Add TLS Scanner Component by richardsonnick · Pull Request #71526 · openshift/release

richardsonnick · 2025-11-18T21:00:30Z

Adds a CI step that runs the OpenShift tls scanner against either a default openshift or one configured to use minVersionTLS 13. Produces a csv in the prow artifacts that details minVersionTLS and ciphersuite compliance against the apiserver CRD.

Complete cluster scans take ~3 hours. This time can be reduced via the namespace filter.

openshift-ci · 2025-11-18T21:00:35Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

richardsonnick · 2025-11-18T21:00:49Z

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

openshift-ci-robot · 2025-11-18T21:00:52Z

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci-robot · 2025-11-18T21:04:05Z

@richardsonnick, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

couldn't prepare candidate: couldn't checkout pull request: error fetching "pull/71526/head": exit status 128 remote: Internal Server Error
fatal: unable to access 'https://github.com/openshift/release/': The requested URL returned error: 500

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

openshift-ci-robot · 2025-11-18T21:06:01Z

@richardsonnick, pj-rehearse: unable prepare a candidate for rehearsal; rehearsals will not be run. This could be due to a branch that needs to be rebased. ERROR:

couldn't checkout pull request: error fetching "pull/71526/head": exit status 128 remote: Internal Server Error
fatal: unable to access 'https://github.com/openshift/release/': The requested URL returned error: 500

richardsonnick · 2025-11-18T22:28:22Z

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

openshift-ci-robot · 2025-11-18T22:28:24Z

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

richardsonnick · 2025-11-18T23:25:01Z

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

openshift-ci-robot · 2025-11-18T23:25:03Z

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

richardsonnick · 2025-11-19T01:57:09Z

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

openshift-ci-robot · 2025-11-19T01:57:11Z

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

richardsonnick · 2025-11-19T03:39:48Z

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

openshift-ci-robot · 2025-11-19T03:39:51Z

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

richardsonnick · 2025-11-19T14:28:17Z

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

openshift-ci-robot · 2025-11-19T14:28:19Z

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci-robot · 2025-11-19T14:32:04Z

@richardsonnick, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

could not load configuration from base revision of release repo: could not checkout worktree: '[git checkout 0aab2ee1881b287a06f7ab42f170e08d853fb191]' failed with out:  and error exec: Stdout already set

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

richardsonnick · 2025-11-19T14:33:37Z

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

openshift-ci-robot · 2025-11-19T14:33:40Z

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

richardsonnick · 2025-11-19T15:08:13Z

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

openshift-ci-robot · 2025-11-19T15:08:16Z

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

richardsonnick · 2025-11-19T19:38:08Z

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

openshift-ci-robot · 2025-11-19T19:38:11Z

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

richardsonnick · 2025-11-20T01:39:43Z

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

openshift-ci-robot · 2025-11-20T01:39:46Z

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

richardsonnick · 2025-11-20T15:46:00Z

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

openshift-ci-robot · 2025-11-20T15:46:03Z

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

richardsonnick · 2025-11-20T17:01:12Z

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

openshift-ci-robot · 2025-11-20T17:01:14Z

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci · 2026-02-03T14:51:54Z

New changes are detected. LGTM label has been removed.

joelanford · 2026-02-03T19:38:36Z

Looks like a make jobs call is needed to clear the generated-config failure?

richardsonnick · 2026-02-03T20:51:47Z

/retest

openshift-ci-robot · 2026-02-03T20:52:20Z

[REHEARSALNOTIFIER]
@richardsonnick: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-tls-scanner-main-default-tls	openshift/tls-scanner	presubmit	Presubmit changed
pull-ci-openshift-tls-scanner-main-images	openshift/tls-scanner	presubmit	Presubmit changed
pull-ci-openshift-tls-scanner-main-tls13-conformance	openshift/tls-scanner	presubmit	Presubmit changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

rhmdnd · 2026-02-04T18:06:55Z

What will the 4.22 periodic job names look like?

Naming is hard, but we could do:

Feature = tls-conformance
Test purpose = pqc or pqc-readiness

So something like:

periodic-ci-openshift-tls-scanner-release-4.22-amd64-nightly-aws-tls-conformance-f7-pqc-readiness

Would something like that make sense?

rhmdnd · 2026-02-04T19:19:41Z

To summarize the discussion regarding periodic job names. We have two options.

Have a single unified job for PQC-readiness and TLS conformance
Have two jobs, one for PQC-readiness and another for TLS conformance

The first option will be cheaper in that we get two signals in one job.

Potential names for the first option:

periodic-ci-openshift-release-master-nightly-4.22-tls-conformance-pqc-readiness

Potential names for the second option:

periodic-ci-openshift-release-master-nightly-4.22-tls-conformance
periodic-ci-openshift-release-master-nightly-4.22-pqc-readiness

Stashing these recommendations here for future reference when we go to add those jobs.

deepsm007 · 2026-02-05T15:24:38Z

/pj-rehearse auto-ack

deepsm007 · 2026-02-05T15:24:54Z

/lgtm

richardsonnick · 2026-02-05T16:17:55Z

/assign @jupierce

jupierce · 2026-02-05T16:32:12Z

/lgtm

openshift-ci · 2026-02-05T16:34:59Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deepsm007, jupierce, rhmdnd, richardsonnick

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

richardsonnick · 2026-02-05T16:40:06Z

/pj-rehearse

openshift-ci-robot · 2026-02-05T16:40:09Z

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci · 2026-02-05T23:38:21Z

@richardsonnick: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/openshift/tls-scanner/main/scanner-tls13-conformance	`01277b7`	link	unknown	`/pj-rehearse pull-ci-openshift-tls-scanner-main-scanner-tls13-conformance`
ci/rehearse/openshift/tls-scanner/main/tls13-conformance	`a252d97`	link	unknown	`/pj-rehearse pull-ci-openshift-tls-scanner-main-tls13-conformance`
ci/rehearse/openshift/tls-scanner/main/default-tls	`a252d97`	link	unknown	`/pj-rehearse pull-ci-openshift-tls-scanner-main-default-tls`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

richardsonnick · 2026-02-06T15:56:36Z

/pj-rehearse ack

openshift-ci-robot · 2026-02-06T15:56:40Z

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci · 2026-02-06T16:30:46Z

@richardsonnick: Updated the following 2 configmaps:

plugins configmap in namespace ci at cluster app.ci using the following files:
- key core-services-prow-02_config-openshift-tls-scanner-_pluginconfig.yaml using file core-services/prow/02_config/openshift/tls-scanner/_pluginconfig.yaml
config configmap in namespace ci at cluster app.ci using the following files:
- key core-services-prow-02_config-openshift-tls-scanner-_prowconfig.yaml using file core-services/prow/02_config/openshift/tls-scanner/_prowconfig.yaml

Details

In response to this:

Adds a CI step that runs the OpenShift tls scanner against either a default openshift or one configured to use minVersionTLS 13. Produces a csv in the prow artifacts that details minVersionTLS and ciphersuite compliance against the apiserver CRD.

Complete cluster scans take ~3 hours. This time can be reduced via the namespace filter.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

* Add tls-scanner step registry for scanning TLS configurations * Add CI configuration for openshift/tls-scanner repository * Add OWNERS files for tls step registry directories * Add pqc-readiness informing job for TLS 1.3 scanning * Mark pqc-readiness job as optional * make release-controllers * Use openshift 4.22 * Rename pqc-readiness to post-quantum-crypto-readiness * Remove post-quantum crypto readiness job and related configurations from nightly 4.21 release files. * [Attempt] Add xml junit output for spyglass * Reformat workflow name to be less redundant * make jobs

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 18, 2025

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 18, 2025

openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Feb 3, 2026

Merge branch 'openshift:master' into master

335d831

make jobs

a252d97

richardsonnick requested review from dgoodwin and rhmdnd February 5, 2026 15:17

jupierce added the lgtm Indicates that a PR is ready to be merged. label Feb 5, 2026

openshift-ci bot assigned jupierce Feb 5, 2026

openshift-ci-robot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Feb 6, 2026

openshift-merge-bot bot merged commit 7ee0a3e into openshift:master Feb 6, 2026
21 of 23 checks passed

Comments

Conversation

richardsonnick commented Nov 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci bot commented Nov 18, 2025

Uh oh!

richardsonnick commented Nov 18, 2025

Uh oh!

openshift-ci-robot commented Nov 18, 2025

Uh oh!

openshift-ci-robot commented Nov 18, 2025

Uh oh!

openshift-ci-robot commented Nov 18, 2025

Uh oh!

richardsonnick commented Nov 18, 2025

Uh oh!

openshift-ci-robot commented Nov 18, 2025

Uh oh!

richardsonnick commented Nov 18, 2025

Uh oh!

openshift-ci-robot commented Nov 18, 2025

Uh oh!

richardsonnick commented Nov 19, 2025

Uh oh!

openshift-ci-robot commented Nov 19, 2025

Uh oh!

richardsonnick commented Nov 19, 2025

Uh oh!

openshift-ci-robot commented Nov 19, 2025

Uh oh!

richardsonnick commented Nov 19, 2025

Uh oh!

openshift-ci-robot commented Nov 19, 2025

Uh oh!

openshift-ci-robot commented Nov 19, 2025

Uh oh!

richardsonnick commented Nov 19, 2025

Uh oh!

openshift-ci-robot commented Nov 19, 2025

Uh oh!

richardsonnick commented Nov 19, 2025

Uh oh!

openshift-ci-robot commented Nov 19, 2025

Uh oh!

richardsonnick commented Nov 19, 2025

Uh oh!

openshift-ci-robot commented Nov 19, 2025

Uh oh!

richardsonnick commented Nov 20, 2025

Uh oh!

openshift-ci-robot commented Nov 20, 2025

Uh oh!

richardsonnick commented Nov 20, 2025

Uh oh!

openshift-ci-robot commented Nov 20, 2025

Uh oh!

richardsonnick commented Nov 20, 2025

Uh oh!

openshift-ci-robot commented Nov 20, 2025

Uh oh!

openshift-ci bot commented Feb 3, 2026

Uh oh!

joelanford commented Feb 3, 2026

Uh oh!

richardsonnick commented Feb 3, 2026

Uh oh!

openshift-ci-robot commented Feb 3, 2026

Uh oh!

rhmdnd commented Feb 4, 2026

Uh oh!

rhmdnd commented Feb 4, 2026

Uh oh!

deepsm007 commented Feb 5, 2026

Uh oh!

deepsm007 commented Feb 5, 2026

Uh oh!

richardsonnick commented Feb 5, 2026

Uh oh!

jupierce commented Feb 5, 2026

richardsonnick commented Nov 18, 2025 •

edited

Loading