
ci: tls-scanner informing on 4.22 and 5.0 payload #79758

Merged: openshift-merge-bot[bot] merged 1 commit into openshift:main from smith-xyz:tls-scan-informing-job on May 28, 2026

Conversation

@smith-xyz
Contributor

@smith-xyz smith-xyz commented May 27, 2026

Adds the TLS scanner as an informing job on the 4.22 and 5.0 OCP payloads.

Summary by CodeRabbit

This PR wires the TLS scanner into OpenShift nightly release pipelines for 4.22 and 5.0 as an informing (non-blocking) payload check, and adds matching disabled/optional private verify entries.

What changed in practical terms

  • ci-operator job definitions for openshift-release-main nightly pipelines (4.22 and 5.0):
    • Adds a base_images entry tls-scanner-tool pointing to the tls-scanner image in the tls-scanner namespace (tag: tls-scanner-tool).
    • Adds a periodic tests job tls-scan (scheduled @yearly) that runs the tls-scanner-run test on the openshift-org-aws cluster profile using the ipi-aws workflow and sets compute resources (COMPUTE_NODE_TYPE m5.2xlarge as configured in job metadata).
    • Updates the step-registry ref for the TLS scanner run to use from: cli (cli: latest) with the same commands/envs (tls-scanner-run-ref.yaml), instead of the previous src ref.
  • release-controller verification configs (core-services/_releases) for 4.22 and 5.0:
    • Adds an optional verify entry tls-scan that references the new periodic Prow jobs:
      • 4.22 -> periodic-ci-openshift-release-main-nightly-4.22-tls-scan
      • 5.0 -> periodic-ci-openshift-release-main-nightly-5.0-tls-scan
    • Adds corresponding priv release-controller entries for tls-scan that are disabled and optional, pointing at the -priv Prow job names.

Practical impact

  • Nightly release payloads for 4.22 and 5.0 will be scanned for TLS/certificate issues and report results as informing checks; these are optional and do not block promotions.
  • Changing the step ref to cli should avoid earlier transient dependency resolution errors referencing pipeline/src image links (reviewers suggested a rerun after the fix).

Files touched (high level)

  • ci-operator/config/openshift/release/openshift-release-main__nightly-4.22.yaml
  • core-services/release-controller/_releases/release-ocp-4.22.json
  • ci-operator/config/openshift/release/openshift-release-main__nightly-5.0.yaml
  • core-services/release-controller/_releases/release-ocp-5.0.json
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
  • core-services/release-controller/_releases/priv/release-ocp-4.22.json
  • core-services/release-controller/_releases/priv/release-ocp-5.0.json

Notes from PR discussion

  • Reviewer reported transient CI errors about missing step dependencies ("could not sort nodes" / missing internalImageStreamTag links). The author attempted rehearse commands and changed the step ref to cli; a rerun was suggested.
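The configuration the description above refers to, laid out as an added example for orientation: this is not the PR's diff and not openshift/release's own text. File paths, job names, image coordinates, the cluster profile, the workflow and the COMPUTE_NODE_TYPE value come from the description; the key layout follows the ci-operator config, step-registry and release-controller formats as I know them; the `commands` filename is assumed from the step-registry naming convention; and the comment on the `@yearly` cron is my own reading (an assumption) of why a per-payload informing job carries a near-dormant schedule.

```yaml
# Added example reconstructed from the PR description; not the merged diff.

# --- ci-operator/config/openshift/release/openshift-release-main__nightly-4.22.yaml (excerpt) ---
base_images:
  tls-scanner-tool:                 # name other steps reference via `from:` / `dependencies`
    name: tls-scanner
    namespace: tls-scanner
    tag: tls-scanner-tool
tests:
- as: tls-scan
  cron: '@yearly'                   # assumption: release-controller triggers the job per payload,
                                    # so the cron only has to exist, not fire on its own
  steps:
    cluster_profile: openshift-org-aws
    env:
      COMPUTE_NODE_TYPE: m5.2xlarge
    test:
    - ref: tls-scanner-run
    workflow: ipi-aws

# --- ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml (excerpt) ---
ref:
  as: tls-scanner-run
  from: cli                         # previously `src`: that made the step depend on pipeline:src,
                                    # which the rehearsal reported as an unsatisfiable dependency
  cli: latest                       # injects the oc binary into the step's image
  commands: tls-scanner-run-commands.sh   # assumed name; follows the <ref>-commands.sh convention

# --- core-services/release-controller/_releases/release-ocp-4.22.json (excerpt; JSON is valid YAML) ---
{"verify": {"tls-scan": {
  "optional": true,                 # informing only: never gates payload acceptance or promotion
  "prowJob": {"name": "periodic-ci-openshift-release-main-nightly-4.22-tls-scan"}}}}

# --- core-services/release-controller/_releases/priv/release-ocp-4.22.json (excerpt) ---
{"verify": {"tls-scan": {
  "disabled": true,                 # not run on the priv stream yet
  "optional": true,
  "prowJob": {"name": "periodic-ci-openshift-release-main-nightly-4.22-tls-scan-priv"}}}}
```

The flags that matter for a reviewer are `optional: true` on the public entries and `disabled: true` plus `optional: true` on the priv entries: the scan result is attached to each nightly payload as an informing signal that a human has to act on, and dropping `optional` would silently turn the scanner into a blocking check. The 5.0 files differ only in the version embedded in the file name and the Prow job name.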

@coderabbitai
Contributor

coderabbitai Bot commented May 27, 2026

No actionable comments were generated in the recent review. 🎉

Walkthrough

Registers a TLS scanner image, schedules yearly tls-scan periodic tests in nightly CI configs for OpenShift 4.22 and 5.0, updates the tls-scanner-run step ref to cli, and adds optional tls-scan verify entries (public and priv) pointing to the corresponding Prow jobs.

Changes

TLS Scanner Integration for OpenShift releases

  • Base image entries (ci-operator/config/openshift/release/openshift-release-main__nightly-4.22.yaml, ci-operator/config/openshift/release/openshift-release-main__nightly-5.0.yaml): adds tls-scanner-tool base_images entries pointing to the tls-scanner image in the tls-scanner namespace with tag tls-scanner-tool.
  • Periodic tls-scan tests (same two nightly config files): defines a yearly tls-scan periodic test job that runs tls-scanner-run on the openshift-org-aws cluster profile using the ipi-aws workflow and sets COMPUTE_NODE_TYPE: m5.2xlarge.
  • Step registry ref update (ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml): changes the tls-scanner-run step ref source from src to cli.
  • Release verification integration, public (core-services/release-controller/_releases/release-ocp-4.22.json, core-services/release-controller/_releases/release-ocp-5.0.json): adds optional tls-scan verify entries referencing the periodic-ci-openshift-release-main-nightly-4.22-tls-scan and periodic-ci-openshift-release-main-nightly-5.0-tls-scan Prow jobs.
  • Release verification integration, priv (core-services/release-controller/_releases/priv/release-ocp-4.22.json, core-services/release-controller/_releases/priv/release-ocp-5.0.json): adds disabled/optional tls-scan verify entries wired to the periodic-ci-openshift-release-main-nightly-4.22-tls-scan-priv and periodic-ci-openshift-release-main-nightly-5.0-tls-scan-priv Prow jobs.



Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

Failed checks (1 error)

  • Container-Privileges: Error. The tls-scanner pod spec contains hostNetwork: true, hostPID: true, privileged: true, and runs as root (runAsUser: 0) with cluster-admin. Resolution: review and justify the privileged settings if necessary, or implement non-privileged alternatives for TLS scanner operations.

Passed checks (14 passed)

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly describes the main change: adding TLS scanner as an informing job for OpenShift 4.22 and 5.0 payloads, which matches the changeset modifications.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: Passed. PR contains only CI/CD configuration files (YAML/JSON), no Ginkgo test code. Check for dynamic test names is not applicable.
  • Test Structure And Quality: Passed. Check is not applicable: PR contains only CI/release configuration files (YAML/JSON), not Ginkgo test code that the check is designed to review.
  • Microshift Test Compatibility: Passed. This PR does not add any new Ginkgo e2e tests. It adds CI configuration and a shell script-based TLS scanner step, which are not within the scope of the MicroShift Test Compatibility check.
  • Single Node Openshift (Sno) Test Compatibility: Passed. This PR does not add any Ginkgo e2e tests. The tls-scan test is a shell script-based CI step, not a Ginkgo test, so the custom check is not applicable.
  • Topology-Aware Scheduling Compatibility: Passed. PR adds CI/CD job configs (Prow jobs, release controller, step registry) only, not deployment manifests, operator code, or controllers. Topology-aware scheduling check not applicable.
  • Ote Binary Stdout Contract: Passed. PR adds only CI config and bash scripts; no Go OTE binaries modified. Step registry scripts run as test steps with framework-managed output, not as main OTE binaries requiring JSON stdout contracts.
  • Ipv6 And Disconnected Network Test Compatibility: Passed. PR adds CI infrastructure and a TLS scanning tool step (shell script), not Ginkgo e2e tests. The custom check is not applicable as it targets new Ginkgo test code only.
  • No-Weak-Crypto: Passed. PR adds CI configuration for a TLS scanner that detects weak crypto, not one that implements it. No MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB, custom crypto, or unsafe comparisons found in any modified files.
  • No-Sensitive-Data-In-Logs: Passed. TLS scanner job logs only configuration parameters, status messages, and artifact paths. No passwords, tokens, API keys, PII, or sensitive data are exposed.

@openshift-ci openshift-ci Bot requested review from jupierce and stbenjam May 27, 2026 13:26
@smith-xyz smith-xyz force-pushed the tls-scan-informing-job branch from bf162ad to ad4e440 May 27, 2026 13:33
@smith-xyz smith-xyz changed the title ci: tls-scanner informing on 4.22 payload ci: tls-scanner informing on 4.22 and 5.0 payload May 27, 2026
@smith-xyz smith-xyz force-pushed the tls-scan-informing-job branch from ad4e440 to 8ca9bbc May 27, 2026 13:42
@jupierce
Contributor

/lgtm

@openshift-ci openshift-ci Bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels May 27, 2026
@smith-xyz
Contributor Author

/pj-rehearse auto-ack

@openshift-merge-bot
Contributor

@smith-xyz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@richardsonnick
Contributor

This should be good.
This error is transient (? I think):

  * could not sort nodes
  * steps are missing dependencies
  * step src is missing dependencies: <&api.internalImageStreamTagLink{name:"pipeline", tag:"root", unsatisfiableError:""}>
  * step tls-scan is missing dependencies: <&api.internalImageStreamTagLink{name:"pipeline", tag:"src", unsatisfiableError:""}>

worth a rerun though.

@openshift-merge-bot
Contributor

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@smith-xyz
Contributor Author

/pj-rehearse abort

@openshift-merge-bot
Contributor

@smith-xyz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@smith-xyz
Contributor Author

/pj-rehearse periodic-ci-openshift-release-main-nightly-4.22-tls-scan

@openshift-merge-bot
Contributor

@smith-xyz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@smith-xyz
Contributor Author

smith-xyz commented May 27, 2026

@richardsonnick see the error here - let me try to set this to cli instead

@smith-xyz smith-xyz force-pushed the tls-scan-informing-job branch from 8ca9bbc to e6928a7 May 27, 2026 18:24
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label May 27, 2026
@smith-xyz
Contributor Author

/pj-rehearse periodic-ci-openshift-release-main-nightly-4.22-tls-scan

@openshift-merge-bot
Contributor

@smith-xyz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@smith-xyz smith-xyz force-pushed the tls-scan-informing-job branch from e6928a7 to e3c509e May 27, 2026 19:52
@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@smith-xyz: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Affected rehearsable tests (test name, repo, type, reason):

  • pull-ci-openshift-cincinnati-operator-master-install-bundle-tls-scan (openshift/cincinnati-operator, presubmit): Registry content changed
  • pull-ci-openshift-insights-operator-master-tls-scanner (openshift/insights-operator, presubmit): Registry content changed
  • pull-ci-openshift-insights-operator-release-5.1-tls-scanner (openshift/insights-operator, presubmit): Registry content changed
  • pull-ci-openshift-insights-operator-release-5.0-tls-scanner (openshift/insights-operator, presubmit): Registry content changed
  • pull-ci-openshift-insights-operator-release-4.23-tls-scanner (openshift/insights-operator, presubmit): Registry content changed
  • pull-ci-openshift-insights-operator-release-4.22-tls-scanner (openshift/insights-operator, presubmit): Registry content changed
  • pull-ci-openshift-oadp-operator-oadp-1.6-4.22-tls-pqc-readiness (openshift/oadp-operator, presubmit): Registry content changed
  • pull-ci-openshift-oadp-operator-oadp-1.6-4.22-tls13-adherence (openshift/oadp-operator, presubmit): Registry content changed
  • pull-ci-openshift-oadp-operator-oadp-dev-4.22-tls-pqc-readiness (openshift/oadp-operator, presubmit): Registry content changed
  • pull-ci-openshift-oadp-operator-oadp-dev-4.22-tls13-adherence (openshift/oadp-operator, presubmit): Registry content changed
  • pull-ci-openshift-insights-runtime-extractor-main-tls-scanner (openshift/insights-runtime-extractor, presubmit): Registry content changed
  • pull-ci-openshift-insights-runtime-extractor-release-5.1-tls-scanner (openshift/insights-runtime-extractor, presubmit): Registry content changed
  • pull-ci-openshift-insights-runtime-extractor-release-5.0-tls-scanner (openshift/insights-runtime-extractor, presubmit): Registry content changed
  • pull-ci-openshift-insights-runtime-extractor-release-4.23-tls-scanner (openshift/insights-runtime-extractor, presubmit): Registry content changed
  • pull-ci-openshift-insights-runtime-extractor-release-4.22-tls-scanner (openshift/insights-runtime-extractor, presubmit): Registry content changed
  • pull-ci-openshift-tls-scanner-main-smoke-tls (openshift/tls-scanner, presubmit): Registry content changed
  • pull-ci-openshift-tls-scanner-release-5.1-default-tls (openshift/tls-scanner, presubmit): Registry content changed
  • pull-ci-openshift-tls-scanner-release-5.1-default-pqc-readiness (openshift/tls-scanner, presubmit): Registry content changed
  • pull-ci-openshift-tls-scanner-release-5.1-tls13-adherence (openshift/tls-scanner, presubmit): Registry content changed
  • pull-ci-openshift-tls-scanner-release-5.1-tls13-pqc-readiness (openshift/tls-scanner, presubmit): Registry content changed
  • pull-ci-openshift-tls-scanner-release-5.0-default-tls (openshift/tls-scanner, presubmit): Registry content changed
  • pull-ci-openshift-tls-scanner-release-5.0-default-pqc-readiness (openshift/tls-scanner, presubmit): Registry content changed
  • pull-ci-openshift-tls-scanner-release-5.0-tls13-adherence (openshift/tls-scanner, presubmit): Registry content changed
  • pull-ci-openshift-tls-scanner-release-5.0-tls13-pqc-readiness (openshift/tls-scanner, presubmit): Registry content changed
  • pull-ci-openshift-tls-scanner-release-4.23-default-tls (openshift/tls-scanner, presubmit): Registry content changed

A total of 632 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@smith-xyz
Contributor Author

/pj-rehearse periodic-ci-openshift-release-main-nightly-4.22-tls-scan

@openshift-merge-bot
Contributor

@smith-xyz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@smith-xyz
Contributor Author

/pj-rehearse periodic-ci-openshift-release-main-nightly-5.0-tls-scan

@openshift-merge-bot
Contributor

@smith-xyz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci
Contributor

openshift-ci Bot commented May 28, 2026

@smith-xyz: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • ci/rehearse/periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ovn-two-node-fencing-ipv6-recovery (commit 8ca9bbc, required: unknown); rerun with: /pj-rehearse periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ovn-two-node-fencing-ipv6-recovery

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jupierce
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 28, 2026
@smith-xyz
Contributor Author

/pj-rehearse ack

@openshift-merge-bot
Contributor

@smith-xyz: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 28, 2026
@richardsonnick
Contributor

/lgtm

@openshift-ci
Contributor

openshift-ci Bot commented May 28, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jupierce, richardsonnick, smith-xyz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit 14bcaab into openshift:main May 28, 2026
22 checks passed

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • lgtm: Indicates that a PR is ready to be merged.
  • rehearsals-ack: Signifies that rehearsal jobs have been acknowledged.
