
Add TLS Scanner Component#71526

Merged
openshift-merge-bot[bot] merged 16 commits into openshift:master from richardsonnick:master
Feb 6, 2026

Conversation

@richardsonnick
Contributor

@richardsonnick richardsonnick commented Nov 18, 2025

Adds a CI step that runs the OpenShift TLS scanner against either a default OpenShift cluster or one configured to use minVersionTLS 13. Produces a CSV in the prow artifacts that details minVersionTLS and cipher-suite compliance against the apiserver CRD.

Complete cluster scans take ~3 hours. This time can be reduced via the namespace filter.
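
What the CSV this job produces has to capture, as an added example in Go (not code from openshift/tls-scanner or from this PR): for each endpoint, probe a handshake pinned to every TLS version, keep the lowest version the endpoint accepts and every cipher suite it negotiates, and score both against a policy. The policy values (a TLS 1.3 floor plus the three TLS 1.3 suites), the CSV column names, and the two throwaway localhost listeners that stand in for a default cluster and for one configured for TLS 1.3 only are all assumptions made for the example; the real job reads its profile from the apiserver resource and scans cluster endpoints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/csv"
	"fmt"
	"math/big"
	"net"
	"os"
	"strings"
	"time"
)

// Policy is the check: a protocol-version floor plus an allow-list of cipher suites.
type Policy struct {
	MinVersion uint16
	Suites     map[uint16]bool
}

// tls13Policy is an assumed stand-in for the apiserver profile the job reads: TLS 1.3 only.
var tls13Policy = Policy{MinVersion: tls.VersionTLS13, Suites: map[uint16]bool{tls.TLS_AES_128_GCM_SHA256: true,
	tls.TLS_AES_256_GCM_SHA384: true, tls.TLS_CHACHA20_POLY1305_SHA256: true}}

// Result is one scanned endpoint; MinVersion is the lowest version it negotiated (0 when none did).
type Result struct {
	Endpoint, Reason string
	MinVersion       uint16
	Suites           []string
	Compliant        bool
}

// row is the CSV record for the prow artifact (column names are assumed).
func (r Result) row() []string {
	return []string{r.Endpoint, tls.VersionName(r.MinVersion), strings.Join(r.Suites, ";"), fmt.Sprint(r.Compliant), r.Reason}
}

// probe pins a handshake to one protocol version. Verification is skipped on
// purpose: the scan measures handshake parameters, not endpoint identity.
func probe(addr string, v uint16) (uint16, bool) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 2 * time.Second}, "tcp", addr,
		&tls.Config{MinVersion: v, MaxVersion: v, InsecureSkipVerify: true})
	if err != nil {
		return 0, false
	}
	defer conn.Close()
	return conn.ConnectionState().CipherSuite, true
}

// scan probes newest to oldest, so the last success is the effective minimum; every
// suite outside the allow-list and a minimum below the floor are recorded as reasons.
func scan(addr string, p Policy) Result {
	r := Result{Endpoint: addr}
	var why []string
	for _, v := range []uint16{tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS11, tls.VersionTLS10} {
		suite, ok := probe(addr, v)
		if !ok {
			continue
		}
		r.MinVersion = v
		r.Suites = append(r.Suites, tls.CipherSuiteName(suite))
		if !p.Suites[suite] {
			why = append(why, "disallowed suite "+tls.CipherSuiteName(suite))
		}
	}
	if r.MinVersion == 0 {
		why = append(why, "no TLS handshake succeeded")
	} else if r.MinVersion < p.MinVersion {
		why = append(why, fmt.Sprintf("accepts %s, policy minimum is %s", tls.VersionName(r.MinVersion), tls.VersionName(p.MinVersion)))
	}
	r.Reason, r.Compliant = strings.Join(why, "; "), len(why) == 0
	return r
}

// startServer runs a throwaway localhost TLS listener with an ephemeral self-signed ECDSA cert,
// a constructed stand-in for a cluster endpoint; one fixed TLS 1.2 suite keeps results deterministic.
func startServer(minVersion uint16) (addr string, stop func()) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "scan-target"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{MinVersion: minVersion,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}})
	if err != nil {
		panic(err)
	}
	go func() { // the first Read drives the handshake; the conn is closed once the client hangs up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.Read(make([]byte, 1)); c.Close() }(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// main scans a default-cluster stand-in (TLS 1.2 floor) and a TLS-1.3-only stand-in
// against the TLS 1.3 policy and prints the CSV.
func main() {
	lax, _ := startServer(tls.VersionTLS12)
	strict, _ := startServer(tls.VersionTLS13)
	cw := csv.NewWriter(os.Stdout)
	cw.Write([]string{"endpoint", "min_tls_version", "cipher_suites", "compliant", "reason"})
	cw.Write(scan(lax, tls13Policy).row())
	cw.Write(scan(strict, tls13Policy).row())
	cw.Flush()
}
```

`go run` prints two rows: the TLS 1.2-floor listener fails with both a disallowed-suite reason and a minimum-version reason, the TLS 1.3-only listener passes. Probing each version separately rather than letting the client negotiate is what makes the "effective minimum" column honest; a single default handshake would only ever show the newest version. InsecureSkipVerify is appropriate for a parameter scan but must not be copied into a real client.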

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 18, 2025
@openshift-ci
Contributor

openshift-ci bot commented Nov 18, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@richardsonnick
Contributor Author

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

@openshift-ci-robot
Contributor

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci-robot
Contributor

@richardsonnick, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

couldn't prepare candidate: couldn't checkout pull request: error fetching "pull/71526/head": exit status 128 remote: Internal Server Error
fatal: unable to access 'https://github.com/openshift/release/': The requested URL returned error: 500

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@openshift-ci-robot
Contributor

@richardsonnick, pj-rehearse: unable to prepare a candidate for rehearsal; rehearsals will not be run. This could be due to a branch that needs to be rebased. ERROR:

couldn't checkout pull request: error fetching "pull/71526/head": exit status 128 remote: Internal Server Error
fatal: unable to access 'https://github.com/openshift/release/': The requested URL returned error: 500

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 18, 2025
@richardsonnick
Contributor Author

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

@openshift-ci-robot
Contributor

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci-robot
Contributor

@richardsonnick, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

could not load configuration from base revision of release repo: could not checkout worktree: '[git checkout 0aab2ee1881b287a06f7ab42f170e08d853fb191]' failed with out:  and error exec: Stdout already set

@richardsonnick
Contributor Author

/pj-rehearse pull-ci-openshift-tls-scanner-main-run-scanner-on-cluster

@openshift-ci-robot
Contributor

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Feb 3, 2026
@openshift-ci
Contributor

openshift-ci bot commented Feb 3, 2026

New changes are detected. LGTM label has been removed.

@joelanford
Member

Looks like a make jobs call is needed to clear the generated-config failure?

@richardsonnick
Contributor Author

/retest

@openshift-ci-robot
Contributor

[REHEARSALNOTIFIER]
@richardsonnick: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name                                             Repo                   Type       Reason
pull-ci-openshift-tls-scanner-main-default-tls        openshift/tls-scanner  presubmit  Presubmit changed
pull-ci-openshift-tls-scanner-main-images             openshift/tls-scanner  presubmit  Presubmit changed
pull-ci-openshift-tls-scanner-main-tls13-conformance  openshift/tls-scanner  presubmit  Presubmit changed

@rhmdnd
Contributor

rhmdnd commented Feb 4, 2026

What will the 4.22 periodic job names look like?

Naming is hard, but we could do:

Feature = tls-conformance
Test purpose = pqc or pqc-readiness

So something like:

periodic-ci-openshift-tls-scanner-release-4.22-amd64-nightly-aws-tls-conformance-f7-pqc-readiness

Would something like that make sense?

@rhmdnd
Contributor

rhmdnd commented Feb 4, 2026

To summarize the discussion regarding periodic job names. We have two options.

  1. Have a single unified job for PQC-readiness and TLS conformance
  2. Have two jobs, one for PQC-readiness and another for TLS conformance

The first option will be cheaper in that we get two signals in one job.

Potential names for the first option:

periodic-ci-openshift-release-master-nightly-4.22-tls-conformance-pqc-readiness

Potential names for the second option:

periodic-ci-openshift-release-master-nightly-4.22-tls-conformance
periodic-ci-openshift-release-master-nightly-4.22-pqc-readiness

Stashing these recommendations here for future reference when we go to add those jobs.

@deepsm007
Contributor

/pj-rehearse auto-ack

@deepsm007
Contributor

/lgtm

@richardsonnick
Contributor Author

/assign @jupierce

@jupierce
Contributor

jupierce commented Feb 5, 2026

/lgtm

@jupierce jupierce added the lgtm Indicates that a PR is ready to be merged. label Feb 5, 2026
@openshift-ci
Contributor

openshift-ci bot commented Feb 5, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deepsm007, jupierce, rhmdnd, richardsonnick

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@richardsonnick
Contributor Author

/pj-rehearse

@openshift-ci-robot
Contributor

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci
Contributor

openshift-ci bot commented Feb 5, 2026

@richardsonnick: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                                          Commit   Details  Required  Rerun command
ci/rehearse/openshift/tls-scanner/main/scanner-tls13-conformance   01277b7  link     unknown   /pj-rehearse pull-ci-openshift-tls-scanner-main-scanner-tls13-conformance
ci/rehearse/openshift/tls-scanner/main/tls13-conformance           a252d97  link     unknown   /pj-rehearse pull-ci-openshift-tls-scanner-main-tls13-conformance
ci/rehearse/openshift/tls-scanner/main/default-tls                 a252d97  link     unknown   /pj-rehearse pull-ci-openshift-tls-scanner-main-default-tls

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@richardsonnick
Contributor Author

/pj-rehearse ack

@openshift-ci-robot
Contributor

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci-robot openshift-ci-robot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Feb 6, 2026
@openshift-merge-bot openshift-merge-bot bot merged commit 7ee0a3e into openshift:master Feb 6, 2026
21 of 23 checks passed
@openshift-ci
Contributor

openshift-ci bot commented Feb 6, 2026

@richardsonnick: Updated the following 2 configmaps:

  • plugins configmap in namespace ci at cluster app.ci using the following files:
    • key core-services-prow-02_config-openshift-tls-scanner-_pluginconfig.yaml using file core-services/prow/02_config/openshift/tls-scanner/_pluginconfig.yaml
  • config configmap in namespace ci at cluster app.ci using the following files:
    • key core-services-prow-02_config-openshift-tls-scanner-_prowconfig.yaml using file core-services/prow/02_config/openshift/tls-scanner/_prowconfig.yaml

In response to this:

Adds a CI step that runs the OpenShift TLS scanner against either a default OpenShift cluster or one configured to use minVersionTLS 13. Produces a CSV in the prow artifacts that details minVersionTLS and cipher-suite compliance against the apiserver CRD.

Complete cluster scans take ~3 hours. This time can be reduced via the namespace filter.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sau1506mya pushed a commit to Sau1506mya/release that referenced this pull request Feb 9, 2026
* Add tls-scanner step registry for scanning TLS configurations

* Add CI configuration for openshift/tls-scanner repository

* Add OWNERS files for tls step registry directories

* Add pqc-readiness informing job for TLS 1.3 scanning

* Mark pqc-readiness job as optional

* make release-controllers

* Use openshift 4.22

* Rename pqc-readiness to post-quantum-crypto-readiness

* Remove post-quantum crypto readiness job and related configurations from nightly 4.21 release files.

* [Attempt] Add xml junit output for spyglass

* Reformat workflow name to be less redundant

* make jobs
richardsonnick added a commit to richardsonnick/release that referenced this pull request Feb 18, 2026
memodi pushed a commit to memodi/release that referenced this pull request Feb 18, 2026
dhensel-rh pushed a commit to dhensel-rh/release that referenced this pull request Feb 19, 2026

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. rehearsals-ack Signifies that rehearsal jobs have been acknowledged


8 participants