filter only cma namespace for scan by miyadav · Pull Request #74671 · openshift/release

miyadav · 2026-02-10T10:51:55Z

/hold

openshift-ci · 2026-02-10T10:52:41Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: miyadav
Once this PR has been reviewed and has the lgtm label, please assign radekmanak for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

miyadav · 2026-02-10T10:53:31Z

/pj-rehearse pull-ci-openshift-cluster-machine-approver-release-4.22-tls13-conformance-cma

openshift-ci-robot · 2026-02-10T10:53:33Z

@miyadav: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

damdo · 2026-02-10T16:02:26Z

+- dockerfile_literal: |
+    FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.22 AS builder
+    WORKDIR /app
+    RUN git clone --depth=1 --branch=main https://github.com/openshift/tls-scanner.git . && \
+        make
+
+    FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
+    ARG OC_VERSION=latest
+    ARG UMOCI_VERSION=latest
+    RUN dnf -y update && \
+        dnf install -y binutils file go podman runc jq skopeo nmap tar lsof && \
+        dnf clean all
+    RUN wget -O "openshift-client-linux-${OC_VERSION}.tar.gz" "https://mirror.openshift.com/pub/openshift-v4/amd64/clients/ocp/${OC_VERSION}/openshift-client-linux.tar.gz" && \
+        tar -C /usr/local/bin -xzvf "openshift-client-linux-$OC_VERSION.tar.gz" oc && \
+        rm -f "openshift-client-linux-$OC_VERSION.tar.gz"
+    RUN curl --fail --retry 3 -LJO https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest-4.14/opm-linux.tar.gz && \
+        tar -xzf opm-linux.tar.gz && \
+        mv ./opm /usr/local/bin/ && \
+        rm -f opm-linux.tar.gz
+    RUN wget -O /usr/local/bin/umoci "https://github.com/opencontainers/umoci/releases/$UMOCI_VERSION/download/umoci.linux.amd64" && \
+        chmod +x /usr/local/bin/umoci
+    COPY --from=builder /app/bin/tls-scanner /usr/local/bin/tls-scanner
+    ENTRYPOINT ["/usr/local/bin/tls-scanner -namespace-filter openshift-cluster-machine-approver -all-pods"]
+    LABEL com.redhat.component="tls-scanner"
+  to: tls-scanner-tool


Do you think we could try and use this step from the registry : https://github.com/openshift/release/tree/0a352ddeb78172b9e2853774fef8b99e62869c5f/ci-operator/step-registry/tls/scanner/run ?

I think we need to investigate how to set the -namespace-filter and -all-pods flags with it though, or propose a modification to it.

miyadav · 2026-02-10T17:29:19Z

/pj-rehearse pull-ci-openshift-cluster-machine-approver-release-4.22-tls13-conformance-cma

openshift-ci-robot · 2026-02-10T17:29:21Z

@miyadav: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci-robot · 2026-02-10T17:30:41Z

[REHEARSALNOTIFIER]
@miyadav: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-cluster-machine-approver-release-4.22-tls13-conformance-cma	openshift/cluster-machine-approver	presubmit	Presubmit changed
pull-ci-openshift-cluster-machine-approver-release-4.22-e2e-aws	openshift/cluster-machine-approver	presubmit	Ci-operator config changed
pull-ci-openshift-cluster-machine-approver-release-4.22-e2e-aws-capi-techpreview	openshift/cluster-machine-approver	presubmit	Ci-operator config changed
pull-ci-openshift-cluster-machine-approver-release-4.22-e2e-aws-operator	openshift/cluster-machine-approver	presubmit	Ci-operator config changed
pull-ci-openshift-cluster-machine-approver-release-4.22-e2e-azure-operator	openshift/cluster-machine-approver	presubmit	Ci-operator config changed
pull-ci-openshift-cluster-machine-approver-release-4.22-e2e-gcp-operator	openshift/cluster-machine-approver	presubmit	Ci-operator config changed
pull-ci-openshift-cluster-machine-approver-release-4.22-e2e-upgrade	openshift/cluster-machine-approver	presubmit	Ci-operator config changed
pull-ci-openshift-cluster-machine-approver-release-4.22-images	openshift/cluster-machine-approver	presubmit	Ci-operator config changed
pull-ci-openshift-cluster-machine-approver-release-4.22-unit	openshift/cluster-machine-approver	presubmit	Ci-operator config changed
pull-ci-openshift-cluster-machine-approver-release-4.22-verify-deps	openshift/cluster-machine-approver	presubmit	Ci-operator config changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

miyadav · 2026-02-11T06:50:39Z

/pj-rehearse pull-ci-openshift-cluster-machine-approver-release-4.22-tls13-conformance-cma

openshift-ci-robot · 2026-02-11T06:50:42Z

@miyadav: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci · 2026-02-11T12:11:32Z

@miyadav: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-bot · 2026-03-16T07:40:17Z

Issues in openshift/release go stale after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 15d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot · 2026-03-31T08:24:47Z

Stale issue in openshift/release rot after 15d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 15d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

openshift-ci · 2026-03-31T08:25:02Z

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-bot · 2026-04-15T13:20:02Z

Rotten issues in openshift/release close after 15d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci · 2026-04-15T13:20:34Z

@openshift-bot: Closed this PR.

Details

In response to this:

Rotten issues in openshift/release close after 15d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

filter only cma namespace for scan

f429bf3

openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 10, 2026

openshift-ci Bot requested review from RadekManak and chrischdi February 10, 2026 10:52

damdo reviewed Feb 10, 2026

View reviewed changes

update workflow instead of generic use tls13 cluster

a0688bd

openshift-ci Bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 16, 2026

openshift-ci Bot closed this Apr 15, 2026

Conversation

miyadav commented Feb 10, 2026

Uh oh!

openshift-ci Bot commented Feb 10, 2026

Uh oh!

miyadav commented Feb 10, 2026

Uh oh!

openshift-ci-robot commented Feb 10, 2026

Uh oh!

damdo Feb 10, 2026

Choose a reason for hiding this comment

Uh oh!

miyadav commented Feb 10, 2026

Uh oh!

openshift-ci-robot commented Feb 10, 2026

Uh oh!

openshift-ci-robot commented Feb 10, 2026

Uh oh!

miyadav commented Feb 11, 2026

Uh oh!

openshift-ci-robot commented Feb 11, 2026

Uh oh!

openshift-ci Bot commented Feb 11, 2026

Uh oh!

openshift-bot commented Mar 16, 2026

Uh oh!

openshift-bot commented Mar 31, 2026

Uh oh!

openshift-ci Bot commented Mar 31, 2026

Uh oh!

openshift-bot commented Apr 15, 2026

Uh oh!

openshift-ci Bot commented Apr 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants