CNTRLPLANE-3428: Adding TLS profile observed test cases

[gangwgr]

Summary

• Add tls-observed-config presubmit and periodic jobs to tls-scanner for main and release-4.22
• Add hypershift base images required by hypershift-aws-conformance workflow

Test plan

• Verify make update generates correct Prow job configs
• Confirm tls-observed-config jobs trigger correctly on PR and periodic schedules

This PR updates the OpenShift CI configuration (ci-operator configs under openshift/origin) to add TLS-profile "observed" test entries and required Hypershift base images used by the Hypershift AWS conformance workflow.

What changed, in practical terms

• Affects the openshift/release ci-operator config for the openshift/origin repository (main branch; PR also targets release-4.22 in intent).
• Adds two optional one-off test definitions that will be used to generate Prow jobs:
  • tls-observed-config — runs with cluster_profile: openshift-org-aws, workflow: openshift-e2e-test (ipi-aws variant), TEST_SUITE=openshift/tls-observed-config, and COMPUTE_NODE_TYPE: m5.4xlarge.
  • tls-observed-config-hypershift — runs with cluster_profile: hypershift-aws, workflow: hypershift-aws-conformance, TEST_SUITE=openshift/tls-observed-config.
• Adds Hypershift-related base_images (e.g., hypershift-operator) so the hypershift-aws-conformance workflow can reference required images.

Notes on periodic/presubmit jobs

• The intent is to expose presubmit (on-PR) and periodic schedules for these suites so they can run on-demand and on a recurring cadence. The ci-operator entries for the tests are present in this change; generating the actual Prow presubmit/periodic job definitions requires running make update to regenerate job configs. The diff inspected does not include generated Prow job YAMLs (periodic 72h job entries were not present in the shown ci-operator fragment).

Impact

• Enables CI coverage for TLS observed-configuration validation against both IPI AWS and Hypershift environments once prow jobs are generated.
• After landing, maintainers should run make update to regenerate Prow job definitions so the presubmit/periodic jobs appear in Prow.

Files/areas affected (practical)

• ci-operator/config/openshift/origin/openshift-origin-main.yaml — added tests and base_images entries used to produce Prow jobs and images for Hypershift workflows.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds two optional one-off CI jobs to run the openshift/tls-observed-config test suite: one on openshift-org-aws (sets COMPUTE_NODE_TYPE: m5.4xlarge, uses ipi-aws) and one on hypershift-aws (uses hypershift-aws-conformance).

Changes

TLS observed-config CI jobs

Layer / File(s)	Summary
One-off: openshift-org-aws ci-operator/config/openshift/origin/openshift-origin-main.yaml	Adds tls-observed-config one-off job on openshift-org-aws with COMPUTE_NODE_TYPE: m5.4xlarge, TEST_SUITE: openshift/tls-observed-config, running openshift-e2e-test via ipi-aws.
One-off: hypershift-aws ci-operator/config/openshift/origin/openshift-origin-main.yaml	Adds tls-observed-config-hypershift one-off job on hypershift-aws with TEST_SUITE: openshift/tls-observed-config, running openshift-e2e-test via hypershift-aws-conformance.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

rehearsals-ack

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies CI configuration YAML files, not Ginkgo test code. Test job names are static and descriptive with no dynamic information.
Test Structure And Quality	✅ Passed	PR modifies CI configuration files (YAML) in the openshift/release repository to add test job definitions. No Ginkgo test code is present in the changes. The check is not applicable to this PR.
Microshift Test Compatibility	✅ Passed	PR modifies only CI config files, not test source code. The MicroShift check applies to Ginkgo test code additions, not CI configuration changes.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only modifies CI configuration (YAML) files in the openshift/release repository. The custom check applies to new Ginkgo e2e test code, which this PR does not contain.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only CI test job configuration to openshift-origin-main.yaml. No deployment manifests, operator code, or controllers are modified. Check is not applicable to CI configuration files.
Ote Binary Stdout Contract	✅ Passed	PR contains only YAML CI configuration changes. OTE Binary Stdout Contract check applies to Go test binary code. Not applicable here.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only adds CI configuration entries to reference an existing test suite in openshift/origin. No new Ginkgo e2e test code is added. Check applies only to new Ginkgo tests, so not applicable.
Title check	✅ Passed	The title accurately describes the main change: adding TLS profile observed test cases to the CI configuration. It directly correlates with the changeset which adds two new test entries (tls-observed-config and tls-observed-config-hypershift) for TLS testing.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml`:
- Around line 159-175: Add a reporter_config block to the new periodic jobs
periodic-tls-observed-config and periodic-tls-observed-config-hypershift so they
match the other periodic jobs' notification behavior; copy the same
reporter_config used by the existing periodic jobs (the Slack notification to
`#forum-case` with notify_on: ["failure"] and notify: ["slack"]) and insert it
under each job's top-level keys (alongside interval/steps/workflow) to ensure
failures are reported to the team.

In
`@ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-release-4.22.yaml`:
- Around line 128-144: The two new periodic jobs periodic-tls-observed-config
and periodic-tls-observed-config-hypershift are missing reporter_config
sections; add a reporter_config block to each job (matching the pattern used by
periodic-default-tls and the main branch) that configures Slack notifications to
`#forum-case` (include channel, send and template keys as used elsewhere) so both
jobs report consistently; update the reporter_config under the job definitions
for periodic-tls-observed-config and periodic-tls-observed-config-hypershift.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8d34c314-713c-479f-98d5-a8969c5306b1

📥 Commits

Reviewing files that changed from the base of the PR and between d7d9cc1 and b725512.

⛔ Files ignored due to path filters (3)

• ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-presubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-release-4.22-periodics.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-release-4.22-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (2)

• ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
• ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-release-4.22.yaml

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Missing reporter_config for new periodic jobs.

The new periodic jobs periodic-tls-observed-config and periodic-tls-observed-config-hypershift lack reporter_config sections, while all other periodic jobs in this file (lines 79-139) include Slack notifications to #forum-case. This inconsistency means failures in these new periodic jobs won't be reported to the team.

📢 Proposed fix to add reporter_config

 - as: periodic-tls-observed-config
   interval: 72h
+  reporter_config:
+    channel: '`#forum-case`'
+    job_states_to_report:
+    - success
+    - failure
+    - error
+    report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job *{{.Spec.Job}}*
+      ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> {{else}} :warning:
+      Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs>
+      {{end}}'
   steps:

Apply the same for periodic-tls-observed-config-hypershift at line 169.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- as: periodic-tls-observed-config
	interval: 72h
	steps:
	cluster_profile: openshift-org-aws
	env:
	COMPUTE_NODE_TYPE: m5.4xlarge
	TEST_SUITE: openshift/tls-observed-config-ocp
	test:
	- ref: openshift-e2e-test
	workflow: ipi-aws
	- as: periodic-tls-observed-config-hypershift
	interval: 72h
	steps:
	cluster_profile: hypershift-aws
	env:
	TEST_SUITE: openshift/tls-observed-config-hypershift
	workflow: hypershift-aws-conformance
	- as: periodic-tls-observed-config
	interval: 72h
	reporter_config:
	channel: '`#forum-case`'
	job_states_to_report:
	- success
	- failure
	- error
	report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job *{{.Spec.Job}}*
	ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> {{else}} :warning:
	Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs>
	{{end}}'
	steps:
	cluster_profile: openshift-org-aws
	env:
	COMPUTE_NODE_TYPE: m5.4xlarge
	TEST_SUITE: openshift/tls-observed-config-ocp
	test:
	- ref: openshift-e2e-test
	workflow: ipi-aws
	- as: periodic-tls-observed-config-hypershift
	interval: 72h
	reporter_config:
	channel: '`#forum-case`'
	job_states_to_report:
	- success
	- failure
	- error
	report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job *{{.Spec.Job}}*
	ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> {{else}} :warning:
	Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs>
	{{end}}'
	steps:
	cluster_profile: hypershift-aws
	env:
	TEST_SUITE: openshift/tls-observed-config-hypershift
	workflow: hypershift-aws-conformance

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml`
around lines 159 - 175, Add a reporter_config block to the new periodic jobs
periodic-tls-observed-config and periodic-tls-observed-config-hypershift so they
match the other periodic jobs' notification behavior; copy the same
reporter_config used by the existing periodic jobs (the Slack notification to
`#forum-case` with notify_on: ["failure"] and notify: ["slack"]) and insert it
under each job's top-level keys (alongside interval/steps/workflow) to ensure
failures are reported to the team.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Missing reporter_config for new periodic jobs.

The new periodic jobs periodic-tls-observed-config and periodic-tls-observed-config-hypershift lack reporter_config sections. Note that this file already has inconsistent reporting: periodic-default-tls (line 99) includes Slack notifications, while periodic-tls13-conformance (line 118) does not. For consistency with periodic-default-tls and the main branch configuration (where all periodic jobs report to #forum-case), consider adding reporter_config to these new jobs.

📢 Proposed fix to add reporter_config

 - as: periodic-tls-observed-config
   interval: 72h
+  reporter_config:
+    channel: '`#forum-case`'
+    job_states_to_report:
+    - success
+    - failure
+    - error
+    report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job *{{.Spec.Job}}*
+      ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> {{else}} :warning:
+      Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs>
+      {{end}}'
   steps:

Apply the same for periodic-tls-observed-config-hypershift at line 138.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-release-4.22.yaml`
around lines 128 - 144, The two new periodic jobs periodic-tls-observed-config
and periodic-tls-observed-config-hypershift are missing reporter_config
sections; add a reporter_config block to each job (matching the pattern used by
periodic-default-tls and the main branch) that configures Slack notifications to
`#forum-case` (include channel, send and template keys as used elsewhere) so both
jobs report consistently; update the reporter_config under the job definitions
for periodic-tls-observed-config and periodic-tls-observed-config-hypershift.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

ci-operator/config/openshift/origin/openshift-origin-main.yaml (2)

858-865: Consider enabling observers for consistency.

Many similar e2e test configurations in this file enable the observers-resource-watch observer (e.g., lines 103-105, 128-130, 252-254). Consider adding observers to this test for consistency and enhanced monitoring capabilities.

Optional enhancement

   steps:
     cluster_profile: openshift-org-aws
     env:
       COMPUTE_NODE_TYPE: m5.4xlarge
       TEST_SUITE: openshift/tls-observed-config
+    observers:
+      enable:
+      - observers-resource-watch
     test:
     - ref: openshift-e2e-test
     workflow: ipi-aws

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/config/openshift/origin/openshift-origin-main.yaml` around lines
858 - 865, Add the observers-resource-watch observer to the test step for the
TEST_SUITE "openshift/tls-observed-config" so it matches other e2e configs:
update the steps/test block that references "openshift-e2e-test" to include an
observers list (or observers-resource-watch entry) alongside existing
env/cluster_profile settings to enable the observer for this workflow (ipi-aws)
and ensure consistent monitoring behavior.

---

868-872: Consider enabling observers for consistency.

Similar to the standard AWS test, consider adding the observers-resource-watch observer to this HyperShift test configuration for consistency with other e2e tests in this file.

Optional enhancement

   steps:
     cluster_profile: hypershift-aws
     env:
       TEST_SUITE: openshift/tls-observed-config
+    observers:
+      enable:
+      - observers-resource-watch
     workflow: hypershift-aws-conformance

