From 03679e645744c4544fdd539a7ff1e1ec571f5f2e Mon Sep 17 00:00:00 2001
From: richardsonnick
Date: Wed, 21 Jan 2026 17:16:54 +0000
Subject: [PATCH 01/12] Add tls-scanner step registry for scanning TLS configurations
---
 .../step-registry/tls/scanner/run/OWNERS | 9 ++
 .../scanner/run/tls-scanner-run-commands.sh | 117 ++++++++++++++++++
 .../run/tls-scanner-run-ref.metadata.json | 15 +++
 .../tls/scanner/run/tls-scanner-run-ref.yaml | 23 ++++
 4 files changed, 164 insertions(+)
 create mode 100644 ci-operator/step-registry/tls/scanner/run/OWNERS
 create mode 100644 ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh
 create mode 100644 ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.metadata.json
 create mode 100644 ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
diff --git a/ci-operator/step-registry/tls/scanner/run/OWNERS b/ci-operator/step-registry/tls/scanner/run/OWNERS
new file mode 100644
index 0000000000000..0c3a02e9e68c6
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/run/OWNERS
@@ -0,0 +1,9 @@
+approvers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
+reviewers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
+
diff --git a/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh
new file mode 100644
index 0000000000000..23190f61417e7
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh
@@ -0,0 +1,117 @@
+#!/bin/bash
+set -o nounset
+set -o errexit
+set -o pipefail
+
+# TLS Scanner - scans TLS configurations of all pods in the cluster
+NAMESPACE="tls-scanner"
+SCANNER_IMAGE="${PULL_SPEC_TLS_SCANNER_TOOL}"
+ARTIFACT_DIR="${ARTIFACT_DIR:-/tmp/artifacts}"
+SCANNER_ARTIFACT_DIR="${ARTIFACT_DIR}/tls-scanner"
+
+# Determine scanner arguments based on whether a specific namespace is requested
+if [[ -n "${SCAN_NAMESPACE:-}" ]]; then
+ SCANNER_ARGS="--namespace ${SCAN_NAMESPACE}"
+else
+ SCANNER_ARGS="--all-pods"
+fi
+
+mkdir -p "${SCANNER_ARTIFACT_DIR}"
+
+echo "=== TLS Scanner ==="
+echo "Image: ${SCANNER_IMAGE}"
+
+# Create namespace
+oc create namespace "${NAMESPACE}" --dry-run=client -o yaml | oc apply -f -
+
+# Cleanup on exit
+cleanup() {
+ echo "Cleaning up..."
+ oc delete namespace "${NAMESPACE}" --ignore-not-found --wait=false || true
+}
+trap cleanup EXIT
+
+# Grant cluster-admin to the default service account for full access
+oc adm policy add-cluster-role-to-user cluster-admin -z default -n "${NAMESPACE}"
+
+# Grant privileged SCC to the service account (required for hostNetwork, hostPID, privileged container)
+oc adm policy add-scc-to-user privileged -z default -n "${NAMESPACE}"
+
+# Wait for RBAC/SCC changes to propagate before creating the pod
+# This ensures the SCC admission controller sees the new binding
+echo "Waiting for RBAC/SCC changes to propagate..."
+sleep 10
+
+# Create the scanner pod with privileged access
+cat <&1 | tee /results/output.log
+ echo "Scan complete. Exit code: \$?"
+ # Keep pod alive for artifact collection
+ sleep 120
+ securityContext:
+ privileged: true
+ runAsUser: 0
+ volumeMounts:
+ - name: results
+ mountPath: /results
+ volumes:
+ - name: results
+ emptyDir: {}
+EOF
+
+echo "Waiting for scanner pod to start..."
+oc wait --for=condition=Ready pod/tls-scanner -n "${NAMESPACE}" --timeout=5m || {
+ echo "Pod failed to start:"
+ oc describe pod/tls-scanner -n "${NAMESPACE}"
+ oc get events -n "${NAMESPACE}"
+ exit 1
+}
+
+echo "Waiting for scan to complete..."
+# Poll logs until scan completes (don't use -f which waits for container exit)
+while true; do
+ if oc logs pod/tls-scanner -n "${NAMESPACE}" 2>/dev/null | grep -q "Scan complete"; then
+ break
+ fi
+ # Show progress
+ echo " Scan still running..."
+ sleep 30
+done
+
+echo "Scan completed. Fetching full logs..."
+oc logs pod/tls-scanner -n "${NAMESPACE}" || true
+
+echo "Copying artifacts (container still alive in sleep phase)..."
+oc cp "${NAMESPACE}/tls-scanner:/results/." "${SCANNER_ARTIFACT_DIR}/" || echo "Warning: Failed to copy some artifacts"
+
+# Wait for pod to complete
+oc wait --for=jsonpath='{.status.phase}'=Succeeded pod/tls-scanner -n "${NAMESPACE}" --timeout=4h || {
+ echo "Scanner did not complete successfully"
+ oc describe pod/tls-scanner -n "${NAMESPACE}"
+ exit 1
+}
+
+echo "=== TLS Scanner Complete ==="
+echo "Artifacts saved to: ${SCANNER_ARTIFACT_DIR}"
+ls -la "${SCANNER_ARTIFACT_DIR}" || true
diff --git a/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.metadata.json b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.metadata.json
new file mode 100644
index 0000000000000..e76c5b3622e9c
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.metadata.json
@@ -0,0 +1,15 @@
+{
+ "path": "tls/scanner/run/tls-scanner-run-ref.yaml",
+ "owners": {
+ "approvers": [
+ "richardsonnick",
+ "rhmdnd",
+ "smith-xyz"
+ ],
+ "reviewers": [
+ "richardsonnick",
+ "rhmdnd",
+ "smith-xyz"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
new file mode 100644
index 0000000000000..0814592419c15
--- /dev/null
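Review bot: The `cleanup` trap deletes only the namespace, but `oc adm policy add-cluster-role-to-user cluster-admin -z default` creates a cluster-scoped binding that is not removed with it (the privileged SCC grant may behave the same way, depending on the `oc` version), so on any cluster that outlives this step the `default` service account of a later `tls-scanner` namespace would come up as cluster-admin again. Revoke both grants in `cleanup` before the namespace delete, `oc adm policy remove-cluster-role-from-user cluster-admin -z default -n "${NAMESPACE}" || true` and `oc adm policy remove-scc-from-user privileged -z default -n "${NAMESPACE}" || true`, and prefer a dedicated service account over `default` so unrelated pods in the namespace do not inherit the grant. The `while true` log-polling loop also has no deadline and never looks at the pod phase, so a scanner that fails before printing "Scan complete" holds the step until the 4h timeout; bound the loop and stop when the pod reports `Failed`. The pod manifest inside the heredoc is not fully visible on this page, so whether `Exit code: \$?` reports the scanner's status or `tee`'s could not be checked here.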
+++ b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
@@ -0,0 +1,23 @@
+ref:
+ as: tls-scanner-run
+ from: src
+ cli: latest
+ commands: tls-scanner-run-commands.sh
+ dependencies:
+ - env: RELEASE_IMAGE_LATEST
+ name: release:latest
+ - env: OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE
+ name: release:latest
+ - env: OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE
+ name: release:latest
+ - env: PULL_SPEC_TLS_SCANNER_TOOL
+ name: tls-scanner-tool
+ resources:
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ timeout: 4h0m0s
+ grace_period: 5m0s
+ documentation: |-
+ Runs the TLS scanner against all pods in the target cluster.
+ The scanner runs with cluster-admin privileges and full host access.
From d242dd3c39021568057c6ec85af880554f67fcfb Mon Sep 17 00:00:00 2001
From: richardsonnick
Date: Wed, 21 Jan 2026 17:17:07 +0000
Subject: [PATCH 02/12] Add CI configuration for openshift/tls-scanner repository
---
 .../config/openshift/tls-scanner/OWNERS | 8 +
 .../openshift-tls-scanner-main.yaml | 60 ++++++
 ci-operator/jobs/openshift/tls-scanner/OWNERS | 8 +
 ...penshift-tls-scanner-main-postsubmits.yaml | 62 ++++++
 ...openshift-tls-scanner-main-presubmits.yaml | 200 ++++++++++++++++++
 .../openshift/tls-scanner/_pluginconfig.yaml | 13 ++
 .../openshift/tls-scanner/_prowconfig.yaml | 14 ++
 7 files changed, 365 insertions(+)
 create mode 100644 ci-operator/config/openshift/tls-scanner/OWNERS
 create mode 100644 ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
 create mode 100644 ci-operator/jobs/openshift/tls-scanner/OWNERS
 create mode 100644 ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-postsubmits.yaml
 create mode 100644 ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-presubmits.yaml
 create mode 100644 core-services/prow/02_config/openshift/tls-scanner/_pluginconfig.yaml
 create mode 100644 core-services/prow/02_config/openshift/tls-scanner/_prowconfig.yaml
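Review bot: `tls-scanner-run-commands.sh` reads `SCAN_NAMESPACE` to switch from `--all-pods` to a single namespace, but `tls-scanner-run-ref.yaml` declares no `env:` entry for it, so the option is undocumented and, as far as the ref shows, a test cannot set it. Declare it in the ref, e.g. `env:` with `- name: SCAN_NAMESPACE`, `default: ""` and a `documentation:` line saying that an empty value scans all pods. The `documentation` text could also state that the step binds cluster-admin and the privileged SCC to the `default` service account of the `tls-scanner` namespace, so a job author knows what the step changes on the cluster.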
diff --git a/ci-operator/config/openshift/tls-scanner/OWNERS b/ci-operator/config/openshift/tls-scanner/OWNERS
new file mode 100644
index 0000000000000..48d4984a35bfd
--- /dev/null
+++ b/ci-operator/config/openshift/tls-scanner/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
+reviewers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
diff --git a/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
new file mode 100644
index 0000000000000..e3020d0e59bfb
--- /dev/null
+++ b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
@@ -0,0 +1,60 @@
+base_images:
+ base:
+ name: "4.21"
+ namespace: ocp
+ tag: base-rhel9
+ ocp_builder_rhel-9-golang-1.24-openshift-4.21:
+ name: builder
+ namespace: ocp
+ tag: rhel-9-golang-1.24-openshift-4.21
+build_root:
+ image_stream_tag:
+ name: builder
+ namespace: ocp
+ tag: rhel-9-golang-1.24-openshift-4.21
+images:
+- dockerfile_path: Dockerfile
+ from: base
+ inputs:
+ ocp_builder_rhel-9-golang-1.24-openshift-4.21: {}
+ to: tls-scanner-tool
+promotion: {}
+releases:
+ initial:
+ integration:
+ name: "4.21"
+ namespace: ocp
+ latest:
+ integration:
+ include_built_images: true
+ name: "4.21"
+ namespace: ocp
+resources:
+ '*':
+ requests:
+ cpu: 100m
+ memory: 200Mi
+tests:
+- as: scanner-default-tls
+ cluster_claim:
+ architecture: amd64
+ cloud: aws
+ owner: openshift-ci
+ product: ocp
+ timeout: 5h0m0s
+ version: "4.22"
+ steps:
+ test:
+ - ref: tls-scanner-run
+ workflow: generic-claim
+- as: scanner-tls13-conformance
+ steps:
+ cluster_profile: aws-5
+ test:
+ - ref: tls-scanner-run
+ - ref: openshift-e2e-test
+ workflow: openshift-e2e-aws-ovn-tls-13
+zz_generated_metadata:
+ branch: main
+ org: openshift
+ repo: tls-scanner
diff --git a/ci-operator/jobs/openshift/tls-scanner/OWNERS b/ci-operator/jobs/openshift/tls-scanner/OWNERS
new file mode 100644
index 0000000000000..48d4984a35bfd
--- /dev/null
+++ b/ci-operator/jobs/openshift/tls-scanner/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
+reviewers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
diff --git a/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-postsubmits.yaml b/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-postsubmits.yaml
new file mode 100644
index 0000000000000..21c71a4d9bfe0
--- /dev/null
+++ b/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-postsubmits.yaml
@@ -0,0 +1,62 @@ +postsubmits: + openshift/tls-scanner: + - agent: kubernetes + always_run: true + branches: + - ^main$ + cluster: build01 + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/is-promotion: "true" + ci.openshift.io/generator: prowgen + max_concurrency: 1 + name: branch-ci-openshift-tls-scanner-main-images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --image-mirror-push-secret=/etc/push-secret/.dockerconfigjson + - --promote + - --report-credentials-file=/etc/report/credentials + - --target=[images] + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/push-secret + name: push-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: push-secret + secret: + secretName: registry-push-credentials-ci-central + - name: result-aggregator + secret: + secretName: result-aggregator diff --git a/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-presubmits.yaml b/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-presubmits.yaml new file mode 100644 index 0000000000000..ee964f143829a --- /dev/null +++ b/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-presubmits.yaml 
@@ -0,0 +1,200 @@ +presubmits: + openshift/tls-scanner: + - agent: kubernetes + always_run: true + branches: + - ^main$ + - ^main- + cluster: build01 + context: ci/prow/images + decorate: true + decoration_config: + skip_cloning: true + labels: + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-tls-scanner-main-images + rerun_command: /test images + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --target=[images] + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )images,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^main$ + - ^main- + cluster: build01 + context: ci/prow/scanner-default-tls + decorate: true + decoration_config: + skip_cloning: true + labels: + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-tls-scanner-main-scanner-default-tls + rerun_command: /test scanner-default-tls + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - 
--hive-kubeconfig=/secrets/hive-hive-credentials/kubeconfig + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=scanner-default-tls + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/hive-hive-credentials + name: hive-hive-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: hive-hive-credentials + secret: + secretName: hive-hive-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )scanner-default-tls,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^main$ + - ^main- + cluster: build05 + context: ci/prow/scanner-tls13-conformance + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-5 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-tls-scanner-main-scanner-tls13-conformance + rerun_command: /test scanner-tls13-conformance + spec: + containers: + - args: + - 
--gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=scanner-tls13-conformance + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )scanner-tls13-conformance,?($|\s.*) diff --git a/core-services/prow/02_config/openshift/tls-scanner/_pluginconfig.yaml b/core-services/prow/02_config/openshift/tls-scanner/_pluginconfig.yaml new file mode 100644 index 0000000000000..5b10eb2af0851 --- /dev/null +++ b/core-services/prow/02_config/openshift/tls-scanner/_pluginconfig.yaml 
@@ -0,0 +1,13 @@
+approve:
+- commandHelpLink: ""
+ repos:
+ - openshift/tls-scanner
+ require_self_approval: false
+lgtm:
+- repos:
+ - openshift/tls-scanner
+ review_acts_as_lgtm: true
+plugins:
+ openshift/tls-scanner:
+ plugins:
+ - approve
diff --git a/core-services/prow/02_config/openshift/tls-scanner/_prowconfig.yaml b/core-services/prow/02_config/openshift/tls-scanner/_prowconfig.yaml
new file mode 100644
index 0000000000000..0252803482944
--- /dev/null
+++ b/core-services/prow/02_config/openshift/tls-scanner/_prowconfig.yaml
@@ -0,0 +1,14 @@
+tide:
+ queries:
+ - labels:
+ - approved
+ - lgtm
+ missingLabels:
+ - backports/unvalidated-commits
+ - do-not-merge/hold
+ - do-not-merge/invalid-owners-file
+ - do-not-merge/work-in-progress
+ - jira/invalid-bug
+ - needs-rebase
+ repos:
+ - openshift/tls-scanner
From a564fad917e0d53e58d95b96696c42dc16be5868 Mon Sep 17 00:00:00 2001
From: richardsonnick
Date: Wed, 21 Jan 2026 19:50:39 +0000
Subject: [PATCH 03/12] Add OWNERS files for tls step registry directories
---
 ci-operator/step-registry/tls/OWNERS | 8 ++++++++
 ci-operator/step-registry/tls/scanner/OWNERS | 8 ++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 ci-operator/step-registry/tls/OWNERS
 create mode 100644 ci-operator/step-registry/tls/scanner/OWNERS
diff --git a/ci-operator/step-registry/tls/OWNERS b/ci-operator/step-registry/tls/OWNERS
new file mode 100644
index 0000000000000..8d50643e36ca1
--- /dev/null
+++ b/ci-operator/step-registry/tls/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
+reviewers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
diff --git a/ci-operator/step-registry/tls/scanner/OWNERS b/ci-operator/step-registry/tls/scanner/OWNERS
new file mode 100644
index 0000000000000..8d50643e36ca1
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
+reviewers:
+ - richardsonnick
+ - rhmdnd
+ - smith-xyz
From e7500036029a3920d48372dd38da6672e255f7df Mon Sep 17 00:00:00 2001
From: richardsonnick
Date: Wed, 21 Jan 2026 20:17:55 +0000
Subject: [PATCH 04/12] Add pqc-readiness informing job for TLS 1.3 scanning
---
 ...penshift-release-master__nightly-4.21.yaml | 8 ++
 .../openshift-release-master-periodics.yaml | 76 +++++++++++++++++++
 .../_releases/release-ocp-4.21.json | 6 ++
 3 files changed, 90 insertions(+)
diff --git a/ci-operator/config/openshift/release/openshift-release-master__nightly-4.21.yaml b/ci-operator/config/openshift/release/openshift-release-master__nightly-4.21.yaml
index 5585c496ac560..b7392075de286 100644
--- a/ci-operator/config/openshift/release/openshift-release-master__nightly-4.21.yaml
+++ b/ci-operator/config/openshift/release/openshift-release-master__nightly-4.21.yaml
@@ -1966,6 +1966,14 @@ tests:
 - ref: fips-check-node-scan
 - ref: fips-check-art-fips
 workflow: ipi-aws
+- as: pqc-readiness
+ cron: '@yearly'
+ steps:
+ cluster_profile: aws-3
+ test:
+ - ref: tls-scanner-run
+ - ref: openshift-e2e-test
+ workflow: openshift-e2e-aws-ovn-tls-13
 - as: e2e-external-aws
 cron: '@weekly'
 steps:
diff --git a/ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml b/ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml
index 175176059cf22..3c265d0645abe 100644
--- a/ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml
+++ b/ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml
@@ -178464,6 +178464,82 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build11 + cron: '@yearly' + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: master + org: openshift + repo: release + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-3 + ci-operator.openshift.io/variant: nightly-4.21 + ci.openshift.io/generator: prowgen + ci.openshift.io/no-builds: "true" + job-release: "4.21" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-release-master-nightly-4.21-pqc-readiness + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=pqc-readiness + - --variant=nightly-4.21 + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: 
pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build09 cron: 0 13 * * *
diff --git a/core-services/release-controller/_releases/release-ocp-4.21.json b/core-services/release-controller/_releases/release-ocp-4.21.json
index fa00350044a25..55e566b9990bd 100644
--- a/core-services/release-controller/_releases/release-ocp-4.21.json
+++ b/core-services/release-controller/_releases/release-ocp-4.21.json
@@ -675,6 +675,12 @@
 "prowJob": {
 "name": "periodic-ci-openshift-release-master-nightly-4.21-fips-payload-scan"
 }
+ },
+ "pqc-readiness": {
+ "maxRetries": 2,
+ "prowJob": {
+ "name": "periodic-ci-openshift-release-master-nightly-4.21-pqc-readiness"
+ }
 }
 }
 }
From 2f35cac6c585a410ce9450322559ac47f9a42161 Mon Sep 17 00:00:00 2001
From: richardsonnick
Date: Wed, 21 Jan 2026 20:30:28 +0000
Subject: [PATCH 05/12] Mark pqc-readiness job as optional
---
 core-services/release-controller/_releases/release-ocp-4.21.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/core-services/release-controller/_releases/release-ocp-4.21.json b/core-services/release-controller/_releases/release-ocp-4.21.json
index 55e566b9990bd..b7e19f0aea995 100644
--- a/core-services/release-controller/_releases/release-ocp-4.21.json
+++ b/core-services/release-controller/_releases/release-ocp-4.21.json
@@ -677,6 +677,7 @@
 }
 },
 "pqc-readiness": {
+ "optional": true,
 "maxRetries": 2,
 "prowJob": {
 "name": "periodic-ci-openshift-release-master-nightly-4.21-pqc-readiness"
From 73713afccbef24170eab1a450434126b2af13981 Mon Sep 17 00:00:00 2001
From: richardsonnick
Date: Thu, 22 Jan 2026 15:02:44 +0000
Subject: [PATCH 06/12] make release-controllers
---
 .../_releases/priv/release-ocp-4.21.json | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/core-services/release-controller/_releases/priv/release-ocp-4.21.json b/core-services/release-controller/_releases/priv/release-ocp-4.21.json
index 36ff697dc595e..127bb32ad54e9 100644
--- a/core-services/release-controller/_releases/priv/release-ocp-4.21.json
+++ b/core-services/release-controller/_releases/priv/release-ocp-4.21.json
@@ -602,6 +602,14 @@
 "name": "periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ovn-single-node-live-iso-priv"
 }
 },
+ "pqc-readiness": {
+ "disabled": true,
+ "maxRetries": 2,
+ "optional": true,
+ "prowJob": {
+ "name": "periodic-ci-openshift-release-master-nightly-4.21-pqc-readiness-priv"
+ }
+ },
 "qe-perfscale": {
 "disabled": true,
 "optional": true,
From 93439ac9b9905879d07d8c933201306c3461d1ef Mon Sep 17 00:00:00 2001
From: richardsonnick
Date: Fri, 30 Jan 2026 14:58:38 +0000
Subject: [PATCH 07/12] Use openshift 4.22
---
 .../tls-scanner/openshift-tls-scanner-main.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
index e3020d0e59bfb..8ebe77ca060ea 100644
--- a/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
+++ b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
@@ -1,33 +1,33 @@
 base_images:
 base:
- name: "4.21"
+ name: "4.22"
 namespace: ocp
 tag: base-rhel9
- ocp_builder_rhel-9-golang-1.24-openshift-4.21:
+ ocp_builder_rhel-9-golang-1.24-openshift-4.22:
 name: builder
 namespace: ocp
- tag: rhel-9-golang-1.24-openshift-4.21
+ tag: rhel-9-golang-1.24-openshift-4.22
 build_root:
 image_stream_tag:
 name: builder
 namespace: ocp
- tag: rhel-9-golang-1.24-openshift-4.21
+ tag: rhel-9-golang-1.24-openshift-4.22
 images:
 - dockerfile_path: Dockerfile
 from: base
 inputs:
- ocp_builder_rhel-9-golang-1.24-openshift-4.21: {}
+ ocp_builder_rhel-9-golang-1.24-openshift-4.22: {}
 to: tls-scanner-tool
 promotion: {}
 releases:
 initial:
 integration:
- name: "4.21"
+ name: "4.22"
 namespace: ocp
 latest:
 integration:
 include_built_images: true
- name: "4.21"
+ name: "4.22"
 namespace: ocp
 resources:
 '*':
From 3ef66e60c28b07a6c21054494d70f7f75d0dfa66 Mon Sep 17 00:00:00 2001
From: richardsonnick
Date: Fri, 30 Jan 2026 15:04:48 +0000
Subject: [PATCH 08/12] Rename pqc-readiness to post-quantum-crypto-readiness
---
 .../release/openshift-release-master__nightly-4.21.yaml | 2 +-
 .../openshift/release/openshift-release-master-periodics.yaml | 4 ++--
 .../release-controller/_releases/priv/release-ocp-4.21.json | 4 ++--
 .../release-controller/_releases/release-ocp-4.21.json | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/ci-operator/config/openshift/release/openshift-release-master__nightly-4.21.yaml b/ci-operator/config/openshift/release/openshift-release-master__nightly-4.21.yaml
index deddc2a366ff8..da995fdf41d1c 100644
--- a/ci-operator/config/openshift/release/openshift-release-master__nightly-4.21.yaml
+++ b/ci-operator/config/openshift/release/openshift-release-master__nightly-4.21.yaml
@@ -1973,7 +1973,7 @@ tests:
 - ref: fips-check-node-scan
 - ref: fips-check-art-fips
 workflow: ipi-aws
-- as: pqc-readiness
+- as: post-quantum-crypto-readiness
 cron: '@yearly'
 steps:
 cluster_profile: aws-3
diff --git a/ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml b/ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml
index af851599bbb3d..ee9490691ebb8 100644
--- a/ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml
+++ b/ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml
@@ -177911,7 +177911,7 @@ periodics: ci.openshift.io/no-builds: "true" job-release: "4.21" pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: periodic-ci-openshift-release-master-nightly-4.21-pqc-readiness + name: periodic-ci-openshift-release-master-nightly-4.21-post-quantum-crypto-readiness spec: containers: - args:
@@ -177920,7 +177920,7 @@ periodics: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=pqc-readiness + - --target=post-quantum-crypto-readiness - --variant=nightly-4.21 command: - ci-operator
diff --git a/core-services/release-controller/_releases/priv/release-ocp-4.21.json b/core-services/release-controller/_releases/priv/release-ocp-4.21.json
index 127bb32ad54e9..426730351ea8b 100644
--- a/core-services/release-controller/_releases/priv/release-ocp-4.21.json
+++ b/core-services/release-controller/_releases/priv/release-ocp-4.21.json
@@ -602,12 +602,12 @@
 "name": "periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ovn-single-node-live-iso-priv"
 }
 },
- "pqc-readiness": {
+ "post-quantum-crypto-readiness": {
 "disabled": true,
 "maxRetries": 2,
 "optional": true,
 "prowJob": {
- "name": "periodic-ci-openshift-release-master-nightly-4.21-pqc-readiness-priv"
+ "name": "periodic-ci-openshift-release-master-nightly-4.21-post-quantum-crypto-readiness-priv"
 }
 },
 "qe-perfscale": {
diff --git a/core-services/release-controller/_releases/release-ocp-4.21.json b/core-services/release-controller/_releases/release-ocp-4.21.json
index b7e19f0aea995..35b111c2c4e23 100644
--- a/core-services/release-controller/_releases/release-ocp-4.21.json
+++ b/core-services/release-controller/_releases/release-ocp-4.21.json
@@ -676,11 +676,11 @@
 "name": "periodic-ci-openshift-release-master-nightly-4.21-fips-payload-scan"
 }
 },
- "pqc-readiness": {
+ "post-quantum-crypto-readiness": {
 "optional": true,
 "maxRetries": 2,
 "prowJob": {
- "name": "periodic-ci-openshift-release-master-nightly-4.21-pqc-readiness"
+ "name": "periodic-ci-openshift-release-master-nightly-4.21-post-quantum-crypto-readiness"
 }
 }
 }
From 8e98fbd843b2c5c12c7dd82931bcf160bf90c249 Mon Sep 17 00:00:00 2001
From: richardsonnick
Date: Fri, 30 Jan 2026 18:41:53 +0000
Subject: [PATCH 09/12] Remove post-quantum crypto readiness job and related configurations from nightly 4.21 release files.
---
 ...penshift-release-master__nightly-4.21.yaml | 8 --
 .../openshift-release-master-periodics.yaml | 76 -------------------
 .../_releases/priv/release-ocp-4.21.json | 8 --
 .../_releases/release-ocp-4.21.json | 7 --
 4 files changed, 99 deletions(-)
diff --git a/ci-operator/config/openshift/release/openshift-release-master__nightly-4.21.yaml b/ci-operator/config/openshift/release/openshift-release-master__nightly-4.21.yaml
index da995fdf41d1c..40d27697cdeed 100644
--- a/ci-operator/config/openshift/release/openshift-release-master__nightly-4.21.yaml
+++ b/ci-operator/config/openshift/release/openshift-release-master__nightly-4.21.yaml
@@ -1973,14 +1973,6 @@ tests:
 - ref: fips-check-node-scan
 - ref: fips-check-art-fips
 workflow: ipi-aws
-- as: post-quantum-crypto-readiness
- cron: '@yearly'
- steps:
- cluster_profile: aws-3
- test:
- - ref: tls-scanner-run
- - ref: openshift-e2e-test
- workflow: openshift-e2e-aws-ovn-tls-13
 - as: e2e-external-aws
 cron: '@weekly'
 steps:
diff --git a/ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml b/ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml
index ee9490691ebb8..94b23bd11aa05 100644
--- a/ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml
+++ b/ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml
@@ -177893,82 +177893,6 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator -- agent: kubernetes - cluster: build11 - cron: '@yearly' - decorate: true - decoration_config: - skip_cloning: true - extra_refs: - - base_ref: master - org: openshift - repo: release - labels: - ci-operator.openshift.io/cloud: aws - ci-operator.openshift.io/cloud-cluster-profile: aws-3 - ci-operator.openshift.io/variant: nightly-4.21 - ci.openshift.io/generator: prowgen - ci.openshift.io/no-builds: "true" - job-release: "4.21" - pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: periodic-ci-openshift-release-master-nightly-4.21-post-quantum-crypto-readiness - spec: - containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - --lease-server-credentials-file=/etc/boskos/credentials - - --report-credentials-file=/etc/report/credentials - - --secret-dir=/secrets/ci-pull-credentials - - --target=post-quantum-crypto-readiness - - --variant=nightly-4.21 - command: - - ci-operator - image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest - imagePullPolicy: Always - name: "" - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /etc/boskos - name: boskos - readOnly: true - - mountPath: /secrets/ci-pull-credentials - name: ci-pull-credentials - readOnly: true - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret - readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true - serviceAccountName: ci-operator - volumes: - - name: boskos - secret: - items: - - key: credentials - path: credentials - secretName: boskos-credentials - - name: ci-pull-credentials - secret: - secretName: ci-pull-credentials - - name: manifest-tool-local-pusher - secret: - secretName: 
manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials - - name: result-aggregator - secret: - secretName: result-aggregator - agent: kubernetes cluster: build09 cron: 0 13 * * * diff --git a/core-services/release-controller/_releases/priv/release-ocp-4.21.json b/core-services/release-controller/_releases/priv/release-ocp-4.21.json index 426730351ea8b..36ff697dc595e 100644 --- a/core-services/release-controller/_releases/priv/release-ocp-4.21.json +++ b/core-services/release-controller/_releases/priv/release-ocp-4.21.json @@ -602,14 +602,6 @@ "name": "periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ovn-single-node-live-iso-priv" } }, - "post-quantum-crypto-readiness": { - "disabled": true, - "maxRetries": 2, - "optional": true, - "prowJob": { - "name": "periodic-ci-openshift-release-master-nightly-4.21-post-quantum-crypto-readiness-priv" - } - }, "qe-perfscale": { "disabled": true, "optional": true, diff --git a/core-services/release-controller/_releases/release-ocp-4.21.json b/core-services/release-controller/_releases/release-ocp-4.21.json index 35b111c2c4e23..fa00350044a25 100644 --- a/core-services/release-controller/_releases/release-ocp-4.21.json +++ b/core-services/release-controller/_releases/release-ocp-4.21.json @@ -675,13 +675,6 @@ "prowJob": { "name": "periodic-ci-openshift-release-master-nightly-4.21-fips-payload-scan" } - }, - "post-quantum-crypto-readiness": { - "optional": true, - "maxRetries": 2, - "prowJob": { - "name": "periodic-ci-openshift-release-master-nightly-4.21-post-quantum-crypto-readiness" - } } } } From 01277b76ebdef32981ba858bce5f911c3999a131 Mon Sep 17 00:00:00 2001 From: richardsonnick Date: Fri, 30 Jan 2026 20:51:09 +0000 Subject: [PATCH 10/12] [Attempt] Add xml junit output for spyglass --- .../tls/scanner/run/tls-scanner-run-commands.sh | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh index 23190f61417e7..84f4d63eae5f2 100644 --- a/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh +++ b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh @@ -65,6 +65,7 @@ spec: /usr/local/bin/tls-scanner ${SCANNER_ARGS} \ --json-file /results/results.json \ --csv-file /results/results.csv \ + --junit-file /results/junit_tls_scan.xml \ --log-file /results/scan.log 2>&1 | tee /results/output.log echo "Scan complete. Exit code: \$?" # Keep pod alive for artifact collection @@ -105,6 +106,12 @@ oc logs pod/tls-scanner -n "${NAMESPACE}" || true echo "Copying artifacts (container still alive in sleep phase)..." oc cp "${NAMESPACE}/tls-scanner:/results/." "${SCANNER_ARTIFACT_DIR}/" || echo "Warning: Failed to copy some artifacts" +# Copy JUnit XML to root artifact dir for Spyglass (pattern: artifacts/junit*.xml) +if [[ -f "${SCANNER_ARTIFACT_DIR}/junit_tls_scan.xml" ]]; then + cp "${SCANNER_ARTIFACT_DIR}/junit_tls_scan.xml" "${ARTIFACT_DIR}/junit_tls_scan.xml" + echo "JUnit results copied to ${ARTIFACT_DIR}/junit_tls_scan.xml for Spyglass" +fi + # Wait for pod to complete oc wait --for=jsonpath='{.status.phase}'=Succeeded pod/tls-scanner -n "${NAMESPACE}" --timeout=4h || { echo "Scanner did not complete successfully" From febc31b5abdaec6d5012ea2a0cf93556a6a4d7cb Mon Sep 17 00:00:00 2001 From: richardsonnick Date: Tue, 3 Feb 2026 14:51:08 +0000 Subject: [PATCH 11/12] Reformat workflow name to be less redundant --- .../openshift/tls-scanner/openshift-tls-scanner-main.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml index 8ebe77ca060ea..edfa79cb29631 100644 
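Review bot: In the second hunk the `if [[ -f "${SCANNER_ARTIFACT_DIR}/junit_tls_scan.xml" ]]` guard has no `else`, so when the scanner never wrote the XML, or `oc cp` failed (which only prints a warning), Spyglass gets no TLS results and the log does not say why. The first hunk's context makes this easier to miss: `$?` after `... | tee /results/output.log` reports the status of `tee` unless the container shell enables pipefail, which is not visible here, and the pod then appears to sleep and exit normally. I would add `else echo "Warning: junit_tls_scan.xml not found in ${SCANNER_ARTIFACT_DIR}; TLS scan results were not published" >&2` before the `fi`, and consider `exit 1` in that branch if a missing report should fail the step. The script continues past both hunks, so a later check may already cover this.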
--- a/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml +++ b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml @@ -35,7 +35,7 @@ resources: cpu: 100m memory: 200Mi tests: -- as: scanner-default-tls +- as: default-tls cluster_claim: architecture: amd64 cloud: aws @@ -47,7 +47,7 @@ tests: test: - ref: tls-scanner-run workflow: generic-claim -- as: scanner-tls13-conformance +- as: tls13-conformance steps: cluster_profile: aws-5 test: From a252d974f8683289e182be86cbfe6d11d61d3493 Mon Sep 17 00:00:00 2001 From: richardsonnick Date: Tue, 3 Feb 2026 20:49:21 +0000 Subject: [PATCH 12/12] make jobs --- ...openshift-tls-scanner-main-presubmits.yaml | 58 +++++++++---------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-presubmits.yaml b/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-presubmits.yaml index ee964f143829a..ac200e0e52687 100644 --- a/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-presubmits.yaml +++ b/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-presubmits.yaml 
@@ -6,22 +6,24 @@ presubmits: - ^main$ - ^main- cluster: build01 - context: ci/prow/images + context: ci/prow/default-tls decorate: true decoration_config: skip_cloning: true labels: ci.openshift.io/generator: prowgen pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-openshift-tls-scanner-main-images - rerun_command: /test images + name: pull-ci-openshift-tls-scanner-main-default-tls + rerun_command: /test default-tls spec: containers: - args: - --gcs-upload-secret=/secrets/gcs/service-account.json + - --hive-kubeconfig=/secrets/hive-hive-credentials/kubeconfig - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - --report-credentials-file=/etc/report/credentials - - --target=[images] + - --secret-dir=/secrets/ci-pull-credentials + - --target=default-tls command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest @@ -31,9 +33,15 @@ presubmits: requests: cpu: 10m volumeMounts: + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true - mountPath: /secrets/gcs name: gcs-credentials readOnly: true + - mountPath: /secrets/hive-hive-credentials + name: hive-hive-credentials + readOnly: true - mountPath: /secrets/manifest-tool name: manifest-tool-local-pusher readOnly: true @@ -45,6 +53,12 @@ presubmits: readOnly: true serviceAccountName: ci-operator volumes: + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: hive-hive-credentials + secret: + secretName: hive-hive-credentials - name: manifest-tool-local-pusher secret: secretName: manifest-tool-local-pusher 
@@ -54,31 +68,29 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )images,?($|\s.*) + trigger: (?m)^/test( | .* )default-tls,?($|\s.*) - agent: kubernetes always_run: true branches: - ^main$ - ^main- cluster: build01 - context: ci/prow/scanner-default-tls + context: ci/prow/images decorate: true decoration_config: skip_cloning: true labels: ci.openshift.io/generator: prowgen pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-openshift-tls-scanner-main-scanner-default-tls - rerun_command: /test scanner-default-tls + name: pull-ci-openshift-tls-scanner-main-images + rerun_command: /test images spec: containers: - args: - --gcs-upload-secret=/secrets/gcs/service-account.json - - --hive-kubeconfig=/secrets/hive-hive-credentials/kubeconfig - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - --report-credentials-file=/etc/report/credentials - - --secret-dir=/secrets/ci-pull-credentials - - --target=scanner-default-tls + - --target=[images] command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest @@ -88,15 +100,9 @@ presubmits: requests: cpu: 10m volumeMounts: - - mountPath: /secrets/ci-pull-credentials - name: ci-pull-credentials - readOnly: true - mountPath: /secrets/gcs name: gcs-credentials readOnly: true - - mountPath: /secrets/hive-hive-credentials - name: hive-hive-credentials - readOnly: true - mountPath: /secrets/manifest-tool name: manifest-tool-local-pusher readOnly: true @@ -108,12 +114,6 @@ presubmits: readOnly: true serviceAccountName: ci-operator volumes: - - name: ci-pull-credentials - secret: - secretName: ci-pull-credentials - - name: hive-hive-credentials - secret: - secretName: hive-hive-credentials - name: manifest-tool-local-pusher secret: secretName: manifest-tool-local-pusher 
@@ -123,14 +123,14 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )scanner-default-tls,?($|\s.*) + trigger: (?m)^/test( | .* )images,?($|\s.*) - agent: kubernetes always_run: true branches: - ^main$ - ^main- cluster: build05 - context: ci/prow/scanner-tls13-conformance + context: ci/prow/tls13-conformance decorate: true decoration_config: skip_cloning: true @@ -139,8 +139,8 @@ presubmits: ci-operator.openshift.io/cloud-cluster-profile: aws-5 ci.openshift.io/generator: prowgen pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: pull-ci-openshift-tls-scanner-main-scanner-tls13-conformance - rerun_command: /test scanner-tls13-conformance + name: pull-ci-openshift-tls-scanner-main-tls13-conformance + rerun_command: /test tls13-conformance spec: containers: - args: @@ -149,7 +149,7 @@ presubmits: - --lease-server-credentials-file=/etc/boskos/credentials - --report-credentials-file=/etc/report/credentials - --secret-dir=/secrets/ci-pull-credentials - - --target=scanner-tls13-conformance + - --target=tls13-conformance command: - ci-operator image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest @@ -197,4 +197,4 @@ presubmits: - name: result-aggregator secret: secretName: result-aggregator - trigger: (?m)^/test( | .* )scanner-tls13-conformance,?($|\s.*) + trigger: (?m)^/test( | .* )tls13-conformance,?($|\s.*)