify cipher suites argument exists and is non-empty
+				var cipherSuitesArg string
+				for _, arg := range container.Args {
+					if strings.HasPrefix(arg, "--tls-cipher-suites=") {
+						cipherSuitesArg = arg
+						break
+					}
+				}
+				g.Expect(cipherSuitesArg).ToNot(BeEmpty(), "should have --tls-cipher-suites argument")
+				g.Expect(strings.TrimPrefix(cipherSuitesArg, "--tls-cipher-suites=")).ToNot(BeEmpty(), "cipher suites list should not be empty")
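Review bot: the added lines call strings.HasPrefix and strings.TrimPrefix but the hunk adds no import, so this only compiles if deployment_test.go already imports "strings"; the same contract can be expressed without a new import as `g.Expect(container.Args).To(ContainElement(MatchRegexp(`^--tls-cipher-suites=.+`)))`, which asserts both presence and a non-empty value in one matcher. Note also that the production code only emits the flag when the list is non-empty, so the non-empty check documents that contract rather than guarding against a reachable state.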

Note: This is optional since the current substring match is simpler and sufficient for verifying the feature works correctly.



📥 Commits

Reviewing files that changed from the base of the PR and between d2388a6 and c2fd13b.

📒 Files selected for processing (2)
  • control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go

@vsolanki12 vsolanki12 force-pushed the OCPBUGS-65730-add-tls-cipher-suites-oauth-apiserver branch from c2fd13b to 839ced3 Compare May 20, 2026 11:05
The openshift-oauth-apiserver was started with --tls-min-version
but without --tls-cipher-suites, unlike standalone OCP and other
CPO-managed components (KCM, kube-scheduler).

This adds the cipher suites arg using config.CipherSuites(),
following the same pattern as kube-controller-manager.
@vsolanki12 vsolanki12 force-pushed the OCPBUGS-65730-add-tls-cipher-suites-oauth-apiserver branch from 839ced3 to 6e74cbe Compare May 20, 2026 11:19
@vsolanki12 vsolanki12 marked this pull request as ready for review May 20, 2026 11:42
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 20, 2026
@openshift-ci openshift-ci Bot requested review from muraee and sdminonne May 20, 2026 11:46
@openshift-ci
Contributor

openshift-ci Bot commented May 20, 2026

@vsolanki12: all tests passed!

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@muraee
Contributor

muraee commented May 20, 2026

/approve

@openshift-ci
Contributor

openshift-ci Bot commented May 20, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: muraee, vsolanki12


@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 20, 2026
@hypershift-jira-solve-ci

Now I have the complete analysis. Here is the report:

Test Failure Analysis Complete

Job Information

  • Prow Job: Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main
  • Build ID: hypershift-operator-main-enterprise-contract-b6f2d
  • Second Job: Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main
  • Second Build ID: hypershift-operator-enterprise-contract-kfpjv
  • PR: #8554 — OCPBUGS-65730: add --tls-cipher-suites to oauth-apiserver deployment
  • Snapshot: hypershift-operator-20260520-114250-000
  • Component: hypershift-operator-main

Test Failure Analysis

Error

Enterprise Contract verify step: 254 success(es), 24 warning(s), 2 failure(s)

Rule: prefetch_dependencies.package_registry_proxy_enabled
Failure message: Task 'prefetch-dependencies-oci-ta' does not have the
enable-package-registry-proxy parameter set to true

Summary

Both Enterprise Contract (EC) checks fail because PR #8554's .tekton/pipelines/common-operator-build.yaml is missing the enable-package-registry-proxy: "true" parameter on the prefetch-dependencies task. This parameter became mandatory on 2026-05-13 via the EC policy rule prefetch_dependencies.package_registry_proxy_enabled (with effective_on: 2026-05-13T00:00:00Z). The fix was merged to main via PR #8552 (commit b42412952e) on 2026-05-20T13:52Z, but PR #8554 was created at 2026-05-20T10:48Z — before the fix landed — so its branch carries the old, non-compliant pipeline definition. This is not caused by the PR's code changes (which only add --tls-cipher-suites to the oauth-apiserver deployment). The failures are identical to those seen on PR #8555 and PR #8556, and were also present on the main branch itself (commits ca519ed7 through a7d68da7) until the fix was merged.

Root Cause

The Enterprise Contract policy prefetch_dependencies.package_registry_proxy_enabled was introduced with an effective_on date of 2026-05-13T00:00:00Z in the enterprise-contract/ec-policies repository. This rule requires the prefetch-dependencies-oci-ta Tekton task to have the parameter enable-package-registry-proxy set to "true".

PR #8554's branch was created from a base commit (9e283aee) that predates the fix. Pipelines-as-Code (PaC) reads the .tekton/ configuration from the PR branch itself, not from the target branch. Since PR #8554 did not modify any .tekton/ files, its pipeline definition is stale and lacks the required parameter.

The fix was delivered in PR #8552 (commit b42412952e90730cce0699126abad6dd4cf2d592), which added:

- name: enable-package-registry-proxy
  value: "true"

to both .tekton/pipelines/common-operator-build.yaml and .tekton/hypershift-operator-main-tag.yaml. This fix was merged to main on 2026-05-20T13:52Z. After the fix, the main branch EC checks transitioned from failure to neutral (warnings only, 0 failures).

The 2 failures correspond to the same rule evaluated against 2 SLSA provenance attestations generated during the build (one for the buildah-remote task and one for the build-image-index task), each containing a reference to the prefetch-dependencies-oci-ta task invocation.

Recommendations
  1. Rebase PR OCPBUGS-65730: add --tls-cipher-suites to oauth-apiserver deployment #8554 on main — This will pick up the .tekton/pipelines/common-operator-build.yaml fix from commit b42412952e and resolve the EC failures. No code changes to the PR itself are needed.

    git fetch upstream main
    git rebase upstream/main
    git push --force-with-lease
  2. No action needed on the PR's code changes — The --tls-cipher-suites addition to the oauth-apiserver deployment is unrelated to the EC failure. All Prow CI checks (ci/prow/images, ci/prow/verify-deps, ci/prow/security) and GitHub Actions checks (unit tests, lint, verify, envtest) passed successfully.

  3. Other affected PRs — PRs build(deps): bump google.golang.org/api from 0.279.0 to 0.280.0 in the misc-dependencies group across 1 directory #8555 and OCPBUGS-86329: cpo: turn off cluster-api crdmigrator controller #8556 have the same issue and also need rebasing. Any PR created before 2026-05-20T13:52Z that triggers the hypershift-operator-main build will encounter this failure until rebased.

Evidence

| Evidence | Detail |
|---|---|
| Failing EC rule | prefetch_dependencies.package_registry_proxy_enabled (source) |
| Rule effective date | 2026-05-13T00:00:00Z |
| Missing parameter | enable-package-registry-proxy: "true" on the prefetch-dependencies-oci-ta task |
| Fix commit | b42412952e (part of PR #8552) |
| Fix merged to main | 2026-05-20T13:52Z |
| PR #8554 created | 2026-05-20T10:48Z (before fix) |
| PR #8554 base commit | 9e283aee4b29841c98c45f0130825cf61df4624c (2026-05-19, pre-fix) |
| Main branch after fix | neutral: 512 successes, 16 warnings, 0 failures |
| PR #8554 (pre-fix branch) | failure: 254 successes, 24 warnings, 2 failures |
| Main branch before fix | failure: 508 successes, 48 warnings, 4 failures (multi-arch) |
| Same failure on PR #8555 | ✅ Confirmed: identical 254/24/2 pattern |
| Same failure on PR #8556 | ✅ Confirmed: identical 254/24/2 pattern |
| PR code changes unrelated | Only changes: deployment.go, deployment_test.go, testdata YAML fixtures |
| All other CI checks | ✅ Passed (Prow images, verify-deps, security, unit tests, lint) |