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/config/openshift/origin/openshift-origin-main.yaml` around lines
868 - 872, Add the observers-resource-watch observer to this HyperShift test job
so it matches other e2e tests: update the job definition that contains
steps/cluster_profile: hypershift-aws, env/TEST_SUITE:
openshift/tls-observed-config, and workflow: hypershift-aws-conformance to
include the observers-resource-watch observer entry (same placement as other AWS
jobs in this file) so the test runs with resource-watch observers enabled for
consistency.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/config/openshift/origin/openshift-origin-main.yaml`:
- Around line 866-872: Add the explicit always_run: false field to the periodic
job definition for the job identified by as:
periodic-tls-observed-config-hypershift; locate the block that sets interval:
72h, steps: { cluster_profile: hypershift-aws, env: TEST_SUITE:
openshift/tls-observed-config, workflow: hypershift-aws-conformance } and insert
always_run: false alongside those fields to match other entries and make the
job's execution behavior explicit.
- Around line 856-865: The periodic job definition for
"periodic-tls-observed-config" is missing an explicit always_run setting; add
always_run: false under the job's steps (alongside cluster_profile, env,
TEST_SUITE, and test) so the job block for periodic-tls-observed-config
explicitly includes always_run: false for consistency with other entries and to
avoid ambiguous behavior.

---

Nitpick comments:
In `@ci-operator/config/openshift/origin/openshift-origin-main.yaml`:
- Around line 858-865: Add the observers-resource-watch observer to the test
step for the TEST_SUITE "openshift/tls-observed-config" so it matches other e2e
configs: update the steps/test block that references "openshift-e2e-test" to
include an observers list (or observers-resource-watch entry) alongside existing
env/cluster_profile settings to enable the observer for this workflow (ipi-aws)
and ensure consistent monitoring behavior.
- Around line 868-872: Add the observers-resource-watch observer to this
HyperShift test job so it matches other e2e tests: update the job definition
that contains steps/cluster_profile: hypershift-aws, env/TEST_SUITE:
openshift/tls-observed-config, and workflow: hypershift-aws-conformance to
include the observers-resource-watch observer entry (same placement as other AWS
jobs in this file) so the test runs with resource-watch observers enabled for
consistency.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 571513e2-30c9-4347-af8f-51c5729dac78

📥 Commits

Reviewing files that changed from the base of the PR and between b725512 and 56425d2.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift/origin/openshift-origin-main-periodics.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (2)

• ci-operator/config/openshift/origin/openshift-origin-main.yaml
• core-services/prow/02_config/openshift-virtualization/virt-platform-autopilot/_pluginconfig.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add always_run: false for consistency and clarity.

All other test entries in this file explicitly set always_run: false. While periodic tests with an interval may not run on PRs by default, it's better to be explicit to avoid unintended behavior and maintain consistency with the rest of the configuration.

Proposed fix

 - as: periodic-tls-observed-config
+  always_run: false
   interval: 72h
   steps:

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- as: periodic-tls-observed-config
	interval: 72h
	steps:
	cluster_profile: openshift-org-aws
	env:
	COMPUTE_NODE_TYPE: m5.4xlarge
	TEST_SUITE: openshift/tls-observed-config
	test:
	- ref: openshift-e2e-test
	workflow: ipi-aws
	- as: periodic-tls-observed-config
	always_run: false
	interval: 72h
	steps:
	cluster_profile: openshift-org-aws
	env:
	COMPUTE_NODE_TYPE: m5.4xlarge
	TEST_SUITE: openshift/tls-observed-config
	test:
	- ref: openshift-e2e-test
	workflow: ipi-aws

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/config/openshift/origin/openshift-origin-main.yaml` around lines
856 - 865, The periodic job definition for "periodic-tls-observed-config" is
missing an explicit always_run setting; add always_run: false under the job's
steps (alongside cluster_profile, env, TEST_SUITE, and test) so the job block
for periodic-tls-observed-config explicitly includes always_run: false for
consistency with other entries and to avoid ambiguous behavior.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add always_run: false for consistency and clarity.

Same issue as the previous test entry: all other test entries in this file explicitly set always_run: false. Add this field to be explicit about the test's execution behavior and maintain consistency.

