
Adding TLS scanner job for hypershift#80813

Draft
richardsonnick wants to merge 1 commit into openshift:main from richardsonnick:hypershift-tls-scanner-test

Conversation

richardsonnick (Contributor) commented Jun 21, 2026

testtesttest

Summary by CodeRabbit

This PR extends OpenShift CI infrastructure to continuously validate HyperShift “Modern TLS” (TLS 1.3) behavior in AWS by adding a new periodic HyperShift TLS scanner job and the HyperShift-specific TLS/Modern-TLS enablement and scanning steps.

What changed (practically)

  • New periodic CI job: Adds periodic-hypershift-tls (runs every 72h) to ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml, executing the tls-scanner-hypershift-aws workflow for the hypershift-aws cluster profile and reporting job state to #forum-case.
  • New HyperShift Modern TLS step (hypershift-modern-tls):
    • Patches the target HyperShift HostedCluster to set spec.configuration.apiServer.tlsSecurityProfile.type=Modern.
    • Waits for the hosted kube-apiserver to reconcile/roll out (with a short generation-change wait) and verifies the guest TLS behavior by:
      • Polling apiserver/cluster for spec.tlsSecurityProfile.type=Modern, and
      • Falling back to an endpoint probe that enforces TLS 1.3 and fails if TLS 1.2 is negotiated.
  • New HyperShift TLS scanning workflow (tls-scanner-hypershift-aws):
    • Provisions an ephemeral HyperShift AWS hosted cluster with Modern TLS enabled.
    • Runs TLS scanning across both HyperShift control-plane areas (management/shared control plane and guest/hosted cluster), then dumps results and tears down AWS resources.
  • Cluster-aware TLS scanner step plumbing:
    • Enhances tls-scanner-run with:
      • TLS_SCANNER_CLUSTER_LABEL to drive management vs guest targeting and scope artifacts.
      • TLS_PROFILE_TYPE to run compliance checks without relying on APIServer CR mirroring (HyperShift quirk).
    • Refactors the scanner orchestration into a reusable run_tls_scan() and adjusts pod resource handling and artifact/JUnit output collection accordingly.
  • HyperShift scanner step (tls-scanner-hypershift-run):
    • Defaults TLS_PROFILE_TYPE to Modern for HyperShift compliance checks.
    • Runs the scanner for management + guest (single step controlled by TLS_SCANNER_RUN_HYPERSHIFT=true) and emits separate JUnit outputs per label (management vs guest).

Ownership / reviewers

  • hypershift-modern-tls is owned by gangwgr.
  • HyperShift TLS scanner workflow/steps for AWS are owned/reviewed by richardsonnick, rhmdnd, and smith-xyz (as configured in the relevant OWNERS/metadata files).
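The fallback endpoint probe the summary describes (force TLS 1.3, fail if TLS 1.2 is negotiated), as an added example that is not part of this PR or of the step-registry scripts: a Go program that starts a loopback stand-in for the hosted kube-apiserver with a configurable protocol floor and runs the two forced-version handshakes against it. The stand-in server, its self-signed certificate and the names ProbeModern, CheckStandIn and ProbeResult are assumptions for the example; the real step uses openssl s_client against the hosted API endpoint and has no such server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ProbeResult records what the two forced-version handshakes against one endpoint showed.
type ProbeResult struct{ TLS12Accepted, TLS13Accepted bool } // TLS12Accepted true means Modern is violated

// Compliant is the Modern-profile verdict: TLS 1.3 must work and TLS 1.2 must be refused.
func (r ProbeResult) Compliant() bool { return r.TLS13Accepted && !r.TLS12Accepted }

// handshake dials addr with MinVersion and MaxVersion pinned to one version, so the server
// can only accept or refuse exactly that version (like openssl s_client -tls1_2 / -tls1_3).
func handshake(addr string, roots *x509.CertPool, version uint16) (uint16, error) {
	cfg := &tls.Config{RootCAs: roots, MinVersion: version, MaxVersion: version}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return 0, err // a protocol_version alert from the server surfaces here
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

// ProbeModern runs the TLS 1.2 probe (must fail) and the TLS 1.3 probe (must succeed); a refused handshake is a finding, not an error.
func ProbeModern(addr string, roots *x509.CertPool) ProbeResult {
	v12, err12 := handshake(addr, roots, tls.VersionTLS12)
	v13, err13 := handshake(addr, roots, tls.VersionTLS13)
	return ProbeResult{
		TLS12Accepted: err12 == nil && v12 == tls.VersionTLS12,
		TLS13Accepted: err13 == nil && v13 == tls.VersionTLS13,
	}
}

// startStandIn listens on loopback with minVersion as the protocol floor, standing in for the hosted
// kube-apiserver: a throwaway self-signed cert (constructed test material), handshake, then hang up.
func startStandIn(minVersion uint16) (net.Listener, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "stand-in-kube-apiserver"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // just minted above, cannot fail to parse
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the probe trusts only this cert, so no system roots are involved
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minVersion})
	if err != nil {
		return nil, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	return ln, pool, nil
}

// CheckStandIn starts a stand-in with the given floor and probes it the way the fallback check probes the real endpoint.
func CheckStandIn(minVersion uint16) (ProbeResult, error) {
	ln, roots, err := startStandIn(minVersion)
	if err != nil {
		return ProbeResult{}, err
	}
	defer ln.Close()
	return ProbeModern(ln.Addr().String(), roots), nil
}

func main() {
	for _, floor := range []uint16{tls.VersionTLS13, tls.VersionTLS12} {
		r, err := CheckStandIn(floor)
		fmt.Printf("floor=%#06x %+v compliant=%v err=%v\n", floor, r, r.Compliant(), err)
	}
}
```

Running it prints one line per floor: with the floor at TLS 1.3 the TLS 1.2 probe is refused and the verdict is compliant; with the floor at TLS 1.2 both probes complete and the verdict is not compliant, which is the condition the step treats as a failure. Pinning both MinVersion and MaxVersion is the important detail: a probe that only sets a maximum would silently negotiate whatever lower version the server still offers.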

openshift-ci bot added the do-not-merge/work-in-progress label (indicates that a PR should not merge because it is a work in progress) on Jun 21, 2026
openshift-ci bot commented Jun 21, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

richardsonnick (Contributor, Author):

/pj-rehearse periodic-ci-openshift-tls-scanner-main-periodic-hypershift-tls

openshift-merge-bot:

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

coderabbitai bot commented Jun 21, 2026

Walkthrough

Adds a periodic CI job (periodic-hypershift-tls, 72h interval) that provisions an ephemeral HyperShift AWS cluster, applies Modern TLS (TLS 1.3) to the HostedCluster, and runs TLS scanning against both management and guest clusters. Refactors the existing TLS scanner run script into a reusable run_tls_scan() function and introduces new step-registry entries for Modern TLS configuration and HyperShift-specific scanning.

Changes

HyperShift TLS Scanning Pipeline

Layer / File(s) Summary
TLS Scanner Refactored for Cluster-Aware Scanning
ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh, ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
Wraps all scanner pod logic into run_tls_scan() with TLS_SCANNER_CLUSTER_LABEL-based KUBECONFIG/namespace switching, per-cluster artifact directory scoping, guest resource overrides, JUnit filename suffixing, and exit-code propagation from the tee pipeline. Adds TLS_SCANNER_CLUSTER_LABEL and TLS_PROFILE_TYPE env vars to the step ref for HyperShift dual-cluster scanning.
Modern TLS HyperShift Step Patches and Verifies
ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-commands.sh, ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.yaml, ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.metadata.json, ci-operator/step-registry/hypershift/modern-tls/OWNERS
New step that patches the HostedCluster tlsSecurityProfile.type to Modern, waits for kube-apiserver generation change on the management cluster, switches to the guest kubeconfig, polls apiserver/cluster for TLS 1.3 confirmation, and falls back to openssl s_client negotiation probes when the field is not mirrored.
HyperShift Scanner Step Definition and Configuration
ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.yaml, ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-commands.sh, ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.metadata.json, ci-operator/step-registry/tls/scanner/hypershift-run/OWNERS
New step definition that symlinks commands to the refactored tls-scanner-run-commands.sh, declares env vars for management/guest scan control, PQC checks, per-cluster resource sizing, and TLS profile selection (defaulting to Modern). Sets 8h timeout with 5m grace period and documents management vs guest JUnit output separation.
HyperShift TLS Scanning Workflow and Periodic Job
ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.yaml, ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.metadata.json, ci-operator/step-registry/tls/scanner/hypershift-aws/OWNERS, ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
New workflow orchestrates pre-stage HyperShift provisioning and Modern TLS configuration, test-stage scanner runs (management and guest), and post-stage result collection and AWS cleanup. Main config adds the hypershift-operator base image and registers periodic-hypershift-tls at 72h interval targeting the hypershift-aws cluster profile, reporting to #forum-case.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

rehearsals-ack

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title accurately describes the primary change—adding a TLS scanner job for HyperShift, which is supported by new workflow, step registry, and configuration files throughout the changeset.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR contains no Go test files or Ginkgo test definitions. Changes are CI configuration (YAML), shell scripts, JSON metadata, and OWNERS files only. Check not applicable.
Test Structure And Quality ✅ Passed PR contains no Ginkgo test code—only CI configuration YAML, shell scripts, and metadata files. Check is inapplicable.
Microshift Test Compatibility ✅ Passed This PR adds CI/CD configuration, metadata, and shell scripts for TLS scanner jobs—no Ginkgo e2e tests are introduced, so the MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR adds CI operator configuration, step registry definitions, and supporting shell scripts for a TLS scanner job targeting HyperShift clusters. No Ginkgo e2e tests (It(), Describe(), Context()...
Topology-Aware Scheduling Compatibility ✅ Passed This PR only adds CI/CD configuration (step registries and workflows), shell scripts, and OWNERS files. It does not introduce deployment manifests, operator code, or controllers with topology-unawa...
Ote Binary Stdout Contract ✅ Passed PR contains only CI configuration YAML, shell scripts, and metadata files—no Go test code subject to OTE Binary Stdout Contract check.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR adds CI/Operator configuration files and shell scripts, not Ginkgo e2e tests. The custom check for Ginkgo test IPv6/disconnected network compatibility is not applicable.
No-Weak-Crypto ✅ Passed No weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) or custom crypto implementations found. PR adds CI test infrastructure for TLS scanning, not cryptographic code.
Container-Privileges ✅ Passed Privileged settings (hostNetwork, hostPID, privileged container, runAsUser: 0) are used conditionally and justified: required for host-mode TLS scanning. For HCP scans, restricted security context...
No-Sensitive-Data-In-Logs ✅ Passed No sensitive data exposure found. Logging includes only TLS configuration values, file paths, container image references, and API hostnames—no credentials, tokens, or secrets are logged.


openshift-ci bot commented Jun 21, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: richardsonnick
Once this PR has been reviewed and has the lgtm label, please assign bryan-cox for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai bot left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh`:
- Line 7: Remove the unconditional `unset SCAN_NAMESPACE` command on line 7 to
preserve any caller-provided namespace configuration. The current implementation
discards user-configured namespace scoping which changes the scan behavior to
encompass all namespaces. Apply the same fix to the similar occurrences around
lines 42-47 where the same pattern of unsetting SCAN_NAMESPACE appears. Only
unset the variable if it was not explicitly provided by the caller, or remove
the unset commands entirely to respect the caller's configuration.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6f6be6d9-58b7-4845-9c3b-b38d294369b9

📥 Commits

Reviewing files that changed from the base of the PR and between ded2dc7 and ada4144.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-periodics.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (14)
  • ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
  • ci-operator/step-registry/hypershift/modern-tls/OWNERS
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-commands.sh
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.metadata.json
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.yaml
  • ci-operator/step-registry/tls/scanner/hypershift-aws/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.metadata.json
  • ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.yaml
  • ci-operator/step-registry/tls/scanner/hypershift-run/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-commands.sh
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.metadata.json
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.yaml
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml

Comment thread on ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh (outdated)
richardsonnick force-pushed the hypershift-tls-scanner-test branch from ada4144 to dc0c1be on June 21, 2026 16:16
richardsonnick (Contributor, Author):

/pj-rehearse periodic-ci-openshift-tls-scanner-main-periodic-hypershift-tls

openshift-merge-bot:

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

coderabbitai bot left a review comment

🧹 Nitpick comments (1)
ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh (1)

126-132: 💤 Low value

Unused variable PRIVILEGED_CONTAINER.

The variable is assigned at line 129 but never referenced in the pod spec. The securityContext is set entirely via SECURITY_CONTEXT_YAML which already includes privileged: true inline at line 130.

♻️ Remove unused variable
   else
       HOST_NETWORK="true"
       HOST_PID="true"
-      PRIVILEGED_CONTAINER="true"
       SECURITY_CONTEXT_YAML="      privileged: true
       runAsUser: 0"
   fi
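Review bot: dropping PRIVILEGED_CONTAINER is behaviourally a no-op, but the remaining context lines of this else branch, `HOST_PID="true"`, `SECURITY_CONTEXT_YAML="      privileged: true` and `runAsUser: 0"`, are what render a root, privileged, host-network and host-PID scanner pod. Now that run_tls_scan() is also driven against the guest (hosted) cluster through TLS_SCANNER_CLUSTER_LABEL, and the Container-Privileges check above states that HCP scans use a restricted security context, this branch should refuse to run when the label selects the guest cluster (or at least log which mode it picked), so that a mis-set variable cannot land a privileged pod on the hosted cluster.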
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh` around
lines 126 - 132, Remove the unused assignment of the PRIVILEGED_CONTAINER
variable in the else block. This variable is assigned at line 129 but is never
referenced anywhere in the pod spec, and the privileged mode functionality is
already provided by the SECURITY_CONTEXT_YAML variable which contains
privileged: true. Keep the other variable assignments for HOST_NETWORK,
HOST_PID, and SECURITY_CONTEXT_YAML as they are still needed.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh`:
- Around line 126-132: Remove the unused assignment of the PRIVILEGED_CONTAINER
variable in the else block. This variable is assigned at line 129 but is never
referenced anywhere in the pod spec, and the privileged mode functionality is
already provided by the SECURITY_CONTEXT_YAML variable which contains
privileged: true. Keep the other variable assignments for HOST_NETWORK,
HOST_PID, and SECURITY_CONTEXT_YAML as they are still needed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e342ea11-4a72-4805-97ea-14e6401b528b

📥 Commits

Reviewing files that changed from the base of the PR and between ada4144 and dc0c1be.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-periodics.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (14)
  • ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
  • ci-operator/step-registry/hypershift/modern-tls/OWNERS
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-commands.sh
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.metadata.json
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.yaml
  • ci-operator/step-registry/tls/scanner/hypershift-aws/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.metadata.json
  • ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.yaml
  • ci-operator/step-registry/tls/scanner/hypershift-run/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-commands.sh
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.metadata.json
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.yaml
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
✅ Files skipped from review due to trivial changes (4)
  • ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.metadata.json
  • ci-operator/step-registry/tls/scanner/hypershift-aws/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.metadata.json
  • ci-operator/step-registry/hypershift/modern-tls/OWNERS
🚧 Files skipped from review as they are similar to previous changes (9)
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-commands.sh
  • ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.yaml
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.metadata.json
  • ci-operator/step-registry/tls/scanner/hypershift-run/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.yaml
  • ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.yaml
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-commands.sh

richardsonnick force-pushed the hypershift-tls-scanner-test branch from dc0c1be to 51b6e5b on June 21, 2026 17:56
richardsonnick (Contributor, Author):

/pj-rehearse periodic-ci-openshift-tls-scanner-main-periodic-hypershift-tls

openshift-merge-bot:

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

coderabbitai bot left a review comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh (1)

129-129: 💤 Low value

Remove unused PRIVILEGED_CONTAINER variable.

This variable is assigned but never referenced. The pod's security configuration is fully handled by SECURITY_CONTEXT_YAML. The privileged: true setting is embedded directly in that YAML string at line 130, making this variable dead code.

Suggested fix
   else
       HOST_NETWORK="true"
       HOST_PID="true"
-      PRIVILEGED_CONTAINER="true"
       SECURITY_CONTEXT_YAML="      privileged: true
       runAsUser: 0"
   fi
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh` at
line 129, Remove the unused PRIVILEGED_CONTAINER variable assignment. The
variable is assigned a value but never referenced anywhere in the script, and
its functionality is already covered by the SECURITY_CONTEXT_YAML variable which
contains the privileged: true setting. Delete the line containing
PRIVILEGED_CONTAINER="true" to clean up the dead code.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.yaml`:
- Around line 7-11: There is a mismatch between the default value declared for
the TLS_SCANNER_RUN_HYPERSHIFT parameter in the ref file and the default being
used in the commands script. The TLS_SCANNER_RUN_HYPERSHIFT parameter is
declared with default: "true" in the ref file, but the
tls-scanner-hypershift-run-commands.sh script uses
${TLS_SCANNER_RUN_HYPERSHIFT:-false} which defaults to "false" when the variable
is not set. To fix this, either change the ref file's default value from "true"
to "false" to match the script's actual default, or update the script's
parameter expansion from :-false to :-true to align with the ref file
declaration. Choose whichever approach aligns with the intended behavior for
dual-cluster scanning.

---

Nitpick comments:
In `@ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh`:
- Line 129: Remove the unused PRIVILEGED_CONTAINER variable assignment. The
variable is assigned a value but never referenced anywhere in the script, and
its functionality is already covered by the SECURITY_CONTEXT_YAML variable which
contains the privileged: true setting. Delete the line containing
PRIVILEGED_CONTAINER="true" to clean up the dead code.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 523fb901-f975-486f-bd7c-2b3b2d96e146

📥 Commits

Reviewing files that changed from the base of the PR and between dc0c1be and 51b6e5b.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-periodics.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (14)
  • ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
  • ci-operator/step-registry/hypershift/modern-tls/OWNERS
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-commands.sh
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.metadata.json
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.yaml
  • ci-operator/step-registry/tls/scanner/hypershift-aws/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.metadata.json
  • ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.yaml
  • ci-operator/step-registry/tls/scanner/hypershift-run/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-commands.sh
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.metadata.json
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.yaml
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
✅ Files skipped from review due to trivial changes (7)
  • ci-operator/step-registry/hypershift/modern-tls/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.metadata.json
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.metadata.json
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.metadata.json
  • ci-operator/step-registry/tls/scanner/hypershift-aws/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-run/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-commands.sh
🚧 Files skipped from review as they are similar to previous changes (5)
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
  • ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.yaml
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.yaml
  • ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-commands.sh

richardsonnick (Contributor, Author):

At a glance it looks like the compliance check is working. I'll check this again from my desktop (working from my phone).

richardsonnick force-pushed the hypershift-tls-scanner-test branch from 51b6e5b to ccf01a8 on June 22, 2026 14:22
richardsonnick (Contributor, Author):

/pj-rehearse periodic-ci-openshift-tls-scanner-main-periodic-hypershift-tls

richardsonnick (Contributor, Author):

This run should fix the Spyglass JUnit output and the early exit before the guest cluster scan.

openshift-merge-bot:

[REHEARSALNOTIFIER]
@richardsonnick: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-cluster-version-operator-main-tls-scanner-default-profile openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-cluster-version-operator-main-tls-scanner-modern-profile openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-cluster-version-operator-release-5.1-tls-scanner-default-profile openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-cluster-version-operator-release-5.1-tls-scanner-modern-profile openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-cluster-version-operator-release-5.0-tls-scanner-default-profile openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-cluster-version-operator-release-5.0-tls-scanner-modern-profile openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-cluster-version-operator-release-4.23-tls-scanner-default-profile openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-cluster-version-operator-release-4.23-tls-scanner-modern-profile openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-cluster-version-operator-release-4.22-tls-scanner openshift/cluster-version-operator presubmit Registry content changed
pull-ci-openshift-oadp-operator-oadp-1.6-4.22-tls-pqc-readiness openshift/oadp-operator presubmit Registry content changed
pull-ci-openshift-oadp-operator-oadp-1.6-4.22-tls13-adherence openshift/oadp-operator presubmit Registry content changed
pull-ci-openshift-oadp-operator-oadp-1.6-4.23-tls-pqc-readiness openshift/oadp-operator presubmit Registry content changed
pull-ci-openshift-oadp-operator-oadp-1.6-4.23-tls13-adherence openshift/oadp-operator presubmit Registry content changed
pull-ci-openshift-oadp-operator-oadp-dev-4.22-tls-pqc-readiness openshift/oadp-operator presubmit Registry content changed
pull-ci-openshift-oadp-operator-oadp-dev-4.22-tls13-adherence openshift/oadp-operator presubmit Registry content changed
pull-ci-openshift-cincinnati-master-olm-e2e-tls-scan openshift/cincinnati presubmit Registry content changed
pull-ci-openshift-windows-machine-config-operator-master-tls-scanner openshift/windows-machine-config-operator presubmit Registry content changed
pull-ci-openshift-windows-machine-config-operator-release-5.1-tls-scanner openshift/windows-machine-config-operator presubmit Registry content changed
pull-ci-openshift-windows-machine-config-operator-release-5.0-tls-scanner openshift/windows-machine-config-operator presubmit Registry content changed
pull-ci-openshift-windows-machine-config-operator-release-4.23-tls-scanner openshift/windows-machine-config-operator presubmit Registry content changed
pull-ci-openshift-cincinnati-operator-master-install-bundle-tls-scan openshift/cincinnati-operator presubmit Registry content changed
pull-ci-openshift-insights-operator-master-tls-scanner openshift/insights-operator presubmit Registry content changed
pull-ci-openshift-insights-operator-release-5.1-tls-scanner openshift/insights-operator presubmit Registry content changed
pull-ci-openshift-insights-operator-release-5.0-tls-scanner openshift/insights-operator presubmit Registry content changed
pull-ci-openshift-insights-operator-release-4.23-tls-scanner openshift/insights-operator presubmit Registry content changed

A total of 62 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

openshift-merge-bot:

@richardsonnick: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

coderabbitai bot left a review comment

🧹 Nitpick comments (1)
ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh (1)

126-132: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Remove unused PRIVILEGED_CONTAINER variable.

PRIVILEGED_CONTAINER is set but never referenced—the privileged flag is already embedded in SECURITY_CONTEXT_YAML. Shellcheck SC2034 correctly flags this as unused.

Suggested fix
   else
       HOST_NETWORK="true"
       HOST_PID="true"
-      PRIVILEGED_CONTAINER="true"
       SECURITY_CONTEXT_YAML="      privileged: true
       runAsUser: 0"
   fi
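Review bot: dropping PRIVILEGED_CONTAINER is only safe if nothing downstream of this block (a template that consumes SECURITY_CONTEXT_YAML, or a later conditional) tests it; grep the script and any manifest it renders before removing the assignment. The more important point in this branch is what it grants: HOST_NETWORK="true", HOST_PID="true", privileged: true and runAsUser: 0 together, which is effectively node-level access for the scanner pod. A one-line comment above the branch stating why each of those is required (presumably reaching node-local listeners that are not reachable over the pod network) would let reviewers confirm the set is minimal instead of inferring it from the YAML fragment.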
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh` around
lines 126 - 132, The `PRIVILEGED_CONTAINER` variable is being set but never used
anywhere in the script—the privileged container configuration is already
included in the `SECURITY_CONTEXT_YAML` variable. Remove the line that assigns
`PRIVILEGED_CONTAINER="true"` from the else block to eliminate the unused
variable warning flagged by Shellcheck SC2034. The privileged flag embedded in
`SECURITY_CONTEXT_YAML` provides all the necessary security context
configuration.

Source: Linters/SAST tools

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1331676f-b268-4635-89d4-8f70bb0c131c

📥 Commits

Reviewing files that changed from the base of the PR and between 51b6e5b and ccf01a8.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-periodics.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (14)
  • ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
  • ci-operator/step-registry/hypershift/modern-tls/OWNERS
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-commands.sh
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.metadata.json
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.yaml
  • ci-operator/step-registry/tls/scanner/hypershift-aws/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.metadata.json
  • ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.yaml
  • ci-operator/step-registry/tls/scanner/hypershift-run/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-commands.sh
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.metadata.json
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.yaml
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
✅ Files skipped from review due to trivial changes (7)
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-commands.sh
  • ci-operator/step-registry/tls/scanner/hypershift-aws/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-run/OWNERS
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.metadata.json
  • ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.metadata.json
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.metadata.json
  • ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
🚧 Files skipped from review as they are similar to previous changes (6)
  • ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.yaml
  • ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.yaml
  • ci-operator/step-registry/hypershift/modern-tls/OWNERS
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-commands.sh
  • ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
  • ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.yaml

@openshift-ci

openshift-ci Bot commented Jun 22, 2026

@richardsonnick: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.
