WINC-1938: [wmco] Add tls scanner job#79785

Merged
openshift-merge-bot[bot] merged 2 commits into
openshift:mainfrom
mansikulkarni96:tls_scanner
May 29, 2026

Conversation

@mansikulkarni96
Member

@mansikulkarni96 mansikulkarni96 commented May 27, 2026

Summary by CodeRabbit

This PR updates the OpenShift CI configuration in openshift/release for the Windows Machine Config Operator (WMCO) by adding a TLS scanner job and a corresponding base image used by that job.

What changed in practical terms:

  • Added a new base_images entry tls-scanner-tool (name: "5.0", namespace: ocp, tag: tls-scanner-tool) used by WMCO CI.
  • Added a new optional CI test job (as: tls-scanner):
    • optional / not always running (always_run: false, optional: true)
    • runs on the AWS cluster profile (cluster_profile: openshift-org-aws)
    • environment variables set for cluster sizing and scope: COMPUTE_NODE_REPLICAS="1", CONTROL_PLANE_REPLICAS="1", COMPUTE_NODE_TYPE="m5.2xlarge", SCAN_NAMESPACE=openshift-windows-machine-config-operator
    • test refs invoked: openshift-windows-install-wmco and tls-scanner-run
    • workflow: ipi-aws-ovn-hybrid

Impact:

  • Introduces a selective TLS validation scan into WMCO’s CI pipeline without affecting existing mandatory jobs. The job is optional and targets AWS, so it can be used for targeted TLS scanning runs (rehearsals/periodics) without changing default PR gating.
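The job described in the summary above, laid out in the ci-operator config schema. This is a reconstruction from the summary, not the PR's own diff (which this page does not show); the field layout (steps, env, test refs, workflow) follows the ci-operator `tests` schema and every value is taken from the bullets above:

```yaml
# Reconstructed from the PR summary; not copied from the PR diff.
base_images:
  tls-scanner-tool:
    name: "5.0"
    namespace: ocp
    tag: tls-scanner-tool
tests:
- as: tls-scanner
  always_run: false   # only runs when triggered explicitly (e.g. /test or /pj-rehearse)
  optional: true      # a failing run does not block merge
  steps:
    cluster_profile: openshift-org-aws
    env:
      COMPUTE_NODE_REPLICAS: "1"
      COMPUTE_NODE_TYPE: m5.2xlarge
      CONTROL_PLANE_REPLICAS: "1"
      SCAN_NAMESPACE: openshift-windows-machine-config-operator
    test:
    - ref: openshift-windows-install-wmco   # install the operator first
    - ref: tls-scanner-run                  # then scan the namespace in SCAN_NAMESPACE
    workflow: ipi-aws-ovn-hybrid
```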

@openshift-ci-robot
Contributor

openshift-ci-robot commented May 27, 2026

@mansikulkarni96: This pull request references WINC-1938 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 27, 2026
@coderabbitai
Contributor

coderabbitai Bot commented May 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: cb4ab082-99b2-4899-a856-8c0fc6f8ab4a

📥 Commits

Reviewing files that changed from the base of the PR and between 61952c0 and 0b4e4cc.

📒 Files selected for processing (1)
  • ci-operator/config/openshift/windows-machine-config-operator/openshift-windows-machine-config-operator-master.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • ci-operator/config/openshift/windows-machine-config-operator/openshift-windows-machine-config-operator-master.yaml

Walkthrough

Adds a base_images.tls-scanner-tool image entry and an optional tls-scanner CI test job to the Windows Machine Config Operator ci-operator config; the job targets openshift-org-aws, sets COMPUTE_NODE_REPLICAS and CONTROL_PLANE_REPLICAS to "1", sets SCAN_NAMESPACE, and runs openshift-windows-install-wmco and tls-scanner-run via the ipi-aws-ovn-hybrid workflow.

Changes

CI Configuration: base image + test job

| Layer | File(s) | Summary |
| --- | --- | --- |
| Base image entry | ci-operator/config/openshift/windows-machine-config-operator/openshift-windows-machine-config-operator-master.yaml | Adds base_images.tls-scanner-tool (name: "5.0", namespace: ocp, tag: tls-scanner-tool). |
| TLS scanner test job | ci-operator/config/openshift/windows-machine-config-operator/openshift-windows-machine-config-operator-master.yaml | Adds an optional tests[].as: tls-scanner job (always_run: false, optional: true) for openshift-org-aws, sets COMPUTE_NODE_REPLICAS: "1", CONTROL_PLANE_REPLICAS: "1", COMPUTE_NODE_TYPE: m5.2xlarge, SCAN_NAMESPACE: openshift-windows-machine-config-operator, references openshift-windows-install-wmco and tls-scanner-run, and uses the ipi-aws-ovn-hybrid workflow. |

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs:

  • openshift/release#79807: Also adds new base_images entries in ci-operator YAMLs (similar image-config change).
  • openshift/release#79758: Adds the same tls-scanner-tool base image and TLS scanner CI wiring in a different ci-operator scope.

Suggested labels:
lgtm, rehearsals-ack

Suggested reviewers:

  • stbenjam

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| No-Sensitive-Data-In-Logs | ❌ Error | The openshift-windows-install-wmco-commands.sh script added in this PR logs the WMCO_INDEX_IMAGE env var at line 13, which could expose sensitive data like registry credentials or internal hostnames. | Remove or sanitize logging of WMCO_INDEX_IMAGE; log only non-sensitive metadata like "Using dynamically fetched WMCO index image (length: XX)". |
✅ Passed checks (14 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding a TLS scanner CI job to the Windows Machine Config Operator configuration. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR modifies CI configuration YAML and shell scripts only; no Ginkgo test code with test titles is present in the changes. |
| Test Structure And Quality | ✅ Passed | PR modifies only CI configuration YAML file, not Ginkgo test code. The custom check for Ginkgo test structure is not applicable to CI configuration files. |
| Microshift Test Compatibility | ✅ Passed | PR adds CI infrastructure scripts and config, not new Ginkgo e2e tests. The tls-scanner-run and openshift-windows-install-wmco are shell scripts, not Ginkgo test definitions. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR adds CI configuration changes only; no new Ginkgo e2e tests. The tls-scanner job uses shell scripts for operator installation and TLS scanning, not Ginkgo tests. Check not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | File is a ci-operator CI/CD configuration, not a deployment manifest or operator code. Custom check applies only to deployment manifests, operator code, or controllers being added/modified. |
| Ote Binary Stdout Contract | ✅ Passed | PR adds CI configuration and bash workflow scripts, not OTE test binaries. Bash scripts appropriately log to stdout as CI steps, which doesn't violate the OTE contract that applies only to Go test code. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR adds CI job configuration and TLS scanning script, not Ginkgo e2e tests. Custom check applies only to new Ginkgo tests, so it does not apply here. |
| No-Weak-Crypto | ✅ Passed | PR adds CI configuration for TLS security scanning tool; no weak crypto implementations (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) or insecure patterns detected in YAML configuration file. |
| Container-Privileges | ✅ Passed | The tls-scanner job added in this CI configuration contains no container privilege escalation settings (privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation). |

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 27, 2026
@openshift-ci openshift-ci Bot requested review from deepsm007 and jrvaldes May 27, 2026 19:36
@mansikulkarni96
Member Author

/pj-rehearse pull-ci-openshift-windows-machine-config-operator-master-tls-scanner

@openshift-merge-bot
Contributor

@mansikulkarni96: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@coderabbitai
Contributor

coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0

@mansikulkarni96
Member Author

/pj-rehearse pull-ci-openshift-windows-machine-config-operator-master-tls-scanner

@openshift-merge-bot
Contributor

@mansikulkarni96: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift/windows-machine-config-operator/openshift-windows-machine-config-operator-master.yaml`:
- Around line 392-404: This change adds a new optional test job (as:
tls-scanner) with refs openshift-windows-install-wmco and tls-scanner-run and
workflow ipi-aws-ovn-hybrid; run make update from the repository root to
regenerate the ProwJob specs under ci-operator/jobs/, commit the updated
generated YAMLs so the new tls-scanner job is reflected in the prow job outputs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 96757000-c87a-4fcb-9ae4-6a668519f562

📥 Commits

Reviewing files that changed from the base of the PR and between b8bbb82 and 61952c0.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/windows-machine-config-operator/openshift-windows-machine-config-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/openshift/windows-machine-config-operator/openshift-windows-machine-config-operator-master.yaml

@mansikulkarni96
Member Author

/pj-rehearse pull-ci-openshift-windows-machine-config-operator-master-tls-scanner

@openshift-merge-bot
Contributor

@mansikulkarni96: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@mansikulkarni96: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
| --- | --- | --- | --- |
| pull-ci-openshift-windows-machine-config-operator-master-tls-scanner | openshift/windows-machine-config-operator | presubmit | Presubmit changed |
| pull-ci-openshift-windows-machine-config-operator-master-aws-e2e-operator | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-windows-machine-config-operator-master-azure-e2e-operator | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-windows-machine-config-operator-master-azure-e2e-upgrade | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-windows-machine-config-operator-master-ci-bundle-wmco-bundle | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-windows-machine-config-operator-master-gcp-e2e-operator | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-windows-machine-config-operator-master-images | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-windows-machine-config-operator-master-lint | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-windows-machine-config-operator-master-nutanix-e2e-operator | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-windows-machine-config-operator-master-platform-none-vsphere-e2e-operator | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-windows-machine-config-operator-master-security | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-windows-machine-config-operator-master-unit | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-windows-machine-config-operator-master-vsphere-disconnected-e2e-operator | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-windows-machine-config-operator-master-vsphere-e2e-operator | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-windows-machine-config-operator-master-vsphere-proxy-e2e-operator | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-windows-machine-config-operator-master-wicd-unit-vsphere | openshift/windows-machine-config-operator | presubmit | Ci-operator config changed |
| periodic-ci-openshift-windows-machine-config-operator-master-vsphere-e2e-operator-2025 | N/A | periodic | Ci-operator config changed |
| periodic-ci-openshift-windows-machine-config-operator-master-vsphere-e2e-operator-fips | N/A | periodic | Ci-operator config changed |
| periodic-ci-openshift-windows-machine-config-operator-master-aws-e2e-olmv1-install | N/A | periodic | Ci-operator config changed |
| periodic-ci-openshift-windows-machine-config-operator-master-aws-e2e-operator-windows-server-2025 | N/A | periodic | Ci-operator config changed |
| periodic-ci-openshift-windows-machine-config-operator-master-gcp-e2e-operator-2025 | N/A | periodic | Ci-operator config changed |
| periodic-ci-openshift-windows-machine-config-operator-master-vsphere-e2e-ccm-install | N/A | periodic | Ci-operator config changed |

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@mansikulkarni96
Member Author

/test ci/prow/yamllint

@mansikulkarni96
Member Author

/test yamllint

@jrvaldes
Contributor

In the job logs I am seeing a "Connection refused" message; does it mean the job failed?

 rDNS (10.0.12.200):     ip-10-0-12-200.us-west-1.compute.internal.bash: connect: Connection refused
bash: line 1: /dev/tcp/10.0.12.200/22623: Connection refused
 Oops: TCP connect problem

Unable to open a socket to 10.0.12.200:22623. 
Fatal error: Can't connect to "10.0.12.200:22623"
Make sure a firewall is not between you and your scanning target!

https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_release/79785/rehearse-79785-pull-ci-openshift-windows-machine-config-operator-master-tls-scanner/2060151779881914368/artifacts/tls-scanner/tls-scanner-run/build-log.txt

@mansikulkarni96
Member Author

mansikulkarni96 commented May 29, 2026

@jrvaldes thanks, I'll see to fix that. Not sure if it's required though, as the operator was installed.
The job did not fail. It generated the output we need to verify all TLS versions used and ports secured.
Here is the log we need, specifically the results.csv: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_release/79785/rehearse-79785-pull-ci-openshift-windows-machine-config-operator-master-tls-scanner/2060151779881914368/artifacts/tls-scanner/tls-scanner-run/artifacts/tls-scanner/
Here is a doc on how to read the results.csv file: https://github.com/openshift/tls-scanner#status-categories

@jrvaldes
Contributor

@jrvaldes thanks, I'll see to fix that. Not sure if it's required though, as the operator was installed. The job did not fail. It generated the output we need to verify all TLS versions used and ports secured. Here is the log we need, specifically the results.csv: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_release/79785/rehearse-79785-pull-ci-openshift-windows-machine-config-operator-master-tls-scanner/2060151779881914368/artifacts/tls-scanner/tls-scanner-run/artifacts/tls-scanner/ Here is a doc on how to read the results.csv file: https://github.com/openshift/tls-scanner#status-categories

understood, thanks for the explanation.

@jrvaldes
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 29, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 29, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jrvaldes, mansikulkarni96

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jrvaldes
Contributor

/pj-rehearse ack

@openshift-merge-bot
Contributor

@jrvaldes: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 29, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 29, 2026

@mansikulkarni96: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 4fe9a1a into openshift:main May 29, 2026
17 checks passed