Proposed fix

 - as: periodic-tls-observed-config-hypershift
+  always_run: false
   interval: 72h
   steps:

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- as: periodic-tls-observed-config-hypershift
	interval: 72h
	steps:
	cluster_profile: hypershift-aws
	env:
	TEST_SUITE: openshift/tls-observed-config
	workflow: hypershift-aws-conformance
	- as: periodic-tls-observed-config-hypershift
	always_run: false
	interval: 72h
	steps:
	cluster_profile: hypershift-aws
	env:
	TEST_SUITE: openshift/tls-observed-config
	workflow: hypershift-aws-conformance

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/config/openshift/origin/openshift-origin-main.yaml` around lines
866 - 872, Add the explicit always_run: false field to the periodic job
definition for the job identified by as:
periodic-tls-observed-config-hypershift; locate the block that sets interval:
72h, steps: { cluster_profile: hypershift-aws, env: TEST_SUITE:
openshift/tls-observed-config, workflow: hypershift-aws-conformance } and insert
always_run: false alongside those fields to match other entries and make the
job's execution behavior explicit.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@gangwgr: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-origin-main-tls-observed-config	openshift/origin	presubmit	Presubmit changed
pull-ci-openshift-origin-main-tls-observed-config-hypershift	openshift/origin	presubmit	Presubmit changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[smg247]

/approve

[openshift-ci-robot]

@gangwgr: This pull request references CNTRLPLANE-3428 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Add tls-observed-config presubmit and periodic jobs to tls-scanner for main and release-4.22
• Add hypershift base images required by hypershift-aws-conformance workflow

Test plan

• Verify make update generates correct Prow job configs
• Confirm tls-observed-config jobs trigger correctly on PR and periodic schedules

This PR updates the OpenShift CI configuration (ci-operator configs under openshift/origin) to add TLS-profile "observed" test entries and required Hypershift base images used by the Hypershift AWS conformance workflow.

What changed, in practical terms

• Affects the openshift/release ci-operator config for the openshift/origin repository (main branch; PR also targets release-4.22 in intent).
• Adds two optional one-off test definitions that will be used to generate Prow jobs:
• tls-observed-config — runs with cluster_profile: openshift-org-aws, workflow: openshift-e2e-test (ipi-aws variant), TEST_SUITE=openshift/tls-observed-config, and COMPUTE_NODE_TYPE: m5.4xlarge.
• tls-observed-config-hypershift — runs with cluster_profile: hypershift-aws, workflow: hypershift-aws-conformance, TEST_SUITE=openshift/tls-observed-config.
• Adds Hypershift-related base_images (e.g., hypershift-operator) so the hypershift-aws-conformance workflow can reference required images.

Notes on periodic/presubmit jobs

• The intent is to expose presubmit (on-PR) and periodic schedules for these suites so they can run on-demand and on a recurring cadence. The ci-operator entries for the tests are present in this change; generating the actual Prow presubmit/periodic job definitions requires running make update to regenerate job configs. The diff inspected does not include generated Prow job YAMLs (periodic 72h job entries were not present in the shown ci-operator fragment).

Impact

• Enables CI coverage for TLS observed-configuration validation against both IPI AWS and Hypershift environments once prow jobs are generated.
• After landing, maintainers should run make update to regenerate Prow job definitions so the presubmit/periodic jobs appear in Prow.

Files/areas affected (practical)

• ci-operator/config/openshift/origin/openshift-origin-main.yaml — added tests and base_images entries used to produce Prow jobs and images for Hypershift workflows.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[gangwgr]

/pj-rehearse

[openshift-merge-bot]

@gangwgr: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[ingvagabund]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gangwgr, ingvagabund, smg247

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/origin/OWNERS [smg247]
• ci-operator/jobs/openshift/origin/OWNERS [smg247]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gangwgr]

/hold

[gangwgr]

/unhold

[gangwgr]

/pj-rehearse ack

[openshift-merge-bot]

@gangwgr: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@gangwgr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/openshift/origin/main/tls-observed-config-hypershift	0761475	link	unknown	/pj-rehearse pull-ci-openshift-origin-main-tls-observed-config-hypershift

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.