
chore(ci): yearly cert update #2639

Merged
dcaravel merged 1 commit into master from dc/cert-bump
Feb 3, 2026

Conversation

@dcaravel (Contributor) commented Feb 3, 2026

Updates the Scanner CI certs; this must be done 'yearly'.

Scanner OSCI jobs have been failing / timing out waiting for scanner pods to be ready; the pods will never become ready due to invalid certs (example):

{"Event":"Failed to open database.","Level":"error","Location":"database.go:81","Time":"2026-02-03 00:16:06.008333","error":"pgsql: could not open database: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2026-02-03T00:16:06Z is after 2025-12-18T18:58:00Z"}

The certs were updated by following the instructions in scripts/cert/README.md.

Additionally, the gen-cert.sh script was deleting the Konflux rpms.in.yaml and rpms.lock.yaml files in the root of the scanner repo; the script was adjusted to no longer delete those files.

Last time certs were updated was here: #1748

Those certs had the expiration:

$ cat chart/templates/mock-scanner-tls.yaml | yq -r '.data."cert.pem"' | base64 -d |  openssl x509 -text -noout | grep -i validity -A2
        Validity
            Not Before: Dec 18 18:58:00 2024 GMT
            Not After : Dec 18 18:58:00 2025 GMT

$ cat chart/templates/mock-scanner-db-tls.yaml | yq -r '.data."cert.pem"' | base64 -d |  openssl x509 -text -noout | grep -i validity -A2
        Validity
            Not Before: Dec 18 18:58:00 2024 GMT
            Not After : Dec 18 18:58:00 2025 GMT

The new certs have the following expirations:

$ cat chart/templates/mock-scanner-tls.yaml | yq -r '.data."cert.pem"' | base64 -d |  openssl x509 -text -noout | grep -i validity -A2
        Validity
            Not Before: Feb  3 02:02:00 2026 GMT
            Not After : Feb  3 02:02:00 2027 GMT

$ cat chart/templates/mock-scanner-db-tls.yaml | yq -r '.data."cert.pem"' | base64 -d |  openssl x509 -text -noout | grep -i validity -A2
        Validity
            Not Before: Feb  3 02:02:00 2026 GMT
            Not After : Feb  3 02:02:00 2027 GMT
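The description above extracts each cert from its Secret manifest and reads the Validity block by hand. The following is an added example (not code from this PR or from the Scanner repo) of the same check automated in Go, the language the failing pod log comes from: it generates a throwaway self-signed cert with the old validity window quoted above, wraps it in a constructed Secret manifest shaped like chart/templates/mock-scanner-tls.yaml, pulls data."cert.pem" back out, and classifies the cert against a reference time with a warning window. The manifest layout, the 30-day warning window and the helper names are assumptions; the dates are the ones from the PR. Run as a CI pre-check, it turns the silent "pods never ready" failure into an explicit "expired" / "expiring soon" result.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSignedCertPEM builds a throwaway self-signed cert with the given validity
// window so the example runs offline. This is NOT how the Scanner repo makes
// its certs (that is scripts/cert/gen-cert.sh); it only stands in for them.
func selfSignedCertPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// mockSecretManifest renders a constructed Secret with the cert under
// data."cert.pem", base64-encoded as kubectl/yq expect (assumed layout).
func mockSecretManifest(name string, certPEM []byte) string {
	return fmt.Sprintf("apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  cert.pem: %s\n",
		name, base64.StdEncoding.EncodeToString(certPEM))
}

// certFromSecretManifest pulls data."cert.pem" out of a Secret manifest and
// parses it. A line scan suffices here because the value is one base64 token;
// a real tool should use a YAML parser.
func certFromSecretManifest(manifest string) (*x509.Certificate, error) {
	for _, line := range strings.Split(manifest, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "cert.pem:") {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(strings.TrimPrefix(line, "cert.pem:")))
		if err != nil {
			return nil, fmt.Errorf("cert.pem is not valid base64: %w", err)
		}
		block, _ := pem.Decode(raw)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, errors.New("cert.pem does not contain a PEM CERTIFICATE block")
		}
		return x509.ParseCertificate(block.Bytes)
	}
	return nil, errors.New("no cert.pem key found in manifest")
}

// validityStatus classifies a cert against a reference time so a CI pre-check
// can fail loudly before the pods do. "expiring soon" fires within warnWithin.
func validityStatus(cert *x509.Certificate, now time.Time, warnWithin time.Duration) string {
	switch {
	case now.Before(cert.NotBefore):
		return "not yet valid"
	case now.After(cert.NotAfter):
		return "expired"
	case now.Add(warnWithin).After(cert.NotAfter):
		return "expiring soon"
	default:
		return "ok"
	}
}

func main() {
	// Validity window of the previous certs, as quoted in the PR description.
	notBefore := time.Date(2024, time.December, 18, 18, 58, 0, 0, time.UTC)
	notAfter := time.Date(2025, time.December, 18, 18, 58, 0, 0, time.UTC)
	certPEM, err := selfSignedCertPEM("mock-scanner", notBefore, notAfter)
	if err != nil {
		fmt.Println("generate:", err)
		return
	}
	cert, err := certFromSecretManifest(mockSecretManifest("mock-scanner-tls", certPEM))
	if err != nil {
		fmt.Println("parse:", err)
		return
	}
	fmt.Printf("Not Before: %s\nNot After : %s\n", cert.NotBefore.UTC(), cert.NotAfter.UTC())
	warn := 30 * 24 * time.Hour // assumed lead time for a yearly manual rotation
	for _, now := range []time.Time{
		time.Date(2025, time.June, 1, 0, 0, 0, 0, time.UTC),
		time.Date(2025, time.November, 20, 0, 0, 0, 0, time.UTC),
		time.Date(2026, time.February, 3, 0, 16, 6, 0, time.UTC), // time from the failing pod log
	} {
		fmt.Printf("%s -> %s\n", now.Format(time.RFC3339), validityStatus(cert, now, warn))
	}
}
```

Pointing certFromSecretManifest at the real chart templates and running validityStatus with time.Now() as a scheduled job would have flagged these certs as "expiring soon" in November, well before the December expiry that produced the x509 error in the log.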

@dcaravel dcaravel requested a review from a team as a code owner February 3, 2026 02:16
openshift-ci bot commented Feb 3, 2026

@dcaravel: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name          Commit   Details  Required  Rerun command
ci/prow/e2e-tests  605ab7f  link     false     /test e2e-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@dcaravel (Contributor, Author) commented Feb 3, 2026

Latest test failure is a good thing; it shows tests are now running but failed due to data changes. Going to merge this one and create another PR for updating the individual failing test.

@dcaravel dcaravel merged commit 0896365 into master Feb 3, 2026
38 of 39 checks passed
@dcaravel dcaravel deleted the dc/cert-bump branch February 3, 2026 16:14
dcaravel added a commit that referenced this pull request Feb 4, 2026
dcaravel added a commit that referenced this pull request Feb 6, 2026
dcaravel added a commit that referenced this pull request Feb 6, 2026