diff --git a/ci-operator/config/openshift/tls-scanner/OWNERS b/ci-operator/config/openshift/tls-scanner/OWNERS
new file mode 100644
index 0000000000000..48d4984a35bfd
--- /dev/null
+++ b/ci-operator/config/openshift/tls-scanner/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
+reviewers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
diff --git a/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
new file mode 100644
index 0000000000000..edfa79cb29631
--- /dev/null
+++ b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
@@ -0,0 +1,60 @@
+base_images:
+ base:
+ name: "4.22"
+ namespace: ocp
+ tag: base-rhel9
+ ocp_builder_rhel-9-golang-1.24-openshift-4.22:
+ name: builder
+ namespace: ocp
+ tag: rhel-9-golang-1.24-openshift-4.22
+build_root:
+ image_stream_tag:
+ name: builder
+ namespace: ocp
+ tag: rhel-9-golang-1.24-openshift-4.22
+images:
+- dockerfile_path: Dockerfile
+ from: base
+ inputs:
+ ocp_builder_rhel-9-golang-1.24-openshift-4.22: {}
+ to: tls-scanner-tool
+promotion: {}
+releases:
+ initial:
+ integration:
+ name: "4.22"
+ namespace: ocp
+ latest:
+ integration:
+ include_built_images: true
+ name: "4.22"
+ namespace: ocp
+resources:
+ '*':
+ requests:
+ cpu: 100m
+ memory: 200Mi
+tests:
+- as: default-tls
+ cluster_claim:
+ architecture: amd64
+ cloud: aws
+ owner: openshift-ci
+ product: ocp
+ timeout: 5h0m0s
+ version: "4.22"
+ steps:
+ test:
+ - ref: tls-scanner-run
+ workflow: generic-claim
+- as: tls13-conformance
+ steps:
+ cluster_profile: aws-5
+ test:
+ - ref: tls-scanner-run
+ - ref: openshift-e2e-test
+ workflow: openshift-e2e-aws-ovn-tls-13
+zz_generated_metadata:
+ branch: main
+ org: openshift
+ repo: tls-scanner
diff --git a/ci-operator/jobs/openshift/tls-scanner/OWNERS b/ci-operator/jobs/openshift/tls-scanner/OWNERS
new file mode 100644
index 0000000000000..48d4984a35bfd
--- /dev/null
+++ b/ci-operator/jobs/openshift/tls-scanner/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
+reviewers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
diff --git a/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-postsubmits.yaml b/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-postsubmits.yaml
new file mode 100644
index 0000000000000..21c71a4d9bfe0
--- /dev/null
+++ b/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-postsubmits.yaml
@@ -0,0 +1,62 @@
+postsubmits:
+ openshift/tls-scanner:
+ - agent: kubernetes
+ always_run: true
+ branches:
+ - ^main$
+ cluster: build01
+ decorate: true
+ decoration_config:
+ skip_cloning: true
+ labels:
+ ci-operator.openshift.io/is-promotion: "true"
+ ci.openshift.io/generator: prowgen
+ max_concurrency: 1
+ name: branch-ci-openshift-tls-scanner-main-images
+ spec:
+ containers:
+ - args:
+ - --gcs-upload-secret=/secrets/gcs/service-account.json
+ - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+ - --image-mirror-push-secret=/etc/push-secret/.dockerconfigjson
+ - --promote
+ - --report-credentials-file=/etc/report/credentials
+ - --target=[images]
+ command:
+ - ci-operator
+ image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+ imagePullPolicy: Always
+ name: ""
+ resources:
+ requests:
+ cpu: 10m
+ volumeMounts:
+ - mountPath: /secrets/gcs
+ name: gcs-credentials
+ readOnly: true
+ - mountPath: /secrets/manifest-tool
+ name: manifest-tool-local-pusher
+ readOnly: true
+ - mountPath: /etc/pull-secret
+ name: pull-secret
+ readOnly: true
+ - mountPath: /etc/push-secret
+ name: push-secret
+ readOnly: true
+ - mountPath: /etc/report
+ name: result-aggregator
+ readOnly: true
+ serviceAccountName: ci-operator
+ volumes:
+ - name: manifest-tool-local-pusher
+ secret:
+ secretName: manifest-tool-local-pusher
+ - name: pull-secret
+ secret:
+ secretName: registry-pull-credentials
+ - name: push-secret
+ secret:
+ secretName: registry-push-credentials-ci-central
+ - name: result-aggregator
+ secret:
+ secretName: result-aggregator
diff --git a/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-presubmits.yaml b/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-presubmits.yaml
new file mode 100644
index 0000000000000..ac200e0e52687
--- /dev/null
+++ b/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-presubmits.yaml
@@ -0,0 +1,200 @@
+presubmits:
+ openshift/tls-scanner:
+ - agent: kubernetes
+ always_run: true
+ branches:
+ - ^main$
+ - ^main-
+ cluster: build01
+ context: ci/prow/default-tls
+ decorate: true
+ decoration_config:
+ skip_cloning: true
+ labels:
+ ci.openshift.io/generator: prowgen
+ pj-rehearse.openshift.io/can-be-rehearsed: "true"
+ name: pull-ci-openshift-tls-scanner-main-default-tls
+ rerun_command: /test default-tls
+ spec:
+ containers:
+ - args:
+ - --gcs-upload-secret=/secrets/gcs/service-account.json
+ - --hive-kubeconfig=/secrets/hive-hive-credentials/kubeconfig
+ - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+ - --report-credentials-file=/etc/report/credentials
+ - --secret-dir=/secrets/ci-pull-credentials
+ - --target=default-tls
+ command:
+ - ci-operator
+ image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+ imagePullPolicy: Always
+ name: ""
+ resources:
+ requests:
+ cpu: 10m
+ volumeMounts:
+ - mountPath: /secrets/ci-pull-credentials
+ name: ci-pull-credentials
+ readOnly: true
+ - mountPath: /secrets/gcs
+ name: gcs-credentials
+ readOnly: true
+ - mountPath: /secrets/hive-hive-credentials
+ name: hive-hive-credentials
+ readOnly: true
+ - mountPath: /secrets/manifest-tool
+ name: manifest-tool-local-pusher
+ readOnly: true
+ - mountPath: /etc/pull-secret
+ name: pull-secret
+ readOnly: true
+ - mountPath: /etc/report
+ name: result-aggregator
+ readOnly: true
+ serviceAccountName: ci-operator
+ volumes:
+ - name: ci-pull-credentials
+ secret:
+ secretName: ci-pull-credentials
+ - name: hive-hive-credentials
+ secret:
+ secretName: hive-hive-credentials
+ - name: manifest-tool-local-pusher
+ secret:
+ secretName: manifest-tool-local-pusher
+ - name: pull-secret
+ secret:
+ secretName: registry-pull-credentials
+ - name: result-aggregator
+ secret:
+ secretName: result-aggregator
+ trigger: (?m)^/test( | .* )default-tls,?($|\s.*)
+ - agent: kubernetes
+ always_run: true
+ branches:
+ - ^main$
+ - ^main-
+ cluster: build01
+ context: ci/prow/images
+ decorate: true
+ decoration_config:
+ skip_cloning: true
+ labels:
+ ci.openshift.io/generator: prowgen
+ pj-rehearse.openshift.io/can-be-rehearsed: "true"
+ name: pull-ci-openshift-tls-scanner-main-images
+ rerun_command: /test images
+ spec:
+ containers:
+ - args:
+ - --gcs-upload-secret=/secrets/gcs/service-account.json
+ - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+ - --report-credentials-file=/etc/report/credentials
+ - --target=[images]
+ command:
+ - ci-operator
+ image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+ imagePullPolicy: Always
+ name: ""
+ resources:
+ requests:
+ cpu: 10m
+ volumeMounts:
+ - mountPath: /secrets/gcs
+ name: gcs-credentials
+ readOnly: true
+ - mountPath: /secrets/manifest-tool
+ name: manifest-tool-local-pusher
+ readOnly: true
+ - mountPath: /etc/pull-secret
+ name: pull-secret
+ readOnly: true
+ - mountPath: /etc/report
+ name: result-aggregator
+ readOnly: true
+ serviceAccountName: ci-operator
+ volumes:
+ - name: manifest-tool-local-pusher
+ secret:
+ secretName: manifest-tool-local-pusher
+ - name: pull-secret
+ secret:
+ secretName: registry-pull-credentials
+ - name: result-aggregator
+ secret:
+ secretName: result-aggregator
+ trigger: (?m)^/test( | .* )images,?($|\s.*)
+ - agent: kubernetes
+ always_run: true
+ branches:
+ - ^main$
+ - ^main-
+ cluster: build05
+ context: ci/prow/tls13-conformance
+ decorate: true
+ decoration_config:
+ skip_cloning: true
+ labels:
+ ci-operator.openshift.io/cloud: aws
+ ci-operator.openshift.io/cloud-cluster-profile: aws-5
+ ci.openshift.io/generator: prowgen
+ pj-rehearse.openshift.io/can-be-rehearsed: "true"
+ name: pull-ci-openshift-tls-scanner-main-tls13-conformance
+ rerun_command: /test tls13-conformance
+ spec:
+ containers:
+ - args:
+ - --gcs-upload-secret=/secrets/gcs/service-account.json
+ - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+ - --lease-server-credentials-file=/etc/boskos/credentials
+ - --report-credentials-file=/etc/report/credentials
+ - --secret-dir=/secrets/ci-pull-credentials
+ - --target=tls13-conformance
+ command:
+ - ci-operator
+ image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+ imagePullPolicy: Always
+ name: ""
+ resources:
+ requests:
+ cpu: 10m
+ volumeMounts:
+ - mountPath: /etc/boskos
+ name: boskos
+ readOnly: true
+ - mountPath: /secrets/ci-pull-credentials
+ name: ci-pull-credentials
+ readOnly: true
+ - mountPath: /secrets/gcs
+ name: gcs-credentials
+ readOnly: true
+ - mountPath: /secrets/manifest-tool
+ name: manifest-tool-local-pusher
+ readOnly: true
+ - mountPath: /etc/pull-secret
+ name: pull-secret
+ readOnly: true
+ - mountPath: /etc/report
+ name: result-aggregator
+ readOnly: true
+ serviceAccountName: ci-operator
+ volumes:
+ - name: boskos
+ secret:
+ items:
+ - key: credentials
+ path: credentials
+ secretName: boskos-credentials
+ - name: ci-pull-credentials
+ secret:
+ secretName: ci-pull-credentials
+ - name: manifest-tool-local-pusher
+ secret:
+ secretName: manifest-tool-local-pusher
+ - name: pull-secret
+ secret:
+ secretName: registry-pull-credentials
+ - name: result-aggregator
+ secret:
+ secretName: result-aggregator
+ trigger: (?m)^/test( | .* )tls13-conformance,?($|\s.*)
diff --git a/ci-operator/step-registry/tls/OWNERS b/ci-operator/step-registry/tls/OWNERS
new file mode 100644
index 0000000000000..8d50643e36ca1
--- /dev/null
+++ b/ci-operator/step-registry/tls/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
+reviewers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
diff --git a/ci-operator/step-registry/tls/scanner/OWNERS b/ci-operator/step-registry/tls/scanner/OWNERS
new file mode 100644
index 0000000000000..8d50643e36ca1
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
+reviewers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
diff --git a/ci-operator/step-registry/tls/scanner/run/OWNERS b/ci-operator/step-registry/tls/scanner/run/OWNERS
new file mode 100644
index 0000000000000..0c3a02e9e68c6
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/run/OWNERS
@@ -0,0 +1,9 @@
+approvers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
+reviewers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
+
diff --git a/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh
new file mode 100644
index 0000000000000..84f4d63eae5f2
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh
@@ -0,0 +1,124 @@ +#!/bin/bash +set -o nounset +set -o errexit +set -o pipefail + +# TLS Scanner - scans TLS configurations of all pods in the cluster +NAMESPACE="tls-scanner" +SCANNER_IMAGE="${PULL_SPEC_TLS_SCANNER_TOOL}" +ARTIFACT_DIR="${ARTIFACT_DIR:-/tmp/artifacts}" +SCANNER_ARTIFACT_DIR="${ARTIFACT_DIR}/tls-scanner" + +# Determine scanner arguments based on whether a specific namespace is requested +if [[ -n "${SCAN_NAMESPACE:-}" ]]; then + SCANNER_ARGS="--namespace ${SCAN_NAMESPACE}" +else + SCANNER_ARGS="--all-pods" +fi + +mkdir -p "${SCANNER_ARTIFACT_DIR}" + +echo "=== TLS Scanner ===" +echo "Image: ${SCANNER_IMAGE}" + +# Create namespace +oc create namespace "${NAMESPACE}" --dry-run=client -o yaml | oc apply -f - + +# Cleanup on exit +cleanup() { + echo "Cleaning up..." + oc delete namespace "${NAMESPACE}" --ignore-not-found --wait=false || true +} +trap cleanup EXIT + +# Grant cluster-admin to the default service account for full access +oc adm policy add-cluster-role-to-user cluster-admin -z default -n "${NAMESPACE}" + +# Grant privileged SCC to the service account (required for hostNetwork, hostPID, privileged container) +oc adm policy add-scc-to-user privileged -z default -n "${NAMESPACE}" + +# Wait for RBAC/SCC changes to propagate before creating the pod +# This ensures the SCC admission controller sees the new binding +echo "Waiting for RBAC/SCC changes to propagate..." +sleep 10 + +# Create the scanner pod with privileged access +cat <&1 | tee /results/output.log + echo "Scan complete. Exit code: \$?" + # Keep pod alive for artifact collection + sleep 120 + securityContext: + privileged: true + runAsUser: 0 + volumeMounts: + - name: results + mountPath: /results + volumes: + - name: results + emptyDir: {} +EOF + +echo "Waiting for scanner pod to start..." 
+oc wait --for=condition=Ready pod/tls-scanner -n "${NAMESPACE}" --timeout=5m || {
+ echo "Pod failed to start:"
+ oc describe pod/tls-scanner -n "${NAMESPACE}"
+ oc get events -n "${NAMESPACE}"
+ exit 1
+}
+
+echo "Waiting for scan to complete..."
+# Poll logs until scan completes (don't use -f which waits for container exit)
+while true; do
+ if oc logs pod/tls-scanner -n "${NAMESPACE}" 2>/dev/null | grep -q "Scan complete"; then
+ break
+ fi
+ # Show progress
+ echo " Scan still running..."
+ sleep 30
+done
+
+echo "Scan completed. Fetching full logs..."
+oc logs pod/tls-scanner -n "${NAMESPACE}" || true
+
+echo "Copying artifacts (container still alive in sleep phase)..."
+oc cp "${NAMESPACE}/tls-scanner:/results/." "${SCANNER_ARTIFACT_DIR}/" || echo "Warning: Failed to copy some artifacts"
+
+# Copy JUnit XML to root artifact dir for Spyglass (pattern: artifacts/junit*.xml)
+if [[ -f "${SCANNER_ARTIFACT_DIR}/junit_tls_scan.xml" ]]; then
+ cp "${SCANNER_ARTIFACT_DIR}/junit_tls_scan.xml" "${ARTIFACT_DIR}/junit_tls_scan.xml"
+ echo "JUnit results copied to ${ARTIFACT_DIR}/junit_tls_scan.xml for Spyglass"
+fi
+
+# Wait for pod to complete
+oc wait --for=jsonpath='{.status.phase}'=Succeeded pod/tls-scanner -n "${NAMESPACE}" --timeout=4h || {
+ echo "Scanner did not complete successfully"
+ oc describe pod/tls-scanner -n "${NAMESPACE}"
+ exit 1
+}
+
+echo "=== TLS Scanner Complete ==="
+echo "Artifacts saved to: ${SCANNER_ARTIFACT_DIR}"
+ls -la "${SCANNER_ARTIFACT_DIR}" || true
diff --git a/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.metadata.json b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.metadata.json
new file mode 100644
index 0000000000000..e76c5b3622e9c
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.metadata.json
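Review bot: The `while true` polling loop has no exit path if the scanner container crashes or is OOM-killed before it prints `Scan complete`, so a failed scan spins until the step timeout instead of failing fast; the loop should also read the pod phase each iteration and bail out on `Failed`/`Succeeded`, as sketched below. The scanner's own result is never surfaced either: inside the pod the `\$?` echoed after the `... 2>&1 | tee /results/output.log` pipeline is tee's status unless that shell sets `pipefail` (the heredoc is partly garbled in this view, so confirm), and the trailing `sleep 120` makes the container exit 0 regardless, so the later `--for=jsonpath='{.status.phase}'=Succeeded` wait cannot fail on a scan error and only the JUnit file can. Separately, `add-cluster-role-to-user cluster-admin -z default` creates a cluster-scoped ClusterRoleBinding that the `oc delete namespace` in `cleanup` does not remove, and `add-scc-to-user privileged -z default` likewise leaves whatever binding it created behind; binding a dedicated service account instead of `default` and adding `oc adm policy remove-cluster-role-from-user cluster-admin -z default -n "${NAMESPACE}"` and `oc adm policy remove-scc-from-user privileged -z default -n "${NAMESPACE}"` to `cleanup` would keep the claimed cluster from carrying a dangling cluster-admin grant. The script's head, including the pod manifest, is in the earlier part of this hunk.
```shell
echo "Waiting for scan to complete..."
# Poll logs until the scanner reports completion, but stop early if the pod
# dies first so a crashed scanner fails fast instead of spinning to the timeout.
while true; do
  if oc logs pod/tls-scanner -n "${NAMESPACE}" 2>/dev/null | grep -q "Scan complete"; then
    break
  fi
  phase="$(oc get pod/tls-scanner -n "${NAMESPACE}" -o jsonpath='{.status.phase}' 2>/dev/null || true)"
  if [[ "${phase}" == "Failed" || "${phase}" == "Succeeded" ]]; then
    echo "Scanner pod reached phase '${phase}' without reporting completion"
    oc describe pod/tls-scanner -n "${NAMESPACE}"
    oc logs pod/tls-scanner -n "${NAMESPACE}" || true
    exit 1
  fi
  echo "  Scan still running..."
  sleep 30
done
# … unchanged: log retrieval, artifact copy, final Succeeded wait …
```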
@@ -0,0 +1,15 @@
+{
+ "path": "tls/scanner/run/tls-scanner-run-ref.yaml",
+ "owners": {
+ "approvers": [
+ "richardsonnick",
+ "rhmdnd",
+ "smith-xyz"
+ ],
+ "reviewers": [
+ "richardsonnick",
+ "rhmdnd",
+ "smith-xyz"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
new file mode 100644
index 0000000000000..0814592419c15
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
@@ -0,0 +1,23 @@
+ref:
+ as: tls-scanner-run
+ from: src
+ cli: latest
+ commands: tls-scanner-run-commands.sh
+ dependencies:
+ - env: RELEASE_IMAGE_LATEST
+ name: release:latest
+ - env: OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE
+ name: release:latest
+ - env: OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE
+ name: release:latest
+ - env: PULL_SPEC_TLS_SCANNER_TOOL
+ name: tls-scanner-tool
+ resources:
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ timeout: 4h0m0s
+ grace_period: 5m0s
+ documentation: |-
+ Runs the TLS scanner against all pods in the target cluster.
+ The scanner runs with cluster-admin privileges and full host access.
diff --git a/core-services/prow/02_config/openshift/tls-scanner/_pluginconfig.yaml b/core-services/prow/02_config/openshift/tls-scanner/_pluginconfig.yaml
new file mode 100644
index 0000000000000..5b10eb2af0851
--- /dev/null
+++ b/core-services/prow/02_config/openshift/tls-scanner/_pluginconfig.yaml
@@ -0,0 +1,13 @@
+approve:
+- commandHelpLink: ""
+ repos:
+ - openshift/tls-scanner
+ require_self_approval: false
+lgtm:
+- repos:
+ - openshift/tls-scanner
+ review_acts_as_lgtm: true
+plugins:
+ openshift/tls-scanner:
+ plugins:
+ - approve
diff --git a/core-services/prow/02_config/openshift/tls-scanner/_prowconfig.yaml b/core-services/prow/02_config/openshift/tls-scanner/_prowconfig.yaml
new file mode 100644
index 0000000000000..0252803482944
--- /dev/null
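Review bot: The `tls-scanner-run` ref declares no `env:` entry for `SCAN_NAMESPACE`, yet `tls-scanner-run-commands.sh` in this same diff switches from `--all-pods` to `--namespace ${SCAN_NAMESPACE}` when that variable is set; as far as I know ci-operator only injects environment variables a ref declares, so the namespace-scoped path appears unreachable from any test configuration. Adding `env:` / `- name: SCAN_NAMESPACE` / `default: ""` with a `documentation:` line stating that an empty value scans all pods would make the knob usable and self-describing. The `OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE` and `OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE` dependencies also look unused by the script; if they were copied from a template, dropping them keeps the ref's declared contract honest. The `documentation` block would further benefit from naming the `junit_tls_scan.xml` artifact the step publishes, since that is what consumers and Spyglass will look for.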
+++ b/core-services/prow/02_config/openshift/tls-scanner/_prowconfig.yaml
@@ -0,0 +1,14 @@
+tide:
+ queries:
+ - labels:
+ - approved
+ - lgtm
+ missingLabels:
+ - backports/unvalidated-commits
+ - do-not-merge/hold
+ - do-not-merge/invalid-owners-file
+ - do-not-merge/work-in-progress
+ - jira/invalid-bug
+ - needs-rebase
+ repos:
+ - openshift/tls-scanner